
Can I Perform SCAP Scans on Container Images? Yes You Can!

3 min read · May 5, 2025

With software images and containerized applications on the rise, the question of scanning and compliance comes into view. These images are part operating system and part application. We have vulnerability scanning. We have software bill of materials (SBOM) generation. SWFT is working to use these two artifacts to reach a preliminary ATO for software faster.

All that is good stuff.

What about compliance checks in images? Can we scan images the way we scan workstations and servers, and get compliance results that generate checklists with a status and severity for each check?

Come to find out, yes you can. Enter RapidFort.

SCAP Scans run on container images, made into DISA compliant checklists in OpenRMF Professional

Scanning Images for Compliance

With RapidFort’s solution, you can scan your images against several compliance frameworks and checks. The DISA benchmark results in particular translate well into the DISA checklists from https://public.cyber.mil/, which you can use to track vulnerabilities and compliance standards and to show the status, comments and details for each compliance check, just as you do today with SCC, Evaluate-STIG or OpenSCAP scans.

You can see the status, the findings, STIG ID, Vulnerability ID, and severity in their interface. You also can see the total results or score for the entire scan, and automatically show which are not applicable based on the use of the image in a containerized software stack.

For images that are Red Hat Enterprise Linux (RHEL) or Ubuntu, or whose base image is RHEL or Ubuntu (Elasticsearch, for example), you can run the SCAP compliance scan against them with the DISA benchmark and get results that already look familiar to you. DISA has plenty of benchmarks to choose from for these, and they are always adding more.

FYI — this is just one part of RapidFort’s power. See their website for more information on hardening images, curated images, reducing your SBOM and CVEs and more to create a more secure software stack.

OpenRMF Professional to Track Image Compliance

When you use the RapidFort technology referenced above to run SCAP scans on images (using just DISA benchmarks, for now), you can upload those results into the latest OpenRMF Professional v2.12 (coming May 2025) and generate the appropriate checklist for your image.

Yes, you read that correctly! Upload your .json SCAP scan results to generate a proper DISA STIG checklist.

That gives you 1) a vulnerability scan of the image, 2) the SBOM of the image, and now 3) a compliance scan of the image, put into a checklist wherever an applicable benchmark exists.
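To make the checklist-generation step concrete, here is an added example that is not RapidFort’s or OpenRMF Professional’s code: it takes a constructed JSON scan result for an image, maps each rule result to a DISA STIG Viewer checklist status, emits a minimal .ckl XML document, and tallies the status counts that a checklist tool would show as the score. The JSON layout, the image name, the benchmark name and every V-/SV-/STIG identifier are placeholders invented for this example; the CKL element names (VULN, STIG_DATA, STATUS, FINDING_DETAILS, COMMENTS) and the XCCDF-result-to-status mapping (pass, fail, notapplicable, notchecked) are the standard ones.

```python
"""Convert constructed SCAP-style JSON results for a container image into a
DISA STIG checklist (.ckl) XML document and tally the status counts.

Added example, not code from RapidFort or OpenRMF Professional. The input JSON
layout below is an assumption made for this example; a vendor's real export
format will differ. CKL element names follow the DISA STIG Viewer format.
"""
import json
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: what an image compliance scan might export (all values are placeholders).
SAMPLE_SCAN_JSON = json.dumps({
    "image": "registry.example.test/app:1.0",
    "benchmark": "Example RHEL 9 STIG (placeholder)",
    "results": [
        {"vuln_id": "V-000001", "stig_id": "EX-09-000001", "rule_id": "SV-000001r1_rule",
         "title": "Example rule that passed", "severity": "high", "result": "pass",
         "details": "Constructed finding detail"},
        {"vuln_id": "V-000002", "stig_id": "EX-09-000002", "rule_id": "SV-000002r1_rule",
         "title": "Example rule that failed", "severity": "medium", "result": "fail",
         "details": "Constructed finding detail"},
        {"vuln_id": "V-000003", "stig_id": "EX-09-000003", "rule_id": "SV-000003r1_rule",
         "title": "Interactive login rule (no login shell in image)", "severity": "low",
         "result": "notapplicable", "details": "Not relevant inside a container"},
        {"vuln_id": "V-000004", "stig_id": "EX-09-000004", "rule_id": "SV-000004r1_rule",
         "title": "Example rule not checked", "severity": "medium", "result": "notchecked",
         "details": ""},
    ],
})

# XCCDF result value -> CKL STATUS value as used by STIG Viewer.
RESULT_TO_STATUS = {
    "pass": "NotAFinding",
    "fail": "Open",
    "notapplicable": "Not_Applicable",
    "notchecked": "Not_Reviewed",
    "error": "Not_Reviewed",
    "unknown": "Not_Reviewed",
}

def to_status(result: str) -> str:
    """Map a scan result to a CKL status; anything unrecognised stays Not_Reviewed."""
    return RESULT_TO_STATUS.get(result.lower(), "Not_Reviewed")

def build_ckl(scan_json: str) -> str:
    """Build a minimal CKL document: one ASSET, one iSTIG, one VULN per rule result."""
    scan = json.loads(scan_json)
    root = ET.Element("CHECKLIST")
    asset = ET.SubElement(root, "ASSET")
    ET.SubElement(asset, "ROLE").text = "None"
    ET.SubElement(asset, "ASSET_TYPE").text = "Computing"
    ET.SubElement(asset, "HOST_NAME").text = scan["image"]   # image reference stands in for a hostname
    stigs = ET.SubElement(root, "STIGS")
    istig = ET.SubElement(stigs, "iSTIG")
    info = ET.SubElement(istig, "STIG_INFO")
    si = ET.SubElement(info, "SI_DATA")
    ET.SubElement(si, "SID_NAME").text = "title"
    ET.SubElement(si, "SID_DATA").text = scan["benchmark"]
    for r in scan["results"]:
        vuln = ET.SubElement(istig, "VULN")
        # Each checklist attribute is a VULN_ATTRIBUTE / ATTRIBUTE_DATA pair.
        for attr, value in (("Vuln_Num", r["vuln_id"]), ("Severity", r["severity"]),
                            ("Rule_ID", r["rule_id"]), ("Rule_Ver", r["stig_id"]),
                            ("Rule_Title", r["title"])):
            sd = ET.SubElement(vuln, "STIG_DATA")
            ET.SubElement(sd, "VULN_ATTRIBUTE").text = attr
            ET.SubElement(sd, "ATTRIBUTE_DATA").text = value
        ET.SubElement(vuln, "STATUS").text = to_status(r["result"])
        ET.SubElement(vuln, "FINDING_DETAILS").text = r.get("details", "")
        ET.SubElement(vuln, "COMMENTS").text = ""
    return ET.tostring(root, encoding="unicode")

def status_summary(ckl_xml: str) -> dict:
    """Count VULN entries per STATUS, the score view a checklist tool shows."""
    root = ET.fromstring(ckl_xml)
    return dict(Counter(v.findtext("STATUS") for v in root.iter("VULN")))

def open_findings(ckl_xml: str, min_severity: str = "low") -> list:
    """Return (Vuln_Num, Severity) for Open items at or above min_severity."""
    rank = {"low": 0, "medium": 1, "high": 2}
    root = ET.fromstring(ckl_xml)
    out = []
    for v in root.iter("VULN"):
        if v.findtext("STATUS") != "Open":
            continue
        attrs = {sd.findtext("VULN_ATTRIBUTE"): sd.findtext("ATTRIBUTE_DATA")
                 for sd in v.findall("STIG_DATA")}
        if rank.get(attrs["Severity"], 0) >= rank[min_severity]:
            out.append((attrs["Vuln_Num"], attrs["Severity"]))
    return out

if __name__ == "__main__":
    ckl = build_ckl(SAMPLE_SCAN_JSON)
    print(status_summary(ckl))
    print(open_findings(ckl, "medium"))
```

The point worth noticing is the status mapping: a result the scanner could not evaluate (notchecked, error) lands in Not_Reviewed rather than NotAFinding, so an incomplete scan cannot quietly inflate the compliance score, and container-specific rules the vendor marks notapplicable are carried through as Not_Applicable instead of being dropped from the checklist.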

Use all of those to shrink your vulnerabilities, track compliance through automation, and produce a more secure set of software images for you and your customers. It is a win-win-win!

Generating DISA based checklists from SCAP scans of images in RapidFort

See OpenRMF Professional for Yourself

Want to learn more on how we are solving this cyber compliance workload problem through automation? Check out our demo site.

Get a live interactive demo with our technical team.

Or download and evaluate for yourself with our software, documentation, and online video training site.

See for yourself how we can help your team automate cyber compliance!


Written by Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft
