Using Alauda Security Service in Offline Mode
Alauda Security Service can be deployed in environments without internet access. In offline mode, Central and Scanner continue to operate without reaching public endpoints, but vulnerability definitions must be supplied manually.
Enabling Offline Mode
When installing the Central service by using the operator custom resource, set the egress connectivity policy to offline:
This setting matches the installation flow documented in Alauda Security Service for StackRox Installation.
Updating Vulnerability Definitions
Scanner maintains a local vulnerability database. In online mode, Central retrieves the latest vulnerability data from the internet, and Scanner syncs with Central. In offline mode, you must manually update the vulnerability data by uploading a definitions file to Central, which Scanner then retrieves.
- Scanner checks for new data from Central every 5 minutes by default.
- The offline data source is updated approximately every 3 hours.
Downloading the Definitions
- Use the following command to download the definitions:
- Alternatively, download from:
https://install.stackrox.io/scanner/scanner-vuln-updates.zip
Uploading the Definitions to Central
You can upload the vulnerability definitions database to Central by using either an API token or an administrator password.
Using an API Token
Prerequisites:
- API token with administrator role
- roxctl CLI installed
Procedure:
Using a Password
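The whole offline flow described above (switching Central to offline mode, staging the definitions bundle with a recorded digest, then uploading it with either an API token or the administrator password) as one added shell example. This script is not part of the Alauda documentation or of the StackRox project; it assumes the upstream StackRox operator CR (kind Central, platform.stackrox.io/v1alpha1, spec.egress.connectivityPolicy) with its default CR name and namespace, and the upstream roxctl scanner upload-db subcommand with the -e, -p and --scanner-db-file options and the ROX_API_TOKEN environment variable. The DRY_RUN switch, the digest sidecar file and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not Alauda or StackRox code): two-stage offline definitions workflow.
# Stage 1 runs on a connected host, stage 2 on the offline host that can reach Central.
# Assumed upstream conventions: Central CR fields, roxctl scanner upload-db, ROX_API_TOKEN.
set -eu

BUNDLE_URL="https://install.stackrox.io/scanner/scanner-vuln-updates.zip"

# Portable SHA-256 of a file (coreutils sha256sum, or shasum on BSD/macOS).
digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Print a command instead of running it when DRY_RUN=1 (used for review and for tests).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Central CR fragment that sets the egress connectivity policy to offline.
# The CR name and namespace are the upstream defaults and are assumptions here.
central_offline_manifest() {
  cat <<'EOF'
apiVersion: platform.stackrox.io/v1alpha1
kind: Central
metadata:
  name: stackrox-central-services
  namespace: stackrox
spec:
  egress:
    connectivityPolicy: Offline
EOF
}

# Stage 1 (connected host): download the bundle and record its digest beside it, so the
# file can be promoted through the offline distribution path with a checkable identity.
fetch_bundle() {
  out="$1"
  curl -fsSL "$BUNDLE_URL" -o "$out"
  digest "$out" > "$out.sha256"
}

# Stage 2 (offline host): refuse a bundle whose digest no longer matches the one recorded
# at download time. Returns 0 on match, 1 when either file is missing or bytes changed.
verify_bundle() {
  file="$1"
  [ -f "$file" ] && [ -f "$file.sha256" ] || return 1
  [ "$(digest "$file")" = "$(cat "$file.sha256")" ]
}

# Upload with either auth method. Token mode relies on ROX_API_TOKEN being exported, so
# the secret never appears in argv or shell history; password mode passes the admin
# password with -p, which is visible in process listings, so prefer the token path.
upload_bundle() {
  mode="$1"; file="$2"; endpoint="$3"
  verify_bundle "$file" || { echo "digest mismatch for $file, refusing to upload" >&2; return 1; }
  case "$mode" in
    token)    run roxctl scanner upload-db -e "$endpoint" --scanner-db-file="$file" ;;
    password) run roxctl scanner upload-db -e "$endpoint" -p "${4:?admin password required}" --scanner-db-file="$file" ;;
    *)        echo "unknown auth mode: $mode" >&2; return 1 ;;
  esac
}

# Usage (connected host):  fetch_bundle scanner-vuln-updates.zip
# Usage (offline host):    central_offline_manifest | kubectl apply -f -
#                          export ROX_API_TOKEN=...; upload_bundle token scanner-vuln-updates.zip central.example:443
```

The digest sidecar is the check worth keeping: it ties the file that arrives at the offline Central to the bytes fetched from the public endpoint, so a bundle altered anywhere along the distribution path is rejected before roxctl ever sends it. Run with DRY_RUN=1 first to confirm the exact roxctl invocation for the chosen auth mode.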
Operational Notes
- Keep the downloaded bundle file in your offline software distribution path so that it can be promoted alongside image content and deployment manifests.
- In larger environments, update the bundle on a regular schedule to reduce drift between actual scanner results and current vulnerability definitions.
- Recent releases handle offline vulnerability bundles more efficiently, but the upload workflow remains the same from an operator perspective.