Awesome
Dockerfile-sec
Dockerfile-sec is a simple but powerful rules-based checker for Dockerfiles.
Install
> pip install dockerfile-sec
Quick start
Analyze a Dockerfile
> dockerfile-sec examples/Dockerfile-example
+----------+-------------------------------------------+----------+
| Rule Id | Description | Severity |
+----------+-------------------------------------------+----------+
| core-002 | Missing USER sentence in dockerfile | Medium |
| core-003 | Posible text plain password in dockerfile | High |
| core-005 | Recursive copy found | Medium |
| core-006 | Use of COPY instead of ADD | Low |
| core-007 | Use image tag instead of SHA256 hash | Medium |
| cred-001 | Generic credential | Medium |
+----------+-------------------------------------------+----------+
Using docker
> cat Dockerfile | docker run --rm -t cr0hn/dockerfile-sec
IMPORTANT: By using docker you can pass a rules file or a docker file as paramenter. You need to use a pipe or mount a volume
Usage
With remote rules
> dockerfile-sec -r http://127.0.0.1:9999/rules/credentials.yaml Dockerfile
With built-in rules
All rules
All rules are enabled by default:
> dockerfile-sec Dockerfile
Core rules only
https://github.com/cr0hn/dockerfile-security/blob/master/dockerfile_sec/rules/core.yaml
> dockerfile-sec -R core Dockerfile
Credentials rules only
https://github.com/cr0hn/dockerfile-security/blob/master/dockerfile_sec/rules/credentials.yaml
> dockerfile-sec -R credentials Dockerfile
Disabling built-in rules
> dockerfile-sec -R none Dockerfile
With user defined rules
> dockerfile-sec -r my-rules.yaml Dockerfile
Export results as json
> dockerfile-sec -o results.json Dockerfile
Quiet mode
Not writing anything in the console:
> dockerfile-sec -q -o results.json Dockerfile
Filtering false positives
By ignore file
Dockerfile-sec allows to ignore rules by using a file that contains the rules you want to ignore.
> dockerfile-sec -F ignore-rules.text Dockerfile
Ignore file format contains the IDs of rules you want to ignore. one ID per line. Example:
> ls ignore-rules.text
core-001
core-007
By using the cli
You also can use cli to ignore specific IDs:
> dockerfile-sec -i core-001,core007 Dockerfile
Using as a pipeline
You also can use dockerfile-sec as UNIX pipeline.
Loading Dockerfile from stdin:
> cat Dockerfile | dockerfile-sec -i core-001,core007
Exposing results via pipe:
> cat Dockerfile | dockerfile-sec -i core-001,core007 | jq
Output formats
JSON Output format
[
{
"description": "Missing USER sentence in dockerfile",
"id": "core-002",
"reference": "https://snyk.io/blog/10-docker-image-security-best-practices/",
"severity": "Medium"
}
]