α αα α!
αα αααα»αααΆααα·αααΆααααα αα α»ααααααααα αααααΆαααααΆαααΎαα‘αΎαααΌααα½ααΆααΈαααα»αααΊααααα αααα»αααααΎαααΆαα’αα·αααααα αααα αΆααααΆαααΆααΆαα»ααααα·ααΆαααααααΆααααΆααααααα αα·αα’αααααΆααααααΆαααααααααΆαα½ααα»αααΊαααααΊαα·ααααα·ααα ααααααα α»αααααααααααα ααΆαα’αα»ααααααΆααααα½ααα·αα·ααααααααααΊααΆααΆαααΆαααααααΆα ααΌα ααααααΆααΆααΆααααααΎαααΆαααααα»αααΆαα αΆαααα·ααΆαααΆααααΆαα αα ααΆααααα αΆαααααΌαααααααα ααααααΎαααΆαααααααααααααααααααα·α
αα
αααα»αα’αααααααα αααα»αααΉαα
αααααααααααααΈααααααααααα½α
ααΆααααα
αααααΆααααΆαα’αα»ααααα§αααααααααΎααααΆαααα»ααααα·ααΆα Docker ααΆα
αααΎα αα·αααΆαααααΆαα’αααΈαααααααα
αααΆαααΆαααααααΌα
αα½αααΎααααΈααΆαααααααααΎαααΆααααα α’αααβα’αΆα
βααααΎβαααααΆαβααΎααααΈβαα·αααααβααΆαα½αβααΉαβααααβαααα
αβααααΎαααΆαβααΆαααααβαα»ααααα·ααΆαβααβααΌαααΆα Dockerfile αα·αβααΆαααααΆαα ααΆα
αααΆααααΆααααΆα αααααΆαα
ααΆααααααααααααΆαα’αα·αααααα αα·αααΆαα’αα»ααααααΊαα»αααααΆαααααΆααααα»ααααααααααααΆ ααΌα
ααααααΆααααααααααααα»αααΉαααααααααααΎαααΆα
αααΎααααα’αΆα
ααααΎαα
ααΆαα
α§αααααααααΎααααΆαααααα½ααα·αα·ααααα»ααααα·ααΆα
ααΆααααααα·ααΈαααα½α αα·αααααααΈααα½αα
ααα½ααααααααααΎααΆααααα½ααα·αα·αααααΎαα·αααααΆαααααααααα αααααΆαα
ααΆαααααααα Docker α αα½αααΆααααααααΌαααΆααα·αααααΆαα½α
α αΎααα
αααα»αα’ααααααα»α (
α αΆααΌααΈα
α§αααααααααΎααααΆαααα»αααΌαααααΆααααααααα½αααΆααααααααΈααΆαααααΉαααααΌα αα·ααα»ααααα·ααΆαααααΆαααααΆα Dockerfile ααΆααααΌα (α§ααΆα ααα ααααΎααααΆαα α»ααααααααΌαααΆααααααΆαα’αα»ααααΆα α¬ααααΎ sudo)α
α
α
α§αααααααααΎααααΆαααα»αααΌααααααααΎαααΆαααΎααΌαααΆα (α¬αα
ααΎααααΆααααΌαααΆααααααΆααααααΆαα»α) ααααα·αα·αααααΆαααααΉαααααΌα αα·ααα»ααααα·ααΆαααααΌαααΆαααΆααααΆαααα½α ααΌα
ααααααααΆααα·ααΆααααααΆαα αα·αααΆααααααααααααΆ - α’αααΈαααα’αααααααΎααααΌαααΆααααααΎα ααΆαααααΆαα’αααΈααααααα»αααααΎ ααα·ααΆαααααΌαααΆααααα ααααααΆαααααΆααααααααΆαααααα
αα·ααααααααααα
α§αααααααααΎααααΆαααααααΆαααααααααααααααααΆαααΆααααααααααΈααααααα - αααα αΆαααααΎα OS (Alpine, RedHat (EL), CentOS, Debian GNU, Ubuntu ααααΌαααΆαααΆαααα) αα·ααααα αΆα’αΆααααα (Gemfile.lock, Pipfile.lock, composer.lock, package-lock .json, yarn.lock, Cargo.lock)α Trivy α’αΆα αααααααΆααααΌαααΆααα αααα»αααααΆαα αα·αααΌαααΆααααα»αααααα α αΎαααα’αΆα ααααααααααα’ααααΎα―αααΆα .tar αααααΆααααααααΆαα½αααΌαααΆα Docker αααααα
αααααΎαααααΆαα’αα»ααααα§αααααααααΎααααΆαα
ααΎααααΈααΆααααααααααα·ααΈαααααΆααα·αααααΆαα αααα»αααααααααααΆα αααααΆα αααα»αααΉααααααααΆαααααΆααααααΆααααΆαααα‘αΎαα§αααααααααΎααααΆααααΆααα’ααααΆαααααααααααΎαααΆαααΆαααααα½αα
αααα·αα ααααααΊααΎααααΈαααα αΆαααΈαααααααα’αααα’αΆα α’αα»ααααααΆααααααααααΆααααΆαα·ααΆαααααααααααααααα·αα Dockerfiles αα·αααΌαααΆα Docker αααααααΌαααΆααααααΎαα‘αΎαααα‘α»ααααα’αα·ααααα
ααΆααααααααααΆαααααα½αα―αααΆαααα αΆαααΌα ααΆααααααα
- αα·αα·αααααΎαααΆαααααΉαααααΌα αα·ααα»ααααα·ααΆαααααΆαααααΆα Dockerfile ααΆαα½αααΉαα§αααααααααΎααααΆαα linter α αΆααΌααΈα
- αα·αα·αααααΎαααΆαααααΉαααααΌααα·ααα»ααααα·ααΆαααααΌαααΆαα α»αααααααα·αααααα - α§αααααααααΎααααΆαααα½αα α α
- αα·αα·αααααααΆαααΆαααααααααααααααααΆααααΆααΌαα (CVE) αα αααα»αααΌαααΆαααΌαααααΆα αα·ααα½αα ααα½αααααΆαα’αΆααααα - αααα§αααααααααΎααααΆαα αα·ααααααααααα
α’ααααααααααΆαααααα»αααΉαααααααααααΎαααΈαααααΆααα’αα»ααααααα αΆαααΆαααααα
ααΈαα½αααΊαααααααααα
ααΆααααααααααααα CI / CD αααααααΎα§ααΆα ααααααα GitLab (ααΆαα½αααΉαααΆααα·αααααΆα’αααΈααααΎαααΆαααααΆααααααΎαα§ααΆα αααααΆααααα) α
ααΈααΈαααΊααααΎααααααΈααααα
ααΈααΈααΊααΆαα½αααΉαααΆααααααΎαααΌαααΆα Docker ααΎααααΈαααααααΌαααΆα Docker α
α’αααα’αΆα
ααααΎαααΎααααααΎααααααΆαααααΉαα’ααααααα»α αααααααΆαα
α αααααΆαα
ααΆααααααααααααα’ααα α αΎααααααααΆαα
ααΆααααααΌαααΆαααααα’αααα
α―αααΆαα
αΆαααΆα
αααΆααα’αα αα·αααΆαααααΆαααααααααααΆααα
αααα»αααααΆαααααααα
ααΆααα½ααααα αΌα GitLab CI/CD
αα αααα»ααααααΎαααΈαα½α ααΎαααΉααα·αα·αααααΎαααΈαααααααααΆααααα½ααα·αα·ααααα»ααααα·ααΆαα’αΆα ααααΌαααΆαα’αα»αααααααααααΎαααααααααααα»α GitLab ααΆα§ααΆα ααααα½αα αα ααΈαααααΎαααΉαααααααΆααααα αΆα αα·αααΎαααΈαααααααα αααα·ααΆααΆαααΆαααααααΆαα½α GitLab ααΈααααΌα αααααΎαααααΎαααΆαααααα αα·αααααΎαααΆαα§αααααααααΎααααΆααααΎααααΈααΆααααα Dockerfile ααΆααααα αα·αααΌαααΆαα ααααα - αααααα·ααΈ JuiceShop α
Installing GitLab
1. Install Docker:
sudo apt-get update && sudo apt-get install docker.io
2. Add your user to the docker group so that docker can be run without sudo:
sudo addgroup <username> docker
3. Find out your IP address:
ip addr
4. Download and start GitLab in a container, replacing the IP address with your own IP or hostname:
docker run --detach \
  --hostname 192.168.1.112 \
  --publish 443:443 --publish 80:80 \
  --name gitlab \
  --restart always \
  --volume /srv/gitlab/config:/etc/gitlab \
  --volume /srv/gitlab/logs:/var/log/gitlab \
  --volume /srv/gitlab/data:/var/opt/gitlab \
  gitlab/gitlab-ce:latest
Wait for GitLab to finish starting (you can follow the progress with docker logs -f gitlab).
5. Open your IP address in a browser. On the first visit you will be asked to set a password for the root user; then log in to GitLab.
6. Create a new project, for example cicd-test, and create a README.md file in it.
7. Now install GitLab Runner, which will execute the pipeline jobs. Download the binary (64-bit Linux build):
sudo curl -L --output /usr/local/bin/gitlab-runner https://gitlab-runner-downloads.s3.amazonaws.com/latest/binaries/gitlab-runner-linux-amd64
8. Make it executable:
sudo chmod +x /usr/local/bin/gitlab-runner
9. Create an OS user for the Runner, then install and start the service:
sudo useradd --comment 'GitLab Runner' --create-home gitlab-runner --shell /bin/bash
sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
sudo gitlab-runner start
The output looks like this:
local@osboxes:~$ sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
Runtime platform arch=amd64 os=linux pid=8438 revision=0e5417a3 version=12.0.1
local@osboxes:~$ sudo gitlab-runner start
Runtime platform arch=amd64 os=linux pid=8518 revision=0e5417a3 version=12.0.1
10. Now register the Runner so that it can run jobs for our GitLab project. Open Settings > CI/CD (http://OUR_IP_ADDRESS/root/cicd-test/-/settings/ci_cd), expand the Runners section and copy the URL and the registration token.
11. Register the Runner, substituting the URL and the token:
sudo gitlab-runner register \
  --non-interactive \
  --url "http://<URL>/" \
  --registration-token "<Registration Token>" \
  --executor "docker" \
  --docker-privileged \
  --docker-image alpine:latest \
  --description "docker-runner" \
  --tag-list "docker,privileged" \
  --run-untagged="true" \
  --locked="false" \
  --access-level="not_protected"
ααΆαααααα ααΎαααα½αααΆα GitLab ααααααα»αααααΎαααΆααααααααααα½α ααΆααααα αααααΎαααααΌαααααααααΆαααααΆαααΎααααΈα αΆααααααΎαα§αααααααααΎααααΆααααααααΎαα αα αααα»αααΆααααα αΆαααα ααΎααα·αααΆαααα αΆααααααΎααααααα·ααΈ αα·ααα»αααΊααααα ααα»αααααα αααα»αααα·ααΆααΆαααΆααααααα αα½αααααΉαααΆααα»αααα αΆαααααα αα·ααααααΎαααΌαααΆα αα·α Dockerfile αααααΆααααΆααα·ααΆαα
ααΆαααααααα ααΆααααααααααααα
1. ααααααα―αααΆααα ααααΆαα mydockerfile.df (αααααΊααΆ Dockerfile ααΆααααααααααΎαααΉαααΆααααα) αα·αα―αααΆαααααααα ααΆααααααααααααΎαααΆα GitLab CI/CD .gitlab-cicd.ymlαααααΆααααααΈααΆαααααΆααααααΆαααααΆαααΈαααααα (α αααΆαα ααα»α αααα»ααααααα―αααΆα)α
α―αααΆαααααααα
ααΆαααααααα YAML ααΆαααΆαααααΆαααΎααααΈααααΎαααΆαα§αααααααααΎααααΆααα
ααα½αααΈ (Hadolint, Dockle αα·α Trivy) αααααΉααα·ααΆα Dockerfile αααααΆαααααΎαααΎα αα·αααΌαααΆααααααΆααααααΆαααα
αααα»αα’ααα DOCKERFILE α α―αααΆαα
αΆαααΆα
αααΆααα’ααα’αΆα
ααααΌαααΆαααα
ααααΈααααΆααα
αααααααα
ααααΈ mydockerfile.df (αααβααΆβα―αααΆαβα’ααΌααΈβαααβααΆαβαααα»αβααβααΆαβααααΆαβαααβααααΆαβααΎααααΈβαααα αΆαβααΈβααααβαααβα§αααααβααααΎααααΆααβααααΎαααΆα)α αααααααΆαααα
ααΆααα―αααΆαα
Contents of mydockerfile.df:
FROM amd64/node:10.16.0-alpine@sha256:f59303fb3248e5d992586c76cc83e1d3700f641cbcd7c0067bc7ad5bb2e5b489 AS tsbuild
COPY package.json .
COPY yarn.lock .
RUN yarn install
COPY lib lib
COPY tsconfig.json tsconfig.json
COPY tsconfig.app.json tsconfig.app.json
RUN yarn build
FROM amd64/ubuntu:18.04@sha256:eb70667a801686f914408558660da753cde27192cd036148e58258819b927395
LABEL maintainer="Rhys Arkins <[email protected]>"
LABEL name="renovate"
...
COPY php.ini /usr/local/etc/php/php.ini
RUN cp -a /tmp/piik/* /var/www/html/
RUN rm -rf /tmp/piwik
RUN chown -R www-data /var/www/html
ADD piwik-cli-setup /piwik-cli-setup
ADD reset.php /var/www/html/
## ENTRYPOINT ##
ADD entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
USER root
ααΆαααααααα
ααΆαααααααα YAML ααΎααα
ααΌα
ααα (α―αααΆααααα½αα―αα’αΆα
ααααΌαααΆαααα
ααααΈαααααααΆαααα
ααΈαααα
Contents of .gitlab-ci.yml:
variables:
  DOCKER_HOST: "tcp://docker:2375/"
  DOCKERFILE: "mydockerfile.df" # name of the Dockerfile to analyse
  DOCKERIMAGE: "bkimminich/juice-shop" # name of the Docker image to analyse
  # DOCKERIMAGE: "knqyf263/cve-2018-11235" # test Docker image with several CRITICAL CVE
  SHOWSTOPPER_PRIORITY: "CRITICAL" # what level of criticality will fail Trivy job
  TRIVYCACHE: "$CI_PROJECT_DIR/.cache" # where to cache Trivy database of vulnerabilities for faster reuse
  ARTIFACT_FOLDER: "$CI_PROJECT_DIR"

services:
  - docker:dind # to be able to build docker images inside the Runner

stages:
  - scan
  - report
  - publish

HadoLint:
  # Basic lint analysis of Dockerfile instructions
  stage: scan
  image: docker:git
  after_script:
    - cat $ARTIFACT_FOLDER/hadolint_results.json
  script:
    - export VERSION=$(wget -q -O - https://api.github.com/repos/hadolint/hadolint/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/hadolint/hadolint/releases/download/v${VERSION}/hadolint-Linux-x86_64 && chmod +x hadolint-Linux-x86_64
    # NB: hadolint will always exit with 0 exit code
    - ./hadolint-Linux-x86_64 -f json $DOCKERFILE > $ARTIFACT_FOLDER/hadolint_results.json || exit 0
  artifacts:
    when: always # return artifacts even after job failure
    paths:
      - $ARTIFACT_FOLDER/hadolint_results.json

Dockle:
  # Analysing best practices about docker image (users permissions, instructions followed when image was built, etc.)
  stage: scan
  image: docker:git
  after_script:
    - cat $ARTIFACT_FOLDER/dockle_results.json
  script:
    - export VERSION=$(wget -q -O - https://api.github.com/repos/goodwithtech/dockle/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.tar.gz && tar zxf dockle_${VERSION}_Linux-64bit.tar.gz
    - ./dockle --exit-code 1 -f json --output $ARTIFACT_FOLDER/dockle_results.json $DOCKERIMAGE
  artifacts:
    when: always # return artifacts even after job failure
    paths:
      - $ARTIFACT_FOLDER/dockle_results.json

Trivy:
  # Analysing docker image and package dependencies against several CVE bases
  stage: scan
  image: docker:git
  script:
    # getting the latest Trivy
    - apk add rpm
    - export VERSION=$(wget -q -O - https://api.github.com/repos/knqyf263/trivy/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/knqyf263/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz && tar zxf trivy_${VERSION}_Linux-64bit.tar.gz
    # displaying all vulnerabilities w/o failing the build
    - ./trivy -d --cache-dir $TRIVYCACHE -f json -o $ARTIFACT_FOLDER/trivy_results.json --exit-code 0 $DOCKERIMAGE
    # write vulnerabilities info to stdout in human readable format (reading pure json is not fun, eh?). You can remove this if you don't need this.
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 0 $DOCKERIMAGE
    # failing the build if the SHOWSTOPPER priority is found
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 1 --severity $SHOWSTOPPER_PRIORITY --quiet $DOCKERIMAGE
  artifacts:
    when: always # return artifacts even after job failure
    paths:
      - $ARTIFACT_FOLDER/trivy_results.json
  cache:
    paths:
      - .cache

Report:
  # combining tools outputs into one HTML
  stage: report
  when: always
  image: python:3.5
  script:
    - mkdir json
    - cp $ARTIFACT_FOLDER/*.json ./json/
    - pip install json2html
    - wget https://raw.githubusercontent.com/shad0wrunner/docker_cicd/master/convert_json_results.py
    - python ./convert_json_results.py
  artifacts:
    paths:
      - results.html
ααΎα αΆαααΆα α α’αααααα’αΆα αααααααΌαααΆααααααΆααααααΆαα»αααΆααααααΆα .tar ααααα (αααααΆαααΆαααΆααααα α’αααααΉαααααΌαααααΆααααααΌααααΆαααΆαααααααααα αΌααααααΆααα§αααααααααΎααααΆαααααα»αα―αααΆα YAML)
NB: Trivy ααΆαααΆαααα‘αΎα rpm ΠΈ Git. ααΎαα·αααΌα αααααα ααΆααΉααααααΎαααα α»ααα ααααααααααΌαααΆααααααΆαααΌαααααΆαααΎ RedHat αα·αααα½αααΆααα αα α»ααααααααΆααα ααΌαααααΆααα·ααααααααΆαααΆααααααααα
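As an added example, not the article's code and not the convert_json_results.py that the Report job downloads: a Python sketch of that stage, which merges the three scanners' JSON files into one escaped HTML table and applies the same `--severity $SHOWSTOPPER_PRIORITY` selection as the Trivy job. The JSON shapes (Hadolint: a flat list of findings; Dockle: a `details` list; Trivy: a list of targets with `Vulnerabilities`) are assumed from the tools' output format of that period, and the sample data is constructed from the findings shown in the pipeline output on this page.

```python
import html
import json

# Trivy's severity names, ranked so the report lists the worst findings first.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample reports built from the findings shown in the pipeline output
# on this page; the JSON shapes are assumed to match each tool's format of the time.
HADOLINT_JSON = json.dumps([
    {"file": "Dockerfile", "line": 205, "code": "DL3015", "level": "warning",
     "message": "Avoid additional packages by specifying `--no-install-recommends`"},
    {"file": "Dockerfile", "line": 248, "code": "DL3002", "level": "warning",
     "message": "Last USER should not be root"},
])
DOCKLE_JSON = json.dumps({"details": [
    {"code": "DKL-DI-0006", "title": "Avoid latest tag", "level": "WARN",
     "alerts": ["Avoid 'latest' tag"]},
    {"code": "CIS-DI-0005", "title": "Enable Content trust for Docker", "level": "INFO",
     "alerts": ["export DOCKER_CONTENT_TRUST=1 before docker pull/build"]},
]})
TRIVY_JSON = json.dumps([
    {"Target": "juice-shop/frontend/package-lock.json", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2020-15256", "PkgName": "object-path",
         "InstalledVersion": "0.11.4", "Severity": "HIGH",
         "Title": "Prototype pollution in object-path"},
        {"VulnerabilityID": "CVE-2019-15599", "PkgName": "tree-kill",
         "InstalledVersion": "1.2.2", "Severity": "HIGH", "Title": "Code Injection"},
    ]},
    {"Target": "juice-shop/package-lock.json", "Vulnerabilities": None},
])


def load_findings(hadolint_json, dockle_json, trivy_json):
    """Normalise the three reports into (tool, severity, id, detail) rows."""
    rows = []
    for f in json.loads(hadolint_json):
        rows.append(("Hadolint", f["level"].upper(), f["code"],
                     "%s:%d %s" % (f["file"], f["line"], f["message"])))
    for d in json.loads(dockle_json)["details"]:
        rows.append(("Dockle", d["level"], d["code"],
                     "%s: %s" % (d["title"], "; ".join(d["alerts"]))))
    for target in json.loads(trivy_json):
        # Trivy may emit null rather than [] for a target without findings.
        for v in target.get("Vulnerabilities") or []:
            rows.append(("Trivy", v["Severity"], v["VulnerabilityID"],
                         "%s %s in %s: %s" % (v["PkgName"], v["InstalledVersion"],
                                               target["Target"], v.get("Title", ""))))
    return rows


def showstopper_hits(rows, severities):
    """Trivy findings whose severity is in the comma-separated list, the same
    selection the job's --severity $SHOWSTOPPER_PRIORITY flag makes."""
    wanted = {s.strip().upper() for s in severities.split(",")}
    return [r for r in rows if r[0] == "Trivy" and r[1] in wanted]


def render_html(rows):
    """One HTML table for results.html, worst severity first. Every cell is escaped
    so a crafted package name or advisory title cannot inject markup into the report."""
    ordered = sorted(rows, key=lambda r: -SEVERITY_RANK.get(r[1], 0))
    body = "".join("<tr>%s</tr>" % "".join("<td>%s</td>" % html.escape(c) for c in r)
                   for r in ordered)
    return ("<table><tr><th>Tool</th><th>Severity</th><th>ID</th><th>Detail</th></tr>"
            + body + "</table>")
```

Wired into the Report job, the script would write render_html(...) to results.html and exit non-zero whenever showstopper_hits(...) is non-empty, so the pipeline fails on the same severity the Trivy job uses.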
2. αααααΆααααΈααααααα―αααΆααα ααααΆαα ααααα ααΆαααΆαααααΆααα αααα»αα―αααΆαααααααα ααΆααααααααααααααΎα GitLab ααΉαα αΆααααααΎαααααΎαααΆαααΆαααα αα·αααααααααααααααααααααα·α αα ααΎααααΆαα CI/CD β Pipelines α’αααα’αΆα ααΎααααααααΆαααααΆαααααΆαα
ααΆααααααααΎαααΆαααΆααα·α
αα
α
ααα½ααα½αα αα½αααααΈααΆααααΆααααΆααααααααααααααΆαααααα»αααΆαααααα α αΎαα
α»αααααα (αααΆαααΆααα) αααααΌααααΆαααΆαααααΆαααααα½αααΈα―αααΆααααααα
αΆααααα
αΆαααΆαα½αααΉααααααααααααα
ααΆαααααΆαααΎα Trivy ααααααααΆαααααα·ααααα·ααααααΆ ααααα·αααΎααΆαααΆαααααααα CRITICAL ααααΌαααΆαααααΎααα
αααα»αααΌαααΆα α¬ααΆαα’αΆαααααα αααα»ααααααΆαα½αααααΆααα Hadolint ααααααααα‘αααααα·αααΌαααΆααααααααα
αααα»αααΌαααααα·ααααα· α
αΆααααΆααααΈααΆαααααα·ααααα·ααααααΆαααααααΆαααΆαααααααααΆαα ααααααααΆαα±ααααΆαααααΆαααΆααααΌαααααααα
α’αΆαααααααΎαααααΌαααΆαααΆααααΆααααααα’ααα α’αααα’αΆα
ααααααα
ααΆααααααααααΌαα
αα ααΌα
ααααα§αααααααααΎααααΆααααΆαααααααααααααααααΎαααΆαααΆααααααααα αα
αααααααααα αΆααααΆααα·ααααααΆααααΆαααα½αααααΌαααΆαααααΎαα αααα»αααααΈααααααΎα ααΆαααααΆαααΆααΉααααααααα»αααααΆαα Trivy ααααΎαααΆαααΆααααααααααΆαα½αααΉαααΆαααααααααααααααΎαααΆααααααΆαααα
αααα»αα’ααα SHOWSTOPPER αα
αααα»α .gitlab-ci.yml.
ααααααααααααα·ααααα·ααΆαααααα§αααααααααΎααααΆααααΈαα½ααα’αΆα
ααααΌαααΆαααΎααα
αααα»ααααααα ααα»αααα·α
αα
ααΆααααααααΈαα½αααααααααΆαααα
αααα»αα―αααΆα json αα
αααα»ααααααααααα»αα»ααΆα α¬αα
αααα»ααααΆαααΆααα HTML ααΆαααα (ααααααααΎααΆααΆαααααα)α
3. ααΎααααΈαααα αΆααααΆαααΆαααα§αααααααααΎααααΆαααααα»ααααααααααααα»αααα’αΆα
α’αΆαααΆαααααα·α
ααααααΈα Python ααΌα
αα½αααααΌαααΆαααααΎααΎααααΈαααααααα―αααΆα json ααΈαα
ααΆα―αααΆα HTML αααα½ααααααΆαααΆααΆααα·ααΆαααΆαα
ααααααΈααααααααΌαααΆαα
αΆααααααΎαααααα·α
αα
ααΆαααΆαααΆαααααΆα
ααααα‘αα α αΎαααααα»αα»ααΆαα
α»ααααααααααααΆααΊα―αααΆα HTML αααααΆααααΆαααΆαααα αααααααααααΈαααααΆααα
αααα»αααααΆααααα α αΎαα’αΆα
αααααααα½ααα
ααΆααααααΌαααΆαααααα’ααα αααααΆααΎαα
ααααααΈαααα
αααααΎαααΈααΈαααΊαααααααααααΆααααααΈαααα’αααααααΌααα·αα·αααααΎαααΌαααΆα Docker αα·ααα αααα»ααααααααα CI/CD α¬α’αααααααΌαααΆαααΆαααααΆαααΆααα’αααααα»ααααααααααα’αΆα ααααα·ααααα·αααααααΆααααΎαααΆαααΈαα αααααΎααααααααΌαααΆααααααααααααααααααααΈαααααααααααααα½α ααΆααααα αααα’αΆα ααααΎαααΆααα ααΎαααΆαααΈααα·αααα·αααα’αΆα (α¬ααΌααααΈαααα·αααααΆαα) α ααααααΈαααααΎααΆαααΆαααααΆαααΌα ααααΆααΉα gitlab-runner ααΆαααΎα
ααΎααααΈα±ααααααααΈαααααΎαααΆαααααααααα Docker ααααΌαααααααΌαααΆαααα‘αΎααα ααΎαααααααα α αΎαα’αααααααΎααααΆαααα αα α»ααααααααααΌααααααα·ααα αααα»ααααα»α docker α
ααααααΈααααα½αααΆα’αΆα
ααααΆααα
ααΈαααα
αα ααΎαα―αααΆα α’αααβαααααΆααβααΆβααΌαααΆαβαα½αααΆβαα½αβααααΌαβααΆαβααααα α αΎαβααΆαβαααααααααβααβαα·ααΆαααΆαβααΉαβααααΎβα±ααβα§αααααβααααΎααααΆαα Trivy α ααβαααβααΌαβααα α»αβαααβααΆαβαααααΆααα
αααα»αα’αα‘α»ααααααααΎαααΆαααααααΈα α§αααααααααΎααααΆααααΆααα’ααααΉαααααΌαααΆαααΆααααα αα docker_tools, ααααααααααΆαααΆααααααα½ααα - αα αααα»ααα docker_tools/jsonα αΎα HTML αααααΆααααΆαααΆαααααΉαααΆααα αααα»αα―αααΆα results.html.
α§ααΆα αααααααααααααααΈα
~/docker_cicd$ ./docker_sec_check.sh
[+] Setting environment variables
[+] Installing required packages
[+] Preparing necessary directories
[+] Fetching sample Dockerfile
2020-10-20 10:40:00 (45.3 MB/s) - ‘Dockerfile’ saved [8071/8071]
[+] Pulling image to scan
latest: Pulling from bkimminich/juice-shop
[+] Running Hadolint
...
Dockerfile:205 DL3015 Avoid additional packages by specifying `--no-install-recommends`
Dockerfile:248 DL3002 Last USER should not be root
...
[+] Running Dockle
...
WARN - DKL-DI-0006: Avoid latest tag
* Avoid 'latest' tag
INFO - CIS-DI-0005: Enable Content trust for Docker
* export DOCKER_CONTENT_TRUST=1 before docker pull/build
...
[+] Running Trivy
juice-shop/frontend/package-lock.json
=====================================
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
+---------------------+------------------+----------+---------+-------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | VERSION | TITLE |
+---------------------+------------------+----------+---------+-------------------------+
| object-path | CVE-2020-15256 | HIGH | 0.11.4 | Prototype pollution in |
| | | | | object-path |
+---------------------+------------------+ +---------+-------------------------+
| tree-kill | CVE-2019-15599 | | 1.2.2 | Code Injection |
+---------------------+------------------+----------+---------+-------------------------+
| webpack-subresource | CVE-2020-15262 | LOW | 1.4.1 | Unprotected dynamically |
| | | | | loaded chunks |
+---------------------+------------------+----------+---------+-------------------------+
juice-shop/package-lock.json
============================
Total: 20 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 8, CRITICAL: 5)
...
juice-shop/package-lock.json
============================
Total: 5 (CRITICAL: 5)
...
[+] Removing left-overs
[+] Making the output look pretty
[+] Converting JSON results
[+] Writing results HTML
[+] Clean exit ============================================================
[+] Everything is done. Find the resulting HTML report in results.html
ααΌαααΆα Docker ααΆαα½αα§αααααααααΎααααΆααααΆααα’ααα
ααΆαααααΎαααΈααΈ αααα»αααΆαα αααααα―αααΆα Dockerfiles ααΆααααα ααα½αααΈαααΎααααΈαααααΎαααΌαααΆαααΆαα½αααΉαα§αααααααααΎααααΆαααα»ααααα·ααΆαα Dockerfile αα½αααΉααα½ααααααΎααααα»αααΎααααΈαααααααΌαααΆαααΈααααΆαα ααΈααΈα (Dockerfile_tar) ααΉααααααΎααααα»αααΎααααΈαααααα―αααΆα tar ααΆαα½αααΌαααΆαα
1. ααα―αααΆα Docker αα·αααααααΈααααααααΌαααααΆααΈααααΆαα
2. ααααΎαααΆαααΆαααααΆααααΆααα½αααααα»αααααΆα
docker build -t dscan:image -f docker_security.df .
3. αααΆαααΆααααΈααΆαααΆαααααα½α ααΆαα ααΌααααααΎααα»ααα½αααΈααΌαααΆαα αααα»ααααααΆαα½αααααΆααα ααΎαααααααΆααα’αααααα·ααααΆα DOCKERIMAGE ααΆαα½αααΉααααααααΌαααΆααααααΎαα αΆααα’αΆαααααα α αΎαααααΆαα Dockerfile αααααΎαα αααα·ααΆαααΈαααΆαααΈαααααααΎααα α―αααΆαα /dockerfile (α αααΆαααΆααααΌαααΆα αααΆααα ααΆααα―αααΆααααααααΌαααΆαααΆαααΆα)α
docker run --rm -v $(pwd)/results:/results -v $(pwd)/docker_security.df:/Dockerfile -e DOCKERIMAGE="bkimminich/juice-shop" dscan:image
[+] Setting environment variables
[+] Running Hadolint
/Dockerfile:3 DL3006 Always tag the version of an image explicitly
[+] Running Dockle
WARN - DKL-DI-0006: Avoid latest tag
* Avoid 'latest' tag
INFO - CIS-DI-0005: Enable Content trust for Docker
* export DOCKER_CONTENT_TRUST=1 before docker pull/build
INFO - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
* not found HEALTHCHECK statement
INFO - DKL-LI-0003: Only put necessary files
* unnecessary file : juice-shop/node_modules/sqlite3/Dockerfile
* unnecessary file : juice-shop/node_modules/sqlite3/tools/docker/architecture/linux-arm64/Dockerfile
* unnecessary file : juice-shop/node_modules/sqlite3/tools/docker/architecture/linux-arm/Dockerfile
[+] Running Trivy
...
juice-shop/package-lock.json
============================
Total: 20 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 8, CRITICAL: 5)
...
[+] Making the output look pretty
[+] Starting the main module ============================================================
[+] Converting JSON results
[+] Writing results HTML
[+] Clean exit ============================================================
[+] Everything is done. Find the resulting HTML report in results.html
Results
ααΎαααΆαααααααααααααΎαααα»αααΌαααααΆααα½αααα§ααααααααααααααα»αα»ααΆα Docker ααααααα»ααα·αααΆαααααααααααααααααααα’αααααααΌαααΆααα»ααααα·ααΆαααΌαααΆααααΆαααΆαααααα·αααααΆαα ααΆαα§ααααααααααααΆαα αα·αα₯ααα·αααααααΆα αααΎαααααααα’αΆα ααααΎααΆααααα½ααα·αα·αααααΌα ααααΆ ααΌααααΆαααΆααααααααααααα’αΆα α¬ααααΎαααΆααα»αααααΆααααα»ααααααα»αααΌα ααααααααααααααααααα»αααΊααα ααΆααΎαα αα·αααααΆαααΌαα ααα§αααααααΆααααα αα·ααααααα½ααααα αΌααα½αααΆα’αΆα αααα αΆααα ααααααααααααα·α α
ααααααα·αααααΆααααααα»αα§ααααααααααΆααα·αααααΆαα αααα»αα’αααααααΊααΆαα½αααΆααΆααα’ααααααΌαααΆααααααΎαα‘αΎααα ααΎαααααααΎαα αα α αΎαα’αααα’αΆα αα·αααααααΆαα½ααα½αααΆ αα·αα§αααααααααααααααΆααααααααααΎααααΈαααααααα’αααΈαααααΆαααααΉααααααΌαααΆα αα·αααααααα αααααΆαα ααΆααααααααααααα’αααα ααΆααΆααα·αααΆαα ααΆαααΆααααααααααΆααα’αααααααααΌαααΆαααααΎααα½αααααααΌαααΆααα·ααααΆαααααΆααααΆαα’αα»αααααααα»αααααααααααΆααααΆαα ααα»αααααααααΊααΆαααααΆααααααααΆααα’ααααααααααα½αααΆαααα’ααΆααα
αααα»ααααααΉαααΆααααα»αααααααααα ααααααΈα αα·αα§αααααααααΎααααΆααααΉααα½αα’ααα αα·αααααΆαααΆα
ααα»α
α
αΆααααααΎααααααΆααααΆααααααΎαα αααααΆαα
ααΆαααααααααααααΆααα»ααααα·ααΆαααΆααα»ααα
αααα»ααααααααααΆααα»αααΊαααα
Source: www.habr.com