Public | Automated Build

Last pushed: 3 years ago
Short Description
Short description is empty for this repo.
Full Description

OpenSCAP4Docker Docker image

Description

That image embed :

  • OpenSCAP, an open tool for checking Linux vunlerabilities from SCAP datas
  • OpenScap4Docker script, a script provided by openscap developers to run against Docker images and containers

The idea is to use Docker's lightweight isolation to have an auto-sufficient image that embed OpenSCAP4Docker and its dependencies, even if it only need bash as dependency...

Usage

From here, just pre-download the image from the registry :

$ docker pull dduportal/oscap4docker:1.0.0

It is strongly recommended to use tags, even if dduportal/oscap4docker will work as latest tag is implied.

Then you have to choices : running directly your test or build your own, which enable you to embed your tests.

Inline run

To print out the usage of the embeded docker-oscap script, just run without arguments :

$ docker run dduportal/oscap4docker:1.0.0
...

Note that you have to provide to your container :

  • A docker binary in /usr/bin/docker (be carefull on the version)
  • AND the configuration to communicate to remote Docker Daemon.

Exemple, sharing the Docker client binary (to ensure version) and the local Unix socket :

$ docker run \
    -v $(which docker):/usr/bin/docker \
    -v /var/run/docker.sock:/var/run/docker.sock \
    dduportal/oscap4docker:1.0.0 \
        image-cve dduportal/oscap4docker:1.0.0

If you want gather locally the results generated by docker-oscap, you can

  • Share a local folder at run to /data :

      $ docker run \
          -v $(which docker):/usr/bin/docker \
          -v $(pwd):/reports \
          dduportal/oscap4docker:1.0.0 \
              image-cve dduportal/oscap4docker:1.0.0 \
              --results /reports/oval-results-file.xml \
              --report /reports/oval-report.html
      ...
      $ ls
      oval-results-file.xml oval-report.html
    
  • Acces the /data volumes afterwards (We are in data volume as workdir by default) :

      $ CID=$(docker run \
          -d \
          -v $(which docker):/usr/bin/docker \
          dduportal/oscap4docker:1.0.0 \
              image-cve dduportal/oscap4docker:1.0.0 \
              --results oval-results-file.xml )
      $ docker logs "${CID}"
      ...
      $ ls -l $(docker insepct -f '{{ index .Volumes "/data"}}' "${CID}")
      oval-results-file.xml
    

Build your own testing image

The goal here is to embed to tests in order to version them or share them, and providing the 'all-in-one' box (e.g. OpenSCAP4Docker + deps. + your tests) as a Docker image artefact :

$ cat Dockerfile
FROM dduportal/oscap4docker:1.0.0
MAINTAINER <your name>
ADD ./your-tests /app/oscap4docker-tests
RUN yum install -y -q <your dependencies>
CMD ["/app/oscap4docker-tests/"]
$ docker build -t my-tests ./
...
$ docker run -t my-tests
...

Image content and considerations

Base image

Since this image just need bats and little dependencies, we use Centos Linux 7 as a base image.

Already installed package

We embed a set of basic packages :

  • bash : It's a OpenSCAP4Docker dependency,
  • wget (and ca-certificates): because the default embeded wget does not handle HTTPS

Contributing

Do not hesitate to contribute by forking this repository

Pick at least one :

  • Implement tests in /tests/bats/

  • Write the Dockerfile

  • (Re)Write the documentation corrections

Finnaly, open the Pull Request : CircleCi will automatically build and test for you

Docker Pull Command
Owner
dduportal