$ export ROX_ENDPOINT=<host:port> (1)
You can use the roxctl
CLI to check deployment YAML files and images for policy compliance.
You have configured the ROX_ENDPOINT
environment variable using the following command:
$ export ROX_ENDPOINT=<host:port> (1)
1 | The host and port information that you want to store in the ROX_ENDPOINT environment variable. |
When you check policy compliance by using the roxctl deployment check
or roxctl image check
commands, you can specify the output format by using the -o
option to the command and specifying the format as json
, table
, csv
, or junit
. This option determines how the output of a command is displayed in the terminal.
For example, the following command checks a deployment and then displays the result in csv
format:
$ roxctl deployment check --file =<yaml_filename> -o csv
When you do not specify the
|
Different options are available to configure the output. The following table lists the options and the format in which they are available.
Option | Description | Formats |
---|---|---|
|
Use this option to display the JSON output in a compact format. |
|
|
Use this option to specify custom headers. |
|
|
Use this option to omit the header row from the output. |
|
|
Use this option to specify GJSON paths to select specific items from the output. For example, to get the Policy name and Severity for a deployment check, use the following command:
|
|
|
Use this options to merge table cells that have the same value. |
|
|
Use this option to include the header row as a comment in the output. |
|
|
Use this option to specify the name of the JUnit test suite. |
|
Run the following command to check the build-time and deploy-time violations of your security policies in YAML deployment files:
$ roxctl deployment check --file=<yaml_filename>
The format is defined in the API reference.
To cause Red Hat Advanced Cluster Security for Kubernetes (RHACS) to re-pull image metadata and image scan results from the associated registry and scanner, add the --force
option.
To check specific image scan results, you must have a token with both |
This command validates the following items:
Configuration options in a YAML file, such as resource limits or privilege options
Aspects of the images used in a YAML file, such as components or vulnerabilities
Run the following command to check the build-time violations of your security policies in images:
$ roxctl image check --image=<image_name>
The format is defined in the API reference.
To cause Red Hat Advanced Cluster Security for Kubernetes (RHACS) to re-pull image metadata and image scan results from the associated registry and scanner, add the --force
option.
To check specific image scan results, you must have a token with both |
You can also check the scan results for specific images.
Run the following command to return the components and vulnerabilities found in the image in JSON format:
$ roxctl image scan --image <image_name>
The format is defined in the API reference.
To cause Red Hat Advanced Cluster Security for Kubernetes (RHACS) to re-pull image metadata and image scan results from the associated registry and scanner, add the --force
option.
To check specific image scan results, you must have a token with both |
Commands that you can run on a specific image.
$ roxctl image [command] [flags]
Command | Description |
---|---|
|
Check images for build time policy violations, and report them. |
|
Scan the specified image, and return the scan results. |
Option | Description |
---|---|
|
Set the timeout for API requests representing the maximum duration of a request. The default value is |
The roxctl image
command supports the following options inherited from the parent roxctl
command:
Option | Description |
---|---|
|
Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the |
|
Set |
|
Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the |
|
Force the use of HTTP/1 for all connections. Alternatively, by setting the |
|
Enable insecure connection options. Alternatively, by setting the |
|
Skip the TLS certificate validation. Alternatively, by setting the |
|
Disable the color output. Alternatively, by setting the |
|
Specify the password for basic authentication. Alternatively, you can set the password by using the |
|
Use an unencrypted connection. Alternatively, by setting the |
|
Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the |
|
Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the |
These options are applicable to all the sub-commands of the |
Scan the specified image, and return the scan results.
$ roxctl image scan [flags]
Option | Description |
---|---|
|
Specify the cluster name or ID to which you want to delegate the image scan. |
|
Print JSON output in a compact format. The default value is |
|
Ignore Central’s cache and force a fresh re-pull from Scanner. The default value is |
|
Specify the headers to print in a tabular output. The default values include |
|
Print headers as comments in a CSV tabular output. The default value is |
|
Specify the image name and reference to scan. For example, |
|
Include snoozed and unsnoozed CVEs in the scan results. The default value is |
|
Merge duplicate cells in a tabular output. The default value is |
|
Do not print headers for a tabular output. The default value is |
|
Specify the output format. Output formats include |
|
Specify the number of retries before exiting as an error. The default value is |
|
Set the time to wait between retries in seconds. The default value is |
|
Specify JSON path expressions to create a row from the JSON object. For more details, run the |
Check images for build time policy violations, and report them.
$ roxctl image check [flags]
Option | Description |
---|---|
|
List of the policy categories that you want to execute. By default, all the policy categories are used. |
|
Define the cluster name or ID that you want to use as the context for evaluation. |
|
Print JSON output in a compact format. The default value is |
|
Bypass the Central cache for the image and force a new pull from the Scanner. The default value is |
|
Define headers to print in a tabular output. The default values include |
|
Print headers as comments in a CSV tabular output. The default value is |
|
Specify the image name and reference. For example, |
|
Set the name of the JUnit test suite. Default value is |
|
Merge duplicate cells in a tabular output. The default value is |
|
Do not print headers for a tabular output. The default value is |
|
Choose the output format. Output formats include |
|
Set the number of retries before exiting as an error. The default value is |
|
Set the time to wait between retries in seconds. The default value is |
|
Create a row from the JSON object by using JSON path expression. For more details, run the |
|
Define whether you want to send notifications in the event of violations. The default value is |