UNCLASSIFIED - NO CUI

Research Spike: Automate DISA SCAP version update merge requests

Current Behavior

Research potential solutions to the following feature:

Merge requests that update the SCAP content used by the openscap compliance job are automatically created for SCAP content sourced from Compliance As Code (e.g. RHEL). This does not happen for SCAP content sourced from DISA (e.g. Ubuntu). Merge request creation should also be automated for DISA content.

Purpose

Reduces the likelihood of using obsolete DISA SCAP content.

Plan

For Compliance As Code sourced SCAP content, the content path and version information are stored in stages/scanning/rhel-oscap-version.json. Because stages/scanning/renovate.json exists, Renovate automatically creates merge requests that update the json file to the latest compliance-as-code version.

The path information for DISA sourced SCAP content is currently hard-coded in stages/scanning/openscap/oscap-compliance-run.sh.

  • Document potential designs to
    • Identify the latest DISA SCAP content
    • Create a merge request to update the content used in the Ironbank Pipeline
    • Minimize additional complexity to maintain MR creation for SCAP content
  • Identify related improvements, to include:
    • Rename stages/scanning/rhel-oscap-version.json to identify the correct data-source (e.g. Compliance as Code, not Openscap CLI)

Acceptance Criteria

  • Research described in Plan documented in this issue