Red Hat Advanced Cluster Security
ROX-32124

[Discovery] Explore Stateless Scanning in RHACS

    • Type: Feature
    • Resolution: Unresolved
    • Priority: Critical
    • ROX-30042 RHACS Enhanced Reliability and Scalability with HA/DR considerations
    • Dev Preview

      Goal Summary:

      CI/CD pipelines for RHACS customers are currently dependent on Central being available. If Central goes down, pipeline security scans fail, slowing developer velocity and creating gaps in supply chain visibility and compliance.  

      The goal of this feature is to explore the feasibility of a stateless, high-availability scanning solution for CI/CD pipelines. The focus is on understanding how a scanner could operate independently and deliver scan results reliably. This phase will investigate architecture options, strategies, and integration approaches.

      Goals and expected user outcomes:

      Goals:

      • Assess approaches for stateless scanning of container images and SBOMs.
      • Evaluate methods for external persistence of scan results to support HA and retries.
      • Identify technical challenges and constraints for optional integration with RHACS Central.
      • Stretch goal: Investigate scanning of additional OCI artifacts such as AI-BOMs and Helm charts.

      Acceptance Criteria:

      • High-level prototype or proof-of-concept demonstrates stateless scanning of container images and SBOMs.
      • External persistence mechanism evaluated (Central, object storage, or event bus) for scan results.
      • HA behavior validated on Kubernetes with multiple replicas and pod failover.
      • Scan results are captured and retrievable, even if an instance crashes.
      • Performance, scalability, and security considerations are documented, even if not fully vetted.

      Success Criteria or KPIs measured:

      • Feasibility of running stateless scanner without Central verified.
      • HA patterns for Kubernetes-based stateless scanning validated.
      • Prototype successfully persists and retrieves scan results externally.
      • Technical risks, constraints, and gaps identified for future development.
      • Recommendations for next steps (full implementation or further exploration) documented.

      Use Cases (Optional):

      • Main scenario: CI/CD pipeline triggers prototype scanner → scan runs independently of Central → results persisted externally → pipeline completes without failure.
      • Alternative scenario: A scanner pod fails mid-scan → job is picked up by another instance → results are still captured and retrievable.
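      The two scenarios above, as an added Go illustration that is not RHACS code or part of this ticket: a hypothetical lease-based job queue stands in for the event bus, an in-memory map stands in for the external result store, and a replica that "crashes" simply returns after claiming a job without persisting or acknowledging it. The names ScanJob, JobQueue, ResultStore, RunOnce and SimulateFailover, and the image reference used, are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ScanJob is one unit of work for a stateless scanner replica.
type ScanJob struct{ ID, ImageRef string }

// ScanResult is the record written to the external store, keyed by ImageRef so
// a retried scan overwrites an equivalent record instead of duplicating it.
type ScanResult struct {
	JobID, ImageRef, ScannedBy string
	Findings                   []string
}

// JobQueue is a hypothetical lease-based queue standing in for an external
// event bus: a claimed job is hidden from other replicas while its lease is
// valid and becomes claimable again if the holder never acknowledges it.
// (Single-goroutine demo, so no locking.)
type JobQueue struct {
	order []string             // job IDs in enqueue order
	jobs  map[string]ScanJob   // unacknowledged jobs by ID
	lease map[string]time.Time // job ID -> lease expiry
}

func NewJobQueue() *JobQueue {
	return &JobQueue{jobs: map[string]ScanJob{}, lease: map[string]time.Time{}}
}

func (q *JobQueue) Enqueue(job ScanJob) {
	q.order = append(q.order, job.ID)
	q.jobs[job.ID] = job
}

// Claim leases to worker the first unacknowledged job whose lease is absent or
// has expired at now.
func (q *JobQueue) Claim(worker string, now time.Time, ttl time.Duration) (ScanJob, bool) {
	for _, id := range q.order {
		job, pending := q.jobs[id]
		if !pending {
			continue // already acknowledged
		}
		if exp, held := q.lease[id]; held && now.Before(exp) {
			continue // another replica still holds it
		}
		q.lease[id] = now.Add(ttl)
		return job, true
	}
	return ScanJob{}, false
}

// Ack removes a finished job so no replica reclaims it after the lease lapses.
func (q *JobQueue) Ack(jobID string) { delete(q.jobs, jobID); delete(q.lease, jobID) }

// ResultStore stands in for the external persistence layer (object storage or
// Central in the ticket's options); results are keyed by image reference.
type ResultStore map[string]ScanResult

var ErrReplicaCrashed = errors.New("scanner replica terminated mid-scan")

// scanImage is a constructed stand-in for the real vulnerability scanner.
func scanImage(imageRef string) []string { return []string{"constructed-finding for " + imageRef} }

// RunOnce models one replica handling one job. With crash=true the replica dies
// after claiming but before persisting, like a pod killed mid-scan: nothing is
// written and the job is never acknowledged.
func RunOnce(worker string, q *JobQueue, store ResultStore, now time.Time, ttl time.Duration, crash bool) error {
	job, ok := q.Claim(worker, now, ttl)
	if !ok {
		return nil // nothing claimable right now
	}
	findings := scanImage(job.ImageRef)
	if crash {
		return ErrReplicaCrashed
	}
	// Persist before acknowledging: a crash between the two costs a redundant
	// rescan, never a lost result.
	store[job.ImageRef] = ScanResult{JobID: job.ID, ImageRef: job.ImageRef, ScannedBy: worker, Findings: findings}
	q.Ack(job.ID)
	return nil
}

// SimulateFailover plays the alternative scenario: scanner-a claims the job and
// crashes, a retry inside the lease window finds nothing claimable, and once the
// lease expires scanner-b reclaims the job and persists the result.
func SimulateFailover() (persistedEarly bool, final ScanResult, found bool) {
	const image = "quay.io/example/app@sha256:constructed" // constructed sample reference
	q, store := NewJobQueue(), ResultStore{}
	q.Enqueue(ScanJob{ID: "job-1", ImageRef: image})
	t0, ttl := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC), 30*time.Second
	RunOnce("scanner-a", q, store, t0, ttl, true)                      // dies mid-scan
	RunOnce("scanner-b", q, store, t0.Add(10*time.Second), ttl, false) // lease still held
	_, persistedEarly = store[image]
	RunOnce("scanner-b", q, store, t0.Add(ttl), ttl, false) // lease expired: reclaimed
	final, found = store[image]
	return persistedEarly, final, found
}

func main() {
	early, final, found := SimulateFailover()
	fmt.Printf("written during crashed lease: %v; final result found: %v (scanned by %s)\n", early, found, final.ScannedBy)
}
```

      The order of the last two steps in RunOnce is the property the acceptance criteria ask for: because the result is persisted before the job is acknowledged, a replica dying at any point causes at most a duplicate scan, never a lost result, and the pipeline can read the result back by image reference after any instance has crashed.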

      Out of Scope (Optional):

      • Full implementation is out of scope; this phase covers feasibility prototyping and analysis only.

              Shubha Badve (sbadve@redhat.com)
              Anjali Telang (atelang@redhat.com)