# Scanner Configuration Reference
The Ephor Scanner follows the 12-factor app methodology. All runtime configuration is provided through environment variables. When deployed with the Helm chart, these are set via values.yaml.
## Ephor API

| Variable | Default | Description |
|---|---|---|
| EPHOR_API_URL | (required) | Base URL of the Ephor API (e.g., http://ephor-api:8080) |
| EPHOR_AUTH_HEADER | (none) | Custom authentication header name (e.g., X-API-Key, Authorization) |
| EPHOR_AUTH_VALUE | (none) | Authentication header value |
## Scan Settings

| Variable | Default | Description |
|---|---|---|
| SCAN_NAMESPACES | (required) | Comma-separated list of Kubernetes namespaces to scan |
| SCAN_CONCURRENCY | 3 | Number of parallel image scans |
| SCAN_SEVERITY | CRITICAL,HIGH,MEDIUM,LOW | Comma-separated severity levels to include in results |
| SCAN_WORKLOAD_TYPES | Deployment,StatefulSet,DaemonSet,CronJob | Comma-separated workload types to discover |
### Concurrency
The SCAN_CONCURRENCY setting controls how many images are scanned in parallel. Each scan runs a Trivy process that loads the vulnerability database into memory. Higher concurrency increases memory usage proportionally. On resource-constrained nodes, consider reducing this to 1 or 2.
### Severity Filtering
Results are filtered at scan time. Only vulnerabilities matching the configured severity levels are included in the payload sent to the Ephor API. To report only critical and high findings:
```
SCAN_SEVERITY=CRITICAL,HIGH
```

### Workload Types
By default, the scanner discovers Deployments, StatefulSets, DaemonSets, and CronJobs. To limit discovery to specific types:
```
SCAN_WORKLOAD_TYPES=Deployment,StatefulSet
```

## Trivy
| Variable | Default | Description |
|---|---|---|
| TRIVY_BINARY | trivy | Path to the Trivy executable |
| TRIVY_CACHE_DIR | /tmp/trivy-cache | Directory for the Trivy vulnerability database cache |
| TRIVY_TIMEOUT | 300 | Per-image scan timeout in seconds |
| TRIVY_DB_UPDATE_TIMEOUT | 60 | Vulnerability database update timeout in seconds |
| TRIVY_DB_REPO | (none) | Custom OCI repository for the Trivy database (for air-gapped environments) |
| TRIVY_SKIP_DB_UPDATE | false | Skip the database update step. Use when the cache is pre-populated or managed externally. |
### Timeouts
The TRIVY_TIMEOUT applies to each individual image scan. Large images with many installed packages may require a higher timeout. The TRIVY_DB_UPDATE_TIMEOUT applies to the initial database download or update before scanning begins.
### Database Management
On each run, the scanner updates the Trivy vulnerability database from the public OCI registry (or a custom repository if TRIVY_DB_REPO is set). To avoid this step:
- Set `TRIVY_SKIP_DB_UPDATE=true` and ensure the cache directory contains a valid database.
- Use a PersistentVolumeClaim (`cache.enabled=true` in Helm) so the database persists between runs.
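As an added example (not the scanner's own code), the following Python loads the variables from the Scan Settings and Trivy tables above, applies the documented defaults, rejects unknown severity or workload values, and builds the Trivy command line for one image. The exact Trivy invocation (`trivy image` with `--severity`, `--timeout`, `--cache-dir`, `--skip-db-update` and `--db-repository`) is an assumption about how the scanner drives Trivy; the page does not show it.

```python
import os

# Allowed values, in the default order given by the reference tables above.
VALID_SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")
VALID_WORKLOADS = ("Deployment", "StatefulSet", "DaemonSet", "CronJob")
TRUE_VALUES = {"1", "true", "yes"}


def _csv(env, name, allowed):
    """Parse a comma-separated variable, defaulting to every allowed value,
    and fail closed on unknown entries instead of silently dropping them."""
    raw = env.get(name, ",".join(allowed))
    items = [s.strip() for s in raw.split(",") if s.strip()]
    bad = [s for s in items if s not in allowed]
    if not items or bad:
        raise ValueError(f"{name}: invalid entries {bad or raw!r}")
    return items


def load_config(env=None):
    """Validate scanner settings from the environment (or a dict for tests)."""
    env = os.environ if env is None else env
    for required in ("EPHOR_API_URL", "SCAN_NAMESPACES"):
        if not env.get(required):
            raise ValueError(f"{required} is required")
    cfg = {
        "api_url": env["EPHOR_API_URL"],
        "namespaces": [n.strip() for n in env["SCAN_NAMESPACES"].split(",") if n.strip()],
        "concurrency": int(env.get("SCAN_CONCURRENCY", "3")),
        "severity": _csv(env, "SCAN_SEVERITY", VALID_SEVERITIES),
        "workload_types": _csv(env, "SCAN_WORKLOAD_TYPES", VALID_WORKLOADS),
        "trivy_binary": env.get("TRIVY_BINARY", "trivy"),
        "cache_dir": env.get("TRIVY_CACHE_DIR", "/tmp/trivy-cache"),
        "timeout": int(env.get("TRIVY_TIMEOUT", "300")),
        "db_repo": env.get("TRIVY_DB_REPO") or None,
        "skip_db_update": env.get("TRIVY_SKIP_DB_UPDATE", "false").lower() in TRUE_VALUES,
    }
    if cfg["concurrency"] < 1 or cfg["timeout"] < 1:
        raise ValueError("SCAN_CONCURRENCY and TRIVY_TIMEOUT must be positive")
    return cfg


def trivy_command(cfg, image):
    """Build the Trivy argument list for one image (assumed invocation shape)."""
    cmd = [cfg["trivy_binary"], "image", "--format", "json",
           "--cache-dir", cfg["cache_dir"], "--timeout", f"{cfg['timeout']}s",
           "--severity", ",".join(cfg["severity"])]
    if cfg["skip_db_update"]:
        cmd.append("--skip-db-update")  # cache must already hold a valid DB
    if cfg["db_repo"]:
        cmd += ["--db-repository", cfg["db_repo"]]  # air-gapped mirror
    return cmd + [image]
```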
## Logging

| Variable | Default | Description |
|---|---|---|
| LOG_LEVEL | info | Log verbosity: debug, info, warn, error |
| LOG_FORMAT | json | Output format: json for structured logging, text for human-readable |
Set LOG_LEVEL=debug to see detailed information about discovered workloads, deduplication decisions, and individual scan results. Use LOG_FORMAT=text for local development.