Integrating the OpenSCAP (open source) tool to run security scans and integrate results into the Security Dashboard
Problem to solve
OpenSCAP (https://www.open-scap.org/) is an open source SCAP tool that performs security compliance and vulnerability assessment. SCAP tools are widely used in organizations to perform such assessments.
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
Further details
Use Case: As teams develop more and more applications in GitLab with the ultimate goal of delivering them to the production environment, there is a push to use GitOps and similar techniques to build out the environments and deploy the applications. What is missing at the moment is the ability to check the environment for vulnerabilities using SCAP tools. In line with GitLab's vision of providing more information directly in the GitLab dashboard, SCAP scan results should become available in the Security Dashboard and provide one more layer of vulnerability assessment and compliance capability natively.
Proposal
- Incorporate an additional container with the OpenSCAP tool installed (https://hub.docker.com/r/openscap/openscap).
- Start the container and deploy the application, either in the Review App or in the destination environment.
- Run an OpenSCAP scan and collect the result documents.
- Parse the results and display them in the Security Dashboard.
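As an added example of the parsing step (not code from this proposal, OpenSCAP or GitLab), the following reads an XCCDF 1.2 results document of the kind `oscap xccdf eval --results` writes, keeps only the rules that failed, and maps each one to a flat finding record. The XML sample is constructed and trimmed, and the record layout is an assumption for illustration, not GitLab's security report schema.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed, heavily trimmed sample of an OpenSCAP XCCDF results document:
# Rule definitions on the Benchmark plus a TestResult with one rule-result
# per evaluated rule. Rule ids and titles are made up for this example.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Rule id="xccdf_example_rule_sshd_root_login" severity="high">
    <title>Disable root login over SSH</title>
  </Rule>
  <Rule id="xccdf_example_rule_ntp" severity="low">
    <title>Enable NTP</title>
  </Rule>
  <TestResult id="xccdf_example_testresult_demo">
    <rule-result idref="xccdf_example_rule_sshd_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_ntp" severity="low">
      <result>pass</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

# Assumed mapping from XCCDF severity values to dashboard severity labels.
SEVERITY_MAP = {"high": "High", "medium": "Medium", "low": "Low",
                "info": "Info", "unknown": "Unknown"}


def parse_xccdf_failures(xml_text):
    """Return one finding record per rule-result whose result is 'fail'.

    Other XCCDF results (pass, notapplicable, notchecked, error, ...) are
    skipped; they are not vulnerabilities to surface on the dashboard.
    """
    root = ET.fromstring(xml_text)
    rule_tag = "{%s}Rule" % XCCDF_NS["x"]
    # Rule titles live on the Benchmark, not in the TestResult; index by id.
    titles = {r.get("id"): (r.findtext("x:title", namespaces=XCCDF_NS) or "")
              for r in root.iter(rule_tag)}
    findings = []
    for rr in root.iter("{%s}rule-result" % XCCDF_NS["x"]):
        if rr.findtext("x:result", namespaces=XCCDF_NS) != "fail":
            continue
        rule_id = rr.get("idref")
        findings.append({
            "id": rule_id,
            "name": titles.get(rule_id, rule_id),
            "severity": SEVERITY_MAP.get(rr.get("severity", "unknown"), "Unknown"),
        })
    return findings


if __name__ == "__main__":
    for f in parse_xccdf_failures(SAMPLE_RESULTS):
        print(f["severity"], f["id"], f["name"])
```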
Permissions and Security
Anyone who has access to the security dashboards.
Documentation
Testing
What does success look like, and how can we measure that?
Success will be defined by the added capability that Security Dashboard users gain by receiving the results of the SCAP scan for actionable vulnerability management.
What is the type of buyer?
At the moment, Security Dashboards are part of Gold/Ultimate. This functionality would be best suited for those tiers.
Links / references
- Core product: https://www.open-scap.org/
- Docker Container: https://hub.docker.com/r/openscap/openscap
- Package available for Alpine: https://gitlab.alpinelinux.org/alpine/aports/issues/4460