https://github.com/dadav/rhacs-manager

RHACS Manager is an alternative frontend for RHACS with tenancy and EPSS-based CVE management in mind.

Topics: openshift, rhacs

# RHACS Manager

Self-service CVE management for OpenShift RHACS with EPSS-driven prioritization

Built with Python 3.12, FastAPI, React 19, TypeScript, PatternFly 6 and PostgreSQL; deployed on OpenShift. See the License section below.

(Screenshot: RHACS Manager Dashboard)


## Overview

RHACS Manager provides namespace-scoped CVE visibility derived from Kubernetes RBAC. Security teams get org-wide oversight while regular users see only CVEs affecting their namespaces. EPSS probability scoring drives prioritization, helping teams focus on the vulnerabilities that matter most.

## Key Features

- **EPSS-driven prioritization** — Focus on exploitable CVEs, not just severity
- **K8s RBAC scoping** — Automatic namespace access from cluster annotations
- **Risk acceptance workflows** — Request, approve, and track CVE risk acceptances
- **Escalation management** — Namespace-scoped escalation tracking with auto-escalation
- **Live dashboards** — EPSS risk matrix, cluster heatmap, CVE aging, severity distribution
- **Hub-spoke architecture** — Central backend with lightweight spoke proxies per cluster
- **Email notifications** — Configurable digests and escalation alerts via SMTP
- **Embeddable badges** — SVG status badges for dashboards and docs
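The two ideas behind the Overview and the first two Key Features (namespace scoping derived from cluster metadata, then ranking the visible CVEs by EPSS probability rather than severity alone) can be shown in a few lines. The block below is an added illustration, not code from the rhacs-manager project: the annotation key `example.io/rhacs-manager-users`, the `Finding` record, the CVE identifiers and the namespace/cluster data are all constructed for the example, and RHACS Manager's real annotation format and scoring rules are not given on this page.

```python
from dataclasses import dataclass

# Hypothetical annotation key (assumption for this example; the project's real key
# is not documented on this page). Value: comma-separated list of users.
ACCESS_ANNOTATION = "example.io/rhacs-manager-users"

# RHACS severity wording; used only as a tiebreaker below EPSS.
SEVERITY_RANK = {"CRITICAL": 3, "IMPORTANT": 2, "MODERATE": 1, "LOW": 0}


@dataclass(frozen=True)
class Finding:
    cve: str
    namespace: str
    cluster: str
    severity: str   # CRITICAL / IMPORTANT / MODERATE / LOW
    cvss: float     # base score, 0..10
    epss: float     # EPSS probability of exploitation in the next 30 days, 0..1


def allowed_namespaces(user: str, namespaces: list[dict]) -> set[tuple[str, str]]:
    """Derive the (namespace, cluster) pairs a regular user may see from
    namespace annotations. Security-team users bypass this in scoped_findings()."""
    allowed: set[tuple[str, str]] = set()
    for ns in namespaces:
        raw = ns.get("metadata", {}).get("annotations", {}).get(ACCESS_ANNOTATION, "")
        members = {u.strip() for u in raw.split(",") if u.strip()}
        if user in members:
            allowed.add((ns["metadata"]["name"], ns["cluster"]))
    return allowed


def scoped_findings(findings: list[Finding], user: str, namespaces: list[dict],
                    sec_team: bool = False) -> list[Finding]:
    """Org-wide view for the security team, namespace-scoped view for everyone else.
    Scoping is enforced server-side on the data, not by hiding rows in the UI."""
    if sec_team:
        return list(findings)
    scope = allowed_namespaces(user, namespaces)
    return [f for f in findings if (f.namespace, f.cluster) in scope]


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Rank by EPSS first (likelihood of exploitation), then severity, then CVSS.
    A CRITICAL CVE with a tiny EPSS lands below a MODERATE one that is being exploited."""
    return sorted(findings,
                  key=lambda f: (f.epss, SEVERITY_RANK[f.severity], f.cvss),
                  reverse=True)


def focus_list(findings: list[Finding], epss_threshold: float = 0.1) -> list[Finding]:
    """The 'work on these first' list: ranked findings at or above an EPSS threshold."""
    return [f for f in prioritize(findings) if f.epss >= epss_threshold]


# Constructed sample data (not real clusters, namespaces or CVEs).
SAMPLE_NAMESPACES = [
    {"metadata": {"name": "payments", "annotations": {ACCESS_ANNOTATION: "alice, bob"}},
     "cluster": "cluster-a"},
    {"metadata": {"name": "billing", "annotations": {ACCESS_ANNOTATION: "carol"}},
     "cluster": "cluster-a"},
    {"metadata": {"name": "payments", "annotations": {ACCESS_ANNOTATION: "bob"}},
     "cluster": "cluster-b"},
]

SAMPLE_FINDINGS = [
    Finding("CVE-2099-0001", "payments", "cluster-a", "CRITICAL", 9.8, 0.02),
    Finding("CVE-2099-0002", "payments", "cluster-a", "MODERATE", 5.5, 0.71),
    Finding("CVE-2099-0003", "billing", "cluster-a", "CRITICAL", 9.1, 0.93),
    Finding("CVE-2099-0004", "payments", "cluster-b", "IMPORTANT", 7.5, 0.40),
]


if __name__ == "__main__":
    for user, sec in (("alice", False), ("secops", True)):
        visible = scoped_findings(SAMPLE_FINDINGS, user, SAMPLE_NAMESPACES, sec_team=sec)
        print(f"{user}: {[f.cve for f in focus_list(visible)]}")
```

Note the ordering for the security-team view: CVE-2099-0002 (MODERATE, EPSS 0.71) outranks CVE-2099-0001 (CRITICAL, EPSS 0.02), which is exactly the shift in focus the EPSS-driven approach is meant to produce; the namespace scope for a regular user is computed from the cluster data and applied to the findings before ranking, so a user never receives rows outside their namespaces.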

## Architecture

```
                   Spoke Cluster                                     Hub Cluster
┌──────────────────────────────────────────────────┐          ┌────────────────────────┐
│ Route → OAuth Proxy → Namespace                  │          │ Route → FastAPI        │
│         (OIDC)        Auth Header Injector (Go)  │─────────▶│         ├─ StackRox DB │
│                     → Nginx (SPA)                │   API    │         └─ App DB      │
└──────────────────────────────────────────────────┘          └────────────────────────┘
```

## Quick Start

```bash
# Prerequisites: PostgreSQL, Bun, Python 3.12, uv, just

# Start dev server (sec team user)
just dev

# Start as regular user with namespace access
just dev user payments:cluster-a

# Run tests
just test

# Lint
just lint
```

## Tech Stack

| Layer | Technology |
| --------- | ------------------------------------------------------------- |
| Frontend | React 19, Vite, PatternFly 6, TanStack Query 5, react-i18next |
| Backend | FastAPI, SQLAlchemy 2 (async), Alembic, Pydantic v2 |
| Runtime | Python 3.12, uv |
| Databases | PostgreSQL (app) + StackRox Central DB (read-only) |
| Auth | OpenShift OAuth / OIDC JWT / Dev mode |
| Deploy | Helm, OpenShift, multi-stage container builds |

## RHACS Compatibility

| RHACS Version | Status |
| ------------- | ------ |
| 4.10.x | Tested |

RHACS Manager reads directly from the StackRox Central database. Schema changes in future RHACS versions may require query updates. If you encounter issues with a newer version, please open an issue.

## Deployment

```bash
# Hub prerequisite: copy StackRox central DB password secret into rhacs-manager namespace
oc get secret central-db-password -n stackrox -o json \
  | jq 'del(.metadata.namespace, .metadata.resourceVersion, .metadata.uid, .metadata.creationTimestamp)' \
  | oc apply -n rhacs-manager -f -

# Hub
helm upgrade --install rhacs-manager deploy/helm/rhacs-manager \
  -n rhacs-manager --create-namespace \
  --set frontend.oauthProxy.cookieSecret=''

# Spoke
helm upgrade --install rhacs-manager-spoke deploy/helm/rhacs-manager \
  -n rhacs-manager --create-namespace \
  --set mode=spoke \
  --set spoke.oauthProxy.cookieSecret=''

# Plain YAML (without Helm on cluster)
just render-hub | oc apply -f -
just render-spoke | oc apply -f -
```

## Project Structure

```
├── backend/                 FastAPI backend (hub only)
│   ├── app/
│   │   ├── routers/         API endpoints
│   │   ├── models/          SQLAlchemy ORM models
│   │   ├── stackrox/        Read-only StackRox queries
│   │   └── tasks/           Background jobs
│   └── alembic/             Database migrations
├── frontend/                React SPA
│   └── src/
│       ├── pages/           One file per route
│       ├── components/      Reusable UI
│       └── i18n/            German translations
├── auth-header-injector/    Go sidecar for K8s RBAC
├── deploy/                  Deployment artifacts
│   └── helm/                Helm chart (hub + spoke)
└── justfile                 Dev workflow commands
```

## LICENSE

[APACHE 2](./LICENSE)