Kubewarden & SbomScanner & UI #1528

@kravciak

Description

Documentation - kubewarden/sbomscanner#874

  • (1) I need to read a lot of sbomscanner docs just to do a hello world from the UI!
  • (1) Explain the concept of registry scanning: why would I want to scan a registry?
    What registries should I add? How does it help me with my cluster safety?
  • (1) Registry vs. workload scanning in connection with my cluster safety - two types of workflows?
    Give them the same priority in the sbomscanner README? Workload scanning seems like a second-hand feature.
    The UI tells me to add a registry, it does not mention workload scanning.
  • (2) Registry without catalog - should this be the default? (ghcr.io, docker, google, amazon)
    Can I assume "catalogType" from the repositories value being set? How do I know a registry has a catalog?
    In the UI I keep trying to create a registry but it won't scan.
  • (3) "define a Registry custom resource for SBOMscanner to fetch images"
    Use simpler words - why "custom resource"? What images is sbomscanner fetching?

SBOMScanner installation

SBOMScanner UI

  • (2) Action button to add the CNPG/SBOMScanner Helm repository (Rename to Add Repository? button)
  • (3) cnpg defaults to "default" namespace, can we change it to "cnpg-system" (or something else, but not default)
  • (1) Images are empty (console Error: Unknown schema for type: storage.sbomscanner.kubewarden.io.vulnerabilityreport)
  • (1) no support for rancher 2.14, extension shows blank page
  • (1) remove "Advanced" grouping menu, it does not make sense to send user to "Advanced>Registries" as first step after installation.
    Use flat 3 items: Images, Registries, Vex Management
  • (2) when I uninstall rancher-sbomscanner UI does not notice it
  • (2) When I delete registry from registry details page registry is visible until I refresh the page
  • (2) 2 extensions in ui repository (SBOMScanner, sbombastic-image-vulnerability-scanner)
  • (2) If I install kubewarden first, sbomscanner skips the CNPG repository step and jumps to "Installation for CloudNativePG" (without the CNPG repository, the install button is disabled).
    To reproduce: navigate to sidebar menu->Apps, reload (F5), menu->sbomscanner
  • (2) I fixed the Registry and retriggered the scan. On the dashboard I still see 1 error from the last scan.
  • (2) 'Show Configuration' button on the registry details page does not work (e.emit is not a function error)
  • (2) Registries|Vex page - Cannot read properties of undefined (reading 'resource-list') console error
  • (2) Dashboard page counters have wrong singular / plural form (0 image, 0 error)
  • (2) add option to filter out registries managed by WorkloadScanConfiguration (should be default?)
  • (3) Dashboard page has unimportant information (29 minutes since last scan...)
  • (3) I can create a Registry without repositories (it requires pressing Enter to save the value, which is not intuitive)
  • (3) Fix capitalization of "Vex Management" -> "VEX Management", "Registries configuration" -> "Registries Configuration"

Image CVE policy - kubewarden/policies#395

  • (1) It requires WorkloadScanConfiguration, but the documentation does not mention it...? It's a struggle to connect policy / registries / workloadscan / kubewarden / rbac.
    Give me an example workflow/readme/button I can use to configure everything.
  • (3) rename policy to show connection to SBOMScanner (or at least change "image-cve" name)
  • (3) RBAC rules for Policy Server (is this required for default ps?)
  • (3) Put Examples higher in the README (before policy-evaluation-time).
    I didn't see the examples, so I was looking for required values in the settings section (which is quite big).
    I didn't notice the comment that the values are exclusive, so I had to check the policy server logs.
    What is the max_cve_severity comment?
    Keep only 1 comment in the maxSeverity section, remove the copy & paste comments.
  • (2) failurePolicy: Ignore -> explain why - related to policy-evaluation-time?
  • (1) vulnerabilityReportNamespace - is this for "k get vulnerabilityreports -n ".
    Each sbomscanner registry can have different namespace, do I need separate policy for each registry namespace?
    Explain this is related only to workloadscan value "artifactsNamespace" (is it?)

