{"id":40561005,"url":"https://github.com/giantswarm/starboard-exporter","last_synced_at":"2026-01-21T01:00:59.620Z","repository":{"id":36985221,"uuid":"427012535","full_name":"giantswarm/starboard-exporter","owner":"giantswarm","description":"A standalone exporter for vulnerability reports and other CRs created by Trivy Operator (formerly Starboard).","archived":false,"fork":false,"pushed_at":"2026-01-16T01:03:53.000Z","size":1007,"stargazers_count":62,"open_issues_count":11,"forks_count":24,"subscribers_count":7,"default_branch":"main","last_synced_at":"2026-01-16T10:56:04.171Z","etag":null,"topics":["kubernetes","prometheus","prometheus-exporter","security","starboard","trivy","trivy-operator"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/giantswarm.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":"DCO","cla":null}},"created_at":"2021-11-11T13:33:06.000Z","updated_at":"2026-01-08T14:25:42.000Z","dependencies_parsed_at":"2025-12-18T09:02:52.002Z","dependency_job_id":null,"html_url":"https://github.com/giantswarm/starboard-exporter","commit_stats":null,"previous_names":[],"tags_count":36,"template":false,"template_full_name":null,"purl":"pkg:github/giantswarm/starboard-exporter","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/giantswarm%2Fstarboard-exporter","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/giantswarm%2Fstarboard-exporter/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/giantswarm%2Fstarboard-exporter/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/giantswarm%2Fstarboard-exporter/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/giantswarm","download_url":"https://codeload.github.com/giantswarm/starboard-exporter/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/giantswarm%2Fstarboard-exporter/sbom","scorecard":{"id":1236994,"data":{"date":"2025-09-04T15:26:51Z","repo":{"name":"github.com/giantswarm/starboard-exporter","commit":"3d57b3d683ccedcea7bdc99baec2bb5e94f2da32"},"scorecard":{"version":"v5.2.1","commit":"ab2f6e92482462fe66246d9e32f642855a691dc1"},"score":7.8,"checks":[{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: RenovateBot: renovate.json5:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dependency-update-tool"}},{"name":"Maintained","score":10,"reason":"26 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#binary-artifacts"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#security-policy"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/zz_generated.add-team-labels.yaml:1","Warn: no topLevel permission defined: .github/workflows/zz_generated.add-to-project-board.yaml:1","Warn: no topLevel permission defined: .github/workflows/zz_generated.check_values_schema.yaml:1","Warn: no topLevel permission defined: .github/workflows/zz_generated.create_release.yaml:1","Warn: no topLevel permission defined: .github/workflows/zz_generated.create_release_pr.yaml:1","Warn: no topLevel permission defined: .github/workflows/zz_generated.fix_vulnerabilities.yaml:1","Warn: no topLevel permission defined: .github/workflows/zz_generated.gitleaks.yaml:1","Warn: no topLevel permission defined: .github/workflows/zz_generated.run_ossf_scorecard.yaml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/zz_generated.validate_changelog.yaml:16","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#token-permissions"}},{"name":"Code-Review","score":8,"reason":"Found 5/6 approved changesets -- score normalized to 8","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dangerous-workflow"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#cii-best-practices"}},{"name":"Pinned-Dependencies","score":7,"reason":"dependency not pinned by hash detected -- score normalized to 7","details":["Warn: containerImage not pinned by hash: Dockerfile:2","Warn: containerImage not pinned by hash: Dockerfile:23: pin your Docker image by updating gcr.io/distroless/static:nonroot to gcr.io/distroless/static:nonroot@sha256:a9f88e0d99c1ceedbce565fad7d3f96744d15e6919c19c7dafe84a6dd9a80c61","Info:  12 out of  12 GitHub-owned GitHubAction dependencies pinned","Info:   6 out of   6 third-party GitHubAction dependencies pinned","Info:   0 out of   2 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#pinned-dependencies"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#branch-protection"}},{"name":"SAST","score":9,"reason":"SAST tool is not run on all commits -- score normalized to 9","details":["Warn: 28 commits out of 29 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#sast"}},{"name":"CI-Tests","score":10,"reason":"29 out of 29 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#ci-tests"}},{"name":"Contributors","score":10,"reason":"project has 4 contributing