This image embeds:
- OpenSCAP, an open tool for checking Linux vulnerabilities from SCAP data
- OpenSCAP4Docker, a script provided by the OpenSCAP developers to run against Docker images and containers
The idea is to use Docker's lightweight isolation to ship a self-sufficient image that embeds OpenSCAP4Docker and its dependencies, even though it only needs bash as a dependency...
From here, just pre-download the image from the registry:
$ docker pull dduportal/oscap4docker:1.0.0
It is strongly recommended to use tags, even though dduportal/oscap4docker alone will work, because the latest tag is implied.
Then you have two choices: run your tests directly, or build your own image, which lets you embed your tests.
To print out the usage of the embedded docker-oscap script, just run the image without arguments:
$ docker run dduportal/oscap4docker:1.0.0
...
Note that you have to provide to your container:
- a docker binary at /usr/bin/docker (be careful about the version), AND
- the configuration needed to communicate with the remote Docker daemon.
Example, sharing the Docker client binary (to ensure the version matches) and the local Unix socket:
$ docker run \
-v $(which docker):/usr/bin/docker \
-v /var/run/docker.sock:/var/run/docker.sock \
dduportal/oscap4docker:1.0.0 \
image-cve dduportal/oscap4docker:1.0.0
If you want to gather the results generated by docker-oscap locally, you can:
- Share a local folder at run time (the example below mounts it at /reports and points --results and --report there):
$ docker run \
-v $(which docker):/usr/bin/docker \
-v $(pwd):/reports \
dduportal/oscap4docker:1.0.0 \
image-cve dduportal/oscap4docker:1.0.0 \
--results /reports/oval-results-file.xml \
--report /reports/oval-report.html
...
$ ls
oval-results-file.xml oval-report.html
- Access the /data volume afterwards (the data volume is the workdir by default):
$ CID=$(docker run \
-d \
-v $(which docker):/usr/bin/docker \
dduportal/oscap4docker:1.0.0 \
image-cve dduportal/oscap4docker:1.0.0 \
--results oval-results-file.xml )
$ docker logs "${CID}"
...
$ ls -l $(docker inspect -f '{{ index .Volumes "/data"}}' "${CID}")
oval-results-file.xml
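Once the OVAL results file has been gathered as above, a CI job usually wants a pass/fail answer rather than the raw XML. The following POSIX sh snippet is an added example, not part of the oscap4docker project: it counts the definitions that evaluated to result="true" in a results file and turns that into an exit status. The sample XML is constructed here to mirror the shape of an OpenSCAP OVAL results file (a <results>/<system>/<definitions> section whose <definition> elements carry definition_id and result attributes); the file path and the oval:example:* ids are assumptions.

```shell
#!/bin/sh
# Added example (not oscap4docker's own code): summarise the OVAL results
# file written by `image-cve ... --results` and gate CI on it.
# Only POSIX sh, grep and sed are needed.

# Constructed sample in the shape of an OpenSCAP OVAL results file: each
# evaluated <definition> carries result="true" (vulnerable package found),
# "false" or "not applicable". Ids and path are placeholders.
SAMPLE_RESULTS="${TMPDIR:-/tmp}/oval-results-sample.xml"
cat > "$SAMPLE_RESULTS" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:example:def:1" result="true" version="1"/>
        <definition definition_id="oval:example:def:2" result="false" version="1"/>
        <definition definition_id="oval:example:def:3" result="true" version="2"/>
        <definition definition_id="oval:example:def:4" result="not applicable" version="1"/>
      </definitions>
    </system>
  </results>
</oval_results>
EOF

# Print the ids of definitions whose result is "true", one per line.
oval_vulnerable_ids() {
    grep -o '<definition [^>]*result="true"[^>]*>' "$1" \
        | sed -n 's/.*definition_id="\([^"]*\)".*/\1/p'
}

# Number of "true" results; prints 0 (not an error) when there are none.
oval_vulnerable_count() {
    oval_vulnerable_ids "$1" | grep -c . || :
}

# CI gate: succeeds only when no definition matched the scanned image.
oval_gate() {
    n=$(oval_vulnerable_count "$1")
    echo "vulnerable definitions in $1: $n"
    [ "$n" -eq 0 ]
}

# Stand-alone run on the sample: lists the two matching ids, then the gate fails.
oval_vulnerable_ids "$SAMPLE_RESULTS"
oval_gate "$SAMPLE_RESULTS" || echo "gate: FAIL (sample has matches)"
```

Point the functions at the file you mounted out of the container (for example /reports/oval-results-file.xml or the /data volume path printed by docker inspect) and use `oval_gate` as the last step of the job.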
The goal here is to embed your tests in order to version or share them, providing the 'all-in-one' box (i.e. OpenSCAP4Docker + dependencies + your tests) as a Docker image artefact:
$ cat Dockerfile
FROM dduportal/oscap4docker:1.0.0
MAINTAINER <your name>
ADD ./your-tests /app/oscap4docker-tests
RUN yum install -y -q <your dependencies>
CMD ["/app/oscap4docker-tests/"]
$ docker build -t my-tests ./
...
$ docker run -t my-tests
...
Since this image just needs bats and a few small dependencies, we use CentOS Linux 7 as the base image.
We embed a set of basic packages:
- bash: it is an OpenSCAP4Docker dependency,
- wget (and ca-certificates): because the default embedded wget does not handle HTTPS
Do not hesitate to contribute by forking this repository.
Pick at least one:
- Implement tests in /tests/bats/
- Write the Dockerfile
- (Re)write the documentation or correct it
Finally, open the pull request: CircleCI will automatically build and test it for you.