cem_acpt 0.11.2 → 0.12.0

data/lib/cem_acpt/provision/terraform.rb

@@ -267,15 +267,15 @@ module CemAcpt
       # @raise [StandardError] If there is an error formatting the provision data.
       def provision_node_data
         node_data = @provision_data[:nodes].each_with_object({}) do |node, h|
-          h[node.node_name] = node.node_data.merge(
-            {
-              goss_file: node.test_data[:goss_file],
-              puppet_manifest: node.test_data[:puppet_manifest],
-              provision_dir_source: @backend.provision_directory,
-              provision_dir_dest: @backend.destination_provision_directory,
-              provision_commands: provision_commands_for(node),
-            }
-          )
+          base = {
+            goss_file: resolve_goss_file(node),
+            puppet_manifest: node.test_data[:puppet_manifest],
+            provision_dir_source: @backend.provision_directory,
+            provision_dir_dest: @backend.destination_provision_directory,
+            provision_commands: provision_commands_for(node),
+          }
+          base.merge!(scan_node_data_for(node)) if scan_mode?
+          h[node.node_name] = node.node_data.merge(base)
         end
         node_data.to_json
       rescue StandardError => e
@@ -287,7 +287,7 @@ module CemAcpt
       def provision_commands_for(node)
         case @backend
         when CemAcpt::Provision::Linux
-          @backend.provision_commands_wrapper(node.node_data[:image])
+          @backend.provision_commands_wrapper(node.node_data[:image], scan_mode: scan_mode?)
         when CemAcpt::Provision::Windows
           []
         else
@@ -295,6 +295,143 @@ module CemAcpt
         end
       end
 
+      def scan_mode?
+        @config.respond_to?(:scan_mode?) && @config.scan_mode?
+      end
+
+      # In scan mode the test directory may not contain a goss.yaml; the
+      # Terraform `provisioner "file"` block requires a real source path, so
+      # write a small stub file once into the working dir and reuse it for
+      # any node that lacks a real goss.yaml. The on-node Goss systemd units
+      # are not started in scan mode, so the stub is never used at runtime.
+      def resolve_goss_file(node)
+        real = node.test_data[:goss_file]
+        return real if real && File.exist?(real)
+        return nil unless scan_mode?
+
+        @scan_goss_stub_path ||= write_scan_goss_stub!
+      end
+
+      def write_scan_goss_stub!
+        path = File.join(working_dir, 'scan-stub-goss.yaml')
+        File.write(path, "# Empty Goss stub used by cem_acpt_scan when no goss.yaml is present.\n")
+        path
+      end
+
+      # Returns the additional Terraform node_data fields needed to drive the
+      # scan_config_upload and cis_cat_pro_upload null_resources. The license
+      # fields are populated alongside the bundle fields so that the four
+      # provisioners inside cis_cat_pro_upload (bundle upload, bundle extract,
+      # license upload, license extract) all have the data they need from a
+      # single resource invocation.
+      def scan_node_data_for(node)
+        bundle = cis_cat_pro_bundle_for(node)
+        license = cis_cat_pro_license_for(node)
+        {
+          scan_config_json: scan_config_json_for(node),
+          cis_cat_pro_bundle: bundle || '',
+          cis_cat_pro_format: bundle ? archive_format(bundle) : '',
+          cis_cat_pro_license: license || '',
+          cis_cat_pro_license_format: license ? archive_format(license) : '',
+        }
+      end
+
+      # Builds the JSON content uploaded to /opt/cem_acpt/scan/scan_config.json
+      # at provision time. The on-node scan_service reads this on each /scan
+      # invocation to pick the right scanner, profile, and level.
+      def scan_config_json_for(node)
+        cfg = node.test_data[:scan] || {}
+        require 'json'
+        JSON.generate(
+          'scanner'   => cfg[:scanner].to_s,
+          'profile'   => cfg[:profile].to_s,
+          'level'     => cfg[:level],
+          'datastream' => cfg[:datastream],
+          'benchmark' => cfg[:benchmark],
+        )
+      end
+
+      # Resolves the local path to the CIS-CAT Pro bundle for this node.
+      # Returns nil if the resolved scanner is openscap (no bundle needed).
+      # Honors `cem_acpt_scan.cis_cat_pro_source` from config (local path or
+      # gs:// URI; gs:// URIs are downloaded to a per-run cache file before
+      # being passed to Terraform).
+      def cis_cat_pro_bundle_for(node)
+        cfg = node.test_data[:scan] || {}
+        return nil unless cfg[:scanner].to_s == 'ciscat'
+
+        @cis_cat_pro_local_path ||= resolve_cis_cat_pro_source!
+      end
+
+      # Resolves the local path to the CIS-CAT Pro license bundle for this
+      # node. Mirrors {#cis_cat_pro_bundle_for}: returns nil unless the
+      # resolved scanner is `ciscat`, otherwise memoizes the resolved local
+      # path. The license is required separately from the assessor bundle so
+      # that license rotation does not force rebundling the assessor.
+      def cis_cat_pro_license_for(node)
+        cfg = node.test_data[:scan] || {}
+        return nil unless cfg[:scanner].to_s == 'ciscat'
+
+        @cis_cat_pro_license_local_path ||= resolve_cis_cat_pro_license!
+      end
+
+      def resolve_cis_cat_pro_source!
+        source = @config.get('cem_acpt_scan.cis_cat_pro_source')
+        raise 'cem_acpt_scan.cis_cat_pro_source is required for CIS-CAT Pro scans' if source.nil? || source.to_s.empty?
+
+        if source.start_with?('gs://')
+          # Preserve the source's archive extension so the local cache file
+          # carries its real format. archive_format raises if the extension
+          # is unrecognized, which is the right behavior here too.
+          ext = archive_format(source) == 'zip' ? '.zip' : '.tar.gz'
+          dest = File.join(working_dir, "cis-cat-pro#{ext}")
+          logger.info('CemAcpt::Provision::Terraform') { "Downloading CIS-CAT Pro bundle from #{source}" }
+          CemAcpt::Utils::Shell.run_cmd("gcloud storage cp #{source} #{dest}")
+          dest
+        else
+          File.expand_path(source)
+        end
+      end
+
+      # Mirror of {#resolve_cis_cat_pro_source!} for the license bundle.
+      # Raises {CemAcpt::Scan::LicenseNotFoundError} (rather than a plain
+      # RuntimeError as source does) so callers can rescue it specifically —
+      # missing license is a recoverable operator-config error, not a bug.
+      def resolve_cis_cat_pro_license!
+        source = @config.get('cem_acpt_scan.cis_cat_pro_license')
+        raise CemAcpt::Scan::LicenseNotFoundError if source.nil? || source.to_s.empty?
+
+        if source.start_with?('gs://')
+          ext = archive_format(source) == 'zip' ? '.zip' : '.tar.gz'
+          dest = File.join(working_dir, "cis-cat-pro-license#{ext}")
+          logger.info('CemAcpt::Provision::Terraform') { "Downloading CIS-CAT Pro license bundle from #{source}" }
+          CemAcpt::Utils::Shell.run_cmd("gcloud storage cp #{source} #{dest}")
+          dest
+        else
+          File.expand_path(source)
+        end
+      end
+
+      # Detects the archive format of a CIS-CAT Pro bundle from its path
+      # extension. CIS-CAT Pro ships either a tarball or a zip; we accept
+      # both, dispatch to the appropriate on-node extractor in the
+      # cis_cat_pro_upload null_resource, and raise on anything else so the
+      # operator gets a clear error before provisioning starts instead of
+      # an obscure terraform-apply failure.
+      # @param path [String] local path or gs:// URI to the bundle.
+      # @return [String] 'tar.gz' or 'zip'.
+      # @raise [RuntimeError] if the extension is not recognized.
+      def archive_format(path)
+        case path.to_s.downcase
+        when /\.tar\.gz\z/, /\.tgz\z/
+          'tar.gz'
+        when /\.zip\z/
+          'zip'
+        else
+          raise "Unsupported CIS-CAT Pro archive format: '#{path}'. Expected .tar.gz, .tgz, or .zip."
+        end
+      end
+
       # @return [Hash] The variables to be passed to Terraform, including the provision data for the nodes and any
       #   necessary credentials and module package paths.
       # @raise [StandardError] If there is an error formatting the variables.

