add openscap image scan
Part of sylva-projects/sylva-elements/container-images/ci-disk-image-builder#2 (closed)
This MR depends on sylva-projects/sylva-elements/container-images/openscap!1 (merged)
(the openscap MR needs to be merged first to update the OPENSCAP_CI_IMAGE reference)
This MR uses the OpenSCAP image and adds the following steps in CI:
- perform security scan for OS in ['opensuese', 'ubuntu'] and a fixed list of security profiles (standard, cis_xxx) defined in SSG content (can be seen with oscap info "/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml")
- the scan is based on the cached raw image from the previous SBOM job, to avoid spending time on pull/unzip...
- (optionally, only for a given tag) publish the report in the "general registry" and add links in release notes (https://gitlab.com/sylva-projects/sylva-elements/diskimage-builder/-/releases/0.0.dev0)
MR tested https://gitlab.com/sylva-projects/sylva-elements/diskimage-builder/-/pipelines/1563889907
Edited by Yiping Chen