---
# One selectable entry for the "specs" control of the policy creation wizard.
name: ImageManifestVulnPolicy
description: Detect image vulnerabilities
multiselect: specs

# Template variable names and the values substituted when the user selects
# this choice. Each value is a literal block scalar (|), so it is handed to the
# template as text and keeps its trailing newline.
replacements:
  standards: |
    NIST-CSF
  categories: |
    DE.CM Security Continuous Monitoring
  controls: |
    DE.CM-8 Vulnerability Scans
  # Default namespace scope: every namespace except the kube-* system ones.
  namespaceSelector: |
    namespaces:
      exclude: ["kube-*"]
      include: ["*"]
  # Two ConfigurationPolicy templates, kept as text because the {{name}}
  # placeholder is presumably substituted before the result is parsed as YAML.
  #   1. musthave: a Subscription for container-security-operator in
  #      openshift-operators, so the scanner that produces ImageManifestVuln
  #      objects is installed. installPlanApproval is Automatic, i.e. operator
  #      upgrades are applied without manual approval; switch to Manual if
  #      change control requires review of operator updates.
  #   2. mustnothave: any ImageManifestVuln object in the selected namespaces
  #      makes the policy non-compliant, i.e. a known-vulnerable image is
  #      running there.
  # Both templates use remediationAction inform (report only); the parent
  # policy's remediationAction overrides it.
  policyTemplates: |
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: {{name}}-subscription
        spec:
          remediationAction: inform # will be overridden by remediationAction in parent policy
          severity: high
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: operators.coreos.com/v1alpha1
                kind: Subscription
                metadata:
                  name: container-security-operator
                  namespace: openshift-operators
                spec:
                  installPlanApproval: Automatic
                  name: container-security-operator
                  source: redhat-operators
                  sourceNamespace: openshift-marketplace
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: {{name}}-image-vulnerability
        spec:
          remediationAction: inform # will be overridden by remediationAction in parent policy
          severity: high
          namespaceSelector:
            exclude: ["kube-*"]
            include: ["*"]
          object-templates:
            - complianceType: mustnothave # mustnothave any ImageManifestVuln object
              objectDefinition:
                apiVersion: secscan.quay.redhat.com/v1alpha1
                kind: ImageManifestVuln # checking for a kind