cem_acpt 0.11.2 → 0.12.0

data/specifications/CEM-6760.md

@@ -0,0 +1,120 @@
+# CEM-6760 — Fix invalid CIS-CAT Pro Assessor flags in on-node scan daemon
+
+## Summary
+
+The on-node scan daemon's `run_ciscat` helper in
+`lib/terraform/gcp/linux/scan/scan_service.rb` passes two flags that
+CIS-CAT Pro v4's `Assessor-CLI.sh` does not accept: `-rn ciscat-results`
+and `-rjson`. Both are silently ignored — the assessor falls back to a
+hostname-prefixed default filename instead of `ciscat-results.*`, and
+no JSON report is ever written. Only the canonical ARF.xml lands in
+the reports directory, after which the daemon 500s when its parser
+tries to read the JSON file at the expected path. Swap the flags to
+their real names (`-rp`, `-json`) and add `-nts` to suppress the
+auto-appended timestamp so the file lands at the literal path the
+parser already reads.
+
+## Functional Behavior
+
+### `lib/terraform/gcp/linux/scan/scan_service.rb#run_ciscat`
+
+The method currently constructs the assessor command as
+(`scan_service.rb:73-79`):
+
+```ruby
+cmd = [
+  'sudo', '/opt/cis-cat-pro/Assessor-CLI.sh',
+  '-rd', REPORT_DIR,
+  '-rn', 'ciscat-results',
+  '-rjson',
+  '-p', profile,
+]
+```
+
+Replace `-rn` with `-rp` (the real `--report-prefix` flag), replace
+`-rjson` with `-json` (the real JSON-output flag), and append `-nts`
+(`--no-timestamp`) so the assessor does not insert a timestamp segment
+in the filename:
+
+```ruby
+cmd = [
+  'sudo', '/opt/cis-cat-pro/Assessor-CLI.sh',
+  '-rd', REPORT_DIR,
+  '-rp', 'ciscat-results',
+  '-nts',
+  '-json',
+  '-p', profile,
+]
+```
+
+With these three changes the assessor writes JSON to
+`/opt/cem_acpt/scan/reports/ciscat-results.json` — the literal path
+`json_out` at `scan_service.rb:72` already references and
+`parse_ciscat_json` already reads.
+
+The `-l <level>` conditional at `scan_service.rb:81` is unchanged.
+
+## Input/Output Contracts
+
+No method signature changes. The command array passed to
+`Open3.capture3` changes; everything downstream — `parse_ciscat_json`,
+the `error` handling at `scan_service.rb:84`, and the `/scan` HTTP
+response shape — sees the same data flow.
+
+## Constraints / Invariants
+
+- `-rp`, `-json`, and `-nts` are all valid in CIS-CAT Pro v4.x
+  (confirmed against `Assessor-CLI.sh -h` on a v4.63.0-provisioned
+  node). The shipping `cem_acpt_scan` flow installs the assessor from
+  the operator-supplied bundle, so any v4.x release works.
+- ARF.xml continues to be emitted as a side effect — we do not pass
+  `-narf`. Keeping ARF makes it easier to diagnose future scan
+  failures by hand on the node.
+- The `json_out` path constant at `scan_service.rb:72` does not change.
+
+## Tests
+
+Add a text-grep regression spec at
+`spec/terraform/gcp/linux/scan/scan_service_spec.rb` (new path,
+mirroring `lib/`). The spec reads `scan_service.rb` as a string and
+asserts the corrected flag tokens are present and the old ones absent:
+
+- `'-rp', 'ciscat-results'` present, `'-rn', 'ciscat-results'` absent.
+- `'-json'` present, `'-rjson'` absent.
+- `'-nts'` present.
+
+No execution, no `Open3` stubbing, no eval-slicing of the script. The
+behavioral validation (the assessor actually accepting these flags)
+was performed by hand on a v4.63.0 node; the spec's only job is to
+catch an accidental revert.
+
+## Non-Goals
+
+- **Stderr capture on scan failure.** Tracked by CEM-6761.
