
RHACS CVE Manager

Self-service CVE management for OpenShift RHACS environments. Teams get namespace-scoped vulnerability views with a clear remediation path, while the security team gets organization-wide controls and reporting.

Platform Highlights

  • EPSS-first triage
    Prioritize by exploit probability (EPSS), CVSS, and runtime impact so teams work on the vulnerabilities most likely to be exploited first.

  • Namespace-scoped access
    In spoke/hub mode, team visibility is derived from the X-Forwarded-Namespaces header (a list of namespace:cluster pairs), which is injected on the spoke side and forwarded to the hub backend together with the spoke's X-Api-Key.

  • Risk acceptance workflow
    Track requests from creation through approval, rejection, or expiry, with comments and an audit history.

  • Escalations and digests
    Rule-driven escalation levels and weekly summaries keep unresolved risk visible.

  • Operational dashboards
    Severity, EPSS matrix, cluster heatmap, trend, aging, and risk pipeline views in one place.

  • Public SVG badges
    Generate namespace badges for dashboards and status pages without exposing API access.

Architecture Snapshot

graph TB
    subgraph "Hub Cluster"
        FE_HUB["Frontend SPA\n(React + PatternFly)"]
        BE["FastAPI Backend"]
        APP_DB[("App DB\nread-write")]
        SX_DB[("StackRox Central DB\nread-only")]
    end

    subgraph "Spoke Cluster"
        OAUTH["oauth-proxy"]
        NR["auth-header-injector"]
        FE_SPOKE["Spoke Frontend\nnginx + SPA"]
    end

    FE_HUB -->|"/api/*"| BE
    BE --> APP_DB
    BE --> SX_DB

    OAUTH --> NR
    NR --> FE_SPOKE
    FE_SPOKE -->|"X-Api-Key + X-Forwarded-*"| BE

RHACS Compatibility

RHACS Version    Status
4.10.x           Tested

RHACS CVE Manager reads directly from the StackRox Central database (read-only). Schema changes in future RHACS versions may require updates to this project's queries. If you encounter issues with a newer RHACS version, please open an issue.

Core Design Rules

  • CVE visibility for non-security users is namespace-scoped: a user sees only CVEs in the namespace:cluster pairs granted to them.
  • Threshold filtering is conjunctive: a CVE is shown only if it meets both min_cvss_score and min_epss_score.
  • Prioritized CVEs and CVEs with an active risk acceptance bypass threshold filtering; namespace scoping still applies.
  • image_cves_v2 is the authoritative StackRox source for CVE data.
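The scoping and filtering rules above, together with the X-Forwarded-Namespaces mechanism from the highlights, as an added example that is not part of the project (written in Python because the backend is FastAPI): it parses X-Forwarded-Namespaces into namespace:cluster pairs, honours that header only when the request presents the spoke's X-Api-Key, applies the conjunctive min_cvss_score/min_epss_score thresholds with the prioritized/accepted bypass, and orders the result EPSS-first. The CVE record shape, the shared-key check, the `running` flag standing in for runtime impact, and all sample data are assumptions of this example, not behaviour documented for RHACS CVE Manager.

```python
"""Added example (not project code): hub-side request scoping, threshold
filtering and EPSS-first ordering as stated in the design rules above.

Everything beyond the header names X-Forwarded-Namespaces / X-Api-Key and the
setting names min_cvss_score / min_epss_score is an assumption of this example:
the CVE record shape, the shared-key check, the `running` flag used as the
runtime-impact signal, and all sample data (constructed, not real CVEs).
"""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Scope = Set[Tuple[str, str]]  # {(namespace, cluster), ...}


@dataclass(frozen=True)
class Cve:
    cve_id: str
    namespace: str
    cluster: str
    cvss: float
    epss: float             # exploit probability in [0, 1]
    running: bool = True    # assumed runtime-impact signal: image is deployed
    prioritized: bool = False
    accepted: bool = False  # has an active (approved, unexpired) risk acceptance


def parse_forwarded_namespaces(header: str) -> Scope:
    """Parse 'ns1:clusterA,ns2:clusterB' into a set of (namespace, cluster).

    Malformed entries raise instead of being silently widened: a missing
    cluster part must never turn into 'all clusters'.
    """
    scope: Scope = set()
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        namespace, sep, cluster = item.partition(":")
        if not sep or not namespace or not cluster:
            raise ValueError(f"malformed namespace:cluster entry: {item!r}")
        scope.add((namespace, cluster))
    return scope


def trusted_scope(headers: Dict[str, str], shared_key: str) -> Optional[Scope]:
    """Honour X-Forwarded-Namespaces only when the caller proves it is a spoke.

    Forwarded headers are caller-controlled; without the shared X-Api-Key
    (compared in constant time) the request gets no scope at all (None), so
    the caller denies instead of falling back to a permissive default.
    """
    presented = headers.get("X-Api-Key", "")
    if not hmac.compare_digest(presented.encode(), shared_key.encode()):
        return None
    return parse_forwarded_namespaces(headers.get("X-Forwarded-Namespaces", ""))


def passes_threshold(cve: Cve, min_cvss_score: float, min_epss_score: float) -> bool:
    """Conjunctive thresholds; prioritized or accepted CVEs bypass them."""
    if cve.prioritized or cve.accepted:
        return True
    return cve.cvss >= min_cvss_score and cve.epss >= min_epss_score


def visible_cves(cves: List[Cve], scope: Scope, min_cvss_score: float,
                 min_epss_score: float, security_team: bool = False) -> List[Cve]:
    """Apply namespace scoping (skipped for the security team), then thresholds,
    then order EPSS-first: exploit probability, then CVSS, then runtime impact."""
    shown = [
        c for c in cves
        if (security_team or (c.namespace, c.cluster) in scope)
        and passes_threshold(c, min_cvss_score, min_epss_score)
    ]
    shown.sort(key=lambda c: (c.epss, c.cvss, c.running), reverse=True)
    return shown


# --- constructed sample data (placeholder IDs, not real CVEs) ---------------
SHARED_KEY = "example-spoke-key"  # assumption: the spoke's X-Api-Key value
SPOKE_HEADERS = {
    "X-Api-Key": SHARED_KEY,
    "X-Forwarded-Namespaces": "payments:prod, payments:staging",
}
SAMPLE_CVES = [
    Cve("CVE-A", "payments", "prod", cvss=9.8, epss=0.92),
    Cve("CVE-B", "payments", "prod", cvss=9.1, epss=0.01),       # fails EPSS floor
    Cve("CVE-C", "payments", "prod", cvss=4.0, epss=0.50, prioritized=True),
    Cve("CVE-D", "billing", "prod", cvss=9.9, epss=0.95),        # outside team scope
    Cve("CVE-E", "payments", "prod", cvss=3.1, epss=0.02, accepted=True),
    Cve("CVE-F", "payments", "staging", cvss=8.0, epss=0.30),
]

if __name__ == "__main__":
    scope = trusted_scope(SPOKE_HEADERS, SHARED_KEY)
    team = visible_cves(SAMPLE_CVES, scope, 7.0, 0.1)
    print("team view:", [c.cve_id for c in team])          # A, C, F, E
    everyone = visible_cves(SAMPLE_CVES, set(), 7.0, 0.1, security_team=True)
    print("security view:", [c.cve_id for c in everyone])  # D, A, C, F, E
    forged = {"X-Forwarded-Namespaces": "billing:prod"}    # no X-Api-Key
    print("forged headers:", trusted_scope(forged, SHARED_KEY))  # None
```

The trust boundary is the point to watch: X-Forwarded-* headers are set by whoever talks to the hub, so the hub must authenticate the spoke (here via the shared key) before acting on them, and a request that fails that check should be denied rather than given a default scope.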

Documentation Map

  • Getting Started: local setup, migration, and developer workflow
  • Architecture: trust boundaries, auth modes, and data flow
  • Configuration: all environment variables and runtime settings
  • Deployment: hub and spoke deployment on OpenShift
  • API: contracts and endpoint behavior