{"id":46488501,"url":"https://github.com/dadav/rhacs-manager","last_synced_at":"2026-05-30T23:02:27.200Z","repository":{"id":341897951,"uuid":"1168845280","full_name":"dadav/rhacs-manager","owner":"dadav","description":"RHACS Manager is an alternative frontend for RHACS with tenancy and EPSS based CVE management in mind.","archived":false,"fork":false,"pushed_at":"2026-05-15T18:14:11.000Z","size":64837,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-15T20:51:03.941Z","etag":null,"topics":["openshift","rhacs"],"latest_commit_sha":null,"homepage":"https://dadav.github.io/rhacs-manager/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dadav.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/security.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-27T21:35:00.000Z","updated_at":"2026-05-15T18:14:15.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/dadav/rhacs-manager","commit_stats":null,"previous_names":["dadav/rhacs-manager"],"tags_count":73,"template":false,"template_full_name":null,"purl":"pkg:github/dadav/rhacs-manager","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadav%2Frhacs-manager","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadav%2Frhacs-manager/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadav%2Frhacs-manager/releases","
manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadav%2Frhacs-manager/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dadav","download_url":"https://codeload.github.com/dadav/rhacs-manager/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadav%2Frhacs-manager/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33712580,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-30T02:00:06.278Z","response_time":92,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["openshift","rhacs"],"created_at":"2026-03-06T10:12:51.227Z","updated_at":"2026-05-30T23:02:27.176Z","avatar_url":"https://github.com/dadav.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003ch1 align=\"center\"\u003eRHACS Manager\u003c/h1\u003e\n  \u003cp align=\"center\"\u003e\n    Self-service CVE management for OpenShift RHACS with EPSS-driven prioritization\n  \u003c/p\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/python-3.12-3776AB?logo=python\u0026logoColor=white\" alt=\"Python 3.12\" /\u003e\n  \u003cimg src=\"https://img.shields.io/badge/FastAPI-009688?logo=fastapi\u0026logoColor=white\" alt=\"FastAPI\" /\u003e\n  \u003cimg 
src=\"https://img.shields.io/badge/React_19-61DAFB?logo=react\u0026logoColor=black\" alt=\"React 19\" /\u003e\n  \u003cimg src=\"https://img.shields.io/badge/TypeScript-3178C6?logo=typescript\u0026logoColor=white\" alt=\"TypeScript\" /\u003e\n  \u003cimg src=\"https://img.shields.io/badge/PatternFly_6-004080?logo=redhat\u0026logoColor=white\" alt=\"PatternFly 6\" /\u003e\n  \u003cimg src=\"https://img.shields.io/badge/PostgreSQL-4169E1?logo=postgresql\u0026logoColor=white\" alt=\"PostgreSQL\" /\u003e\n  \u003cimg src=\"https://img.shields.io/badge/OpenShift-EE0000?logo=redhatopenshift\u0026logoColor=white\" alt=\"OpenShift\" /\u003e\n  \u003cimg src=\"https://img.shields.io/badge/license-Apache License 2.0-blue\" alt=\"License\" /\u003e\n\u003c/p\u003e\n\n\u003cbr /\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"ui.png\"\u003e\n    \u003cimg src=\"ui.png\" alt=\"RHACS Manager Dashboard\" width=\"700\" /\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n\u003cbr /\u003e\n\n## Overview\n\nRHACS Manager provides namespace-scoped CVE visibility derived from Kubernetes RBAC. Security teams get org-wide oversight while regular users see only CVEs affecting their namespaces. 
