Home

Awesome

docker-security-checker

This repository contains OPA Rego policies for Dockerfile Security checks using Conftest

Sample rego policy for using COPY instead of ADD in Dockerfile

deny[msg] {
    input[i].Cmd == "add"
    val := concat(" ", input[i].Value)
    msg = sprintf("Use COPY instead of ADD: %s", [val])
}

Running the conftest with security policies

conftest test Dockerfile
WARN - Dockerfile - Do not use latest tag with image: ["ubuntu:latest"]
FAIL - Dockerfile - Suspicious ENV key found: ["SECRET", "AKIGG23244GN2344GHG"]
FAIL - Dockerfile - Use COPY instead of ADD: app /app
FAIL - Dockerfile - Use COPY instead of ADD: code /tmp/code

5 tests, 1 passed, 1 warning, 3 failures

Try it out yourself

Katacoda Playground for docker-security-checker

Contribution