+- **Missing `-b <benchmark>` flag.** Tracked by CEM-6759. Without it
+  the assessor still exits without scanning anything; this spec only
+  addresses flag-name correctness, not benchmark identification.
+- **JSON key-name mismatch in `parse_ciscat_json`.** Tracked by
+  CEM-6762.
+- **Refactoring `scan_service.rb` for broader testability beyond what
+  is needed to assert the new flag set.**
+
+## Acceptance Criteria
+
+- [ ] `run_ciscat` passes `-rp ciscat-results` instead of
+      `-rn ciscat-results`.
+- [ ] `run_ciscat` passes `-json` instead of `-rjson`.
+- [ ] `run_ciscat` passes `-nts` so the output filename has no
+      timestamp segment.
+- [ ] RSpec regression coverage at
+      `spec/terraform/gcp/linux/scan/scan_service_spec.rb` asserts the
+      corrected flag tokens are present and the old ones absent.
+- [ ] `bundle exec rake spec` passes.
+
+## Files Touched
+
+- `lib/terraform/gcp/linux/scan/scan_service.rb` — `run_ciscat` flag
+  fix.
+- `spec/terraform/gcp/linux/scan/scan_service_spec.rb` — new
+  text-grep regression spec.
+- `specifications/CEM-6760.md` — this file.

data/specifications/CEM-6761.md

@@ -0,0 +1,136 @@
+# CEM-6761 — Surface assessor stderr when result file is missing
+
+## Summary
+
+`run_ciscat` and `run_openscap` in `lib/terraform/gcp/linux/scan/scan_service.rb` use
+`||=` to attach the assessor/oscap exit-code message to `parsed['error']`. Because
+`parse_ciscat_json` / `parse_openscap_xml` set `parsed['error']` to a "Result file
+missing" string whenever the output file is absent, `||=` short-circuits and the
+actual assessor stderr — the reason the file was never written — is silently discarded.
+Engineers debugging a failed scan see only `"Result file missing: …"` with no indication
+of what the scanner printed, making root-cause analysis guesswork.
+
+## Functional Behavior
+
+### `run_ciscat` (`scan_service.rb:71–86`)
+
+**Before:**
+
+```ruby
+_stdout, stderr, status = Open3.capture3(*cmd)
+parsed = parse_ciscat_json(json_out)
+parsed['error'] ||= "Assessor-CLI exited #{status.exitstatus}: #{stderr}" unless status.success? || File.exist?(json_out)
+parsed
+```
+
+**After:**
+
+```ruby
+_stdout, stderr, status = Open3.capture3(*cmd)
+parsed = parse_ciscat_json(json_out)
+unless status.success? || File.exist?(json_out)
+  assessor_msg = "Assessor-CLI exited #{status.exitstatus}: #{stderr.strip}"
+  parsed['error'] = parsed['error'] ? "#{assessor_msg}; #{parsed['error']}" : assessor_msg
+end
+parsed
+```
+
+### `run_openscap` (`scan_service.rb:31–45`)
+
+**Before:**
+
+```ruby
+_stdout, stderr, status = Open3.capture3(*cmd)
+parsed = parse_openscap_xml(xml_out)
+parsed['error'] ||= "oscap exited #{status.exitstatus}: #{stderr}" unless status.success? || File.exist?(xml_out)
+parsed
+```
+
+**After:**
+
+```ruby
+_stdout, stderr, status = Open3.capture3(*cmd)
+parsed = parse_openscap_xml(xml_out)
+unless status.success? || File.exist?(xml_out)
+  oscap_msg = "oscap exited #{status.exitstatus}: #{stderr.strip}"
+  parsed['error'] = parsed['error'] ? "#{oscap_msg}; #{parsed['error']}" : oscap_msg
+end
+parsed
+```
+
+Key changes:
+- `||=` replaced with explicit conditional assignment so both messages are preserved.
+- `stderr.strip` trims trailing newlines from the assessor output before embedding it.
