Methods and examples of implementing Docker security checking tools

Hi, Habr!

In today's reality, given the growing role of containerization in development processes, ensuring security at the various levels and for the various entities associated with containers is one of the most important topics. Manual checks are time-consuming, so it is a good idea to take at least the first steps towards automating this process.

In this article I will share ready-made scripts for running several Docker security utilities, along with instructions on how to deploy a small demo stand to try this process out. You can use the material to experiment with organising a security testing process for Dockerfiles and Docker images. Obviously, every development and deployment infrastructure is different, so below I will offer several possible options.

Security check utilities

There is a large number of different helper applications and scripts that check various aspects of a Docker infrastructure. Some of them were already described in a previous article (https://habr.com/ru/company/swordfish_security/blog/518758/#docker-security), and here I would like to focus on three of them, which cover most of the security requirements for Docker images built during the development process. In addition, I will show an example of how these three utilities can be combined in one pipeline to perform security checks.

Hadolint
https://github.com/hadolint/hadolint

A simple console utility that helps, as a first approximation, to assess the correctness and security of Dockerfile instructions (for example, that only authorised image registries are used, or that sudo is not used).

Dockle
https://github.com/goodwithtech/dockle

A console utility that works with an image (or with a saved tar archive of an image) and checks the correctness and security of a particular image as such, analysing its layers and configuration: which users are created, which instructions are used, which volumes are mounted, whether there is an empty password, and so on. So far the number of checks is not very large; they are based on several of the tool's own checks and on the recommendations of the CIS (Center for Internet Security) Docker Benchmark.

Trivy
https://github.com/aquasecurity/trivy

This utility is aimed at finding two kinds of vulnerabilities: problems in OS builds (Alpine, RedHat (EL), CentOS, Debian GNU, Ubuntu are supported) and problems in dependencies (Gemfile.lock, Pipfile.lock, composer.lock, package-lock.json, yarn.lock, cargo.lock). Trivy can scan both an image in a repository and a local image, and it can also scan a .tar file containing a Docker image.

Options for running the utilities

To try the described utilities out in an isolated environment, I will give instructions for installing all of them in a somewhat simplified form.

The main idea is to show how you can implement automated content verification of Dockerfiles and Docker images created during development.

The check itself consists of the following steps:

  1. Checking the correctness and security of the Dockerfile instructions with the Hadolint linter
  2. Checking the correctness and security of the final and intermediate images with the Dockle utility
  3. Checking the base image and a number of dependencies for publicly known vulnerabilities (CVE) with the Trivy utility

Later in the article I will give three ways of running these steps:
The first is configuring a CI/CD pipeline, using GitLab as an example (with a description of how to deploy a test instance).
The second is using a shell script.
The third is building a Docker image for scanning Docker images.
You can choose the option that suits you, transfer it to your infrastructure and adapt it to your needs.

All the necessary files and additional instructions are also in the repository: https://github.com/Swordfish-Security/docker_cicd

Integration into GitLab CI/CD

As the first option, we will look at how security checks can be implemented using the GitLab repository system as an example. Here we will go through the steps and work out how to set up a test environment with GitLab from scratch, create a scanning process and run the utilities to check a test Dockerfile and an arbitrary image: the JuiceShop application.

Installing GitLab
1. Install Docker:

sudo apt-get update && sudo apt-get install docker.io

2. Add the current user to the docker group so that you can work with docker without sudo:

sudo addgroup <username> docker

3. Find out your IP address:

ip addr

4. Install and start GitLab in a container, replacing the IP address in the hostname with your own:

docker run --detach \
--hostname 192.168.1.112 \
--publish 443:443 --publish 80:80 \
--name gitlab \
--restart always \
--volume /srv/gitlab/config:/etc/gitlab \
--volume /srv/gitlab/logs:/var/log/gitlab \
--volume /srv/gitlab/data:/var/opt/gitlab \
gitlab/gitlab-ce:latest

Wait until GitLab completes all the necessary installation procedures (you can follow the process in the log output: docker logs -f gitlab).

5. Open your local IP address in a browser; you will see a page asking you to change the root user's password:
Set a new password and log in to GitLab.

6. Create a new project, for example cicd-test, and initialise it with an initial README.md file:
7. Now we need to install GitLab Runner: the agent that will run all the required jobs on request.
Download the latest version (in this case, for Linux 64-bit):

sudo curl -L --output /usr/local/bin/gitlab-runner https://gitlab-runner-downloads.s3.amazonaws.com/latest/binaries/gitlab-runner-linux-amd64

8. Make it executable:

sudo chmod +x /usr/local/bin/gitlab-runner

9. Add an OS user for the Runner and start the service:

sudo useradd --comment 'GitLab Runner' --create-home gitlab-runner --shell /bin/bash
sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
sudo gitlab-runner start

It should look like this:

local@osboxes:~$ sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
Runtime platform arch=amd64 os=linux pid=8438 revision=0e5417a3 version=12.0.1
local@osboxes:~$ sudo gitlab-runner start
Runtime platform arch=amd64 os=linux pid=8518 revision=0e5417a3 version=12.0.1