companies or organizations","details":["Info: found contributions from: KoelnAPI, giant swarm, giantswarm, netzbegruenung"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#contributors"}}]},"last_synced_at":"2025-09-04T17:33:56.203Z","repository_id":36985221,"created_at":"2025-09-04T17:33:56.203Z","updated_at":"2025-09-04T17:33:56.203Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28620572,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-20T23:49:58.628Z","status":"ssl_error","status_checked_at":"2026-01-20T23:47:29.996Z","response_time":117,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kubernetes","prometheus","prometheus-exporter","security","starboard","trivy","trivy-operator"],"created_at":"2026-01-21T01:00:27.878Z","updated_at":"2026-01-21T01:00:59.592Z","avatar_url":"https://github.com/giantswarm.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![CircleCI](https://circleci.com/gh/giantswarm/starboard-exporter.svg?style=shield)](https://circleci.com/gh/giantswarm/starboard-exporter)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/giantswarm/starboard-exporter/badge)](https://securityscorecards.dev/viewer/?uri=github.com/giantswarm/starboard-exporter)\n\n# starboard-exporter\n\nExposes Prometheus metrics from [Trivy Operator][trivy-operator-upstream]'s `VulnerabilityReport`, `ConfigAuditReport`, [Kubescape][kubescape-operator-upstream]'s `VulnerabilityManifest`, and other custom resources (CRs).\n\n## Metrics\n\nThis exporter exposes several types of metrics:\n\n### CIS Benchmarks\n\n#### Report Summary\n\nA report summary series exposes the count of checks of each status reported in a given `CISKubeBenchReport`. For example:\n\n```shell\nstarboard_exporter_ciskubebenchreport_report_summary_count{\n    node_name=\"bj56o-master-bj56o-000000\"\n    status=\"FAIL\"\n    } 31\n```\n\n#### Section Summary\n\nFor slightly more granular reporting, a section summary series exposes the count of checks of each status reported in a given `CISKubeBenchSection`. For example:\n\n```shell\nstarboard_exporter_ciskubebenchreport_section_summary_count{\n    node_name=\"bj56o-master-bj56o-000000\"\n    node_type=\"controlplane\"\n    section_name=\"Control Plane Configuration\"\n    status=\"WARN\"\n    } 4\n```\n\n#### Result Detail\n\nA CIS benchmark result info series exposes fields from each instance of an Aqua `CISKubeBenchResult`. For example:\n\n```shell\nstarboard_exporter_ciskubebenchreport_result_info{\n    node_name=\"bj56o-master-bj56o-000000\"\n    node_type=\"controlplane\"\n    pod=\"starboard-exporter-859955f485-cwkj6\"\n    section_name=\"Control Plane Configuration\"\n    test_desc=\"Client certificate authentication should not be used for users (Manual)\"\n    test_number=\"3.1.1\"\n    test_status=\"WARN\"\n    } 1\n```\n\n### Vulnerability Reports\n\nVulnerability reports are supported from both Trivy Operator (`VulnerabilityReport`) and Kubescape (`VulnerabilityManifest`). Both scanners produce the same metric names, distinguished by the `scanner` label.\n\n#### Report Summary\n\nA summary series exposes the count of CVEs of each severity reported in a given vulnerability report. The `scanner` label indicates the source: `\"trivy\"` for Trivy Operator reports or `\"kubescape\"` for Kubescape reports.\n\n```shell\nstarboard_exporter_vulnerabilityreport_image_vulnerability_severity_count{\n    image_digest=\"\",\n    image_namespace=\"demo\",\n    image_registry=\"quay.io\",\n    image_repository=\"giantswarm/starboard-operator\",\n    image_tag=\"0.11.0\",\n    report_name=\"replicaset-starboard-app-6894945788-starboard-app\",\n    scanner=\"trivy\",\n    severity=\"MEDIUM\"\n    } 4\n```\n\nThis indicates that the `giantswarm/starboard-operator` image in the `demo` namespace contains 4 medium-severity vulnerabilities.\n\n#### Vulnerability Details\n\nA \"detail\" or \"vulnerability\" series exposes fields from each instance of a vulnerability. The value of the metric is the CVSS score for the vulnerability. The `scanner` label distinguishes between Trivy and Kubescape sources.\n\n```shell\nstarboard_exporter_vulnerabilityreport_image_vulnerability{\n    fixed_resource_version=\"1.1.1l-r0\",\n    image_digest=\"\",\n    image_namespace=\"demo\",\n    image_registry=\"quay.io\",\n    image_repository=\"giantswarm/starboard-operator\",\n    image_tag=\"0.11.0\",\n    installed_resource_version=\"1.1.1k-r0\",\n    report_name=\"replicaset-starboard-app-6894945788-starboard-app\",\n    scanner=\"trivy\",\n    severity=\"HIGH\",\n    vulnerability_id=\"CVE-2021-3712\",\n    vulnerability_link=\"https://avd.aquasec.com/nvd/cve-2021-3712\",\n    vulnerability_title=\"openssl: Read buffer overruns processing ASN.1 strings\",\n    vulnerable_resource_name=\"libssl1.1\"\n    } 7.4\n```\n\nThis indicates that the vulnerability with the id `CVE-2021-3712` was found in the `giantswarm/starboard-operator` image in the `demo` namespace, and it has a CVSS 3.x score of 7.4.