{"id":20148235,"url":"https://github.com/chainguard-dev/stigs","last_synced_at":"2025-03-03T00:25:47.147Z","repository":{"id":247635269,"uuid":"822755342","full_name":"chainguard-dev/stigs","owner":"chainguard-dev","description":null,"archived":false,"fork":false,"pushed_at":"2025-02-09T01:31:36.000Z","size":406,"stargazers_count":10,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-09T02:28:25.815Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chainguard-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-07-01T18:52:08.000Z","updated_at":"2025-02-09T01:30:38.000Z","dependencies_parsed_at":"2024-11-15T05:01:58.926Z","dependency_job_id":null,"html_url":"https://github.com/chainguard-dev/stigs","commit_stats":null,"previous_names":["chainguard-dev/stigs"],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fstigs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fstigs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fstigs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fstigs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chainguard-dev","download_url":"https://codeload.github.com/chainguard-dev/stigs/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241587798,"owners_count":19986628,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-13T22:35:54.683Z","updated_at":"2025-03-03T00:25:47.122Z","avatar_url":"https://github.com/chainguard-dev.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"# stigs\n\n## Overview\n\nChainguard has developed a STIG profile for images built with Wolfi, namely,\nall Chainguard Images.  The profile is based on the General Purpose Operating\nSystem (GPOS) STIG which defines hardening checks across a range of\ncapabilities including cryptography, remote access, and internal configuration.\nThe Chainguard GPOS STIG profile is compatible with common STIG checking tools\nincluding OpenSCAP and SCAP Viewer - instructions for using those tools are\nincluded below.\n\nWhen the STIG profile is run against a Chainguard Image, the scanning tool will\ncheck several aspects of the image's configuration based on which GPOS checks\napply to a container image.  An explanation of each check is included, and those\nchecks marked as Not Applicable include a rationale section explaining why the\nchecks do not apply.  For more information on STIG scanning containers see\n[DISA's Container Hardening\nWhitepaper](https://dl.dod.cyber.mil/wp-content/uploads/devsecops/pdf/Final_DevSecOps_Enterprise_Container_Hardening_Guide_1.2.pdf)\n\n## Getting Started\n\nThe simplest way to get started is to use Chainguard's pre-packaged Chainguard\nImage for\n[`openscap`](https://images.chainguard.dev/directory/image/openscap/overview),\nwhich includes the `openscap` tool itself, the `oscap-docker` libraries, and\nthe Chainguard GPOS STIG profile. This image is built with the same\ncapabilities and low-to-zero CVEs as every other Chainguard image, and makes\nthe otherwise difficult-to-set-up `openscap` tool portable.\n\nThe instructions below assume that `docker` is installed and running on your\nsystem, and are intended to be performed on a non-production system, similar to\nthe process outlined in DISA's Container Hardening Whitepaper.\n\nFor ease of use, we'll use the datastream file sourced from this repository\nand available within Chainguard's openscap image; we'll refer to this as the\n`scan` image, and the `target` image we'll be scanning will be\n`cgr.dev/chainguard/wolfi-base:latest`.\n\n```bash\n# Start the target image (required by openscap-docker)\ndocker run --name target -d cgr.dev/chainguard/wolfi-base:latest tail -f /dev/null\n\n# Run the scan image against the target image\n# NOTE: This is a highly privileged container since we're scanning a container being run by the host's docker daemon.\ndocker run -i --rm -u 0:0 --pid=host \\\n  -v /var/run/docker.sock:/var/run/docker.sock \\\n  -v $(pwd)/out:/out \\\n  --entrypoint sh \\\n  cgr.dev/chainguard/openscap:latest-dev \u003c\u003c_END_DOCKER_RUN\noscap-docker container target xccdf eval \\\n  --profile \"xccdf_basic_profile_.check\" \\\n  --report /out/report.html \\\n  --results /out/results.xml \\\n  /usr/share/xml/scap/ssg/content/ssg-chainguard-gpos-ds.xml\n_END_DOCKER_RUN\n```\n\nThe results of the scan will be written to the `out` directory in the current\ndirectory.  The `report.html` file will contain a human-readable report of the\nscan results, and the `results.xml` file will contain the raw results of the\nscan.\n\n### Alternative Uses\n\nThe SSG content in this repository can be used by any other tool that supports\nthe format, such as SCAP Workbench. For an alternative walkthrough of using\nSCAP Workbench, see [alternative uses](./docs/alternatives.md).\n\n## Updates\n\nThe Chainguard STIG profile is re-evaluated and evolves alongside Wolfi OS and\nChainguard images. New releases of the profile are marked by a new version\nnumber. The `cgr.dev/chainguard/openscap:latest` image always contains the\nlatest version of the Chainguard GPOS profile.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainguard-dev%2Fstigs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchainguard-dev%2Fstigs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainguard-dev%2Fstigs/lists"}