add openscap image (#2724)

Signed-off-by: Josh Wolf <josh@wolfs.io>

images/openscap/README.md

@@ -0,0 +1,28 @@
+<!--monopod:start-->
+# openscap
+| | |
+| - | - |
+| **OCI Reference** | `cgr.dev/chainguard/openscap` |
+
+
+* [View Image in Chainguard Academy](https://edu.chainguard.dev/chainguard/chainguard-images/reference/openscap/overview/)
+* [View Image Catalog](https://console.enforce.dev/images/catalog) for a full list of available tags.
+* [Contact Chainguard](https://www.chainguard.dev/chainguard-images) for enterprise support, SLAs, and access to older tags.*
+
+---
+<!--monopod:end-->
+
+<!--overview:start-->
+NIST Certified SCAP 1.2 toolkit
+<!--overview:end-->
+
+<!--getting:start-->
+## Download this Image
+The image is available on `cgr.dev`:
+
+```
+docker pull cgr.dev/chainguard/openscap:latest
+```
+<!--getting:end-->
+
+<!--body:start--><!--body:end-->

images/openscap/config/main.tf

@@ -0,0 +1,29 @@
+variable "extra_packages" {
+  description = "The additional packages to install"
+  type        = list(string)
+  default     = []
+}
+
+module "accts" {
+  source = "../../../tflib/accts"
+  uid    = 65532
+  gid    = 65532
+  run-as = 65532
+}
+
+output "config" {
+  value = jsonencode({
+    contents = {
+      packages = concat([
+        "py3-docker",
+        "docker-cli",
+        "scap-security-guide",
+      ], var.extra_packages)
+    }
+    //
+    accounts = module.accts.block
+    entrypoint = {
+      command = "/usr/bin/oscap"
+    }
+  })
+}

images/openscap/main.tf

@@ -0,0 +1,37 @@
+variable "target_repository" {
+  description = "The docker repo into which the image and attestations should be published."
+}
+
+module "versions" {
+  package = "openscap"
+  source  = "../../tflib/versions"
+}
+
+module "config" {
+  for_each       = module.versions.versions
+  source         = "./config"
+  extra_packages = [each.key]
+}
+
+module "versioned" {
+  for_each          = module.versions.versions
+  source            = "../../tflib/publisher"
+  name              = basename(path.module)
+  target_repository = var.target_repository
+  config            = module.config[each.key].config
+  build-dev         = true
+  main_package      = each.value.main
+  update-repo       = each.value.is_latest
+}
+
+module "test-versioned" {
+  for_each = module.versions.versions
+  source   = "./tests"
+  digest   = module.versioned[each.key].image_ref
+}
+
+module "tagger" {
+  source     = "../../tflib/tagger"
+  depends_on = [module.test-versioned]
+  tags       = merge([for v in module.versioned : v.latest_tag_map]...)
+}

images/openscap/metadata.yaml

@@ -0,0 +1,10 @@
+name: openscap
+image: cgr.dev/chainguard/openscap
+logo: https://storage.googleapis.com/chainguard-academy/logos/openscap.svg
+endoflife: ""
+console_summary: ""
+short_description: "NIST Certified SCAP 1.2 toolkit"
+compatibility_notes: ""
+readme_file: README.md
+upstream_url: "https://github.com/OpenSCAP/openscap"
+keywords: []

images/openscap/tests/main.tf

@@ -0,0 +1,36 @@
+terraform {
+  required_providers {
+    imagetest = { source = "chainguard-dev/imagetest" }
+    oci       = { source = "chainguard-dev/oci" }
+  }
+}
+
+variable "digest" {
+  description = "The image digest to run tests over."
+}
+
+data "imagetest_inventory" "inventory" {}
+
+resource "imagetest_harness_docker" "docker" {
+  name      = "openscap"
+  inventory = data.imagetest_inventory.inventory
+
+  envs = {
+    IMAGE_NAME : var.digest
+  }
+}
+
+resource "imagetest_feature" "test" {
+  name    = "docker-test"
+  harness = imagetest_harness_docker.docker
+
+  steps = [{
+    name = "basic test"
+    # This does quite a bit of work for a `version` command, it validates oscap
+    # can run (and that all the libraries are linked), but also probes the
+    # supported OVAL objects and checks they are legit. The alternative
+    # requires an uncomfortable level of privilege to either support
+    # `oscap-docker` scans or `oscap-chroot` scans.
+    cmd = "docker run --rm $IMAGE_NAME version"
+  }]
+}