openscap-fips
OpenSCAP-FIPS Overview
Secure your stack with a hardened OpenSCAP-FIPS image freshly-built by Minimus. Minimus images always include the most up-to-date package version for all packages and dependencies.
Use this image to scan your Docker images and containers without the need to install OpenSCAP locally. This image comes preloaded with a Minimus STIG file for security and compliance assessments. Learn how to convert the DISA STIG report to other formats including JSON, CSV, HTML, DISA Checklist, etc.
FIPS 140-3 Certification
This image is FIPS-validated to ensure its cryptographic operations meet the Federal Information Processing Standards (FIPS) required for secure government and regulated environments. Its core cryptographic modules are validated under the NIST Cryptographic Module Validation Program (CMVP) and comply with the FIPS 140-3 standard.
To verify that the FIPS 140-3 provider is configured and active, follow the instructions in the FIPS compliance tab.
Try It Out
To test the Minimus OpenSCAP-FIPS image, follow the steps below to scan a container using its file system.
Step 1 - Download the Minimus STIG file
Download the Minimus STIG file ssg-minimus-gpos-ds.xml (Link).
wget -O ssg-minimus-gpos-ds.xml \
https://raw.githubusercontent.com/minimusio/examples/main/STIG/ssg-minimus-gpos-ds.xmlStep 2 - Create a directory for the scan results
mkdir -p "$(pwd)/openscap_results"Change the directory ownership to match the container's UID to grant the OpenSCAP container write access:
sudo chown 1000:1000 "$(pwd)/openscap_results"Step 3 - Pull the image to be scanned
Pull the image you plan to scan. For example, if we want to scan nginx:
docker pull reg.mini.dev/nginx:latestStep 4 - Run the OpenSCAP scan
Update the placeholder {IMAGE_TO_SCAN} in the command below before running the scan:
docker run --user root \
-v "$PWD/ssg-minimus-gpos-ds.xml:/ssg-minimus-gpos-ds.xml:ro" \
-v /var/run/docker.sock:/var/run/docker.sock \
-v "$PWD/openscap_results:/output" \
--entrypoint "" \
reg.mini.dev/openscap-fips \
/usr/bin/oscap-docker image {IMAGE_TO_SCAN} -- \
xccdf eval \
--profile "xccdf_basic_profile_.check" \
--results /output/scan-results.xml \
--report /output/report.html \
/ssg-minimus-gpos-ds.xmlFor example, for the Minimus nginx image, the command would look like this:
docker run --user root \
-v "$PWD/ssg-minimus-gpos-ds.xml:/ssg-minimus-gpos-ds.xml:ro" \
-v /var/run/docker.sock:/var/run/docker.sock \
-v "$PWD/openscap_results:/output" \
--entrypoint "" \
reg.mini.dev/openscap-fips \
/usr/bin/oscap-docker image reg.mini.dev/nginx:latest -- \
xccdf eval \
--profile "xccdf_basic_profile_.check" \
--results /output/scan-results.xml \
--report /output/report.html \
/ssg-minimus-gpos-ds.xmlStep 5 - Read the report
The STIG report will print directly to the terminal. Once the scan completes, open the openscap_results folder to view the results. You should see two files:
-
scan-results.xmlwill include the raw scan output and is machine-readable. -
report.htmlis a human-readable HTML report.
You can convert the DISA STIG report to other formats including JSON, CSV, HTML, DISA Checklist, etc. using the MITRE Heimdall tool. Learn more
Technical Considerations
The OpenSCAP-FIPS image provided by Minimus has no alternative in Docker Hub. It can be used as a minimal alternative for installing OpenSCAP locally.
OpenSCAP-FIPS built by Minimus:
- The image can be used as a minimal, secure alternative for installing OpenSCAP locally.
- Runs as non-root by default as user 1000.
The Payoff
A hardened, minimal image that will remain more secure for the long run and accrue vulnerabilities at a slower rate.
- See the risk reduction dashboard for a detailed CVE report over the past 30 days.
- Review the compliance report to see the default hardening and security configurations for the image.
Terms & Info
Trademark
This catalog is published by Minimus. All product names, logos, and marks, other than those belonging to Minimus, shown are owned by their respective rights holders and appear here only to identify the open source software each image contains. Minimus claims no ownership of those marks and implies no affiliation with, endorsement by, certification by, or sponsorship by any rights holder.
Disclaimer
Images are provided "as-is" without warranty of any kind. "Hardened" refers to the security configuration applied at the time of build and does not constitute a guarantee of ongoing security or absence of vulnerabilities. The free tier is provided without support, SLA, or guaranteed patching timelines. Security updates may be applied to paid subscriptions before or instead of free tier images. By pulling or using any image you agree to our Terms of Use.