Gate: stig
Introduction
The STIG policy gate is intended to deny an image that does not have at least one companion STIG evaluation stored alongside it. A STIG evaluation can be generated with an AnchoreCTL workflow that produces the evaluation and uploads it to your Anchore Enterprise deployment. For more information on the Anchore STIG feature, please see the Anchore STIG documentation.
Example Use-case
Scenario 1
Goal: Create a rule that results in a STOP action for images that do not contain a STIG evaluation.
Example rule set configuration in Anchore Enterprise
Gate: stig
Trigger: no stig evaluations available
Required Parameters: n/a
Recommendations (optional): “Perform STIG evaluation on image”
Action: STOP
Scenario 2
Goal: Create a rule that results in a STOP action for images where the uploaded STIG evaluations are older than 7 days.
Example rule set configuration in Anchore Enterprise
Gate: stig
Trigger: stig evaluations outdated
Required Parameters: max days since stig evaluation = “7”
Recommendations (optional): “Perform new STIG evaluation on image”
Action: STOP
Reference: stig
Trigger Name | Trigger Description | Parameter | Parameter Description | Example |
---|---|---|---|---|
no stig evaluations available | Triggers if Anchore does not have STIG evaluations for this image | n/a | n/a | n/a |
stig evaluations outdated | Triggers if all of the uploaded STIG evaluations are outdated | max days since stig evaluation | The maximum age (in days) for any STIG evaluation - an image won’t trigger as long as it has at least one STIG evaluation within this window. | 7 |
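The decision logic that the reference table above describes (the gate passes as long as at least one STIG evaluation falls within the max-days window, and fires "no stig evaluations available" only when the image has no evaluation at all), modelled as an added Python example. This is not Anchore Enterprise code and it does not use the identifiers of the policy bundle JSON; the trigger names are kept as this page spells them, the `StigEvaluation` record, the image digests, the timestamps and the rule-to-action mapping are constructed for the example, and treating an evaluation that is exactly max-days old as still inside the window is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Trigger names as they appear on this page (spaces kept); the exact
# identifiers used inside an Anchore policy bundle are not shown here.
NO_STIG_EVALUATIONS_AVAILABLE = "no stig evaluations available"
STIG_EVALUATIONS_OUTDATED = "stig evaluations outdated"

# Both scenarios on this page map their trigger to STOP (constructed rule set).
SCENARIO_RULES: Dict[str, str] = {
    NO_STIG_EVALUATIONS_AVAILABLE: "STOP",
    STIG_EVALUATIONS_OUTDATED: "STOP",
}


@dataclass(frozen=True)
class StigEvaluation:
    """One STIG evaluation stored alongside an image (constructed model)."""
    image_digest: str
    evaluated_at: datetime  # timezone-aware timestamp of the evaluation upload


def evaluate_stig_gate(
    evaluations: Iterable[StigEvaluation],
    max_days_since_stig_evaluation: int,
    now: Optional[datetime] = None,
) -> List[str]:
    """Return the stig-gate triggers that fire for a single image.

    Assumption: an evaluation whose age is at most
    max_days_since_stig_evaluation days is "within the window"; anything
    older is outdated. The outdated trigger fires only when *every*
    evaluation is outdated, matching the reference table.
    """
    now = now or datetime.now(timezone.utc)
    evals = list(evaluations)
    if not evals:
        # No companion evaluation at all: only the first trigger fires.
        return [NO_STIG_EVALUATIONS_AVAILABLE]
    window = timedelta(days=max_days_since_stig_evaluation)
    fresh = [e for e in evals if now - e.evaluated_at <= window]
    return [] if fresh else [STIG_EVALUATIONS_OUTDATED]


def final_action(fired: List[str], rules: Dict[str, str]) -> str:
    """Pick the most severe action among the rules that fired (STOP > WARN > GO)."""
    severity = {"GO": 0, "WARN": 1, "STOP": 2}
    actions = [rules[t] for t in fired if t in rules]
    return max(actions, key=severity.__getitem__, default="GO")


# Constructed sample: a fixed "now" and four images in different states.
SAMPLE_NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
SAMPLE_IMAGES: Dict[str, List[StigEvaluation]] = {
    # never evaluated
    "sha256:constructed-0001": [],
    # one evaluation, 10 days old
    "sha256:constructed-0002": [
        StigEvaluation("sha256:constructed-0002", SAMPLE_NOW - timedelta(days=10)),
    ],
    # one stale (10 days) and one fresh (2 days) evaluation
    "sha256:constructed-0003": [
        StigEvaluation("sha256:constructed-0003", SAMPLE_NOW - timedelta(days=10)),
        StigEvaluation("sha256:constructed-0003", SAMPLE_NOW - timedelta(days=2)),
    ],
    # one evaluation exactly 7 days old (boundary case)
    "sha256:constructed-0004": [
        StigEvaluation("sha256:constructed-0004", SAMPLE_NOW - timedelta(days=7)),
    ],
}


def run_demo(max_days: int = 7) -> Dict[str, Tuple[List[str], str]]:
    """Evaluate every sample image with Scenario 2's 7-day parameter."""
    results = {}
    for digest, evals in SAMPLE_IMAGES.items():
        fired = evaluate_stig_gate(evals, max_days, now=SAMPLE_NOW)
        results[digest] = (fired, final_action(fired, SCENARIO_RULES))
    return results


if __name__ == "__main__":
    for digest, (fired, action) in run_demo().items():
        print(f"{digest}: triggers={fired or ['-']} action={action}")
```

Only the third and fourth images pass: a single evaluation inside the window is enough, regardless of how many stale ones sit beside it, which is why re-running the evaluation on a schedule shorter than the configured max days keeps an image from ever hitting STOP under Scenario 2.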