$ export ROX_ENDPOINT=<host:port> (1)
You can use the roxctl
cli to check deployment YAML files and images for policy compliance.
You have configured the ROX_ENDPOINT
environment variable using the following command:
$ export ROX_ENDPOINT=<host:port> (1)
1 | The host and port information that you want to store in the ROX_ENDPOINT environment variable. |
When you check policy compliance by using the roxctl deployment check
or roxctl image check
commands, you can specify the output format by using the -o
option to the command and specifying the format as json
, table
, csv
, or junit
. This option determines how the output of a command is displayed in the terminal.
For example, the following command checks a deployment and then displays the result in csv
format:
$ roxctl deployment check --file =<yaml_filename> -o csv
When you do not specify the
|
Different options are available to configure the output. The following table lists the options and the format in which they are available.
Option | Description | Formats |
---|---|---|
|
Use this option to display the JSON output in a compact format. |
|
|
Use this option to specify custom headers. |
|
|
Use this option to omit the header row from the output. |
|
|
Use this option to specify GJSON paths to select specific items from the output. For example, to get the Policy name and Severity for a deployment check, use the following command:
|
|
|
Use this options to merge table cells that have the same value. |
|
|
Use this option to include the header row as a comment in the output. |
|
|
Use this option to specify the name of the JUnit test suite. |
|
Run the following command to check the build-time and deploy-time violations of your security policies in YAML deployment files:
$ roxctl deployment check --file=<yaml_filename>
The format is defined in the API reference.
To cause Red Hat Advanced Cluster Security for Kubernetes (RHACS) to re-pull image metadata and image scan results from the associated registry and scanner, add the --force
option.
To check specific image scan results, you must have a token with both |
This command validates the following items:
Configuration options in a YAML file, such as resource limits or privilege options
Aspects of the images used in a YAML file, such as components or vulnerabilities
Run the following command to check the build-time violations of your security policies in images:
$ roxctl image check --image=<image_name>
The format is defined in the API reference.
To cause Red Hat Advanced Cluster Security for Kubernetes (RHACS) to re-pull image metadata and image scan results from the associated registry and scanner, add the --force
option.
To check specific image scan results, you must have a token with both |
You can also check the scan results for specific images.
Run the following command to return the components and vulnerabilities found in the image in JSON format:
$ roxctl image scan --image <image_name>
The format is defined in the API reference.
To cause Red Hat Advanced Cluster Security for Kubernetes (RHACS) to re-pull image metadata and image scan results from the associated registry and scanner, add the --force
option.
To check specific image scan results, you must have a token with both |