Commit dd54dee

Merge pull request #3702 from replicatedhq/security-page-improvements
Security Center page improvements
2 parents 0f0a0c0 + 9d15f45 commit dd54dee

1 file changed (+53, -27 lines changed)


docs/vendor/security-center-about.mdx

Lines changed: 53 additions & 27 deletions
@@ -10,17 +10,20 @@ The Security Center is Alpha. To get access to the Security Center, reach out to
1010

1111
The Security Center helps you strengthen security enablement in your application delivery process by making it easier for both you and your enterprise customers to monitor security risks, assess known vulnerabilities, and view security information for each application release.
1212

13-
The Security Center is powered by Replicated’s [SecureBuild](https://securebuild.com/) technology. Every image is scanned continuously, not just at release time. Customers can see the same application version security information that you do, driving customer transparency, reduced security questionnaire burden, and adoption of newer, more secure versions of your application.
13+
The Security Center is powered by Replicated’s [SecureBuild](https://securebuild.com/) technology. With SecureBuild, every image is scanned continuously (not just at release time) using the open source vulnerability scanner [grype](https://github.com/anchore/grype).
1414

15-
## Requirements
15+
The Security Center surfaces the results of image scans in both the Vendor Portal and the Enterprise Portal so that your customers can see the same security information that you do for each application version. This results in greater transparency, reduced security questionnaire burden, and the adoption of newer, more secure versions of your application.
1616

17+
## Requirements
1718
* Access to the Security Center Alpha requires a feature flag be turned on for your team. For more information, reach out to your Replicated account representative.
18-
* Display and reporting of application images requires the [Replicated SDK version 1.8.0](/release-notes/rn-replicated-sdk#180) or later.
19-
* Display and reporting of Embedded Cluster images requires the [Replicated SDK version 1.9.0](/release-notes/rn-replicated-sdk#190) or later.
20-
* For Helm CLI installations, to include all container images observed in the cluster in the Security Center reports (rather than application images only), set the Replicated SDK to [Report All Images](/vendor/replicated-sdk-customizing#report-all-images). This setting is automatically enabled for Embedded Cluster installations.
21-
* Each Helm chart in the release must have a unique [HelmChart](/reference/custom-resource-helmchart-v2) custom resource. The HelmChart custom resource is required to create the list of images that are scanned and reported on in the Security Center. This HelmChart custom resource requirement applies to both Helm CLI and Embedded Cluster installations.
19+
* Version 1.9.0 or later of the [Replicated SDK](/vendor/replicated-sdk-installing#install-the-sdk-as-a-subchart) is required to report CVE information from specific customer instances back to the Vendor Portal. For more information, see [Customer-Specific CVE Information](#customer-specific-cve-information) below.
20+
* For Helm CLI installations, additionally set the Replicated SDK to [Report All Images](/vendor/replicated-sdk-customizing#report-all-images). This ensures that the Security Center reports all container images observed in the cluster. This settting is enabled by default for Embedded Cluster installations.
21+
* Each Helm chart in the release must have a unique [HelmChart](/reference/custom-resource-helmchart-v2) custom resource. The HelmChart custom resource is required for both Embedded Cluster and Helm CLI installations in online (internet-connected) or air-gapped environments to create the list of images that are scanned and reported on in the Security Center.
2222

23-
The following is an example HelmChart custom resource for a chart named `examplechart` with a chart version of `1.0.0`:
23+
:::note
24+
For Embedded Cluster and air gap installations, you do not need to make any changes to your existing HelmChart custom resource(s) to support Security Center image scanning.
25+
26+
For Helm CLI installations in online environments, note that only the HelmChart `chart.name` and `chart.chartVersion` fields are required to support Security Center image scanning for the given chart. For example:
2427

2528
```yaml
2629
apiVersion: kots.io/v1beta2
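Review bot: typo in the Report All Images bullet (line 20+): "This settting is enabled by default" should read "This setting is enabled by default". Two further points on the rewritten Requirements list: the SDK bullet (19+) replaces the earlier pair of requirements (SDK 1.8.0 for application images, 1.9.0 for Embedded Cluster images) with a single 1.9.0 minimum tied to reporting CVE information from customer instances; confirm that 1.9.0 is the actual minimum for Helm CLI application-image reporting before dropping the 1.8.0 line, otherwise Helm CLI users are told to upgrade unnecessarily. The Report All Images bullet would also benefit from one sentence stating that the setting reports every container image observed in the customer's cluster, not only your application's images, since that is a data-sharing consideration the reader should see before enabling it.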
@@ -34,57 +37,80 @@ The Security Center is powered by Replicated’s [SecureBuild](https://securebui
3437
# chartVersion must match the version of the chart
3538
chartVersion: 1.0.0
3639
```
37-
For more information about the HelmChart custom resource, see [HelmChart v2](/reference/custom-resource-helmchart-v2).
40+
:::
3841
3942
## Limitations
43+
4044
* The Security Center is Alpha. The features and functionality of the Security Center are subject to change.
45+
4146
* Security Center reporting is available only for Embedded Cluster and Helm CLI installations. It is not available for kURL installations or for KOTS installations in an existing cluster.
47+
4248
* If you have configured the [`builder`](/reference/custom-resource-helmchart-v2#builder) key in any of the HelmChart custom resources in your release, note that the Security Center uses the Helm values provided in the `builder` key to create the list of images that are scanned and reported on for the given Helm chart. The Security Center will scan and report on this same list of images for both air gap and online installations. If there are any images that you want reported on in the Security Center, ensure that they are exposed by the values provided in the `builder` key.
4349

50+
## Vendor Portal Security Center Interfaces
4451

45-
## Security Center Interfaces
52+
### Security Center Dashboard
4653

47-
The Security Center is accessible through the following interfaces:
48-
* Vendor-facing dashboard available in the Replicated Vendor Portal. See [Vendor Portal](#vendor-portal) below.
49-
* Enterprise customer-facing dashboard available in the Replicated Enterprise Portal (optionally enabled per customer license). See [Enterprise Portal](#enterprise-portal) below.
54+
The Security Center dashboard is available in the Vendor Portal at **[App name] > Security**.
55+
56+
The following shows an example of the Security Center dashboard:
5057

51-
### Vendor Portal
58+
![Security Center dashboard](/images/security-center-dashboard.png)
5259

53-
The Vendor Portal Security Center gives you access to the following key security insights for your releases:
54-
* Known vulnerabilities in container images
55-
* CVE details
56-
* A summary of top security risks based on the assessed severity of the vulnerability
60+
[View a larger version of this image](/images/security-center-dashboard.png)
5761

58-
The following shows an example of the vendor-facing Security Center dashboard in the Vendor Portal:
62+
You can filter for the information on the Security Center dashboard by release type (Linux/Embedded Cluster or Helm) and release channel. The information displayed on the Security Center dashboard applies to the currently promoted release of the selected type on the selected channel.
5963

60-
![Security Center dashboard](/images/security-center-dashboard.png)
64+
The Security Center dashboard includes the following:
65+
* An overview of vulnerabilities present in the release, including a breakdown of CVE severity (Critical, High, Medium, Low) and a detailed list of the top security risks
66+
* On the **Container images** tab, a complete list of scanned images with vulnerability counts per image
67+
* On the **CVE details** tab, for each CVE identified:
68+
* The CVE identifier and description
69+
* The CVSS score and severity rating
70+
* A list of images affected by the CVE
71+
* Fixed versions (when available)
6172

62-
[View a larger version of this image](/images/security-center-dashboard.png)
73+
### Release-Specific CVE Information
74+
75+
CVE details are available for all current and previously promoted application release versions. To view CVE information for a specifc release, go to **Releases > [Release Version] > Security**.
6376

64-
This dashboard displays an overview of vulnerabilities present in the release for the selected channel and installation type. When a channel is selected, the information displayed is for the promoted release for that channel.
77+
### Customer-Specific CVE Information
6578

66-
Additionally, CVE details are available at the individual release level for all current and previously promoted application release versions. To view CVE information for a specifc release go to **Releases > [Release Version] > Security**.
79+
You can view CVE details at the customer level for active instances running the Replicated SDK verson 1.9.0 or later. This gives you visibility into all container images running alongside your application, helping you identify security risks and urgent upgrade needs across your customer base.
6780

68-
You can also view CVE details at the individual customer level for active instances. To view CVE information for a specific customer instance go to **Customers > [Customer] > [Instance] > Security**. Instances must be running the Replicated SDK verson 1.8.0 or later.
81+
To view CVE information for a specific customer instance go to **Customers > [Customer] > [Instance] > Security**.
6982

70-
### Enterprise Portal
83+
## Enterprise Portal Security Center Interface
7184

7285
The Enterprise Portal Security Center allows you to provide key security information to your enterprise customers alongside your application releases.
7386

87+
The **Security Center** tab of the Enterprise Portal is not enabled by default. See [Enable the Enterprise Portal Security Center](#enable-the-enterprise-portal-security-center). When enabled, the Security Center intelligently filters data based on the customer's installation type, ensuring that customers only see relevant security information.
88+
7489
On the **Security Center** tab of the Enterprise Portal, for each available release version, customers can:
75-
* View a detailed report of known CVEs
76-
* Download the Software Bill of Materials (SBOM)
90+
* View a CVE report with the complete list of known vulnerabilities and their severity levels
91+
* View details about the vulnerabilities identified for each image
92+
* Understand how many CVEs are fixed by upgrading to newer versions
93+
* Download the Software Bill of Materials (SBOM) in SPDX format for compliance and security audits
7794

7895
The following shows an example of the Security Center dashboard in the Enterprise Portal:
7996

8097
![Enterprise Portal Security Center dashboard](/images/ep-security-center-dashboard.png)
8198

8299
[View a larger version of this image](/images/ep-security-center-dashboard.png)
83100

84-
#### Enable the Enterprise Portal Security Center
101+
102+
### Enable the Enterprise Portal Security Center
85103

86104
The **Security Center** tab in the Enterprise Portal is not enabled by default. If the Security Center feature flag is enabled for your Vendor Portal team, you can optionally enable the Enterprise Portal **Security Center** tab on a per-customer basis or globally for all customers.
87105

88106
To enable the **Security Center** tab in a customer's Enterprise Portal, go to **Customers > [Customer] > Enterprise Portal access**.
89107

90108
To enable the **Security Center** tab for all customers using the Enterprise Portal, go to **Enterprise Portal > Portal Settings > Optional Features** and enable the **Enable Security Center** feature toggle.
109+
110+
## Include and Exclude Images From Security Center Scans
111+
112+
You can explicitly include or exclude images from being scanned by the Security Center:
113+
114+
* To exclude images from being scanned in Helm CLI installations, use the [installer-only annotation](/vendor/packaging-include-resources#installer-only). This is useful if your application has any charts and resources that are only relevant to Embedded Cluster installations and should not be shown to customers that install with the Helm CLI.
115+
116+
* If there are any images that are _not_ referenced in the PodSpecs for your application but should be included in Security Center image scans, list those images in the Application custom resource [additionalImages](/vendor/operator-defining-additional-images#define-additional-images-for-air-gap-bundles) field.
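Review bot: two typos in added lines: "specifc" (line 75+, "To view CVE information for a specifc release") and "verson" (line 79+, "Replicated SDK verson 1.9.0"). The `:::` on line 40+ closes the admonition opened in the previous hunk, so the YAML example now sits inside the note; that is valid MDX, but the removed cross-reference at 37- ("For more information about the HelmChart custom resource, see HelmChart v2") was the pointer from the example to the full field list, so consider keeping it after the closing fence. In the new "Include and Exclude Images From Security Center Scans" section, the `additionalImages` bullet should say how it relates to the `builder` limitation above (the image list is built from the `builder` values; state whether `additionalImages` entries are scanned regardless). Finally, "intelligently filters data based on the customer's installation type" (line 87+) would read better if it stated concretely what is filtered, for example which release type's images a customer sees.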
