Kubewarden & SbomScanner & UI #1528

@kravciak

Documentation - kubewarden/sbomscanner#874

  • (1) I need to read a lot of sbomscanner docs just to do hello world from UI!
  • (1) Explain concept of registry scanning, why would I want to scan registry?
    what registries should I add? how does it help me with my cluster safety?
  • (1) registry vs workload scanning in connection with my cluster safety - two types of workflows?
    give them the same priority in the sbomscanner readme? workload scanning seems like a second-hand feature
    UI tells me to add registry, does not mention workflow
  • (2) registry without catalog - should this be default? (ghcr.io, docker, google, amazon)
    can I assume "catalogType" from repositories value being set? how do I know registry has catalog?
    in UI I keep trying to create registry but it won't scan
  • (3) "define a Registry custom resource for SBOMscanner to fetch images"
    use simpler words - why "custom resource"? what images is sbomscanner fetching?

SBOMScanner installation

SBOMScanner UI

  • (2) Action button to add the CNPG/SBOMScanner Helm repository (Rename to Add Repository? button)
  • (3) cnpg defaults to "default" namespace, can we change it to "cnpg-system" (or something else, but not default)
  • (1) Images are empty (console Error: Unknown schema for type: storage.sbomscanner.kubewarden.io.vulnerabilityreport)
  • (1) no support for rancher 2.14, extension shows blank page
  • (1) remove "Advanced" grouping menu, it does not make sense to send user to "Advanced" settings as first step after installation.
    Maybe use flat 3 items: Images, Registries, Vex Management?
  • (2) when I uninstall rancher-sbomscanner UI does not notice it
  • (2) When I delete registry from registry details page registry is visible until I refresh the page
  • (2) 2 extensions in ui repository (SBOMScanner, sbombastic-image-vulnerability-scanner)
  • (2) If I install kubewarden first sbomscanner skips CNPG repository step and jumps to "Installation for CloudNativePG" (without CNPG repository, install button is disabled)
    to reproduce navigate to sidebar menu->Apps, reload (f5), menu->sbomscanner
  • (2) I fixed the Registry and retriggered the scan. On dashboard I still see 1 error from last scan
  • (2) 'Show Configuration' button on registry details page does not work (e.emit is not a function error)
  • (2) Registries|Vex page - Cannot read properties of undefined (reading 'resource-list') console error
  • (2) Dashboard page counters have wrong singular / plural form (0 image, 0 error)
  • (2) add option to filter out registries managed by WorkloadScanConfiguration (should be default?)
  • (3) Dashboard page has unimportant information (29 minutes since last scan..)
  • (3) I can create Registry without repositories (it requires enter to save the value, which is not intuitive)
  • (3) Fix capitalization of "Vex Management" -> "VEX Management", "Registries configuration" -> "Registries Configuration"

Image CVE policy - kubewarden/policies#395

  • (1) it requires WorkloadScanConfiguration, but documentation does not mention it...? It's a struggle to connect policy / registries / workloadscan / kubewarden / rbac?.
    Give me example workflow/readme/button I can use to configure everything
  • (3) rename policy to show connection to SBOMScanner (or at least change "image-cve" name)
  • (3) RBAC rules for Policy Server (is this required for default ps?)
  • (3) Put Examples higher in README (before policy-evaluation-time).
    I didn't see the examples, so I was looking for required values in the settings section (which is quite big)
    I didn't notice the comment that values are exclusive, so I had to check policy server logs.
    What is the max_cve_severity comment?
    Keep only 1 comment in the maxSeverity section, remove copy & paste comments
  • (2) failurePolicy: Ignore -> explain why - related to policy-evaluation-time?
  • (1) vulnerabilityReportNamespace - is this for "k get vulnerabilityreports -n ".
    Each sbomscanner registry can have different namespace, do I need separate policy for each registry namespace?
    Explain this is related only to workloadscan value "artifactsNamespace" (is it?)

Kubewarden + SBOMScanner

Warnings

  • At some point scans were in error state with "You have reached your unauthenticated pull rate limit":
2026-03-01T16:23:09.321064Z ERROR request{method=POST uri=/audit/clusterwide-test-image-cve version=HTTP/1.1}:audit{host="policy-server-default-7c8dd48856-q82p4" policy_id="clusterwide-test-image-cve" kind="StatefulSet" kind_group="apps" kind_version="v1" name="rancher-sbomscanner-nats" namespace="cattle-sbomscanner-system" operation="CREATE" request_uid="46683d0f-c2e9-4618-b1bd-907d56ed6913" resource="StatefulSet" resource_group="apps" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings=PolicySettings({"ignoreMissingVulnerabilityReport": Bool(true), "maxSeverity": Object {"critical": Object {"total": Number(0)}, "high": Object {"total": Number(5)}, "low": Object {"total": Number(20)}, "medium": Object {"total": Number(10)}}, "vulnerabilityReportNamespace": String("cattle-sbomscanner-system")})}: policy_evaluator::runtimes::callback: callback evaluation failed policy_id="clusterwide-test-image-cve" binding="kubewarden" operation="v1/oci_manifest" error=Fail to interact with OCI registry: Registry error: url https://index.docker.io/v2/natsio/nats-server-config-reloader/manifests/0.21.1, envelope: OCI API errors: [OCI API error: You have reached your unauthenticated pull rate limit. https://www.docker.com/increase-rate-limit]
Caused by:
    Registry error: url https://index.docker.io/v2/natsio/nats-server-config-reloader/manifests/0.21.1, envelope: OCI API errors: [OCI API error: You have reached your unauthenticated pull rate limit. https://www.docker.com/increase-rate-limit]
2026-03-01T16:23:09.321370Z  INFO request{method=POST uri=/audit/clusterwide-test-image-cve version=HTTP/1.1}:audit{host="policy-server-default-7c8dd48856-q82p4" policy_id="clusterwide-test-image-cve" kind="StatefulSet" kind_group="apps" kind_version="v1" name="rancher-sbomscanner-nats" namespace="cattle-sbomscanner-system" operation="CREATE" request_uid="46683d0f-c2e9-4618-b1bd-907d56ed6913" resource="StatefulSet" resource_group="apps" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings=PolicySettings({"ignoreMissingVulnerabilityReport": Bool(true), "maxSeverity": Object {"critical": Object {"total": Number(0)}, "high": Object {"total": Number(5)}, "low": Object {"total": Number(20)}, "medium": Object {"total": Number(10)}}, "vulnerabilityReportNamespace": String("cattle-sbomscanner-system")})}:policy_log{self=EvaluationContext { policy_id: "clusterwide-test-image-cve", callback_channel: Some(...), allowed_kubernetes_resources: {ContextAwareResource { api_version: "storage.sbomscanner.kubewarden.io/v1alpha1", kind: "VulnerabilityReport" }} }}: policy_log: ignoring error while attempting to fetch the image manifest because ignoreMissingVulnerabilityReport is enabled data={"column":17,"error":"ManifestFetchError(\"error invoking wapc oci.manifest_digest: Error(HostError([67, 97, 108, 108, 98, 97, 99, 107, 32, 101, 118, 97, 108, 117, 97, 116, 105, 111, 110, 32, 102, 97, 105, 108, 117, 114, 101, 58, 32, 70, 97, 105, 108, 32, 116, 111, 32, 105, 110, 116, 101, 114, 97, 99, 116, 32, 119, 105, 116, 104, 32, 79, 67, 73, 32, 114, 101, 103, 105, 115, 116, 114, 121, 58, 32, 82, 101, 103, 105, 115, 116, 114, 121, 32, 101, 114, 114, 111, 114, 58, 32, 117, 114, 108, 32, 104, 116, 116, 112, 115, 58, 47, 47, 105, 110, 100, 101, 120, 46, 100, 111, 99, 107, 101, 114, 46, 105, 111, 47, 118, 50, 47, 110, 97, 116, 115, 105, 111, 47, 110, 97, 116, 115, 45, 115, 101, 114, 118, 101, 114, 45, 99, 111, 110, 102, 105, 103, 45, 114, 101, 108, 111, 
97, 100, 101, 114, 47, 109, 97, 110, 105, 102, 101, 115, 116, 115, 47, 48, 46, 50, 49, 46, 49, 44, 32, 101, 110, 118, 101, 108, 111, 112, 101, 58, 32, 79, 67, 73, 32, 65, 80, 73, 32, 101, 114, 114, 111, 114, 115, 58, 32, 91, 79, 67, 73, 32, 65, 80, 73, 32, 101, 114, 114, 111, 114, 58, 32, 89, 111, 117, 32, 104, 97, 118, 101, 32, 114, 101, 97, 99, 104, 101, 100, 32, 121, 111, 117, 114, 32, 117, 110, 97, 117, 116, 104, 101, 110, 116, 105, 99, 97, 116, 101, 100, 32, 112, 117, 108, 108, 32, 114, 97, 116, 101, 32, 108, 105, 109, 105, 116, 46, 32, 104, 116, 116, 112, 115, 58, 47, 47, 119, 119, 119, 46, 100, 111, 99, 107, 101, 114, 46, 99, 111, 109, 47, 105, 110, 99, 114, 101, 97, 115, 101, 45, 114, 97, 116, 101, 45, 108, 105, 109, 105, 116, 93, 10, 10, 67, 97, 117, 115, 101, 100, 32, 98, 121, 58, 10, 32, 32, 32, 32, 82, 101, 103, 105, 115, 116, 114, 121, 32, 101, 114, 114, 111, 114, 58, 32, 117, 114, 108, 32, 104, 116, 116, 112, 115, 58, 47, 47, 105, 110, 100, 101, 120, 46, 100, 111, 99, 107, 101, 114, 46, 105, 111, 47, 118, 50, 47, 110, 97, 116, 115, 105, 111, 47, 110, 97, 116, 115, 45, 115, 101, 114, 118, 101, 114, 45, 99, 111, 110, 102, 105, 103, 45, 114, 101, 108, 111, 97, 100, 101, 114, 47, 109, 97, 110, 105, 102, 101, 115, 116, 115, 47, 48, 46, 50, 49, 46, 49, 44, 32, 101, 110, 118, 101, 108, 111, 112, 101, 58, 32, 79, 67, 73, 32, 65, 80, 73, 32, 101, 114, 114, 111, 114, 115, 58, 32, 91, 79, 67, 73, 32, 65, 80, 73, 32, 101, 114, 114, 111, 114, 58, 32, 89, 111, 117, 32, 104, 97, 118, 101, 32, 114, 101, 97, 99, 104, 101, 100, 32, 121, 111, 117, 114, 32, 117, 110, 97, 117, 116, 104, 101, 110, 116, 105, 99, 97, 116, 101, 100, 32, 112, 117, 108, 108, 32, 114, 97, 116, 101, 32, 108, 105, 109, 105, 116, 46, 32, 104, 116, 116, 112, 115, 58, 47, 47, 119, 119, 119, 46, 100, 111, 99, 107, 101, 114, 46, 99, 111, 109, 47, 105, 110, 99, 114, 101, 97, 115, 101, 45, 114, 97, 116, 101, 45, 108, 105, 109, 105, 116, 
93]))\")","file":"image-cve-policy/src/lib.rs","image":"natsio/nats-server-config-reloader:0.21.1","line":214,"policy":"image-cve"}
  • SBOMScanner installation warnings
helm install --labels=catalog.cattle.io/cluster-repo-name=kubewarden-charts --namespace=cattle-sbomscanner-system --timeout=10m0s --values=/home/shell/helm/values-sbomscanner-0.10.0-rc1.yaml --version=0.10.0-rc1 --wait=true rancher-sbomscanner /home/shell/helm/sbomscanner-0.10.0-rc1.tgz
I0227 13:02:43.185227      29 warnings.go:110] "Warning: spec.privateKey.rotationPolicy: In cert-manager >= v1.18.0, the default value changed from `Never` to `Always`."
I0227 13:02:43.185445      29 warnings.go:110] "Warning: spec.privateKey.rotationPolicy: In cert-manager >= v1.18.0, the default value changed from `Never` to `Always`."
I0227 13:02:43.185537      29 warnings.go:110] "Warning: spec.privateKey.rotationPolicy: In cert-manager >= v1.18.0, the default value changed from `Never` to `Always`."
I0227 13:02:43.190007      29 warnings.go:110] "Warning: spec.privateKey.rotationPolicy: In cert-manager >= v1.18.0, the default value changed from `Never` to `Always`."
I0227 13:02:43.190200      29 warnings.go:110] "Warning: spec.privateKey.rotationPolicy: In cert-manager >= v1.18.0, the default value changed from `Never` to `Always`."
I0227 13:02:43.190384      29 warnings.go:110] "Warning: spec.privateKey.rotationPolicy: In cert-manager >= v1.18.0, the default value changed from `Never` to `Always`."
I0227 13:02:43.196643      29 warnings.go:110] "Warning: spec.privateKey.rotationPolicy: In cert-manager >= v1.18.0, the default value changed from `Never` to `Always`."
NAME: rancher-sbomscanner
LAST DEPLOYED: Fri Feb 27 13:02:42 2026
NAMESPACE: cattle-sbomscanner-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
___________  ________  ___
/  ___| ___ \|  _  |  \/  |
\ `--.| |_/ /| | | | .  . |___  ___ __ _ _ __  _ __   ___ _ __
 `--. \ ___ \| | | | |\/| / __|/ __/ _` | '_ \| '_ \ / _ \ '__|
/\__/ / |_/ /\ \_/ / |  | \__ \ (_| (_| | | | | | | |  __/ |
\____/\____/  \___/\_|  |_/___/\___\__,_|_| |_|_| |_|\___|_|
---------------------------------------------------------------------
SUCCESS: helm install --labels=catalog.cattle.io/cluster-repo-name=kubewarden-charts --namespace=cattle-sbomscanner-system --timeout=10m0s --values=/home/shell/helm/values-sbomscanner-0.10.0-rc1.yaml --version=0.10.0-rc1 --wait=true rancher-sbomscanner /home/shell/helm/sbomscanner-0.10.0-rc1.tgz
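The policy-server output above shows the security-relevant side effect of the rate limit: because the policy runs with `ignoreMissingVulnerabilityReport: true`, the failed manifest fetch is logged at INFO level and the StatefulSet is admitted, i.e. the policy fails open, and the actual registry error is buried in a decimal byte array inside the HostError payload. The script below is an added example (not part of this issue, the image-cve policy or the policy-server code) that parses log lines of this shape, decodes the byte array back into text and reports every ignored fetch error, distinguishing Docker Hub rate-limit hits from other causes. The sample lines are constructed from the format visible in this issue with the long span fields trimmed; the second image name and its error text are invented placeholders.

```python
"""Spot fail-open admissions in Kubewarden policy-server logs (added example)."""
import re
from collections import Counter

# Message the policy emits when it tolerates a manifest fetch failure (quoted from the issue).
FAIL_OPEN_MARKER = ("ignoring error while attempting to fetch the image manifest "
                    "because ignoreMissingVulnerabilityReport is enabled")
# Docker Hub error text seen in the issue's logs.
RATE_LIMIT_TEXT = "unauthenticated pull rate limit"

HOST_ERROR_RE = re.compile(r"HostError\(\[([0-9,\s]+)\]\)")
POLICY_ID_RE = re.compile(r'policy_id="([^"]+)"')
IMAGE_RE = re.compile(r'"image":"([^"]+)"')


def encode_host_error(message: str) -> str:
    """Render a message the way the log shows it: HostError([<decimal bytes>])."""
    return "HostError([" + ", ".join(str(b) for b in message.encode()) + "])"


def decode_host_error(line: str):
    """Turn the decimal byte list back into text; None if the line carries no HostError."""
    m = HOST_ERROR_RE.search(line)
    if m is None:
        return None
    values = [int(v) for v in m.group(1).split(",") if v.strip()]
    return bytes(values).decode("utf-8", errors="replace")


def _policy_log_line(policy_id: str, image: str, host_error_text: str) -> str:
    """Constructed log line: same field layout as the issue's policy_log line, spans trimmed."""
    return (
        f'2026-03-01T16:23:09.321370Z  INFO request{{method=POST uri=/audit/{policy_id}}}'
        f':audit{{policy_id="{policy_id}" kind="StatefulSet" namespace="cattle-sbomscanner-system"}}'
        f':policy_log: {FAIL_OPEN_MARKER} '
        f'data={{"error":"ManifestFetchError(\\"error invoking wapc oci.manifest_digest: '
        f'Error({encode_host_error(host_error_text)})\\")","image":"{image}","policy":"image-cve"}}'
    )


# Error text as decoded from the byte array in the issue's log.
RATE_LIMIT_ERROR = (
    "Callback evaluation failure: Fail to interact with OCI registry: Registry error: "
    "url https://index.docker.io/v2/natsio/nats-server-config-reloader/manifests/0.21.1, "
    "envelope: OCI API errors: [OCI API error: You have reached your unauthenticated pull "
    "rate limit. https://www.docker.com/increase-rate-limit]"
)

# Constructed sample log: one plain ERROR line, two fail-open lines, one unrelated line.
SAMPLE_LOG = [
    '2026-03-01T16:23:09.321064Z ERROR request{method=POST uri=/audit/clusterwide-test-image-cve}'
    ':policy_evaluator::runtimes::callback: callback evaluation failed '
    'policy_id="clusterwide-test-image-cve" operation="v1/oci_manifest" '
    'error=Fail to interact with OCI registry: ' + RATE_LIMIT_ERROR,
    _policy_log_line("clusterwide-test-image-cve",
                     "natsio/nats-server-config-reloader:0.21.1", RATE_LIMIT_ERROR),
    _policy_log_line("clusterwide-test-image-cve", "example.test/app:1.0",  # placeholder image
                     "Callback evaluation failure: Fail to interact with OCI registry: "
                     "Registry error: connection timed out (constructed)"),
    '2026-03-01T16:23:10.000000Z  INFO request{method=POST uri=/audit/clusterwide-test-image-cve}: done',
]


def find_fail_open(lines):
    """Return one record per admission where a manifest fetch error was ignored."""
    events = []
    for line in lines:
        if FAIL_OPEN_MARKER not in line:
            continue
        policy = POLICY_ID_RE.search(line)
        image = IMAGE_RE.search(line)
        error = decode_host_error(line)
        cause = "rate_limit" if error and RATE_LIMIT_TEXT in error else "other"
        events.append({
            "policy_id": policy.group(1) if policy else None,
            "image": image.group(1) if image else None,
            "cause": cause,
            "error": error,
        })
    return events


def summarize(events) -> Counter:
    """Count ignored fetch errors per (image, cause) so repeat offenders stand out."""
    return Counter((e["image"], e["cause"]) for e in events)


if __name__ == "__main__":
    found = find_fail_open(SAMPLE_LOG)
    for e in found:
        print(f'{e["policy_id"]}: admitted {e["image"]} without a report ({e["cause"]})')
        print("   ", e["error"])
    print(summarize(found))
```

Run it against a `kubectl logs` dump of the policy-server pod instead of `SAMPLE_LOG` to see how many workloads were admitted without a vulnerability check; a non-zero `rate_limit` count is the signal that registry credentials or a mirror are needed before relying on this policy in enforce mode.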
