Oracle Cloud Infrastructure – Cleanup Vulnerability Scan Reports

Sometimes it’s hard to clean up old, unused compartments. A lot of resources are still around, and some of them, like the VSS scan results from Vulnerability Scanning, are not visible in the Oracle Cloud Infrastructure console. For most of them there is a solution available with the OCI command-line tool, or you can solve it with a few lines of Python. And when using the Cloud Shell in the OCI Console, you can execute the code immediately without provisioning any additional server.

The Case – Compartment Delete Workflow failed

When verifying the workflow, we see that the deletion failed because of some leftover resources. We must delete them all before the compartment deletion workflow runs through. There are other leftovers too, like Management Dashboard Searches, but let’s keep the focus on the VSS scans.

Troubleshooting

There is an Oracle document available to troubleshoot the Vulnerability Scanning service: Troubleshooting the Vulnerability Scanning service (oracle.com).

In the section Delete Compartment Failed you find a Python code block that deletes all available scan reports in a compartment for every scan type (host agent, port, CIS benchmark, container image). To speed up the process, I used the Oracle Cloud Infrastructure Cloud Shell to run the Python script. All I had to do was set the correct compartment OCID.

Python Code

import oci
import sys

# Compartment whose scan results should be removed (adapt this OCID)
compartment = "ocid1.compartment.oc1..aaaaaaaactjmqnfhqtc6hlq7x7lgtlfquppbcngffniftnlnxihczi4p7fsa"

def list_scans(list_func, compartment):
    # Follow all result pages so that nothing is left behind
    try:
        scans = oci.pagination.list_call_get_all_results(
            list_func,
            compartment
        ).data
        return scans
    except Exception as e:
        raise RuntimeError("Error listing scans in compartment " + compartment + ": " + str(e.args))

def delete_scans(delete_func, scans):
    # Each scan result summary carries the OCID in its id attribute
    for s in scans:
        try:
            delete_func(s.id)
        except Exception as e:
            raise RuntimeError("Error deleting scan " + s.id + ": " + str(e.args))

config = oci.config.from_file()

# Quick safety check
print("Using compartment " + compartment)
if input("Do you want to delete all scan results (host, port, CIS, container) in this compartment? [y/N]: ") != "y":
    sys.exit()

# Create the client from the config
client = oci.vulnerability_scanning.VulnerabilityScanningClient(config)

# Host agent scans
print("Listing agent scans to delete...")
host_scans = list_scans(client.list_host_agent_scan_results, compartment)
print("Deleting " + str(len(host_scans)) + " host scans")
delete_scans(client.delete_host_agent_scan_result, host_scans)

# Host port scans
print("Listing port scans to delete...")
port_scans = list_scans(client.list_host_port_scan_results, compartment)
print("Deleting " + str(len(port_scans)) + " port scans")
delete_scans(client.delete_host_port_scan_result, port_scans)

# Host CIS benchmarks
print("Listing CIS scans to delete...")
cis_benchmarks = list_scans(client.list_host_cis_benchmark_scan_results, compartment)
print("Deleting " + str(len(cis_benchmarks)) + " CIS scans")
delete_scans(client.delete_host_cis_benchmark_scan_result, cis_benchmarks)

# Container scans
print("Listing container image scans to delete...")
container_scans = list_scans(client.list_container_scan_results, compartment)
print("Deleting " + str(len(container_scans)) + " container image scans")
delete_scans(client.delete_container_scan_result, container_scans)

Just copy and paste the code into a new file in Cloud Shell, adapt the compartment OCID and run it.
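Before deleting anything it is useful to see how many scan results of each type are left, and after the run to verify that the compartment really is empty of them. The following variant is an added example, not the script from the Oracle document: it takes the compartment OCID as a command-line argument (a placeholder for your own), pages through the results manually via the SDK Response attributes has_next_page and next_page, and only deletes when called with --delete. The fake client and scan counts in the self-test are constructed.

```python
"""Inventory, delete and verify VSS scan results per scan type (dry run by default)."""
import sys

# Scan types handled by the cleanup script: (list method, delete method) on the client
SCAN_TYPES = {
    "host agent": ("list_host_agent_scan_results", "delete_host_agent_scan_result"),
    "host port": ("list_host_port_scan_results", "delete_host_port_scan_result"),
    "CIS benchmark": ("list_host_cis_benchmark_scan_results", "delete_host_cis_benchmark_scan_result"),
    "container image": ("list_container_scan_results", "delete_container_scan_result"),
}

def list_all(list_func, compartment):
    """Follow the opc-next-page tokens so every result page is collected."""
    results, page = [], None
    while True:
        resp = list_func(compartment, page=page)
        results.extend(resp.data)
        if not resp.has_next_page:
            return results
        page = resp.next_page

def scan_inventory(client, compartment):
    """Return {scan type: [scan OCIDs]} without deleting anything (dry run)."""
    return {name: [s.id for s in list_all(getattr(client, lst), compartment)]
            for name, (lst, _) in SCAN_TYPES.items()}

def delete_all(client, compartment):
    """Delete every scan result of every type; returns {scan type: number deleted}."""
    deleted = {}
    for name, (lst, dele) in SCAN_TYPES.items():
        ids = [s.id for s in list_all(getattr(client, lst), compartment)]
        for scan_id in ids:
            getattr(client, dele)(scan_id)
        deleted[name] = len(ids)
    return deleted

def is_clean(client, compartment):
    """True when no scan results remain, i.e. VSS no longer blocks the compartment delete."""
    return not any(scan_inventory(client, compartment).values())

if __name__ == "__main__":
    import oci  # only needed for a real run in Cloud Shell
    compartment = sys.argv[1]  # placeholder: pass your own compartment OCID
    client = oci.vulnerability_scanning.VulnerabilityScanningClient(oci.config.from_file())
    for name, ids in scan_inventory(client, compartment).items():
        print(f"{name}: {len(ids)} scan result(s)")
    if "--delete" in sys.argv and input("Delete all of the above? [y/N]: ") == "y":
        print("deleted:", delete_all(client, compartment))
        print("compartment clean:", is_clean(client, compartment))
```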

Cleanup Run

This is how it looks when running the Python code; in my case, 11 CIS scans were found and deleted. Verify that the proper compartment OCID is used, then confirm.

And now? Happy compartment deletion 🙂