+- Assessor/oscap message is prepended, separated by `"; "`, so the tool-level failure
+  is the first thing the reader sees.
+
+## Input/Output Contracts
+
+**Failure path input:** `Open3.capture3` returns a non-zero exit status *and* the
+result file was not written (the normal failure mode when the assessor crashes early).
+
+**Output:** The `'error'` key in the returned hash contains both messages joined by
+`"; "`:
+
+```
+"Assessor-CLI exited 1: <stderr text>; Result file missing: /opt/cem_acpt/scan/reports/ciscat-results.json"
+```
+
+This string flows back through `perform_scan` → `/scan` endpoint → HTTP 500 response
+body, where the host-side `DaemonClient` surfaces it in the test failure output.
+
+## Edge Cases
+
+- **Assessor exits non-zero but file was written anyway** — the `|| File.exist?` guard
+  is unchanged; stderr is not attached in this case. The parse result stands on its own.
+- **`stderr` is empty or only whitespace** — `.strip` collapses it to `""`, so the
+  message reads `"Assessor-CLI exited 1: "` — still correct, not a crash.
+- **`parse_ciscat_json` returns no `'error'` key** — `parsed['error']` is `nil`;
+  the ternary falls through to the bare `assessor_msg` assignment. Equivalent to
+  the original `||=` behaviour.
+
+## Constraints / Invariants
+
+- The guard condition `unless status.success? || File.exist?(json_out)` is unchanged.
+  This condition defines when stderr is surfaced and must not be relaxed.
+- The normalized output hash shape remains compatible with `CemAcpt::Scan::Result`.
+  No callers change.
+
+## Non-Goals
+
+- Adding a `-b <benchmark>` flag to `run_ciscat` (CEM-6759).
+- Fixing the CIS-CAT Pro JSON key names in `parse_ciscat_json` (CEM-6762 — already done).
+- Capturing assessor stdout; only stderr is relevant for error reporting.
+
+## Tests
+
+Extend `spec/terraform/gcp/linux/scan/scan_service_spec.rb` with two new `describe`
+blocks — one for `run_ciscat` and one for `run_openscap` — that stub `Open3.capture3`
+and exercise the combined-error-message path. The script is already loaded via the
+`SCAN_SERVICE_LOADED` guard, so `run_ciscat` and `run_openscap` are available directly.
+
+For `run_ciscat`: stub `Open3.capture3` to return `['', 'Permission denied', double(exitstatus: 1, success?: false)]`
+and pass a nonexistent `json_out` path (the stub never writes a file). Assert that the
+returned `'error'` string contains both `"Assessor-CLI exited 1"` and `"Result file missing"`.
+
+For `run_openscap`: same pattern with `oscap` stderr. Assert that `'error'` contains
+both `"oscap exited 1"` and `"Result file missing"`.
+
+## Acceptance Criteria
+
+- [ ] `run_ciscat` uses explicit conditional assignment instead of `||=`.
+- [ ] `run_openscap` uses explicit conditional assignment instead of `||=`.
+- [ ] When the result file is absent and the assessor exits non-zero, the `'error'`
+  value includes both the exit-code/stderr message and the "Result file missing" message.
+- [ ] `.strip` is applied to `stderr` before embedding.
+- [ ] All existing specs pass.
+- [ ] New unit tests for the combined-error path pass for both `run_ciscat` and
+  `run_openscap`.
+
+## Files Touched
+
+- `lib/terraform/gcp/linux/scan/scan_service.rb` — fix `run_ciscat` and `run_openscap`.
+- `spec/fixtures/config_testing/user_config_dir/terraform/gcp/linux/scan/scan_service.rb` — mirror update.
+- `spec/fixtures/config_testing/user_config_dir/terraform_checksum.txt` — checksum update.
+- `spec/terraform/gcp/linux/scan/scan_service_spec.rb` — new unit-test contexts for
+  both methods.

