oscap in a docker based CI/CD pipeline

security forum advocate
I see there is an oscap-docker project, but how does that work in a CI/CD pipeline? Does the live project dabble in that, or is it just running oscap for the EC2 instances provisioned?
Author
Hi Sai,

This is an excellent question. The dockerized version of OpenSCAP is not covered in my liveProject; however, in principle it is almost the same command-line tool and integrates nicely with a CI/CD pipeline. What you would do once your Docker image is built (e.g. using the Containerfile/Dockerfile) is to run in your CI/CD step:

Some of the parameters would include e.g. the OpenSCAP profile and the report/results file (that bit is covered in my liveProject). Based on the exit code of oscap-docker or the results file, your CI/CD would perform other steps (e.g. stop everything if there is a vulnerability).

Saloon Keeper
It's worth noting that Ansible can do a very good job of installing and maintaining Docker images (since Ansible is also part of what this book is about).

I use it that way myself.
Sai Hegde
security forum advocate
Cool. So this is all good from the CI point, but what about containers out there? Do you do some kind of nightly jobs to determine which containers have newly discovered vulnerabilities?
Lucian Maly
Author
Yes, you could scan the image at night, or you can also scan containers at runtime instead - e.g.:
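The CI step Lucian describes above (run oscap-docker against the freshly built image, then gate the pipeline on its exit code or on the results file) and the runtime variant from this post (scan a running container instead), written out as an added example that is not part of the thread or of the liveProject. The image name, SCAP datastream path, profile id and result file names are placeholders and can be overridden through environment variables; the results fragment the script gates on when oscap-docker is not installed is constructed for the example. The exit-code mapping follows `oscap xccdf eval`: 0 means every rule passed, 2 means at least one rule failed, anything else means the scan itself did not complete.

```shell
#!/bin/sh
# Added example: a CI/CD gate around oscap-docker. Not from the original
# thread; the image name, SCAP datastream path and profile id below are
# placeholders (assumptions), override them via environment variables.
set -eu

IMAGE="${IMAGE:-registry.example/app:latest}"                            # placeholder image
CONTENT="${CONTENT:-/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml}"  # assumed SSG datastream path
PROFILE="${PROFILE:-xccdf_org.ssgproject.content_profile_cis}"          # assumed profile id
RESULTS="${RESULTS:-results.xml}"
REPORT="${REPORT:-report.html}"

# CI step from the thread: evaluate a freshly built image.
# oscap exit codes: 0 = all rules passed, 1 = tool error, 2 = at least one rule failed.
scan_image() {
  oscap-docker image "$IMAGE" xccdf eval \
    --profile "$PROFILE" --results "$RESULTS" --report "$REPORT" "$CONTENT"
}

# Nightly/runtime variant: evaluate a running container by id or name.
scan_container() {
  oscap-docker container "$1" xccdf eval \
    --profile "$PROFILE" --results "$RESULTS" --report "$REPORT" "$CONTENT"
}

# Translate the scanner's exit code into a pipeline decision.
gate_decision() {
  case "$1" in
    0) echo pass ;;
    2) echo fail ;;    # compliance failures: stop the pipeline
    *) echo error ;;   # scan did not complete: stop too, but triage separately
  esac
}

# Number of <rule-result> entries whose result is "fail" in an XCCDF results file.
count_failed_rules() {
  grep -o '<result>fail</result>' "$1" | wc -l | tr -d ' '
}

# Rule ids that failed, one per line, so the job log names what to fix.
failed_rule_ids() {
  awk '/<rule-result/ { match($0, /idref="[^"]*"/); id = substr($0, RSTART + 7, RLENGTH - 8) }
       /<result>fail<\/result>/ { print id }' "$1"
}

# Constructed XCCDF results fragment standing in for a real results.xml.
write_sample_results() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
<TestResult id="xccdf_org.open-scap_testresult_sample">
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_sudo_installed" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_audit_argument" severity="low">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
EOF
  echo "$f"
}

# The CI job body: run the scan, gate on its exit code, and name the failures.
run_ci_gate() {
  rc=0
  scan_image || rc=$?
  decision=$(gate_decision "$rc")
  echo "oscap-docker exit code $rc -> $decision"
  [ "$decision" = pass ] && return 0
  [ -f "$RESULTS" ] && failed_rule_ids "$RESULTS"
  return 1
}

if command -v oscap-docker >/dev/null 2>&1; then
  run_ci_gate || echo "pipeline stopped"
else
  sample=$(write_sample_results)
  echo "oscap-docker not on PATH; gating on constructed results in $sample"
  echo "decision for exit code 2: $(gate_decision 2)"
  echo "failed rules: $(count_failed_rules "$sample")"
  failed_rule_ids "$sample"
  rm -f "$sample"
fi
```

In a pipeline job the only line that matters is `run_ci_gate`: a non-zero return stops the stage, and the printed rule ids tell the developer which hardening rules the image violates without opening the HTML report. For the nightly job, `scan_container` takes the container id from `docker ps` and feeds the same gate, so image-time and runtime findings are judged by one rule.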