Overview
This module integrates vulnerability scanning into Puppet and the Puppet workflow. The vulnerability scanning engine is built upon grype. Once installed, the module scans your system for vulnerabilities and reports every vulnerability it finds as a Puppet fact.
The facts are uploaded to PuppetDB, where you can query them to see how your entire fleet of systems is doing vulnerability-wise.
Guarding the vulnerabilities on your systems
So now you have all the information about the vulnerabilities found on your systems. But how are you going to use it? The module offers three ways.
Failing when a vulnerability is found
The ::vulnerability::guard class allows you to specify the number of specific vulnerabilities you allow on your system. When more vulnerabilities are found, Puppet will throw an error. You will need to monitor the status of the Puppet runs on your puppetserver and take appropriate action when Puppet fails because of a detected vulnerability.
Executing Puppet code when a vulnerability is found
The module contains functions you can use in your Puppet code to determine whether a certain CVE has been detected and, when it has, to execute remediation Puppet code for it.
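The three ideas above (facts in PuppetDB giving a fleet-wide view, a guard that fails a node when more vulnerabilities are present than allowed, and a lookup that tells you whether a given CVE was detected) can be prototyped outside Puppet with a short script. The example below is added here and is not code from the vulnerability module. It assumes a fact named `vulnerabilities` whose value is shaped like grype's JSON output (a `matches` list with `vulnerability.id`, `vulnerability.severity` and `artifact.name`/`artifact.version`); both the fact name and the layout are assumptions, so adjust them to what the module actually publishes. The PuppetDB query path and PQL syntax are the real v4 API; the fact rows and CVE identifiers are constructed sample data.

```python
"""Fleet-wide vulnerability check over PuppetDB facts.

Added example; not part of the vulnerability module. Assumptions are marked.
"""
import json
from collections import Counter
from urllib.parse import urlencode

# ASSUMPTION: the fact name the module publishes; replace with the real one.
FACT_NAME = "vulnerabilities"

# Severity order used for "at or above" threshold comparisons (grype's labels).
SEVERITIES = ["Negligible", "Low", "Medium", "High", "Critical"]


def pql_query(fact_name=FACT_NAME):
    """PQL that fetches the vulnerability fact for every node in PuppetDB.

    Send it as GET /pdb/query/v4?query=<pql> (real PuppetDB v4 API; only the
    fact name is an assumption).
    """
    pql = 'facts[certname, value] { name = "%s" }' % fact_name
    return "/pdb/query/v4?" + urlencode({"query": pql})


def summarise(rows):
    """Per-node severity counts from PuppetDB fact rows.

    rows: list of {"certname": ..., "value": {"matches": [...]}} as PuppetDB
    returns them. The value layout is modelled on grype's JSON output; the
    module's real fact layout may differ (assumption).
    """
    summary = {}
    for row in rows:
        counts = Counter()
        for match in row["value"].get("matches", []):
            counts[match["vulnerability"]["severity"]] += 1
        summary[row["certname"]] = dict(counts)
    return summary


def guard(matches, allowed):
    """Mirror of the ::vulnerability::guard idea: report when a node has more
    vulnerabilities at or above a severity than allowed.

    allowed: {"Critical": 0, "High": 1} means no Critical and at most one
    High-or-worse. Returns a list of violation strings (empty list = pass).
    """
    violations = []
    for severity, limit in allowed.items():
        floor = SEVERITIES.index(severity)
        found = [m["vulnerability"]["id"] for m in matches
                 if SEVERITIES.index(m["vulnerability"]["severity"]) >= floor]
        if len(found) > limit:
            violations.append(
                f"{len(found)} vulnerabilities of severity {severity} or higher "
                f"(allowed {limit}): {', '.join(sorted(found))}")
    return violations


def cve_detected(matches, cve_id):
    """Counterpart of the module's 'is this CVE detected' functions:
    return the affected artifacts as (name, version) pairs, or an empty list."""
    return [(m["artifact"]["name"], m["artifact"]["version"])
            for m in matches if m["vulnerability"]["id"] == cve_id]


def fleet_report(rows, allowed):
    """Run the guard on every node; returns {certname: [violations]}."""
    return {row["certname"]: guard(row["value"].get("matches", []), allowed)
            for row in rows}


# Constructed sample rows standing in for a PuppetDB response. The CVE ids
# are placeholders, not real vulnerabilities.
SAMPLE_ROWS = json.loads('''[
  {"certname": "web01.example.test", "value": {"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"},
     "artifact": {"name": "openssl", "version": "1.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"},
     "artifact": {"name": "curl", "version": "7.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low"},
     "artifact": {"name": "bash", "version": "5.0"}}]}},
  {"certname": "db01.example.test", "value": {"matches": [
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"},
     "artifact": {"name": "curl", "version": "7.0.0"}}]}}
]''')


if __name__ == "__main__":
    print(pql_query())
    print(summarise(SAMPLE_ROWS))
    for node, problems in fleet_report(SAMPLE_ROWS, {"Critical": 0, "High": 1}).items():
        print(node, "FAIL" if problems else "ok", problems)
```

With the sample data, `web01` fails both the Critical and the High threshold while `db01` passes; `cve_detected` returns the affected package so that a remediation step knows what to upgrade, which is the same information a Puppet manifest would branch on.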
Using the command line
The Vulnerability module contains a command-line utility. Using the utility, you can list the detected vulnerabilities and, for example, report that information to your monitoring tools.