stackrox · vikin91 · Dec 15, 2025 · Dec 15, 2025 · Jan 6, 2026 · Jan 6, 2026
diff --git a/central/sensor/service/connection/connection_impl.go b/central/sensor/service/connection/connection_impl.go
@@ -256,7 +256,7 @@ func (c *sensorConnection) Scrapes() scrape.Controller {
 }
 
 func (c *sensorConnection) InjectMessageIntoQueue(msg *central.MsgFromSensor) {
-	c.multiplexedPush(sac.WithAllAccess(withConnection(context.Background(), c)), msg, nil)
+	c.multiplexedPush(sac.WithAllAccess(WithConnection(context.Background(), c)), msg, nil)
 }
 
 func (c *sensorConnection) NetworkEntities() networkentities.Controller {

diff --git a/central/sensor/service/connection/context.go b/central/sensor/service/connection/context.go
@@ -10,6 +10,7 @@ func FromContext(ctx context.Context) SensorConnection {
 	return conn
 }
 
-func withConnection(ctx context.Context, conn SensorConnection) context.Context {
+// WithConnection returns a context with the given sensor connection attached.
+func WithConnection(ctx context.Context, conn SensorConnection) context.Context {
 	return context.WithValue(ctx, contextKey{}, conn)
 }
diff --git a/central/sensor/service/connection/manager_impl.go b/central/sensor/service/connection/manager_impl.go
@@ -279,7 +279,7 @@ func (m *manager) HandleConnection(ctx context.Context, sensorHello *central.Sen
 			m.complianceOperatorMgr,
 			m.initSyncMgr,
 		)
-	ctx = withConnection(ctx, conn)
+	ctx = WithConnection(ctx, conn)
 
 	oldConnection, err := m.replaceConnection(ctx, cluster, conn)
 	if err != nil {

diff --git a/central/sensor/service/pipeline/nodeindex/pipeline.go b/central/sensor/service/pipeline/nodeindex/pipeline.go
@@ -130,23 +130,30 @@ func sendComplianceAck(ctx context.Context, node *storage.Node, injector common.
 	if injector == nil {
 		return
 	}
-	reply := replyCompliance(node.GetClusterId(), node.GetName(), central.NodeInventoryACK_ACK)
-	if err := injector.InjectMessage(ctx, reply); err != nil {
-		log.Warnf("Failed sending node-indexing-ACK to Sensor for %s: %v", nodeDatastore.NodeString(node), err)
-	} else {
-		log.Debugf("Sent node-indexing-ACK for %s", nodeDatastore.NodeString(node))
+	// Always send SensorACK (new path).
+	if err := injector.InjectMessage(ctx, &central.MsgToSensor{
+		Msg: &central.MsgToSensor_SensorAck{
+			SensorAck: &central.SensorACK{
+				Action:      central.SensorACK_ACK,
+				MessageType: central.SensorACK_NODE_INDEX_REPORT,
+				ResourceId:  node.GetName(),
+			},
+		},
+	}); err != nil {
+		log.Warnf("Failed injecting SensorACK for node index report (node=%s): %v", node.GetName(), err)
 	}
-}
 
-func replyCompliance(clusterID, nodeName string, t central.NodeInventoryACK_Action) *central.MsgToSensor {
-	return &central.MsgToSensor{
+	// Always send legacy NodeInventoryACK for backward compatibility.
+	if err := injector.InjectMessage(ctx, &central.MsgToSensor{
 		Msg: &central.MsgToSensor_NodeInventoryAck{
 			NodeInventoryAck: &central.NodeInventoryACK{
-				ClusterId:   clusterID,
-				NodeName:    nodeName,
-				Action:      t,
+				ClusterId:   node.GetClusterId(),
+				NodeName:    node.GetName(),
+				Action:      central.NodeInventoryACK_ACK,
 				MessageType: central.NodeInventoryACK_NodeIndexer,
 			},
 		},
+	}); err != nil {
+		log.Warnf("Failed injecting legacy NodeInventoryACK for node index report (node=%s): %v", node.GetName(), err)
 	}
 }
diff --git a/central/sensor/service/pipeline/nodeindex/pipeline_test.go b/central/sensor/service/pipeline/nodeindex/pipeline_test.go
@@ -9,8 +9,10 @@ import (
 	"github.com/stackrox/rox/generated/internalapi/central"
 	v4 "github.com/stackrox/rox/generated/internalapi/scanner/v4"
 	"github.com/stackrox/rox/generated/storage"
+	"github.com/stackrox/rox/pkg/concurrency"
 	"github.com/stackrox/rox/pkg/features"
 	nodesEnricherMocks "github.com/stackrox/rox/pkg/nodes/enricher/mocks"
+	"github.com/stackrox/rox/pkg/protoassert"
 	"github.com/stretchr/testify/assert"
 	"go.uber.org/mock/gomock"
 )
@@ -77,6 +79,58 @@ func TestPipelineEnrichesAndUpserts(t *testing.T) {
 	}
 }
 
