The Definitive Guide to Automating OpenSCAP and Sigstore
Modern DevSecOps pipelines require unified security controls that cover both infrastructure compliance and software supply chain integrity. OpenSCAP (Open Security Content Automation Protocol) and Sigstore are two industry-standard tools that address these needs respectively, but automating them together unlocks end-to-end security automation with minimal manual overhead.
What Are OpenSCAP and Sigstore?
OpenSCAP is a open-source framework for implementing the SCAP (Security Content Automation Protocol) standard, used to scan systems, containers, and infrastructure for compliance against industry benchmarks like CIS, STIG, and OVAL. It generates machine-readable reports (ARF, XCCDF) to track compliance posture over time.
Sigstore is a open-source project for securing software supply chains via keyless signing, transparency logs, and verification. Its core components include Cosign (container/artifact signing), Fulcio (short-lived certificate authority), and Rekor (immutable transparency log for signatures and attestations).
Why Automate OpenSCAP and Sigstore Together?
Automating these tools in tandem ensures that only compliant, verified artifacts make it to production. A typical workflow enforces two gates: 1) The artifact passes OpenSCAP compliance checks, and 2) The artifact is signed via Sigstore and verified before deployment. This eliminates gaps between compliance and supply chain security.
Prerequisites for Automation
- OpenSCAP base tools (oscap, oscap-docker) installed on CI runners
- Cosign CLI for Sigstore operations
- CI/CD platform (GitHub Actions, GitLab CI, Jenkins, etc.)
- Container registry (Docker Hub, Quay, ECR) with push/pull access
- OIDC provider (GitHub, Google, etc.) for Sigstore keyless signing (optional but recommended)
Core Automation Workflows
1. Automating OpenSCAP Compliance Checks
OpenSCAP can scan container images, VM templates, and infrastructure-as-code (IaC) files. For container scans, use the oscap-docker tool to run compliance checks against CIS Docker Benchmark content:
# Scan a Docker image against CIS Docker Benchmark
oscap-docker image-cve xccdf eval --profile cis-docker-benchmark --results results.xml /usr/share/xml/scap/ssg/content/ssg-docker-cis-benchmark-xccdf.xml
# Fail build if non-compliant
if grep -q "fail" results.xml; then exit 1; fi
Automate this step in CI to fail builds that do not meet compliance thresholds, with results stored in artifact repositories for audit purposes.
2. Automating Sigstore Signing and Verification
Use Cosign to sign container images and SBOMs, with signatures stored in Rekor for public verifiability. Keyless signing via OIDC eliminates the need to manage long-lived signing keys:
# Sign a container image with Sigstore keyless signing
COSIGN_EXPERIMENTAL=1 cosign sign --oidc-provider github
# Verify signature before deployment
COSIGN_EXPERIMENTAL=1 cosign verify
Automate signing immediately after passing OpenSCAP checks, and enforce verification in deployment pipelines (e.g., Kubernetes admission controllers, container runtime hooks).
Integrating Into CI/CD Pipelines
Below is a sample GitHub Actions workflow that automates both OpenSCAP scanning and Sigstore signing for a container image:
name: Security Pipeline
on: [push]
jobs:
security-checks:
runs-on: ubuntu-latest
permissions:
id-token: write # Required for Sigstore OIDC
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Build container image
run: docker build -t myapp:${{ github.sha }} .
- name: Install OpenSCAP
run: sudo apt-get install -y openscap-scanner ssg-deb
- name: Run OpenSCAP compliance scan
run: |
oscap-docker image-cve myapp:${{ github.sha }} xccdf eval --profile cis-docker-benchmark --results compliance-results.xml /usr/share/xml/scap/ssg/content/ssg-docker-cis-benchmark-xccdf.xml
if grep -q "fail" compliance-results.xml; then echo "Compliance check failed"; exit 1; fi
- name: Install Cosign
uses: sigstore/cosign-installer@v3
- name: Sign container with Sigstore
run: COSIGN_EXPERIMENTAL=1 cosign sign myapp:${{ github.sha }}
- name: Push signed image to registry
run: |
echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login -u ${{ secrets.REGISTRY_USER }} --password-stdin
docker push myapp:${{ github.sha }}
Advanced Automation Use Cases
- Automate OpenSCAP remediation scripts for non-compliant infrastructure via Ansible or Terraform
- Generate and sign SBOMs with Cosign, then link compliance reports to signed artifacts in Rekor
- Enforce both compliance and signature verification in Kubernetes with OPA Gatekeeper or Kyverno policies
- Automate periodic compliance rescans for running workloads and trigger alerts on drift
Best Practices
- Store OpenSCAP compliance reports in immutable storage (e.g., S3, GCS) for audit trails
- Use keyless Sigstore signing to avoid managing long-lived private keys
- Update SCAP content regularly to cover new CVEs and benchmark updates
- Test failure scenarios (e.g., non-compliant image, invalid signature) to ensure pipeline gates work as expected
- Grant CI runners least privilege access to registries and OIDC providers
Common Pitfalls to Avoid
- Skipping OpenSCAP scans for "low-priority" images – compliance gaps affect all workloads
- Not verifying Sigstore signatures on deployment, only on signing
- Using outdated SCAP content that does not cover recent vulnerabilities
- Storing Sigstore private keys in plaintext in CI secrets
Conclusion
Automating OpenSCAP and Sigstore together creates a unified security gate that covers compliance and supply chain integrity, reducing manual toil and minimizing security risk. By integrating these tools into CI/CD pipelines, teams can shift security left and ensure only trusted, compliant artifacts reach production. Start with the sample workflow above, then expand to cover advanced use cases like SBOM signing and remediation automation.
Top comments (0)