Pipeline issue - OpenSCAP script failing because it cannot detect image
Summary
The pipeline is failing to run the OpenSCAP scan and gives the following error: Unknown image type. Can't choose security guide.
I suspect this may be because this container uses the approved distroless base image and OpenSCAP is not set up with a security guide for this image base.
Link to failed pipeline
https://repo1.dsop.io/dsop/cloudfit/cloudfit/cloudfit-cfs-sharepoint/-/pipelines/91900
NOTE: I have about 15 other pipelines in the https://repo1.dsop.io/dsop/cloudfit/cloudfit area that have the same problem.
What is the current bug behavior?
OpenSCAP scan cannot detect distroless base image type and fails.
What is the expected correct behavior?
OpenSCAP (or other tool) detects distroless base image and correctly runs an OpenSCAP scan (or bypasses the scan if the scan is not possible).
Possible fixes
A SCAP security guide is set up for the distroless base image, resulting in an OpenSCAP scan of the container. If a security guide cannot be used, then the OpenSCAP scan should be bypassed for the distroless base image.
Definition of Done
- Pipeline failure has been resolved
/cc @ironbank-notifications/pipelines