The "OpenSCAP container image" (rhel7/openscap) has been updated to support the "configuration compliance" scan type. The configuration compliance scan type uses the SCAP content provided by the SCAP Security Guide (SSG), which is bundled inside the OpenSCAP container image. This new scan type can be used by the "atomic scan" command (which uses the OpenSCAP container image for scanning) and allows you to:
- scan Red Hat Enterprise Linux based container images and containers against any profile provided by the SCAP Security Guide,
- remediate Red Hat Enterprise Linux based container images to be compliant with any profile provided by the SCAP Security Guide,
- generate an HTML report from the scan and remediation.
The result of remediation is a container image with altered configuration, which is added as a new layer on top of the original container image. It is important to note that the original container image is kept unchanged: a new layer containing all the configuration amendments is created on top of it, forming a new container image. This means that the remediated container image is no longer signed by Red Hat, but this is expected, because the remediated layer makes it differ from the original.
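
Because the remediated image no longer carries the Red Hat signature, the layering described above can be checked from image metadata instead. The following is an added example, not part of the original announcement or of the OpenSCAP tooling: it assumes both images' metadata is available as `docker inspect` JSON, and the image names and layer digests are constructed placeholders.

```python
import json

# Constructed sample data in the shape of `docker inspect <image>` output.
# Image names and digests are placeholders, not real images or layers.
BASE_LAYERS = ["sha256:" + "a" * 64, "sha256:" + "b" * 64]
FIX_LAYER = "sha256:" + "c" * 64

ORIGINAL_JSON = json.dumps([{
    "RepoTags": ["registry.example/rhel7:latest"],
    "RootFS": {"Type": "layers", "Layers": BASE_LAYERS},
}])
REMEDIATED_JSON = json.dumps([{
    "RepoTags": ["registry.example/rhel7-remediated:latest"],
    "RootFS": {"Type": "layers", "Layers": BASE_LAYERS + [FIX_LAYER]},
}])
# A rebuilt image whose first layer differs from the original's.
TAMPERED_JSON = json.dumps([{
    "RepoTags": ["registry.example/rhel7-remediated:latest"],
    "RootFS": {"Type": "layers",
               "Layers": ["sha256:" + "d" * 64, BASE_LAYERS[1], FIX_LAYER]},
}])


def layer_chain(inspect_json):
    """Return the ordered layer digests from `docker inspect` JSON text."""
    records = json.loads(inspect_json)
    if len(records) != 1:
        raise ValueError("expected inspect output for exactly one image")
    return records[0]["RootFS"]["Layers"]


def remediation_layers(original_json, remediated_json):
    """Return the layers the remediated image adds on top of the original.

    Raises ValueError when the remediated image does not begin with the
    original image's exact layer chain, i.e. the base was not kept unchanged.
    """
    base = layer_chain(original_json)
    new = layer_chain(remediated_json)
    if new[:len(base)] != base:
        raise ValueError("original layers were modified or replaced")
    return new[len(base):]


if __name__ == "__main__":
    added = remediation_layers(ORIGINAL_JSON, REMEDIATED_JSON)
    print("layers added by remediation:", added)
```

An empty result means the two images have identical layers, so no remediation layer was added.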