OX Runtime Sensor

Runtime Sensor is an OX capability for Kubernetes clusters, Linux hosts, and AWS ECS environments that collects runtime signals from your applications and turns them into actionable insights in OX.

Runtime Sensor detects which third-party libraries are actually loaded in memory at runtime. When a known vulnerability affects a library in your codebase, knowing whether that library is loaded gives you a stronger indication of urgency during triage.

Supported runtimes and package types:

  • JavaScript (Node.js)

  • Python

  • Java

  • Go

  • C#

  • Ruby

  • PHP

  • Native packages (shared libraries)

Insights appear in OX on the Active Issues page as severity factors. You can see whether a dependency is loaded at runtime, with evidence you can review. This context lets you prioritize fixes that reduce real, current risk in your running services.

On the SBOM page, you can view the runtime status of each asset.

You can deploy the OX Runtime Sensor using the following methods:

  • Kubernetes: As a DaemonSet, one pod per node.

  • Linux host: As a systemd service.

  • AWS EC2: As a systemd service, with automatic instanceId enrichment using IMDSv2.

  • AWS ECS: As a Daemon service, one task per EC2 container instance.

In every deployment mode, the sensor uses eBPF to observe file access at the kernel level. No code changes, sidecars, or application restarts are required.

The sensor authenticates to OX with an API key over outbound TLS. It does not write data to the host and does not require persistent storage. CPU, memory, and disk usage are minimal.

The following is the runtime installation and connection process. For advanced configuration, security requirements, and deployment customization, see Runtime Sensor Advanced Configuration.

Prerequisites

Common to all deployment methods:

| Requirement | Details |
| --- | --- |
| Linux kernel | v5.10 and later with BTF enabled (any Linux distribution) |
| Network | Outbound HTTPS (port 443) access to api.cloud.ox.security. If your environment routes traffic through a proxy, see Proxy configuration. |
| OX API key | See Step 1: Create a new API key |

Method-specific requirements:

| Deployment method | Requirements |
| --- | --- |
| Kubernetes (Helm) | EKS / AKS / GKE or self-managed Kubernetes v1.20+; Helm 3 |
| Linux host | Docker or containerd running on the host; sudo access |
| AWS EC2 | EC2 instance with IMDSv2 reachable; Docker or containerd; sudo access |
| AWS ECS (Terraform) | ECS cluster backed by EC2 (not Fargate); Terraform v1.3+; AWS credentials with ECS, IAM, CloudWatch Logs, and Secrets Manager permissions |
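
A preflight script for the common prerequisites above, as an added example that is not part of OX's own tooling: it checks the kernel version, looks for BTF at /sys/kernel/btf/vmlinux (where kernels built with BTF expose it), and tests outbound HTTPS to api.cloud.ox.security with curl. The function names and the `run` argument are assumptions made for this example.

```shell
#!/bin/sh
# Preflight check for the common Runtime Sensor prerequisites.
# Added example; function names are hypothetical, not an OX interface.

# kernel_at_least RELEASE MAJOR MINOR
# Succeeds if RELEASE (in `uname -r` format) is at least MAJOR.MINOR.
kernel_at_least() {
    rel=${1%%[!0-9.]*}                  # "5.15.0-91-generic" -> "5.15.0"
    case "$rel" in *.*) ;; *) return 2 ;; esac   # not a dotted version
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    [ -n "$major" ] && [ -n "$minor" ] || return 2
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# has_btf [PATH]
# Succeeds if the kernel's BTF type information is readable.
has_btf() {
    [ -r "${1:-/sys/kernel/btf/vmlinux}" ]
}

# can_reach HOST
# Succeeds if a TLS connection to HOST:443 completes and any HTTP response
# comes back. curl honours HTTPS_PROXY, so proxied environments are covered.
can_reach() {
    curl -sS -o /dev/null --max-time 10 "https://$1/"
}

# Run every check, report each failure, and return non-zero if any failed.
preflight() {
    rc=0
    kernel_at_least "$(uname -r)" 5 10 ||
        { echo "FAIL: kernel $(uname -r) is older than 5.10"; rc=1; }
    has_btf ||
        { echo "FAIL: BTF not found at /sys/kernel/btf/vmlinux"; rc=1; }
    can_reach "api.cloud.ox.security" ||
        { echo "FAIL: no outbound HTTPS to api.cloud.ox.security:443"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: common prerequisites met"
    return "$rc"
}

# Checks run only when invoked as: sh preflight.sh run
# (so the file can also be sourced for its functions).
if [ "${1:-}" = "run" ]; then
    preflight
fi
```

On Kubernetes, run it on a node rather than inside an application pod, since the kernel and BTF checks describe the host the DaemonSet pod will land on.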

Step 1: Create a new API key

  1. From the left pane of the OX dashboard, select Settings > API Key Settings.

  2. In the API Key Settings window, select CREATE API KEY.

  3. In the Create API Key box, set the following and select CREATE:

  • API Key Name: Add a meaningful name that is easy to identify. It is good practice to include the key's intended purpose in the name.

  • API Key Type: Select K8 Inspector/Runtime Sensor Integration.

  • Expiration Date: The date until which you can use this key.

  4. Copy the key that appears and save it in a safe location. This is the only time you can see and copy the actual key.

  5. Select CLOSE. The new key appears in the API Key Settings page.

Step 2: Deploy the Runtime Sensor

Select the deployment method that matches your environment:

Each page lists the method's specific requirements, installation steps, verification commands, and configuration reference.

Step 3: Connect to OX Runtime Sensor

Note: Before connecting, make sure the sensor is running in your environment.

  1. In the OX platform, go to the Connectors page.

  2. Select Add Connector and search for OX Runtime Sensor.

  3. In the Configure your OX Runtime Sensor credentials dialog, select CONNECT.

To use eBPF programs, OX complies with the GPL.
