From 5eabccc1ed6d050cd5ce24944346a1128e49b9f5 Mon Sep 17 00:00:00 2001
From: Luke Hinds <lukehinds@gmail.com>
Date: Wed, 6 Jul 2016 10:33:44 +0100
Subject: Adding security_scan section to functest userguide.

JIRA: FUNCTEST-356

Change-Id: Ib7e2fc7eda88425390b37c36cbedc3f89c090f61
Signed-off-by: Luke Hinds <lukehinds@gmail.com>
---
 docs/userguide/index.rst | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/docs/userguide/index.rst b/docs/userguide/index.rst
index ea2679764..327a1756b 100644
--- a/docs/userguide/index.rst
+++ b/docs/userguide/index.rst
@@ -388,9 +388,35 @@ the OpenStack 'bgpvpn' API:
 security_scan
 ^^^^^^^^^^^^^
 
-**TODO:**
+Security Scanning, is a project to insure security compliance and vulnerability
+checks, as part of an automated CI / CD platform delivery process.
+
+The project makes use of the existing SCAP format[6] to perform deep scanning of
+NFVi nodes, to insure they are hardened and free of known CVE reported vulnerabilities.
+
+The SCAP content itself, is then consumed and run using an upstream opensource tool
+known as OpenSCAP[7].
+
+The OPNFV Security Group have developed the code that will called by the OPNFV Jenkins
+build platform, to perform a complete scan. Resulting reports are then copied to the
+OPNFV functest dashboard.
+
+The current work flow is as follows:
 
+  * Jenkins Build Initiated
+  * security_scan.py script is called, and a config file is passed to the script as
+    an argument.
+  * The IP addresses of each NFVi node (compute / control), is gathered.
+  * A scan profile is matched to the node type.
+  * The OpenSCAP application is remotely installed onto each target node gathered
+    on step 3, using upstream packaging (rpm and .deb).
+  * A scan is made against each node gathered within step 3.
+  * HTML Reports are downloaded for rendering on a dashboard.
+  * If the config file value 'clean' is set to 'True' then the application installed in
+    step 5 is removed, and all reports created at step 6 are deleted.
 
+At present, only the Apex installer is supported, with support for other installers due
+within D-release.
 
 VNF
 ---
@@ -449,6 +475,8 @@ References
 .. _`[3]`: https://rally.readthedocs.org/en/latest/index.html
 .. _`[4]`: http://events.linuxfoundation.org/sites/events/files/slides/Functest%20in%20Depth_0.pdf
 .. _`[5]`: https://github.com/Orange-OpenSource/opnfv-cloudify-clearwater/blob/master/openstack-blueprint.yaml
+.. _`[6]`: https://scap.nist.gov/
+.. _`[7]`: https://github.com/OpenSCAP/openscap
 .. _`[9]`: https://git.opnfv.org/cgit/functest/tree/testcases/VIM/OpenStack/CI/libraries/os_defaults.yaml
 .. _`[11]`: http://robotframework.org/
 
-- 
cgit 1.2.3-korg