Skip to content
This repository was archived by the owner on Mar 24, 2024. It is now read-only.
This repository was archived by the owner on Mar 24, 2024. It is now read-only.

update scap.go and parse_arf_result.go to simplify modification on ComplianceAsCode rules #2

Description

@tmishina

Purpose: to simplify ComplianceAsCode rules (avoid introducing new value for yamlfile_value template)

Idea: updating scap.go and parse_arf_result.go again to leverage following features.

  1. API resource collector distinguishes ResourcePath and DumpPath
  2. scap.go knows both default value and custom value of variable

Let’s talk with an example case:

  • default: /api/v1/namespaces/openshift-apiserver/configmaps/config
  • templating: /api/v1/namespaces/{{.openshift_apiserver_ns}}/configmaps/{{.openshift_apiserver_config}}

In this case, values should be as follows.

name default custom
openshift_apiserver_ns openshift-apiserver my-ns
openshift_apiserver_config config my-config

When parse_arf_result.go process warnings element, it should be invoked from scap.go with both default and custom value list, and it should do:

  1. render template for DumpPath with default values: /api/v1/namespaces/openshift-apiserver/configmaps/config
  2. render template for ResourcePath with custom values: /api/v1/namespaces/my-ns/configmaps/my-config
  3. get resource from ResourcePath and save it as DumpPath
  4. oscap can perform scan for DumpPath as if it comes from default path
  5. The scan output (ARF report) contains the warnings element, and therefore user can understand that the check target resource path was /api/v1/namespaces/my-ns/configmaps/my-config.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions