This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Configuration

API server

Environment VariableRequiredDefaultValuesDescription
OPENCLARITY_APISERVER_LISTEN_ADDRESS0.0.0.0:8888Address of the API Server to send requests to. Example: localhost:8890
OPENCLARITY_APISERVER_HEALTHCHECK_ADDRESS0.0.0.0:8081Bind address to used by the API Server for healthz endpoint. Example: localhost:8082 which will make the health endpoints be available at localhost:8082/healthz/live and localhost:8082/healthz/ready.
OPENCLARITY_APISERVER_DATABASE_DRIVERyesLOCALLOCAL, POSTGRESDatabase driver type. LOCAL = SQLite, POSTGRES = PostgreSQL.
OPENCLARITY_APISERVER_DB_NAMEIf OPENCLARITY_APISERVER_DATABASE_DRIVER is POSTGRESDatabase name.
OPENCLARITY_APISERVER_DB_USERIf OPENCLARITY_APISERVER_DATABASE_DRIVER is POSTGRESDatabase user.
OPENCLARITY_APISERVER_DB_PASSIf OPENCLARITY_APISERVER_DATABASE_DRIVER is POSTGRESDatabase user password.
OPENCLARITY_APISERVER_DB_HOSTIf OPENCLARITY_APISERVER_DATABASE_DRIVER is POSTGRESDatabase host, e.g. postgresql.
OPENCLARITY_APISERVER_DB_PORTIf OPENCLARITY_APISERVER_DATABASE_DRIVER is POSTGRESDatabase port, e.g. 5432.
OPENCLARITY_APISERVER_ENABLE_DB_INFO_LOGSfalseBoolean value whether to enable info logs of the database or not.
OPENCLARITY_APISERVER_LOCAL_DB_PATHIf OPENCLARITY_APISERVER_DATABASE_DRIVER is LOCALPath of the database, if LOCAL is used as databse driver, e.g. /data/openclarity.db.

Orchestrator

Environment VariableRequiredDefaultValuesDescription
OPENCLARITY_ORCHESTRATOR_PROVIDERyesawsaws, azure, gcp, dockerProvider used for Asset discovery and scans.
OPENCLARITY_ORCHESTRATOR_APISERVER_ADDRESSyesThe URL for the API Server used by the Orchestrator to interact with the API. Example: https://apiserver.example.com:8888/api
OPENCLARITY_ORCHESTRATOR_HEALTHCHECK_ADDRESS:8082Bind address to used by the Orchestrator for healthz endpoint. Example: localhost:8082 which will make the health endpoints be available at localhost:8082/healthz/live and localhost:8082/healthz/ready.
OPENCLARITY_ORCHESTRATOR_DISCOVERY_INTERVAL2mHow frequently the Discovery perform discovery of Assets.
OPENCLARITY_ORCHESTRATOR_CONTROLLER_STARTUP_DELAY7sThe time interval to wait between controller startups. Do NOT change this parameter unless you know what you are doing.
OPENCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_POLL_PERIOD15sHow frequently poll the API for events related AssetScan objects.
OPENCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_RECONCILE_TIMEOUT5mTime period for reconciling a AssetScan event is allowed to run.
OPENCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_ABORT_TIMEOUT10mTime period to wait for the Scanner to gracefully stop on-going scan for AssetScan before setting the state of the AssetScan to Failed.
OPENCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_DELETE_POLICYAlwaysAlways, Never, OnSuccessWhether to delete resources (disk snapshot, container snapshot/images) or not based on the status of the AssetScan. Always means the AssetScan is deleted no matter if it failed or not. Never skip cleaning up the resources created for scanning. OnSuccess means that cleanup is happening only iun case the AssetScan was successful.
OPENCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_SCANNER_CONTAINER_IMAGEyesThe Scanner container image used for running scans.
OPENCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_SCANNER_FRESHCLAM_MIRROR
OPENCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_SCANNER_APISERVER_ADDRESSThe URL for the API Server used by the Scanner to interact with the API. Example: https://apiserver.example.com:8888/api
OPENCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_SCANNER_EXPLOITSDB_ADDRESSThe URL for the ExploitsDB Server used by the Scanner.
OPENCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_SCANNER_TRIVY_SERVER_ADDRESSThe URL for the Trivy Server used by the Scanner.
OPENCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_SCANNER_TRIVY_SERVER_TIMEOUT5m
OPENCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_SCANNER_GRYPE_SERVER_ADDRESSThe URL for the Grype Server used by the Scanner.
OPENCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_SCANNER_GRYPE_SERVER_TIMEOUT2m
OPENCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_SCANNER_YARA_RULE_SERVER_ADDRESSThe URL for the Yara Rule Server used by the Scanner.
OPENCLARITY_ORCHESTRATOR_SCANCONFIG_WATCHER_POLL_PERIODHow frequently the ScanConfig Watcher poll the API for events related ScanConfig objects.
OPENCLARITY_ORCHESTRATOR_SCANCONFIG_WATCHER_RECONCILE_TIMEOUTTime period which a reconciliation for a ScanConfig event is allowed to run.
OPENCLARITY_ORCHESTRATOR_SCAN_WATCHER_POLL_PERIODHow frequently the AssetScan Watcher poll the API for events related Scan objects.
OPENCLARITY_ORCHESTRATOR_SCAN_WATCHER_RECONCILE_TIMEOUTTime period for reconciling a Scan event is allowed to run.
OPENCLARITY_ORCHESTRATOR_SCAN_WATCHER_SCAN_TIMEOUTTime period to wait for the Scan finish before marked it’s state as Failed with Timeout as a reason.
OPENCLARITY_ORCHESTRATOR_ASSETSCAN_PROCESSOR_POLL_PERIODHow frequently the AssetScan Processor poll the API for events related AssetScan objects.
OPENCLARITY_ORCHESTRATOR_ASSETSCAN_PROCESSOR_RECONCILE_TIMEOUTTime period for processing for a AssetScan result is allowed to run.
OPENCLARITY_ORCHESTRATOR_ASSETSCAN_ESTIMATION_WATCHER_POLL_PERIOD5s
OPENCLARITY_ORCHESTRATOR_ASSETSCAN_ESTIMATION_WATCHER_RECONCILE_TIMEOUT15s
OPENCLARITY_ORCHESTRATOR_SCAN_ESTIMATION_WATCHER_POLL_PERIOD5s
OPENCLARITY_ORCHESTRATOR_SCAN_ESTIMATION_WATCHER_RECONCILE_TIMEOUT2m
OPENCLARITY_ORCHESTRATOR_SCAN_ESTIMATION_WATCHER_ESTIMATION_TIMEOUT48h

