Minor Dependabot & Dockerfile cleanup #221

Merged
merged 10 commits into from
Feb 3, 2024
13 changes: 11 additions & 2 deletions Dockerfile
Expand Up @@ -23,8 +23,6 @@
# use as builder image to pull in required deps
FROM alpine@sha256:6457d53fb065d6f250e1504b9bc42d5b6c65941d57532c072d929dd0628977d0 AS builder

LABEL org.opencontainers.image.source="https://github.com/alpinelinux/docker-alpine"

ENV PYTHONUNBUFFERED=1

COPY requirements-docker.txt /tmp/requirements-docker.txt
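Review bot: the two lines this hunk drops from the `builder` stage (the header counts go from 8 to 6, and the same `org.opencontainers.image.source` label reappears in the final stage below) cost nothing, because labels set on an intermediate stage never make it into the final image. What the builder stage still lacks is a comment saying which Alpine release the digest in `FROM alpine@sha256:6457d5...` corresponds to; a bare digest pin is the right thing for reproducibility, but without the version next to it a reviewer cannot tell at a glance whether a future bump is a patch or a major upgrade.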
Expand All @@ -48,6 +46,17 @@ FROM alpine@sha256:6457d53fb065d6f250e1504b9bc42d5b6c65941d57532c072d929dd062897

COPY --from=builder /usr /usr

LABEL \
org.opencontainers.image.title="ElectricEye" \
org.opencontainers.image.description="ElectricEye is a multi-cloud, multi-SaaS Python CLI tool for Asset Management, Security Posture Management & Attack Surface Monitoring supporting 100s of services and evaluations to harden your CSP & SaaS environments with controls mapped to over 20 industry, regulatory, and best practice controls frameworks." \
org.opencontainers.image.version="3.0" \
org.opencontainers.image.created="2024-02-02T00:00:00Z" \
org.opencontainers.image.documentation="https://github.com/jonrau1/ElectricEye" \
org.opencontainers.image.revision="sha256:6457d53fb065d6f250e1504b9bc42d5b6c65941d57532c072d929dd0628977d0" \
org.opencontainers.image.source="https://github.com/alpinelinux/docker-alpine" \
org.opencontainers.image.licenses="Apache-2.0" \
org.opencontainers.image.authors="[email protected]"

# NOTE: This will copy all application files and auditors to the container
# IMPORTANT: ADD YOUR TOML CONFIGURATIONS BEFORE YOU BUILD THIS! - or use docker run -v options to override

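Review bot: several values in the new `LABEL` block do not match what the OCI annotation keys mean. `org.opencontainers.image.revision` is defined as the source-control revision of the packaged software, so it should carry the ElectricEye git commit, not the Alpine base-image digest; that digest belongs under `org.opencontainers.image.base.digest` (with `org.opencontainers.image.base.name` for the base reference). Likewise `org.opencontainers.image.source` should point at this project's repository, which is exactly what the `documentation` label already does, rather than `https://github.com/alpinelinux/docker-alpine`. Suggest passing these in as build args so they cannot go stale, e.g. `ARG GIT_SHA` / `ARG BUILD_DATE` and then `org.opencontainers.image.revision="${GIT_SHA}"` and `org.opencontainers.image.created="${BUILD_DATE}"`; as written the hard-coded `2024-02-02T00:00:00Z` and `3.0` will be wrong on the next build, and the base digest now lives in two places (the `FROM` line and the label) that will drift if only one is updated.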
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -57,7 +57,7 @@ ElectricEye is a multi-cloud, multi-SaaS Python CLI tool for Asset Management, S

- Multi-faceted Attack Surface Monitoring uses tools such as VirusTotal, Nmap, Shodan.io, Detect-Secrets, and CISA's KEV to locate assets indexed on the internet, find exposed services, locate exploitable vulnerabilities, and malicious packages in artifact repositories, respectively.

- Outputs to [AWS Security Hub](https://aws.amazon.com/security-hub/), [AWS DocumentDB](https://aws.amazon.com/documentdb/), JSON, CSV, HTML Reports, [MongoDB](https://www.mongodb.com/), [Amazon SQS](https://aws.amazon.com/sqs/), [PostgreSQL](https://www.postgresql.org/), [Slack](https://slack.com/) (via Slack App Bots), and [FireMon Cloud Defense](https://www.firemon.com/introducing-disruptops/).
- Outputs to [AWS Security Hub](https://aws.amazon.com/security-hub/), the [Open Cyber Security Framework (OCSF)](https://github.com/ocsf/) [V1.1.0](https://schema.ocsf.io/1.1.0/?extensions=) in JSON, [AWS DocumentDB](https://aws.amazon.com/documentdb/), JSON, CSV, HTML Reports, [MongoDB](https://www.mongodb.com/), [Amazon SQS](https://aws.amazon.com/sqs/), [PostgreSQL](https://www.postgresql.org/), [Slack](https://slack.com/) (via Slack App Bots), and [FireMon Cloud Defense](https://www.firemon.com/introducing-disruptops/).

ElectricEye's core concept is the **Auditor** which are sets of Python scripts that run **Checks** per Service dedicated to a specific SaaS vendor or public cloud service provider called an **Assessment Target**. You can run an entire Assessment Target, a specific Auditor, or a specific Check within an Auditor. After ElectricEye is done with evaluations, it supports over a dozen types of **Outputs** ranging from an HTML executive report to AWS DocumentDB clusters - you can run multiple Outputs as you see fit.

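Review bot: the expansion of OCSF in the new bullet is wrong; OCSF stands for Open Cybersecurity Schema Framework, not "Open Cyber Security Framework", so the link text should read `[Open Cybersecurity Schema Framework (OCSF)](https://github.com/ocsf/)`. Also, listing "the OCSF V1.1.0 in JSON" and then a bare "JSON" in the same sentence reads as if they were one output; say that the second item is ElectricEye's native JSON output so readers do not conflate the two.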
14 changes: 14 additions & 0 deletions docs/outputs/OUTPUTS.md
Expand Up @@ -492,6 +492,20 @@ To use this Output include the following arguments in your ElectricEye CLI: `pyt
}
```

## Open Cyber Security Format (OCSF) V1.1.0 Output

The OCSF V1.1.0 Output selection will convert all ElectricEye findings into the OCSF format (in JSON) which is a normalized and standardized security-centric data model, well-suited to ingestion in Data Lakes and Data Lake Houses built upon Amazon Security Lake, AWS Glue Data Catalog, Snowflake, Apache Iceberg, Google BigQuery, and more. The Event Class used for this finding is [`compliance_finding [2003]`](https://schema.ocsf.io/1.1.0/classes/compliance_finding?extensions=)

This Output will provide the `ProductFields.AssetDetails` information, it is mapped within `resource.data`.

To use this Output include the following arguments in your ElectricEye CLI: `python3 eeauditor/controller.py {..args..} -o ocsf_v1_1_0`

### Example Open Cyber Security Format (OCSF) V1.1.0 Output

```json
{}
```

## MongoDB & AWS DocumentDB Output

The MongoDB Output selection will write all ElectricEye findings to a MongoDB database or to an AWS DocumentDB Instance/Cluster along with the `ProductFields.AssetDetails` using `pymongo`. To facilitate mutable records being written to a Collection, ElectricEye will duplicate the ASFF `Id` (the finding's GUID) into the MongoDB `_id` field and write all records sequentially using the `update_one(upsert=True)` method within `pymongo`. This is written with a filter to replace the entire record where and existing `_id` is located.
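Review bot: the fenced block under `### Example Open Cyber Security Format (OCSF) V1.1.0 Output` is an empty `{}` placeholder; an empty sample in shipped docs is worse than none, so either paste a real `compliance_finding` record produced by `-o ocsf_v1_1_0` or mark the section as TODO until one exists. The heading and first sentence also expand OCSF as "Open Cyber Security Format", which is neither the project's name (Open Cybersecurity Schema Framework) nor consistent with the README wording changed in this same PR. Minor: the sentence ending with the `compliance_finding [2003]` link has no terminating period, and "This Output will provide the `ProductFields.AssetDetails` information, it is mapped within `resource.data`" is a comma splice; "...information; it is mapped to `resource.data`" reads better.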