Releases: kubescape/node-agent

Release v0.3.113

12 May 12:22
cc59fa0

Summary by CodeRabbit

  • Bug Fixes
    • Improved validation messaging for rules with missing profile configurations. Consolidated multiple individual error logs into a single aggregated warning message for clearer feedback and reduced log noise.

Release v0.3.112

06 May 15:44
2d768cb

Summary by CodeRabbit

  • Chores
    • Service discovery now supports the API_URL environment variable for dynamic endpoint configuration, defaulting to api.armosec.io when unset.

Release v0.3.111

04 May 13:26
11e632f

Summary by CodeRabbit

  • New Features

    • Profile projection: compact projected container profiles and projection spec compilation/install with immediate reprojection on spec changes
    • Rules can declare which profile fields they require
    • Config toggle to enable detailed projection/memory-savings metrics
  • Behavior Changes

    • CEL helpers now consult projected profiles; exec/open/network checks focus on path/address (args/flags/port-protocol matching de-scoped)
  • Chores

    • Added projection and memory-savings metrics plus no-op/mock implementations
  • Tests

    • Many tests updated/added to cover projection, compilation, application, cache, and concurrency behavior

Release v0.3.108

29 Apr 14:09
dbe9a16

Memory-reduction rollout (NAUT-1283)

Reduces node-agent + kubevuln scan peak RSS by 30.7% on gitlab-ee
(1,621 MB → 1,123 MB), fitting a 1.5 GB cgroup with 377 MB margin.

Measured deltas (gitlab-ee, 113,836 files; kernel peak RSS via /usr/bin/time -v)

| Variant | Peak RSS | Δ vs main+all-cats |
|---|---|---|
| main + all catalogers | 1,621 MB | baseline |
| main + file-cats off | 1,419 MB | −202 MB |
| selective + file-cats off | 1,184 MB | −437 MB |
| combined + file-cats off | 1,123 MB | −498 MB (−30.7%) |

Initiative status

  • Initiative 1 — disable file catalogers (this PR for node-agent / kubevuln)
  • Initiative 2 — binary-cataloger prefilter (in kubescape/syft v1.32.0-ks.2)
  • Initiative 3 — selective indexing (in kubescape/syft v1.32.0-ks.2)
  • Initiative 4 — parallelism = 1 (already in place: node-agent uses workerpool.New(1); kubevuln scanConcurrency defaults to 1)
  • Initiative 5 — GOMEMLIMIT at 80% of cgroup (this PR for helm-charts)

Cross-repo PRs

  • helm-charts: kubescape/helm-charts#PENDING_HELM
  • node-agent: kubescape/node-agent#PENDING_NA
  • kubevuln: kubescape/kubevuln#PENDING_KV

Audit

Pre-merge audit confirmed no production-path consumer reads
sbom.Files[*].Digests or sbom.Files[*].Metadata in node-agent,
kubevuln, or kubescape/storage. The two storage consumers
(containerprofile_processor.go:172, applicationprofile_processor.go:67)
only read f.Location.RealPath, which the directory walker still
populates regardless of file-cataloger disable. Selective indexing also
keeps 99.9% of the file-path coverage on gitlab-ee
(113,265 of 113,382 paths).

Reference: shared-designs-and-docs/syft-memory-improvement/2026-04-28-rollout-design.md

Summary by CodeRabbit

  • Dependencies

    • Updated golang.org/x/tools to v0.43.0
    • Adjusted syft dependency to a specific compatible build
  • Improvements

    • SBOM generation now skips certain file-related analysis steps to reduce redundant file-level scanning

Release v0.3.97

23 Apr 11:24
c4e492f

Summary by CodeRabbit

  • Refactor
    • Improved io_uring event data field reading mechanism for enhanced reliability.

Release v0.3.94

20 Apr 16:18
d6fb040

Summary by CodeRabbit

  • Bug Fixes
    • Improved handling of host container events to ensure they are processed correctly through standard filtering logic rather than being skipped.

Release v0.3.91

15 Apr 17:12
c34943b

Adds package-level documentation to the dedupcache package. Trigger for release.

Release v0.3.79

03 Apr 07:08
9a09420

Summary

Report SBOM generation failures to POST /k8s/v2/scanFailure (careportreceiver) so users receive Slack/Teams notifications via the existing scan failure pipeline (event-ingester → UNS).

Changes

New files:

| File | Purpose |
|---|---|
| pkg/sbommanager/sbom_failure_reporter.go | SbomFailureReporter interface (single method) |
| pkg/sbommanager/v1/http_failure_reporter.go | HTTPSbomFailureReporter — POSTs to careportreceiver with X-API-KEY auth |

Modified files:

| File | Change |
|---|---|
| pkg/sbommanager/v1/sbom_manager.go | Added reportFailure() helper, instrumented 7 failure paths |
| cmd/main.go | Create reporter when EVENT_RECEIVER_REST_URL env var is set |

Instrumented failure paths:

| Failure | Reason Code | Path |
|---|---|---|
| Sidecar OOM after max retries | scanner_oom_killed | Sidecar |
| Sidecar scan error | sbom_generation_failed | Sidecar |
| Image too large for source | image_too_large | In-process |
| Syft SBOM generation failed | sbom_generation_failed | In-process |
| SBOM exceeds size limit | sbom_too_large | Both |
| Failed to save SBOM | sbom_storage_failed | Both |

Design

  • Same ScanFailureReport struct and endpoint as kubevuln (#334)
  • Enabled via EVENT_RECEIVER_REST_URL env var (Helm chart sets this)
  • Fire-and-forget: reporting in goroutine with 10s timeout, errors logged
  • No env var = no reporter = no reporting (backward compatible)
  • Uses access key from /etc/credentials for X-API-KEY header
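
An added Go example of the reporting design listed above (not the project's http_failure_reporter.go): the `reporter` type, the JSON payload fields and the key value are assumptions made for illustration, as is treating any non-2xx reply as a failure. The endpoint path, header name, environment variable and 10s timeout are the ones named on this page.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"os"
	"time"
)

type reporter struct{ baseURL, apiKey string }
var receiverURL = os.Getenv("EVENT_RECEIVER_REST_URL") // empty: reporting disabled

// send POSTs one report (hypothetical payload fields); 10s timeout bounds a hung receiver.
func (r *reporter) send(imageTag, reason string) error {
	body, _ := json.Marshal(map[string]string{"imageTag": imageTag, "reason": reason})
	req, err := http.NewRequest(http.MethodPost, r.baseURL+"/k8s/v2/scanFailure", bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("X-API-KEY", r.apiKey)
	resp, err := (&http.Client{Timeout: 10 * time.Second}).Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode >= 300 {
		return fmt.Errorf("receiver returned %s", resp.Status)
	}
	return nil
}

// Report is fire-and-forget: no-op without a URL; errors are logged, never returned.
func (r *reporter) Report(imageTag, reason string) {
	if r == nil || r.baseURL == "" {
		return
	}
	go func() {
		if err := r.send(imageTag, reason); err != nil {
			log.Printf("scan failure report not delivered: %v", err)
		}
	}()
}

func main() {
	(&reporter{receiverURL, "constructed-key"}).Report("registry.example/app:1.0", "sbom_too_large")
	time.Sleep(time.Second) // demo only: let the goroutine finish before exit
}
```

Run with EVENT_RECEIVER_REST_URL unset, it exercises the disabled path: Report returns immediately and nothing is sent.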

Related

Test plan

  • GOOS=linux go build ./cmd/... passes
  • GOOS=linux go build ./pkg/sbommanager/... passes
  • No go.mod/go.sum changes (uses existing armoapi-go v0.0.693)
  • E2E: deploy with EVENT_RECEIVER_REST_URL set, trigger SBOM failure, verify Slack notification

Summary by CodeRabbit

  • New Features

    • SBOM generation now emits failure reports to a configurable backend when a receiver URL is set.
    • Added a failure-reporting contract and an HTTP reporter that can include account/cluster identifiers and an optional API key.
  • Tests

    • Added unit tests validating HTTP reporting behavior, headers, payloads, and error handling.
  • Chores

    • Added a PR image build workflow to build and push test images for pull requests.

Release v0.3.75

31 Mar 08:05
0627d26

Summary by CodeRabbit

  • Bug Fixes
    • Improved hardlink and symlink monitoring compatibility on arm64 architecture systems.

Release v0.3.71

27 Mar 12:48
2b05e16

Summary by CodeRabbit

  • Chores
    • Updated numerous third‑party dependencies for compatibility, stability, and observability.
    • Refined metadata label handling and validation for more consistent resource metadata (including cloud account identifier normalization) and switched workload metadata sourcing for improved consistency.
    • Added an optional label-overrides capability to allow explicit label adjustments.
    • Added additional informational logging when container profiles are enqueued/saved to improve observability.
  • Tests
    • Updated a unit test input to exercise case/format variations in instance IDs.