Container Security Operator

Kubernetes operator that brings Quay/Clair security metadata to clusters. Watches pods, queries registries for vulnerabilities, exposes findings via ImageManifestVuln CRDs.

Quick Reference

Task	Command
Build	`make build`
Run locally	`make run`
Install CRDs	`make installcrds`
Run tests	`go test -v ./...`
Regenerate code	`make codegen`

Project Structure

cmd/security-labeller/  # Entrypoint
labeller/               # Core controller (informers, reconciliation)
secscan/                # Registry client for vulnerability data
image/                  # Container image ID parsing
apis/secscan/v1alpha1/  # CRD types
generated/              # Auto-generated clients (do not edit)
bundle/                 # OLM deployment manifests

Key Flow

Labeller watches Pod events via informers
Parses container image IDs from running pods
Queries registry's .well-known/app-capabilities endpoint
Fetches vulnerability data from Clair via manifest-security API
Creates/updates ImageManifestVuln resources
Garbage collects orphaned manifests on pod deletion

Detailed Documentation

For specific topics, see:

@agent_docs/architecture.md - Component details, CRD structure, configuration
@agent_docs/development.md - Building, testing, code generation
@agent_docs/deployment.md - OLM deployment, container builds

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Container Security Operator

Quick Reference

Project Structure

Key Flow

Detailed Documentation

FilesExpand file tree

AGENTS.md

Latest commit

History

AGENTS.md

File metadata and controls

Container Security Operator

Quick Reference

Project Structure

Key Flow

Detailed Documentation