Assessment Deployment Guide

Prerequisites

The CRA assessment engine is built into Fleet. No separate deployment is needed — it activates when the assessment database tables exist and the API routes are accessed.

Base Fleet requirements still apply:

PostgreSQL 16+
S3-compatible storage (RustFS, MinIO, AWS S3)
Fleet server binary

Database Migration

Run the assessment migrations:

fleet-server

psql $DATABASE_URL < migrations/004_assessment_schema.sql
psql $DATABASE_URL < migrations/005_finding_overrides.sql

This creates 11 tables: rulesets, assessed_products, scans, findings, evidence_records, assessment_entries, questionnaire_sessions, questionnaire_answers, sbom_records, finding_overrides, remediations.

Environment Variables

In addition to base Fleet env vars:

Variable	Required	Default	Purpose
`ANTHROPIC_API_KEY`	No	-	Claude LLM backend
`OPENAI_API_KEY`	No	-	OpenAI LLM backend
`FLEET_LLM_OLLAMA_URL`	No	`http://localhost:11434`	Ollama endpoint
`FLEET_LLM_OLLAMA_MODEL`	No	`llama3.1:8b`	Ollama model
`FLEET_LLM_CLAUDE_MODEL`	No	`claude-sonnet-4-6`	Claude model

API Key Scopes

Assessment endpoints require these scopes on the API key:

Scope	Grants
`assessment:read`	View products, scans, findings, evidence, gaps, rulesets
`assessment:write`	Create products, ingest scans, upload evidence, manage overrides/remediations, triage

Create an API key with assessment scopes:

fleet-tui  # Use TUI to create API key with assessment scopes
curl -X POST /api/v1/admin/api-keys \
  -d '{"name": "ci-scanner", "scopes": ["assessment:read", "assessment:write"]}'

Dashboard Deployment

The dashboard is a separate React application:

cd dashboard
pnpm install
pnpm build

Serve the dashboard/dist/ directory via:

Nginx / Caddy / any static file server
Or npx serve dashboard/dist -l 3000

Configure the API URL:

VITE_API_URL=https://fleet.example.com/api/v1 pnpm build

Docker Compose Addition

Add to your existing docker-compose.yml:

services:
  fleet-server:
    # ... existing config ...
    environment:
      # Assessment LLM (optional)
      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-}

  dashboard:
    build:
      context: ./dashboard
      dockerfile: Dockerfile
    ports:
      - "3000:3000"
    environment:
      - VITE_API_URL=http://fleet-server:8080/api/v1

  # Optional: local LLM
  ollama:
    image: ollama/ollama:latest
    ports:
      - "11434:11434"
    volumes:
      - ollama-data:/root/.ollama
    deploy:
      resources:
        reservations:
          devices:
            - driver: nvidia
              count: 1
              capabilities: [gpu]

volumes:
  ollama-data:

Production Checklist

Migrations 004 + 005 applied
API key created with assessment:read + assessment:write scopes
Default ruleset loaded (first scan auto-loads from embedded catalog)
Dashboard deployed and accessible
CI integration configured (GitHub Action / GitLab template / etc.)
LLM backend configured (if using AI review)
S3 bucket configured for evidence artifact storage
Backup strategy covers evidence_records table (10-year retention)
fleet scan --path . --output pretty works from CLI