Overview
This module integrates vulnerability scanning into Puppet® and the Puppet® workflow. The vulnerability scanning engine is built on grype. Once installed, the module scans your system for vulnerabilities and reports every vulnerability it finds as a Puppet® fact.
The facts are uploaded to PuppetDB, where you can use them to see how your entire fleet of systems is doing vulnerability-wise.
Guarding the vulnerabilities on your systems
So now you have all the information about the vulnerabilities found on your system. But how are you going to use it?
Failing when a vulnerability is found
The ::vulnerability::guard class allows you to specify the number of specific vulnerabilities you allow on your system. When more vulnerabilities are found, Puppet® will throw an error. You will need to monitor the status of the Puppet® runs on your puppetserver and take appropriate action when Puppet® fails because of a detected vulnerability.
Executing Puppet® code when a vulnerability is found
The module contains functions you can use in your Puppet® code to determine whether a certain CVE has been detected and, when it has, execute remediation Puppet® code for it.
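The two approaches above (failing the run via the guard class, and running remediation code only when a particular CVE is detected) look roughly like this in a profile manifest. This is an added example, not code from the module's own documentation: only the class name vulnerability::guard comes from the description above; the parameter name max_vulnerabilities, the function name vulnerability::detected, the CVE identifier and the package name are assumed placeholders, so check the module's reference for the real names before using them.

```puppet
# Added example, not code from the module. Class name vulnerability::guard
# is from the description; the parameter and function names below are
# ASSUMED placeholders, not the module's documented API.
class profile::vulnerability_policy {

  # Fail the Puppet run as soon as any vulnerability is reported as a fact.
  # `max_vulnerabilities` is an assumed parameter name.
  class { 'vulnerability::guard':
    max_vulnerabilities => 0,
  }

  # Apply remediation only for a specific advisory.
  # 'CVE-YYYY-NNNN' is a placeholder identifier; `vulnerability::detected`
  # is an assumed function name; the package name is a placeholder.
  if vulnerability::detected('CVE-YYYY-NNNN') {
    package { 'affected-package-placeholder':
      ensure => latest,
    }

    # Leave a trace in the agent report so the remediation is visible
    # when you review Puppet® run status on the puppetserver.
    notify { 'vulnerability-remediation':
      message => 'Remediation applied for CVE-YYYY-NNNN (placeholder)',
    }
  }
}
```

Because the guard class makes the agent run fail, the remediation branch should be evaluated in a class that is applied regardless of guard failure, or the guard threshold should be set so that known, in-progress remediations do not abort the run before they can be applied.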
Using the command line
The Vulnerability module contains a command-line utility. Using the utility, you can select the list of detected vulnerabilities and, for example, report information to monitoring utilities.
