This commit enables scanning images and containers for configuration compliance with security profiles provided by SCAP Security Guide. Note: This feature requires the latest upstream OpenSCAP Daemon to be installed in the underlying "rhel7/openscap" container. Closes: #1027 Approved by: baude
type: scanner
|
|
scanner_name: openscap
|
|
image_name: registry.access.redhat.com/rhel7/openscap
|
|
default_scan: cve
|
|
custom_args: ['-v', '/etc/oscapd:/etc/oscapd:ro']
|
|
scans: [
|
|
{ name: cve,
|
|
args: ['oscapd-evaluate', 'scan', '--no-standard-compliance', '--targets', 'chroots-in-dir:///scanin', '--output', '/scanout', '-j1'],
|
|
description: "Performs a CVE scan based on Red Hat relesead CVE OVAL. !WARNING! This CVE is built into container image and it might be out-of-date. Change config.ini to configure the scanner to fetch latest CVE data"},
|
|
{ name: standards_compliance,
|
|
args: ['oscapd-evaluate', 'scan', '--targets', 'chroots-in-dir:///scanin', '--output', '/scanout', '--no-cve-scan', '-j1'],
|
|
description: "!DEPRECATED! Performs scan with Standard Profile, as present in SCAP Security Guide shipped in Red Hat Enterprise Linux"
|
|
},
|
|
{ name: configuration_compliance,
|
|
args: ['oscapd-evaluate', 'scan', '--targets', 'chroots-in-dir:///scanin', '--output', '/scanout', '--no-cve-scan', '-j1'],
|
|
description: "Performs a configuration compliance scan according to selected profile from SCAP Security Guide shipped in Red Hat Enterprise Linux."
|
|
}
|
|
]
|
|
|
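Review bot: The new `configuration_compliance` entry's `args` list is identical to that of the deprecated `standards_compliance` entry (`'--targets', 'chroots-in-dir:///scanin', '--output', '/scanout', '--no-cve-scan', '-j1'`), so the "selected profile" its description promises is not expressed anywhere in this file. Presumably the profile comes from the `/etc/oscapd` configuration that `custom_args` mounts read-only into the scanner container, but that should be stated rather than left for the reader to infer; I would add a comment above the entry such as `# profile selection comes from /etc/oscapd (mounted read-only via custom_args), not from args`, if that is indeed the mechanism. The commit note says this scan needs the latest upstream OpenSCAP Daemon in the `rhel7/openscap` image, yet `image_name` carries no tag, so an image pulled before this change may silently run the same command without the intended profile; recording the minimum daemon requirement in a comment next to `image_name` would save users a confusing result. Separately, the `cve` description misspells `released` as `relesead`.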