This commit enables scanning images and containers
for configuration compliance with security profiles
provided by SCAP Security Guide.
Note: This feature requires the latest OpenSCAP Daemon from upstream
installed in the underlying "rhel7/openscap" container.
Closes: #1027
Approved by: baude

If the openscap file that defines the scanner image name uses the
short-name, i.e. rhel7/openscap, then on first use of atomic scan,
atomic will pull the scanning image. However, atomic will name
the image with its fully qualified name, because it had to look it
up. Therefore, in the local dockerd, the scanner will be named
with its full name. The next time the scanner is run, it will
again attempt to pull down the short-named version.
We should just switch to the fq name to avoid this mess. This issue
was reported in https://github.com/projectatomic/atomic/issues/797.
Closes: #857
Approved by: baude

There is a race condition in oscapd where it sometimes fails to scan
because of a threading issue. While that is resolved upstream, we
set the max number of threads to 1 to avoid it.
This resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1368896
Closes: #692
Approved by: rhatdan

As more scanners besides openscap become available, atomic
can now begin to leverage them. The new scan function has
been broken out into its own file (scan.py).
The scan command itself now defaults to openscap but can
also be switched to blackduck with --scanner.
Atomic now can use a configuration file which is stored
in /etc/atomic.conf. The location of the atomic conf
file can be overridden with the environment variable
'ATOMIC_CONF'. In the case of the scan function,
we need the scanner defined in the configuration file
as well as the fully qualified image name and the
scan arguments. Optionally, you can provide additional
custom docker arguments for the scanner as well.
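The short-name problem in the #857 commit and the configuration requirements in the last commit meet at one check: the scanner image named in the configuration must be fully qualified, otherwise the daemon stores it under a different name than the one that was requested and the next scan pulls it again. The Python below is an added illustration, not code from the atomic project. The INI-style `[scan]` section, the key names (`scanner`, `scanner_image`, `scan_args`, `docker_args`) and the registry host in the samples are assumptions, since the page does not give the file's format; only the default path `/etc/atomic.conf` and the `ATOMIC_CONF` override come from the commit message. The fully-qualified test applies the Docker reference rule that the first path component names a registry only if it contains a dot or a colon or is exactly `localhost`.

```python
import configparser
import os
import shlex

DEFAULT_CONF = "/etc/atomic.conf"          # default location named in the commit
# Hypothetical key names; the real atomic.conf layout is not given on the page.
REQUIRED_KEYS = ("scanner", "scanner_image", "scan_args")


def conf_path(environ=None):
    """Return the config path, honouring the ATOMIC_CONF override."""
    environ = os.environ if environ is None else environ
    return environ.get("ATOMIC_CONF", DEFAULT_CONF)


def is_fully_qualified(ref):
    """Docker reference rule: the first path component is a registry host only
    if it contains '.' or ':' or is exactly 'localhost'. A bare 'rhel7/openscap'
    fails this test, which is what led to the repeated pulls described above."""
    if "/" not in ref:
        return False
    first = ref.split("/", 1)[0]
    return "." in first or ":" in first or first == "localhost"


def load_scan_config(text):
    """Parse an INI-style [scan] section (hypothetical format) and validate it."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    if not parser.has_section("scan"):
        raise ValueError("missing [scan] section")
    section = parser["scan"]
    missing = [key for key in REQUIRED_KEYS if key not in section]
    if missing:
        raise ValueError("missing required keys: %s" % ", ".join(missing))
    image = section["scanner_image"]
    if not is_fully_qualified(image):
        raise ValueError(
            "scanner_image %r is a short name; use the fully qualified "
            "registry/name form so the locally stored image is recognised" % image)
    return {
        "scanner": section["scanner"],
        "image": image,
        # shlex.split keeps quoted arguments together as one token
        "scan_args": shlex.split(section["scan_args"]),
        "docker_args": shlex.split(section.get("docker_args", "")),
    }


# Constructed sample configs; the registry host and arguments are assumptions.
GOOD_CONF = """
[scan]
scanner = openscap
scanner_image = registry.example.com/rhel7/openscap
scan_args = --fetch-remote-resources --profile "xccdf_org.ssgproject.content_profile_standard"
docker_args = --privileged
"""

SHORT_NAME_CONF = """
[scan]
scanner = openscap
scanner_image = rhel7/openscap
scan_args = --fetch-remote-resources
"""


def check_conf(text):
    """Return the parsed config dict, or the validation error message."""
    try:
        return load_scan_config(text)
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    print("config path:", conf_path())
    print(check_conf(GOOD_CONF))
    print(check_conf(SHORT_NAME_CONF))
```

Rejecting the short name at load time surfaces the misconfiguration once, with a clear message, instead of as a silent re-pull on every scan.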