When running SmartState analysis on CloudForms 4.2 (CFME 5.7), it is hard-coded to pull an OpenSCAP profile from the Internet (I think? It's actually a black box) that only checks RHEL 7 RPMs for CVEs. It's not possible to point it at the recently announced RHEL 7 STIG from DISA, for instance, which checks various configuration files (such as PermitRootLogin=no) in addition to other checks.
I have 3 customers this week that have asked for this capability. DoD, for instance, has its own security baseline that it needs to add on top of the RHEL 7 STIG. They would like to implement their own OpenSCAP XML file and be able to pass that to CloudForms. Another customer, a large civilian agency, wants to create its own as well, and it also wants to use Blackduck's OpenSCAP XML implementation.
I'm not sure if CF uses the Atomic CLI behind the scenes for this capability, but the atomic CLI already has the capability to do custom scanning.
This is a common ask from my customers too.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1379185. Solving #1379185 will allow a custom profile to be provided to image-inspector.
This requires the per-provider instance advanced settings.