Version: Latest

Kubernetes Installation

Run Codeward on Kubernetes as a Job or CronJob for scalable, container-native scanning.

Basic Job

Scan source code from a PersistentVolumeClaim:

apiVersion: batch/v1
kind: Job
metadata:
  name: codeward-scan
spec:
  ttlSecondsAfterFinished: 600
  backoffLimit: 0
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: scanner
          image: ghcr.io/codeward-io/scan:v0.3.0
          volumeMounts:
            - mountPath: /main
              name: source-code
              readOnly: true
      volumes:
        - name: source-code
          persistentVolumeClaim:
            claimName: my-source-pvc

Scheduled Scans (CronJob)

apiVersion: batch/v1
kind: CronJob
metadata:
  name: codeward-nightly
spec:
  schedule: "0 2 * * *"
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: Never
          containers:
            - name: scanner
              image: ghcr.io/codeward-io/scan:v0.3.0
              volumeMounts:
                - mountPath: /main
                  name: source-code
                  readOnly: true
          volumes:
            - name: source-code
              persistentVolumeClaim:
                claimName: my-source-pvc

Configuration via ConfigMap

Manage your configuration centrally with a ConfigMap. Both YAML and JSON formats are supported.

Create the ConfigMap

apiVersion: v1
kind: ConfigMap
metadata:
  name: codeward-config
data:
  .codeward.yaml: |
    vulnerability:
      - rules:
          - field: Severity
            type: eq
            value: CRITICAL
        actions:
          new: block
          existing: warn

Mount It

apiVersion: batch/v1
kind: Job
metadata:
  name: codeward-configured-scan
spec:
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: scanner
          image: ghcr.io/codeward-io/scan:v0.3.0
          env:
            - name: CODEWARD_CONFIG_PATH
              value: "/config/.codeward.yaml"
            - name: CODEWARD_CACHE_DIR
              value: "/cache"
          volumeMounts:
            - mountPath: /main
              name: source-code
            - mountPath: /config
              name: config-volume
              readOnly: true
            - mountPath: /cache
              name: cache
      volumes:
        - name: source-code
          persistentVolumeClaim:
            claimName: my-source-pvc
        - name: config-volume
          configMap:
            name: codeward-config
        - name: cache
          emptyDir: {}

Host Filesystem Scan

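Warning

hostPath grants the pod access to the node's filesystem. Ensure Pod Security Policies allow this. PodSecurityPolicy was removed in Kubernetes 1.25; on newer clusters the equivalent control is Pod Security Admission or another admission policy.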

volumes:
  - name: host-fs
    hostPath:
      path: /var/lib/jenkins/workspace
      type: Directory
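
The fragment above only declares the volume. The following complete Job is an added example, not taken from the Codeward documentation; it mounts the host path read-only at /main and restricts the container. The Job name, the securityContext settings and automountServiceAccountToken are assumptions that have not been verified against the scanner image.

```yaml
# Added example (not from the Codeward docs): host filesystem scan with a
# read-only hostPath mount and a restricted container.
apiVersion: batch/v1
kind: Job
metadata:
  name: codeward-host-scan            # hypothetical name
spec:
  ttlSecondsAfterFinished: 600
  backoffLimit: 0
  template:
    spec:
      restartPolicy: Never
      # Assumption: the scanner does not call the Kubernetes API,
      # so no service account token is mounted into the pod.
      automountServiceAccountToken: false
      containers:
        - name: scanner
          image: ghcr.io/codeward-io/scan:v0.3.0
          env:
            - name: CODEWARD_CACHE_DIR
              value: "/cache"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            # Assumption: the scanner writes only under CODEWARD_CACHE_DIR.
            # Remove this line if it needs other writable paths.
            readOnlyRootFilesystem: true
          volumeMounts:
            - mountPath: /main
              name: host-fs
              readOnly: true          # the scan must not modify the node's files
            - mountPath: /cache
              name: cache
      volumes:
        - name: host-fs
          hostPath:
            path: /var/lib/jenkins/workspace
            type: Directory           # fail if the path is not an existing directory
        - name: cache
          emptyDir: {}
```

Because hostPath resolves on whichever node runs the pod, pin the Job to the node that holds the workspace (for example with a nodeSelector) when the cluster has more than one node.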