projectatomic/atomic
1
0
Fork 0
mirror of https://github.com/projectatomic/atomic.git synced 2026-02-07 06:44:52 +01:00
Code Issues Releases Activity
Files
c64d77f883db7f5ab5ea94dece18dcf1d245a96a
atomic/docs/atomic-scan.1.md
baude 9a5497f93d Atomic/scan.py: Add ability to remediate 
In the case of some scanners, they generate a script to remediate the
images|containers they have scanned.  We needed to provide a hook
for this ability. We now read the scanner's configuration file looking
for a "remediation_script" key, whose value should be a fq path to the
remediation script.  The remediation script should be delivered via
the scanning image via atomic install.

As of now, we pass the id of the scanned object and its results directory
as named arguments to the remediation script.

Signed-off-by: baude <bbaude@redhat.com>

Closes: #1090
Approved by: baude
2017-09-22 15:53:57 +00:00

105 lines
3.1 KiB
Markdown
Raw Blame History

% ATOMIC(1) Atomic Man Pages
% Brent Baude
% September 2015
# NAME
atomic-scan - Scan for CVEs in a container or image
# SYNOPSIS
**atomic scan**
[**-h**|**--help**]
[**--list**]
[**--scanner**]
[**--scan_type**]
[**--verbose**]
[**--all** | **--images** | **--containers** | **--rootfs** rootfs path to scan|
IMAGE or CONTAINER names ...]
# DESCRIPTION
**atomic scan** will scan the a container or image looking for known Common Vulnerabilities and Exposures(CVEs) by default. It can also scan
paths on the host filesystem as well using the _--rootfs_ option.
The architecture for _atomic scan_ is very plug-in friendly. You can define additional scanners to use via the plug-in interface. To list the
available scanners setup on your system, you can use _--list_. To use a different scanner, you simple pass its name with the _--scanner_ switch.
You can also select a different scan type using the _--scan_type_ switch.
# OPTIONS
**-h** **--help**
Print usage statement
**--verbose**
Show more verbose output. Specifically the stdout from the image scanner itself.
**--list**
Show all scanners configured for atomic and their scan types.
**--scanner**
Select as scanner other than the default.
**--scan_type**
Select a scan_type other than the default.
**--scanner_args**
Provide additional arguments for the scanner, for example specify a compliance profile.
**--all**
Instead of providing image or container names, scan all images (excluding intermediate image layers) and containers
**--images**
Scan all images (excluding intermediate layers). Similar to the results of `docker images`.
**--containers**
Scan all containers. Similar to the results of `docker ps -a`
**--rootfs**
Rootfs path to scan. Can provide _--rootfs_ multiple times.
Note: SELinux separation will be disabled for --rootfs scans, but all other container
separation will still be in place.
**--remediate**
Allows the scanner to run a remediation script when scanning is complete. The remediation script is provided
by the scanner itself.
**Note:** not all scanners provide remediation scripts.
# EXAMPLES
List all the scanners atomic knows about and display their default scan types.
atomic scan --list
Scan an image named 'foo1'.
atomic scan foo1
Scan and remediate an image named 'foo1'.
atomic scan --remediate foo1
Scan images named 'foo1' and 'foo2' and produce a detailed report.
atomic scan foo1 foo2
Scan all containers.
atomic scan --containers
Scan all containers and images and create a detailed report.
atomic scan --all
Scan a rootfs mounted at /tmp/chroot
atomic scan --rootfs /tmp/chroot
Scan an image called 'foo1' with a scanner called 'custom_scanner' and its default scan_type
atomic scan --scanner custom_scanner foo1
Scan an image called 'foo1' with a scanner called 'custom_scanner' and a scan type of 'list_rpms'
atomic scan --scanner custom_scanner --scan_type list_rpms foo1
# HISTORY
Initial revision by Brent Baude (bbaude at redhat dot com) September 2015
Updated for new atomic scan architecture by Brent Baude (bbaude at redhat dot com) May 2016
View Git Blame Copy Permalink