Puppet Class: vulnerability

Defined in:
manifests/init.pp

Summary

The top-level class of the vulnerability module.

Overview

vulnerability::vulnerability

This class ensures that the correct version of [`grype`](github.com/anchore/grype) is installed and configured, and that your systems are scanned for vulnerabilities on the specified interval.

See the file “LICENSE” for the full license governing this code.

Parameters:

  • update (Boolean)

    Update the vulnerability database on every Puppet run. When you set this value to `true`, Puppet checks the vulnerability database on every run and updates it when it detects a new version. Although `true` is the best setting security-wise, it can introduce dynamic changes to your Puppet runs that you may not want. When you want more controlled updates, set this value to `false` and make sure that the `vulnerability::update` class is scheduled in some other way. Even when you set this value to `false`, Puppet performs an update on the initial run in which [`grype`](github.com/anchore/grype) is installed. This is required to have at least an initial vulnerability database.

  • guard (Boolean)

    When you set this value to `true`, Puppet starts to guard the number of vulnerabilities on your system. Check the [`::vulnerability::guard` class](./guard.html) for details. The default value is `false`, meaning no automatic checks on the vulnerability status.
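The controlled-update mode described under the `update` parameter, as an added example that is not part of the module: a profile class that declares `vulnerability` with `update => false` and schedules `vulnerability::update` in a maintenance window instead. The profile name, the schedule name and the 02:00 to 04:00 window are assumptions; the `grype_version` fact and the class names come from the module.

```puppet
# Added example, not module code: run grype scans with guarding enabled,
# but only refresh the vulnerability database in a maintenance window.
class profile::vulnerability_scan {
  class { 'vulnerability':
    update => false,
    guard  => true,
  }

  # Hypothetical window: resources carrying this schedule are only applied
  # during Puppet runs between 02:00 and 04:00, at most once per day.
  schedule { 'grype_db_window':
    range  => '2 - 4',
    period => daily,
    repeat => 1,
  }

  # The vulnerability class only contains vulnerability::update itself on the
  # run that installs grype. For the steady state declare it here, so that the
  # guard ordering in the module (update before guard) can be resolved. The
  # schedule metaparameter set on the class propagates to its resources.
  unless $facts['grype_version'] == 'not-installed' {
    class { 'vulnerability::update':
      schedule => 'grype_db_window',
    }

    Class['vulnerability::setup']
    -> Class['vulnerability::update']
  }
}
```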

# File 'manifests/init.pp', line 21

class vulnerability (
  Boolean $guard,
  Boolean $update
) {
  include stdlib
  #
  # Fetch the license file if needed.
  #
  unless defined(Class['easy_type::license::available']) {
    class { 'easy_type::license::available':
      stage => 'setup',
    }
  }

  # Install grype first, then write its configuration.
  contain vulnerability::install
  contain vulnerability::setup

  Class['vulnerability::install']
  -> Class['vulnerability::setup']

  # Refresh the vulnerability database when requested, and always on the
  # run that installs grype, so that an initial database is present.
  if $update or $facts['grype_version'] == 'not-installed' {
    contain vulnerability::update

    Class['vulnerability::setup']
    -> Class['vulnerability::update']
  }

  # Guard the vulnerability count only after the database has been updated.
  # This relationship requires Class['vulnerability::update'] to be in the
  # catalog, so with $update = false it must be declared elsewhere (see the
  # 'update' parameter).
  if $guard {
    contain vulnerability::guard

    Class['vulnerability::update']
    -> Class['vulnerability::guard']
  }
}