+func TestPipelineSendsSensorAndLegacyACKs(t *testing.T) {
+	t.Setenv(features.NodeIndexEnabled.EnvVar(), "true")
+	t.Setenv(features.ScannerV4.EnvVar(), "true")
+
+	ctrl := gomock.NewController(t)
+	clusterStore := clusterDatastoreMocks.NewMockDataStore(ctrl)
+	nodeDatastore := nodeDatastoreMocks.NewMockDataStore(ctrl)
+	riskManager := riskManagerMocks.NewMockManager(ctrl)
+	enricher := nodesEnricherMocks.NewMockNodeEnricher(ctrl)
+
+	node := storage.Node{
+		Id:        "1",
+		Name:      "node-name",
+		ClusterId: "cluster-id",
+	}
+	msg := createMsg(mockIndexReport)
+
+	gomock.InOrder(
+		nodeDatastore.EXPECT().GetNode(gomock.Any(), gomock.Eq(node.GetId())).Times(1).Return(&node, true, nil),
+		enricher.EXPECT().EnrichNodeWithVulnerabilities(gomock.Any(), nil, gomock.Any()).Times(1).Return(nil),
+		riskManager.EXPECT().CalculateRiskAndUpsertNode(gomock.Any()).Times(1).Return(nil),
+	)
+
+	injector := &recordingInjector{}
+	p := &pipelineImpl{
+		clusterStore:  clusterStore,
+		nodeDatastore: nodeDatastore,
+		riskManager:   riskManager,
+		enricher:      enricher,
+	}
+
+	err := p.Run(t.Context(), node.GetClusterId(), msg, injector)
+	assert.NoError(t, err)
+
+	protoassert.SlicesEqual(t, []*central.SensorACK{
+		{
+			Action:      central.SensorACK_ACK,
+			MessageType: central.SensorACK_NODE_INDEX_REPORT,
+			ResourceId:  node.GetName(),
+		},
+	}, injector.getSentSensorACKs())
+
+	protoassert.SlicesEqual(t, []*central.NodeInventoryACK{
+		{
+			ClusterId:   node.GetClusterId(),
+			NodeName:    node.GetName(),
+			Action:      central.NodeInventoryACK_ACK,
+			MessageType: central.NodeInventoryACK_NodeIndexer,
+		},
+	}, injector.getSentACKs())
+}
+
 func createMsg(ir *v4.IndexReport) *central.MsgFromSensor {
 	return &central.MsgFromSensor{
 		Msg: &central.MsgFromSensor_Event{
@@ -90,6 +144,43 @@ func createMsg(ir *v4.IndexReport) *central.MsgFromSensor {
 	}
 }
 
+type recordingInjector struct {
+	legacy []*central.NodeInventoryACK
+	sensor []*central.SensorACK
+}
+
+func (r *recordingInjector) InjectMessage(_ concurrency.Waitable, msg *central.MsgToSensor) error {
+	if ack := msg.GetNodeInventoryAck(); ack != nil {
+		r.legacy = append(r.legacy, ack.CloneVT())
+	}
+	if ack := msg.GetSensorAck(); ack != nil {
+		r.sensor = append(r.sensor, ack.CloneVT())
+	}
+	return nil
+}
+
+func (r *recordingInjector) InjectMessageIntoQueue(_ *central.MsgFromSensor) {}
+
+func (r *recordingInjector) getSentACKs() []*central.NodeInventoryACK {
+	out := make([]*central.NodeInventoryACK, 0, len(r.legacy))
+	for _, ack := range r.legacy {
+		if ack != nil {
+			out = append(out, ack)
+		}
+	}
+	return out
+}
+
+func (r *recordingInjector) getSentSensorACKs() []*central.SensorACK {
+	out := make([]*central.SensorACK, 0, len(r.sensor))
+	for _, ack := range r.sensor {
+		if ack != nil {
+			out = append(out, ack)
+		}
+	}
+	return out
+}
+
 var (
 	mockIndexReport = &v4.IndexReport{
 		HashId:  "",