data/lib/cem_acpt/scan/daemon_client.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'net/http'
+require 'uri'
+require_relative 'errors'
+require_relative 'result'
+
+module CemAcpt
+  module Scan
+    # HTTP client for the on-node scan daemon. Mirrors the role of
+    # {CemAcpt::Goss::Api}: build URIs, GET them, parse the JSON response,
+    # turn the response into a typed result.
+    #
+    # The daemon is installed by {CemAcpt::Provision::Linux#scan_provision_commands}
+    # and serves two endpoints on the configurable scan port:
+    #
+    #   GET /health -> 200 OK once the daemon has started and the scanner
+    #                  binaries it needs are present on disk.
+    #   GET /scan   -> 200 with a JSON body shaped like:
+    #                    { "score":  87.4, "passed_count": 187, "failed_count": 27,
+    #                      "not_applicable_count": 14, "error_count": 0, "rules": [...] }
+    #                  Non-200 responses or unparseable bodies raise
+    #                  {ScannerInvocationError}.
+    class DaemonClient
+      DEFAULT_PORT = 8084
+      DEFAULT_READY_TIMEOUT = 60
+      DEFAULT_HTTP_TIMEOUT = 1800 # 30 minutes — scans can be long
+
+      # @param host [String] The IP or DNS name of the test node.
+      # @param port [Integer] The port the daemon listens on.
+      # @param ready_timeout [Integer] How long to wait for /health.
+      # @param http_timeout [Integer] How long a single /scan request may take.
+      def initialize(host:, port: DEFAULT_PORT, ready_timeout: DEFAULT_READY_TIMEOUT, http_timeout: DEFAULT_HTTP_TIMEOUT)
+        @host = host
+        @port = port
+        @ready_timeout = ready_timeout
+        @http_timeout = http_timeout
+      end
+
+      # Polls /health until it returns 200 or the timeout elapses.
+      # @raise [DaemonNotReadyError] if the timeout is reached without a 200.
+      def wait_until_ready
+        deadline = Time.now + @ready_timeout
+        last_error = nil
+        while Time.now < deadline
+          begin
+            return true if get(URI("http://#{@host}:#{@port}/health"), timeout: 5).first.to_i == 200
+          rescue StandardError => e
+            last_error = e
+          end
+          sleep 2
+        end
+        msg = "Scan daemon at #{@host}:#{@port} did not become ready within #{@ready_timeout}s"
+        msg += " (last error: #{last_error.class}: #{last_error.message})" if last_error
+        raise DaemonNotReadyError, msg
+      end
+
+      # Hits /scan and turns the response into a {Result}.
+      # @param test_case [String] Acceptance-test directory name.
+      # @param scanner [Symbol] :openscap or :ciscat.
+      # @param profile [String] Scanner-native profile id.
+      # @param threshold [Float] Pass threshold (0-100).
+      # @return [Result]
+      # @raise [ScannerInvocationError] on non-200 or unparseable body.
+      def scan(test_case:, scanner:, profile:, threshold:)
+        uri = URI("http://#{@host}:#{@port}/scan")
+        status, body = get(uri, timeout: @http_timeout)
+        unless status.to_i == 200
+          raise ScannerInvocationError, "Scan daemon at #{@host}:#{@port} returned status #{status}: #{body.inspect}"
+        end
+
+        Result.new(test_case: test_case, scanner: scanner, profile: profile, threshold: threshold, body: body)
+      end
+
+      private
+
+      def get(uri, timeout:)
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.read_timeout = timeout
+        http.open_timeout = [timeout, 30].min
+        response = http.get(uri.request_uri)
+        body = response.body.to_s
+        parsed = body.empty? ? {} : JSON.parse(body)
+        [response.code, parsed]
+      rescue JSON::ParserError => e
+        raise ScannerInvocationError, "Scan daemon at #{@host}:#{@port} returned non-JSON body: #{e.message}"
+      end
+    end
+  end
+end

