All Scanner Integrations
How Scanner Integrations Work in RegScale
For Commercial Integrations with RegScale, all vulnerability scanners now use a common library and behave identically. This page outlines how each of these integrations creates records in RegScale.
Background
Vulnerability Scanners are integrated into RegScale for three outcomes:
- Import assets into a Security Plan
- Import vulnerabilities into a Security Plan
- Create Issues and/or POA&Ms in a Security Plan
For each of the dozen-odd vulnerability scan integrations, asset inventories are updated, a scan history is created, Vulnerabilities are created, and, if configured to do so, Issues are created and optionally marked as "Cyber Reportable Plan of Actions and Milestones (POA&M)".
Scanner Configurations
All vulnerability scanner integrations leverage three configuration items from the init.yaml file:
(see CLI Configuration for full details on init.yaml)
| Key | Notes | Value Type |
|---|---|---|
| issues: (scanner-name): | Default number of days until an issue's due date, per severity | e.g. `trivy: {'critical': 14, 'high': 60, 'moderate': 120, 'low': 364}` |
| complianceCreation | Behavior for compliance findings. "Assessment": create an assessment and mark the control implemented/in remediation; "Issue": create an issue for each compliance test failure; "POAM": create an issue for each compliance test failure and mark it a POA&M | string: "Assessment" (default) \| "Issue" \| "POAM" |
| incrementPoamIdentifier | If the issues use "otherIdentifier" for the POA&M id, this will increment the pattern by +1 | bool: true \| false (default: false) |
| ingestClosedIssues | Whether or not to import closed issues | bool: true \| false (default: false) |
| issueCreation | For Commercial Scan integrations, this determines whether an issue is created for each unique vulnerability/asset pair ("PerAsset") or only for each unique vulnerability ("Consolidated") | string: "Consolidated" \| "PerAsset" |
| preventAutoClose | Whether or not to close previously created issues that are not in the current scan | bool: true \| false (default: false) |
| poamTitleType | What to use for the title of POA&Ms created from scans | string: "Cve" (default) - CVE Number \| "PluginId" - Scanner Plugin Id |
| stigMapperFile | Path to the STIG mapper rules file for compliance scanning | str: stig_mapper_rules.json |
| tenableGroupByPlugin | For Tenable scans, group by Plugin Id instead of CVE | bool: true \| false (default: false) |
| threadMaxWorkers | Maximum number of worker threads | int: 1-8 (default: 4) |
| vulnerabilityCreation | For Commercial Scan integrations, this determines whether an issue is created for vulnerabilities. "NoIssue": don't create issues from vulnerabilities; "IssueCreation": create issues from vulnerabilities; "PoamCreation": create issues/POA&Ms from vulnerabilities | string: "NoIssue" \| "IssueCreation" \| "PoamCreation" |
| useMilestones | | bool: true \| false (default: false) |
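A mistyped option in init.yaml is easy to miss until a scan import silently creates no issues or uses the wrong due dates. The following is an added example, not RegScale's own code: it checks the scanner-related keys against the allowed values and defaults documented in the table above and derives an issue due date from the `issues: (scanner-name):` severity windows. The function names `validate_scanner_config` and `issue_due_date` are chosen here, and the two config dicts stand in for a parsed init.yaml (constructed samples, not real files).

```python
"""Check the scanner-related keys of a RegScale init.yaml before a scan import.

Added example, not RegScale's own code. Key names, allowed values and defaults
are taken from the documentation table; the config dicts below stand in for a
parsed init.yaml (constructed samples, not real files).
"""
from datetime import date, timedelta

# Allowed string options per key, as documented in the table.
ALLOWED = {
    "complianceCreation": {"Assessment", "Issue", "POAM"},
    "issueCreation": {"Consolidated", "PerAsset"},
    "poamTitleType": {"Cve", "PluginId"},
    "vulnerabilityCreation": {"NoIssue", "IssueCreation", "PoamCreation"},
}
BOOL_KEYS = ("incrementPoamIdentifier", "ingestClosedIssues", "preventAutoClose",
             "tenableGroupByPlugin", "useMilestones")
SEVERITIES = ("critical", "high", "moderate", "low")


def validate_scanner_config(cfg):
    """Return a list of problems; an empty list means the scanner keys are usable."""
    problems = []
    for key, allowed in ALLOWED.items():
        if key in cfg and cfg[key] not in allowed:
            problems.append(f"{key}: {cfg[key]!r} is not one of {sorted(allowed)}")
    for key in BOOL_KEYS:
        if key in cfg and not isinstance(cfg[key], bool):
            problems.append(f"{key}: expected true or false, got {cfg[key]!r}")
    workers = cfg.get("threadMaxWorkers", 4)  # documented default
    if isinstance(workers, bool) or not isinstance(workers, int) or not 1 <= workers <= 8:
        problems.append(f"threadMaxWorkers: {workers!r} is outside the documented range 1-8")
    # Every scanner listed under `issues:` needs a due-date window for each severity.
    for scanner, days in cfg.get("issues", {}).items():
        missing = [s for s in SEVERITIES if s not in days]
        if missing:
            problems.append(f"issues.{scanner}: missing severities {missing}")
        bad = [s for s, v in days.items()
               if isinstance(v, bool) or not isinstance(v, int) or v < 1]
        if bad:
            problems.append(f"issues.{scanner}: non-positive day counts for {bad}")
    return problems


def issue_due_date(cfg, scanner, severity, first_seen_iso):
    """Due date (ISO string) = first-seen date plus the configured days for that severity."""
    days = cfg["issues"][scanner][severity.lower()]
    first_seen = date.fromisoformat(first_seen_iso)
    return (first_seen + timedelta(days=days)).isoformat()


# Constructed init.yaml content with three mistakes a validator should catch.
BAD_CONFIG = {
    "issues": {"trivy": {"critical": 14, "high": 60, "low": 364}},  # "moderate" missing
    "vulnerabilityCreation": "Issue",   # not an option; the documented value is "IssueCreation"
    "issueCreation": "Consolidated",
    "poamTitleType": "Cve",
    "preventAutoClose": False,
    "threadMaxWorkers": 16,             # above the documented maximum of 8
}

# The same settings corrected.
GOOD_CONFIG = {
    "issues": {"trivy": {"critical": 14, "high": 60, "moderate": 120, "low": 364}},
    "vulnerabilityCreation": "IssueCreation",
    "issueCreation": "Consolidated",
    "poamTitleType": "Cve",
    "preventAutoClose": False,
    "threadMaxWorkers": 4,
}

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, validate_scanner_config(cfg) or "ok")
    print(issue_due_date(GOOD_CONFIG, "trivy", "High", "2024-01-01"))
```

Running the block reports the three defects in `BAD_CONFIG`, accepts `GOOD_CONFIG`, and shows a "High" Trivy finding first seen on 2024-01-01 falling due 60 days later. Note that `vulnerabilityCreation` is checked against the documented spelling exactly; "Issue" is a valid value only for `complianceCreation`.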
Data Flow and Record Creation
For each vulnerability scan integration the following records are created:
- Scan History:
- All scanner integrations first create a scan history entry as a child of the Security Plan identified in the scanner integration argument (`--regscale_ssp_id`)
- Scan History is visible in Security Plans under the "Vulnerabilities" tab in Data Entry
- Assets:
- All assets are created as children of the Security Plan
- As assets appear in the scan they are created in RegScale, regardless of whether a vulnerability exists for them or not.
- Asset status is set by the scan. If an asset is shown as active in a scan, it is marked active; If a scan shows an asset as inactive, it is marked inactive
- Assets are visible in Security Plans under the "Assets" tab in Data Entry
- Vulnerabilities:
- All scan results are created as vulnerability records as children of the Security Plan
- Vulnerabilities are visible in Security Plans under "Vulnerabilities" tab in Data Entry and then "CVE List"
- For each asset affected by the vulnerability, a vulnerability mapping record is created which is visible when clicking in the "CVE List" on "View" and "Impacted Assets"
- Issues:
- If the `vulnerabilityCreation` configuration item is set to `IssueCreation` or `PoamCreation`, vulnerabilities will create Issue records as children of the Security Plan
- If the `vulnerabilityCreation` configuration item is set to `PoamCreation`, vulnerabilities will create Issue records as children of the Security Plan and will mark the issues as "Cyber Reportable Plan of Actions and Milestones (POA&M)"
- Issues are visible in Security Plans under the "Issues/POAMS" tab in Data Entry
- If the `issueCreation` configuration item is set to `Consolidated`, one issue will be created per vulnerability and all impacted assets will be listed in the same record
- If the `issueCreation` configuration item is set to `PerAsset`, an issue will be created for each vulnerability/asset pair
- If the `poamTitleType` configuration item is set to `Cve`, issues will be consolidated according to unique CVEs when `issueCreation` is `Consolidated`, or will simply use the CVE as the label of the Issue when `issueCreation` is `PerAsset`
- If the `poamTitleType` configuration item is set to `PluginId`, issues will be consolidated according to unique Plugin Ids when `issueCreation` is `Consolidated`, or will simply use the Plugin Id as the label of the Issue when `issueCreation` is `PerAsset`
- Each Issue created will be marked with the source of the scan in the `Source Report` field of the issue record (e.g. "Aqua")
- Subsequent scan imports:
- If an asset was created in a previous scan, but does not appear in subsequent scans from the same source (e.g. Aqua), it is updated to inactive
- If a vulnerability was created in a previous scan, but does not appear in subsequent scans from the same source, its status is changed to "Closed"
- If an issue was created in a previous scan, but does not appear in subsequent scans from the same source, its status is changed to "Closed"
- If an issue was created in a previous scan and includes multiple assets, the impacted assets listed in the issue will be updated according to which assets still have the same vulnerability in the subsequent scan
- If an issue was created in a previous scan and appears in subsequent scans, the "Last Seen Date" will be updated and the issue status remains "Open"
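The record-creation rules and the subsequent-import rules above interact with `vulnerabilityCreation`, `issueCreation`, `poamTitleType` and `preventAutoClose`, and it is worth seeing the combined effect on a second import before pointing a scanner at a production Security Plan. The following is an added example, not RegScale's own code: it replays two consecutive scan results from one source against in-memory Asset, Vulnerability and Issue records and applies the documented rules. The record shapes, the function names `reconcile` and `run_demo`, the scanner name and both scan results are constructed here; the CVE and plugin ids are placeholders, not real identifiers. What happens to a closed issue that reappears in a later scan is not stated on this page, so the example leaves that status untouched.

```python
"""Replay two consecutive scan imports against in-memory Asset, Vulnerability and
Issue records, following the documented record-creation and subsequent-import rules.

Added example, not RegScale's own code: the record shapes, function names and
the two scan results are constructed here; CVE and plugin ids are placeholders.
"""
from dataclasses import dataclass


@dataclass
class Issue:
    title: str           # CVE or Plugin Id, depending on poamTitleType
    assets: set          # impacted assets, refreshed on every import
    source_report: str   # scanner that produced the finding ("Source Report" field)
    last_seen: str       # "Last Seen Date", updated when the issue reappears
    is_poam: bool        # marked POA&M when vulnerabilityCreation is PoamCreation
    status: str = "Open"


def new_state():
    return {"assets": {}, "vulns": {}, "issues": {}}


def reconcile(state, findings, cfg, scan_date, source):
    """Apply one scan's findings (dicts with asset, cve, plugin_id) to the state."""
    seen_assets = {f["asset"] for f in findings}
    # Assets: present in the scan -> Active; previously known but absent -> Inactive.
    for asset in state["assets"]:
        if asset not in seen_assets:
            state["assets"][asset] = "Inactive"
    for asset in seen_assets:
        state["assets"][asset] = "Active"

    # Vulnerabilities: one record per CVE with its mapped assets; absent ones close.
    current_vulns = {}
    for f in findings:
        current_vulns.setdefault(f["cve"], set()).add(f["asset"])
    for cve in state["vulns"]:
        if cve not in current_vulns:
            state["vulns"][cve]["status"] = "Closed"
    for cve, assets in current_vulns.items():
        state["vulns"][cve] = {"status": "Open", "assets": assets}

    mode = cfg.get("vulnerabilityCreation", "NoIssue")
    if mode == "NoIssue":
        return state

    # Issues: keyed by title (CVE or Plugin Id) and, for PerAsset, also by asset.
    title_field = "cve" if cfg.get("poamTitleType", "Cve") == "Cve" else "plugin_id"
    per_asset = cfg.get("issueCreation") == "PerAsset"
    current_issues = {}
    for f in findings:
        key = (f[title_field], f["asset"] if per_asset else None)
        current_issues.setdefault(key, set()).add(f["asset"])
    for key, assets in current_issues.items():
        issue = state["issues"].get(key)
        if issue is None:
            state["issues"][key] = Issue(key[0], assets, source, scan_date,
                                         is_poam=(mode == "PoamCreation"))
        else:  # seen again: refresh impacted assets and Last Seen Date
            issue.assets = assets
            issue.last_seen = scan_date
    # Issues not in this scan are auto-closed unless preventAutoClose is set.
    if not cfg.get("preventAutoClose", False):
        for key, issue in state["issues"].items():
            if key not in current_issues:
                issue.status = "Closed"
    return state


# Constructed scan results from one source; ids are placeholders, not real CVEs.
SCAN_1 = [
    {"asset": "host-a", "cve": "CVE-EXAMPLE-0001", "plugin_id": "100"},
    {"asset": "host-b", "cve": "CVE-EXAMPLE-0001", "plugin_id": "100"},
    {"asset": "host-b", "cve": "CVE-EXAMPLE-0002", "plugin_id": "200"},
]
SCAN_2 = [  # host-b is no longer reported; a new host and finding appear
    {"asset": "host-a", "cve": "CVE-EXAMPLE-0001", "plugin_id": "100"},
    {"asset": "host-c", "cve": "CVE-EXAMPLE-0003", "plugin_id": "300"},
]


def run_demo(cfg):
    """Import SCAN_1 then SCAN_2 under the given config and return the final state."""
    state = reconcile(new_state(), SCAN_1, cfg, "2024-01-01", "ExampleScanner")
    return reconcile(state, SCAN_2, cfg, "2024-02-01", "ExampleScanner")


if __name__ == "__main__":
    final = run_demo({"vulnerabilityCreation": "PoamCreation",
                      "issueCreation": "Consolidated", "poamTitleType": "Cve"})
    print(final["assets"])
    for key, issue in final["issues"].items():
        print(key, issue.status, sorted(issue.assets), issue.last_seen)
```

With `Consolidated` titling by CVE the second import leaves three issues: the first CVE stays open with its impacted-asset list shrunk to `host-a`, the second is closed because `host-b` dropped out of the scan, and the third is new. Switching to `PerAsset` with `PluginId` produces four issues, two of them closed; setting `preventAutoClose: true` keeps the stale issue open while the vulnerability record still closes.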
