
oscap in a docker based CI/CD pipeline

 
Sai Hegde
security forum advocate
I see there is an oscap-docker project, but how does that work in a CI/CD pipeline? Does the liveProject dabble into that, or is it just running oscap for the EC2 instances provisioned?
 
Lucian Maly
Author
Hi Sai,

This is an excellent question. The dockerized version of OpenSCAP is not covered in my liveProject; however, in principle it is almost the same command-line tool and integrates nicely with a CI/CD pipeline. What you would do once your Docker image is built (e.g. using the Containerfile/Dockerfile) is to run in your CI/CD step:

Some of the parameters would include e.g. the OpenSCAP profile and the report/results file (that bit is covered in my liveProject). Based on the exit code of oscap-docker or the results file, your CI/CD would perform other steps (e.g. stop everything if there is a vulnerability).

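The CI step described above, written out as an added example (this is not code from the thread or from the liveProject). It uses the real `oscap-docker image <image> xccdf eval ...` form and the oscap exit-code convention (0 all rules passed, 1 scan error, 2 at least one rule failed); the image name, profile ID, datastream path and the `RUN_SCAN` switch are assumptions for illustration. The sample results file it writes is constructed so the gate logic can be exercised without a Docker daemon.

```shell
#!/bin/sh
# Added example (not from the original thread): a CI/CD step that scans a
# freshly built image with oscap-docker and gates the pipeline on the
# XCCDF results file. Image name, profile ID and datastream path are
# placeholders (assumptions); set them for your environment.

IMAGE="${IMAGE:-registry.example.com/myapp:latest}"                          # assumption
PROFILE="${PROFILE:-xccdf_org.ssgproject.content_profile_standard}"          # assumption
DATASTREAM="${DATASTREAM:-/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml}" # assumption
RESULTS="${RESULTS:-results.xml}"
REPORT="${REPORT:-report.html}"

# Run the compliance scan against the image. Like plain oscap, oscap-docker
# exits 0 when every rule passed, 2 when at least one rule failed and 1
# when the scan itself hit an error.
scan_image() {
    oscap-docker image "$IMAGE" xccdf eval \
        --profile "$PROFILE" \
        --results "$RESULTS" \
        --report "$REPORT" \
        "$DATASTREAM"
}

# Count <rule-result> entries with a given outcome (pass, fail, error,
# notapplicable, ...) in an XCCDF results file. oscap writes one
# <result> element per line, so a line count is enough here.
count_results() {
    grep -c "<result>$2</result>" "$1" || true
}

# The gate: refuse to continue on any failed or errored rule, or when the
# results file is missing (a scan that never ran must not pass silently).
gate() {
    rf="$1"
    if [ ! -f "$rf" ]; then
        echo "SCAP gate: no results file at $rf" >&2
        return 1
    fi
    fails=$(count_results "$rf" fail)
    errors=$(count_results "$rf" error)
    if [ "$fails" -gt 0 ] || [ "$errors" -gt 0 ]; then
        echo "SCAP gate: $fails failed and $errors errored rule(s) in $rf" >&2
        return 1
    fi
    echo "SCAP gate: all evaluated rules passed ($rf)"
}

# Constructed sample results (not real oscap output) so the gate can be
# exercised without Docker: one <rule-result> per outcome given as argument.
write_sample_results() {
    out="$1"; shift
    {
        printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>'
        printf '%s\n' '<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_testresult_sample">'
        i=0
        for outcome in "$@"; do
            i=$((i + 1))
            printf '  <rule-result idref="xccdf_org.example_rule_%d" weight="1.0">\n' "$i"
            printf '    <result>%s</result>\n' "$outcome"
            printf '  </rule-result>\n'
        done
        printf '%s\n' '</TestResult>'
    } > "$out"
}

# Pipeline step: only runs when RUN_SCAN=1 (assumed switch) so the file can
# be sourced or tested without a Docker daemon.
if [ "${RUN_SCAN:-0}" = 1 ]; then
    rc=0
    scan_image || rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "oscap-docker failed to scan $IMAGE" >&2
        exit 1
    fi
    gate "$RESULTS" || exit 1   # exit code 2 (failed rules) stops the pipeline here
fi
```

Two practical points: the runner executing this step needs access to the Docker daemon (oscap-docker typically runs as root), and `results.xml`/`report.html` should be kept as pipeline artifacts so a red build can be explained. The line-based `grep` is deliberate for portability; an XML-aware check (`xmllint --xpath`) is more robust if the results are ever pretty-printed differently.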
 
Saloon Keeper
It's worth noting that Ansible can do a very good job of installing and maintaining Docker images (since Ansible is also part of what this book is about).

I use it that way myself.
 
Sai Hegde
security forum advocate
Cool. So this is all good from the CI point, but what about containers out there? Do you do some kind of nightly jobs to determine which containers have newly discovered vulnerabilities?
 
Lucian Maly
Author
Yes, you could scan the image at night, or you can also scan containers at runtime instead - e.g.:
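The nightly runtime scan Sai asked about, as an added example that is not part of the original post. It uses the real `oscap-docker container-cve <container> --results <file> --report <file>` form, which checks a running container against Red Hat's OVAL CVE feed (so it is meaningful for RHEL-family images and needs network access to fetch the feed). `OUTDIR`, the `RUN_NIGHTLY` switch and the sample OVAL fragment are assumptions/constructed so the parsing can be tested without Docker.

```shell
#!/bin/sh
# Added example (not from the original thread): a nightly job that runs
# oscap-docker container-cve against every running container and reports
# which ones match a known-CVE OVAL definition. Assumes oscap-docker can
# reach the Docker daemon (usually root) and that the containers are
# RHEL-family images, since oscap-docker's CVE scan uses Red Hat's OVAL
# feed. OUTDIR is a placeholder (assumption).

OUTDIR="${OUTDIR:-/var/log/oscap-nightly}"   # assumption

# In OVAL results, <definition ... result="true"> means the container
# matched that vulnerability definition, i.e. it is affected by the CVE(s).
# Prints the number of such definitions; a missing file counts as 0.
count_vulnerable() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '<definition [^>]*result="true"' "$1" || true
}

# List the definition IDs that matched, so the summary names them.
vulnerable_definitions() {
    [ -f "$1" ] || return 0
    grep '<definition [^>]*result="true"' "$1" \
        | sed -n 's/.*definition_id="\([^"]*\)".*/\1/p'
}

# Scan one running container and print a one-line summary; returns 1 if
# any CVE definition matched.
scan_container() {
    id="$1"
    name=$(docker inspect -f '{{.Name}}' "$id" | sed 's|^/||')
    stamp=$(date +%Y%m%d)
    results="$OUTDIR/$name-$stamp-cve.xml"
    report="$OUTDIR/$name-$stamp-cve.html"
    oscap-docker container-cve "$id" --results "$results" --report "$report" \
        || echo "note: oscap-docker exited non-zero for $name, see $results" >&2
    n=$(count_vulnerable "$results")
    echo "$name: $n matching CVE definition(s), report $report"
    vulnerable_definitions "$results" | sed "s/^/  $name: /"
    [ "$n" -eq 0 ]
}

# Nightly entry point: scan everything that is running; exit non-zero if
# any container is affected so cron mail or monitoring picks it up.
nightly() {
    mkdir -p "$OUTDIR"
    affected=0
    for id in $(docker ps -q); do
        scan_container "$id" || affected=$((affected + 1))
    done
    echo "nightly scan: $affected affected container(s)"
    [ "$affected" -eq 0 ]
}

# Constructed OVAL results fragment (not real oscap output) to exercise the
# parsing without Docker: one definition per argument of the form ID=RESULT.
write_sample_oval() {
    out="$1"; shift
    {
        printf '%s\n' '<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">'
        printf '%s\n' '  <results><system><definitions>'
        for spec in "$@"; do
            printf '    <definition definition_id="%s" version="1" result="%s"/>\n' \
                "${spec%%=*}" "${spec#*=}"
        done
        printf '%s\n' '  </definitions></system></results>'
        printf '%s\n' '</oval_results>'
    } > "$out"
}

# Only run the real scan when asked (assumed switch), e.g. from cron.
if [ "${RUN_NIGHTLY:-0}" = 1 ]; then
    nightly
fi
```

Scheduled from root's crontab as something like `0 2 * * * RUN_NIGHTLY=1 /usr/local/bin/oscap-nightly.sh`, the non-zero exit on any affected container is what turns a quiet nightly job into an alert. Note that this answers "which running containers are affected today"; it does not change the image, so the fix still goes through the image rebuild and the CI gate.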
 