I've enabled software inventory as well, but I don't see anything regarding CVE's?

have you gone through the steps to configure vulnerability processing: https://github.com/fleetdm/fleet/blob/main/docs/1-Using-Fleet/13-Vulnerability-Processing.md ?

Yeah this is confusing language, because I read it as "Set

FLEET_BETA_SOFTWARE_INVENTORY=1

OR using thhe app config" (which we don't use)

Yeah, It's confusing for me too since I'm not using config files and a Docker container to deploy the app. I don't know where the default config file is located

makes sense, we'll be retiring the env var soon. Apologies for the confusion

Why? For example it's easier for me to set the env vars declared directly on the docker compose.

@Tomas Touceda I'd second that env vars are way easier to configure Fleet via Docker. Especially, is there a reason you decided to put the vulnerability databases_path in the fleetctl applied config? For the Docker setup this is really cumbersome as I have to manually interact with the container after start and then restart again. This strikes my infrastructure as code approach 😕 An option would be that fleet binary would also allow to pass fleetctl config files (or am I missing this feature?).

the env var is there as a feature flag switch while the software inventory feature remains in beta. Most things within fleet is configured through fleetctl, we have seen a lot of success from people managing config as code alongside their packs and queries they apply

I can understand that one may want to manage query packs, osquery configs, etc via fleetctl. But the database_path is a infrastructure configuration, hence in my point of view it should belong in a config to be read on startup. I do not ask for an env var in particular, but that it is configurable like mysql or redis: https://github.com/fleetdm/fleet/blob/2df7c71749690a98652eaed34a733cff2fa062cd/docs/2-Deploying/2-Configuration.md#options

Totally agree, more usable on upgrades and rollbacks.

fair, I'll look into supporting that