Self-Managed Kubernetes

Deploy the Internal Scanner to any Kubernetes cluster using our Helm chart. This option is for organizations running their own Kubernetes infrastructure, whether on-premises or on cloud providers without a dedicated Terraform module.

Helm Resources: Helm Charts | GitHub

When to Use This Option

On-premises Kubernetes clusters
Self-managed Kubernetes on any cloud provider
Managed Kubernetes services without a dedicated Terraform module (e.g., DigitalOcean, Oracle Cloud)

Deploying on AWS EKS instead? The AWS Terraform module wraps this chart and provisions the cluster, networking, and observability for you.

Getting Started

Prepare Your Cluster

Ensure your cluster meets the prerequisites. Key items to verify:


# Check Kubernetes version (1.29+ required)
kubectl version
 
# Verify cluster connectivity
kubectl get nodes

The chart derives its install namespace from helm -n. The examples below use scanner, but any non-default namespace works — pick whatever matches your conventions (e.g. detectify, security-tools, or a per-tenant name).

The chart refuses to install into the default namespace. Always pass -n <namespace> (and --create-namespace on first install).

Add Detectify Helm Chart Repository


helm repo add detectify https://detectify.github.io/helm-charts
helm repo update detectify

Deploy with Helm

Install the chart, pinning the major version and passing credentials under secrets.*:


helm install detectify-scanner detectify/internal-scanning-agent \
  --version '~> 2.0' \
  --namespace scanner \
  --create-namespace \
  --set secrets.licenseKey='your-license-key' \
  --set secrets.connectorApiKey='your-connector-api-key' \
  --set secrets.registry.username='your-registry-username' \
  --set secrets.registry.password='your-registry-password'

For larger setups, keep the credentials in a values file instead:


# my-values.yaml
secrets:
  licenseKey: 'your-license-key'
  connectorApiKey: 'your-connector-api-key'
  registry:
    username: 'your-registry-username'
    password: 'your-registry-password'


helm install detectify-scanner detectify/internal-scanning-agent \
  --version '~> 2.0' \
  --namespace scanner \
  --create-namespace \
  -f my-values.yaml

If you’d rather keep credentials out of Helm values entirely, see Secrets Management for bring-your-own Secret recipes (kubectl, external-secrets-operator, sealed-secrets, AWS Secrets Manager).

For a full list of values, see Configuration.

Verify Deployment


# Check pods are running
kubectl get pods -n scanner
 
# Check scanner logs
kubectl logs -n scanner -l app=scan-scheduler

Upgrading from Chart 1.x

Chart 2.0.0 is a breaking release — credentials moved under secrets.*, namespace.name was removed, and config.imagePullSecret / registry.imagePullSecrets no longer exist. Follow the 1.x to 2.0 migration guide before running helm upgrade.

Next Steps

After deployment:

Secrets Management - Bring-your-own Secret recipes
Detectify Configuration - Set up scan profiles in the Detectify UI
Scaling - Capacity planning
Troubleshooting - Common issues