stackrox · davdhacs · Mar 25, 2026 · Mar 26, 2026
@@ -41,7 +41,6 @@ cp "${INPUT_ROOT}/scripts/entrypoint.sh"               "${OUTPUT_DIR}/scripts"
 cp "${INPUT_ROOT}/scripts/import-additional-cas"       "${OUTPUT_DIR}/scripts"
 cp "${INPUT_ROOT}/scripts/restore-all-dir-contents"    "${OUTPUT_DIR}/scripts"
 cp "${INPUT_ROOT}/scripts/save-dir-contents"           "${OUTPUT_DIR}/scripts"
-cp "${INPUT_ROOT}/scripts/trust-root-ca"               "${OUTPUT_DIR}/scripts"
 
 # =============================================================================
 # Add binaries and data files to be included in the Dockerfile here. This

@@ -4,6 +4,5 @@ set -euo pipefail
 
 /restore-all-dir-contents
 /import-additional-cas
-/trust-root-ca
 
 exec /scanner
@@ -22,6 +22,14 @@ copy_existing /usr/local/share/ca-certificates
 # Copy the custom trusted CA bundles injected by the Openshift Network Operator.
 copy_existing /etc/pki/injected-ca-trust
 
+# Copy the StackRox root CA if available (mounted by the operator).
+# Only copy ca.pem — the mount also contains server cert and key which
+# should not be added as trusted CA anchors.
+CA_PATH="/run/secrets/stackrox.io/certs/ca.pem"
+echo "Copying StackRox root CA from '${CA_PATH}'"
+# For RHEL
+cp "${CA_PATH}" /etc/pki/ca-trust/source/anchors/root-ca.pem
+
 echo "Updating CA trust"
 # Though /etc/pki/ca-trust/extracted is the default output, update-ca-trust
 # will create the necessary directories with the required permissions if the `--output` flag is used.