data/specifications/CEM-6762.md

@@ -0,0 +1,163 @@
+# CEM-6762 — Parse CIS-CAT Pro v4 rules JSON keys correctly
+
+## Summary
+
+`parse_ciscat_json` in `lib/terraform/gcp/linux/scan/scan_service.rb` reads the wrong
+top-level array key and wrong per-entry keys out of the CIS-CAT Pro Assessor v4 JSON
+report. The parser expects `raw['results']` at the top level, but v4 emits `raw['rules']`.
+Per-entry, it tries `r['id'] || r['rule_id']` for the rule identifier and `r['severity']`
+for severity; v4 uses `r['rule-id']` (hyphen, not underscore) and emits no `severity` field.
+The result-value count bucketing maps `'notapplicable'` to `not_applicable_count`, but v4
+emits `'notchecked'` and `'informational'` instead.
+
+Because the key names don't match, `raw['rules']` resolves to nil, the parser falls back to
+an empty array, and every CIS-CAT Pro scan reports zero passes and zero fails regardless of
+what the assessor found. The top-level `score` key is correct and `.to_f` handles the string
+`"85.95"` format v4 uses, so the score is not broken — this masks the breakage in smoke
+tests. Confirmed against actual `Assessor-CLI.sh -json` output on RHEL 8 while validating
+CEM-6511.
+
+## Functional Behavior
+
+### `parse_ciscat_json` (`scan_service.rb:88–109`)
+
+**Before:**
+
+```ruby
+results = (raw['results'] || []).map do |r|
+  {
+    'id'       => r['id'] || r['rule_id'],
+    'severity' => r['severity'],
+    'result'   => r['result'] || r['status'],
+  }
+end
+score = (raw['score'] || raw['compliance_score'] || 0.0).to_f
+counts = results.group_by { |r| (r['result'] || '').to_s.downcase }.transform_values(&:size)
+{
+  'score'                => score,
+  'passed_count'         => counts['pass'] || 0,
+  'failed_count'         => counts['fail'] || 0,
+  'not_applicable_count' => counts['notapplicable'] || 0,
+  'error_count'          => counts['error'] || 0,
+  'rules'                => results,
+}
+```
+
+**After:**
+
+```ruby
+results = (raw['rules'] || []).map do |r|
+  {
+    'id'     => r['rule-id'],
+    'result' => r['result'],
+  }
+end
+score = (raw['score'] || 0.0).to_f
+counts = results.group_by { |r| (r['result'] || '').to_s.downcase }.transform_values(&:size)
+{
+  'score'                => score,
+  'passed_count'         => counts['pass'] || 0,
+  'failed_count'         => counts['fail'] || 0,
+  'not_applicable_count' => (counts['notchecked'] || 0) + (counts['notapplicable'] || 0),
+  'error_count'          => (counts['error'] || 0) + (counts['informational'] || 0),
+  'rules'                => results,
+}
+```
+
+Key changes:
+- `raw['results']` → `raw['rules']` (v4 top-level key).
+- `r['id'] || r['rule_id']` → `r['rule-id']` (v4 per-entry key; hyphen, not underscore).
+- `r['result'] || r['status']` → `r['result']` (v4 only uses `result`).
+- `severity` field dropped; v4 does not emit it.
+- `not_applicable_count` sums `notchecked` + `notapplicable` — v4 uses `notchecked`; the
+  `notapplicable` term is kept as a defensive fallback for format variants.
+- `error_count` sums `error` + `informational` — v4 uses `informational` for rules that are
+  advisory only.
+- `raw['compliance_score']` fallback removed; not present in v4.
