Methods and examples of using Docker security check utilities

Hello, Habr!

These days, given the role of containerization in development, the task of ensuring security at the various stages and for the entities associated with containers is far from the last on the list. Checking everything manually is laborious, so it makes sense to at least take the first steps towards automating this process.

In this article I will share ready-made scripts for running several Docker security utilities, and instructions on how to set up a small test bench to try this process out. You can use the material to experiment with organizing security testing of Dockerfiles and images. It is clear that development and deployment infrastructure differs for everyone, so below I will give a few possible options.

Security Check Utilities

There are many different utilities and scripts that perform checks on various aspects of Docker infrastructure. Some of them were already described in a previous article (https://habr.com/ru/company/swordfish_security/blog/518758/#docker-security), and in this one I want to focus on three of them, which together cover most of the security requirements for Docker images built during development. In addition, I will show an example of how these three utilities can be combined into one pipeline to perform security checks.

Hadolint
https://github.com/hadolint/hadolint

A simple console utility that helps, as a first step, to assess the correctness and safety of Dockerfile instructions (for example, using only allowed base images or the use of sudo).


Dockle
https://github.com/goodwithtech/dockle

A utility that works on an image (or on a saved image tarball) and checks the correctness and security of a specific image as such, analysing its layers and configuration: which users were created, which instructions were used, which volumes are mounted, whether a password is present in clear text, and so on. For now the number of checks is not very large and is based on a few of its own checks and on the recommendations of the CIS (Center for Internet Security) Benchmark for Docker.

Trivy
https://github.com/aquasecurity/trivy

This utility is aimed at finding two kinds of vulnerabilities: problems in OS packages (Alpine, RedHat (EL), CentOS, Debian GNU, Ubuntu are supported) and problems in dependencies (Gemfile.lock, Pipfile.lock, composer.lock, package-lock.json, yarn.lock, Cargo.lock). Trivy can scan both images in a registry and local images, and can also scan .tar files saved with Docker images.


Options for using the utilities

To try out the described utilities in an isolated setting, I will give instructions for installing all of them as part of a simplified process.

The main idea is to show how automated content checks can be implemented for Dockerfiles and Docker images created during development.

The check itself consists of the following steps:

  1. Checking the correctness and safety of the Dockerfile instructions with the linter utility Hadolint
  2. Checking the correctness and security of the final and intermediate images with the Dockle utility
  3. Checking for publicly known vulnerabilities (CVE) in the base image and in a number of dependencies with the Trivy utility

Later in the article I will give three options for implementing these steps:
The first is by configuring a CI/CD pipeline, using GitLab as an example (with a description of how to bring up a test instance).
The second is using a shell script.
The third is by building a Docker image for scanning Docker images.
You can choose the option that suits you best, transfer it to your infrastructure and adapt it to your needs.

All the necessary files and additional instructions are also in the repository: https://github.com/Swordfish-Security/docker_cicd

GitLab CI/CD integration

In the first option we will look at how security checks can be implemented using the GitLab repository system as an example. Here we will go through the steps and see how to set up a test environment with GitLab from scratch, build the scanning process and run the utilities against a Dockerfile and an arbitrary image, the JuiceShop application.

Installing GitLab
1. Install Docker:

sudo apt-get update && sudo apt-get install docker.io

2. Add the current user to the docker group so that you can work with docker without sudo:

sudo addgroup <username> docker

3. Find out your IP:

ip addr

4. Install and run GitLab in a container, replacing the IP address in hostname with your own:

docker run --detach \
--hostname 192.168.1.112 \
--publish 443:443 --publish 80:80 \
--name gitlab \
--restart always \
--volume /srv/gitlab/config:/etc/gitlab \
--volume /srv/gitlab/logs:/var/log/gitlab \
--volume /srv/gitlab/data:/var/opt/gitlab \
gitlab/gitlab-ce:latest

We wait for GitLab to finish all the necessary setup procedures (you can follow the process in the log output: docker logs -f gitlab).

5. Open your local IP in a browser and you will see a page asking you to change the password for the root user.
Set a new password and log in to GitLab.

6. Create a new project, for example cicd-test, and initialize it with a README.md file.
7. Now we need to install GitLab Runner: the agent that will run all the required jobs on request.
Download the latest version (here, for 64-bit Linux):

sudo curl -L --output /usr/local/bin/gitlab-runner https://gitlab-runner-downloads.s3.amazonaws.com/latest/binaries/gitlab-runner-linux-amd64

8. Make it executable:

sudo chmod +x /usr/local/bin/gitlab-runner

9. Add an OS user for the runner and start the service:

sudo useradd --comment 'GitLab Runner' --create-home gitlab-runner --shell /bin/bash
sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
sudo gitlab-runner start

It should look like this:

local@osboxes:~$ sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
Runtime platform arch=amd64 os=linux pid=8438 revision=0e5417a3 version=12.0.1
local@osboxes:~$ sudo gitlab-runner start
Runtime platform arch=amd64 os=linux pid=8518 revision=0e5417a3 version=12.0.1

10. Now we register the Runner so that it can interact with our GitLab instance.
To do this, open the Settings - CI/CD page (http://OUR_IP_ADDRESS/root/cicd-test/-/settings/ci_cd) and on the Runners tab find the URL and the Registration token.
11. Register the runner, substituting the URL and the registration token:

sudo gitlab-runner register \
--non-interactive \
--url "http://<URL>/" \
--registration-token "<Registration Token>" \
--executor "docker" \
--docker-privileged \
--docker-image alpine:latest \
--description "docker-runner" \
--tag-list "docker,privileged" \
--run-untagged="true" \
--locked="false" \
--access-level="not_protected"

As a result we have a working GitLab instance, to which we need to add the instructions for starting our utilities. In this demo there are no application build and packaging steps, but in a real environment they would precede the scanning steps and produce the image and the Dockerfile for analysis.

Pipeline configuration

1. Add to the repository the file mydockerfile.df (this is the test Dockerfile we will check) and the GitLab CI/CD pipeline configuration file .gitlab-ci.yml, which lists the instructions for the scanners (note the dot in the file name).

The .yaml configuration file contains the instructions for running the three utilities (Hadolint, Dockle and Trivy), which will check the chosen Dockerfile and the image specified in the DOCKERIMAGE variable. All the necessary files can be taken from the repository: https://github.com/Swordfish-Security/docker_cicd/

Excerpt from mydockerfile.df (this is a deliberately problematic file with a set of arbitrary instructions, used only to show how the utilities work). Direct link to the file: mydockerfile.df

Contents of mydockerfile.df

FROM amd64/node:10.16.0-alpine@sha256:f59303fb3248e5d992586c76cc83e1d3700f641cbcd7c0067bc7ad5bb2e5b489 AS tsbuild
COPY package.json .
COPY yarn.lock .
RUN yarn install
COPY lib lib
COPY tsconfig.json tsconfig.json
COPY tsconfig.app.json tsconfig.app.json
RUN yarn build
FROM amd64/ubuntu:18.04@sha256:eb70667a801686f914408558660da753cde27192cd036148e58258819b927395
LABEL maintainer="Rhys Arkins <[email protected]>"
LABEL name="renovate"
...
COPY php.ini /usr/local/etc/php/php.ini
RUN cp -a /tmp/piik/* /var/www/html/
RUN rm -rf /tmp/piwik
RUN chown -R www-data /var/www/html
ADD piwik-cli-setup /piwik-cli-setup
ADD reset.php /var/www/html/
## ENTRYPOINT ##
ADD entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
USER root
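As an added illustration of the kind of checks the Hadolint step performs on a Dockerfile like the one above (example code written for this article, not Hadolint's own implementation): the rule ids DL3002, DL3006 and DL3015 are the ones that appear in the scan output later in the article, DL3004 is Hadolint's id for the sudo rule, and the sample Dockerfile is a constructed, shortened variant of mydockerfile.df.

```python
"""Tiny Hadolint-style linter: flags untagged base images, sudo, apt-get
without --no-install-recommends, and a final USER root (added example)."""
import re
from typing import List, Optional, Tuple

Finding = Tuple[int, str, str]  # (line number, rule id, message)

# Constructed sample: a shortened variant of the article's mydockerfile.df.
SAMPLE_DOCKERFILE = """\
FROM amd64/node:10.16.0-alpine AS tsbuild
COPY package.json .
RUN yarn install
FROM ubuntu
RUN apt-get update && apt-get install -y php
RUN sudo chown -R www-data /var/www/html
ADD entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
USER root
"""


def _instructions(text: str) -> List[Tuple[int, str]]:
    """Yield (line number, instruction) with backslash continuations joined, comments dropped."""
    out, buf, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf and not buf.startswith("#"):
            out.append((start, buf))
        buf = ""
    return out


def lint_dockerfile(text: str) -> List[Finding]:
    findings: List[Finding] = []
    last_user: Optional[Tuple[int, str]] = None  # last USER of the current stage
    for n, inst in _instructions(text):
        parts = inst.split(None, 1)
        keyword, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if keyword == "FROM":
            image = arg.split()[0]  # drop the "AS <stage>" part
            # A tag or a digest pins the image; a bare name silently floats to :latest.
            if "@sha256:" not in image and ":" not in image.rsplit("/", 1)[-1]:
                findings.append((n, "DL3006", "Always tag the version of an image explicitly"))
            last_user = None  # every stage starts as root again
        elif keyword == "RUN":
            if re.search(r"\bsudo\b", arg):
                findings.append((n, "DL3004", "Do not use sudo as it leads to unpredictable behavior"))
            if re.search(r"apt-get\s+(-\S+\s+)*install", arg) and "--no-install-recommends" not in arg:
                findings.append((n, "DL3015", "Avoid additional packages by specifying --no-install-recommends"))
        elif keyword == "USER":
            last_user = (n, arg.strip())
    # Only the last USER of the final stage decides who the container runs as.
    if last_user is not None and last_user[1] in ("root", "0"):
        findings.append((last_user[0], "DL3002", "Last USER should not be root"))
    return sorted(findings)


def format_findings(path: str, findings: List[Finding]) -> List[str]:
    """Render findings in the 'Dockerfile:LINE RULE message' form Hadolint prints."""
    return [f"{path}:{n} {code} {msg}" for n, code, msg in findings]


if __name__ == "__main__":
    for line in format_findings("Dockerfile", lint_dockerfile(SAMPLE_DOCKERFILE)):
        print(line)
```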

The YAML configuration looks like this (the file itself can be taken from the direct link here: .gitlab-ci.yml):

Contents of .gitlab-ci.yml

variables:
    DOCKER_HOST: "tcp://docker:2375/"
    DOCKERFILE: "mydockerfile.df" # name of the Dockerfile to analyse   
    DOCKERIMAGE: "bkimminich/juice-shop" # name of the Docker image to analyse
    # DOCKERIMAGE: "knqyf263/cve-2018-11235" # test Docker image with several CRITICAL CVE
    SHOWSTOPPER_PRIORITY: "CRITICAL" # what level of criticality will fail Trivy job
    TRIVYCACHE: "$CI_PROJECT_DIR/.cache" # where to cache Trivy database of vulnerabilities for faster reuse
    ARTIFACT_FOLDER: "$CI_PROJECT_DIR"
 
services:
    - docker:dind # to be able to build docker images inside the Runner
 
stages:
    - scan
    - report
    - publish
 
HadoLint:
    # Basic lint analysis of Dockerfile instructions
    stage: scan
    image: docker:git
 
    after_script:
    - cat $ARTIFACT_FOLDER/hadolint_results.json
 
    script:
    - export VERSION=$(wget -q -O - https://api.github.com/repos/hadolint/hadolint/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/hadolint/hadolint/releases/download/v${VERSION}/hadolint-Linux-x86_64 && chmod +x hadolint-Linux-x86_64
     
    # NB: hadolint will always exit with 0 exit code
    - ./hadolint-Linux-x86_64 -f json $DOCKERFILE > $ARTIFACT_FOLDER/hadolint_results.json || exit 0
 
    artifacts:
        when: always # return artifacts even after job failure       
        paths:
        - $ARTIFACT_FOLDER/hadolint_results.json
 
Dockle:
    # Analysing best practices about docker image (users permissions, instructions followed when image was built, etc.)
    stage: scan   
    image: docker:git
 
    after_script:
    - cat $ARTIFACT_FOLDER/dockle_results.json
 
    script:
    - export VERSION=$(wget -q -O - https://api.github.com/repos/goodwithtech/dockle/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.tar.gz && tar zxf dockle_${VERSION}_Linux-64bit.tar.gz
    - ./dockle --exit-code 1 -f json --output $ARTIFACT_FOLDER/dockle_results.json $DOCKERIMAGE   
     
    artifacts:
        when: always # return artifacts even after job failure       
        paths:
        - $ARTIFACT_FOLDER/dockle_results.json
 
Trivy:
    # Analysing docker image and package dependencies against several CVE bases
    stage: scan   
    image: docker:git
 
    script:
    # getting the latest Trivy
    - apk add rpm
    - export VERSION=$(wget -q -O - https://api.github.com/repos/knqyf263/trivy/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/knqyf263/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz && tar zxf trivy_${VERSION}_Linux-64bit.tar.gz
     
    # displaying all vulnerabilities w/o failing the build
    - ./trivy -d --cache-dir $TRIVYCACHE -f json -o $ARTIFACT_FOLDER/trivy_results.json --exit-code 0 $DOCKERIMAGE    
    
    # write vulnerabilities info to stdout in human readable format (reading pure json is not fun, eh?). You can remove this if you don't need this.
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 0 $DOCKERIMAGE    
 
    # failing the build if the SHOWSTOPPER priority is found
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 1 --severity $SHOWSTOPPER_PRIORITY --quiet $DOCKERIMAGE
         
    artifacts:
        when: always # return artifacts even after job failure
        paths:
        - $ARTIFACT_FOLDER/trivy_results.json
 
    cache:
        paths:
        - .cache
 
Report:
    # combining tools outputs into one HTML
    stage: report
    when: always
    image: python:3.5
     
    script:
    - mkdir json
    - cp $ARTIFACT_FOLDER/*.json ./json/
    - pip install json2html
    - wget https://raw.githubusercontent.com/shad0wrunner/docker_cicd/master/convert_json_results.py
    - python ./convert_json_results.py
     
    artifacts:
        paths:
        - results.html

If necessary, you can scan saved images as a .tar archive (however, you will need to change the input files for the utilities in the YAML file).

NB: Trivy requires rpm and git to be installed. Otherwise it will produce errors when scanning RedHat-based images and when fetching updates of the vulnerability database.

2. After the files are added to the repository, GitLab will automatically start the build and scan pipeline according to the instructions in our configuration file. On the CI/CD → Pipelines tab you can watch the progress of the jobs.

As a result we have four jobs. Three of them are directly involved in scanning, and the last one (Report) builds a simple report from the scattered files with the scan results.
By default, Trivy stops its execution if vulnerabilities are found in the image or its dependencies. Hadolint, on the other hand, always returns a success code, since its output always contains some remarks, which would otherwise stop the build.

Depending on your specific requirements, you can configure the exit codes so that these utilities also abort the build when problems of a certain criticality are found. In our case the build will stop only if Trivy finds a vulnerability with the severity we specified in the SHOWSTOPPER_PRIORITY variable in .gitlab-ci.yml.

The results of each utility can be seen in the log of the corresponding scanning job, directly in the json files in the artifacts, or in a simple HTML report (more on that below).

3. To present the output of the utilities in a slightly more human-readable form, a small Python script is used to convert the three json files into one HTML file with a table of the findings.
This script is started by a separate Report job, and its final artifact is an HTML file with the report. The script is also in the repository and can be adapted to your needs, colours, and so on.
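The example below, written for this article rather than taken from the repository's convert_json_results.py, shows the two things the Report job and the shell script's docker_tools/json step rely on: flattening the three tools' JSON into one HTML table, and applying the SHOWSTOPPER_PRIORITY gate the Trivy job implements with --exit-code 1 --severity. The JSON shapes are constructed samples modelled on what the three tools emitted at the time (an assumption; check against the real files in your artifacts), and the Trivy rows are taken from the article's console output.

```python
"""Merge Hadolint, Dockle and Trivy JSON results into one HTML table and
apply the SHOWSTOPPER_PRIORITY gate (added example, not the article's script)."""
import html
import json
from typing import Dict, List

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]  # Trivy's scale, ascending

# Constructed samples in the assumed shape of hadolint_results.json, dockle_results.json
# and trivy_results.json (Trivy's older list-of-targets format).
HADOLINT_JSON = json.dumps([
    {"file": "Dockerfile", "line": 248, "code": "DL3002", "level": "warning",
     "message": "Last USER should not be root"},
])
DOCKLE_JSON = json.dumps({"details": [
    {"code": "DKL-DI-0006", "title": "Avoid latest tag", "level": "WARN", "alerts": ["Avoid 'latest' tag"]},
]})
TRIVY_JSON = json.dumps([{"Target": "juice-shop/frontend/package-lock.json", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2020-15256", "PkgName": "object-path", "InstalledVersion": "0.11.4",
     "Severity": "HIGH", "Title": "Prototype pollution in object-path"},
    {"VulnerabilityID": "CVE-2019-15599", "PkgName": "tree-kill", "InstalledVersion": "1.2.2",
     "Severity": "HIGH", "Title": "Code Injection"},
    {"VulnerabilityID": "CVE-2020-15262", "PkgName": "webpack-subresource-integrity", "InstalledVersion": "1.4.1",
     "Severity": "LOW", "Title": "Unprotected dynamically loaded chunks"},
]}])


def normalise(hadolint: str, dockle: str, trivy: str) -> List[Dict[str, str]]:
    """Flatten the three formats into uniform rows (tool, id, severity, where, message)."""
    rows = []
    for f in json.loads(hadolint):
        rows.append({"tool": "hadolint", "id": f["code"], "severity": f["level"].upper(),
                     "where": f"{f['file']}:{f['line']}", "message": f["message"]})
    for d in json.loads(dockle).get("details", []):
        rows.append({"tool": "dockle", "id": d["code"], "severity": d["level"],
                     "where": "; ".join(d.get("alerts", [])), "message": d["title"]})
    for target in json.loads(trivy):
        for v in target.get("Vulnerabilities") or []:  # Trivy emits null for clean targets
            rows.append({"tool": "trivy", "id": v["VulnerabilityID"], "severity": v["Severity"],
                         "where": f"{target['Target']} {v['PkgName']} {v['InstalledVersion']}",
                         "message": v.get("Title", "")})
    return rows


def trivy_summary(trivy: str) -> Dict[str, int]:
    """Per-severity counts, like the 'Total: N (UNKNOWN: .., LOW: ..)' line in Trivy's console output."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for target in json.loads(trivy):
        for v in target.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN")
            counts[sev] = counts.get(sev, 0) + 1
    return counts


def showstopper_hit(trivy: str, threshold: str) -> bool:
    """True when any Trivy finding is at or above `threshold` (the job's SHOWSTOPPER_PRIORITY)."""
    counts = trivy_summary(trivy)
    return any(counts.get(s, 0) > 0 for s in SEVERITY_ORDER[SEVERITY_ORDER.index(threshold):])


def to_html(rows: List[Dict[str, str]]) -> str:
    """Render rows as an escaped HTML table, most severe first; non-Trivy levels sort last."""
    def rank(r: Dict[str, str]) -> int:
        return SEVERITY_ORDER.index(r["severity"]) if r["severity"] in SEVERITY_ORDER else -1
    cols = ("tool", "id", "severity", "where", "message")
    head = "<tr>" + "".join(f"<th>{c}</th>" for c in cols) + "</tr>"
    body = "".join("<tr>" + "".join(f"<td>{html.escape(r[c])}</td>" for c in cols) + "</tr>"
                   for r in sorted(rows, key=rank, reverse=True))
    return f"<html><body><table>{head}{body}</table></body></html>"


if __name__ == "__main__":
    with open("results.html", "w") as fh:
        fh.write(to_html(normalise(HADOLINT_JSON, DOCKLE_JSON, TRIVY_JSON)))
    print(trivy_summary(TRIVY_JSON), "showstopper:", showstopper_hit(TRIVY_JSON, "CRITICAL"))
```

With the sample data the CRITICAL gate passes while a HIGH gate would fail the job, which is the behaviour the SHOWSTOPPER_PRIORITY variable controls.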

Shell script

The second option is suitable for cases where you need to check Docker images outside a CI/CD system, or where you want all the instructions in a form that can be executed directly on the host. This option is covered by a ready-made shell script that can be run on a clean virtual (or even physical) machine. The script follows the same instructions as the gitlab-runner configuration above.

For the script to work correctly, Docker must be installed on the system and the current user must be in the docker group.

The script itself can be found here: docker_sec_check.sh

At the beginning of the file, variables specify which image should be checked and which severity of vulnerabilities will make the Trivy utility exit with an error code.

While the script runs, all the utilities are downloaded into the docker_tools directory, the results of their work go into docker_tools/json, and the HTML with the report ends up in the file results.html.

Example script output

~/docker_cicd$ ./docker_sec_check.sh

[+] Setting environment variables
[+] Installing required packages
[+] Preparing necessary directories
[+] Fetching sample Dockerfile
2020-10-20 10:40:00 (45.3 MB/s) - ‘Dockerfile’ saved [8071/8071]
[+] Pulling image to scan
latest: Pulling from bkimminich/juice-shop
[+] Running Hadolint
...
Dockerfile:205 DL3015 Avoid additional packages by specifying `--no-install-recommends`
Dockerfile:248 DL3002 Last USER should not be root
...
[+] Running Dockle
...
WARN    - DKL-DI-0006: Avoid latest tag
        * Avoid 'latest' tag
INFO    - CIS-DI-0005: Enable Content trust for Docker
        * export DOCKER_CONTENT_TRUST=1 before docker pull/build
...
[+] Running Trivy
juice-shop/frontend/package-lock.json
=====================================
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

+---------------------+------------------+----------+---------+-------------------------+
|       LIBRARY       | VULNERABILITY ID | SEVERITY | VERSION |             TITLE       |
+---------------------+------------------+----------+---------+-------------------------+
| object-path         | CVE-2020-15256   | HIGH     | 0.11.4  | Prototype pollution in  |
|                     |                  |          |         | object-path             |
+---------------------+------------------+          +---------+-------------------------+
| tree-kill           | CVE-2019-15599   |          | 1.2.2   | Code Injection          |
+---------------------+------------------+----------+---------+-------------------------+
| webpack-subresource | CVE-2020-15262   | LOW      | 1.4.1   | Unprotected dynamically |
|                     |                  |          |         | loaded chunks           |
+---------------------+------------------+----------+---------+-------------------------+

juice-shop/package-lock.json
============================
Total: 20 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 8, CRITICAL: 5)

...

juice-shop/package-lock.json
============================
Total: 5 (CRITICAL: 5)

...
[+] Removing left-overs
[+] Making the output look pretty
[+] Converting JSON results
[+] Writing results HTML
[+] Clean exit ============================================================
[+] Everything is done. Find the resulting HTML report in results.html

Docker image with all the utilities

As a third option, I wrote two simple Dockerfiles for building an image with the security utilities. One Dockerfile builds a set for scanning an image from a registry, the second (Dockerfile_tar) builds a set for scanning a tar file with an image.

1. Take the required Dockerfile and scripts from the repository https://github.com/Swordfish-Security/docker_cicd/tree/master/Dockerfile.
2. Run the build:

docker build -t dscan:image -f docker_security.df .

3. After the build completes, create a container from the image. We pass the DOCKERIMAGE environment variable with the name of the image we need and mount the Dockerfile we want to check from our machine to the file /Dockerfile (note that an absolute path to this file is required):

docker run --rm -v $(pwd)/results:/results -v $(pwd)/docker_security.df:/Dockerfile -e DOCKERIMAGE="bkimminich/juice-shop" dscan:image


[+] Setting environment variables
[+] Running Hadolint
/Dockerfile:3 DL3006 Always tag the version of an image explicitly
[+] Running Dockle
WARN    - DKL-DI-0006: Avoid latest tag
        * Avoid 'latest' tag
INFO    - CIS-DI-0005: Enable Content trust for Docker
        * export DOCKER_CONTENT_TRUST=1 before docker pull/build
INFO    - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
        * not found HEALTHCHECK statement
INFO    - DKL-LI-0003: Only put necessary files
        * unnecessary file : juice-shop/node_modules/sqlite3/Dockerfile
        * unnecessary file : juice-shop/node_modules/sqlite3/tools/docker/architecture/linux-arm64/Dockerfile
        * unnecessary file : juice-shop/node_modules/sqlite3/tools/docker/architecture/linux-arm/Dockerfile
[+] Running Trivy
...
juice-shop/package-lock.json
============================
Total: 20 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 8, CRITICAL: 5)
...
[+] Making the output look pretty
[+] Starting the main module ============================================================
[+] Converting JSON results
[+] Writing results HTML
[+] Clean exit ============================================================
[+] Everything is done. Find the resulting HTML report in results.html

Results

We have covered only a basic set of tools for scanning Docker artifacts, which in my opinion covers image security quite well. There are many other paid and free tools that can perform the same checks, draw nice reports or work purely in console mode, cover container management systems, and so on. A description of these tools and how to integrate them will appear a little later.

The advantage of the set of tools described in this article is that they are all open source, and you can experiment with them and other similar tools to find out which fits your requirements and infrastructure. Of course, every vulnerability found must still be examined for applicability in specific conditions, but that is a topic for a future large article.

I hope these instructions, scripts and utilities will help you and become a starting point for building a more secure infrastructure in the area of containerization.

Source: www.hab.com
