Vulnerability Scanning
RepoFlow includes built-in vulnerability scanning to help identify security risks in packages. Currently, we use Grype to scan packages, with plans to support additional scanners in the future.
How It Works
By default, vulnerability scanning is enabled, but it remains optional. If needed, you can disable it via the server environment settings. More details on configuring the server environment can be found here.
Note: Vulnerability scanning can increase CPU and RAM usage during scans. Ensure that your system has sufficient resources to handle scanning operations efficiently.
Grype Integration
Grype is bundled as part of the RepoFlow Docker image, so scanning works without additional setup. The Helm chart provisions a dedicated volume for the vulnerability database, so the server does not have to download it again each time. If desired, you can disable this volume through the Helm chart or Docker Compose configuration. Additionally, the automatic update of the vulnerability database can be turned off via server environment variables.
Support for Air-Gapped Environments
For environments without internet access, we provide a dedicated air-gapped Docker image tagged as airgapped. This version includes the latest vulnerability database at the time of release, ensuring security scanning remains effective even in isolated environments.
Supported Package Types
Currently, RepoFlow supports vulnerability scanning for the following package types:
- Docker
- PyPI
- Maven
- Go
- RPM
- Debian
Additional package types will be supported in future updates.
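The Grype integration and package-type list above describe what gets scanned but not what to do with the findings. The following script is an added example, not part of RepoFlow or Grype: it reads a report in the shape of `grype -o json` output (assumed layout: `matches[].vulnerability` and `matches[].artifact`), summarizes findings per severity and per ecosystem, and lists those at or above a chosen severity so a pipeline can block on them. The embedded report and its CVE ids are constructed sample data.

```python
import json
from collections import Counter

# Constructed sample in the shape of `grype -o json` output (assumption:
# the `matches[].vulnerability` / `matches[].artifact` layout). Only the
# fields the policy below reads are included; CVE ids are placeholders.
SAMPLE_GRYPE_JSON = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"state": "fixed", "versions": ["1.1.1w"]}},
         "artifact": {"name": "openssl", "version": "1.1.1k", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "requests", "version": "2.25.0", "type": "python"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                           "fix": {"state": "fixed", "versions": ["3.5.1"]}},
         "artifact": {"name": "log4j-core", "version": "2.14.1", "type": "java-archive"}},
    ]
})

# Grype severity labels, ordered; Unknown is ranked below Negligible on purpose.
SEVERITY_RANK = {"Unknown": -1, "Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def summarize(report_json: str) -> dict:
    """Count matches per severity label and per package ecosystem (artifact.type)."""
    report = json.loads(report_json)
    by_severity, by_ecosystem = Counter(), Counter()
    for m in report.get("matches", []):
        by_severity[m["vulnerability"].get("severity", "Unknown")] += 1
        by_ecosystem[m["artifact"].get("type", "unknown")] += 1
    return {"severity": dict(by_severity), "ecosystem": dict(by_ecosystem)}


def blocking_findings(report_json: str, threshold: str = "High") -> list:
    """Return (cve, package, version, remedy) for findings at or above threshold.
    Unrated (Unknown) findings are included so they do not pass silently."""
    report = json.loads(report_json)
    floor = SEVERITY_RANK[threshold]
    hits = []
    for m in report.get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        rank = SEVERITY_RANK.get(vuln.get("severity", "Unknown"), -1)
        if rank == -1 or rank >= floor:
            fix = vuln.get("fix", {})
            remedy = ", ".join(fix.get("versions") or []) or fix.get("state", "unknown")
            hits.append((vuln["id"], art["name"], art["version"], remedy))
    return hits


if __name__ == "__main__":
    print(summarize(SAMPLE_GRYPE_JSON))
    for cve, pkg, ver, remedy in blocking_findings(SAMPLE_GRYPE_JSON):
        print(f"BLOCK {cve} {pkg}@{ver} remedy: {remedy}")
```

Pointing the script at a real report (`grype <image-or-directory> -o json > report.json`) replaces the constructed sample; the threshold is the policy knob.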