data/lib/cem_acpt/scan/errors.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module CemAcpt
+  module Scan
+    # Raised when the on-node scan daemon does not respond healthily within
+    # the configured `cem_acpt_scan.daemon.ready_timeout` window.
+    class DaemonNotReadyError < StandardError; end
+
+    # Raised when a test case has no entry in `cem_acpt_scan.profiles.<scanner>`
+    # and so no scanner profile id can be resolved. The message carries the
+    # missing config key so the operator can fix it without re-running.
+    class ProfileNotFoundError < StandardError
+      def initialize(test_case, scanner, config_key)
+        super("No scanner profile id configured for test case '#{test_case}' (scanner: #{scanner}). Set '#{config_key}' in cem_acpt config.")
+      end
+    end
+
+    # Raised when the scan daemon returns a non-200 response or a payload
+    # that cannot be parsed as a scan result. Mirrors the role of the
+    # error path in {CemAcpt::Goss::Api}.
+    class ScannerInvocationError < StandardError; end
+
+    # Raised when `cem_acpt_scan.cis_cat_pro_license` is unset (or empty) and
+    # any test case in the run resolves to scanner `ciscat`. The license is
+    # required for CIS-CAT Pro and is separate from the assessor bundle so
+    # that license rotation does not require rebundling the assessor. The
+    # message carries the missing config key so the operator can fix it
+    # without re-running.
+    class LicenseNotFoundError < StandardError
+      def initialize(config_key = 'cem_acpt_scan.cis_cat_pro_license')
+        super("CIS-CAT Pro license is required for CIS-CAT Pro scans. Set '#{config_key}' in cem_acpt config.")
+      end
+    end
+
+    # Raised when a test case has no entry in `cem_acpt_scan.benchmarks.cis_cat`
+    # and so no benchmark XCCDF filename can be resolved. The message carries the
+    # missing config key so the operator can fix it without re-running.
+    class BenchmarkNotFoundError < StandardError
+      def initialize(test_case, scanner, config_key)
+        super("No benchmark configured for test case '#{test_case}' (scanner: #{scanner}). Set '#{config_key}' in cem_acpt config.")
+      end
+    end
+  end
+end

