Configuration

Internal Scanning can be deployed with many different options.

Configuration options can be set using CLI flags:


helm install detectify-scanner detectify/internal-scanning-agent \
  --version '~> 2.0' \
  --namespace scanner \
  --set redis.deploy=false \
  --set config.redisUrl=rediss://redis.example.com:6379

Or using a values.yaml file:


redis:
  deploy: false
 
config:
  redisUrl: 'rediss://redis.example.com:6379'

Deployed with e.g.:


helm install detectify-scanner detectify/internal-scanning-agent \
  --version '~> 2.0' \
  --namespace scanner \
  -f values.yaml

The install namespace is taken from helm -n; there is no namespace.name value in chart 2.0.0.

Values

Key	Default	Description
`secrets.licenseKey`	`""`	Detectify license key. Required unless `secrets.existingConfigSecret` is set.
`secrets.connectorApiKey`	`""`	Detectify connector API key. Required unless `secrets.existingConfigSecret` is set.
`secrets.registry.username`	`""`	Username for the Detectify docker registry. Required unless `secrets.existingRegistrySecret` is set.
`secrets.registry.password`	`""`	Password for the Detectify docker registry. Required unless `secrets.existingRegistrySecret` is set.
`secrets.existingConfigSecret`	`""`	Name of a pre-existing Opaque Secret in the release namespace holding `license-key`, `connector-api-key`, and `connector-url`. When set, the chart skips rendering `scanner-config` and the pods read directly from this Secret.
`secrets.existingRegistrySecret`	`""`	Name of a pre-existing `kubernetes.io/dockerconfigjson` Secret in the release namespace. When set, the chart skips rendering `detectify-registry` and wires this Secret into each pod’s `imagePullSecrets`.
`registry.server`	`"registry.detectify.com"`	Detectify container registry hostname
`registry.url`	`"registry.detectify.com/internal-scanning"`	Path prefix for scanner images within the registry
`replicaCount.scanScheduler`	`1`	Replicas for the scan scheduler
`replicaCount.scanManager`	`1`	Replicas for the scan manager
`replicaCount.chromeController`	`1`	Replicas for the chrome controller
`resources.scanScheduler`	`{ "limits": { "cpu": "1000m", "memory": "1Gi" }, "requests": { "cpu": "200m", "memory": "256Mi" } }`	Resource requests and limits for the scan scheduler
`resources.scanManager`	`{ "limits": { "cpu": "1000m", "memory": "1Gi" }, "requests": { "cpu": "200m", "memory": "256Mi" } }`	Resource requests and limits for the scan manager
`resources.chromeController`	`{ "limits": { "cpu": "1000m", "memory": "1Gi" }, "requests": { "cpu": "200m", "memory": "512Mi" } }`	Resource requests and limits for the chrome controller
`resources.redis`	`{ "limits": { "cpu": "500m", "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }`	Resource requests and limits for Redis
`autoscaling.enabled`	`false`	Enable Horizontal Pod Autoscaler for scanner components
`autoscaling.scanScheduler`	`{ "maxReplicas": 10, "minReplicas": 1, "targetCPUUtilizationPercentage": 70, "targetMemoryUtilizationPercentage": null }`	HPA settings for the scan scheduler
`autoscaling.scanManager`	`{ "maxReplicas": 20, "minReplicas": 1, "targetCPUUtilizationPercentage": 80, "targetMemoryUtilizationPercentage": null }`	HPA settings for the scan manager
`config.redisUrl`	`"redis://redis:6379"`	Redis connection URL
`config.redisTtlSeconds`	`"604800"`	Redis TTL in seconds for cached scan data (default: 7 days)
`config.connectorServerUrl`	`"https://connector.detectify.com"`	Detectify connector service URL. Used by the chart-managed `scanner-config` Secret and referenced by BYO `existingConfigSecret` via the `connector-url` key.
`config.licenseServerUrl`	`"https://license.detectify.com"`	Detectify license validation server URL
`config.logFormat`	`"json"`	Log output format: `json` for log aggregation, `text` for human readability
`config.scheduledScansPollIntervalSeconds`	`"300"`	How often (in seconds) to poll for new scans to run
`config.completedScansPollIntervalSeconds`	`"60"`	How often (in seconds) to poll for completed scans
`redis.deploy`	`true`	Deploy Redis as part of this release. Set to false to use an external Redis instance via `config.redisUrl`.
`redis.persistence`	`{ "enabled": true, "size": "8Gi", "storageClass": "" }`	Redis persistence settings
`redis.persistence.enabled`	`true`	Enable persistent storage for Redis data
`redis.persistence.size`	`"8Gi"`	Size of the persistent volume for Redis
`redis.persistence.storageClass`	`""`	StorageClass for the Redis persistent volume. Empty uses the cluster default
`service.type`	`"ClusterIP"`	Kubernetes Service type
`ingress.enabled`	`false`	Enable ingress. Required when triggering scans from outside the cluster (e.g., CI/CD pipelines)
`ingress.className`	`""`	Ingress class name (e.g., `nginx`, `traefik`, `alb`)
`ingress.annotations`	`{}`	Annotations for the ingress resource
`ingress.host`	`""`	Hostname for the scanner API
`ingress.path`	`"/"`	URL path for the scanner API
`ingress.pathType`	`"Prefix"`	Path matching type
`ingress.tls`	`{ "enabled": false, "secretName": "" }`	TLS configuration for the ingress
`ingress.tls.enabled`	`false`	Enable TLS for the ingress
`ingress.tls.secretName`	`""`	Name of the TLS secret (create manually or use cert-manager)
`priorityClass.enabled`	`true`	Enable PriorityClass to prevent eviction of scanner components under resource pressure
`priorityClass.value`	`1000000`	Priority value assigned to the PriorityClass (higher = more important)
`probes`	`{ "liveness": { "initialDelaySeconds": 30, "periodSeconds": 10 }, "readiness": { "initialDelaySeconds": 5, "periodSeconds": 5 } }`	Scan Scheduler Health check probe settings for liveness and readiness probes
`probes.liveness`	`{ "initialDelaySeconds": 30, "periodSeconds": 10 }`	Liveness probe configuration
`probes.readiness`	`{ "initialDelaySeconds": 5, "periodSeconds": 5 }`	Readiness probe configuration