github stackrox/stackrox 4.7.0

4 days ago

Added Features

  • ROX-26847: RHCOS Node Scanning with Scanner V4
    • ROX-27719: is now enabled by default on all secured clusters and will be preferred over the StackRox Scanner if Scanner V4 is installed and connected to Central.
    • ROX-25625: can now detect vulnerabilities for the containerized image of the RHCOS itself.
    • ROX-26849: uses report caching to avoid repeated IO load on the nodes.
  • ROX-25638: Introduce configurable log rotation. The ROX_LOGGING_MAX_ROTATION_FILES and ROX_LOGGING_MAX_SIZE_MB variables configure the number and the size of Central log rotation files.
  • ROX-14332: Automatic service certificate renewal for Secured Clusters installed using Helm or operator.
  • Scanner V4 adds support for openSUSE Leap 15.5 and 15.6
  • ROX-26088: Introduced Cluster Registration Secrets (CRS) as a successor to init bundles for registering Secured Clusters.
  • ROX-24052: Tech Preview - SBOMs can now be generated from Scanner V4 image scans via the UI, CLI (roxctl image sbom), and API (/api/v1/images/sbom). Only scans executed via Central are supported; delegated scans will be supported in a future release. This feature can be disabled by setting ROX_SBOM_GENERATION to false.
  • ROX-21529: Short-lived token authentication for Azure integrations with Azure workload or managed identities.
  • ROX-23735: Distinct autogenerated image integrations will now be created for the OCP global pull secret (the "pull-secret" secret in the "openshift-config" namespace). This can be disabled by setting ROX_AUTOGENERATE_GLOBAL_PULLSEC_REGISTRIES to false on Central and Sensor.

Removed Features

  • Scanner V4 drops support for openSUSE Leap 15.0 and 15.1
  • ROX-18384: Slim Mode for Collector has been removed following deprecation in 4.5. Any clusters configured to use slim mode will be converted to use regular Collector images.
    • RELATED_IMAGE_COLLECTOR_SLIM and RELATED_IMAGE_COLLECTOR_FULL environment variables have been removed in favor of RELATED_IMAGE_COLLECTOR. Users who set these variables to override Collector images should either use the new environment variable or use another image override mechanism for their chosen installation method.

Deprecated Features

  • The Azure integration payload in /v1/imageintegrations has been changed from {..., "type": "azure", "docker": {...}} to {..., "type": "azure", "azure": {...}}. The former schema is still supported, but is now considered deprecated. If delegated scanning is used in combination with new or updated Azure image integrations, make sure that both Central and Secured Clusters are upgraded to ACS version >= 4.7.
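
A pre-upgrade audit for the schema change above, as an added example (not StackRox project code). It assumes you have the integration objects as parsed JSON and a name-to-version map of your components; the "name" and "id" fields and the version map are assumptions, and the sample data is constructed.

```python
import re

MIN_VERSION = (4, 7)  # the release note requires ACS version >= 4.7

def parse_version(text):
    """Return (major, minor) from strings such as '4.7.0' or '4.6.3-rc.1'."""
    match = re.match(r"(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognized version: {text!r}")
    return int(match.group(1)), int(match.group(2))

def classify_azure(integration):
    """Say which Azure payload schema one integration object carries."""
    if integration.get("type") != "azure":
        return "not-azure"
    has_new = isinstance(integration.get("azure"), dict)
    has_old = isinstance(integration.get("docker"), dict)
    if has_new and has_old:
        return "ambiguous"
    if has_new:
        return "current"
    return "deprecated" if has_old else "missing-config"

def audit(integrations, central_version, cluster_versions):
    """Return (name, finding) pairs; config contents are never echoed."""
    versions = {"central": central_version, **cluster_versions}
    behind = sorted(n for n, v in versions.items() if parse_version(v) < MIN_VERSION)
    findings = []
    for item in integrations:
        label = item.get("name") or item.get("id") or "<unnamed>"
        kind = classify_azure(item)
        if kind == "deprecated":
            findings.append((label, "uses deprecated 'docker' payload"))
        elif kind in ("ambiguous", "missing-config"):
            findings.append((label, f"needs review: {kind}"))
        elif kind == "current" and behind:
            # Only matters when delegated scanning is in use.
            findings.append((label, "new 'azure' payload, below 4.7: " + ", ".join(behind)))
    return findings

# Constructed sample; payload contents left empty, as the page elides them.
SAMPLE = [
    {"name": "acr-legacy", "type": "azure", "docker": {}},
    {"name": "acr-new", "type": "azure", "azure": {}},
    {"name": "internal", "type": "docker", "docker": {}},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, "4.7.0", {"prod-east": "4.7.0", "edge": "4.6.3"}):
        print(f"{name}: {finding}")
```

The findings carry only integration names and component names, so the output is safe to paste into a ticket even though the input objects may hold registry credentials.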

Technical Changes

  • Scanner V4 now uses Red Hat's VEX files instead of the CVE map for vulnerability data related to non-RPM content inside of official Red Hat images.
  • ROX_NODE_INDEX_CONTAINER_API is no longer a valid environment variable to set in the Compliance pod.
    • The node scanner never reached out to the Red Hat Container Catalog, so this variable was never used.
  • ROX-27253: Scanner V4 now reads Red Hat's CSAF data to alleviate inconsistent Red Hat advisory (RHSA/RHBA/RHEA) data.
    • Use of this data may be disabled by setting ROX_SCANNER_V4_RED_HAT_CSAF to false in Scanner V4 Matcher.
    • ROX-27916 ROX-27985 ROX-27986: Replace links to docs in console UI
      • from docs dot openshift dot com
      • to docs dot redhat dot com
  • ROX-26763: Identify defunct processes before they induce parsing errors in Collector.
