RHACS CVE Manager
Self-service CVE management for OpenShift RHACS environments. Teams get namespace-scoped vulnerability views with a clear remediation path, while the security team gets organization-wide controls and reporting.
Platform Highlights
- EPSS-first triage: prioritize by exploit probability, CVSS, and runtime impact so teams focus on likely threats first.
- Namespace-scoped access: team visibility comes from X-Forwarded-Namespaces (namespace:cluster pairs) in spoke/hub mode.
- Risk acceptance workflow: track requests from creation to approval, rejection, or expiry with comments and audit history.
- Escalations and digests: rule-driven escalation levels and weekly summaries keep unresolved risk visible.
- Operational dashboards: severity, EPSS matrix, cluster heatmap, trend, aging, and risk pipeline in one place.
- Public SVG badges: create namespace badges for dashboards and status pages without exposing API access.
Architecture Snapshot
```mermaid
graph TB
    subgraph "Hub Cluster"
        FE_HUB["Frontend SPA\n(React + PatternFly)"]
        BE["FastAPI Backend"]
        APP_DB[("App DB\nread-write")]
        SX_DB[("StackRox Central DB\nread-only")]
    end
    subgraph "Spoke Cluster"
        OAUTH["oauth-proxy"]
        NR["auth-header-injector"]
        FE_SPOKE["Spoke Frontend\nnginx + SPA"]
    end
    FE_HUB -->|"/api/*"| BE
    BE --> APP_DB
    BE --> SX_DB
    OAUTH --> NR
    NR --> FE_SPOKE
    FE_SPOKE -->|"X-Api-Key + X-Forwarded-*"| BE
```
Core Design Rules
- CVE visibility for non-sec users is namespace-scoped.
- Threshold filtering is conjunctive (min_cvss_score and min_epss_score).
- Prioritized CVEs and CVEs with active risk acceptances bypass threshold filtering.
- image_cves_v2 is the authoritative StackRox source for CVE data.
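The rules above, worked through as an added Python example (not code from the RHACS CVE Manager project): it assumes X-Forwarded-Namespaces carries comma-separated namespace:cluster pairs, fails closed on malformed entries, applies the conjunctive CVSS/EPSS thresholds, and lets prioritized and risk-accepted CVEs bypass them. The Cve record and sample findings are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cve:
    # Hypothetical in-memory shape; the real service reads image_cves_v2.
    cve_id: str
    namespace: str
    cluster: str
    cvss: float
    epss: float
    prioritized: bool = False
    active_risk_acceptance: bool = False


def parse_forwarded_namespaces(header: str) -> set:
    """Parse X-Forwarded-Namespaces into (namespace, cluster) pairs.

    Assumed wire format: "ns1:clusterA, ns2:clusterB". Entries that are not
    a well-formed pair are dropped so a bad header narrows scope, never widens it.
    """
    scope = set()
    for entry in header.split(","):
        ns, sep, cluster = entry.strip().partition(":")
        if sep and ns and cluster:
            scope.add((ns, cluster))
    return scope


def visible_cves(cves, header, is_security_team, min_cvss_score, min_epss_score):
    """Return the CVE ids a caller may see, in input order.

    1. Non-sec users only see CVEs whose (namespace, cluster) is in their scope.
    2. Thresholds are conjunctive: both min_cvss_score AND min_epss_score must be met.
    3. Prioritized CVEs and CVEs with an active risk acceptance bypass the thresholds.
    """
    scope = parse_forwarded_namespaces(header)
    shown = []
    for c in cves:
        if not is_security_team and (c.namespace, c.cluster) not in scope:
            continue  # rule 1: out of the team's namespace scope
        bypass = c.prioritized or c.active_risk_acceptance  # rule 3
        meets = c.cvss >= min_cvss_score and c.epss >= min_epss_score  # rule 2
        if bypass or meets:
            shown.append(c.cve_id)
    return shown


# Constructed sample findings (not real data).
SAMPLE = [
    Cve("CVE-A", "payments", "prod", 9.8, 0.90),  # meets both thresholds
    Cve("CVE-B", "payments", "prod", 9.8, 0.01),  # high CVSS, low EPSS: filtered out
    Cve("CVE-C", "payments", "prod", 3.1, 0.02, prioritized=True),  # bypass
    Cve("CVE-D", "payments", "prod", 2.0, 0.00, active_risk_acceptance=True),  # bypass
    Cve("CVE-E", "billing", "prod", 9.8, 0.95),  # outside the payments team's scope
]
```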
Documentation Map
- Getting Started: local setup, migration, and developer workflow
- Architecture: trust boundaries, auth modes, and data flow
- Configuration: all environment variables and runtime settings
- Deployment: hub and spoke deployment on OpenShift
- API: contracts and endpoint behavior