7.5. Using OpenSCAP with Docker

The oscap-docker command-line utility enables users to use the oscap program to scan their docker-formatted container images and containers.
The following section:
  • explains the installation of oscap-docker
  • offers basic examples of usage
To learn more about sub-commands, use the --help option with the oscap-docker or oscap commands.


Because a container file system is influenced by mount points, results of scanning an image might differ from results of scanning a container created from it. For example, a mount point that provides only data for processes inside the container in a custom path does not affect results of a scan. However, a mount point in a container done to paths, such as /bin, /etc, or /var, providing new binaries or configuration files can cause differences in results of scanning.
To enable the scanning of images and containers, install the docker package. See the Getting Docker in Red Hat Enterprise Linux 7 chapter of the Getting Started with Containers guide for instructions on installing Docker.
Enter the following command to install oscap-docker:
# yum install openscap-utils
The following examples use the Red Hat Enterprise Linux 7 image.
# docker pull registry.access.redhat.com/rhel7
# docker images
REPOSITORY                               TAG                 IMAGE ID
registry.access.redhat.com/rhel7         latest              c453594215e4

7.5.1. Scanning Docker-formatted Images and Containers for Vulnerabilities

The oscap-docker command provides two ways to scan images and containers for vulnerabilities:
  • The image-cve or container-cve sub-commands determine the version of the operating system, download the CVE stream applicable to the given system, and run a vulnerability scan:
    # oscap-docker image-cve registry.access.redhat.com/rhel7
  • Another, more flexible way, enables you to specify OVAL definitions when checking for vulnerabilities. Use the image or container sub-command together with oscap arguments for an OVAL evaluation. For example, to scan an image using a definitions file downloaded from Red Hat OVAL repository, use the following command:
    # oscap-docker image registry.access.redhat.com/rhel7 oval eval com.redhat.rhsa-all.xml

7.5.2. Scanning Configuration Compliance of Docker-formatted Images and Containers

To scan for configuration compliance, use the SCAP content provided by the SCAP Security Guide (SSG). Ensure the scap-security-guide package is installed:
# yum install scap-security-guide
To verify compliance of Red Hat Enterprise Linux 7 image with the Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) policy, enter the following command:
# oscap-docker image registry.access.redhat.com/rhel7 xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The following command scans the running environment of the container with ID 5ef05eef4a01:
# oscap-docker container 5ef05eef4a01 xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
To get an XML file with results, use the --results argument and for generating an HTML report of an evaluation, add the --report argument. See the oscap(8) man page for more information.