+
+## Input/Output Contracts
+
+**Input:** Path to a CIS-CAT Pro v4 JSON report file. Confirmed v4 shape:
+
+```json
+{
+  "benchmark-id":    "xccdf_org.cisecurity.benchmarks_benchmark_4.0.0_CIS_...",
+  "benchmark-title": "CIS Red Hat Enterprise Linux 8 Benchmark",
+  "profile-id":      "xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server",
+  "score":           "85.95",
+  "rules": [
+    { "rule-id": "xccdf_org.cisecurity.benchmarks_rule_1.1.1.1_...", "rule-title": "...", "result": "pass" },
+    { "rule-id": "xccdf_org.cisecurity.benchmarks_rule_6.1.2_...",   "rule-title": "...", "result": "fail" },
+    { "rule-id": "xccdf_org.cisecurity.benchmarks_rule_6.2.1.1.2_...","rule-title": "...", "result": "notchecked" },
+    { "rule-id": "xccdf_org.cisecurity.benchmarks_rule_5.4.1.2_...", "rule-title": "...", "result": "informational" }
+  ]
+}
+```
+
+**Output:** Hash compatible with the host-side `Scan::Result` constructor (shape unchanged):
+
+```ruby
+{
+  'score'                => 85.95,           # Float; score string coerced with .to_f
+  'passed_count'         => Integer,
+  'failed_count'         => Integer,
+  'not_applicable_count' => Integer,         # notchecked + notapplicable
+  'error_count'          => Integer,         # error + informational
+  'rules'                => [{ 'id' => String, 'result' => String }, ...],
+}
+```
+
+## Edge Cases
+
+- **File missing:** returns `{ 'error' => "Result file missing: #{path}" }` — unchanged.
+- **Empty `rules` array:** all counts zero, `rules` is `[]`; no crash.
+- **`score` as string:** `.to_f` on `"85.95"` returns `85.95`; handled correctly.
+- **`notapplicable` in future format variants:** included in `not_applicable_count` sum as a defensive fallback.
+
+## Constraints / Invariants
+
+- Normalized output hash shape must remain compatible with `CemAcpt::Scan::Result#initialize`. No callers change.
+- `rule-title` is not included in normalized rule entries; `rule-id` is sufficient as the unique identifier.
+
+## Non-Goals
+
+- Adding the `-b <benchmark>` flag to `run_ciscat` (CEM-6759).
+- Surfacing assessor stderr on failure (CEM-6761).
+- Parsing OpenSCAP XML results (`parse_openscap_xml` is a separate method and is unaffected).
+
+## Tests
+
+Extend `spec/terraform/gcp/linux/scan/scan_service_spec.rb` with a new `describe` context
+for `parse_ciscat_json`. Because `scan_service.rb` is a standalone script that starts a
+WEBrick server at load time, the spec loads it via `load` after stubbing
+`WEBrick::HTTPServer.new` (returning a double that silently absorbs `mount_proc`, `start`,
+and `shutdown`) and `FileUtils.mkdir_p` (to avoid creating `/opt/cem_acpt/scan/reports` on
+the test host). After loading, `parse_ciscat_json` is defined at the top level and callable
+directly.
+
+The fixture is a small inline JSON string mirroring the confirmed v4 shape, written to a
+`Tempfile`. Tests assert:
+
+- All four result values (`pass`, `fail`, `notchecked`, `informational`) are counted in the
+  correct bucket.
+- `rules` entries carry `id` from `rule-id` and `result` from `result`; no `severity` key.
+- A non-existent path returns `{ 'error' => /Result file missing/ }`.
+
+The existing CEM-6760 text-grep assertions are untouched.
+
+## Acceptance Criteria
+
+- [ ] `parse_ciscat_json` reads `raw['rules']` instead of `raw['results']`.
+- [ ] Rule entries use `r['rule-id']` for `id`; `r['rule_id']` and `r['id']` are no longer referenced.
+- [ ] `severity` is no longer extracted from rule entries.
+- [ ] `not_applicable_count` counts `notchecked` and `notapplicable` result values.
+- [ ] `error_count` counts `error` and `informational` result values.
+- [ ] All existing specs pass.
+- [ ] New unit tests for `parse_ciscat_json` pass with a v4-shaped fixture.
+
+## Files Touched
+
+- `lib/terraform/gcp/linux/scan/scan_service.rb` — fix `parse_ciscat_json`.
+- `spec/fixtures/config_testing/user_config_dir/terraform/gcp/linux/scan/scan_service.rb` — mirror update.
