Note well: don't forget to check out Kubewarden's documentation for more information.
The Audit scanner inspects the resources defined in the cluster and identifies the ones that are violating Kubewarden policies.

The results of the scan can be made available via `PolicyReport` objects. Each Namespace has its own dedicated `PolicyReport`. Cluster-wide resource compliance is available via the `ClusterPolicyReport` resource.

Instead of relying on `PolicyReport` objects, one can also configure the Audit scanner to keep all this information in memory only, by specifying `--store memory`.
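To show how the scanner's output can be consumed by tooling, here is an added example (not code from the audit-scanner project) that parses `PolicyReport` and `ClusterPolicyReport` objects in the `wgpolicyk8s.io/v1alpha2` shape, lists every resource the audit marked non-compliant, and cross-checks each report's `summary` block against its `results`. The report data, policy names and resource names embedded in it are constructed samples; the only real-cluster input it assumes is the JSON list that `kubectl get policyreports,clusterpolicyreports -A -o json` emits.

```python
"""Summarise the PolicyReport / ClusterPolicyReport objects written by the
Kubewarden audit scanner.

Added example, not part of the audit-scanner project. It consumes the JSON
that `kubectl get policyreports,clusterpolicyreports -A -o json` emits (a v1
List whose items are wgpolicyk8s.io/v1alpha2 reports), lists every resource
the audit marked non-compliant, and verifies that each report's summary
agrees with its results. SAMPLE_REPORTS below is constructed sample data.
"""
import json
import sys
from collections import Counter

# Constructed sample: one namespaced PolicyReport and one ClusterPolicyReport.
SAMPLE_REPORTS = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "wgpolicyk8s.io/v1alpha2",
            "kind": "PolicyReport",
            "metadata": {"name": "polr-ns-default", "namespace": "default"},
            "summary": {"pass": 1, "fail": 1, "warn": 0, "error": 0, "skip": 0},
            "results": [
                {"policy": "cap-privileged-pods", "result": "fail",
                 "severity": "high", "message": "privileged container not allowed",
                 "resources": [{"apiVersion": "v1", "kind": "Pod",
                                "name": "web-0", "namespace": "default"}]},
                {"policy": "cap-privileged-pods", "result": "pass",
                 "resources": [{"apiVersion": "v1", "kind": "Pod",
                                "name": "api-0", "namespace": "default"}]},
            ],
        },
        {
            "apiVersion": "wgpolicyk8s.io/v1alpha2",
            "kind": "ClusterPolicyReport",
            "metadata": {"name": "clusterwide"},
            "summary": {"pass": 0, "fail": 1, "warn": 0, "error": 0, "skip": 0},
            "results": [
                {"policy": "cap-namespace-labels", "result": "fail",
                 "severity": "medium", "message": "missing required label",
                 "resources": [{"apiVersion": "v1", "kind": "Namespace",
                                "name": "legacy"}]},
            ],
        },
    ],
})

OUTCOMES = ("pass", "fail", "warn", "error", "skip")
NON_COMPLIANT = ("fail", "error")


def _reports(report_json):
    """Return the individual report objects from a List or a single report."""
    doc = json.loads(report_json)
    return doc["items"] if doc.get("kind") == "List" else [doc]


def _report_id(report):
    meta = report.get("metadata", {})
    ns = meta.get("namespace")
    return f"{ns}/{meta['name']}" if ns else meta["name"]


def failing_resources(report_json):
    """One finding per non-compliant resource: scope (namespace, or '<cluster>'
    for ClusterPolicyReport entries), kind, name, policy, severity, message."""
    findings = []
    for report in _reports(report_json):
        cluster_scoped = report.get("kind") == "ClusterPolicyReport"
        report_ns = report.get("metadata", {}).get("namespace")
        for res in report.get("results", []):
            if res.get("result") not in NON_COMPLIANT:
                continue
            for obj in res.get("resources", []):
                scope = "<cluster>" if cluster_scoped else obj.get("namespace", report_ns)
                findings.append({
                    "scope": scope,
                    "kind": obj.get("kind", "?"),
                    "name": obj.get("name", "?"),
                    "policy": res.get("policy", "?"),
                    "severity": res.get("severity", "unknown"),
                    "message": res.get("message", ""),
                })
    return findings


def failures_by_scope(report_json):
    """Count non-compliant resources per namespace / cluster scope."""
    return dict(Counter(f["scope"] for f in failing_resources(report_json)))


def inconsistent_summaries(report_json):
    """Ids of reports whose summary counts disagree with the results listed.
    Such a report was edited or only partially written; do not trust its
    summary for compliance dashboards."""
    bad = []
    for report in _reports(report_json):
        counted = Counter(r.get("result") for r in report.get("results", []))
        summary = report.get("summary", {})
        if any(summary.get(o, 0) != counted.get(o, 0) for o in OUTCOMES):
            bad.append(_report_id(report))
    return bad


def main(report_json=SAMPLE_REPORTS):
    for f in failing_resources(report_json):
        print(f"{f['scope']:<12} {f['kind']:<10} {f['name']:<12} "
              f"{f['policy']:<24} {f['severity']:<8} {f['message']}")
    for rid in inconsistent_summaries(report_json):
        print(f"warning: summary of {rid} does not match its results", file=sys.stderr)


if __name__ == "__main__":
    # Pass "-" to read a real cluster's reports from stdin instead of the sample:
    #   kubectl get policyreports,clusterpolicyreports -A -o json | python3 report_summary.py -
    main(sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_REPORTS)
```

The summary check is worth keeping in any automation built on these objects: a dashboard that reads only the `summary` block will silently under-report if a report is stale or was edited, so compare it with the `results` the report actually carries.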
We recommend relying on the kubewarden-controller and the Kubernetes Custom Resources it provides to deploy the Kubewarden stack.
You can use the container image we maintain inside of our GitHub Container Registry.
Alternatively, the `audit-scanner` binary can be built in this way:

```shell
$ make build
```
Have a look at CONTRIBUTING.md for more developer information.
For implementation details, see RFC-11, RFC-12.
The Audit scanner has its software bill of materials (SBOM) published with every release. It follows the SPDX version 2.2 format and can be found, together with the signature and certificate used to sign it, in the release assets.
The Kubewarden team is security conscious. You can find our threat model assessment and responsible disclosure approach in our Kubewarden docs.