data/lib/cem_acpt/scan/result.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module CemAcpt
+  module Scan
+    # Normalized scan result. Wraps the JSON payload returned by the on-node
+    # scan daemon and exposes the bits the runner needs: the score the daemon
+    # reported (scanner-native pass-rate, 0-100), the pass/fail decision
+    # against the configured threshold, and a status code compatible with
+    # {CemAcpt::TestRunner::TestResults} so the existing result-aggregation
+    # plumbing doesn't have to grow a new branch.
+    #
+    # Status semantics: 200 if `score >= threshold`, 1 otherwise. This makes
+    # {Result} look-alike enough to {CemAcpt::Goss::Api::ActionResponse} for
+    # the runner's `process_test_results` loop to treat it uniformly.
+    class Result
+      attr_reader :test_case, :scanner, :profile, :score, :threshold, :body
+
+      # @param test_case [String] The acceptance-test directory name.
+      # @param scanner [Symbol, String] :openscap or :ciscat.
+      # @param profile [String] The scanner-native profile id used.
+      # @param threshold [Float] The pass threshold this result was evaluated against.
+      # @param body [Hash] The parsed JSON payload from the scan daemon. Must
+      #   include numeric `score` and counts (`passed_count`, `failed_count`,
+      #   `not_applicable_count`, `error_count`); may include a `rules` array.
+      def initialize(test_case:, scanner:, profile:, threshold:, body:)
+        @test_case = test_case
+        @scanner = scanner.to_sym
+        @profile = profile
+        @threshold = threshold.to_f
+        @body = body || {}
+        @score = (@body['score'] || @body[:score] || 0.0).to_f
+      end
+
+      # @return [Boolean] true if the score met the threshold.
+      def pass?
+        @score >= @threshold
+      end
+      alias success? pass?
+
+      # @return [Boolean] true if the score did not meet the threshold.
+      def fail?
+        !pass?
+      end
+      alias error? fail?
+
+      # @return [Integer] HTTP-style status: 200 on pass, 1 on fail.
+      # Conforms to the contract {CemAcpt::TestRunner::Runner#process_test_results}
+      # uses to decide the run's exit code.
+      def status
+        pass? ? 200 : 1
+      end
+      alias http_status status
+
+      # @return [Hash] The full normalized result, suitable for `to_json`.
+      def to_h
+        {
+          test_case: @test_case,
+          scanner: @scanner,
+          profile: @profile,
+          score: @score,
+          threshold: @threshold,
+          passed_count: counts(:passed_count),
+          failed_count: counts(:failed_count),
+          not_applicable_count: counts(:not_applicable_count),
+          error_count: counts(:error_count),
+          rules: @body['rules'] || @body[:rules] || [],
+          pass: pass?,
+        }
+      end
+
+      def to_json(*args)
+        to_h.to_json(*args)
+      end
+
+      def to_s
+        "<#{self.class.name} test_case=#{@test_case} scanner=#{@scanner} score=#{@score} threshold=#{@threshold} pass=#{pass?}>"
+      end
+      alias inspect to_s
+
+      private
+
+      def counts(key)
+        (@body[key.to_s] || @body[key] || 0).to_i
+      end
+    end
+  end
+end

data/lib/cem_acpt/scan.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+# Namespace for the benchmark-scan subsystem used by `cem_acpt_scan`. Mirrors
+# the file-organization pattern of {CemAcpt::Bolt} and {CemAcpt::Goss}: a
+# top-level umbrella module with subordinate files for the HTTP client to the
+# on-node scan daemon, the normalized result wrapper, and error classes.
+#
+# The on-node scan daemon source lives in `lib/terraform/gcp/linux/scan/`
+# alongside the systemd unit; both are uploaded to the test node via the
+# existing recursive `provisioner "file"` block in main.tf.
+module CemAcpt
+  module Scan
+    require_relative 'scan/errors'
+    require_relative 'scan/result'
+    require_relative 'scan/daemon_client'
+  end
+end

data/lib/cem_acpt/test_data.rb

@@ -42,15 +42,15 @@ module CemAcpt
 
           goss_file = File.expand_path(File.join(test_dir, 'goss.yaml'))
           puppet_manifest = File.expand_path(File.join(test_dir, 'manifest.pp'))
-          raise "Goss file not found for test #{test_name}" unless File.exist?(goss_file)
           raise "Puppet manifest not found for test #{test_name}" unless File.exist?(puppet_manifest)
+          raise "Goss file not found for test #{test_name}" unless scan_mode? || File.exist?(goss_file)
 
           bolt_test = File.expand_path(File.join(test_dir, 'bolt.yaml'))
           logger.debug('CemAcpt::TestData') { "Complete test directory found for test #{test_name}: #{test_dir}" }
           test_data = {
             test_name: test_name,
             test_dir: File.expand_path(test_dir),
-            goss_file: goss_file,
+            goss_file: File.exist?(goss_file) ? goss_file : nil,
             puppet_manifest: puppet_manifest,
           }
           test_data[:bolt_test] = bolt_test if File.exist?(bolt_test)
@@ -59,6 +59,7 @@ module CemAcpt
             process_static_vars(test_data_i)
             process_name_pattern_vars(test_name, test_data_i)
             vars_post_processing!(test_data_i)
+            scan_post_processing!(test_data_i) if scan_mode?
             test_data_i.format!
             a << test_data_i
           end
@@ -68,14 +69,69 @@ module CemAcpt
       private
 