diff --git a/central/sensor/service/pipeline/nodeinventory/pipeline.go b/central/sensor/service/pipeline/nodeinventory/pipeline.go
@@ -142,16 +142,29 @@ func sendComplianceAck(ctx context.Context, node *storage.Node, ninv *storage.No
 	if injector == nil {
 		return
 	}
-	reply := replyCompliance(node.GetClusterId(), ninv.GetNodeName(), central.NodeInventoryACK_ACK)
-	if err := injector.InjectMessage(ctx, reply); err != nil {
-		log.Warnf("Failed sending node-inventory-ACK to Sensor for %s: %v", nodeDatastore.NodeString(node), err)
-	} else {
-		log.Debugf("Sent node-inventory-ACK for %s", nodeDatastore.NodeString(node))
-	}
+	replyCompliance(ctx, node.GetClusterId(), ninv.GetNodeName(), central.NodeInventoryACK_ACK, injector)
 }
 
-func replyCompliance(clusterID, nodeName string, t central.NodeInventoryACK_Action) *central.MsgToSensor {
-	return &central.MsgToSensor{
+func replyCompliance(ctx context.Context, clusterID, nodeName string, t central.NodeInventoryACK_Action, injector common.MessageInjector) {
+	if injector == nil {
+		return
+	}
+
+	// Always send SensorACK (new path).
+	if err := injector.InjectMessage(ctx, &central.MsgToSensor{
+		Msg: &central.MsgToSensor_SensorAck{
+			SensorAck: &central.SensorACK{
+				Action:      convertLegacyActionToSensor(t),
+				MessageType: central.SensorACK_NODE_INVENTORY,
+				ResourceId:  nodeName,
+			},
+		},
+	}); err != nil {
+		log.Warnf("Failed injecting SensorACK for node inventory (clusterID=%s, nodeName=%s): %v", clusterID, nodeName, err)
+	}
+
+	// Always send legacy NodeInventoryACK for backward compatibility.
+	if err := injector.InjectMessage(ctx, &central.MsgToSensor{
 		Msg: &central.MsgToSensor_NodeInventoryAck{
 			NodeInventoryAck: &central.NodeInventoryACK{
 				ClusterId:   clusterID,
@@ -160,7 +173,16 @@ func replyCompliance(clusterID, nodeName string, t central.NodeInventoryACK_Acti
 				MessageType: central.NodeInventoryACK_NodeInventory,
 			},
 		},
+	}); err != nil {
+		log.Warnf("Failed injecting legacy NodeInventoryACK for node inventory (clusterID=%s, nodeName=%s): %v", clusterID, nodeName, err)
 	}
 }
 
 func (p *pipelineImpl) OnFinish(_ string) {}
+
+func convertLegacyActionToSensor(action central.NodeInventoryACK_Action) central.SensorACK_Action {
+	if action == central.NodeInventoryACK_ACK {
+		return central.SensorACK_ACK
+	}
+	return central.SensorACK_NACK
+}
diff --git a/central/sensor/service/pipeline/nodeinventory/pipeline_test.go b/central/sensor/service/pipeline/nodeinventory/pipeline_test.go
@@ -82,7 +82,9 @@ func Test_pipelineImpl_Run(t *testing.T) {
 					m.riskManager.EXPECT().CalculateRiskAndUpsertNode(gomock.Any()).Times(1).Return(nil),
 				)
 			},
-			wantInjectorContain: []*central.NodeInventoryACK{{Action: central.NodeInventoryACK_ACK}},
+			wantInjectorContain: []*central.NodeInventoryACK{
+				{Action: central.NodeInventoryACK_ACK},
+			},
 		},
 		{
 			name: "when event has inventory then enrich and upsert with risk",
@@ -167,24 +169,92 @@ func Test_pipelineImpl_Run(t *testing.T) {
 				if len(tt.wantInjectorContain) == 0 {
 					assert.Len(t, inj.getSentACKs(), 0)
 				} else {
-					protoassert.SlicesEqual(t, tt.wantInjectorContain, inj.getSentACKs())
+					protoassert.SlicesEqual(t, tt.wantInjectorContain, inj.getSentACKs(), "sent ACKs: %v", inj.getSentACKs())
 				}
 			}
 		})
 	}
 }
 