+- `spec/fixtures/config_testing/user_config_dir/terraform_checksum.txt` — checksum update.
+- `spec/terraform/gcp/linux/scan/scan_service_spec.rb` — new `parse_ciscat_json` unit-test context.

data/specifications/CEM-6765.md

@@ -0,0 +1,101 @@
+# CEM-6765 — Remove stray `-l` flag from CIS-CAT Pro Assessor invocation
+
+## Summary
+
+The on-node scan daemon's `run_ciscat` helper in `lib/terraform/gcp/linux/scan/scan_service.rb` appends `-l <level>` to the assessor command. In CIS-CAT Pro v4, `-l` is `--list` ("List available assessment content"), not a level argument. The assessor parses `-l 2`, ignores the `2`, treats the invocation as a list request, prints the numbered benchmark catalog, exits zero, and writes no JSON report. This silently hijacks every CIS-CAT Pro scan regardless of how the rest of the pipeline is configured — masking CEM-6759's `-b` wiring and every prior blocker fix. Confirmed against `Assessor-CLI.sh -h` on a v4.63.0-provisioned node: `-l` has no level meaning. Scan level is encoded in the profile id (`Level_2_-_Server`), not a separate flag.
+
+Drop the `-l` flag, drop the now-unused `level` parameter from `run_ciscat`, and drop the corresponding argument from the `perform_scan` call site.
+
+## Functional Behavior
+
+### `lib/terraform/gcp/linux/scan/scan_service.rb#run_ciscat`
+
+The method currently constructs the assessor command as (`scan_service.rb:74-85`):
+
+```ruby
+def run_ciscat(profile, level, benchmark)
+  json_out = File.join(REPORT_DIR, 'ciscat-results.json')
+  cmd = [
+    'sudo', '/opt/cis-cat-pro/Assessor-CLI.sh',
+    '-rd', REPORT_DIR,
+    '-rp', 'ciscat-results',
+    '-nts',
+    '-json',
+    '-p', profile,
+  ]
+  cmd += ['-b', "/opt/cis-cat-pro/benchmarks/#{benchmark}"] if benchmark
+  cmd += ['-l', level.to_s] if level
+```
+
+Drop the `level` parameter and the `-l` append:
+
+```ruby
+def run_ciscat(profile, benchmark)
+  json_out = File.join(REPORT_DIR, 'ciscat-results.json')
+  cmd = [
+    'sudo', '/opt/cis-cat-pro/Assessor-CLI.sh',
+    '-rd', REPORT_DIR,
+    '-rp', 'ciscat-results',
+    '-nts',
+    '-json',
+    '-p', profile,
+  ]
+  cmd += ['-b', "/opt/cis-cat-pro/benchmarks/#{benchmark}"] if benchmark
+```
+
+### `lib/terraform/gcp/linux/scan/scan_service.rb#perform_scan`
+
+Update the call site (`scan_service.rb:124`):
+
+```ruby
+# before:
+when 'ciscat'
+  run_ciscat(cfg['profile'], cfg['level'], cfg['benchmark'])
+
+# after:
+when 'ciscat'
+  run_ciscat(cfg['profile'], cfg['benchmark'])
+```
+
+The `cfg['level']` key remains in the daemon's `scan_config.json` payload — it is unused by `run_ciscat` after this change but harmless. Removing it from the host-side JSON payload is left as a follow-up cleanup, not a blocker.
+
+## Input/Output Contracts
+
+`run_ciscat` loses its `level` positional argument; signature shrinks from three positional args to two. Everything downstream (`parse_ciscat_json`, the error handling at `scan_service.rb:87-90`, and the `/scan` HTTP response shape) is unchanged.
+
+## Constraints / Invariants
+
+- `-l` is `--list` in CIS-CAT Pro v4.x and has no level meaning — confirmed from `Assessor-CLI.sh -h` on a v4.63.0 node during CEM-6765's investigation. There is no separate level flag in the v4 CLI.
+- Scan level is already encoded in the profile id (e.g. `xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server`). Removing the redundant `-l` does not change which controls the assessor evaluates.
