6.5. Using OpenSCAP with Docker

The oscap-docker command-line utility allows users to use the oscap program to scan their docker-formatted container images and containers almost in the same way as their local systems.
The following section explains the installation of oscap-docker and offers basic examples of usage. To learn more about sub-commands, use the --help option with the oscap-docker or oscap commands.
To enable the scanning of images and containers, you need to have the docker package installed, too. See the Getting Docker in Red Hat Enterprise Linux 7 chapter of the Getting Started with Containers guide for instructions on installing Docker.
Enter the following command to install oscap-docker:
# yum install openscap-utils

Example 6.12. Using oscap-docker

oscap-docker scan_target[-cve] target_identifier [oscap-arguments]
Where scan_target is an image or a container to scan, and target_identifier is the name or the ID of the target.
The second of the following commands attaches a container image, determines the variant and version of the operating system, downloads the CVE stream applicable to the given system, and finally runs the vulnerability scan:
# docker images
REPOSITORY                               TAG                 IMAGE ID
registry.access.redhat.com/rhel7         latest              c453594215e4
# oscap-docker image-cve registry.access.redhat.com/rhel7
The second of the following commands runs the OpenSCAP scan within the chroot environment of a running container. The results may differ from a scan of the container image because of the mount points defined for the running container. This example uses the OVAL patch definition com.redhat.rhsa-all.xml.
# docker ps
5ef05eef4a01    registry.access.redhat.com/rhel7	"/bin/bash"   sleepy_kirch
# oscap-docker container 5ef05eef4a01 oval eval com.redhat.rhsa-all.xml
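The following script is an added example, not part of the Red Hat guide or of the oscap-docker tool itself. It wraps the synopsis above (scan_target, target_identifier and pass-through oscap-arguments) so that every local image can be scanned for CVEs in one pass and each scan leaves a results file and an HTML report behind. The `docker images` output it parses is a constructed sample embedded in the script, so it runs without Docker; the `--results` and `--report` options are oscap options assumed to be passed through by oscap-docker, and the `build_scan_cmd`, `list_image_refs` and `scan_all_images` function names are this example's own.

```shell
#!/bin/sh
# Added example: generate oscap-docker CVE scans for every local image.
# Not part of the Red Hat guide; --results/--report are assumed to be
# forwarded to oscap as "oscap-arguments" per the oscap-docker synopsis.

# Constructed sample of `docker images` output (not captured from a real host).
SAMPLE_IMAGES='REPOSITORY                               TAG                 IMAGE ID            CREATED             SIZE
registry.access.redhat.com/rhel7         latest              c453594215e4        3 weeks ago         201 MB
registry.access.redhat.com/rhel7         7.3                 1a2b3c4d5e6f        2 months ago        198 MB
<none>                                   <none>              0f0f0f0f0f0f        5 months ago        150 MB'

# Build one oscap-docker command line after validating the scan target.
# Usage: build_scan_cmd scan_target target_identifier [oscap-arguments...]
build_scan_cmd() {
    if [ "$#" -lt 2 ]; then
        echo 'usage: build_scan_cmd scan_target target_identifier [oscap-arguments]' >&2
        return 1
    fi
    target_type=$1
    target_id=$2
    shift 2
    # Only the four scan targets named in the guide are accepted.
    case "$target_type" in
        image|image-cve|container|container-cve) ;;
        *) printf 'unknown scan target: %s\n' "$target_type" >&2; return 1 ;;
    esac
    printf 'oscap-docker %s %s' "$target_type" "$target_id"
    for arg in "$@"; do
        printf ' %s' "$arg"
    done
    printf '\n'
}

# Turn `docker images` output on stdin into REPOSITORY:TAG references,
# dropping the header row and dangling <none> images that cannot be named.
list_image_refs() {
    awk 'NR > 1 && $1 != "<none>" && $2 != "<none>" { print $1 ":" $2 }'
}

# Read image references on stdin and emit one image-cve scan per image,
# writing OVAL results and an HTML report into the given output directory.
# Usage: list_image_refs < images.txt | scan_all_images [outdir]
scan_all_images() {
    outdir=${1:-./oscap-results}
    while IFS= read -r ref; do
        # Derive a filesystem-safe file stem from the image reference.
        safe=$(printf '%s' "$ref" | tr '/:' '__')
        build_scan_cmd image-cve "$ref" \
            --results "$outdir/$safe.xml" \
            --report "$outdir/$safe.html"
    done
}

# Demo run against the constructed sample; prints the commands it would run.
# On a real host: docker images | list_image_refs | scan_all_images | sh
printf '%s\n' "$SAMPLE_IMAGES" | list_image_refs | scan_all_images /var/tmp/oscap
```

The script only prints the generated commands; piping its output into `sh` on a host with oscap-docker installed executes them. Keeping the dangling `<none>` images out of the loop matters because oscap-docker needs a name or ID it can attach, and writing per-image result files gives an audit trail that can be compared across scans as new CVE streams are published.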