Documentation
SIG Academy Sphere Community Contact support Sigrid website Contribute to docs Sign in

Open Source Health knowledge base for Sigrid On-Premise

This documentation covers on-premise Sigrid. It is not applicable for cloud-based Sigrid.

Prerequisites

If you’re not pulling softwareimprovementgroup/osh-kb-updater directly from our ECR, make sure to pull it from ECR and push it to your local registry for deployment.

Introduction

Sigrid continuously measures and reports on the quality, security, and maintainability of software systems. Part of this capability is Open Source Health (OSH), which focuses on identifying open source dependencies and assessing whether these dependencies are affected by known vulnerabilities.

In Sigrid SaaS deployments, OSH results are determined by consulting public and vendor-maintained vulnerability knowledge sources. However, for Sigrid On-Premise deployments, this is usually not possible. On-premise environments are commonly isolated from the internet or restricted by security and compliance requirements, which prevents access to external vulnerability databases.

As a result, Sigrid On-Premise cannot rely on public knowledge sources to determine vulnerabilities in open source dependencies.

To enable OSH in on-premise environments, Sigrid provides a dedicated Open Source Health knowledge base.

Accurate OSH results depend on a frequently updated vulnerability database. Without access to such knowledge, OSH findings cannot be produced.

OSH knowledge base for On-Premise deployments

For Sigrid On-Premise, the vulnerability database is provided through a local OSH knowledge base.

The OSH knowledge base is delivered as a separate, optional container that maintains a curated set of vulnerability data. During import of the dependencies that were identified in the analysis, Sigrid queries this local knowledge base instead of public sources.

Key characteristics:

It is strongly recommended to update the OSH knowledge base container daily, if possible.

Creating the OSH knowledge base user

This step is only necessary when setting up the OSH knowledge base for Sigrid On-Premise deployments completed before 2026. Newer deployments already have this user, as it is created by the sigriddb-init script during the initial PostgreSQL database setup.

Run the following commands on your PostgreSQL database:

CREATE USER osh_kb_updater_user WITH
    PASSWORD '${OSH_KB_UPDATER_PASSWD}'
    CREATEROLE
    NOINHERIT
    ;
GRANT CONNECT, TEMP ON DATABASE sigriddb TO osh_kb_updater_user;
GRANT USAGE ON SCHEMA osh_knowledge_base TO osh_kb_updater_user;
-- For tables existing in osh_knowledge_base, grant SELECT, INSERT, UPDATE
GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA osh_knowledge_base TO osh_kb_updater_user;
-- For sequences existing in osh_knowledge_base, grant SELECT, INSERT, UPDATE
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA osh_knowledge_base TO osh_kb_updater_user;

Enabling the OSH knowledge base updater

The OSH knowledge base updater is enabled in the global section of your Sigrid On-Premise deployment configuration.

Add the following configuration to the global section:

global:
  onPremise:
    oshKbUpdater:
      enabled: true
      updaterImage:
        repository: softwareimprovementgroup/osh-kb-updater
        tag: 1.0.20260107 # e.g. use Renovate to update this tag regularly
      pgHost: "postgres.example.com"
      pgSecretName: "osh-kb-updater-job-postgres-secret" # secret containing the password for the database user
      pgSecretPasswordKey: "" # 
      cronJobschedule: "0 9 * * *" # by default the cronjob will trigger at 9:00 UTC

Contact and support

Feel free to contact SIG’s support department for any questions or issues you may have after reading this document, or when using Sigrid or Sigrid-Multi-Analyzer. Users in Europe can also contact us by phone at +31 20 314 0953.

Terms of use Privacy statement © 2025 Software Improvement Group

On this page