Merge pull request #4 from chainguard-dev/scap-workbench

add scap workbench docs
chainguard-dev · Jul 11, 2024 · d267981 · d267981
2 parents f558960 + af3bf9f
commit d267981
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -42,8 +42,7 @@ and available within Chainguard's openscap image, we'll refer to this as the
 docker run --name target -d cgr.dev/chainguard/wolfi-base:latest tail -f /dev/null
 
 # Run the scan image against the target image
-# NOTE: This is a highly privileged container since we're scanning a container
-being run by the host's docker daemon.
+# NOTE: This is a highly privileged container since we're scanning a container being run by the host's docker daemon.
 docker run -i --rm -u 0:0 --pid=host \
   -v /var/run/docker.sock:/var/run/docker.sock \
   -v $(pwd)/out:/out \
@@ -62,6 +61,12 @@ directory.  The `report.html` file will contain a human-readable report of the
 scan results, and the `results.xml` file will contain the raw results of the
 scan.
 
+### Alternative Uses
+
+The SSG content in this repository can be used by any other tool that supports
+the format, such as SCAP Workbench. For an alternative walkthrough of using
+SCAP workbench, see [alternative uses](./docs/alternatives.md).
+
 ## Updates
 
 The Chainguard STIG profile is re-evaluated and evolves alongside Wolfi OS and

diff --git a/docs/alternatives.md b/docs/alternatives.md
@@ -0,0 +1,30 @@
+# Alternative Uses
+
+The SSG content in this repository can be used by any other tool that supports
+the format. The sections below provide examples of using other tools.
+
+## XCCDF Files
+
+As an alternative to the datastream file, the XCCDF format is also supported. While they represent identical checks, the format may be preferable by certain tooling.
+
+The XCCDF files are suffixed with `-xccdf` in the folder. For example, the GPOS profile is located at:
+
+```
+./gpos/xml/scap/ssg/content/ssg-chainguard-xccdf/ssg-chainguard-xccdf/
+```
+
+## SCAP Workbench
+
+The following will walk through using SCAP Workbench alongside with GPOS Datastream file.
+
+1. Clone the `chainguard-dev/stigs` repository
+
+2. Navigate to the directory with the XCCDF files, by default this is:
+
+```
+./gpos/xml/scap/ssg/content/ssg-chainguard-xccdf/OvalChecks/
+```
+
+3. From that directory, load the content into SCAP Workbench by selecting `Other SCAP Content > Load Content`.
+
+4. The GPOS content has a single profile, which when loaded into SCAP Workbench can be customized and saved as a Tailoring file.