Merged
2 changes: 1 addition & 1 deletion .github/workflows/release-build.yaml
Expand Up @@ -523,7 +523,7 @@ jobs:
file: ./scanners/${{ matrix.scanner }}/scanner/Dockerfile
build-args: |
baseImageTag=${{ env.baseImageTag }}
platforms: linux/amd64
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.docker_meta.outputs.tags }}
labels: ${{ steps.docker_meta.outputs.labels }}
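Review bot: adding `linux/arm64` to `platforms` only succeeds if the buildx builder used by this job can build arm64 (native arm64 runner or QEMU/binfmt emulation, e.g. a docker/setup-qemu-action step before this one) and if the image referenced by `baseImageTag` is published for arm64; otherwise the push fails for every scanner in the matrix, since this step is shared. Emulated Firefox/scanner builds are also slow, so expect the release job time to grow. After the push, verify the manifest list with `docker buildx imagetools inspect <tag>` and make sure whatever image scanning or signing the release does covers both architectures, not just the amd64 manifest.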
2 changes: 1 addition & 1 deletion scanners/screenshooter/README.md
Expand Up @@ -76,7 +76,7 @@ Kubernetes: `>=v1.11.0-0`
| scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) |
| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
| scanner.env | list | `[{"name":"MOZ_HEADLESS","value":"1"},{"name":"MOZ_DISABLE_CONTENT_SANDBOX","value":"1"},{"name":"MOZ_ENABLE_WAYLAND","value":"0"}]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/). Has default env vars set to run firefox without sandboxing. (the container is already sandboxed.) If you have a cluster with proper linux namespace support you might be able to use it without disabling the sandbox. |
| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
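Review bot: in the new `scanner.env` row, "the container is already sandboxed" carries the whole security argument but says nothing about what that sandbox is. `MOZ_DISABLE_CONTENT_SANDBOX=1` turns off Firefox's content-process sandbox, so a renderer bug triggered by a malicious target page is then contained only by the pod/container boundary. Please state which securityContext the scan job applies (non-root, no privilege escalation, seccomp profile) or how a user can check it, and turn "might be able to use it without disabling the sandbox" into concrete advice: drop the `MOZ_DISABLE_CONTENT_SANDBOX` entry first and only re-add it if Firefox fails to start with a namespace/sandbox error.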
2 changes: 1 addition & 1 deletion scanners/screenshooter/docs/README.ArtifactHub.md
Expand Up @@ -81,7 +81,7 @@ Kubernetes: `>=v1.11.0-0`
| scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) |
| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
| scanner.env | list | `[{"name":"MOZ_HEADLESS","value":"1"},{"name":"MOZ_DISABLE_CONTENT_SANDBOX","value":"1"},{"name":"MOZ_ENABLE_WAYLAND","value":"0"}]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/). Has default env vars set to run firefox without sandboxing. (the container is already sandboxed.) If you have a cluster with proper linux namespace support you might be able to use it without disabling the sandbox. |
| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
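Review bot: this `scanner.env` row is a copy of the one in scanners/screenshooter/README.md, so the same wording problem applies: the sentence "(the container is already sandboxed.)" should name the securityContext that backs that claim, and the advice about keeping the Firefox sandbox should be actionable. Whatever wording is chosen, keep the two README rows identical; if they are generated from the values.yaml comment, fix the comment there rather than editing both files by hand.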
9 changes: 8 additions & 1 deletion scanners/screenshooter/scanner/Dockerfile
Expand Up @@ -5,7 +5,14 @@
# This is using debian rather than alpine, as firefox on alpine seems to be missing some crucial fonts.
# This lets the screenshots taken on alpine look weird
FROM debian:13.4
RUN apt-get update && apt-get install firefox-esr -y
RUN apt-get update && apt-get install -y \
firefox-esr \
libpci-dev \
libgl1-mesa-dri \
libglx-mesa0 \
libdbus-glib-1-2 \
&& rm -rf /var/lib/apt/lists/*

RUN groupadd -g 1001 screenshooter \
&& useradd -M -u 1001 -g 1001 securecodebox
COPY wrapper.sh ./
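Review bot: `libpci-dev` is a development package (headers plus the unversioned .so symlink); at runtime Firefox only needs the shared library, which on Debian is `libpci3`. Using the -dev package pulls in extra files for no benefit and enlarges the image. The install line also runs without `--no-install-recommends`, so apt will add recommended packages on top of the five listed, which is the opposite of what the `rm -rf /var/lib/apt/lists/*` cleanup is trying to achieve. Suggested form:
`RUN apt-get update && apt-get install -y --no-install-recommends \`
`    firefox-esr libpci3 libgl1-mesa-dri libglx-mesa0 libdbus-glib-1-2 \`
`    && rm -rf /var/lib/apt/lists/*`
Note that the base image is pinned to `debian:13.4` but the packages are not, so two builds of the same Dockerfile can still differ; if reproducible images matter for the release, pin versions or record them in the image SBOM.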
10 changes: 8 additions & 2 deletions scanners/screenshooter/values.yaml
Expand Up @@ -65,8 +65,14 @@ scanner:
# memory: "512Mi"
# cpu: "500m"

# scanner.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
env: []
# scanner.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/). Has default env vars set to run firefox without sandboxing. (the container is already sandboxed.) If you have a cluster with proper linux namespace support you might be able to use it without disabling the sandbox.
env:
- name: MOZ_HEADLESS
value: "1"
- name: MOZ_DISABLE_CONTENT_SANDBOX
value: "1"
- name: MOZ_ENABLE_WAYLAND
value: "0"

# scanner.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
extraVolumes: []
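Review bot: because `scanner.env` is a list, a user who sets `scanner.env` to add a single variable of their own replaces all three defaults (Helm does not merge lists), so `MOZ_HEADLESS=1` disappears silently and Firefox will try to open a display. Either put the Firefox defaults into the job template or `wrapper.sh` and leave `env: []` for user additions, or state in the comment that an override must repeat the three entries. Separately, `MOZ_DISABLE_CONTENT_SANDBOX: "1"` as a default weakens isolation for a process that renders untrusted pages; the comment justifies it with "the container is already sandboxed" but nothing in this file sets a securityContext, so please either reference where that is enforced or make disabling the sandbox opt-in.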
3 changes: 3 additions & 0 deletions scanners/test-scan/Chart.yaml
Expand Up @@ -12,6 +12,9 @@ version: v3.1.0-alpha1
appVersion: "1.0"
kubeVersion: ">=v1.11.0-0"

annotations:
supported-platforms: linux/amd64,linux/arm64

keywords:
- security
- scanner
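Review bot: the `supported-platforms` annotation is set by hand and nothing ties it to what the release workflow actually pushes, so it will drift the first time a scanner's platforms change in `.github/workflows/release-build.yaml` without this file being touched. Consider a CI check that reads each chart's annotation and compares it against the matrix `platforms` value (or against `docker buildx imagetools inspect` on the pushed tag), so the annotation users rely on for pulling an arm64 image cannot be wrong.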