EPSS probability scoring drives prioritization, helping teams focus on the vulnerabilities that matter most.\n\n## Key Features\n\n- **EPSS-driven prioritization** — Focus on exploitable CVEs, not just severity\n- **K8s RBAC scoping** — Automatic namespace access from cluster annotations\n- **Risk acceptance workflows** — Request, approve, and track CVE risk acceptances\n- **Escalation management** — Namespace-scoped escalation tracking with auto-escalation\n- **Live dashboards** — EPSS risk matrix, cluster heatmap, CVE aging, severity distribution\n- **Hub-spoke architecture** — Central backend with lightweight spoke proxies per cluster\n- **Email notifications** — Configurable digests and escalation alerts via SMTP\n- **Embeddable badges** — SVG status badges for dashboards and docs\n\n## Architecture\n\n```\nSpoke Cluster                                               Hub Cluster\n┌──────────────────────────────────────────────────┐        ┌──────────────────────┐\n│ Route → OAuth Proxy → Namespace                  │        │ Route → FastAPI      │\n│          (OIDC)       Auth Header Injector (Go)  │───────▶│        ├─ StackRox DB│\n│                       → Nginx (SPA)              │ API    │        └─ App DB     │\n└──────────────────────────────────────────────────┘        └──────────────────────┘\n```\n\n## Quick Start\n\n```bash\n# Prerequisites: PostgreSQL, Bun, Python 3.12, uv, just\n\n# Start dev server (sec team user)\njust dev\n\n# Start as regular user with namespace access\njust dev user payments:cluster-a\n\n# Run tests\njust test\n\n# Lint\njust lint\n```\n\n## Tech Stack\n\n| Layer     | Technology                                                    |\n| --------- | ------------------------------------------------------------- |\n| Frontend  | React 19, Vite, PatternFly 6, TanStack Query 5, react-i18next |\n| Backend   | FastAPI, SQLAlchemy 2 (async), Alembic, Pydantic v2           |\n| Runtime   | Python 3.12, uv                                               |\n| Databases | PostgreSQL (app) + StackRox 
Central DB (read-only)            |\n| Auth      | OpenShift OAuth / OIDC JWT / Dev mode                         |\n| Deploy    | Helm, OpenShift, multi-stage container builds                 |\n\n## RHACS Compatibility\n\n| RHACS Version | Status |\n| ------------- | ------ |\n| 4.10.x        | Tested |\n\nRHACS Manager reads directly from the StackRox Central database. Schema changes in future RHACS versions may require query updates. If you encounter issues with a newer version, please open an issue.\n\n## Deployment\n\n```bash\n# Hub prerequisite: copy StackRox central DB password secret into rhacs-manager namespace\noc get secret central-db-password -n stackrox -o json \\\n  | jq 'del(.metadata.namespace, .metadata.resourceVersion, .metadata.uid, .metadata.creationTimestamp)' \\\n  | oc apply -n rhacs-manager -f -\n\n# Hub\nhelm upgrade --install rhacs-manager deploy/helm/rhacs-manager \\\n  -n rhacs-manager --create-namespace \\\n  --set frontend.oauthProxy.cookieSecret='\u003cbase64-32-byte-secret\u003e'\n\n# Spoke\nhelm upgrade --install rhacs-manager-spoke deploy/helm/rhacs-manager \\\n  -n rhacs-manager --create-namespace \\\n  --set mode=spoke \\\n  --set spoke.oauthProxy.cookieSecret='\u003cbase64-32-byte-secret\u003e'\n\n# Plain YAML (without Helm on cluster)\njust render-hub | oc apply -f -\njust render-spoke | oc apply -f -\n```\n\n## Project Structure\n\n```\n├── backend/           FastAPI backend (hub only)\n│   ├── app/\n│   │   ├── routers/   API endpoints\n│   │   ├── models/    SQLAlchemy ORM models\n│   │   ├── stackrox/  Read-only StackRox queries\n│   │   └── tasks/     Background jobs\n│   └── alembic/       Database migrations\n├── frontend/          React SPA\n│   └── src/\n│       ├── pages/     One file per route\n│       ├── components/ Reusable UI\n│       └── i18n/      German translations\n├── auth-header-injector/ Go sidecar for K8s RBAC\n├── deploy/            Deployment artifacts\n│   └── helm/          Helm chart (hub + 
spoke)\n└── justfile           Dev workflow commands\n```\n\n## LICENSE\n\n[APACHE 2](./LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdadav%2Frhacs-manager","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdadav%2Frhacs-manager","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdadav%2Frhacs-manager/lists"}