Security Scanning

Generate SBOMs, CBOMs, and malware reports from running containers.

This guide covers CLI commands for testing and one-off scans. For automated scanning, see Scheduling.


Find Your Workloads

List pods that reel can operate on:

reel get workloads -n <namespace>

SBOM (Software Bill of Materials)

Generate a full software inventory with vulnerability and secret detection using Trivy.

# S3
reel export sbom <pod> -n <namespace> --dest s3://bucket/sboms/
# Local file
reel export sbom <pod> -n <namespace> --dest sbom.json

By default this runs all scanners. Use --scanners vuln or --scanners secret to run specific ones. See S3 Exports for bucket configuration.

Output is CycloneDX 1.5 JSON, compatible with Dependency-Track, OWASP tools, and most SBOM platforms.
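Before handing an SBOM to a platform, it is worth checking what the scan actually found. The following is an added example, not part of reel or its output: it reads a CycloneDX 1.5 document of the kind reel export sbom writes, reports the worst rating per vulnerability, groups findings by affected component, and applies a pass/fail gate. The document below is constructed sample data following the CycloneDX 1.5 field names (bomFormat, specVersion, components[].bom-ref, vulnerabilities[].ratings[].severity, vulnerabilities[].affects[].ref); the EXAMPLE-* identifiers and the "fail on high" threshold are placeholders, not real advisories or a reel default.

```python
"""Summarise a CycloneDX 1.5 SBOM by vulnerability severity and gate on it.

Added example, independent of reel. SAMPLE_SBOM is constructed data shaped like
the CycloneDX 1.5 schema; a real document comes from:
    reel export sbom <pod> -n <namespace> --dest sbom.json
"""
import json
from collections import Counter

# Most to least severe; anything not listed sorts after "unknown".
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info", "none", "unknown"]

# Constructed sample SBOM (vulnerability ids are placeholders, not real CVEs).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:deb/debian/openssl@3.0.11-1", "type": "library",
         "name": "openssl", "version": "3.0.11-1"},
        {"bom-ref": "pkg:npm/lodash@4.17.20", "type": "library",
         "name": "lodash", "version": "4.17.20"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001",
         "ratings": [{"severity": "high"}, {"severity": "critical"}],
         "affects": [{"ref": "pkg:npm/lodash@4.17.20"}]},
        {"id": "EXAMPLE-0002",
         "ratings": [{"severity": "medium"}],
         "affects": [{"ref": "pkg:deb/debian/openssl@3.0.11-1"}]},
        {"id": "EXAMPLE-0003",
         "ratings": [],
         "affects": [{"ref": "pkg:deb/debian/openssl@3.0.11-1"}]},
    ],
})


def load_sbom(text):
    """Parse the JSON and refuse anything that is not CycloneDX 1.5."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or bom.get("specVersion") != "1.5":
        raise ValueError("expected a CycloneDX 1.5 document")
    return bom


def worst_severity(vuln):
    """Highest severity across a vulnerability's ratings; 'unknown' if none."""
    sevs = [r.get("severity", "unknown").lower() for r in vuln.get("ratings", [])]
    if not sevs:
        return "unknown"
    rank = lambda s: SEVERITY_ORDER.index(s) if s in SEVERITY_ORDER else len(SEVERITY_ORDER)
    return min(sevs, key=rank)


def summarize(text):
    """Return severity counts and a per-component list of (id, severity)."""
    bom = load_sbom(text)
    components = bom.get("components", [])
    names = {c["bom-ref"]: f'{c["name"]}@{c.get("version", "?")}'
             for c in components if "bom-ref" in c}
    counts = Counter()
    by_component = {}
    for vuln in bom.get("vulnerabilities", []):
        sev = worst_severity(vuln)
        counts[sev] += 1
        for affected in vuln.get("affects", []):
            ref = affected.get("ref")
            by_component.setdefault(names.get(ref, ref), []).append((vuln.get("id"), sev))
    return {"components": len(components), "counts": dict(counts), "by_component": by_component}


def gate(text, fail_on="high"):
    """True when no vulnerability is rated at or above `fail_on`."""
    counts = summarize(text)["counts"]
    blocked = SEVERITY_ORDER[: SEVERITY_ORDER.index(fail_on) + 1]
    return not any(counts.get(s) for s in blocked)


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_SBOM), indent=2))
    print("gate passed" if gate(SAMPLE_SBOM) else "gate FAILED")
```

The gate keys on the worst rating a vulnerability carries because Trivy-style output often lists several ratings from different sources for one finding; taking the first would understate risk. Findings with no ratings are counted as "unknown" rather than dropped, so they still show up in the report.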

CBOM (Cryptographic Bill of Materials)

Identify cryptographic assets for quantum readiness assessment.

reel export cbom <pod> -n <namespace> --dest cbom.json

What It Detects

Category      Examples
Algorithms    AES, RSA, SHA-256, ECDSA
Certificates  X.509 certs with expiration dates
Protocols     TLS/SSH configurations
Keys          Public/private key files

Malware Scanning

Scan container filesystems with ClamAV.

reel export malware <pod> -n <namespace> --dest malware.json

Scan a specific path:

reel export malware my-app /var/www -n production --dest malware.json

Detects: Viruses, trojans, rootkits, suspicious executables, and known malicious patterns.

The ClamAV sidecar must be enabled in the Helm values. Check its status with reel health.

Scheduled Scanning

Daily SBOM + Weekly CBOM

annotations:
  # reel.io/s3-bucket, reel.io/s3-region, reel.io/s3-secret...
  reel.io/schedule: |
    0 2 * * * | export sbom --scanners vuln
    0 2 * * 0 | export cbom

See Scheduling for full configuration and S3 Exports for authentication setup.
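A malformed schedule line means a scan that silently never runs, so it pays to validate the annotation before applying it. The following is an added example, not part of reel: it parses the annotation value line by line using the format shown above (a 5-field cron expression, a "|" separator, then the export command), checks each cron field against the standard ranges, and confirms the command is one of the exports this page documents (sbom, cbom, malware). The sample value is constructed to mirror the snippet above; that reel accepts only these three export commands in the annotation, and only plain 5-field cron syntax, are assumptions of this example.

```python
"""Validate a reel.io/schedule annotation value before it is applied.

Added example, independent of reel. Assumes the "<cron> | <command>" line format
from the documentation snippet; cron checks cover 5 numeric fields with
*, n, a-b, */n, a-b/n and comma lists (no month/day names, no @-aliases).
"""
import re

# Exports documented on this page; assumed to be the full set the scheduler accepts.
EXPORTS = {"sbom", "cbom", "malware"}
FIELD_NAMES = ["minute", "hour", "day-of-month", "month", "day-of-week"]
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]  # 0 and 7 are both Sunday

# Constructed annotation value: daily SBOM at 02:00, weekly CBOM on Sunday.
SAMPLE_SCHEDULE = """\
0 2 * * * | export sbom --scanners vuln
0 2 * * 0 | export cbom
"""

_TOKEN = re.compile(r"(\*|(\d+)(?:-(\d+))?)(?:/(\d+))?")


def _check_field(value, lo, hi, name):
    """Raise ValueError unless every comma-separated token is valid for [lo, hi]."""
    for part in value.split(","):
        m = _TOKEN.fullmatch(part)
        if not m:
            raise ValueError(f"{name}: bad token {part!r}")
        _, start, end, step = m.groups()
        if start is not None:
            a = int(start)
            b = int(end) if end is not None else a
            if not (lo <= a <= hi and lo <= b <= hi and a <= b):
                raise ValueError(f"{name}: {part!r} outside {lo}-{hi}")
        if step is not None and int(step) == 0:
            raise ValueError(f"{name}: step of 0 in {part!r}")


def parse_schedule(text):
    """Return [(cron, command), ...] or raise ValueError for the first bad line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.count("|") != 1:
            raise ValueError(f"line {lineno}: expected exactly one '|' separator")
        cron, command = (s.strip() for s in line.split("|"))
        fields = cron.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: cron needs 5 fields, got {len(fields)}")
        for val, (lo, hi), name in zip(fields, FIELD_RANGES, FIELD_NAMES):
            _check_field(val, lo, hi, f"line {lineno} {name}")
        words = command.split()
        if len(words) < 2 or words[0] != "export" or words[1] not in EXPORTS:
            allowed = "|".join(sorted(EXPORTS))
            raise ValueError(f"line {lineno}: command must be 'export <{allowed}> ...'")
        entries.append((cron, command))
    return entries


def schedule_is_valid(text):
    """Boolean wrapper around parse_schedule for use in CI or admission checks."""
    try:
        parse_schedule(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for cron, command in parse_schedule(SAMPLE_SCHEDULE):
        print(f"{cron:<12} -> reel {command}")
```

Run it against the annotation value as it appears in the manifest (the block-scalar content, without the YAML indentation); blank lines and lines starting with # are skipped so the same text can carry comments.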