OpenSCAP is an open-source toolkit that implements the Security Content Automation Protocol (SCAP) for automated security compliance, vulnerability scanning, and configuration checking. It provides a set of tools and libraries to assess systems against security policies, identify vulnerabilities, and generate reports to ensure compliance with standards like PCI DSS or government regulations.
Getting Started
To pull the image:

```
docker pull registry.hardened.eu/library/openscap:latest
```
Verifying Image Signatures
All Hardened B.V. images are signed using cosign. You can verify the signature using the following steps:
Save the public key:

```
cat >hardened.pub <<EOL
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbxhUFlXkIIbDzdRAR9rc6kDPNb+k
J48lhqqlOMyiq3jkbKXNj2sEFMduFlNh63MrZA59PKf4TjS1AiCrvaFXNA==
-----END PUBLIC KEY-----
EOL
```

Verify the image signature:

```
cosign verify --key hardened.pub registry.hardened.eu/library/openscap:latest
```

On success, cosign prints the signature details and confirms that the image was signed with the key in hardened.pub; if no matching signature is found, it reports an error and exits non-zero.

To verify the SBOM attestation, run:

```
cosign verify-attestation --type spdxjson --key hardened.pub registry.hardened.eu/library/openscap:latest
```

To download the SBOM, run the same command and decode the attestation payload:

```
cosign verify-attestation --type spdxjson --key hardened.pub registry.hardened.eu/library/openscap:latest | jq -r .payload | base64 -d | jq -r .predicate > openscap-spdx.json
```
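The `jq | base64 -d | jq` pipeline above works because `cosign verify-attestation` prints a DSSE envelope whose base64 `payload` is an in-toto statement, and the SPDX document sits in that statement's `predicate`. The following Python is an added example, not part of the page or of Hardened B.V.'s tooling: it performs the same decoding with the standard library only, and additionally checks the envelope's `payloadType`, the statement's `predicateType` (assumed here to be `https://spdx.dev/Document`, the type cosign uses for `--type spdxjson`), and that the attestation's subject digest matches the image digest you pulled. The sample envelope is constructed inline so the script runs offline; in practice you would feed it a line of real cosign output.

```python
"""Decode a cosign verify-attestation envelope and extract the SPDX SBOM predicate."""
import base64
import json

# Constructed sample in the shape cosign verify-attestation prints (one DSSE
# envelope per attestation). The statement, digest and package list are made up
# for illustration; a real envelope carries the image's signed SBOM.
_SAMPLE_DIGEST = "0" * 64
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://spdx.dev/Document",
    "subject": [
        {"name": "registry.hardened.eu/library/openscap",
         "digest": {"sha256": _SAMPLE_DIGEST}}
    ],
    "predicate": {
        "spdxVersion": "SPDX-2.3",
        "name": "openscap",
        "packages": [
            {"name": "openscap", "versionInfo": "1.4.3-r0"},
            {"name": "python3", "versionInfo": "3.12.12-r0"},
        ],
    },
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "PLACEHOLDER-NOT-A-REAL-SIGNATURE"}],
})

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
SPDX_PREDICATE_TYPE = "https://spdx.dev/Document"  # assumed: cosign's type for spdxjson


def extract_spdx(envelope_json, expected_digest=None):
    """Return the SPDX predicate from a verified DSSE envelope.

    The signature itself is checked by cosign before the envelope is printed;
    this function checks the structural claims a consumer should still confirm.
    """
    envelope = json.loads(envelope_json)
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType: %r" % envelope.get("payloadType"))
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("predicateType") != SPDX_PREDICATE_TYPE:
        raise ValueError("not an SPDX attestation: %r" % statement.get("predicateType"))
    if expected_digest is not None:
        # The subject ties the SBOM to a concrete image digest; require a match
        # so an SBOM for a different build cannot be mistaken for this one.
        digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
        if expected_digest not in digests:
            raise ValueError("attestation subject does not match image digest")
    return statement["predicate"]


def package_versions(spdx_doc):
    """Map package name -> version from an SPDX JSON document."""
    return {p["name"]: p.get("versionInfo", "") for p in spdx_doc.get("packages", [])}


if __name__ == "__main__":
    sbom = extract_spdx(SAMPLE_ENVELOPE, expected_digest=_SAMPLE_DIGEST)
    for name, version in sorted(package_versions(sbom).items()):
        print(name, version)
```

To use it on real output, capture one envelope line from `cosign verify-attestation` and pass it to `extract_spdx` together with the `sha256:` digest reported by `docker pull` (without the `sha256:` prefix). A digest mismatch or a foreign predicate type raises instead of silently writing a file, which is the failure mode the `jq` one-liner does not catch.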
Trademarks
This software is packaged by Hardened B.V. All trademarks are property of their respective owners. Use of these images does not imply any affiliation or endorsement.
Only the latest tag is public. Contact us for detailed information.
| Hash | Tag | Architecture | Size (compressed) | Last updated |
|---|---|---|---|---|
| sha256:0edce9cdde06e... | latest | x86_64 | 38.29 MB | 19:07:11 16/12/2025 UTC |
| Package | Version | License |
|---|---|---|
| acl-libs | 2.3.2-r1 | (LGPL-2.1-or-later AND GPL-2.0-or-later) |
| alpine-os-release | 3.23-r0 | MIT |
| autocommand | 2.2.2 | LicenseRef-LGPLv3 |
| backports-tarfile | 1.2.0 | - |
| bash | 5.3.3-r1 | GPL-3.0-or-later |
| brotli-libs | 1.2.0-r0 | MIT |
| busybox | 1.37.0-r30 | GPL-2.0-only |
| busybox-binsh | 1.37.0-r30 | GPL-2.0-only |
| c-ares | 1.34.6-r0 | MIT |
| ca-certificates-bundle | 20251003-r0 | (MPL-2.0 AND MIT) |
| certifi | 2025.11.12 | MPL-2.0 |
| charset-normalizer | 3.4.4 | MIT |
| dbus-libs | 1.16.2-r1 | (AFL-2.1 OR GPL-2.0-or-later) |
| docker | 7.1.0 | Apache-2.0 |
| editables | 0.5 | - |
| gdbm | 1.26-r0 | GPL-3.0-or-later |
| hatch-vcs | 0.5.0 | MIT |
| hatchling | 1.28.0 | MIT |
| idna | 3.11 | BSD-3-Clause |
| importlib-metadata | 8.0.0 | - |
| inflect | 7.3.1 | - |
| jaraco-collections | 5.1.0 | - |
| jaraco-context | 5.3.0 | - |
| jaraco-functools | 4.0.1 | - |
| jaraco-text | 3.12.1 | - |
| libarchive | 3.8.4-r0 | LicenseRef-AND AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Public-Domain |
| libblkid | 2.41.2-r0 | LGPL-2.1-or-later |
| libbz2 | 1.0.8-r6 | bzip2-1.0.6 |
| libcap2 | 2.77-r0 | (BSD-3-Clause OR GPL-2.0-only) |
| libcrypto3 | 3.5.4-r0 | Apache-2.0 |
| libcurl | 8.17.0-r1 | curl |
| libdw | 0.194-r2 | GPL-3.0-or-later AND ( GPL-2.0-or-later OR LGPL-3.0-or-later ) |
| libeconf | 0.8.0-r0 | MIT |
| libelf | 0.194-r2 | GPL-3.0-or-later AND ( GPL-2.0-or-later OR LGPL-3.0-or-later ) |
| libexpat | 2.7.3-r0 | MIT |
| libffi | 3.5.2-r0 | MIT |
| libgcc | 15.2.0-r2 | (GPL-2.0-or-later AND LGPL-2.1-or-later) |
| libgcrypt | 1.11.2-r0 | (LGPL-2.1-or-later AND GPL-2.0-or-later) |
| libgomp | 15.2.0-r2 | (GPL-2.0-or-later AND LGPL-2.1-or-later) |
| libgpg-error | 1.57-r0 | (GPL-2.0-or-later AND LGPL-2.1-or-later) |
| libidn2 | 2.3.8-r0 | (GPL-2.0-or-later OR LGPL-3.0-or-later) |
| libintl | 0.24.1-r1 | LGPL-2.1-or-later |
| libltdl | 2.5.4-r2 | (LGPL-2.0-or-later AND GPL-2.0-or-later) |
| libmagic | 5.46-r2 | BSD-2-Clause |
| libncursesw | 6.5_p20251123-r0 | X11 |
| libopendbx | 1.4.6-r2 | GPL-2.0-or-later |
| libpanelw | 6.5_p20251123-r0 | X11 |
| libpsl | 0.21.5-r3 | MIT |
| libselinux | 3.6-r1 | LicenseRef-Public-Domain |
| libssl3 | 3.5.4-r0 | Apache-2.0 |
| libstdc++ | 15.2.0-r2 | (GPL-2.0-or-later AND LGPL-2.1-or-later) |
| libunistring | 1.4.1-r0 | (GPL-2.0-or-later OR LGPL-3.0-or-later) |
| libxml2 | 2.13.9-r0 | MIT |
| libxslt | 1.1.43-r3 | X11 |
| lua5.4-libs | 5.4.8-r0 | MIT |
| lz4-libs | 1.10.0-r0 | (BSD-2-Clause AND GPL-2.0-or-later) |
| more-itertools | 10.3.0 | - |
| mpdecimal | 4.0.1-r0 | BSD-2-Clause |
| musl | 1.2.5-r21 | MIT |
| musl-fts | 1.2.7-r7 | BSD-3-Clause |
| my-test-package | 1.0 | LicenseRef-UNKNOWN |
| ncurses-terminfo-base | 6.5_p20251123-r0 | X11 |
| nghttp2-libs | 1.68.0-r0 | MIT |
| nghttp3 | 1.13.1-r0 | MIT |
| openscap | 1.4.3-r0 | LGPL-2.1-or-later |
| openscap-docker | 1.4.3-r0 | LGPL-2.1-or-later |
| packaging | 24.2 | - |
| packaging | 25.0 | - |
| pathspec | 0.12.1 | - |
| pcre2 | 10.47-r0 | BSD-3-Clause |
| perl | 5.42.0-r0 | (Artistic-1.0-Perl OR GPL-1.0-or-later) |
| platformdirs | 4.2.2 | MIT |
| pluggy | 1.6.0 | MIT |
| popt | 1.19-r4 | MIT |
| procps-compat-libs | 3.3.17-r5 | (GPL-2.0-or-later AND LGPL-2.1-or-later) |
| py3-certifi | 2025.11.12-r0 | MPL-2.0 |
| py3-charset-normalizer | 3.4.4-r0 | MIT |
| py3-docker-py | 7.1.0-r0 | Apache-2.0 |
| py3-editables | 0.5-r2 | MIT |
| py3-hatch-vcs | 0.5.0-r0 | MIT |
| py3-hatchling | 1.28.0-r0 | MIT |
| py3-idna | 3.11-r0 | BSD-3-Clause |
| py3-packaging | 25.0-r0 | (Apache-2.0 AND BSD-2-Clause) |
| py3-parsing | 3.2.3-r0 | MIT |
| py3-pathspec | 0.12.1-r2 | MPL-2.0 |
| py3-pluggy | 1.6.0-r0 | MIT |
| py3-requests | 2.32.5-r0 | Apache-2.0 |
| py3-setuptools | 80.9.0-r2 | MIT |
| py3-setuptools_scm | 9.2.2-r0 | MIT |
| py3-trove-classifiers | 2025.9.11.17-r0 | Apache-2.0 |
| py3-urllib3 | 2.5.0-r0 | MIT |
| py3-websocket-client | 1.9.0-r0 | Apache-2.0 |
| pyparsing | 3.2.3 | - |
| python3 | 3.12.12-r0 | PSF-2.0 |
| readline | 8.3.3-r0 | GPL-3.0-or-later |
| requests | 2.32.5 | Apache-2.0 |
| rpm | 4.19.1.1-r3 | GPL-2.0-or-later |
| rpm-scripts | 4.19.1.1-r3 | GPL-2.0-or-later |
| setuptools | 80.9.0 | MIT |
| setuptools-scm | 9.2.2 | MIT |
| sqlite-libs | 3.51.1-r0 | blessing |
| ssl_client | 1.37.0-r30 | GPL-2.0-only |
| tomli | 2.0.1 | - |
| trove-classifiers | 2025.9.11.17 | - |
| typeguard | 4.3.0 | MIT |
| typing-extensions | 4.12.2 | - |
| urllib3 | 2.5.0 | MIT |
| websocket-client | 1.9.0 | Apache-2.0 |
| wheel | 0.45.1 | - |
| xmlsec | 1.3.7-r0 | MIT |
| xz-libs | 5.8.1-r0 | 0BSD AND LicenseRef-AND AND GPL-2.0-or-later AND LGPL-2.1-or-later AND LicenseRef-Public-Domain |
| zipp | 3.19.2 | - |
| zlib | 1.3.1-r2 | Zlib |
| zstd-libs | 1.5.7-r2 | (BSD-3-Clause OR GPL-2.0-or-later) |
- 0BSD: The Zero-Clause BSD (0BSD) license is a highly permissive open-source license that allows anyone to use, copy, modify, a...
- Apache-2.0: The Apache License 2.0 is also a permissive license, similar to the MIT License, but with additional protections related...
- blessing: The SQLite Blessing (BLESSING) is a public domain dedication used by the SQLite project. The author disclaims copyright ...
- BSD-2-Clause: The BSD 2-Clause License is a permissive license originating from the Berkeley Software Distribution (BSD). It allows fo...
- BSD-3-Clause: The BSD 3-Clause License is another permissive license originating from the Berkeley Software Distribution (BSD). It all...
- bzip2-1.0.6: The bzip2 and libbzip2 licenses are permissive open source licenses, allowing use, modification, and distribution with m...
- curl: The CURL license is a permissive open source license that allows users to use, modify, and distribute the software freel...
- GPL-2.0: The GNU General Public License version 2 (GPL-2.0) is a strict copyleft license. If you modify and distribute software l...
- GPL-3.0: GPL-3.0 builds upon GPL-2.0 by adding clauses to address modern concerns such as software patents, tivoization (restrict...
- LGPL: The LGPL is a more permissive variant of the GPL. It allows developers to link to (use) the LGPL-licensed library in the...
- MIT: The MIT License is a highly permissive open-source license. It allows users to do almost anything with a project, includ...
- MPL-2.0: The MPL is a weak copyleft license. It requires that changes to MPL-licensed files be open-sourced, but allows these fil...
- PSF-2.0: The Python Software Foundation License 2.0 (PSF-2.0) is a permissive license used for Python software. It allows users t...
- X11: The X11 License (also known as the MIT/X11 License) is a permissive license that allows users to use, modify, and distri...
- Zlib: The zlib License is a permissive license that allows users to use, modify, and distribute the software freely. It's simi...
| CVE | Severity | Package | Version | Fixed In | Description |
|---|---|---|---|---|---|
| CVE-2025-13836 | Medium | python3 | 3.12.12-r0 | Not fixed | When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS. |
| CVE-2025-12084 | Medium | python3 | 3.12.12-r0 | Not fixed | When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents. |
| CVE-2025-13837 | Low | python3 | 3.12.12-r0 | Not fixed | When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues. |
| CVE-2025-6075 | Low | python3 | 3.12.12-r0 | Not fixed | If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables. |