Add configuration compliance scan to "atomic scan"

This commit enables scanning images and containers
for configuration compliance with security profiles
provided by SCAP Security Guide.
Note: This feature requires latest OpenSCAP Daemon from upstream
installed in the underlying "rhel7/openscap" container.

Closes: #1027
Approved by: baude

Atomic/scan.py

@@ -12,14 +12,15 @@ def cli(subparser):
     # atomic scan
     scanners = util.get_scanners()
     scanp = subparser.add_parser(
-        "scan", help=_("scan an image or container for CVEs"),
-        epilog="atomic scan <input> scans a container or image for CVEs")
+        "scan", help=_("scan an image or container for CVEs or configuration compliance"),
+        epilog="atomic scan <input> scans a container or image for CVEs or configuration compliance")
     scanp.set_defaults(_class=Scan, func='scan')
     scan_group = scanp.add_mutually_exclusive_group()
     scanp.add_argument("scan_targets", nargs='*', help=_("container image"))
     scanp.add_argument("--scanner", choices=[x['scanner_name'] for x in scanners], default=None, help=_("define the intended scanner"))
     scanp.add_argument("--scan_type", default=None, help=_("define the intended scan type"))
     scanp.add_argument("--list", action='store_true', default=False, help=_("List available scanners"))
+    scanp.add_argument("--scanner_args", default=None, help=_("Specify arguments to be passed to the scanner"))
     disp_group = scanp.add_mutually_exclusive_group()
     disp_group.add_argument("--verbose", action='store_true', default=False, help=_("Show more output from scanning container"))
     disp_group.add_argument("--json", action='store_true', default=False, help=_("Output results in JSON format"))
@@ -82,6 +83,17 @@ class Scan(Atomic):
             if self.scanner not in [x['scanner_name'] for x in self.scanners]:
                 raise ValueError("Unknown scanner '{}' defined in {}".format(self.scanner, util.ATOMIC_CONF))
 
+        def get_additional_args():
+            if self.args.scanner_args is None:
+                return []
+            additional_args = []
+            for pair in self.args.scanner_args.split(","):
+                key, _, value = pair.partition("=")
+                additional_args.append("--" + key.strip())
+                if value:
+                    additional_args.append(value.strip())
+            return additional_args
+
         if self.args.debug:
             self.debug = True
 
@@ -140,7 +152,7 @@ class Scan(Atomic):
         scan_cmd = docker_args + security_args
         if custom_args is not None:
             scan_cmd = scan_cmd + custom_args
-        scan_cmd = scan_cmd + [scanner_image_name] + scanner_args
+        scan_cmd = scan_cmd + [scanner_image_name] + scanner_args + get_additional_args()
         scan_cmd = self.sub_env_strings(" ".join(scan_cmd))
 
         # Show the command being run

atomic.d/openscap

@@ -9,7 +9,11 @@ scans: [
         description: "Performs a CVE scan based on Red Hat relesead CVE OVAL. !WARNING! This CVE is built into container image and it might be out-of-date. Change config.ini to configure the scanner to fetch latest CVE data"},
       { name: standards_compliance,
         args: ['oscapd-evaluate', 'scan', '--targets', 'chroots-in-dir:///scanin',  '--output', '/scanout', '--no-cve-scan', '-j1'],
-        description: "Performs scan with Standard Profile, as present in Scap Security Guide shipped in Red Hat Enterprise Linux"
+        description: "!DEPRECATED! Performs scan with Standard Profile, as present in SCAP Security Guide shipped in Red Hat Enterprise Linux"
+      },
+      { name: configuration_compliance,
+        args: ['oscapd-evaluate', 'scan', '--targets', 'chroots-in-dir:///scanin',  '--output', '/scanout', '--no-cve-scan', '-j1'],
+        description: "Performs a configuration compliance scan according to selected profile from SCAP Security Guide shipped in Red Hat Enterprise Linux."
       }
 ]
     

bash/atomic

@@ -253,6 +253,7 @@ _atomic_scan() {
 		--scanner
 		--scan_type
 		--verbose
+		--scanner_args
 	"
 	[ "$command" = "scan" ] && all_options="$all_options"
 

docs/atomic-scan.1.md

@@ -38,6 +38,9 @@ Select as scanner other than the default.
 **--scan_type**
 Select a scan_type other than the default.
 
+**--scanner_args**
+  Provide additional arguments for the scanner, for example specify a compliance profile.
+
 **--all**
   Instead of providing image or container names, scan all images (excluding intermediate image layers) and containers