Connectivity and Network considerations

Tunnel requires internet connectivity in order to function normally. If your organization blocks or restricts network traffic, that could prevent Tunnel from working correctly. This document explains Tunnel's network connectivity requirements, and how to configure Tunnel to work in restricted network environments, including completely air-gapped environments.

The following lists all external resources that are required by Tunnel, the feature that depends on each, and where to find further details:

  • Vulnerability Database: used for vulnerability scanning (details: Tunnel DB)
  • Java Vulnerability Database: used for Java vulnerability scanning (details: Tunnel Java DB)
  • Checks Bundle: used for misconfiguration scanning (details: Tunnel Checks)
  • VEX Hub: used for VEX Hub (details: VEX Hub)
  • Maven Central / Remote Repositories: used for Java vulnerability scanning (details: Java Scanner/Remote Repositories)

Note

Tunnel is an open source project that relies on public free infrastructure. In case of extreme load, you may encounter rate limiting when Tunnel attempts to connect to external resources.

The rest of this document details each resource's connectivity requirements and network related considerations.

OCI Databases

Tunnel's Vulnerability Database, Java Vulnerability Database, and Checks Bundle are packaged as OCI images and stored in public container registries.

Connectivity requirements

The specific registries and locations are detailed in the databases document.

Communication with OCI Registries follows the OCI Distribution spec.

The following hosts are known to be used by the default container registries:

  • Google Artifact Registry: mirror.gcr.io, googlecode.l.googleusercontent.com (additional info: Google's IP addresses)
  • GitHub Container Registry: ghcr.io, pkg-containers.githubusercontent.com (additional info: GitHub's IP addresses)

Self-hosting

You can host Tunnel's databases in your own container registry. Please refer to the Self-hosting document for a detailed guide.

Embedded Checks

The Checks Bundle is embedded in the Tunnel binary at build time and is used as a fallback if the external database is not available. This means that you can still scan for misconfigurations in an air-gapped environment, using the checks from the time of the Tunnel release you are using.

VEX Hub

Connectivity Requirements

VEX Hub is hosted at https://github.com/khulnasoft/vexhub.

Tunnel fetches the VEX Hub GitHub repository directly using plain HTTPS requests.

The following hosts are known to be used by GitHub's services:

  • api.github.com
  • codeload.github.com

For more information about GitHub connectivity (including specific IP addresses), please refer to GitHub's connectivity troubleshooting guide.

Self-hosting

You can host a copy of VEX Hub on your own internal server. Please refer to the self-hosting document for a detailed guide.

Maven Central / Remote Repositories

Tunnel might call out to Maven Central or other remote repositories in order to correctly identify Java packages during a vulnerability scan.

Connectivity requirements

Tunnel might attempt to connect (over HTTPS) to the following URLs:

  • https://repo.maven.apache.org/maven2

Offline mode

Maven Central cannot be used from a network-restricted environment, but you can stop Tunnel from attempting to connect to it by using the --offline-scan flag.
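As an added example (not part of the Tunnel documentation or code base), the following pre-flight script opens a TLS connection to each host named on this page and reports, per feature, which hosts are blocked together with the fallback this document describes for that feature. The grouping of hosts by feature and the use of port 443 for all HTTPS endpoints are assumptions; the probe can be swapped out (as the test does) for environments without direct egress.

```python
"""Pre-flight egress check for Tunnel in a restricted network (added example)."""
import socket
import ssl
from typing import Callable

# Hosts named in this document, grouped by the Tunnel feature that needs them
# (grouping is an assumption of this example).
REQUIRED_HOSTS = {
    "Vulnerability DB / Java DB / Checks (OCI registries)": [
        "mirror.gcr.io", "googlecode.l.googleusercontent.com",
        "ghcr.io", "pkg-containers.githubusercontent.com",
    ],
    "VEX Hub": ["api.github.com", "codeload.github.com"],
    "Java scanner (Maven Central)": ["repo.maven.apache.org"],
}

# Fallbacks this document describes when a feature's hosts are unreachable.
FALLBACKS = {
    "Vulnerability DB / Java DB / Checks (OCI registries)":
        "self-host the databases in an internal registry; misconfiguration "
        "scanning still works via the embedded Checks Bundle",
    "VEX Hub": "self-host a copy of VEX Hub on an internal server",
    "Java scanner (Maven Central)": "run with --offline-scan to skip remote lookups",
}


def tls_probe(host: str, timeout: float = 5.0) -> bool:
    """Connect to host:443 and complete a TLS handshake; True on success."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def egress_report(probe: Callable[[str], bool] = tls_probe) -> dict:
    """Probe every host; map each feature to its blocked hosts and fallback."""
    report = {}
    for feature, hosts in REQUIRED_HOSTS.items():
        blocked = [h for h in hosts if not probe(h)]
        report[feature] = {
            "blocked": blocked,
            "fallback": FALLBACKS[feature] if blocked else None,
        }
    return report


if __name__ == "__main__":
    for feature, result in egress_report().items():
        status = "OK" if not result["blocked"] else (
            f"BLOCKED {result['blocked']} -> {result['fallback']}")
        print(f"{feature}: {status}")
```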