Job Execution
Scan jobs are the core workflow of RedactedWorld. The platform supports two execution modes: on-demand real-time scans with live terminal output, and scheduled scans that run automatically on a cron cadence.
On-Demand Real-Time Scan Flow
When a user clicks "Start Scan" in the UI, the following sequence executes. The key feature is live terminal output -- the user sees scan tool output in real time, as if they were running the tool locally.
Key Design Decisions
Kubernetes Jobs over long-running workers: Each scan runs in a fresh, isolated pod. This provides process-level isolation, prevents resource leaks, and enables per-scan resource limits (CPU, memory, network).
NATS as the streaming backbone: Scan output is published line-by-line to NATS subjects keyed by scan ID. This decouples the Job pod from the WebSocket connection -- if the user disconnects and reconnects, they can resume the stream from the last received sequence number using JetStream replay.
WebSocket for last-mile delivery: The API Gateway maintains a WebSocket connection per client session. When a scan starts, the gateway subscribes to the corresponding NATS subject and forwards chunks to the browser. The Angular frontend renders them in an xterm.js terminal emulator.
Scheduled Scan Flow
Users can configure recurring scans that run automatically. The scan-service manages scheduling internally using a cron-based system.
Schedule Configuration
Users configure schedules through the UI or API:
| Field | Description | Example |
|---|---|---|
| domain | Target domain (must be verified) | example.com |
| tool | Scan tool to use | nmap |
| profile | Tool-specific scan profile | standard |
| cron | Cron expression for scheduling | 0 2 * * 1 (Monday at 02:00 UTC) |
| notify | Notification preference | on_findings / always / never |
| enabled | Whether the schedule is active | true |
Differences from On-Demand Scans
| Aspect | On-Demand | Scheduled |
|---|---|---|
| Trigger | User clicks "Start Scan" | Cron scheduler in scan-service |
| Live output | Yes, streamed via WebSocket | No (results available after completion) |
| Notification | In-app only | Email + in-app based on user preference |
| Concurrency | One scan per user per domain | Up to 3 concurrent scheduled scans per organization |
| Timeout | 30 minutes (configurable per tool) | Same |
Resource Limits
Each scan Job pod has resource limits to prevent runaway processes:
| Tool | CPU Request | CPU Limit | Memory Request | Memory Limit | Timeout |
|---|---|---|---|---|---|
| nmap | 250m | 1000m | 256Mi | 1Gi | 30 min |
| ZAP | 500m | 2000m | 512Mi | 2Gi | 60 min |
| sslyze | 100m | 500m | 128Mi | 512Mi | 10 min |
| DNS Recon | 100m | 500m | 128Mi | 512Mi | 15 min |