Methods and examples of implementing utilities for checking Docker security

Hi Habr!

In today's reality, given the ever-growing role of containerisation in development processes, the question of checking security at the various stages and in the entities associated with containers is far from a minor one. Performing such checks by hand takes a lot of time, so it makes sense to take at least the first steps towards automating this process.

In this article I will share ready-made scripts for running several Docker security utilities, together with instructions for deploying a small demo stand on which to try the process out. You can use these materials to practise organising security testing of images and Dockerfile instructions. Obviously everyone's development and deployment infrastructure is different, so below I give several possible options.

Security checking utilities

There are many different helper applications and scripts that check various aspects of a Docker infrastructure. Some of them were already described in a previous article (https://habr.com/ru/company/swordfish_security/blog/518758/#docker-security); in this material I would like to focus on three of them, which cover the bulk of the security requirements for Docker images built during development. In addition, I will show an example of how these three utilities can be linked into a single security-checking pipeline.

Hadolint
https://github.com/hadolint/hadolint

A fairly simple console utility that helps, as a first approximation, to assess the correctness and security of Dockerfile instructions (for example, whether only permitted image registries are used, or whether sudo is used).


Dockle
https://github.com/goodwithtech/dockle

A console utility that works with an image (or with a saved tar archive of an image) and checks the correctness and security of a specific image by analysing its layers and configuration: which users are created, which instructions were used, which volumes are mounted, whether there are empty passwords, and so on. So far the number of checks is not very large; it is based on a few checks of its own plus the recommendations of the CIS (Center for Internet Security) Benchmark for Docker.
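As an added illustration of what "analysing the configuration" means in practice (this is example code written for this edit, not Dockle's own code), the Python below runs a few Dockle-style checks over an image's inspect data: the tag, the final USER, the presence of a HEALTHCHECK, credential-looking environment variables and volumes on sensitive directories. The checkpoint IDs are Dockle's: DKL-DI-0006 and CIS-DI-0006 appear in the article's output below, while CIS-DI-0001, CIS-DI-0010 and DKL-DI-0002 are taken from Dockle's checkpoint list. The INFO/WARN/FATAL levels assigned here are an assumption except for the two visible in the article, the inspect JSON is constructed to resemble the shape of `docker image inspect` output, and `exit_code` imitates the way Dockle turns a level threshold into a non-zero exit code.

```python
import json
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (level, checkpoint id, detail)
LEVELS = ["INFO", "WARN", "FATAL"]  # alert levels, lowest first
SENSITIVE_MOUNTS = ("/boot", "/dev", "/etc", "/lib", "/proc", "/sys", "/usr")
SECRET_MARKERS = ("PASSWORD", "PASSWD", "SECRET", "TOKEN", "API_KEY", "PRIVATE_KEY")

# Constructed input, not a real dump: only the parts of `docker image inspect` JSON the checks use.
SAMPLE_INSPECT = json.dumps({
    "RepoTags": ["bkimminich/juice-shop:latest"],
    "Config": {
        "User": "",
        "Healthcheck": None,
        "Env": ["NODE_ENV=production", "ADMIN_PASSWORD=hunter2", "PATH=/usr/local/bin:/usr/bin"],
        "Volumes": {"/etc": {}, "/data": {}},
    },
})
# The same image after every finding below has been fixed (also constructed).
HARDENED_INSPECT = json.dumps({
    "RepoTags": ["example/app:1.2.3"],
    "Config": {
        "User": "65532:65532",
        "Healthcheck": {"Test": ["CMD", "curl", "-f", "http://localhost:3000/"]},
        "Env": ["NODE_ENV=production", "PATH=/usr/local/bin:/usr/bin"],
        "Volumes": {"/data": {}},
    },
})


def check_image_config(inspect_json: str) -> List[Finding]:
    """Dockle-style checks on image metadata. Levels other than DKL-DI-0006 (WARN) and
    CIS-DI-0006 (INFO), which the article's output shows, are an assumption."""
    info = json.loads(inspect_json)
    config = info.get("Config") or {}
    findings: List[Finding] = []

    # DKL-DI-0006: a floating tag makes "which image did we actually scan?" unanswerable later
    for tag in info.get("RepoTags") or []:
        if tag.endswith(":latest"):
            findings.append(("WARN", "DKL-DI-0006", "Avoid 'latest' tag: %s" % tag))

    # CIS-DI-0001: no USER, or USER root, means the application runs as uid 0 inside the container
    user = (config.get("User") or "").split(":")[0]
    if user in ("", "root", "0"):
        findings.append(("WARN", "CIS-DI-0001", "Last USER should not be root"))

    # CIS-DI-0006: without HEALTHCHECK the orchestrator cannot tell a hung application from a healthy one
    if not config.get("Healthcheck"):
        findings.append(("INFO", "CIS-DI-0006", "not found HEALTHCHECK statement"))

    # CIS-DI-0010: ENV values are baked into the image config and readable by anyone who can pull it
    for entry in config.get("Env") or []:
        key = entry.split("=", 1)[0].upper()
        if any(marker in key for marker in SECRET_MARKERS):
            findings.append(("FATAL", "CIS-DI-0010", "Suspicious ENV key found: %s" % key))

    # DKL-DI-0002: a VOLUME on a system directory is a sign that host system paths get mounted into the container
    for path in config.get("Volumes") or {}:
        normalised = "/" + path.strip("/")
        if normalised in SENSITIVE_MOUNTS or normalised.startswith(tuple(m + "/" for m in SENSITIVE_MOUNTS)):
            findings.append(("FATAL", "DKL-DI-0002", "Avoid mounting sensitive dirs: %s" % path))
    return findings


def exit_code(findings: List[Finding], exit_level: str = "WARN") -> int:
    """1 if any finding is at or above exit_level, else 0 (the job fails on WARN by default)."""
    threshold = LEVELS.index(exit_level)
    return 1 if any(LEVELS.index(level) >= threshold for level, _, _ in findings) else 0


if __name__ == "__main__":
    for level, code, detail in check_image_config(SAMPLE_INSPECT):
        print("%-5s - %s: %s" % (level, code, detail))
```

Run against real data, the input would be the JSON of `docker image inspect <image>`; the sample image above triggers all five checkpoints, while the hardened variant produces none.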

Trivy
https://github.com/aquasecurity/trivy

This utility is designed to find two kinds of vulnerabilities: problems in OS builds (Alpine, RedHat (EL), CentOS, Debian GNU and Ubuntu are supported) and problems in dependencies (Gemfile.lock, Pipfile.lock, composer.lock, package-lock.json, yarn.lock, Cargo.lock). Trivy can scan both an image in a registry and a local image, and it can also scan a transferred .tar file containing a Docker image.


Options for implementing the utilities

To try the described applications out in an isolated environment, I will give instructions for installing all the utilities in a somewhat simplified form.

The main idea is to show how you can implement automatic checking of the contents of Dockerfiles and of the Docker images created during development.

The check itself consists of the following steps:

  1. Checking the correctness and security of Dockerfile instructions with the Hadolint utility
  2. Checking the correctness and security of final and intermediate images with the Dockle utility
  3. Checking for publicly known vulnerabilities (CVE) in the base image and in a number of dependencies with the Trivy utility

Further on in the article I will give three options for implementing these steps:
The first is configuring a CI/CD pipeline, using GitLab as an example (with a description of how to bring up a test instance).
The second uses a shell script.
The third involves building a Docker image for scanning Docker images.
You can choose the option that suits you, transfer it to your infrastructure and adapt it to your needs.

All the necessary files and additional instructions are also in the repository: https://github.com/Swordfish-Security/docker_cicd

GitLab CI/CD integration

In the first option we will look at how to implement security checks using the GitLab repository system as an example. Here we will go through the steps and work out how to set up a test environment with GitLab from scratch, create the scanning process and run the utilities against a test Dockerfile and an arbitrary image, the JuiceShop application.

Installing GitLab
1. Install Docker:

sudo apt-get update && sudo apt-get install docker.io

2. Add the current user to the docker group so you can work with docker without sudo:

sudo addgroup <username> docker

3. Find your IP address:

ip addr

4. Install and start GitLab in a container, substituting your IP address for the hostname:

docker run --detach \
--hostname 192.168.1.112 \
--publish 443:443 --publish 80:80 \
--name gitlab \
--restart always \
--volume /srv/gitlab/config:/etc/gitlab \
--volume /srv/gitlab/logs:/var/log/gitlab \
--volume /srv/gitlab/data:/var/opt/gitlab \
gitlab/gitlab-ce:latest

Wait until GitLab finishes all the necessary installation procedures (you can follow the process through the log output: docker logs -f gitlab).

5. Open your local IP address in the browser; you will see a page asking you to change the root user's password:
Set a new password and log in to GitLab.

6. Create a new project, for example cicd-test, and initialise it with a starter README.md file:
7. Now we need to install GitLab Runner: an agent that will carry out all the necessary operations on request.
Download the latest version (in this case for 64-bit Linux):

sudo curl -L --output /usr/local/bin/gitlab-runner https://gitlab-runner-downloads.s3.amazonaws.com/latest/binaries/gitlab-runner-linux-amd64

8. Make it executable:

sudo chmod +x /usr/local/bin/gitlab-runner

9. Add an OS user for the Runner and start the service:

sudo useradd --comment 'GitLab Runner' --create-home gitlab-runner --shell /bin/bash
sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
sudo gitlab-runner start

It should look like this:

local@osboxes:~$ sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
Runtime platform arch=amd64 os=linux pid=8438 revision=0e5417a3 version=12.0.1
local@osboxes:~$ sudo gitlab-runner start
Runtime platform arch=amd64 os=linux pid=8518 revision=0e5417a3 version=12.0.1

10. Now we register the Runner so that it can interact with our GitLab instance.
To do this, open the Settings > CI/CD page (http://OUR_IP_ADDRESS/root/cicd-test/-/settings/ci_cd) and on the Runners tab find the URL and the Registration token:
11. Register the Runner, substituting the URL and the Registration token:

sudo gitlab-runner register \
--non-interactive \
--url "http://<URL>/" \
--registration-token "<Registration Token>" \
--executor "docker" \
--docker-privileged \
--docker-image alpine:latest \
--description "docker-runner" \
--tag-list "docker,privileged" \
--run-untagged="true" \
--locked="false" \
--access-level="not_protected"

As a result we have a working GitLab, to which we need to add the instructions for launching our utilities. In this demonstration there are no steps for building the application and packaging it into a container, but in a real environment those steps would precede the scanning steps and would produce the images and the Dockerfile to be analysed.

Pipeline configuration

1. Add to the repository the file mydockerfile.df (this is the test Dockerfile we will check) and the GitLab CI/CD process configuration file .gitlab-ci.yml, which lists the instructions for the scanners (note the leading dot in the file name).

The YAML configuration file contains instructions for running the three utilities (Hadolint, Dockle and Trivy), which will analyse the chosen Dockerfile and the image specified in the DOCKERIMAGE variable. All the necessary files can be taken from the repository: https://github.com/Swordfish-Security/docker_cicd/

Listing of mydockerfile.df (this is an abstract file with an arbitrary set of instructions, included solely to demonstrate how the utilities work). Direct link to the file: mydockerfile.df

Contents of mydockerfile.df

FROM amd64/node:10.16.0-alpine@sha256:f59303fb3248e5d992586c76cc83e1d3700f641cbcd7c0067bc7ad5bb2e5b489 AS tsbuild
COPY package.json .
COPY yarn.lock .
RUN yarn install
COPY lib lib
COPY tsconfig.json tsconfig.json
COPY tsconfig.app.json tsconfig.app.json
RUN yarn build
FROM amd64/ubuntu:18.04@sha256:eb70667a801686f914408558660da753cde27192cd036148e58258819b927395
LABEL maintainer="Rhys Arkins <[email protected]>"
LABEL name="renovate"
...
COPY php.ini /usr/local/etc/php/php.ini
RUN cp -a /tmp/piik/* /var/www/html/
RUN rm -rf /tmp/piwik
RUN chown -R www-data /var/www/html
ADD piwik-cli-setup /piwik-cli-setup
ADD reset.php /var/www/html/
## ENTRYPOINT ##
ADD entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
USER root
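To make concrete what the HadoLint job looks for in a file like this, here is an added example of a small Dockerfile checker written for this edit (it is not Hadolint's code). It parses the instructions, joining backslash continuations, and applies four of Hadolint's rules: DL3002, DL3006 and DL3015 appear in the article's output further down, and DL3020 is Hadolint's "use COPY instead of ADD for files and folders" rule. The input is a constructed, shortened copy of mydockerfile.df with an untagged FROM and an apt-get line added so that every rule fires; the output follows hadolint's `file:line CODE message` format.

```python
import re
from typing import List, Optional, Set, Tuple

Finding = Tuple[int, str, str]  # (line number, rule id, message)

# Constructed input: a shortened mydockerfile.df with two deliberate additions
# (an untagged "FROM alpine" and an apt-get line) so that every rule below fires.
SAMPLE_DOCKERFILE = """\
FROM amd64/node:10.16.0-alpine@sha256:f59303fb3248e5d992586c76cc83e1d3700f641cbcd7c0067bc7ad5bb2e5b489 AS tsbuild
COPY package.json .
RUN yarn install && \\
    yarn build
FROM alpine
RUN apk add --no-cache curl
FROM amd64/ubuntu:18.04@sha256:eb70667a801686f914408558660da753cde27192cd036148e58258819b927395
RUN apt-get update && apt-get install -y php
COPY php.ini /usr/local/etc/php/php.ini
ADD piwik-cli-setup /piwik-cli-setup
ADD https://example.invalid/piwik.tar.gz /tmp/piwik.tar.gz
ENTRYPOINT ["/entrypoint.sh"]
USER root
"""

ARCHIVE_SUFFIXES = (".tar", ".tar.gz", ".tgz", ".tar.bz2", ".tar.xz", ".gz", ".bz2", ".xz")
APT_INSTALL = re.compile(r"apt-get\s+(?:-\S+\s+)*install\b")  # "apt-get [flags] install"


def parse_dockerfile(text: str) -> List[Tuple[int, str, str]]:
    """Return (first line number, INSTRUCTION, arguments) triples; joins backslash
    continuations and skips blank/comment lines (parser directives and heredocs are not handled)."""
    instructions: List[Tuple[int, str, str]] = []
    pending: List[str] = []
    start = 0
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not pending:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            start = number
        if line.endswith("\\"):
            pending.append(line[:-1].strip())
            continue
        pending.append(line.strip())
        name, _, args = " ".join(pending).partition(" ")
        pending = []
        instructions.append((start, name.upper(), args.strip()))
    return instructions


def lint_dockerfile(text: str) -> List[Finding]:
    """Apply DL3002, DL3006, DL3015 and DL3020 and return findings sorted by line."""
    findings: List[Finding] = []
    stages: Set[str] = set()
    last_user: Optional[Tuple[int, str]] = None
    for line, name, args in parse_dockerfile(text):
        tokens = [t for t in args.split() if not t.startswith("--")]  # drop --platform=/--chown= flags
        if name == "FROM":
            image = tokens[0] if tokens else ""
            if len(tokens) >= 3 and tokens[1].upper() == "AS":
                stages.add(tokens[2])  # later "FROM <stage>" references are not images to pin
            unpinned = ":" not in image.rsplit("/", 1)[-1] and "@" not in image
            if unpinned and image not in stages and image != "scratch" and not image.startswith("$"):
                findings.append((line, "DL3006", "Always tag the version of an image explicitly"))
        elif name == "RUN":
            if APT_INSTALL.search(args) and "--no-install-recommends" not in args:
                findings.append((line, "DL3015", "Avoid additional packages by specifying `--no-install-recommends`"))
        elif name == "ADD":
            src = tokens[0] if tokens else ""
            # ADD is only justified for remote URLs and auto-extracted archives; otherwise COPY is safer
            if not src.startswith(("http://", "https://")) and not src.lower().endswith(ARCHIVE_SUFFIXES):
                findings.append((line, "DL3020", "Use COPY instead of ADD for files and folders"))
        elif name == "USER":
            last_user = (line, args)
    # simplification: the last USER of the whole file is checked, not of each stage
    if last_user is not None and last_user[1].split(":")[0] in ("root", "0"):
        findings.append((last_user[0], "DL3002", "Last USER should not be root"))
    return sorted(findings)


def format_findings(text: str, filename: str = "Dockerfile") -> List[str]:
    """Render findings in hadolint's console format: Dockerfile:13 DL3002 Last USER should not be root."""
    return ["%s:%d %s %s" % (filename, line, code, message) for line, code, message in lint_dockerfile(text)]


if __name__ == "__main__":
    for entry in format_findings(SAMPLE_DOCKERFILE):
        print(entry)
```

The same four checks are a tiny subset of what Hadolint ships, but they show the shape of the job: the checker never needs to build or pull anything, it only reads the Dockerfile text, which is why it is the cheapest stage to run on every commit.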

The YAML configuration looks like this (the file itself is available at the direct link here: .gitlab-ci.yml):

Contents of .gitlab-ci.yml

variables:
    DOCKER_HOST: "tcp://docker:2375/"
    DOCKERFILE: "mydockerfile.df" # name of the Dockerfile to analyse   
    DOCKERIMAGE: "bkimminich/juice-shop" # name of the Docker image to analyse
    # DOCKERIMAGE: "knqyf263/cve-2018-11235" # test Docker image with several CRITICAL CVE
    SHOWSTOPPER_PRIORITY: "CRITICAL" # what level of criticality will fail Trivy job
    TRIVYCACHE: "$CI_PROJECT_DIR/.cache" # where to cache Trivy database of vulnerabilities for faster reuse
    ARTIFACT_FOLDER: "$CI_PROJECT_DIR"
 
services:
    - docker:dind # to be able to build docker images inside the Runner
 
stages:
    - scan
    - report
    - publish
 
HadoLint:
    # Basic lint analysis of Dockerfile instructions
    stage: scan
    image: docker:git
 
    after_script:
    - cat $ARTIFACT_FOLDER/hadolint_results.json
 
    script:
    - export VERSION=$(wget -q -O - https://api.github.com/repos/hadolint/hadolint/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/hadolint/hadolint/releases/download/v${VERSION}/hadolint-Linux-x86_64 && chmod +x hadolint-Linux-x86_64
     
    # NB: hadolint will always exit with 0 exit code
    - ./hadolint-Linux-x86_64 -f json $DOCKERFILE > $ARTIFACT_FOLDER/hadolint_results.json || exit 0
 
    artifacts:
        when: always # return artifacts even after job failure       
        paths:
        - $ARTIFACT_FOLDER/hadolint_results.json
 
Dockle:
    # Analysing best practices about docker image (users permissions, instructions followed when image was built, etc.)
    stage: scan   
    image: docker:git
 
    after_script:
    - cat $ARTIFACT_FOLDER/dockle_results.json
 
    script:
    - export VERSION=$(wget -q -O - https://api.github.com/repos/goodwithtech/dockle/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.tar.gz && tar zxf dockle_${VERSION}_Linux-64bit.tar.gz
    - ./dockle --exit-code 1 -f json --output $ARTIFACT_FOLDER/dockle_results.json $DOCKERIMAGE   
     
    artifacts:
        when: always # return artifacts even after job failure       
        paths:
        - $ARTIFACT_FOLDER/dockle_results.json
 
Trivy:
    # Analysing docker image and package dependencies against several CVE bases
    stage: scan   
    image: docker:git
 
    script:
    # getting the latest Trivy
    - apk add rpm
    - export VERSION=$(wget -q -O - https://api.github.com/repos/knqyf263/trivy/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/knqyf263/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz && tar zxf trivy_${VERSION}_Linux-64bit.tar.gz
     
    # displaying all vulnerabilities w/o failing the build
    - ./trivy -d --cache-dir $TRIVYCACHE -f json -o $ARTIFACT_FOLDER/trivy_results.json --exit-code 0 $DOCKERIMAGE    
    
    # write vulnerabilities info to stdout in human readable format (reading pure json is not fun, eh?). You can remove this if you don't need this.
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 0 $DOCKERIMAGE    
 
    # failing the build if the SHOWSTOPPER priority is found
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 1 --severity $SHOWSTOPPER_PRIORITY --quiet $DOCKERIMAGE
         
    artifacts:
        when: always # return artifacts even after job failure
        paths:
        - $ARTIFACT_FOLDER/trivy_results.json
 
    cache:
        paths:
        - .cache
 
Report:
    # combining tools outputs into one HTML
    stage: report
    when: always
    image: python:3.5
     
    script:
    - mkdir json
    - cp $ARTIFACT_FOLDER/*.json ./json/
    - pip install json2html
    - wget https://raw.githubusercontent.com/shad0wrunner/docker_cicd/master/convert_json_results.py
    - python ./convert_json_results.py
     
    artifacts:
        paths:
        - results.html

If required, you can also scan saved images in .tar archive form (but then you will need to change the input parameters for the utilities in the YAML file).

NB: Trivy requires rpm and git to be installed. Otherwise it will produce errors when scanning RedHat-based images and when fetching updates of the vulnerability database.

2. Once the files have been added to the repository, GitLab will automatically start the build and scan process according to the instructions in the configuration file. On the CI/CD → Pipelines page you can watch the instructions being executed.

As a result we have four jobs. Three of them deal directly with scanning, and the last one (Report) assembles a simple report from the scattered files with the scan results.
By default, Trivy stops the pipeline if CRITICAL vulnerabilities are found in the image or its dependencies. Hadolint, on the other hand, is made to always return a success code, because it practically always produces remarks, which would otherwise stop the build.

Depending on your specific requirements, you can configure the exit codes so that when these utilities find problems of a certain criticality they also stop the build process. In our case the build will stop only if Trivy finds a vulnerability with the severity we specified in the SHOWSTOPPER_PRIORITY variable in .gitlab-ci.yml.

The results of each utility can be viewed in the log of the corresponding scan job, directly in the json files in the artifacts section, or in a simple HTML report (more on that below):

3. To present the utilities' reports in a slightly more human-readable form, a small Python script is used to convert the three JSON files into a single HTML file with a table of defects.
This script is launched by a separate Report job, and its final artifact is the HTML file with the report. The script's source is also in the repository and can be adapted to your needs, colours, etc.
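The project's own converter is convert_json_results.py and its exit-code policy lives in .gitlab-ci.yml; the Python below is an added example of the same two pieces, written for this edit and not taken from the repository. It loads the three tools' JSON outputs into one list of findings, applies a per-tool severity gate in the spirit of the SHOWSTOPPER_PRIORITY check (by default only Trivy at CRITICAL fails the build, matching the pipeline described above; Hadolint and Dockle stay informational unless you give them a threshold), and renders a single escaped HTML table. The sample JSON is constructed, shaped after each tool's output format as I know it, and reuses the findings shown in the article's script output.

```python
import html
import json
from typing import Dict, List, Optional

# Constructed sample outputs (not real scan results), shaped after each tool's JSON
# format and reusing the findings printed in the article's script output.
HADOLINT_JSON = json.dumps([
    {"file": "Dockerfile", "line": 205, "column": 1, "level": "warning", "code": "DL3015",
     "message": "Avoid additional packages by specifying `--no-install-recommends`"},
    {"file": "Dockerfile", "line": 248, "column": 1, "level": "warning", "code": "DL3002",
     "message": "Last USER should not be root"},
])
DOCKLE_JSON = json.dumps({
    "summary": {"fatal": 0, "warn": 1, "info": 1, "skip": 0, "pass": 12},
    "details": [
        {"code": "DKL-DI-0006", "title": "Avoid latest tag", "level": "WARN",
         "alerts": ["Avoid 'latest' tag"]},
        {"code": "CIS-DI-0005", "title": "Enable Content trust for Docker", "level": "INFO",
         "alerts": ["export DOCKER_CONTENT_TRUST=1 before docker pull/build"]},
    ],
})
TRIVY_JSON = json.dumps([
    {"Target": "juice-shop/frontend/package-lock.json", "Type": "npm", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2020-15256", "PkgName": "object-path", "InstalledVersion": "0.11.4",
         "Severity": "HIGH", "Title": "Prototype pollution in object-path"},
        {"VulnerabilityID": "CVE-2019-15599", "PkgName": "tree-kill", "InstalledVersion": "1.2.2",
         "Severity": "HIGH", "Title": "Code Injection"},
        {"VulnerabilityID": "CVE-2020-15262", "PkgName": "webpack-subresource", "InstalledVersion": "1.4.1",
         "Severity": "LOW", "Title": "Unprotected dynamically loaded chunks"},
    ]},
])

# Each tool has its own severity scale, lowest first.
SEVERITY_SCALES = {
    "hadolint": ["STYLE", "INFO", "WARNING", "ERROR"],
    "dockle": ["INFO", "WARN", "FATAL"],
    "trivy": ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"],
}
# Mirrors the pipeline above: only Trivy at the showstopper level fails the build;
# Hadolint and Dockle findings are reported but do not stop it (None = never fail).
DEFAULT_POLICY: Dict[str, Optional[str]] = {"hadolint": None, "dockle": None, "trivy": "CRITICAL"}
COLUMNS = ("tool", "severity", "id", "location", "title")


def load_findings(hadolint_json: str, dockle_json: str, trivy_json: str) -> List[Dict[str, str]]:
    """Normalise the three JSON outputs into one list of uniform finding records."""
    findings: List[Dict[str, str]] = []
    for item in json.loads(hadolint_json):
        findings.append({"tool": "hadolint", "severity": item["level"].upper(), "id": item["code"],
                         "location": "%s:%s" % (item["file"], item["line"]), "title": item["message"]})
    for item in json.loads(dockle_json).get("details", []):
        findings.append({"tool": "dockle", "severity": item["level"].upper(), "id": item["code"],
                         "location": "; ".join(item.get("alerts", [])), "title": item["title"]})
    trivy = json.loads(trivy_json)
    # older Trivy versions emit a bare list of targets, newer ones wrap it in {"Results": [...]}
    targets = trivy.get("Results", []) if isinstance(trivy, dict) else trivy
    for target in targets:
        for vuln in target.get("Vulnerabilities") or []:
            findings.append({"tool": "trivy", "severity": vuln.get("Severity", "UNKNOWN").upper(),
                             "id": vuln["VulnerabilityID"],
                             "location": "%s (%s %s)" % (target["Target"], vuln["PkgName"],
                                                          vuln.get("InstalledVersion", "")),
                             "title": vuln.get("Title", "")})
    return findings


def gate(findings: List[Dict[str, str]], policy: Dict[str, Optional[str]]) -> int:
    """Return the job exit code: 1 if any finding reaches its tool's threshold, else 0."""
    for finding in findings:
        threshold = policy.get(finding["tool"])
        if threshold is None:
            continue
        scale = SEVERITY_SCALES[finding["tool"]]
        rank = scale.index(finding["severity"]) if finding["severity"] in scale else 0
        if rank >= scale.index(threshold):
            return 1
    return 0


def to_html(findings: List[Dict[str, str]]) -> str:
    """Render all findings as one HTML table; values are escaped so a finding title cannot inject markup."""
    rows = ["<tr>" + "".join("<th>%s</th>" % column.title() for column in COLUMNS) + "</tr>"]
    for finding in findings:
        rows.append("<tr>" + "".join("<td>%s</td>" % html.escape(str(finding[column])) for column in COLUMNS) + "</tr>")
    return ("<html><body><h1>Docker security scan results</h1><table border=\"1\">\n"
            + "\n".join(rows) + "\n</table></body></html>\n")


if __name__ == "__main__":
    import sys
    all_findings = load_findings(HADOLINT_JSON, DOCKLE_JSON, TRIVY_JSON)
    with open("results.html", "w") as out:
        out.write(to_html(all_findings))
    sys.exit(gate(all_findings, DEFAULT_POLICY))
```

In the pipeline this would replace the separate `--exit-code` invocations: the scan jobs always exit 0 and keep their JSON artifacts, and the Report job decides the final pass/fail from one policy, so tightening the rules (for example `{"trivy": "HIGH", "dockle": "FATAL"}`) is a one-line change rather than three edits to shell commands.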

Shell script

The second option suits cases where you need to check Docker images outside a CI/CD system, or need to have all the instructions in a form that can be run directly on a host. This option is covered by a ready-made shell script that can be run on a clean virtual (or even physical) machine. The script carries out the same instructions as the gitlab-runner pipeline described above.

For the script to run successfully, Docker must be installed on the system and the current user must be a member of the docker group.

The script itself can be found here: docker_sec_check.sh

At the beginning of the file, variables specify which image is to be scanned and which vulnerability severities will make Trivy exit with the specified error code.

During execution the script downloads all the utilities into the docker_tools directory, the results of their work are placed in the docker_tools/json directory, and the HTML report is written to the results.html file.

Example script output

~/docker_cicd$ ./docker_sec_check.sh

[+] Setting environment variables
[+] Installing required packages
[+] Preparing necessary directories
[+] Fetching sample Dockerfile
2020-10-20 10:40:00 (45.3 MB/s) - 'Dockerfile' saved [8071/8071]
[+] Pulling image to scan
latest: Pulling from bkimminich/juice-shop
[+] Running Hadolint
...
Dockerfile:205 DL3015 Avoid additional packages by specifying `--no-install-recommends`
Dockerfile:248 DL3002 Last USER should not be root
...
[+] Running Dockle
...
WARN    - DKL-DI-0006: Avoid latest tag
        * Avoid 'latest' tag
INFO    - CIS-DI-0005: Enable Content trust for Docker
        * export DOCKER_CONTENT_TRUST=1 before docker pull/build
...
[+] Running Trivy
juice-shop/frontend/package-lock.json
=====================================
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

+---------------------+------------------+----------+---------+-------------------------+
|       LIBRARY       | VULNERABILITY ID | SEVERITY | VERSION |             TITLE       |
+---------------------+------------------+----------+---------+-------------------------+
| object-path         | CVE-2020-15256   | HIGH     | 0.11.4  | Prototype pollution in  |
|                     |                  |          |         | object-path             |
+---------------------+------------------+          +---------+-------------------------+
| tree-kill           | CVE-2019-15599   |          | 1.2.2   | Code Injection          |
+---------------------+------------------+----------+---------+-------------------------+
| webpack-subresource | CVE-2020-15262   | LOW      | 1.4.1   | Unprotected dynamically |
|                     |                  |          |         | loaded chunks           |
+---------------------+------------------+----------+---------+-------------------------+

juice-shop/package-lock.json
============================
Total: 20 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 8, CRITICAL: 5)

...

juice-shop/package-lock.json
============================
Total: 5 (CRITICAL: 5)

...
[+] Removing left-overs
[+] Making the output look pretty
[+] Converting JSON results
[+] Writing results HTML
[+] Clean exit ============================================================
[+] Everything is done. Find the resulting HTML report in results.html

Docker image with all the utilities

As the third alternative, I put together two simple Dockerfiles for creating an image with the security utilities. One Dockerfile helps build a kit for scanning an image from a registry, the second (Dockerfile_tar) helps build a kit for scanning a tar file containing an image.

1. Take the corresponding Dockerfile and the scripts from the repository https://github.com/Swordfish-Security/docker_cicd/tree/master/Dockerfile.
2. Start the build:

docker build -t dscan:image -f docker_security.df .

3. Once the build has finished, create a container from the image. At the same time we pass the DOCKERIMAGE environment variable with the name of the image we are interested in, and mount the Dockerfile we want to analyse from our machine onto the /Dockerfile file (note that an absolute path to this file is required):

docker run --rm -v $(pwd)/results:/results -v $(pwd)/docker_security.df:/Dockerfile -e DOCKERIMAGE="bkimminich/juice-shop" dscan:image


[+] Setting environment variables
[+] Running Hadolint
/Dockerfile:3 DL3006 Always tag the version of an image explicitly
[+] Running Dockle
WARN    - DKL-DI-0006: Avoid latest tag
        * Avoid 'latest' tag
INFO    - CIS-DI-0005: Enable Content trust for Docker
        * export DOCKER_CONTENT_TRUST=1 before docker pull/build
INFO    - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
        * not found HEALTHCHECK statement
INFO    - DKL-LI-0003: Only put necessary files
        * unnecessary file : juice-shop/node_modules/sqlite3/Dockerfile
        * unnecessary file : juice-shop/node_modules/sqlite3/tools/docker/architecture/linux-arm64/Dockerfile
        * unnecessary file : juice-shop/node_modules/sqlite3/tools/docker/architecture/linux-arm/Dockerfile
[+] Running Trivy
...
juice-shop/package-lock.json
============================
Total: 20 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 8, CRITICAL: 5)
...
[+] Making the output look pretty
[+] Starting the main module ============================================================
[+] Converting JSON results
[+] Writing results HTML
[+] Clean exit ============================================================
[+] Everything is done. Find the resulting HTML report in results.html

Results

We have looked at just one basic set of tools for scanning Docker artifacts, which in my opinion covers a good part of the image security requirements quite effectively. There are also many other paid and free tools that can perform the same checks, draw nice reports or work in console mode, cover container orchestration systems, and so on.

The nice thing about the tools described in this article is that they are all open source, so you can experiment with them and with other similar tools to find what suits your needs and your infrastructure. Of course, every vulnerability found still has to be assessed for applicability to your specific conditions, but that is a topic for a future, larger article.

I hope this guide, the scripts and the utilities will be useful and will serve as a starting point for building a more secure infrastructure in the area of containerisation.

Source: www.habr.com