Kubewarden + SBOMScanner

Warnings

  • At some point scans were in an error state with "You have reached your unauthenticated pull rate limit":
2026-03-01T16:23:09.321064Z ERROR request{method=POST uri=/audit/clusterwide-test-image-cve version=HTTP/1.1}:audit{host="policy-server-default-7c8dd48856-q82p4" policy_id="clusterwide-test-image-cve" kind="StatefulSet" kind_group="apps" kind_version="v1" name="rancher-sbomscanner-nats" namespace="cattle-sbomscanner-system" operation="CREATE" request_uid="46683d0f-c2e9-4618-b1bd-907d56ed6913" resource="StatefulSet" resource_group="apps" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings=PolicySettings({"ignoreMissingVulnerabilityReport": Bool(true), "maxSeverity": Object {"critical": Object {"total": Number(0)}, "high": Object {"total": Number(5)}, "low": Object {"total": Number(20)}, "medium": Object {"total": Number(10)}}, "vulnerabilityReportNamespace": String("cattle-sbomscanner-system")})}: policy_evaluator::runtimes::callback: callback evaluation failed policy_id="clusterwide-test-image-cve" binding="kubewarden" operation="v1/oci_manifest" error=Fail to interact with OCI registry: Registry error: url https://index.docker.io/v2/natsio/nats-server-config-reloader/manifests/0.21.1, envelope: OCI API errors: [OCI API error: You have reached your unauthenticated pull rate limit. https://www.docker.com/increase-rate-limit]
Caused by:
    Registry error: url https://index.docker.io/v2/natsio/nats-server-config-reloader/manifests/0.21.1, envelope: OCI API errors: [OCI API error: You have reached your unauthenticated pull rate limit. https://www.docker.com/increase-rate-limit]
  • SBOMScanner installation warnings
helm install --labels=catalog.cattle.io/cluster-repo-name=kubewarden-charts --namespace=cattle-sbomscanner-system --timeout=10m0s --values=/home/shell/helm/values-sbomscanner-0.10.0-rc1.yaml --version=0.10.0-rc1 --wait=true rancher-sbomscanner /home/shell/helm/sbomscanner-0.10.0-rc1.tgz
I0227 13:02:43.185227      29 warnings.go:110] "Warning: spec.privateKey.rotationPolicy: In cert-manager >= v1.18.0, the default value changed from `Never` to `Always`."
I0227 13:02:43.185445      29 warnings.go:110] "Warning: spec.privateKey.rotationPolicy: In cert-manager >= v1.18.0, the default value changed from `Never` to `Always`."
I0227 13:02:43.185537      29 warnings.go:110] "Warning: spec.privateKey.rotationPolicy: In cert-manager >= v1.18.0, the default value changed from `Never` to `Always`."
I0227 13:02:43.190007      29 warnings.go:110] "Warning: spec.privateKey.rotationPolicy: In cert-manager >= v1.18.0, the default value changed from `Never` to `Always`."
I0227 13:02:43.190200      29 warnings.go:110] "Warning: spec.privateKey.rotationPolicy: In cert-manager >= v1.18.0, the default value changed from `Never` to `Always`."
I0227 13:02:43.190384      29 warnings.go:110] "Warning: spec.privateKey.rotationPolicy: In cert-manager >= v1.18.0, the default value changed from `Never` to `Always`."
I0227 13:02:43.196643      29 warnings.go:110] "Warning: spec.privateKey.rotationPolicy: In cert-manager >= v1.18.0, the default value changed from `Never` to `Always`."
NAME: rancher-sbomscanner
LAST DEPLOYED: Fri Feb 27 13:02:42 2026
NAMESPACE: cattle-sbomscanner-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
___________  ________  ___
/  ___| ___ \|  _  |  \/  |
\ `--.| |_/ /| | | | .  . |___  ___ __ _ _ __  _ __   ___ _ __
 `--. \ ___ \| | | | |\/| / __|/ __/ _` | '_ \| '_ \ / _ \ '__|
/\__/ / |_/ /\ \_/ / |  | \__ \ (_| (_| | | | | | | |  __/ |
\____/\____/  \___/\_|  |_/___/\___\__,_|_| |_|_| |_|\___|_|
---------------------------------------------------------------------
SUCCESS: helm install --labels=catalog.cattle.io/cluster-repo-name=kubewarden-charts --namespace=cattle-sbomscanner-system --timeout=10m0s --values=/home/shell/helm/values-sbomscanner-0.10.0-rc1.yaml --version=0.10.0-rc1 --wait=true rancher-sbomscanner /home/shell/helm/sbomscanner-0.10.0-rc1.tgz