Awesome

docker-security-checker

This repository contains OPA Rego policies for Dockerfile Security checks using Conftest

• The rego policy rules can be found at policy/security.rego

Sample rego policy for using COPY instead of ADD in Dockerfile

deny[msg] {
    input[i].Cmd == "add"
    val := concat(" ", input[i].Value)
    msg = sprintf("Use COPY instead of ADD: %s", [val])
}

Running the conftest with security policies

• Run the following command to test security policies against the Dockerfile

conftest test Dockerfile

• Now you can see the below example output

WARN - Dockerfile - Do not use latest tag with image: ["ubuntu:latest"]
FAIL - Dockerfile - Suspicious ENV key found: ["SECRET", "AKIGG23244GN2344GHG"]
FAIL - Dockerfile - Use COPY instead of ADD: app /app
FAIL - Dockerfile - Use COPY instead of ADD: code /tmp/code

5 tests, 1 passed, 1 warning, 3 failures

Try it out yourself

• I have created this scenario in katacoda playground to learn and try out yourself

• Read more about it at https://blog.madhuakula.com/dockerfile-security-checks-using-opa-rego-policies-with-conftest-32ab2316172f

Contribution

• You can add more policies at policy directory with more information by adding comments