+func Test_pipelineImpl_Run_SendsSensorAndLegacyACKs(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	clusterStore := clusterDatastoreMocks.NewMockDataStore(ctrl)
+	nodeDatastore := nodeDatastoreMocks.NewMockDataStore(ctrl)
+	riskManager := riskManagerMocks.NewMockManager(ctrl)
+	enricher := nodesEnricherMocks.NewMockNodeEnricher(ctrl)
+
+	clusterID := "cluster-1"
+	nodeName := "node-name"
+	node := storage.Node{
+		Id:        "node-id",
+		ClusterId: clusterID,
+	}
+	msg := &central.MsgFromSensor{
+		Msg: &central.MsgFromSensor_Event{
+			Event: &central.SensorEvent{
+				Action: central.ResourceAction_CREATE_RESOURCE,
+				Resource: &central.SensorEvent_NodeInventory{
+					NodeInventory: &storage.NodeInventory{
+						NodeId:   node.GetId(),
+						NodeName: nodeName,
+					},
+				},
+			},
+		},
+	}
+	injector := &recordingInjector{}
+
+	gomock.InOrder(
+		nodeDatastore.EXPECT().GetNode(gomock.Any(), gomock.Eq(node.GetId())).Times(1).Return(&node, true, nil),
+		enricher.EXPECT().EnrichNodeWithVulnerabilities(gomock.Any(), gomock.Any(), nil).Times(1).Return(nil),
+		riskManager.EXPECT().CalculateRiskAndUpsertNode(gomock.Any()).Times(1).Return(nil),
+	)
+
+	p := &pipelineImpl{
+		clusterStore:  clusterStore,
+		nodeDatastore: nodeDatastore,
+		enricher:      enricher,
+		riskManager:   riskManager,
+	}
+
+	err := p.Run(context.Background(), clusterID, msg, injector)
+	assert.NoError(t, err)
+
+	protoassert.SlicesEqual(t, []*central.NodeInventoryACK{
+		{
+			ClusterId:   clusterID,
+			NodeName:    nodeName,
+			Action:      central.NodeInventoryACK_ACK,
+			MessageType: central.NodeInventoryACK_NodeInventory,
+		},
+	}, injector.getSentACKs(), "legacy ACKs")
+
+	protoassert.SlicesEqual(t, []*central.SensorACK{
+		{
+			Action:      central.SensorACK_ACK,
+			MessageType: central.SensorACK_NODE_INVENTORY,
+			ResourceId:  nodeName,
+		},
+	}, injector.getSentSensorACKs(), "sensor ACKs")
+}
+
 var _ common.MessageInjector = (*recordingInjector)(nil)
 
 type recordingInjector struct {
 	lock     sync.Mutex
 	messages []*central.NodeInventoryACK
+	sensor   []*central.SensorACK
 }
 
 func (r *recordingInjector) InjectMessage(_ concurrency.Waitable, msg *central.MsgToSensor) error {
 	r.lock.Lock()
 	defer r.lock.Unlock()
-	r.messages = append(r.messages, msg.GetNodeInventoryAck().CloneVT())
+	if ack := msg.GetNodeInventoryAck(); ack != nil {
+		r.messages = append(r.messages, ack.CloneVT())
+	}
+	if ack := msg.GetSensorAck(); ack != nil {
+		r.sensor = append(r.sensor, ack.CloneVT())
+	}
 	return nil
 }
 
@@ -194,6 +264,22 @@ func (r *recordingInjector) getSentACKs() []*central.NodeInventoryACK {
 	r.lock.Lock()
 	defer r.lock.Unlock()
 	copied := make([]*central.NodeInventoryACK, 0, len(r.messages))
-	copied = append(copied, r.messages...)
+	for _, m := range r.messages {
+		if m != nil {
+			copied = append(copied, m)
+		}
+	}
+	return copied
+}
+
+func (r *recordingInjector) getSentSensorACKs() []*central.SensorACK {
+	r.lock.Lock()
+	defer r.lock.Unlock()
+	copied := make([]*central.SensorACK, 0, len(r.sensor))
+	for _, m := range r.sensor {
+		if m != nil {
+			copied = append(copied, m)
+		}
+	}
 	return copied
 }
diff --git a/compliance/cmd/compliance/main.go b/compliance/cmd/compliance/main.go
@@ -38,6 +38,7 @@ func main() {
 	defer cancel()
 	umhNodeInv := handler.NewUnconfirmedMessageHandler(ctx, "node-inventory", env.NodeScanningAckDeadlineBase.DurationSetting())
 	umhNodeIndex := handler.NewUnconfirmedMessageHandler(ctx, "node-index", env.NodeScanningAckDeadlineBase.DurationSetting())
-	c := compliance.NewComplianceApp(np, scanner, cachedNodeIndexer, umhNodeInv, umhNodeIndex)
+	umhVMIndex := handler.NewUnconfirmedMessageHandler(ctx, "vm-index", env.NodeScanningAckDeadlineBase.DurationSetting())
+	c := compliance.NewComplianceApp(np, scanner, cachedNodeIndexer, umhNodeInv, umhNodeIndex, umhVMIndex)
 	c.Start()
 }