Overview

The top-level class of the vulnerability module. This class ensures that the correct version of grype is installed and configured and that on the specified interval your systems are scanned for vulnerabilities.

Attributes

Attribute Name   Short Description
guard            When you set this value to true, Puppet starts to guard the number of vulnerabilities on your system.
remediate        When you set this value to true, Puppet will remediate the specified CVEs.
update           Update the vulnerability database on every Puppet run.

update

Update the vulnerability database on every Puppet run.

When you set this value to true, Puppet will check the vulnerability database on every run and update it when it detects a new version.

Although setting it to true is the best setting security-wise, it can introduce dynamic changes to your Puppet runs that you don't want. When you want more controlled updates, set this value to false and make sure that the vulnerability::update class is scheduled in some other way.

Even when you set this value to false, Puppet will do an update on the initial run where grype is installed. This is required to at least have an initial vulnerability database.
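As an added example that is not part of the module's documentation, the manifest below declares the class with update disabled and confines the database refresh to a weekly window. It assumes that the vulnerability::update class does its work through exec resources (which Puppet tags automatically with the declaring class name), so that a collector override can attach the schedule; verify that assumption against the class before relying on it.

```puppet
# Added example; not taken from the vulnerability module's own docs.
# Install grype and guard the vulnerability count, but do not touch the
# database on every agent run.
class { 'vulnerability':
  update    => false,  # initial DB is still fetched when grype is first installed
  guard     => true,   # see the vulnerability::guard class
  remediate => false,  # no automatic CVE remediation
}

# Maintenance window for the database refresh: Sundays, 02:00-04:00.
schedule { 'grype_db_window':
  period  => 'weekly',
  weekday => 'Sunday',
  range   => '02:00 - 04:00',
}

# Keep the update class in the catalog ...
include vulnerability::update

# ... but restrict its resources to the window. ASSUMPTION: the class
# performs the refresh with exec resources. Puppet tags every resource
# with the name of the class that declares it, so this collector matches
# them and the override attaches the schedule.
Exec <| tag == 'vulnerability::update' |> {
  schedule => 'grype_db_window',
}
```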


guard

When you set this value to true, Puppet starts to guard the number of vulnerabilities on your system. Check the ::vulnerability::guard class for details.

The default value is false, meaning no automatic checks on the vulnerability status.


remediate

When you set this value to true, Puppet will remediate the specified CVEs. See the remediate class for details.

The default value is true, meaning no automatic checks on the vulnerability status.
