# Self-service CVE management for OpenShift RHACS with EPSS-driven prioritization

RHACS Manager provides namespace-scoped CVE visibility derived from Kubernetes RBAC. Security teams get org-wide oversight while regular users see only CVEs affecting their namespaces. EPSS probability scoring drives prioritization, helping teams focus on the vulnerabilities that matter most.

## Features
- EPSS-driven prioritization — Focus on exploitable CVEs, not just severity
- K8s RBAC scoping — Automatic namespace access from cluster annotations
- Risk acceptance workflows — Request, approve, and track CVE risk acceptances
- Escalation management — Namespace-scoped escalation tracking with auto-escalation
- Live dashboards — EPSS risk matrix, cluster heatmap, CVE aging, severity distribution
- Hub-spoke architecture — Central backend with lightweight spoke proxies per cluster
- Email notifications — Configurable digests and escalation alerts via SMTP
- Embeddable badges — SVG status badges for dashboards and docs
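As an added illustration (not code from the RHACS Manager repository), the Python sketch below shows how the two ideas above combine: findings are first filtered to the caller's `namespace:cluster` scopes (the format `just dev user payments:cluster-a` uses), then ordered EPSS-first with severity as the tie-breaker, and bucketed into a 2x2 EPSS-by-severity matrix. The simplified severity labels, the 0.1 EPSS threshold and the sample findings are assumptions made for the example.

```python
from dataclasses import dataclass

# Simplified severity labels (assumption; StackRox uses longer enum names internally).
SEVERITY_RANK = {"CRITICAL": 4, "IMPORTANT": 3, "MODERATE": 2, "LOW": 1}

@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str
    epss: float        # EPSS probability of exploitation in the next 30 days, 0.0 to 1.0
    namespace: str
    cluster: str

def parse_scope(scope: str) -> tuple[str, str]:
    """Split a 'namespace:cluster' scope string into its two parts."""
    namespace, cluster = scope.split(":", 1)
    return namespace, cluster

def scoped(findings, allowed_scopes):
    """Keep only findings inside the caller's scopes; None means org-wide (security team)."""
    if allowed_scopes is None:
        return list(findings)
    allowed = {parse_scope(s) for s in allowed_scopes}
    return [f for f in findings if (f.namespace, f.cluster) in allowed]

def risk_bucket(f: Finding, epss_threshold: float = 0.1) -> str:
    """Place a finding in one cell of a 2x2 EPSS-by-severity matrix (threshold is an assumption)."""
    severe = SEVERITY_RANK[f.severity] >= SEVERITY_RANK["IMPORTANT"]
    likely = f.epss >= epss_threshold
    if severe and likely:
        return "act-now"
    if likely:
        return "likely-exploited"
    if severe:
        return "severe-but-unlikely"
    return "monitor"

def prioritize(findings, allowed_scopes=None):
    """EPSS first, then severity, then CVE id, so the order is stable and reviewable."""
    visible = scoped(findings, allowed_scopes)
    return sorted(visible, key=lambda f: (-f.epss, -SEVERITY_RANK[f.severity], f.cve))

# Constructed sample findings; the CVE ids are placeholders, not real vulnerabilities.
SAMPLE = [
    Finding("CVE-0000-0001", "CRITICAL", 0.02, "payments", "cluster-a"),
    Finding("CVE-0000-0002", "MODERATE", 0.45, "payments", "cluster-a"),
    Finding("CVE-0000-0003", "IMPORTANT", 0.30, "billing", "cluster-a"),
    Finding("CVE-0000-0004", "LOW", 0.001, "payments", "cluster-a"),
]
```

Calling `prioritize(SAMPLE, ["payments:cluster-a"])` hides the `billing` finding and puts the moderate-severity CVE with the highest EPSS ahead of the critical one with a 2% exploitation probability.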

## Architecture

```
Spoke Cluster                                   Hub Cluster
┌──────────────────────────────────────┐        ┌──────────────────────┐
│ Route → OAuth Proxy → Namespace      │        │ Route → FastAPI      │
│ (OIDC)   Auth Header Injector (Go)   │───────▶│   ├─ StackRox DB     │
│ → Nginx (SPA)                        │  API   │   └─ App DB          │
└──────────────────────────────────────┘        └──────────────────────┘
```

## Quick start

```bash
# Prerequisites: PostgreSQL, Bun, Python 3.12, uv, just

# Start dev server (sec team user)
just dev

# Start as regular user with namespace access
just dev user payments:cluster-a

# Run tests
just test

# Lint
just lint
```

## Tech stack

| Layer | Technology |
|---|---|
| Frontend | React 19, Vite, PatternFly 6, TanStack Query 5, react-i18next |
| Backend | FastAPI, SQLAlchemy 2 (async), Alembic, Pydantic v2 |
| Runtime | Python 3.12, uv |
| Databases | PostgreSQL (app) + StackRox Central DB (read-only) |
| Auth | OpenShift OAuth / OIDC JWT / Dev mode |
| Deploy | Helm, OpenShift, multi-stage container builds |

## RHACS compatibility

| RHACS Version | Status |
|---|---|
| 4.10.x | Tested |

RHACS Manager reads directly from the StackRox Central database. Schema changes in future RHACS versions may require query updates. If you encounter issues with a newer version, please open an issue.

## Deployment

```bash
# Hub prerequisite: copy StackRox central DB password secret into rhacs-manager namespace
oc get secret central-db-password -n stackrox -o json \
  | jq 'del(.metadata.namespace, .metadata.resourceVersion, .metadata.uid, .metadata.creationTimestamp)' \
  | oc apply -n rhacs-manager -f -

# Hub
helm upgrade --install rhacs-manager deploy/helm/rhacs-manager \
  -n rhacs-manager --create-namespace \
  --set frontend.oauthProxy.cookieSecret='<base64-32-byte-secret>'

# Spoke
helm upgrade --install rhacs-manager-spoke deploy/helm/rhacs-manager \
  -n rhacs-manager --create-namespace \
  --set mode=spoke \
  --set spoke.oauthProxy.cookieSecret='<base64-32-byte-secret>'

# Plain YAML (without Helm on cluster)
just render-hub | oc apply -f -
just render-spoke | oc apply -f -
```

## Project structure

```
├── backend/                  FastAPI backend (hub only)
│   ├── app/
│   │   ├── routers/          API endpoints
│   │   ├── models/           SQLAlchemy ORM models
│   │   ├── stackrox/         Read-only StackRox queries
│   │   └── tasks/            Background jobs
│   └── alembic/              Database migrations
├── frontend/                 React SPA
│   └── src/
│       ├── pages/            One file per route
│       ├── components/       Reusable UI
│       └── i18n/             German translations
├── auth-header-injector/     Go sidecar for K8s RBAC
├── deploy/                   Deployment artifacts
│   └── helm/                 Helm chart (hub + spoke)
└── justfile                  Dev workflow commands
```