Self-Managed Kubernetes
Deploy the Internal Scanner to any Kubernetes cluster using our Helm chart. This option is for organizations running their own Kubernetes infrastructure, whether on-premises or on cloud providers without a dedicated Terraform module.
Helm Resources: Helm Charts | GitHub
When to Use This Option
- On-premises Kubernetes clusters
- Self-managed Kubernetes on any cloud provider
- Managed Kubernetes services not yet supported by our Terraform modules (e.g., DigitalOcean, Oracle Cloud)
- Existing clusters where you prefer Helm over Terraform
Prerequisites
Kubernetes Cluster
| Requirement | Minimum | Recommended |
|---|---|---|
| Kubernetes Version | 1.28+ | Latest stable |
| Nodes | 1 | 2+ (for HA) |
| CPU | 2 vCPU | 4+ vCPU |
| Memory | 8 Gi | 16 Gi |
| Storage | 8 Gi | 16 Gi |
Network Requirements
Your cluster needs:
- Outbound HTTPS (443) to `*.detectify.com` for API communication and container images
- Internal load balancer capability (or ingress controller)
- Network access from scanner pods to your target applications
Tools
| Tool | Version | Purpose |
|---|---|---|
| kubectl | >= 1.28 | Cluster management |
| Helm | >= 3.0 | Chart deployment |
Detectify Credentials
From Internal Scanning Agents in the Detectify Platform:
- License Key
- Connector API Key
- Registry credentials (username and password)
Deployment Overview
The Helm chart deploys the following components:
```
┌─────────────────────────────────────────────────────────────────────────────┐
│                             SCANNER COMPONENTS                              │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                             │
│      ┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐      │
│      │ scan-scheduler  │    │ scan-manager    │    │chrome-controller│      │
│      │                 │    │                 │    │                 │      │
│      │ Receives scan   │───►│ Orchestrates    │───►│ Manages browser │      │
│      │ jobs from       │    │ scan execution  │    │ instances for   │      │
│      │ Detectify       │    │                 │    │ DAST testing    │      │
│      └─────────────────┘    └─────────────────┘    └─────────────────┘      │
│                                      │                                      │
│                                      ▼                                      │
│                             ┌─────────────────┐                             │
│                             │ Redis           │                             │
│                             │                 │                             │
│                             │ Job queue and   │                             │
│                             │ state storage   │                             │
│                             └─────────────────┘                             │
│                                                                             │
└─────────────────────────────────────────────────────────────────────────────┘
```
Getting Started
Step 1: Get Your Credentials
Before deploying, you need credentials from the Detectify Platform. Navigate to Internal Scanning Agents in your Detectify account to obtain:
- License Key
- Connector API Key
- Registry credentials (username and password)
If you don’t have access to Internal Scanning, contact your Detectify account team or reach out to us.
Step 2: Prepare Your Cluster
Ensure your cluster meets the prerequisites above. Key items to verify:
```bash
# Check Kubernetes version
kubectl version
# Verify cluster connectivity
kubectl get nodes
# Check available resources (requires metrics-server)
kubectl top nodes
```
Step 3: Configure Networking
The scanner needs:
- Ingress or Load Balancer - To expose the scanner endpoint (internal only)
- TLS Certificate - For HTTPS communication
- DNS Record - Pointing to your scanner endpoint
Your specific configuration will depend on your infrastructure:
| Environment | Ingress Option | TLS Option |
|---|---|---|
| On-premises | NGINX Ingress, Traefik | cert-manager, manual certs |
| Cloud (generic) | Cloud load balancer | Cloud-managed certs, cert-manager |
Step 4: Deploy with Helm
Add the Detectify Helm repository and deploy:
```bash
# Add the Detectify Helm repository
helm repo add detectify https://detectify.github.io/helm-charts
helm repo update

# Create namespace
kubectl create namespace scanner

# Create secrets for credentials
kubectl create secret generic detectify-credentials \
  --namespace scanner \
  --from-literal=license-key='your-license-key' \
  --from-literal=connector-api-key='your-connector-api-key'

kubectl create secret docker-registry detectify-registry \
  --namespace scanner \
  --docker-server=registry.detectify.com \
  --docker-username='your-registry-username' \
  --docker-password='your-registry-password'

# Install the chart
helm install internal-scanner detectify/internal-scanning-agent \
  --namespace scanner \
  --set ingress.enabled=true \
  --set ingress.host=scanner.internal.example.com
```
For all available configuration options, see the chart documentation or the values.yaml on GitHub.
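Passing credentials with `--from-literal`, as in the commands above, leaves them in shell history and visible in the process list while `kubectl` runs. The following added example (not part of the Detectify documentation) renders the same `detectify-credentials` Secret from owner-only files and pipes it to `kubectl apply`; the function names and file paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example: build the detectify-credentials Secret from files so the
# values never appear in argv or shell history. Function names are hypothetical.

# Succeed only if the file is non-empty and readable by its owner alone.
check_secret_file() {
  local f=$1 mode
  [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as fallback.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f") || return 1
  case "$mode" in
    400|600) return 0 ;;
    *) echo "refusing $f: mode $mode, expected 600 or 400" >&2; return 1 ;;
  esac
}

# Base64-encode a file with trailing newlines stripped; an editor-added
# newline would otherwise become part of the stored key.
b64_file() {
  printf '%s' "$(cat "$1")" | base64 | tr -d '\n'
}

# Print a Secret manifest using the name and keys from Step 4.
render_secret() {
  local license_file=$1 api_key_file=$2 ns=${3:-scanner}
  check_secret_file "$license_file" || return 1
  check_secret_file "$api_key_file" || return 1
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: detectify-credentials
  namespace: $ns
type: Opaque
data:
  license-key: $(b64_file "$license_file")
  connector-api-key: $(b64_file "$api_key_file")
EOF
}

# Usage (placeholder paths):
#   render_secret ./license-key.txt ./connector-api-key.txt | kubectl apply -f -
```

The `detectify-registry` pull secret is not covered by this example.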
Step 5: Verify Deployment
```bash
# Check pods are running
kubectl get pods -n scanner
# Check scanner logs
kubectl logs -n scanner -l app=scan-scheduler
# Test the endpoint (from within your network)
curl https://your-scanner-url/health
```
Configuration
The Helm chart supports configuration for:
- Resource requests and limits
- Replica counts for each component
- Autoscaling settings
- Custom ingress annotations
- TLS configuration
See the chart documentation for all available options, or view the default values.yaml on GitHub.
Compared to Terraform Modules
| Aspect | Terraform Module | Helm Chart |
|---|---|---|
| Infrastructure | Creates cluster + deploys scanner | Deploys to existing cluster |
| Complexity | Lower (all-in-one) | Higher (requires existing K8s) |
| Flexibility | Cloud-specific | Any Kubernetes cluster |
| DNS/TLS | Automated (Route53, ACM) | Manual configuration |
| Best for | New deployments on AWS/Azure/GCP | Existing clusters, on-premises |
Support
For assistance with Helm chart deployment:
- Review the chart documentation
- Check GitHub issues for known issues
- Contact your Detectify account team
- Email support@detectify.com
Next Steps
After deployment:
- Configure - Set up scan targets
- Scaling - Capacity planning
- Troubleshooting - Common issues