+- `test_data[:scan][:level]` is unaffected. It is still extracted by `test_data.rb`'s `vars_post_processing` from the test-case name pattern and remains available in the scan config payload for logging and openscap.
+
+## Tests
+
+Add a text-grep regression to `spec/terraform/gcp/linux/scan/scan_service_spec.rb` asserting `'-l'` is absent from `run_ciscat`'s command array.
+
+Update the existing CEM-6761 `run_ciscat` stub tests at `spec/terraform/gcp/linux/scan/scan_service_spec.rb:171` to drop the level positional argument — `run_ciscat('profile-id', 'benchmark.xml')` instead of `run_ciscat('profile-id', 2, 'benchmark.xml')`.
+
+Behavioral validation (the assessor producing a JSON report with the corrected command) was performed by hand on a v4.63.0 node during CEM-6765's investigation. That evidence is stronger than any unit test we could write without a live assessor binary.
+
+## Non-Goals
+
+- **Removing `cfg['level']` from `scan_config.json`.** The level remains in the payload as a harmless metadata field. Removing it would touch `provision/terraform.rb` and ripple through CEM-6759's tests for no functional gain.
+- **Dropping `level` extraction from `test_data.rb`.** It is still useful for logging and openscap.
+- **Refactoring `run_ciscat` further.**
+
+## Acceptance Criteria
+
+- [ ] `run_ciscat` no longer passes `-l` to `Assessor-CLI.sh`.
+- [ ] `run_ciscat`'s signature is `(profile, benchmark)` — no `level` parameter.
+- [ ] `perform_scan` calls `run_ciscat(cfg['profile'], cfg['benchmark'])`.
+- [ ] RSpec regression coverage at `spec/terraform/gcp/linux/scan/scan_service_spec.rb` asserts `'-l'` is not in the script.
+- [ ] CEM-6761 `run_ciscat` stub tests pass the new two-arg signature.
+- [ ] `bundle exec rake spec` passes.
+
+## Files Touched
+
+- `lib/terraform/gcp/linux/scan/scan_service.rb` — drop `-l` flag and `level` parameter.
+- `spec/fixtures/config_testing/user_config_dir/terraform/gcp/linux/scan/scan_service.rb` — fixture mirror.
+- `spec/fixtures/config_testing/user_config_dir/terraform_checksum.txt` — updated checksum.
+- `spec/terraform/gcp/linux/scan/scan_service_spec.rb` — `-l` absence text-grep, two-arg `run_ciscat` calls.
+- `specifications/CEM-6765.md` — this file.

metadata

@@ -1,13 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cem_acpt
 version: !ruby/object:Gem::Version
-  version: 0.11.2
+  version: 0.12.0
 platform: ruby
 authors:
 - puppetlabs
+autorequire:
 bindir: exe
 cert_chain: []
-date: 1980-01-02 00:00:00.000000000 Z
+date: 2026-06-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: async-http
@@ -219,6 +220,7 @@ email:
 executables:
 - cem_acpt
 - cem_acpt_image
+- cem_acpt_scan
 extensions: []
 extra_rdoc_files: []
 files:
@@ -252,6 +254,7 @@ files:
 - docs/rfcs/README.md
 - exe/cem_acpt
 - exe/cem_acpt_image
+- exe/cem_acpt_scan
 - lib/cem_acpt.rb
 - lib/cem_acpt/actions.rb
 - lib/cem_acpt/bolt.rb
@@ -272,6 +275,7 @@ files:
 - lib/cem_acpt/config/base.rb
 - lib/cem_acpt/config/cem_acpt.rb
 - lib/cem_acpt/config/cem_acpt_image.rb
+- lib/cem_acpt/config/cem_acpt_scan.rb
 - lib/cem_acpt/core_ext.rb
 - lib/cem_acpt/goss.rb
 - lib/cem_acpt/goss/api.rb