Provider

AWS

Environment VariableRequiredDefaultDescription
OPENCLARITY_AWS_REGIONyesRegion where the Scanner instance needs to be created
OPENCLARITY_AWS_SUBNET_IDyesSubnetID where the Scanner instance needs to be created
OPENCLARITY_AWS_SECURITY_GROUP_IDyesSecurityGroupId which needs to be attached to the Scanner instance
OPENCLARITY_AWS_KEYPAIR_NAMEName of the SSH KeyPair to use for Scanner instance launch
OPENCLARITY_AWS_SCANNER_INSTANCE_ARCHITECTUREx86_64Architecture to be used for Scanner instance. The Provider will use this value to lookup for instance details in OPENCLARITY_AWS_SCANNER_INSTANCE_ARCHITECTURE_TO_TYPE_MAPPING and OPENCLARITY_AWS_SCANNER_INSTANCE_ARCHITECTURE_TO_AMI_MAPPING.
OPENCLARITY_AWS_SCANNER_INSTANCE_ARCHITECTURE_TO_TYPE_MAPPINGx86_64:t3.large,arm64:t4g.largeComma separated list of architecture:instance_type pairs used for OpenClarity Scanner instance
OPENCLARITY_AWS_SCANNER_INSTANCE_ARCHITECTURE_TO_AMI_MAPPINGx86_64:ami-03f1cc6c8b9c0b899,arm64:ami-06972d841707cc4cfComma separated list of architecture:ami_id pairs used for OpenClarity Scanner instance
OPENCLARITY_AWS_BLOCK_DEVICE_NAMExvdhBlock device name used for attaching Scanner volume to the Scanner instance

UI backend

Environment VariableRequiredDefaultValuesDescription
OPENCLARITY_UIBACKEND_APISERVER_ADDRESSyesThe URL for the API Server used by the UI backend to interact with the API. Example: https://apiserver.example.com:8888/api
OPENCLARITY_UIBACKEND_LISTEN_ADDRESS0.0.0.0:8890Address of the UI backend to send requests to. Example: localhost:8890
OPENCLARITY_UIBACKEND_HEALTHCHECK_ADDRESS0.0.0.0:8083Bind address to used by the UI backend for healthz endpoint. Example: localhost:8082 which will make the health endpoints be available at localhost:8083/healthz/live and localhost:8083/healthz/ready.