Using Alauda Security Service in Offline Mode

Alauda Security Service can be deployed in environments without internet access. In offline mode, Central and Scanner continue to operate without reaching public endpoints, but vulnerability definitions must be supplied manually.

Enabling Offline Mode

When installing the Central service by using the operator custom resource, set the egress connectivity policy to offline:

spec:
  egress:
    connectivityPolicy: Offline

This setting matches the installation flow documented in Alauda Security Service for StackRox Installation.

Updating Vulnerability Definitions

Scanner maintains a local vulnerability database. In online mode, Central retrieves the latest vulnerability data from the internet, and Scanner syncs with Central. In offline mode, you must manually update the vulnerability data by uploading a definitions file to Central, which Scanner then retrieves.

  • Scanner checks for new data from Central every 5 minutes by default.
  • The offline data source is updated approximately every 3 hours.

Downloading the Definitions

Uploading the Definitions to Central

You can upload the vulnerability definitions database to Central by using either an API token or an administrator password.

Using an API Token

  • Prerequisites:

    • API token with administrator role
    • roxctl CLI installed
  • Procedure:

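    # roxctl reads the token from the ROX_API_TOKEN environment variable,
    # so it is not passed on the command line.
    export ROX_API_TOKEN=<api_token>
    export ROX_CENTRAL_ADDRESS=<address>:<port_number>
    roxctl scanner upload-db \
      -e "$ROX_CENTRAL_ADDRESS" \
      --scanner-db-file=<compressed_scanner_definitions.zip>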

Using a Password

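# A password given with --password is recorded in shell history and is visible
# in the process list; roxctl also reads it from the ROX_ADMIN_PASSWORD
# environment variable.
roxctl scanner upload-db \
  -e <address>:<port_number> \
  --scanner-db-file=<compressed_scanner_definitions.zip> \
  --password <admin_password>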

Operational Notes

  • Keep the downloaded bundle file in your offline software distribution path so that it can be promoted alongside image content and deployment manifests.
  • In larger environments, update the bundle on a regular schedule to reduce drift between actual scanner results and current vulnerability definitions.
  • Recent releases handle offline vulnerability bundles more efficiently, but the upload workflow remains the same from an operator perspective.
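
The following is an added example, not part of the product documentation: a pre-upload gate for a bundle that has been promoted through the offline distribution path, checking integrity and age before running the token-based upload shown above. It assumes the expected SHA-256 digest was recorded on the connected side and carried over separately; the function names, `MAX_AGE_HOURS` and the script name are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not product code. Assumptions: the expected SHA-256 was recorded
# on the connected side and carried over separately; MAX_AGE_HOURS is local policy.
MAX_AGE_HOURS="${MAX_AGE_HOURS:-24}"

# Succeeds only if the file's SHA-256 equals the expected hex digest (any case).
verify_digest() {
  local file="$1" expected actual
  [ -r "$file" ] || return 2
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  actual="$(sha256sum "$file" | cut -d' ' -f1)"
  [ "$actual" = "$expected" ]
}

# Succeeds if the file's mtime is within the last N hours. mtime is a proxy for
# bundle age, so copy with timestamps preserved (cp -p, rsync -t).
is_fresh() {
  local file="$1" hours="$2"
  [ -f "$file" ] || return 2
  [ -z "$(find "$file" -mmin "+$((hours * 60))" -print)" ]
}

# Verify, then upload with the same roxctl invocation the page documents.
promote_bundle() {
  local file="$1" expected="$2"
  if [ -z "${ROX_API_TOKEN:-}" ] || [ -z "${ROX_CENTRAL_ADDRESS:-}" ]; then
    echo "ROX_API_TOKEN and ROX_CENTRAL_ADDRESS must be set" >&2; return 1
  fi
  verify_digest "$file" "$expected" || { echo "digest mismatch: $file" >&2; return 1; }
  is_fresh "$file" "$MAX_AGE_HOURS" || { echo "bundle older than ${MAX_AGE_HOURS}h: $file" >&2; return 1; }
  roxctl scanner upload-db -e "$ROX_CENTRAL_ADDRESS" --scanner-db-file="$file"
}

# Usage: ./promote-definitions.sh <bundle.zip> <expected_sha256>
if [ "$#" -eq 2 ]; then
  promote_bundle "$1" "$2"
fi
```

A non-zero exit means the bundle was rejected before any upload was attempted, so a scheduled job can alert on it instead of leaving stale definitions in place unnoticed.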