Overview

Ensure that your vulnerability scanning is set up correctly. The key settings are:

  • directories
  • excludes
  • ttl_hours

Attributes

Attribute Name   Short Description
cache_dir        The grype cache directory.
config_dir       The grype config directory.
directories      An array of strings naming the directories you want to scan for vulnerabilities.
excludes         An array of relative paths of directories and/or files you want to skip during vulnerability scanning.
level            The severity level of the vulnerabilities you want to report on the system.
ttl_hours        The number of hours to wait between vulnerability scans.
update_url       The URL used for fetching the database updates.

cache_dir

The grype cache directory. The default value is fine most of the time.

This is an internal variable. Please be cautious when changing this.

Type: Stdlib::Absolutepath

Back to overview of setup

config_dir

The grype config directory. The default value is fine most of the time.

This is an internal variable. Please be cautious when changing this.

Type: Stdlib::Absolutepath


update_url

The URL used for fetching the vulnerability database updates.

Type: String[1]


ttl_hours

This specifies the number of hours to wait between vulnerability scans.

The vulnerability module uses facter to report the CVEs found on a system. Scanning a system, however, is a resource-intensive and time-consuming activity, so we don't want Puppet to do this on every Puppet run.

This parameter specifies the number of hours between new scans. It is the amount of time the fact cve_list is deemed valid.

The default value is 24, meaning a new scan is done once a day.

When you change this setting or update the vulnerability database, the fact is automatically invalidated, so a new scan is done on the next Puppet run.

Type: Integer


directories

This parameter contains an array of strings naming the directories you want to scan for vulnerabilities. The default value is ['/']. This is safe but also slow: you can speed up vulnerability detection by being more specific about the directories you want to scan.

Type: Array[Stdlib::Absolutepath]


excludes

An array of relative paths of directories and/or files you want to skip during vulnerability scanning. The default value for this setting is an empty array, meaning no files or directories are excluded from the scan.

Type: Array[String[1]]


level

The severity level of the vulnerabilities you want to report on the system.

Valid values, in order of severity, are:

  • Critical
  • High
  • Medium
  • Low
  • Negligible
  • Unknown

When you select a value, vulnerabilities of that level and higher are reported on the system.

When you select one of the lower levels, potentially a lot of CVEs are reported in the CVE list. This might cause strain on your PuppetDB.

The default value is Medium.

Type: Vulnerability::Level

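The ttl_hours invalidation rules and the level threshold described above, modelled in Ruby (the language facter facts are written in) as an added example that is not the module's own code. The cache fields, the function names scan_due? and filter_by_level, and the sample findings are assumptions made for illustration.

```ruby
# Added example, not the module's own code: a Ruby model of the two decisions
# the cve_list fact is described as making. The cache fields, scan_due? and
# filter_by_level are illustrative names, not the module's API.

# Severity levels from the page, most severe first.
SEVERITY_ORDER = %w[Critical High Medium Low Negligible Unknown].freeze

# Decide whether cve_list must be refreshed. `cache` describes the last scan:
# when it ran, the ttl_hours it was configured with, and the timestamp of the
# vulnerability database it used (all constructed fields for this example).
def scan_due?(cache, ttl_hours:, db_updated_at:, now: Time.now)
  return true if cache.nil?                              # never scanned
  return true if cache[:ttl_hours] != ttl_hours          # setting changed
  return true if db_updated_at > cache[:db_updated_at]   # database updated
  now - cache[:scanned_at] >= ttl_hours * 3600           # TTL expired?
end

# Keep findings at `level` and higher. A severity label that is not in the
# list is treated as Unknown (the lowest rank) so it is never silently promoted.
def filter_by_level(findings, level)
  threshold = SEVERITY_ORDER.index(level)
  raise ArgumentError, "unknown level #{level.inspect}" if threshold.nil?
  lowest = SEVERITY_ORDER.size - 1
  findings.select { |f| (SEVERITY_ORDER.index(f[:severity]) || lowest) <= threshold }
end

# Constructed sample data (not real scan output).
SAMPLE_FINDINGS = [
  { id: 'CVE-EXAMPLE-1', severity: 'Critical' },
  { id: 'CVE-EXAMPLE-2', severity: 'Medium' },
  { id: 'CVE-EXAMPLE-3', severity: 'Low' },
  { id: 'CVE-EXAMPLE-4', severity: 'Unknown' }
].freeze

if __FILE__ == $PROGRAM_NAME
  cache = { scanned_at: Time.utc(2024, 1, 1, 0), ttl_hours: 24,
            db_updated_at: Time.utc(2023, 12, 31) }
  due = scan_due?(cache, ttl_hours: 24, db_updated_at: Time.utc(2023, 12, 31),
                  now: Time.utc(2024, 1, 1, 12))
  puts "scan due 12h after a 24h-TTL scan: #{due}"
  ids = filter_by_level(SAMPLE_FINDINGS, 'Medium').map { |f| f[:id] }
  puts "reported at level Medium: #{ids.join(', ')}"
end
```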