dockerfile-sec 1.0.6

Creator: bigcodingguy24


Dockerfile-sec
Dockerfile-sec is a simple but powerful rules-based checker for Dockerfiles.
Install
> pip install dockerfile-sec

Quick start
Analyze a Dockerfile
> dockerfile-sec examples/Dockerfile-example
+----------+-------------------------------------------+----------+
| Rule Id  | Description                               | Severity |
+----------+-------------------------------------------+----------+
| core-002 | Missing USER sentence in dockerfile       | Medium   |
| core-003 | Posible text plain password in dockerfile | High     |
| core-005 | Recursive copy found                      | Medium   |
| core-006 | Use of COPY instead of ADD                | Low      |
| core-007 | Use image tag instead of SHA256 hash      | Medium   |
| cred-001 | Generic credential                        | Medium   |
+----------+-------------------------------------------+----------+
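To make the findings above concrete, here is a small rules-based checker of the same kind, written as an added illustration for this page; it is not dockerfile-sec's own code. The rule IDs follow the table, the descriptions are paraphrased, and the regular expressions, the handling of multi-stage builds and the sample Dockerfile are assumptions of the example.

```python
"""Added illustration of a rules-based Dockerfile checker (not dockerfile-sec's
code).  Rule IDs follow the quick-start table; the regexes, the multi-stage
handling and the sample Dockerfile are this example's own assumptions."""
import json
import re


def instructions(text):
    """Return (line_number, instruction) pairs: comments and blank lines are
    dropped and backslash continuations are joined, so each rule sees one
    complete instruction at a time."""
    out, buf, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not buf:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((start, (buf + line).strip()))
        buf = ""
    if buf:  # unterminated continuation at end of file
        out.append((start, buf.strip()))
    return out


# (id, description, severity, regex, fires_when_absent)
RULES = [
    ("core-002", "Missing USER instruction in Dockerfile", "Medium",
     re.compile(r"^USER\s+\S", re.I), True),
    ("core-003", "Possible plain-text password in Dockerfile", "High",
     # ENV/ARG whose name contains PASSWORD/PASSWD/SECRET and whose value is a
     # literal rather than a $VARIABLE reference; a bare `ARG DB_PASSWORD`
     # (value supplied at build time) does not match.
     re.compile(r"^(?:ENV|ARG)\s+\S*(?:PASSWORD|PASSWD|SECRET)\S*?(?:=|\s+)(?!\$)\S", re.I), False),
    ("core-005", "Recursive copy of the whole build context", "Medium",
     re.compile(r"^(?:COPY|ADD)\s+(?:--\S+\s+)*\./?\s+\S", re.I), False),
    ("core-006", "Use of ADD where COPY would do", "Low",
     re.compile(r"^ADD\s", re.I), False),
    ("cred-001", "Generic credential", "Medium",
     re.compile(r"\b(?i:api[_-]?key|access[_-]?key|auth[_-]?token)\b\s*[=:]\s*[\"']?(?!\$)[A-Za-z0-9/+_-]{8,}"
                r"|\bAKIA[0-9A-Z]{16}\b"), False),
]

# FROM <image>[@sha256:...] [AS <stage>], optionally preceded by --platform.
FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)


def lint(text, ignore=()):
    """Return findings as dicts shaped like the tool's JSON output, plus the
    line number; IDs listed in `ignore` are dropped, like the -i option."""
    lines = instructions(text)
    found, stages = [], set()

    def add(rid, desc, sev, n):
        found.append({"id": rid, "description": desc, "severity": sev, "line": n})

    for n, line in lines:
        for rid, desc, sev, rx, absent in RULES:
            if not absent and rx.search(line):
                add(rid, desc, sev, n)
        m = FROM_RE.match(line)
        if m:
            image, alias = m.group(1), m.group(2)
            # `scratch` and references to earlier build stages have no digest
            # to pin, so only real registry images are held to core-007.
            if image.lower() != "scratch" and image not in stages and "@sha256:" not in image:
                add("core-007", "Image pinned by tag instead of SHA256 digest", "Medium", n)
            if alias:
                stages.add(alias)
    for rid, desc, sev, rx, absent in RULES:
        if absent and not any(rx.search(line) for _, line in lines):
            add(rid, desc, sev, None)
    return [f for f in found if f["id"] not in set(ignore)]


# Constructed sample Dockerfile (not from the page); the digest is a placeholder.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim AS builder
ARG DB_PASSWORD=hunter2
ENV API_KEY="abcdef1234567890"
ADD requirements.txt /app/
RUN pip install --no-cache-dir \\
    -r /app/requirements.txt
COPY . /app

FROM python:3.12-slim@sha256:""" + "0" * 64 + """
COPY --from=builder /app /app
CMD ["python", "/app/main.py"]
"""

if __name__ == "__main__":
    print(json.dumps(lint(SAMPLE_DOCKERFILE), indent=2))
```

Run it as-is to see the six findings the sample triggers, one per rule ID in the table above; the second FROM is digest-pinned and the `COPY --from=builder` line copies a stage rather than the build context, so neither is reported.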

Using Docker
> cat Dockerfile | docker run --rm -i cr0hn/dockerfile-sec

The -i flag keeps stdin attached so the piped Dockerfile actually reaches the container.

IMPORTANT: inside the container the tool cannot see files on your host, so a rules file or a Dockerfile cannot simply be passed as a path parameter. Pipe the Dockerfile on stdin, as above, or mount a volume that contains the files.

Usage
With remote rules
> dockerfile-sec -r http://127.0.0.1:9999/rules/credentials.yaml Dockerfile

With built-in rules
All rules
All rules are enabled by default:
> dockerfile-sec Dockerfile

Core rules only
https://github.com/cr0hn/dockerfile-security/blob/master/dockerfile_sec/rules/core.yaml
> dockerfile-sec -R core Dockerfile

Credentials rules only
https://github.com/cr0hn/dockerfile-security/blob/master/dockerfile_sec/rules/credentials.yaml
> dockerfile-sec -R credentials Dockerfile

Disabling built-in rules
> dockerfile-sec -R none Dockerfile

With user defined rules
> dockerfile-sec -r my-rules.yaml Dockerfile

Export results as json
> dockerfile-sec -o results.json Dockerfile

Quiet mode
Write nothing to the console; combine with -o so the results are still kept:
> dockerfile-sec -q -o results.json Dockerfile

Filtering false positives
By ignore file
Dockerfile-sec can skip rules listed in an ignore file:
> dockerfile-sec -F ignore-rules.text Dockerfile

The ignore file contains the IDs of the rules to ignore, one ID per line. Example:
> cat ignore-rules.text
core-001
core-007

By using the CLI
You can also pass the IDs to ignore on the command line, comma-separated:
> dockerfile-sec -i core-001,core-007 Dockerfile

Using as a pipeline
You can also use dockerfile-sec as a stage in a UNIX pipeline.
Loading the Dockerfile from stdin:
> cat Dockerfile | dockerfile-sec -i core-001,core-007

Exposing results via pipe, here to jq to pretty-print the JSON:
> cat Dockerfile | dockerfile-sec -i core-001,core-007 | jq

Output formats
JSON Output format
[
  {
    "description": "Missing USER sentence in dockerfile",
    "id": "core-002",
    "reference": "https://snyk.io/blog/10-docker-image-security-best-practices/",
    "severity": "Medium"
  }
]
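A CI gate over that JSON output, as an added example that is not part of dockerfile-sec: it consumes the array shape shown above, honours an ignore file in the one-ID-per-line format described under "Filtering false positives", and exits non-zero when a finding at or above a chosen severity remains. The sample results and ignore list are constructed, and the severity ranking and the `fail_on` argument are assumptions of the example.

```python
"""Added example (not part of dockerfile-sec): fail a CI job on findings from
the tool's JSON output.  Assumes the array shape shown above and an ignore
file with one rule ID per line; the severity ranking is this script's own."""
import json
import sys

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


def load_ignore(text):
    """Parse an ignore file: one rule ID per line, blank lines skipped."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def gate(results_json, ignore_text="", fail_on="High"):
    """Return (kept, blocking): the findings not ignored, and the subset whose
    severity is at or above `fail_on`.  An unknown severity string is ranked
    as High so a new level in the tool cannot silently pass the gate."""
    threshold = SEVERITY_RANK[fail_on]
    ignored = load_ignore(ignore_text)
    kept = [f for f in json.loads(results_json) if f["id"] not in ignored]
    blocking = [f for f in kept
                if SEVERITY_RANK.get(f["severity"], SEVERITY_RANK["High"]) >= threshold]
    return kept, blocking


def format_table(findings):
    """Plain-text summary, one finding per line."""
    return "\n".join(f"{f['id']:<10}{f['severity']:<8}{f['description']}" for f in findings)


# Constructed sample output in the shape of the JSON above (the reference field
# is only reproduced for the entry the page shows) and a constructed ignore file.
SAMPLE_RESULTS = json.dumps([
    {"id": "core-002", "description": "Missing USER sentence in dockerfile",
     "severity": "Medium",
     "reference": "https://snyk.io/blog/10-docker-image-security-best-practices/"},
    {"id": "core-003", "description": "Posible text plain password in dockerfile",
     "severity": "High"},
    {"id": "core-007", "description": "Use image tag instead of SHA256 hash",
     "severity": "Medium"},
])
SAMPLE_IGNORE = "core-001\ncore-007\n"


def main(argv):
    """Usage: cat Dockerfile | dockerfile-sec | python gate.py [ignore-file] [Low|Medium|High]"""
    ignore_text = open(argv[1]).read() if len(argv) > 1 else ""
    fail_on = argv[2] if len(argv) > 2 else "High"
    kept, blocking = gate(sys.stdin.read(), ignore_text, fail_on)
    if kept:
        print(format_table(kept))
    print(f"{len(blocking)} blocking finding(s) at or above {fail_on}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline this sits after the tool, for example `cat Dockerfile | dockerfile-sec | python gate.py ignore-rules.text Medium`; with the constructed sample and ignore list, core-007 is dropped by the ignore file and only core-003 blocks at the default High threshold.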

References

https://snyk.io/blog/10-docker-image-security-best-practices/
https://medium.com/microscaling-systems/dockerfile-security-tuneup-166f1cdafea1
https://medium.com/@tariq.m.islam/container-deployments-a-lesson-in-deterministic-ops-a4a467b14a03
https://spacelift.io/blog/docker-security

License

For personal and professional use. You cannot resell or redistribute these repositories in their original state.
