
The container vulnerability exporter collects an image inventory from an OpenShift cluster and reports on detected vulnerabilities, for images hosted and scanned with

Developed and tested with OpenShift >= 3.11 (k8s 1.11)


  • export KUBECONFIG="$HOME/.kube/config" (or point it at any authenticated OpenShift client config)
  • export QUAY_TOKEN="aaabbbzzz" (set to a Quay API token)
  • make build
  • make test
  • make run

Once running, point a Prometheus scraper at localhost:8080 (default) or curl http://localhost:8080

To enable very verbose debug logging:

  • make run LOG_LEVEL=DEBUG

Image data example

'image': '' 'imageID': 'docker-pullable://'

OpenShift Config

The pod expects the following secrets:

  • QUAY_TOKEN: Quay API token
  • KUBECONFIG: base64-encoded k8s config file; see kubeconfig.EXAMPLE for non-base64-encoded boilerplate. The exporter only needs to list pods and images, so the context in this kubeconfig should carry read-only credentials rather than an admin token.

You can produce the base64-encoded KUBECONFIG value for the secret (see for more info) with:

  • kubectl config view --flatten | base64 -w0 | tee k8s-secret.yaml

--flatten inlines the certificate and key files the config refers to, so the encoded value is self-contained. Note that the command writes the encoded value only, not a complete Secret manifest; paste it into the KUBECONFIG key of the secret.
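The following script is an added example, not part of the cvexporter project, that carries the step above through to a complete Secret manifest and decodes the keys back out so the values can be checked before `oc create`. The secret name cvexporter-secrets is an assumption; the key names QUAY_TOKEN and KUBECONFIG are the ones listed above, and the kubeconfig used in `demo` is a constructed stand-in for the output of `kubectl config view --flatten`.

```shell
#!/bin/sh
# Added example (not part of the cvexporter project): build the Secret the
# pod expects from a flattened kubeconfig and a Quay token, then verify it.
# Secret name "cvexporter-secrets" is an assumption; the key names
# QUAY_TOKEN and KUBECONFIG are the ones the README lists.

# b64: single-line base64 that works with GNU and BSD base64 alike
# (the README's `base64 -w0` is GNU-only).
b64() {
  base64 | tr -d '\n'
}

# make_secret NAME KUBECONFIG_FILE QUAY_TOKEN
# Prints an Opaque Secret manifest. Values under `data:` must be base64,
# so the kubeconfig is encoded exactly once; the cluster decodes it when
# the pod mounts or reads the key, which is why the pod sees a plain file.
make_secret() {
  name=$1; kubeconfig=$2; token=$3
  kc_b64=$(b64 < "$kubeconfig")
  tok_b64=$(printf '%s' "$token" | b64)
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
type: Opaque
data:
  KUBECONFIG: ${kc_b64}
  QUAY_TOKEN: ${tok_b64}
EOF
}

# secret_value MANIFEST_FILE KEY
# Decodes one key back out of the manifest, to confirm the encoding
# round-trips and that a placeholder value (such as the repo's
# dummysecrets) has actually been replaced.
secret_value() {
  sed -n "s/^  $2: //p" "$1" | base64 -d
}

# demo: constructed kubeconfig stand-in; a real run would instead do
#   kubectl config view --flatten > "$tmp"
# against an authenticated, read-only context.
demo() {
  tmp=$(mktemp)
  trap 'rm -f "$tmp" "$tmp.yaml"' EXIT
  cat > "$tmp" <<'EOF'
apiVersion: v1
kind: Config
current-context: example
EOF
  make_secret cvexporter-secrets "$tmp" "aaabbbzzz" > "$tmp.yaml"
  # Print "<decoded token>|<first line of decoded kubeconfig>"
  printf '%s|%s\n' \
    "$(secret_value "$tmp.yaml" QUAY_TOKEN)" \
    "$(secret_value "$tmp.yaml" KUBECONFIG | head -n 1)"
}
```

In practice, pipe `make_secret` straight into `oc create -f -` rather than writing the manifest to disk, since the file holds live cluster credentials; `secret_value` is there for a quick sanity check of a manifest or of the decoded contents of an existing secret.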

A future version of this code will accept multiple contexts as a parameter.

To create the relevant OpenShift objects (note: the dummysecrets values in this repo are placeholders and are not valid; replace them before use):

oc process -f openshift/dummysecrets.yaml | oc create -f -
oc process -f openshift/cvexporter.yaml | oc create -f -