\n\nAn additional series would be exposed for every combination of those labels.\n\n### Config Audit Reports\n\n#### Report Summary\n\nA summary series exposes the count of checks of each severity reported in a given `ConfigAuditReport`. For example:\n\n```shell\nstarboard_exporter_configauditreport_resource_checks_summary_count{\n  resource_name=\"replicaset-chart-operator-748f756847\",\n  resource_namespace=\"giantswarm\",\n  severity=\"LOW\"\n  } 7\n```\n\n#### A Note on Cardinality\n\nFor some use cases, it is helpful to export additional fields from vulnerability report CRs (both `VulnerabilityReport` and `VulnerabilityManifest`). However, because many fields contain unbounded arbitrary data, including them in Prometheus metrics can lead to extremely high cardinality. This can drastically impact Prometheus performance. For this reason, we only expose summary data by default and allow users to opt-in to higher-cardinality fields.\n\n### Sharding Reports\n\nIn large clusters or environments with many reports and/or vulnerabilities, a single exporter can consume a large amount of memory, and Prometheus may need a long time to scrape the exporter, leading to scrape timeouts. To help spread resource consumption and scrape effort, `starboard-exporter` watches its own service endpoints and will shard metrics for all report types across the available endpoints. In other words, if there are 3 exporter instances, each instance will serve roughly 1/3 of the metrics. This behavior is enabled by default and does not require any additional configuration. To use it, simply change the number of replicas in the Deployment. However, you should read the section on cardinality and be aware that consuming large amounts of high-cardinality data can have performance impacts on Prometheus.\n\n## Customization\n\nSummary metrics of the format described above are always enabled.\n\nTo enable an additional detail series *per Vulnerability*, use the `--target-labels` flag to specify which labels should be exposed. For example:\n\n```shell\n# Expose only select image and CVE fields.\n--target-labels=image_namespace,image_repository,image_tag,vulnerability_id\n\n# Run with (almost) all fields exposed as labels, if you're feeling really wild.\n--target-labels=all\n```\n\nTarget labels can also be set via Helm values:\n\n```yaml\nexporter:\n  vulnerabilityReports:\n    targetLabels:\n      - image_namespace\n      - image_repository\n      - image_tag\n      - vulnerability_id\n      - ...\n\n    # Enable/disable individual scanners\n    scanners:\n      trivy:\n        enabled: true\n      kubescape:\n        enabled: true\n```\n\nThe same can be done for CIS Benchmark Results. To enable an additional detail series *per CIS Benchmark Result*, use the `--cis-detail-report-labels` flag to specify which labels should be exposed. For example:\n\n```shell\n# Expose only section_name, test_name and test_status\n--cis-detail-report-labels=section_name,test_name,test_status\n\n# Run with (almost) all fields exposed as labels.\n--cis-detail-report-labels=all\n```\n\nCIS detail target labels can also be set via Helm values:\n\n```yaml\nexporter:\n  CISKubeBenchReports:\n    targetLabels:\n      - node_name\n      - node_type\n      - section_name\n      - test_name\n      - test_status\n      - ...\n```\n\n## Helm\n\nHow to install the starboard-exporter using helm:\n\n```shell\nhelm repo add giantswarm https://giantswarm.github.io/giantswarm-catalog\nhelm repo update\nhelm upgrade -i starboard-exporter --namespace \u003coperator namespace\u003e giantswarm/starboard-exporter\n```\n\n## Scaling for Prometheus scrape timeouts\n\nWhen exporting a large volume of metrics, Prometheus might time out before retrieving them all from a single exporter instance. It is possible to automatically scale the number of exporters to keep the scrape time below the configured timeout. To enable HPA scaling based on Prometheus metrics, [here](./docs/custom_metrics_hpa.md)\n\n\n[trivy-operator-upstream]: https://github.com/aquasecurity/trivy-operator\n[kubescape-operator-upstream]: https://github.com/kubescape/operator\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgiantswarm%2Fstarboard-exporter","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgiantswarm%2Fstarboard-exporter","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgiantswarm%2Fstarboard-exporter/lists"}