       # Locates acceptance tests in the module directory.
+      # In scan mode the predicate is `manifest.pp` (goss.yaml is optional);
+      # otherwise it is `goss.yaml` so the existing acceptance flow is unchanged.
       # @return [Array<String>] the list of acceptance test paths
       def find_acceptance_tests!
-        @acceptance_tests = acpt_test_dir.children.select { |f| f.directory? && File.exist?(File.join(f, 'goss.yaml')) }.map(&:to_s)
+        predicate = scan_mode? ? 'manifest.pp' : 'goss.yaml'
+        @acceptance_tests = acpt_test_dir.children.select { |f| f.directory? && File.exist?(File.join(f, predicate)) }.map(&:to_s)
         raise 'No acceptance tests found' if @acceptance_tests.empty?
 
         logger.info('CemAcpt') { "Found #{@acceptance_tests.size} acceptance tests" }
       end
 
+      def scan_mode?
+        @config.respond_to?(:scan_mode?) && @config.scan_mode?
+      end
+
+      # Resolves scanner, profile, and level for a scan-mode test case and
+      # stuffs them under `:scan` so Provision::Terraform can fan them out
+      # to the on-node scan daemon's config file. The scanner choice prefers
+      # the global `cem_acpt_scan.scanner` override; otherwise it derives
+      # from the test framework (cis -> ciscat, stig -> openscap). The
+      # profile id is looked up by full test-case name from the per-scanner
+      # config map, so this method raises a clear error early when the
+      # mapping is missing — better than provisioning a node and failing
+      # mid-scan.
+      def scan_post_processing!(test_data)
+        require_relative 'scan/errors'
+        framework = test_data[:framework] || test_data['framework']
+        override = @config.get('cem_acpt_scan.scanner')
+        scanner = (override || derive_scanner(framework))&.to_sym
+        raise "Cannot determine scanner for test '#{test_data[:test_name]}' from framework '#{framework}'" unless scanner
+
+        config_key = scanner == :ciscat ? 'cem_acpt_scan.profiles.cis_cat' : 'cem_acpt_scan.profiles.openscap'
+        profiles = @config.get(config_key) || {}
+        profile = profiles[test_data[:test_name]] || profiles[test_data[:test_name].to_sym]
+        raise CemAcpt::Scan::ProfileNotFoundError.new(test_data[:test_name], scanner, "#{config_key}.#{test_data[:test_name]}") if profile.nil? || profile.to_s.empty?
+
+        benchmark = nil
+        if scanner == :ciscat
+          benchmarks = @config.get('cem_acpt_scan.benchmarks.cis_cat') || {}
+          benchmark = benchmarks[test_data[:test_name]] || benchmarks[test_data[:test_name].to_sym]
+          if benchmark.nil? || benchmark.to_s.empty?
+            raise CemAcpt::Scan::BenchmarkNotFoundError.new(
+              test_data[:test_name], scanner,
+              "cem_acpt_scan.benchmarks.cis_cat.#{test_data[:test_name]}"
+            )
+          end
+        end
+
+        test_data[:scan] = {
+          scanner: scanner,
+          profile: profile,
+          level: test_data[:level] || test_data['level'],
+          benchmark: benchmark,
+        }
+      end
+
+      def derive_scanner(framework)
+        case framework.to_s
+        when 'cis' then 'ciscat'
+        when 'stig' then 'openscap'
+        end
+      end
+
       # Processes a for_each statement in the test data config.
       # @param test_data [Hash] the test data hash
       # @return [Array<Hash>] the list of test data hashes