@@ -286,12 +290,15 @@ files:
 - lib/cem_acpt/platform.rb
 - lib/cem_acpt/platform/base.rb
 - lib/cem_acpt/platform/gcp.rb
-- lib/cem_acpt/provision.rb
 - lib/cem_acpt/provision/terraform.rb
 - lib/cem_acpt/provision/terraform/linux.rb
 - lib/cem_acpt/provision/terraform/os_data.rb
 - lib/cem_acpt/provision/terraform/terraform_cmd.rb
 - lib/cem_acpt/provision/terraform/windows.rb
+- lib/cem_acpt/scan.rb
+- lib/cem_acpt/scan/daemon_client.rb
+- lib/cem_acpt/scan/errors.rb
+- lib/cem_acpt/scan/result.rb
 - lib/cem_acpt/test_data.rb
 - lib/cem_acpt/test_runner.rb
 - lib/cem_acpt/test_runner/log_formatter.rb
@@ -299,6 +306,7 @@ files:
 - lib/cem_acpt/test_runner/log_formatter/bolt_summary_results_formatter.rb
 - lib/cem_acpt/test_runner/log_formatter/goss_action_response.rb
 - lib/cem_acpt/test_runner/log_formatter/goss_error_formatter.rb
+- lib/cem_acpt/test_runner/log_formatter/scan_result_formatter.rb
 - lib/cem_acpt/test_runner/log_formatter/standard_error_formatter.rb
 - lib/cem_acpt/test_runner/test_results.rb
 - lib/cem_acpt/utils.rb
@@ -314,6 +322,8 @@ files:
 - lib/terraform/gcp/linux/goss/puppet_noop.yaml
 - lib/terraform/gcp/linux/log_service/log_service.rb
 - lib/terraform/gcp/linux/main.tf
+- lib/terraform/gcp/linux/scan/scan_service.rb
+- lib/terraform/gcp/linux/scan/scan_service.service
 - lib/terraform/gcp/linux/systemd/goss-acpt.service
 - lib/terraform/gcp/linux/systemd/goss-idempotent.service
 - lib/terraform/gcp/linux/systemd/goss-noop.service
@@ -324,6 +334,7 @@ files:
 - lib/terraform/image/gcp/linux/main.tf
 - lib/terraform/image/gcp/windows/.keep
 - sample_config.yaml
+- specifications/CEM-6511.md
 - specifications/CEM-6713.md
 - specifications/CEM-6714.md
 - specifications/CEM-6715.md
@@ -331,6 +342,12 @@ files:
 - specifications/CEM-6717.md
 - specifications/CEM-6718.md
 - specifications/CEM-6719.md
+- specifications/CEM-6720.md
+- specifications/CEM-6759.md
+- specifications/CEM-6760.md
+- specifications/CEM-6761.md
+- specifications/CEM-6762.md
+- specifications/CEM-6765.md
 homepage: https://github.com/puppetlabs/cem_acpt
 licenses:
 - proprietary
@@ -338,6 +355,7 @@ metadata:
   homepage_uri: https://github.com/puppetlabs/cem_acpt
   source_code_uri: https://github.com/puppetlabs/cem_acpt
   changelog_uri: https://github.com/puppetlabs/cem_acpt
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -352,7 +370,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.9
+rubygems_version: 3.5.22
+signing_key:
 specification_version: 4
 summary: CEM Acceptance Tests
 test_files: []

data/lib/cem_acpt/provision.rb

@@ -1,20 +0,0 @@
-# frozen_string_literal: true
-
-require_relative 'logging'
-require_relative 'provision/terraform'
-
-module CemAcpt
-  module Provision
-    include CemAcpt::Logging
-
-    def self.new_provisioner(config, provision_data)
-      case config.get('provisioner')
-      when 'terraform'
-        logger.debug('CemAcpt::Provision') { 'Using Terraform provisioner' }
-        CemAcpt::Provision::Terraform.new(config, provision_data)
-      else
-        raise ArgumentError, "Unknown provisioner #{config.get('provisioner')}"
-      end
-    end
-  end
-end