atomic.d/openscap

type: scanner
scanner_name: openscap
image_name: rhel7/openscap
default_scan: cve
custom_args: ['-v', '/etc/oscapd:/etc/oscapd:ro']
scans: [ 
      { name: cve,
        args: ['oscapd-evaluate', 'scan',  '--no-standard-compliance', '--targets', 'chroots-in-dir:///scanin',  '--output', '/scanout', '-j1'],
        description: "Performs a CVE scan based on known CVE data"},
      { name: standards_compliance,
        args: ['oscapd-evaluate', 'scan', '--targets', 'chroots-in-dir:///scanin',  '--output', '/scanout', '--no-cve-scan', '-j1'],
        description: "Performs a standard scan"
      }
]
Implement generic scanning in Atomic As more scanners besides openscap become available, atomic can now begin to leverage them. The new scan function has been broken out into its on file (scan.py). The scan command itself now defaults to openscap but can also be switched to blackduck with --scanner. Atomic now can use a configuration file which is stored in /etc/atomic.conf. The location of the atomic conf file can be overriden with the environment variable 'ATOMIC_CONF'. In the case of the scan function, we need the scanner defined in the configuration file as well as the fully qualified image name and the scan arguments. Optionally, you can provide additional custom docker arguments for the scanner as well 2016-02-25 17:07:24 -06:00			`type: scanner`
			`scanner_name: openscap`
Define openscap image The fully qualified name of the openscap image is: registry.access.redhat.com/rhel7/openscap Closes: #407 Approved by: baude 2016-06-03 15:40:15 -05:00			`image_name: rhel7/openscap`
atomic.d/openscap: Do standard compliance scan without CVEs When conducting a compliance scan, we do not want to check CVES as that is done by the default scan. 2016-04-18 13:45:34 -05:00			`default_scan: cve`
atomic.d/openscap - use custom_args to expose config file for openscap-daemon Closes: #413 Approved by: baude 2016-06-06 14:43:54 -04:00			`custom_args: ['-v', '/etc/oscapd:/etc/oscapd:ro']`
Implement generic scanning in Atomic As more scanners besides openscap become available, atomic can now begin to leverage them. The new scan function has been broken out into its on file (scan.py). The scan command itself now defaults to openscap but can also be switched to blackduck with --scanner. Atomic now can use a configuration file which is stored in /etc/atomic.conf. The location of the atomic conf file can be overriden with the environment variable 'ATOMIC_CONF'. In the case of the scan function, we need the scanner defined in the configuration file as well as the fully qualified image name and the scan arguments. Optionally, you can provide additional custom docker arguments for the scanner as well 2016-02-25 17:07:24 -06:00			`scans: [`
atomic.d/openscap: Do standard compliance scan without CVEs When conducting a compliance scan, we do not want to check CVES as that is done by the default scan. 2016-04-18 13:45:34 -05:00			`{ name: cve,`
atomic.d/openscap: Fix race condition (bz #1368896) There is a race condition in oscpd where it sometimes fails to scan because of a threading issue. While that is resolved upstream, we set the max number of threads to 1 to avoid it. This resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1368896 Closes: #692 Approved by: rhatdan 2016-10-10 15:46:20 -05:00			`args: ['oscapd-evaluate', 'scan', '--no-standard-compliance', '--targets', 'chroots-in-dir:///scanin', '--output', '/scanout', '-j1'],`
Implement generic scanning in Atomic As more scanners besides openscap become available, atomic can now begin to leverage them. The new scan function has been broken out into its on file (scan.py). The scan command itself now defaults to openscap but can also be switched to blackduck with --scanner. Atomic now can use a configuration file which is stored in /etc/atomic.conf. The location of the atomic conf file can be overriden with the environment variable 'ATOMIC_CONF'. In the case of the scan function, we need the scanner defined in the configuration file as well as the fully qualified image name and the scan arguments. Optionally, you can provide additional custom docker arguments for the scanner as well 2016-02-25 17:07:24 -06:00			`description: "Performs a CVE scan based on known CVE data"},`
atomic.d/openscap: Do standard compliance scan without CVEs When conducting a compliance scan, we do not want to check CVES as that is done by the default scan. 2016-04-18 13:45:34 -05:00			`{ name: standards_compliance,`
atomic.d/openscap: Fix race condition (bz #1368896) There is a race condition in oscpd where it sometimes fails to scan because of a threading issue. While that is resolved upstream, we set the max number of threads to 1 to avoid it. This resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1368896 Closes: #692 Approved by: rhatdan 2016-10-10 15:46:20 -05:00			`args: ['oscapd-evaluate', 'scan', '--targets', 'chroots-in-dir:///scanin', '--output', '/scanout', '--no-cve-scan', '-j1'],`
Implement generic scanning in Atomic As more scanners besides openscap become available, atomic can now begin to leverage them. The new scan function has been broken out into its on file (scan.py). The scan command itself now defaults to openscap but can also be switched to blackduck with --scanner. Atomic now can use a configuration file which is stored in /etc/atomic.conf. The location of the atomic conf file can be overriden with the environment variable 'ATOMIC_CONF'. In the case of the scan function, we need the scanner defined in the configuration file as well as the fully qualified image name and the scan arguments. Optionally, you can provide additional custom docker arguments for the scanner as well 2016-02-25 17:07:24 -06:00			`description: "Performs a standard scan"`
			`}`
			`]`