Kubernetes Installation

Running Codeward on Kubernetes is ideal for scalable, container-native CI/CD pipelines. You can run scans as a one-off Job or a scheduled CronJob.


1. Basic Job with Persistent Volume

This example runs a single scan on source code stored in a Persistent Volume Claim (PVC).

apiVersion: batch/v1
kind: Job
metadata:
  name: codeward-scan
  labels:
    app: codeward
spec:
  ttlSecondsAfterFinished: 600
  backoffLimit: 0
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: scanner
          image: ghcr.io/codeward-io/scan:v0.2.0
          volumeMounts:
            # Mount your source code PVC to /main
            - mountPath: /main
              name: source-code
              readOnly: true
      volumes:
        - name: source-code
          persistentVolumeClaim:
            claimName: my-source-pvc-name

2. Scheduled Scans (CronJob)

Use a CronJob to run periodic scans (e.g., nightly builds or compliance checks).

apiVersion: batch/v1
kind: CronJob
metadata:
  name: codeward-nightly-scan
spec:
  schedule: "0 2 * * *" # Run daily at 2:00 AM
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: Never
          containers:
            - name: scanner
              image: ghcr.io/codeward-io/scan:v0.2.0
              volumeMounts:
                - mountPath: /main
                  name: source-code
                  readOnly: true
          volumes:
            - name: source-code
              persistentVolumeClaim:
                claimName: my-source-pvc-name
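The Job and CronJob above run with Kubernetes defaults, which is more privilege than a read-only scanner needs. The following is an added example (not a manifest shipped by the Codeward project) of a hardened nightly CronJob that passes the restricted Pod Security Standard: the container drops all capabilities, cannot escalate privileges, runs under the runtime default seccomp profile and with a read-only root filesystem, and the Pod does not mount a service-account token because the scanner has no reason to talk to the API server. It also bounds scan duration and stops overlapping runs. It assumes that the scan image runs as a non-root user with a numeric USER set (otherwise the kubelet rejects the Pod under runAsNonRoot and you must add runAsUser), and that any scratch files the scanner writes go to /tmp; both are assumptions, not documented behaviour of the image.

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: codeward-nightly-scan-hardened
  labels:
    app: codeward
spec:
  schedule: "0 2 * * *"        # Run daily at 2:00 AM
  concurrencyPolicy: Forbid    # Never start a new scan while one is still running
  startingDeadlineSeconds: 600 # Skip the run if it could not start within 10 minutes
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 0               # A failed scan is a finding, not something to retry blindly
      activeDeadlineSeconds: 3600   # Kill a scan that runs for more than an hour
      ttlSecondsAfterFinished: 86400
      template:
        spec:
          restartPolicy: Never
          automountServiceAccountToken: false  # The scanner needs no Kubernetes API access
          securityContext:
            runAsNonRoot: true                 # Assumption: the image ships a numeric non-root USER
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: scanner
              # Pin to an immutable digest in production (image@sha256:<digest>)
              # so the scanner itself is not swapped out underneath you.
              image: ghcr.io/codeward-io/scan:v0.2.0
              securityContext:
                allowPrivilegeEscalation: false
                readOnlyRootFilesystem: true
                capabilities:
                  drop: ["ALL"]
              resources:
                requests:
                  cpu: "500m"
                  memory: "512Mi"
                limits:
                  memory: "2Gi"
              volumeMounts:
                - mountPath: /main
                  name: source-code
                  readOnly: true
                # Assumption: scratch space the scanner may need once / is read-only
                - mountPath: /tmp
                  name: scratch
          volumes:
            - name: source-code
              persistentVolumeClaim:
                claimName: my-source-pvc-name
            - name: scratch
              emptyDir: {}
```

If the namespace enforces the restricted Pod Security Standard (`pod-security.kubernetes.io/enforce: restricted`), this manifest is admitted while the unhardened one above is rejected, which is a cheap way to verify that the settings are actually in effect. If the scanner fails with permission errors under readOnlyRootFilesystem, add an emptyDir mount for the directory it writes to rather than removing the setting.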

3. Scanning Host Filesystem

To scan files on the underlying Kubernetes node (e.g., for node compliance or local files), use a hostPath volume.

warning

Security: a hostPath volume gives the Pod direct access to the node's filesystem, so treat this Job as node-level access and run it only from a namespace and service account you trust. Keep the mount readOnly and point path at the narrowest directory you need. The baseline and restricted Pod Security Standards reject hostPath volumes, so the Job must run in a namespace whose Pod Security Admission enforce level is privileged (the older PodSecurityPolicy API was removed in Kubernetes 1.25). Note also that a hostPath mount reads the filesystem of whichever node the Pod happens to be scheduled on; pin the Pod to a specific node with nodeName or a nodeSelector when the scan targets that node's files.

apiVersion: batch/v1
kind: Job
metadata:
  name: codeward-host-scan
spec:
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: scanner
          image: ghcr.io/codeward-io/scan:v0.2.0
          volumeMounts:
            # Mount a directory from the host node
            - mountPath: /main
              name: host-fs
              readOnly: true
      volumes:
        - name: host-fs
          hostPath:
            path: /var/lib/jenkins/workspace # Path on the node
            type: Directory
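Because hostPath is rejected by the baseline and restricted Pod Security Standards, a host scan needs a namespace that is explicitly allowed to use it, and because the mount reads whichever node the Pod lands on, the Job should be pinned to the node you mean to scan. The following added example (not part of the Codeward project's documentation) puts both together: a dedicated namespace whose Pod Security Admission enforce level is privileged, but which still warns and audits at baseline so that any other workload that wanders in is flagged, and a Job that is confined to one node via a nodeSelector on the well-known kubernetes.io/hostname label. The namespace name codeward-host-scan and the node name worker-1 are placeholders chosen for the example. Running the scanner as non-root against a host directory assumes the files under /var/lib/jenkins/workspace are world-readable on the node; if they are not, the scan fails with permission errors rather than silently reading nothing.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: codeward-host-scan                       # Placeholder namespace name
  labels:
    # hostPath is only admitted at the privileged level ...
    pod-security.kubernetes.io/enforce: privileged
    # ... but keep warning and auditing at baseline so anything else
    # that relies on this namespace's relaxed policy shows up in the audit log.
    pod-security.kubernetes.io/warn: baseline
    pod-security.kubernetes.io/audit: baseline
---
apiVersion: batch/v1
kind: Job
metadata:
  name: codeward-host-scan
  namespace: codeward-host-scan
spec:
  backoffLimit: 0
  activeDeadlineSeconds: 3600
  ttlSecondsAfterFinished: 600
  template:
    spec:
      restartPolicy: Never
      automountServiceAccountToken: false
      # Pin the Pod to the node whose filesystem you actually want to scan;
      # without this the scheduler may pick any node and the mount reads that node instead.
      nodeSelector:
        kubernetes.io/hostname: worker-1         # Placeholder node name
      securityContext:
        runAsNonRoot: true                       # Assumption: image has a numeric non-root USER
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: scanner
          image: ghcr.io/codeward-io/scan:v0.2.0
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - mountPath: /main
              name: host-fs
              readOnly: true                     # Never mount host paths writable for a scanner
            - mountPath: /tmp
              name: scratch                      # Assumption: scratch space for the scanner
      volumes:
        - name: host-fs
          hostPath:
            path: /var/lib/jenkins/workspace     # Narrowest directory that contains the code
            type: Directory                      # Fail the Pod if the path is missing on the node
        - name: scratch
          emptyDir: {}
```

To confirm the namespace policy is doing its job, apply the same Job into a namespace labelled `enforce: baseline`: the API server should refuse it with a message naming the hostPath volume. Apply it into codeward-host-scan and it is admitted.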

4. Configuration via ConfigMap

You can manage your .codeward.json configuration in a ConfigMap and mount it into the container. This provides a centralized way to update policies without rebuilding images.

Create the ConfigMap

apiVersion: v1
kind: ConfigMap
metadata:
  name: codeward-config
data:
  .codeward.json: |
    {
      "global": {
        "ignore": [
          { "paths": ["**/*.test.js"] }
        ]
      },
      "vulnerability": [
        {
          "rules": [{ "field": "Severity", "type": "eq", "value": "CRITICAL" }],
          "actions": { "new": "block", "existing": "warn" }
        }
      ]
    }

Mount the ConfigMap

Mount the config file and tell Codeward where to find it using CODEWARD_CONFIG_PATH.

apiVersion: batch/v1
kind: Job
metadata:
  name: codeward-configured-scan
spec:
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: scanner
          image: ghcr.io/codeward-io/scan:v0.2.0
          env:
            # Point to the mounted config file
            - name: CODEWARD_CONFIG_PATH
              value: "/config/.codeward.json"
          volumeMounts:
            - mountPath: /main
              name: source-code
            # Mount the config file
            - mountPath: /config
              name: config-volume
              readOnly: true
      volumes:
        - name: source-code
          persistentVolumeClaim:
            claimName: my-source-pvc-name
        - name: config-volume
          configMap:
            name: codeward-config