data/lib/cem_acpt/test_runner/log_formatter/scan_result_formatter.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+require_relative 'base'
+
+module CemAcpt
+  module TestRunner
+    module LogFormatter
+      # Formats the results of a {CemAcpt::Scan::Result}. Mirrors the shape of
+      # {GossActionResponse} so the runner's `process_test_results` loop
+      # treats scan results the same way: `summary` for the one-liner,
+      # `results` for the per-rule detail (used at debug only — full per-rule
+      # output bloats normal logs without adding decision-grade information).
+      class ScanResultFormatter < Base
+        def initialize(config, instance_names_ips, subject: nil)
+          super(subject)
+          @config = config
+          @instance_names_ips = instance_names_ips
+        end
+
+        def summary(response = nil)
+          super(response)
+          r = log_subject
+          status = r.pass? ? 'passed' : 'failed'
+          [
+            "SUMMARY: #{status.capitalize}: Scan #{r.test_case}:",
+            "scanner=#{r.scanner}",
+            "score=#{format('%.2f', r.score)}",
+            "threshold=#{format('%.2f', r.threshold)}",
+            "passed=#{r.to_h[:passed_count]}",
+            "failed=#{r.to_h[:failed_count]}",
+          ].join(' ')
+        end
+
+        # CIS-CAT Pro v4 JSON does not carry a severity field, and the
+        # test_runner routes log lines by past-tense prefix ("Passed:",
+        # "Skipped:") to choose log level. Mapping outcome → prefix here
+        # keeps passes at verbose, not-applicable rules at info, and
+        # surfaces fails/errors at error level.
+        OUTCOME_PREFIXES = {
+          'pass' => 'Passed',
+          'fail' => 'Failed',
+          'notchecked' => 'Skipped',
+          'notapplicable' => 'Skipped',
+          'notselected' => 'Skipped',
+        }.freeze
+
+        def results(response = nil)
+          super(response)
+          rules = log_subject.to_h[:rules]
+          return [] unless rules.is_a?(Array)
+
+          rules.map do |rule|
+            outcome = (rule['result'] || rule[:result]).to_s.downcase
+            id = rule['id'] || rule[:id]
+            prefix = OUTCOME_PREFIXES[outcome] || outcome.capitalize
+            "#{prefix}: rule=#{id}"
+          end
+        end
+
+        def host_name(response = nil)
+          super(response)
+          log_subject.test_case
+        end
+
+        def test_name(response = nil)
+          super(response)
+          log_subject.test_case
+        end
+      end
+    end
+  end
+end

data/lib/cem_acpt/test_runner/log_formatter.rb

@@ -3,6 +3,7 @@
 require_relative 'log_formatter/bolt_summary_results_formatter'
 require_relative 'log_formatter/goss_action_response'
 require_relative 'log_formatter/goss_error_formatter'
+require_relative 'log_formatter/scan_result_formatter'
 require_relative 'log_formatter/standard_error_formatter'
 
 module CemAcpt
@@ -19,10 +20,12 @@ module CemAcpt
           end
         when CemAcpt::Bolt::SummaryResults
           BoltSummaryResultsFormatter.new(*args, subject: result)
+        when CemAcpt::Scan::Result
+          ScanResultFormatter.new(*args, subject: result)
         when StandardError
           StandardErrorFormatter.new(result)
         else
-          raise ArgumentError, "result must be a CemAcpt::Goss::Api::ActionResponse, CemAcpt::Bolt::SummaryResults, or StandardError, got #{result.class}"
+          raise ArgumentError, "result must be a CemAcpt::Goss::Api::ActionResponse, CemAcpt::Bolt::SummaryResults, CemAcpt::Scan::Result, or StandardError, got #{result.class}"
         end
       end
     end