2022-02-17 13:19:40 -05:00
---
stage: Configure
group: Configure
2022-03-08 04:17:44 -05:00
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
2022-02-17 13:19:40 -05:00
---
2022-06-08 14:09:19 -04:00
# Operational Container Scanning **(ULTIMATE)**
2022-02-17 13:19:40 -05:00
2022-03-01 10:22:06 -05:00
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/6346) in GitLab 14.8.
2022-02-17 13:19:40 -05:00
To view cluster vulnerabilities, you can view the [vulnerability report ](../../application_security/vulnerabilities/index.md ).
You can also configure your agent so the vulnerabilities are displayed with other agent information in GitLab.
2022-06-21 14:09:35 -04:00
## Enable operational container scanning **(ULTIMATE)**
2022-02-17 13:19:40 -05:00
2022-06-21 14:09:35 -04:00
You can use operational container scanning
2022-02-17 13:19:40 -05:00
to scan container images in your cluster for security vulnerabilities.
To begin scanning all resources in your cluster, add a `starboard`
2022-05-12 14:08:38 -04:00
configuration block to your agent configuration with a `cadence` field
containing a CRON expression for when the scans will be run.
2022-02-17 13:19:40 -05:00
```yaml
starboard:
2022-05-25 11:08:05 -04:00
cadence: '0 0 * * *' # Daily at 00:00 (Kubernetes cluster time)
2022-02-17 13:19:40 -05:00
```
2022-05-12 14:08:38 -04:00
The `cadence` field is required. GitLab supports the following types of CRON syntax for the cadence field:
2022-02-17 13:19:40 -05:00
2022-05-12 14:08:38 -04:00
- A daily cadence of once per hour at a specified hour, for example: `0 18 * * *`
- A weekly cadence of once per week on a specified day and at a specified hour, for example: `0 13 * * 0`
2022-02-17 13:19:40 -05:00
2022-05-12 14:08:38 -04:00
It is possible that other elements of the CRON syntax will work in the cadence field, however, GitLab does not officially test or support them.
2022-02-17 13:19:40 -05:00
2022-06-21 14:09:35 -04:00
By default, operational container scanning will attempt to scan the workloads in all
2022-05-12 14:08:38 -04:00
namespaces for vulnerabilities. The `vulnerability_report` block has a `namespaces`
field which can be used to restrict which namespaces are scanned. For example,
if you would like to scan only the `development` , `staging` , and `production`
namespaces, you can use this configuration:
2022-02-17 13:19:40 -05:00
```yaml
starboard:
2022-05-25 11:08:05 -04:00
cadence: '0 0 * * *'
2022-02-17 13:19:40 -05:00
vulnerability_report:
namespaces:
2022-05-12 14:08:38 -04:00
- development
- staging
- production
2022-02-17 13:19:40 -05:00
```
2022-06-21 14:09:35 -04:00
## View cluster vulnerabilities
Prerequisite:
- You must have at least the Developer role.
To view vulnerability information in GitLab:
1. On the top bar, select **Menu > Projects** and find the project that contains the agent configuration file.
1. On the left sidebar, select **Infrastructure > Kubernetes clusters** .
1. Select the **Agent** tab.
1. Select an agent to view the cluster vulnerabilities.
This information can also be found under [operational vulnerabilities ](../../../user/application_security/vulnerability_report/index.md#operational-vulnerabilities ).
