You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
kubevuln is alive and processing its queue (grype DB loads fine at startup; thousands of scan started), but no image carries any vulnerability data. Verified against live prod (2026-07-04):
vulnerabilitymanifestsummaries: 109/109 show .all=0 and.relevant=0, with vulnerabilitiesRef.all and .relevant both empty (kind:"", name:"").
vulnerabilitymanifests: 197/197 have zero payload.matches and no tool.name β SBOM shells with no grype match phase ever recorded.
Dominant kubevuln log (~815Γ/24h): service warning - ScanCP β¦ container profile is partial (workload restart required).
ScanCP is the scan-with-container-profile (relevancy) path β and it is the only path wired. It aborts before grype runs because the ApplicationProfile never reaches completed (123/288 profiles are still partial), so neither.allnor.relevant is ever written. Real registry errors (ScanCVE i/o timeout on postgres:latest) are rare (3Γ/24h) β this is not a grype-DB or registry-auth failure.
Consequence: the cluster is not genuinely 0-CVE, and #2149 ("reduce reachable CVEs flagged by Kubescape") currently has nothing to act on β nothing is being flagged.
Proposed direction (CVE = both β settled with the maintainer)
Get grype output flowing now β decouple/enable a full non-relevancy scan (the .all view) so grype produces CVE matches regardless of ApplicationProfile completion state. Confirm the kubevuln/node-agent config that governs the relevancy-vs-full scan path (relevancy on but not gating the .all write).
Complete the profiles for the reachable view β a controlled, batched rollout of the 123 partial-profile workloads so ScanCP completes and the .relevant view (the ~90%-noise-reduction reachable-CVE list) populates. Batch it; do not mass-restart prod at once.
Part of #2447.
Problem
kubevuln is alive and processing its queue (grype DB loads fine at startup; thousands of
scan started), but no image carries any vulnerability data. Verified against live prod (2026-07-04):vulnerabilitymanifestsummaries: 109/109 show.all=0 and.relevant=0, withvulnerabilitiesRef.alland.relevantboth empty (kind:"",name:"").vulnerabilitymanifests: 197/197 have zeropayload.matchesand notool.nameβ SBOM shells with no grype match phase ever recorded.service warning - ScanCP β¦ container profile is partial (workload restart required).ScanCPis the scan-with-container-profile (relevancy) path β and it is the only path wired. It aborts before grype runs because the ApplicationProfile never reachescompleted(123/288 profiles are stillpartial), so neither.allnor.relevantis ever written. Real registry errors (ScanCVEi/o timeout onpostgres:latest) are rare (3Γ/24h) β this is not a grype-DB or registry-auth failure.Consequence: the cluster is not genuinely 0-CVE, and #2149 ("reduce reachable CVEs flagged by Kubescape") currently has nothing to act on β nothing is being flagged.
Proposed direction (CVE = both β settled with the maintainer)
.allview) so grype produces CVE matches regardless of ApplicationProfile completion state. Confirm the kubevuln/node-agent config that governs the relevancy-vs-full scan path (relevancy on but not gating the.allwrite).ScanCPcompletes and the.relevantview (the ~90%-noise-reduction reachable-CVE list) populates. Batch it; do not mass-restart prod at once.capabilities.vexGeneration) so a downstream CI gate can suppress non-reachable CVEs (feeds Reduce reachable base-image CVEs: pin/refresh operator-managed images flagged by KubescapeΒ #2149 and the reachable-CVE CI gate).Rough size
M (investigation of the scan-path config is the main unknown; the profile rollout is operational and staged).
Acceptance criteria
vulnerabilitymanifestscarry real grype matches and atool.name; summaries show non-empty.all..relevantview populates for completed workloads.