
feat: kubevuln SBOM scanner sidecar support #803

Merged
matthyx merged 1 commit into main from feature/kubevuln-sbom-scanner-sidecar
Apr 2, 2026

Conversation

slashben (Contributor) commented Mar 23, 2026

Summary

  • Adds opt-in kubevuln.sbomScanner.enabled flag (default: false) that deploys an sbom-scanner sidecar container alongside kubevuln
  • Sidecar uses the same kubevuln image but runs /usr/bin/sbom-scanner binary
  • Shared sbom-comm emptyDir volume for Unix domain socket IPC between containers
  • GOMEMLIMIT set via downward API on the sidecar for Go runtime memory awareness

Companion PR

kubevuln code changes: kubescape/kubevuln#335

Values added

kubevuln:
  sbomScanner:
    enabled: false
    command:
      - /usr/bin/sbom-scanner
    resources:
      requests:
        cpu: 100m
        memory: 512Mi
      limits:
        cpu: 1000m
        memory: 5Gi

Test plan

  • helm lint passes with sidecar enabled and disabled
  • helm template shows correct sidecar container, volumes, and env vars when enabled
  • helm template shows no sidecar artifacts when disabled (backward compatible)
  • E2E: kind cluster with kubevuln.sbomScanner.enabled=true — pod starts with both containers, scanner connected, SBOMs generated

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features
    • Added optional SBOM scanner sidecar component to kubescape operator deployments. Disabled by default to ensure safe upgrades. When enabled via Helm configuration, deploys a dedicated scanner container with configurable resource limits (CPU/memory), custom command parameters, isolated inter-process communication channels, and enhanced security policies including read-only filesystem and non-root execution.

Add opt-in sidecar container for kubevuln that isolates Syft SBOM
generation in a separate memory cgroup, preventing OOM kills from
crashing the main kubevuln pod.

- kubevuln.sbomScanner.enabled (default: false) adds sbom-scanner
  sidecar container using the same kubevuln image
- Shared emptyDir volume (sbom-comm) for Unix domain socket IPC
- SBOM_SCANNER_SOCKET and SCANNER_MEMORY_LIMIT env vars on main container
- GOMEMLIMIT via downward API on sidecar container

Companion PR: kubescape/kubevuln#335

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ben <ben@armosec.io>
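The description above fixes the invariants that make the sidecar design safe: a shared emptyDir for the socket, GOMEMLIMIT fed from the sidecar's own memory limit, and a locked-down security context. The following is an added example (not code from the kubescape-operator chart or the kubevuln PR) that checks a rendered pod spec for exactly those properties; `RENDERED` is a constructed stand-in for `helm template` output, and the mount path and socket file name are assumptions rather than values from the chart.

```python
# Added example, not code from the kubescape-operator chart or the kubevuln PR: checks
# that a rendered kubevuln pod spec carries the sidecar wiring described in the PR.
# RENDERED is a constructed stand-in for `helm template` output (mount path assumed).
MAIN, SIDECAR, VOLUME = "kubevuln", "sbom-scanner", "sbom-comm"
RENDERED = {  # constructed pod spec; values mirror the PR description
    "volumes": [{"name": VOLUME, "emptyDir": {}}],
    "containers": [
        {"name": MAIN,
         "env": [{"name": "SBOM_SCANNER_SOCKET", "value": "/sbom-comm/scanner.sock"},
                 {"name": "SCANNER_MEMORY_LIMIT", "value": "5Gi"}],
         "volumeMounts": [{"name": VOLUME, "mountPath": "/sbom-comm"}]},
        {"name": SIDECAR,
         "env": [{"name": "GOMEMLIMIT", "valueFrom": {
             "resourceFieldRef": {"resource": "limits.memory"}}}],
         "resources": {"limits": {"cpu": "1000m", "memory": "5Gi"}},
         "securityContext": {"allowPrivilegeEscalation": False,
                             "readOnlyRootFilesystem": True, "runAsNonRoot": True},
         "volumeMounts": [{"name": VOLUME, "mountPath": "/sbom-comm"}]},
    ],
}

def check_sidecar_wiring(pod_spec):
    """Return the list of violations; empty when the spec matches the PR's design."""
    problems = []
    by_name = {c["name"]: c for c in pod_spec.get("containers", [])}
    main, side = by_name.get(MAIN), by_name.get(SIDECAR)
    if main is None or side is None:
        return ["missing kubevuln or sbom-scanner container"]
    # Unix-socket IPC only works if both containers share the same emptyDir.
    vols = {v["name"]: v for v in pod_spec.get("volumes", [])}
    if "emptyDir" not in vols.get(VOLUME, {}):
        problems.append(f"volume {VOLUME} missing or not emptyDir")
    for c in (main, side):
        if not any(m["name"] == VOLUME for m in c.get("volumeMounts", [])):
            problems.append(f"{c['name']} does not mount {VOLUME}")
    for var in ("SBOM_SCANNER_SOCKET", "SCANNER_MEMORY_LIMIT"):
        if var not in {e["name"] for e in main.get("env", [])}:
            problems.append(f"main container lacks {var}")
    # GOMEMLIMIT must come from the downward API so the Go GC tracks the real cgroup cap.
    gomem = next((e for e in side.get("env", []) if e["name"] == "GOMEMLIMIT"), {})
    ref = gomem.get("valueFrom", {}).get("resourceFieldRef", {})
    if ref.get("resource") != "limits.memory":
        problems.append("sidecar GOMEMLIMIT not sourced from limits.memory")
    sc = side.get("securityContext", {})
    for key, want in (("allowPrivilegeEscalation", False),
                      ("readOnlyRootFilesystem", True), ("runAsNonRoot", True)):
        if sc.get(key) is not want:
            problems.append(f"sidecar securityContext.{key} should be {want}")
    return problems
```

To use it against the real chart, convert the pod spec from `helm template` output to JSON and pass that dict in place of `RENDERED`.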

coderabbitai Bot commented Mar 23, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between a1eab50 and c642359.

📒 Files selected for processing (2)
  • charts/kubescape-operator/templates/kubevuln/deployment.yaml
  • charts/kubescape-operator/values.yaml

Walkthrough

The pull request adds optional sidecar support for an sbomScanner component in the kubescape-operator's kubevuln deployment. The main kubevuln container conditionally receives environment variables and volume mounts when enabled, while a new sidecar container is added with specific resource and security configurations, communicating via a shared emptyDir volume.

Changes

Cohort / File(s): Summary

  • SBOM Scanner Configuration (charts/kubescape-operator/templates/kubevuln/deployment.yaml): Added conditional wiring for the optional sbomScanner sidecar: the main container receives SBOM_SCANNER_SOCKET and SCANNER_MEMORY_LIMIT env vars plus a volume mount; a new sidecar container is added with command, resource limits, security context (no privilege escalation, read-only root FS, non-root user), and env vars including GOMEMLIMIT; the shared sbom-comm emptyDir volume is mounted on both containers.
  • SBOM Scanner Defaults (charts/kubescape-operator/values.yaml): Added the kubevuln.sbomScanner configuration block with a disabled-by-default toggle, the /usr/bin/sbom-scanner command, and explicit CPU/memory requests (100m/512Mi) and limits (1000m/5Gi) for the sidecar.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A scanner joins the fold today,
In volumes shared, they'll gently play,
With limits set and sockets bound,
Our SBOM's safety now is found!

Pre-merge checks (3 passed)

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: adding opt-in SBOM scanner sidecar support to kubevuln, which is the core feature across both modified files.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


matthyx (Contributor) left a comment

approved, but we need to use the released tag

@matthyx matthyx merged commit 4dd5b5b into main Apr 2, 2026
9 checks passed
@matthyx matthyx deleted the feature/kubevuln-sbom-scanner-sidecar branch April 2, 2026 10:03
@matthyx matthyx moved this from Needs Reviewer to To Archive in KS PRs tracking Apr 14, 2026