Hello,
I have followed your excellent blog post about running OpenSCAP as a part of the build.
However, for my case I was unable to use the same runner, and your code in this repository does not work on different runners.
What I did is make OpenSCAP a standalone Alpine Docker image, and I wanted to share it back in case you find it useful. I believe it is close to being usable as a standalone GitHub Action.
DOCKERFILE
# based on
# https://github.com/candrews/jumpstart/blob/cc931e5627bd272bfb5f92f327e580f67c1c7469/.github/workflows/build.yml
# Use the specified Alpine base image
FROM alpine:3.20
# Copy the scripts folder into the Docker image
COPY scripts /scripts
# Make sure the scripts are executable
RUN chmod +x /scripts/*.sh
# Add the scripts directory to the PATH
ENV PATH="/scripts:${PATH}"
# Set environment variables
ENV SCAP_SECURITY_GUIDE_VERSION=0.1.75
ENV MICROSOFT_SARIF_MULTITOOL_VERSION=4.5.4
ENV MITRE_SAF_VERSION=1.4.16
# Absolute path, so the datastream location does not depend on WORKDIR
# (the scan command later refers to /ssg/...)
ENV SSG_DIR=/ssg
# Install dependencies (apk add --no-cache fetches a fresh index itself,
# so a separate apk update is not needed)
RUN apk add --no-cache \
    curl \
    docker \
    jq \
    openscap-docker \
    npm \
    gcompat \
    unzip
# Sanity check that curl is present. A bare "curl -I" with no URL would
# exit non-zero and fail the build, so that debug step is not included.
RUN curl --version
# Install npm packages
RUN npm install -g "@microsoft/sarif-multitool@${MICROSOFT_SARIF_MULTITOOL_VERSION}" \
    && npm install -g sinon@16.1.0 "@mitre/saf@${MITRE_SAF_VERSION}"
# Download and unzip SCAP Security Guide, then drop the archive to keep the image small
RUN mkdir -p "${SSG_DIR}" \
    && curl -Lso "${SSG_DIR}/ssg.zip" "https://github.com/ComplianceAsCode/content/releases/download/v${SCAP_SECURITY_GUIDE_VERSION}/scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}.zip" \
    && unzip "${SSG_DIR}/ssg.zip" -d "${SSG_DIR}" \
    && rm "${SSG_DIR}/ssg.zip"
#RUN oscap --version
#RUN oscap-docker -h
RUN ls -R -l "${SSG_DIR}"
# Set entrypoint
#ENTRYPOINT ["oscap-docker"]
#CMD [ "-h" ]
ENTRYPOINT ["/bin/sh"]
Assuming it is built as my-oscap-docker, it can then be easily used to scan from a GitHub Action:
# Create a directory to store the report
mkdir -p "$GITHUB_WORKSPACE/report"
docker pull ubuntu:22.04
# Keep the target container running: with no command, ubuntu:22.04 starts bash,
# which exits immediately when detached, leaving no running container to scan
docker run -d --name test-container ubuntu:22.04 sleep infinity
# Mounting the host's Docker socket is what lets oscap-docker reach the target container
docker run --rm --network host \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v "$GITHUB_WORKSPACE/report:/report" \
  my-oscap-docker:latest \
  -c "/usr/bin/oscap-docker container test-container xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_cis_level2_server --results /report/ssg-results.xml --report /report/ssg-results.html /ssg/scap-security-guide-0.1.75/ssg-ubuntu2204-ds.xml"
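The step above only produces /report/ssg-results.xml; nothing yet decides whether the job should pass. As an added example (not code from the original post, nor from the jumpstart repository or the blog it refers to), here is a small POSIX sh helper that wraps the scan so that oscap's documented exit code 2 ("at least one rule failed") does not abort the step early, then reads the XCCDF results file and fails the job if any rule has result "fail", printing the failing rule ids. The image name my-oscap-docker:latest and the /report path are taken from the post; the sample results fragment is constructed for the example and its rule ids are placeholders, not real SSG rule names; it also assumes oscap-docker passes oscap's exit code through.

```shell
#!/bin/sh
# Added example (not from the original post): gate a CI job on XCCDF results.
# Assumption: the results file is the XCCDF results oscap writes, where every
# <rule-result idref="..."> block holds exactly one <result>STATUS</result>.

# scan_container CONTAINER DATASTREAM PROFILE OUTDIR
#   The docker invocation from the post, but oscap exit code 2 (rule failures)
#   is tolerated so the results can be inspected; exit code 1 (scanner error)
#   still fails fast. Assumes the image name my-oscap-docker:latest.
scan_container() {
  rc=0
  docker run --rm --network host \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v "$4:/report" \
    my-oscap-docker:latest \
    -c "/usr/bin/oscap-docker container $1 xccdf eval --fetch-remote-resources --profile $3 --results /report/ssg-results.xml --report /report/ssg-results.html $2" \
    || rc=$?
  case "$rc" in
    0|2) return 0 ;;
    *)   return "$rc" ;;
  esac
}

# count_results FILE STATUS
#   Prints how many rule results carry STATUS (pass, fail, notapplicable, ...).
#   "|| true" keeps grep's exit 1 on zero matches from tripping set -e.
count_results() {
  grep -c "<result>$2</result>" "$1" || true
}

# failed_rule_ids FILE
#   Prints the idref of every rule-result whose result is fail. awk remembers
#   the most recent idref and emits it when the matching <result>fail</result>
#   line arrives.
failed_rule_ids() {
  awk '
    /<rule-result / {
      if (match($0, /idref="[^"]*"/)) id = substr($0, RSTART + 7, RLENGTH - 8)
    }
    /<result>fail<\/result>/ { print id }
  ' "$1"
}

# gate FILE
#   Returns 0 when no rule failed, 1 otherwise, listing the failures on stderr
#   so the CI log shows what to look at.
gate() {
  failed=$(count_results "$1" fail)
  if [ "$failed" -ne 0 ]; then
    echo "$failed rule(s) failed:" >&2
    failed_rule_ids "$1" >&2
    return 1
  fi
  echo "no failed rules" >&2
  return 0
}

# write_sample_results FILE
#   Writes a constructed, trimmed fragment in the shape oscap emits (not real
#   scanner output; the rule ids are placeholders) so the helpers run offline.
write_sample_results() {
  cat > "$1" <<'EOF'
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_example">
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_pass" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_fail_one" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_na" severity="low">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_fail_two" severity="medium">
    <result>fail</result>
  </rule-result>
</TestResult>
EOF
}
```

In the workflow this replaces the bare docker run: `scan_container test-container /ssg/scap-security-guide-0.1.75/ssg-ubuntu2204-ds.xml xccdf_org.ssgproject.content_profile_cis_level2_server "$GITHUB_WORKSPACE/report" && gate "$GITHUB_WORKSPACE/report/ssg-results.xml"`. A stock ubuntu:22.04 container will fail many CIS level 2 rules, so expect the gate to fail until you either harden the image or narrow the profile; the point is that the decision is explicit rather than an accident of oscap's exit status.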