vulnerability
Overview
The top-level class of the vulnerability module. This class ensures that the correct version of grype
is installed and configured and that on the specified interval your systems are scanned for vulnerabilities.
Attributes
| Attribute Name | Short Description |
|---|---|
| guard | When you set this value to true, Puppet starts to guard the number of vulnerabilities on your system. |
| remediate | When you set this value to true, Puppet will remediate the specified CVEs. |
| update | Update the vulnerability database on every Puppet run. |
update
Update the vulnerability database on every Puppet run.
When you set this value to true, Puppet will check the vulnerability database on every run and update it when it detects a new version.
Although setting it to true is the best setting security-wise, it can introduce dynamic changes to your Puppet runs that you don't want. When you want more controlled updates, set this value to false and make sure that the vulnerability::update class is scheduled in some other way.
Even when you set this value to false, Puppet will do an update on the initial run where grype is installed. This is required to at least have an initial vulnerability database.
guard
When you set this value to true, Puppet starts to guard the number of vulnerabilities on your system. Check the ::vulnerability::guard class for details.
The default value is false, meaning no automatic checks on the vulnerability status.
remediate
When you set this value to true, Puppet will remediate the specified CVEs. See the remediate class for details.
The default value is true, meaning no automatic checks on the vulnerability status.