Closed itewk closed 3 years ago
Performed manual push of buildah and oscap images.
CONFIRMATION
IMAGES: tssc-tool-containers tssc-tool-openscap
IMAGE VERSION: edge
IMAGE TAGS: edge sha-369193b1
REGISTRY REPOSITORY: tssc
REGISTRY_URI: quay.io
Issue

Currently we install the `scap-security-guide` rpm, which supplies oscap compliance profiles to `/usr/share/xml/scap/ssg/content`, as part of the `tssc-tool-openscap` container image. The problem is that teams may now reference that content in an old copy of this image, which then means the compliance data is out of date. The workflow should assume all content is coming from other sources and not baked into the CI tool images.

Solution
Don't install the `scap-security-guide` rpm. For "connected" users, they can reference https://atopathways.redhatgov.io/compliance-as-code/scap/, which has a superset of the input files and profiles installed from the `scap-security-guide` rpm.

For "disconnected" users, they can either:

a) use rolie (https://www.redhat.com/en/blog/red-hat-adopts-rolie-protocol-automated-exchange-security-compliance-assets) to mirror the content of https://atopathways.redhatgov.io/compliance-as-code/scap/ to an internal mirror, OR
b) mirror the source content repo (https://github.com/ComplianceAsCode/content) into the disconnected environment, then build the content in the disconnected environment, and then host that content in the disconnected environment, OR
c) build custom content that is hosted in the disconnected environment, OR
d) any combination of any of that.

TL;DR put the responsibility of hosting the compliance and vulnerability content on the environment and not on the CI tool.
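One way a CI step can consume content supplied by the environment rather than content baked into the tool image, as an added example that is not part of the issue above or of the tssc project: the datastream location and its published SHA-256 digest come in as environment variables (the names `OSCAP_CONTENT_URL`, `OSCAP_CONTENT_SHA256` and `OSCAP_PROFILE` are assumptions for illustration), the file is fetched from whichever mirror the environment points at, its digest is verified before `oscap` ever reads it, and a mismatch fails the step instead of silently scanning against tampered or truncated content.

```shell
#!/usr/bin/env sh
# Added example (not the tssc project's code): fetch the SCAP datastream from a
# source chosen by the environment and verify its digest before scanning.
set -eu

# Print the SHA-256 hex digest of a file, using whichever tool is available.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Resolve and verify compliance content for this run.
#   $1  content source: an http(s):// or file:// URL, or a local path (e.g. an
#       internal mirror built from ComplianceAsCode/content)
#   $2  expected SHA-256 hex digest published alongside the content
#   $3  destination path for the verified datastream
# Writes the file and returns 0 on success; removes the download and returns 1
# when the digest does not match, so nothing unverified is left behind.
fetch_scap_content() {
  src="$1"; expected="$2"; dest="$3"
  tmp="$(mktemp)"
  case "$src" in
    http://*|https://*|file://*)
      curl --fail --silent --show-error --location --output "$tmp" "$src" ;;
    *)
      cp -- "$src" "$tmp" ;;
  esac
  actual="$(sha256_of "$tmp")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $src: expected $expected, got $actual" >&2
    rm -f -- "$tmp"
    return 1
  fi
  mv -- "$tmp" "$dest"
}

# Evaluate the verified datastream. The profile id is whatever the environment
# publishes for its content; 'oscap xccdf eval' exits non-zero when rules fail,
# which is the signal the pipeline wants to surface.
run_oscap_scan() {
  datastream="$1"; profile="$2"; results="$3"
  oscap xccdf eval --profile "$profile" --results "$results" "$datastream"
}

# Entry point for a pipeline step; runs only when the environment has supplied
# a content location, so sourcing this file for its functions has no side effects.
if [ -n "${OSCAP_CONTENT_URL:-}" ]; then
  fetch_scap_content "$OSCAP_CONTENT_URL" \
    "${OSCAP_CONTENT_SHA256:?set to the digest published with the content}" \
    ./ssg-ds.xml
  run_oscap_scan ./ssg-ds.xml \
    "${OSCAP_PROFILE:?set to the xccdf profile id to evaluate}" \
    ./oscap-results.xml
fi
```

Because the image no longer carries any profiles, an old copy of `tssc-tool-openscap` cannot quietly scan against stale content: the datastream is always whatever the environment's mirror serves today, and the digest check is what ties the run to a specific, reviewed version of that content.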