Container Usage Cheatsheet

While we work on formal documentation, here is a cheatsheet of common usage:

General Scanning

ghost alpine:latest
ghost --ignore-unfixed wordpress:latest

Policy Decisions

Ghost supports custom policies written in Rego and evaluated by OPA. You can point it at a local Rego file or at a remote OPA server. The scanner binary exits with code 2 when a policy fails, so a CI job can gate on the exit status without parsing the report.

ghost --rego-file ghost.rego alpine:latest
ghost image --opa-server https://51.222.5.38:8443 alpine:latest
ghost --format json -o results.json ubuntu:18.04

Templating and Reporting

ghost --format template --template @ghost.tpl -o report.html alpine:latest

Webhook

Send Ghost scan results to a webhook. The example below sends results over plain HTTP to a host on the local network; outside a lab, use an HTTPS endpoint so scan findings are not exposed in transit.

ghost --webhook http://192.168.1.196:9001/api/webhook alpine:latest

Tagging

Tag scan results. The tags are attached to the results and passed along to OPA policy decisions and to the webhook, so a policy can branch on them (for example, on the build number) and a receiver can correlate a result with the pipeline that produced it.

ghost --tags "build=${BUILD_NUMBER},url={url}" alpine:latest
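The following is an added example, not code from the Ghost project: a minimal receiver for the `--webhook` option that validates what arrives before storing it, and that pulls the tags out of the payload so a consumer can correlate results with builds. Ghost's webhook format is not documented on this page, so the example assumes a JSON body and treats the `tags` key (and the "k=v,k2=v2" form from the Tagging section) as assumptions; everything else in the document is kept as-is under `raw`.

```python
# Added example, not part of Ghost: a small webhook receiver for local testing.
# Assumptions (not documented behaviour of Ghost): the scanner delivers a JSON
# object, and tags appear under a top-level "tags" key, either as the
# "k=v,k2=v2" string given to --tags, as a list of "k=v" items, or as an object.
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY = 8 * 1024 * 1024   # refuse absurdly large deliveries (8 MiB)
received = []                # in-memory store of parsed payloads; swap for real storage


def parse_tags(value):
    """Normalise a tags field into a dict, accepting string, list or object."""
    if value is None:
        return {}
    if isinstance(value, dict):
        return {str(k): str(v) for k, v in value.items()}
    if isinstance(value, str):
        value = [item for item in value.split(",") if item]
    tags = {}
    for item in value:
        # Split on the first "=" only, so values such as URLs keep their own "="
        key, sep, val = str(item).partition("=")
        tags[key.strip()] = val.strip() if sep else ""
    return tags


def parse_webhook_payload(body, content_type):
    """Validate one delivery. Returns {"tags": {...}, "raw": <document>} or
    raises ValueError, which the HTTP handler turns into a 400."""
    if content_type.split(";")[0].strip().lower() != "application/json":
        raise ValueError("unexpected Content-Type: %r" % content_type)
    if len(body) > MAX_BODY:
        raise ValueError("payload too large")
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("body is not valid JSON: %s" % exc)
    if not isinstance(doc, dict):
        raise ValueError("top-level JSON value must be an object")
    return {"tags": parse_tags(doc.get("tags")), "raw": doc}


class GhostWebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        if length > MAX_BODY:
            self.send_error(413, "payload too large")
            return
        body = self.rfile.read(length)
        try:
            record = parse_webhook_payload(body, self.headers.get("Content-Type", ""))
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        received.append(record)
        self.log_message("scan result received, tags=%s", record["tags"])
        self.send_response(204)
        self.end_headers()

    def do_GET(self):
        # Nothing to read back over HTTP; only deliveries are accepted.
        self.send_error(405)


def serve(host="127.0.0.1", port=9001):
    # Bind to loopback by default. The page's example targets plain HTTP on a LAN
    # address; put a TLS terminator or network ACL in front before exposing this.
    HTTPServer((host, port), GhostWebhookHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run it on the host named in the `--webhook` URL (adjusting `host`/`port` in `serve()`), point Ghost at it, and inspect `received`; if the real payload's tag field turns out to have a different name or shape, only `parse_webhook_payload` needs to change.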

Jenkinsfile Stage Example

stage('Ghost Image Assurance Scan') {
    steps {
        script {
            // Scan the image, evaluate it against the Rego policy in the workspace,
            // render the HTML report from the template, and tag the result with the
            // Jenkins build number. A policy failure makes ghost exit with code 2,
            // which fails the sh step and therefore the stage.
            sh "ghost image --rego-file ${WORKSPACE}/exp.rego --format template --template \"@${WORKSPACE}/exp.tpl\" -o /home/jeff/ghost/exp.html --tags \"jenkins-build-${BUILD_NUMBER}\" 192.168.1.41:5000/jeffsbooks:latest"
        }
    }
    post {
        always {
            // Publish the report even when the policy gate failed the stage.
            publishHTML target: [
                allowMissing: false,
                alwaysLinkToLastBuild: true,
                keepAll: true,
                reportDir: '/home/jeff/ghost',
                reportFiles: 'exp.html',
                reportName: 'GhostScannerReport'
            ]
        }
    }
}