Documentation
Constants
const (
	ReasonSBOMGenerationFailed = "sbom_generation_failed"
	ReasonImageTooLarge        = "image_too_large"
	ReasonSBOMTooLarge         = "sbom_too_large"
	ReasonSBOMIncomplete       = "sbom_incomplete"
	ReasonImageAuthFailed      = "image_auth_failed"
	ReasonImageNotFound        = "image_not_found"
	ReasonCVEMatchingFailed    = "cve_matching_failed"
	ReasonResultUploadFailed   = "result_upload_failed"
	ReasonSBOMStorageFailed    = "sbom_storage_failed"
	ReasonScannerOOMKilled     = "scanner_oom_killed"
	ReasonScanTimeout          = "scan_timeout"
	ReasonUnexpected           = "unexpected_error"
)
Failure reason codes sent by scanners (kubevuln, node-agent) in FailureReason. These are short enum-like codes — the notification service (UNS) maps them to human-friendly text at render time, so notification wording can be changed without redeploying in-cluster scanners.
Variables
This section is empty.
Functions
func ReasonFriendlyText (added in v0.0.692)
ReasonFriendlyText returns the human-friendly notification text for a reason code. Empty codes fall back to the unexpected error text. Unknown non-empty codes are returned as-is (forward-compat for new scanner versions).
Types
type ScanFailureCase
type ScanFailureCase int
ScanFailureCase enumerates the known reasons a scan can fail.
const (
	// ScanFailureUnknown is the zero value; used when no specific case applies.
	ScanFailureUnknown ScanFailureCase = 0
	// ScanFailureCVE — have SBOM, can't match against vulnerability DBs.
	ScanFailureCVE ScanFailureCase = 1
	// ScanFailureSBOMGeneration — can't build SBOM from image.
	ScanFailureSBOMGeneration ScanFailureCase = 2
	// ScanFailureOOMKilled — scanner process was OOM-killed.
	ScanFailureOOMKilled ScanFailureCase = 3
	// ScanFailureBackendPost — scan succeeded but results couldn't be posted.
	ScanFailureBackendPost ScanFailureCase = 4
)
func (ScanFailureCase) String
func (f ScanFailureCase) String() string
String returns a human-readable description of the failure case.
type ScanFailureReport
type ScanFailureReport struct {
	CustomerGUID  string               `json:"customerGUID" bson:"customerGUID"`
	Workloads     []WorkloadIdentifier `json:"workloads,omitempty" bson:"workloads,omitempty"`
	ImageTag      string               `json:"imageTag" bson:"imageTag"`
	FailureCase   ScanFailureCase      `json:"failureCase" bson:"failureCase"`
	FailureReason string               `json:"failureReason" bson:"failureReason"`
	// Error holds the raw error string for R&D debugging. Not rendered in user-facing
	// notifications (Slack/Teams templates use FailureReason only). Producers must avoid
	// including secrets (tokens, credentials) — redact sensitive data before populating.
	Error     string    `json:"error,omitempty" bson:"error,omitempty"`
	Timestamp time.Time `json:"timestamp" bson:"timestamp"`
	ImageHash string    `json:"imageHash,omitempty" bson:"imageHash,omitempty"`
	JobID     string    `json:"jobID,omitempty" bson:"jobID,omitempty"`
	// Registry scan context (no workloads).
	RegistryName   string `json:"registryName,omitempty" bson:"registryName,omitempty"`
	IsRegistryScan bool   `json:"isRegistryScan,omitempty" bson:"isRegistryScan,omitempty"`
}
ScanFailureReport is emitted by the scanner when a scan fails. The scanner sends ONE report per failed image with all affected workloads listed. Downstream services (event-ingester, UNS) fan out per workload for notifications. For registry scans, Workloads is nil/empty and RegistryName is populated.
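The comment on the Error field asks producers to redact secrets before populating it. The following Go sketch is an added example, not code from this package: `RedactError`, `NewFailureReport`, the regex patterns and the sample error string are assumptions, and the struct is a trimmed local mirror so the block runs on its own.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Trimmed local mirror of the documented struct (only the fields used here).
type ScanFailureReport struct {
	ImageTag      string `json:"imageTag"`
	FailureReason string `json:"failureReason"`
	Error         string `json:"error,omitempty"`
}

// Constructed patterns (assumptions); over-redaction is preferred to a leak.
var secretPatterns = []struct {
	re   *regexp.Regexp
	repl string
}{
	// URL userinfo: https://user:pass@host
	{regexp.MustCompile(`(://)[^/\s:@]+:[^/\s@]+@`), "${1}[REDACTED]@"},
	// Authorization values: "Bearer <token>", "Basic <base64>"
	{regexp.MustCompile(`(?i)\b(bearer|basic)\s+[A-Za-z0-9._~+/=-]+`), "${1} [REDACTED]"},
	// key=value or key: value for common secret names
	{regexp.MustCompile(`(?i)\b(password|passwd|token|secret|api[_-]?key)(\s*[=:]\s*)[^\s&,;"']+`), "${1}${2}[REDACTED]"},
}

// RedactError (hypothetical helper) returns err's text with secrets masked.
func RedactError(err error) string {
	if err == nil {
		return ""
	}
	s := err.Error()
	for _, p := range secretPatterns {
		s = p.re.ReplaceAllString(s, p.repl)
	}
	return s
}

// NewFailureReport (hypothetical) populates Error only through RedactError.
func NewFailureReport(imageTag, reason string, err error) ScanFailureReport {
	return ScanFailureReport{ImageTag: imageTag, FailureReason: reason, Error: RedactError(err)}
}

func main() {
	err := errors.New("pull https://robot:s3cr3t@registry.example.com/v2/app: 401, sent Authorization: Bearer abc.DEF-123") // constructed
	fmt.Printf("%+v\n", NewFailureReport("registry.example.com/app:1.0", "image_auth_failed", err))
}
```

Routing every write to Error through one constructor keeps the redaction step from being skipped on individual error paths; the patterns are a starting set, not a complete secret detector.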
type WorkloadIdentifier
type WorkloadIdentifier struct {
	ClusterName   string `json:"clusterName" bson:"clusterName"`
	Namespace     string `json:"namespace" bson:"namespace"`
	WorkloadKind  string `json:"workloadKind" bson:"workloadKind"`
	WorkloadName  string `json:"workloadName" bson:"workloadName"`
	ContainerName string `json:"containerName,omitempty" bson:"containerName,omitempty"`
}
WorkloadIdentifier identifies a single Kubernetes workload affected by a scan failure. A failed image may be used by multiple workloads, so the report carries a list of these.