Introduction
Containerization plays an ever larger role in modern development, so the problem of securing the various stages and artifacts associated with containers is a pressing one. Manual checks take time, so it is worth taking at least the first steps towards automating the process.
This article describes ready-made scripts for running several Docker security utilities and shows how to deploy a small demo stand to try the process out. With these materials you can experiment with organizing a security check of Dockerfiles and Docker images. Development and deployment infrastructures obviously differ from team to team, so several possible options are given below.
Security check utilities
There are many helper applications and scripts that check various aspects of Docker infrastructure. Some of them were already described in a previous article.
Hadolint
A first approximation: a very simple console utility that helps evaluate the correctness and safety of Dockerfile instructions (for example, whether only approved image registries are used, or whether sudo is invoked).
Dockle
A console utility that works with an image (or a saved tar archive of an image), checks the correctness and security of the image itself and analyses its layers and configuration: which users were created, which instructions were used, and so on. The number of checks is still modest; they are based on a set of its own checks and on the CIS Docker Benchmark recommendations (the CIS-DI-* identifiers in the output below come from there).
Trivy
This utility detects two kinds of vulnerabilities: problems in OS packages (Alpine, RedHat (EL), CentOS, Debian GNU, Ubuntu are supported) and problems in application dependencies (Gemfile.lock, Pipfile.lock, composer.lock, package-lock.json, yarn.lock, cargo.lock). Trivy can scan both images in a registry and local images, and can also scan a .tar file exported from a Docker image.
Options for running the utilities
To try the described applications in an isolated environment, here are instructions for installing all the utilities in a somewhat simplified process.
The main idea is to show how to implement automatic content checks of the Dockerfiles and Docker images produced during development.
The check itself consists of the following steps:
- checking the correctness and safety of Dockerfile instructions with the Hadolint linter;
- checking the correctness and safety of the final and intermediate images with Dockle;
- checking for publicly known vulnerabilities (CVEs) in the base image and in a number of dependencies with Trivy.
The rest of the article covers three options for implementing these steps.
The first configures a CI/CD pipeline, using GitLab as the example (with a description of how to bring up a test instance).
The second uses a shell script.
The third builds a Docker image whose purpose is to scan other Docker images.
You can choose the most suitable option, port it to your infrastructure and adapt it to your needs.
All required files and additional instructions are in the repository.
Integration into GitLab CI/CD
In the first option we look at how to implement the security checks using GitLab as the example repository system. Here we walk through the instructions and work out how to install a test environment with GitLab from scratch, build the scanning process and run the utilities against a test Dockerfile and an arbitrary image (the JuiceShop application).
Installing GitLab
1. Install Docker:
sudo apt-get update && sudo apt-get install docker.io
2. Add the current user to the docker group so that docker can be used without sudo (log out and back in for the membership to take effect; note that membership in the docker group is equivalent to root on the host, so grant it only on a throwaway stand):
sudo usermod -aG docker <username>
3. Find the host's IP address:
ip addr
4. Install and start the GitLab container, replacing the IP address in the hostname with your own:
docker run --detach \
  --hostname 192.168.1.112 \
  --publish 443:443 --publish 80:80 \
  --name gitlab \
  --restart always \
  --volume /srv/gitlab/config:/etc/gitlab \
  --volume /srv/gitlab/logs:/var/log/gitlab \
  --volume /srv/gitlab/data:/var/opt/gitlab \
  gitlab/gitlab-ce:latest
Wait until GitLab completes all the required installation steps (you can follow the process in the log output: docker logs -f gitlab).
5. Open the local IP in a browser; you will see a page asking you to change the root user's password. Set a new password and log in to GitLab.
6. Create a new project (for example, cicd-test) and initialize it with a starter file, README.md.
7. Next, install GitLab Runner, the agent that executes all the required operations on request.
Download the latest version (here, for 64-bit Linux):
sudo curl -L --output /usr/local/bin/gitlab-runner https://gitlab-runner-downloads.s3.amazonaws.com/latest/binaries/gitlab-runner-linux-amd64
8. Make it executable:
sudo chmod +x /usr/local/bin/gitlab-runner
9. Add an OS user for the Runner and start the service:
sudo useradd --comment 'GitLab Runner' --create-home gitlab-runner --shell /bin/bash
sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
sudo gitlab-runner start
Which looks like this:
local@osboxes:~$ sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
Runtime platform arch=amd64 os=linux pid=8438 revision=0e5417a3 version=12.0.1
local@osboxes:~$ sudo gitlab-runner start
Runtime platform arch=amd64 os=linux pid=8518 revision=0e5417a3 version=12.0.1
10. Now register the Runner so that it can talk to the GitLab instance.
To do this, open the Settings → CI/CD page (http://OUR_IP_ADDRESS/root/cicd-test/-/settings/ci_cd) and find the URL and registration token under the Runners tab.
11. Register the runner, substituting the URL and registration token:
sudo gitlab-runner register \
  --non-interactive \
  --url "http://<URL>/" \
  --registration-token "<Registration Token>" \
  --executor "docker" \
  --docker-privileged \
  --docker-image alpine:latest \
  --description "docker-runner" \
  --tag-list "docker,privileged" \
  --run-untagged="true" \
  --locked="false" \
  --access-level="not_protected"
As a result we have a working GitLab, to which we now need to add the instructions that launch the utilities. Note that --docker-privileged is needed for the docker:dind service used below, but a privileged executor gives every job root-equivalent access to the runner host, so keep this runner dedicated to the test stand. This demo has no steps for building and containerizing an application; in a real environment those steps precede the scanning steps and produce the image and Dockerfile to analyse.
Pipeline configuration
1. Add two files to the repository: mydockerfile.df (the test Dockerfile we will check) and the GitLab CI/CD configuration file .gitlab-ci.yml, which lists the scanner steps (note the leading dot in the file name).
The YAML configuration contains the instructions for running the three utilities (Hadolint, Dockle, Trivy) against the Dockerfile and the image named in the DOCKERFILE and DOCKERIMAGE variables. All required files can be taken from the repository.
An excerpt from mydockerfile.df (an artificial file with an arbitrary set of instructions, only there to show how the utilities behave):
Contents of mydockerfile.df
FROM amd64/node:10.16.0-alpine@sha256:f59303fb3248e5d992586c76cc83e1d3700f641cbcd7c0067bc7ad5bb2e5b489 AS tsbuild
COPY package.json .
COPY yarn.lock .
RUN yarn install
COPY lib lib
COPY tsconfig.json tsconfig.json
COPY tsconfig.app.json tsconfig.app.json
RUN yarn build
FROM amd64/ubuntu:18.04@sha256:eb70667a801686f914408558660da753cde27192cd036148e58258819b927395
LABEL maintainer="Rhys Arkins <[email protected]>"
LABEL name="renovate"
...
COPY php.ini /usr/local/etc/php/php.ini
RUN cp -a /tmp/piik/* /var/www/html/
RUN rm -rf /tmp/piwik
RUN chown -R www-data /var/www/html
ADD piwik-cli-setup /piwik-cli-setup
ADD reset.php /var/www/html/
## ENTRYPOINT ##
ADD entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
USER root
The configuration YAML is as follows (the file itself is also in the repository):
Contents of .gitlab-ci.yml
variables:
  DOCKER_HOST: "tcp://docker:2375/"
  DOCKERFILE: "mydockerfile.df"            # name of the Dockerfile to analyse
  DOCKERIMAGE: "bkimminich/juice-shop"     # name of the Docker image to analyse
  # DOCKERIMAGE: "knqyf263/cve-2018-11235" # test Docker image with several CRITICAL CVEs
  SHOWSTOPPER_PRIORITY: "CRITICAL"         # which severity will fail the Trivy job
  TRIVYCACHE: "$CI_PROJECT_DIR/.cache"     # where to cache the Trivy vulnerability database for faster reuse
  ARTIFACT_FOLDER: "$CI_PROJECT_DIR"

services:
  - docker:dind   # to be able to build docker images inside the Runner

stages:
  - scan
  - report
  - publish

HadoLint:
  # Basic lint analysis of Dockerfile instructions
  stage: scan
  image: docker:git
  after_script:
    - cat $ARTIFACT_FOLDER/hadolint_results.json
  script:
    - export VERSION=$(wget -q -O - https://api.github.com/repos/hadolint/hadolint/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/hadolint/hadolint/releases/download/v${VERSION}/hadolint-Linux-x86_64 && chmod +x hadolint-Linux-x86_64
    # NB: hadolint exits non-zero on any finding, so the job forces exit code 0 here
    - ./hadolint-Linux-x86_64 -f json $DOCKERFILE > $ARTIFACT_FOLDER/hadolint_results.json || exit 0
  artifacts:
    when: always   # return artifacts even after job failure
    paths:
      - $ARTIFACT_FOLDER/hadolint_results.json

Dockle:
  # Analysing best practices of the docker image (user permissions, instructions used when the image was built, etc.)
  stage: scan
  image: docker:git
  after_script:
    - cat $ARTIFACT_FOLDER/dockle_results.json
  script:
    - export VERSION=$(wget -q -O - https://api.github.com/repos/goodwithtech/dockle/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.tar.gz && tar zxf dockle_${VERSION}_Linux-64bit.tar.gz
    - ./dockle --exit-code 1 -f json --output $ARTIFACT_FOLDER/dockle_results.json $DOCKERIMAGE
  artifacts:
    when: always   # return artifacts even after job failure
    paths:
      - $ARTIFACT_FOLDER/dockle_results.json

Trivy:
  # Analysing the docker image and package dependencies against several CVE databases
  stage: scan
  image: docker:git
  script:
    # getting the latest Trivy (the project has since moved to github.com/aquasecurity/trivy; the old path redirects)
    - apk add rpm
    - export VERSION=$(wget -q -O - https://api.github.com/repos/knqyf263/trivy/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/knqyf263/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz && tar zxf trivy_${VERSION}_Linux-64bit.tar.gz
    # displaying all vulnerabilities w/o failing the build
    - ./trivy -d --cache-dir $TRIVYCACHE -f json -o $ARTIFACT_FOLDER/trivy_results.json --exit-code 0 $DOCKERIMAGE
    # write vulnerability info to stdout in human readable format (reading pure json is not fun); remove this if you don't need it
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 0 $DOCKERIMAGE
    # failing the build if a finding of SHOWSTOPPER severity is present
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 1 --severity $SHOWSTOPPER_PRIORITY --quiet $DOCKERIMAGE
  artifacts:
    when: always   # return artifacts even after job failure
    paths:
      - $ARTIFACT_FOLDER/trivy_results.json
  cache:
    paths:
      - .cache

Report:
  # combining the tools' outputs into one HTML file
  stage: report
  when: always
  image: python:3.5
  script:
    - mkdir json
    - cp $ARTIFACT_FOLDER/*.json ./json/
    - pip install json2html
    - wget https://raw.githubusercontent.com/shad0wrunner/docker_cicd/master/convert_json_results.py
    - python ./convert_json_results.py
  artifacts:
    paths:
      - results.html
If needed, you can also scan an image saved as a .tar archive (but you will have to change the utilities' input parameters in the YAML file).
Note: Trivy needs rpm and git installed; otherwise it fails when scanning RedHat-based images and when fetching vulnerability database updates.
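The jobs above download the newest release of each scanner at run time and execute it without checking what arrived, so a compromised or swapped release asset would run with the job's Docker access. The following helpers, an added example that is not part of the article or of the docker_cicd repository, pin a version and verify the SHA-256 digest before the binary is made executable. fetch_pinned, verify_sha256 and install_hadolint are assumed names, and HADOLINT_VERSION and HADOLINT_SHA256 are placeholders to be filled in from the hadolint release page; the offline self-check at the end uses a constructed file rather than a real download.

```shell
#!/bin/sh
# Added example; not part of the article or the docker_cicd repository.
# Pin a scanner release and refuse to run a binary whose SHA-256 does not
# match the digest recorded next to the version. Only POSIX sh, wget,
# sha256sum and cut are needed, all present in the docker:git job image.

verify_sha256() {
    # $1: file path, $2: expected hex digest. Returns 0 only on an exact match.
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

fetch_pinned() {
    # $1: URL, $2: destination path, $3: expected SHA-256.
    # A mismatch deletes the download so a later step cannot execute it.
    wget -q -O "$2" "$1" || { echo "download failed: $1" >&2; return 1; }
    if ! verify_sha256 "$2" "$3"; then
        echo "checksum mismatch for $2, refusing to run it" >&2
        rm -f "$2"
        return 1
    fi
    chmod +x "$2"
}

# How the HadoLint job would use it. Both values are placeholders (assumption),
# to be copied from the release page of the version you decide to pin.
HADOLINT_VERSION="x.y.z"
HADOLINT_SHA256="<sha256 from the hadolint release page>"
install_hadolint() {
    fetch_pinned \
        "https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-Linux-x86_64" \
        ./hadolint-Linux-x86_64 "$HADOLINT_SHA256"
}

# Offline self-check on a constructed file: sha256("hello\n") is a fixed value.
DEMO_FILE=$(mktemp)
printf 'hello\n' > "$DEMO_FILE"
GOOD_DIGEST="5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
if verify_sha256 "$DEMO_FILE" "$GOOD_DIGEST"; then
    echo "digest verified for $DEMO_FILE"
fi
if ! verify_sha256 "$DEMO_FILE" "0000000000000000000000000000000000000000000000000000000000000000"; then
    echo "tampered digest rejected"
fi
```

In the pipeline, replace the two `wget`/`chmod` lines of each job with a call to the corresponding install function and bump the pinned version and digest together in a reviewed commit; the same pattern applies to the Dockle and Trivy tarballs, with `tar zxf` after the check instead of `chmod +x`.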
2. Once the files are added to the repository as the configuration describes, GitLab automatically starts the build and scan process. The progress of the jobs can be followed on the CI/CD → Pipelines tab.
The result is four jobs: three perform the scans themselves and the last one (Report) assembles a simple report from the scattered scan result files.
By default Trivy stops the job when a critical vulnerability is found in the image or its dependencies. Hadolint, on the other hand, is forced to return a success code, because it exits non-zero on every remark it produces and would otherwise stop the pipeline each time.
Depending on your requirements, you can configure the exit codes so that the build stops when these utilities detect problems of a given severity. In this configuration the build stops only if Trivy finds vulnerabilities of the severity set in the SHOWSTOPPER_PRIORITY variable in .gitlab-ci.yml. Keep in mind that Trivy's --severity option takes a comma-separated list and matches those levels exactly, so "CRITICAL" lets HIGH findings through; use "HIGH,CRITICAL" to fail on both.
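To make the gating rule explicit outside Trivy's own --severity flag, here is an added example (not from the article or the docker_cicd repository) that reads a Trivy JSON report and fails when any finding is at or above a threshold, so that a threshold of HIGH also catches CRITICAL. It uses only POSIX sh with grep, sed, sort, uniq and cut, so it would run in the docker:git job image; severity_rank, count_by_severity, blocking_count and trivy_gate are assumed names. The sample report is constructed from the three frontend lockfile findings shown in the Trivy output later in this article, in the top-level-array layout Trivy emitted at the time; because the helper only looks for "Severity" keys, it also works on the newer layout that wraps targets in a "Results" array.

```shell
#!/bin/sh
# Added example; not part of the article or the docker_cicd repository.
# Gate a build on a Trivy JSON report: fail if any finding is at or above a
# severity threshold. Only POSIX sh plus grep/sed/sort/uniq/cut/tr are used.

# Rank severities so a threshold of HIGH also blocks on CRITICAL.
# Anything not listed (UNKNOWN included) ranks 0 and never blocks on its own.
severity_rank() {
    case "$1" in
        CRITICAL) echo 4 ;;
        HIGH)     echo 3 ;;
        MEDIUM)   echo 2 ;;
        LOW)      echo 1 ;;
        *)        echo 0 ;;
    esac
}

# Print one "COUNT SEVERITY" line per severity present in the report ($1).
# Matching on the "Severity" key alone keeps this independent of whether the
# report is a top-level array (Trivy 0.x) or wrapped in {"Results": [...]}.
count_by_severity() {
    grep -o '"Severity" *: *"[A-Z]*"' "$1" \
        | sed 's/.*"\([A-Z]*\)"$/\1/' \
        | sort | uniq -c | sed 's/^ *//'
}

# Print the number of findings in report $1 at or above severity $2.
blocking_count() {
    min=$(severity_rank "$2"); total=0
    for entry in $(count_by_severity "$1" | tr ' ' ':'); do
        n=${entry%%:*}; sev=${entry##*:}
        if [ "$(severity_rank "$sev")" -ge "$min" ]; then
            total=$((total + n))
        fi
    done
    echo "$total"
}

# Exit status 1 (fail the job) when anything at or above $2 is present.
trivy_gate() {
    n=$(blocking_count "$1" "$2")
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n finding(s) at severity $2 or above in $1" >&2
        return 1
    fi
    echo "OK: no findings at severity $2 or above in $1" >&2
}

# Constructed sample report: the three frontend lockfile findings from the
# article's Trivy output, plus an OS target with nothing reported.
SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
[
  {
    "Target": "juice-shop/frontend/package-lock.json",
    "Type": "npm",
    "Vulnerabilities": [
      {"VulnerabilityID": "CVE-2020-15256", "PkgName": "object-path", "InstalledVersion": "0.11.4", "Severity": "HIGH"},
      {"VulnerabilityID": "CVE-2019-15599", "PkgName": "tree-kill", "InstalledVersion": "1.2.2", "Severity": "HIGH"},
      {"VulnerabilityID": "CVE-2020-15262", "PkgName": "webpack-subresource-integrity", "InstalledVersion": "1.4.1", "Severity": "LOW"}
    ]
  },
  {"Target": "bkimminich/juice-shop (alpine)", "Type": "alpine", "Vulnerabilities": []}
]
EOF

# With the article's default of CRITICAL the gate passes; with HIGH it fails.
trivy_gate "$SAMPLE_REPORT" CRITICAL
trivy_gate "$SAMPLE_REPORT" HIGH || echo "pipeline would stop here" >&2
```

In the Trivy job this would replace the third trivy invocation: keep the `-f json -o $ARTIFACT_FOLDER/trivy_results.json --exit-code 0` run, then call `trivy_gate "$ARTIFACT_FOLDER/trivy_results.json" "$SHOWSTOPPER_PRIORITY"` as the last script line so the JSON artifact is always produced and the job still fails on the threshold.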
Each utility's results can be viewed directly in the log of its scan job, in the json files in the Artifacts section, or in a simple HTML report (see below).
3. To present the utility reports in a slightly more readable form, a small Python script converts the three JSON files into one HTML file containing a table of findings.
The script is launched by a separate Report job, whose final artifact is the HTML file with the report. The script source is also in the repository and can be adjusted to your needs, colours and so on.
Shell script
The second option suits cases where you need to check Docker images outside a CI/CD system, or need all the instructions in a form that can be run directly on a host. It is covered by a ready-made shell script that can be run on a clean virtual (or physical) machine. The script executes the same instructions as the gitlab-runner jobs described above.
For the script to run successfully, Docker must be installed on the system and the current user must belong to the docker group.
The script itself is in the repository.
At the top of the file, variables specify the image to scan and the severity of findings at which Trivy exits with the given error code.
While the script runs, all utilities are downloaded into the docker_tools directory, the results are placed in docker_tools/json, and the HTML report is written to results.html.
Example script output
~/docker_cicd$ ./docker_sec_check.sh
[+] Setting environment variables
[+] Installing required packages
[+] Preparing necessary directories
[+] Fetching sample Dockerfile
2020-10-20 10:40:00 (45.3 MB/s) - 'Dockerfile' saved [8071/8071]
[+] Pulling image to scan
latest: Pulling from bkimminich/juice-shop
[+] Running Hadolint
...
Dockerfile:205 DL3015 Avoid additional packages by specifying `--no-install-recommends`
Dockerfile:248 DL3002 Last USER should not be root
...
[+] Running Dockle
...
WARN - DKL-DI-0006: Avoid latest tag
* Avoid 'latest' tag
INFO - CIS-DI-0005: Enable Content trust for Docker
* export DOCKER_CONTENT_TRUST=1 before docker pull/build
...
[+] Running Trivy
juice-shop/frontend/package-lock.json
=====================================
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
+---------------------+------------------+----------+---------+-------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | VERSION | TITLE |
+---------------------+------------------+----------+---------+-------------------------+
| object-path | CVE-2020-15256 | HIGH | 0.11.4 | Prototype pollution in |
| | | | | object-path |
+---------------------+------------------+ +---------+-------------------------+
| tree-kill | CVE-2019-15599 | | 1.2.2 | Code Injection |
+---------------------+------------------+----------+---------+-------------------------+
| webpack-subresource | CVE-2020-15262 | LOW | 1.4.1 | Unprotected dynamically |
| | | | | loaded chunks |
+---------------------+------------------+----------+---------+-------------------------+
juice-shop/package-lock.json
============================
Total: 20 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 8, CRITICAL: 5)
...
juice-shop/package-lock.json
============================
Total: 5 (CRITICAL: 5)
...
[+] Removing left-overs
[+] Making the output look pretty
[+] Converting JSON results
[+] Writing results HTML
[+] Clean exit ============================================================
[+] Everything is done. Find the resulting HTML report in results.html
Docker image with all the utilities
As a third alternative, two simple Dockerfiles were put together to build an image that carries the security utilities. One Dockerfile builds the set for scanning an image from a repository, the second (Dockerfile_tar) builds the set for scanning a tar file containing an image.
1. Take the corresponding Dockerfile and scripts from the repository.
2. Build the image:
3. Once the build completes, create a container from the image. At the same time, pass the DOCKERIMAGE environment variable with the name of the image of interest and mount the Dockerfile to analyse from the host into the container as /Dockerfile (note that an absolute path to the file is required):
docker run --rm -v $(pwd)/results:/results -v $(pwd)/docker_security.df:/Dockerfile -e DOCKERIMAGE="bkimminich/juice-shop" dscan:image
[+] Setting environment variables
[+] Running Hadolint
/Dockerfile:3 DL3006 Always tag the version of an image explicitly
[+] Running Dockle
WARN - DKL-DI-0006: Avoid latest tag
* Avoid 'latest' tag
INFO - CIS-DI-0005: Enable Content trust for Docker
* export DOCKER_CONTENT_TRUST=1 before docker pull/build
INFO - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
* not found HEALTHCHECK statement
INFO - DKL-LI-0003: Only put necessary files
* unnecessary file : juice-shop/node_modules/sqlite3/Dockerfile
* unnecessary file : juice-shop/node_modules/sqlite3/tools/docker/architecture/linux-arm64/Dockerfile
* unnecessary file : juice-shop/node_modules/sqlite3/tools/docker/architecture/linux-arm/Dockerfile
[+] Running Trivy
...
juice-shop/package-lock.json
============================
Total: 20 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 8, CRITICAL: 5)
...
[+] Making the output look pretty
[+] Starting the main module ============================================================
[+] Converting JSON results
[+] Writing results HTML
[+] Clean exit ============================================================
[+] Everything is done. Find the resulting HTML report in results.html
Conclusion
We looked at only one basic set of utilities for scanning Docker artifacts, which in my opinion covers a fair share of image security requirements quite effectively. There are many more paid and free tools that perform the same checks, draw pretty reports, work purely in console mode or cover container management systems; an overview of those tools and how to integrate them may come a little later.
The good thing about the tool set described here is that it is all built on open source code, so you can try these and similar tools and find what fits your requirements and infrastructure. Of course, every vulnerability found must be examined for applicability in your specific situation, but that is a topic for a future, larger article.
I hope this guide, the scripts and the utilities prove useful and serve as a starting point for building a more secure infrastructure in the area of containerization.
Source: habr.com