
fix: add /tmp emptyDir volume to SBOM scanner sidecar #811

Merged
slashben merged 1 commit into main from fix/sbom-scanner-sidecar-tmp-volume
Apr 9, 2026

Conversation


@slashben slashben commented Apr 5, 2026

Summary

  • Adds an emptyDir volume (sbom-scanner-tmp) mounted at /tmp to the node-agent SBOM scanner sidecar
  • Syft's Java cataloger needs writable temp space to process JAR archives (Go's archive/zip requires io.ReaderAt, which uses temp files for random access)
  • Without /tmp, Java packages are silently dropped from SBOMs (e.g., nginx SBOM missing libintl at /usr/share/java/libintl-0.21.jar — 142 packages instead of 143)
  • readOnlyRootFilesystem: true stays in place — the emptyDir provides writable temp space without weakening security
  • The kubevuln sidecar already has /tmp mounted correctly; only the node-agent sidecar was missing it

Test plan

  • helm unittest charts/kubescape-operator/ — all 12 tests, 656 snapshots pass
  • helm template with nodeAgent.sbomScanner.enabled=true confirms /tmp volumeMount and sbom-scanner-tmp volume render correctly
  • Deploy to test cluster and verify Java packages appear in SBOM output

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated SBOM scanner component configuration to provide dedicated temporary storage support.

The SBOM scanner sidecar runs with readOnlyRootFilesystem: true but
Syft's Java cataloger needs writable temp space to process JAR archives
(Go's archive/zip requires io.ReaderAt for random access via temp files).
Without /tmp, Java packages are silently dropped from SBOMs, causing
incomplete vulnerability scans.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ben <ben@armosec.io>
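The mechanism the description cites, as an added Go example that is neither Syft's nor the chart's code: a JAR arriving as a stream is spooled into a temp file so archive/zip gets the io.ReaderAt it needs, and the lookup fails as soon as the temp directory is unwritable (a nonexistent directory stands in for the read-only /tmp; the sample JAR is constructed in memory).

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"os"
)

// listJarEntries lists the entries of a JAR delivered as a stream: archive/zip needs an io.ReaderAt
// to seek to the central directory, so the stream is spooled to a temp file under tmpDir first.
func listJarEntries(tmpDir string, jar io.Reader) ([]string, error) {
	f, err := os.CreateTemp(tmpDir, "jar-*.tmp") // with a read-only /tmp this is the call that fails
	if err != nil {
		return nil, fmt.Errorf("no writable temp space for JAR: %w", err)
	}
	defer os.Remove(f.Name())
	defer f.Close()
	size, err := io.Copy(f, jar)
	if err != nil {
		return nil, err
	}
	zr, err := zip.NewReader(f, size) // *os.File satisfies io.ReaderAt
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(zr.File))
	for _, e := range zr.File {
		names = append(names, e.Name)
	}
	return names, nil
}

// buildSampleJar constructs a minimal in-memory JAR: a zip with one manifest entry.
func buildSampleJar() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("META-INF/MANIFEST.MF")
	_, _ = w.Write([]byte("Manifest-Version: 1.0\n"))
	_ = zw.Close()
	return buf.Bytes()
}

func main() {
	names, err := listJarEntries(os.TempDir(), bytes.NewReader(buildSampleJar()))
	fmt.Println(names, err) // [META-INF/MANIFEST.MF] <nil>
	_, err = listJarEntries("/nonexistent-readonly-tmp", bytes.NewReader(buildSampleJar())) // stands in for a read-only /tmp (constructed case)
	fmt.Println(err)
}
```

A cataloger that ignores the error from the first call is exactly how an archive ends up contributing zero packages to the SBOM instead of a visible failure.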

coderabbitai Bot commented Apr 5, 2026

📝 Walkthrough

The Helm chart values configuration for the nodeAgent.sbomScanner sidecar container has been updated to include a writable temporary directory mount point. A new volume mount referencing /tmp and a corresponding empty directory volume have been added to support the SBOM scanner's operational needs.

Changes

Cohort / File(s) | Summary
Helm Chart Configuration (charts/kubescape-operator/values.yaml) | Added volumeMount entry mountPath: /tmp named sbom-scanner-tmp and corresponding emptyDir volume definition to nodeAgent.sbomScanner sidecar container configuration.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested reviewers

  • matthyx

Poem

🐰 A hop and a bound, a tmp dir so fine,
For SBOM scanning to shine and align,
emptyDir magic, no storage to keep,
The scanner hops safe through data so deep!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately and specifically describes the main change: adding a /tmp emptyDir volume to the SBOM scanner sidecar. It is concise, clear, and directly reflects the changeset.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
charts/kubescape-operator/values.yaml (1)

790-791: Consider bounding /tmp growth for safer node-level behavior.

emptyDir: {} is valid, but adding a sizeLimit can reduce eviction risk during large image/JAR processing spikes.

Suggested values tweak
     volumes:
       - name: sbom-comm
         emptyDir:
           medium: Memory
           sizeLimit: 10Mi
       - name: sbom-scanner-tmp
-        emptyDir: {}
+        emptyDir:
+          sizeLimit: 2Gi
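Review bot: the sizeLimit proposed here (2Gi) disagrees with the "1Gi" suggested in the AI-agent prompt below; settle on one value before anyone applies it. Worth stating in the suggestion as well: when an emptyDir exceeds its sizeLimit the kubelet evicts the pod rather than failing the write, so for a DaemonSet node-agent the limit needs headroom above the largest JAR-heavy image the scanner is expected to spool, and a disk-backed emptyDir also counts toward any ephemeral-storage limit set on the pod. The prompt's optional memory-backed tmpfs would charge that whole limit against the sidecar's memory cgroup, which is a poor fit for multi-gigabyte temp files, unlike the 10Mi sbom-comm volume in the context lines.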
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@charts/kubescape-operator/values.yaml` around lines 790 - 791, The emptyDir volume named "sbom-scanner-tmp" currently uses an unbounded emptyDir (emptyDir: {}); change it to a bounded emptyDir by adding a sizeLimit (and optionally medium if you want memory-backed tmpfs) so the sbom-scanner-tmp volume cannot grow unbounded and cause node evictions—update the sbom-scanner-tmp emptyDir stanza to include a sensible sizeLimit (for example "1Gi" or another cluster-appropriate value).


📥 Commits

Reviewing files that changed from the base of the PR and between cdac526 and 6008b5c.

📒 Files selected for processing (1)
  • charts/kubescape-operator/values.yaml


@matthyx matthyx left a comment


@slashben good catch! Validated on my side, looking good 👍

@slashben slashben merged commit 6cf5910 into main Apr 9, 2026
9 checks passed
@slashben slashben deleted the fix/sbom-scanner-sidecar-tmp-volume branch April 9, 2026 06:26