From bb676f3d8b1e5537f8f51515b1a030248d312e34 Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach
Date: Mon, 13 Apr 2026 13:40:44 +0200
Subject: [PATCH 1/4] Update debian packages to reduce number of warns about missing drivers

Signed-off-by: Jannik Hollenbach
---
 scanners/screenshooter/scanner/Dockerfile | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/scanners/screenshooter/scanner/Dockerfile b/scanners/screenshooter/scanner/Dockerfile
index 457fa61fe..5ac69a31c 100644
--- a/scanners/screenshooter/scanner/Dockerfile
+++ b/scanners/screenshooter/scanner/Dockerfile
@@ -5,7 +5,14 @@
 # This is using debian rather than alpine, as firefox on alpine seems to be missing some crucial fonts.
 # This lets the screenshots taken on alpine look weird
 FROM debian:13.4
-RUN apt-get update && apt-get install firefox-esr -y
+RUN apt-get update && apt-get install -y \
+ firefox-esr \
+ libpci-dev \
+ libgl1-mesa-dri \
+ libglx-mesa0 \
+ libdbus-glib-1-2 \
+ && rm -rf /var/lib/apt/lists/*
+
 RUN groupadd -g 1001 screenshooter \
 && useradd -M -u 1001 -g 1001 securecodebox
 COPY wrapper.sh ./

From 24583958c3a4995a4999cbad521273829384b316 Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach
Date: Mon, 13 Apr 2026 13:41:21 +0200
Subject: [PATCH 2/4] Set firefox flags to run wihout linux namespace support

Setting them via env so people can overwrite them more easily

Signed-off-by: Jannik Hollenbach
---
 scanners/screenshooter/README.md | 2 +-
 scanners/screenshooter/docs/README.ArtifactHub.md | 2 +-
 scanners/screenshooter/values.yaml | 10 ++++++++--
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/scanners/screenshooter/README.md b/scanners/screenshooter/README.md
index 2d79bdf6e..eaf7d6380 100644
--- a/scanners/screenshooter/README.md
+++ b/scanners/screenshooter/README.md
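Review bot: The new `apt-get install -y` line pulls recommended packages and a `-dev` package into a runtime image: `libpci-dev` is the build-time package (headers plus a dev symlink), while Firefox only needs the shared library at runtime, which on Debian is the separate `libpci3` package — verify that it still silences the driver warning before swapping, since that is the stated reason for the change. Adding `--no-install-recommends` keeps the installed set to what is listed and is the usual way to limit image size and attack surface here, i.e. `RUN apt-get update && apt-get install -y --no-install-recommends \`. Nothing in the list is version-pinned, so two builds of the same Dockerfile can produce different package sets; if reproducible scanner images matter for this project, that is worth a comment on the `FROM debian:13.4` line stating that package versions float within that base.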
@@ -76,7 +76,7 @@ Kubernetes: `>=v1.11.0-0`
 | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) |
 | scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
 | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
-| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
+| scanner.env | list | `[{"name":"MOZ_HEADLESS","value":"1"},{"name":"MOZ_DISABLE_CONTENT_SANDBOX","value":"1"},{"name":"MOZ_ENABLE_WAYLAND","value":"0"}]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/). Has default env vars set to run firefox without sandboxing. (the container is already sandboxed.) If you have a cluster with proper linux namespace support you might be able to use it without disabling the sandbox. 
|
 | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
 | scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
diff --git a/scanners/screenshooter/docs/README.ArtifactHub.md b/scanners/screenshooter/docs/README.ArtifactHub.md
index 9b4c7bc49..d910818be 100644
--- a/scanners/screenshooter/docs/README.ArtifactHub.md
+++ b/scanners/screenshooter/docs/README.ArtifactHub.md
@@ -81,7 +81,7 @@ Kubernetes: `>=v1.11.0-0`
 | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) |
 | scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
 | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
-| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
+| scanner.env | list | `[{"name":"MOZ_HEADLESS","value":"1"},{"name":"MOZ_DISABLE_CONTENT_SANDBOX","value":"1"},{"name":"MOZ_ENABLE_WAYLAND","value":"0"}]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/). Has default env vars set to run firefox without sandboxing. (the container is already sandboxed.) If you have a cluster with proper linux namespace support you might be able to use it without disabling the sandbox. 
|
 | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
 | scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
diff --git a/scanners/screenshooter/values.yaml b/scanners/screenshooter/values.yaml
index 2f57966b6..e35fc1959 100644
--- a/scanners/screenshooter/values.yaml
+++ b/scanners/screenshooter/values.yaml
@@ -65,8 +65,14 @@ scanner:
 # memory: "512Mi"
 # cpu: "500m"
 
- # scanner.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
- env: []
+ # scanner.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/). Has default env vars set to run firefox without sandboxing. (the container is already sandboxed.) If you have a cluster with proper linux namespace support you might be able to use it without disabling the sandbox.
+ env:
+ - name: MOZ_HEADLESS
+ value: "1"
+ - name: MOZ_DISABLE_CONTENT_SANDBOX
+ value: "1"
+ - name: MOZ_ENABLE_WAYLAND
+ value: "0"
 
 # scanner.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
 extraVolumes: []

From 5d6ece9f1ce8b126d19fd7d2523fa0c8d0cb6fa5 Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach
Date: Mon, 13 Apr 2026 13:49:57 +0200
Subject: [PATCH 3/4] Add ARM64 builds for out first party scanner image

Signed-off-by: Jannik Hollenbach
---
 .github/workflows/release-build.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
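Review bot: Helm replaces list-valued settings instead of merging them, so a user who sets `scanner.env` to add a single variable of their own silently drops all three defaults, including `MOZ_HEADLESS`, and the new `# scanner.env --` comment does not warn about it; I would append `Overriding this list replaces it entirely, so copy the three default entries when adding your own.` to that comment. The comment justifies `MOZ_DISABLE_CONTENT_SANDBOX: "1"` with "the container is already sandboxed", but this scanner renders pages from the scan targets, so with the content sandbox off the pod's own isolation (non-root user, dropped capabilities, no privilege escalation, seccomp) becomes the only boundary between a hostile page and the job — the hunk does not show whether the chart sets a `securityContext`, so that should be confirmed and the comment should point to it rather than assert it in passing. The same default list is copied verbatim into the two README tables in this patch, so any wording change here needs to be mirrored there.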
diff --git a/.github/workflows/release-build.yaml b/.github/workflows/release-build.yaml
index f7fb8f5ab..1b24040eb 100644
--- a/.github/workflows/release-build.yaml
+++ b/.github/workflows/release-build.yaml
@@ -523,7 +523,7 @@ jobs:
 file: ./scanners/${{ matrix.scanner }}/scanner/Dockerfile
 build-args: |
 baseImageTag=${{ env.baseImageTag }}
- platforms: linux/amd64
+ platforms: linux/amd64,linux/arm64
 push: true
 tags: ${{ steps.docker_meta.outputs.tags }}
 labels: ${{ steps.docker_meta.outputs.labels }}

From 796c30d2dd8ca50ec3417b06b4776a35e5a74ec9 Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach
Date: Mon, 13 Apr 2026 13:51:50 +0200
Subject: [PATCH 4/4] Consistently use supported-platforms label

Signed-off-by: Jannik Hollenbach
---
 scanners/test-scan/Chart.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/scanners/test-scan/Chart.yaml b/scanners/test-scan/Chart.yaml
index de6ef2f5f..078a48e33 100644
--- a/scanners/test-scan/Chart.yaml
+++ b/scanners/test-scan/Chart.yaml
@@ -12,6 +12,9 @@ version: v3.1.0-alpha1
 appVersion: "1.0"
 kubeVersion: ">=v1.11.0-0"
 
+annotations:
+ supported-platforms: linux/amd64,linux/arm64
+
 keywords:
 - security
 - scanner
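Review bot: `platforms: linux/amd64,linux/arm64` applies to every `matrix.scanner` entry of this build step, not only the screenshooter image adapted in the first patch, so any scanner in the matrix whose Dockerfile pulls an amd64-only base image or binary will now either fail the release or push an arm64 tag that does not run; each matrix entry should be checked, or arm64 gated per scanner, before this lands. The hunk also does not show a QEMU/buildx setup step earlier in the job, which a cross-platform build needs — presumably it exists above the hunk, but worth confirming. The Chart.yaml hunk in this same patch series adds `supported-platforms: linux/amd64,linux/arm64` only to test-scan, and nothing visible ties that annotation to the workflow's `platforms` value, so the other scanner charts built by this step need the same annotation (or the workflow should derive it) for the label to stay truthful. The enclosing build step and job begin above the hunk.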