10. Now we register the Runner so that it can interact with our GitLab instance.
To do this, open the CI/CD Settings page (http://OUR_IP_ADDRESS/root/cicd-test/-/settings/ci_cd) and on the Runners tab find the URL and the Registration token:
11. Register the Runner, substituting the URL and the Registration token:

sudo gitlab-runner register \
--non-interactive \
--url "http://<URL>/" \
--registration-token "<Registration Token>" \
--executor "docker" \
--docker-privileged \
--docker-image alpine:latest \
--description "docker-runner" \
--tag-list "docker,privileged" \
--run-untagged="true" \
--locked="false" \
--access-level="not_protected"

As a result, we have a working GitLab, to which we now need to add the commands that launch our utilities. In this demo there are no steps for building the application and packaging it into a container, but in a real environment those steps would precede the scanning steps and would produce the images and the Dockerfile to be analysed.

Pipeline configuration

1. Add to the repository the file mydockerfile.df (this is the test Dockerfile we will check) and the GitLab CI/CD process configuration file .gitlab-ci.yml, which lists the scanner instructions (note the leading dot in the file name).

The YAML configuration file contains instructions for running the three utilities (Hadolint, Dockle and Trivy), which will analyse the Dockerfile and the image specified in the DOCKERFILE and DOCKERIMAGE variables. All the necessary files can be taken from the repository: https://github.com/Swordfish-Security/docker_cicd/

Excerpt from mydockerfile.df (this is an abstract file with a set of arbitrary instructions, intended only to demonstrate how the utilities work). Direct link to the file: mydockerfile.df

Contents of mydockerfile.df

FROM amd64/node:10.16.0-alpine@sha256:f59303fb3248e5d992586c76cc83e1d3700f641cbcd7c0067bc7ad5bb2e5b489 AS tsbuild
COPY package.json .
COPY yarn.lock .
RUN yarn install
COPY lib lib
COPY tsconfig.json tsconfig.json
COPY tsconfig.app.json tsconfig.app.json
RUN yarn build
FROM amd64/ubuntu:18.04@sha256:eb70667a801686f914408558660da753cde27192cd036148e58258819b927395
LABEL maintainer="Rhys Arkins <[email protected]>"
LABEL name="renovate"
...
COPY php.ini /usr/local/etc/php/php.ini
RUN cp -a /tmp/piik/* /var/www/html/
RUN rm -rf /tmp/piwik
RUN chown -R www-data /var/www/html
ADD piwik-cli-setup /piwik-cli-setup
ADD reset.php /var/www/html/
## ENTRYPOINT ##
ADD entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
USER root

The YAML configuration looks like this (the file itself can be found via the direct link here: .gitlab-ci.yml):

Contents of .gitlab-ci.yml

variables:
    DOCKER_HOST: "tcp://docker:2375/"
    DOCKERFILE: "mydockerfile.df" # name of the Dockerfile to analyse   
    DOCKERIMAGE: "bkimminich/juice-shop" # name of the Docker image to analyse
    # DOCKERIMAGE: "knqyf263/cve-2018-11235" # test Docker image with several CRITICAL CVE
    SHOWSTOPPER_PRIORITY: "CRITICAL" # what level of criticality will fail Trivy job
    TRIVYCACHE: "$CI_PROJECT_DIR/.cache" # where to cache Trivy database of vulnerabilities for faster reuse
    ARTIFACT_FOLDER: "$CI_PROJECT_DIR"
 
services:
    - docker:dind # to be able to build docker images inside the Runner
 
stages:
    - scan
    - report
    - publish
 
HadoLint:
    # Basic lint analysis of Dockerfile instructions
    stage: scan
    image: docker:git
 
    after_script:
    - cat $ARTIFACT_FOLDER/hadolint_results.json
 
    script:
    - export VERSION=$(wget -q -O - https://api.github.com/repos/hadolint/hadolint/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/hadolint/hadolint/releases/download/v${VERSION}/hadolint-Linux-x86_64 && chmod +x hadolint-Linux-x86_64
     
    # NB: hadolint will always exit with 0 exit code
    - ./hadolint-Linux-x86_64 -f json $DOCKERFILE > $ARTIFACT_FOLDER/hadolint_results.json || exit 0
 
    artifacts:
        when: always # return artifacts even after job failure       
        paths:
        - $ARTIFACT_FOLDER/hadolint_results.json
 
Dockle:
    # Analysing best practices about docker image (users permissions, instructions followed when image was built, etc.)
    stage: scan   
    image: docker:git
 
    after_script:
    - cat $ARTIFACT_FOLDER/dockle_results.json
 
    script:
    - export VERSION=$(wget -q -O - https://api.github.com/repos/goodwithtech/dockle/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.tar.gz && tar zxf dockle_${VERSION}_Linux-64bit.tar.gz
    - ./dockle --exit-code 1 -f json --output $ARTIFACT_FOLDER/dockle_results.json $DOCKERIMAGE   
     
    artifacts:
        when: always # return artifacts even after job failure       
        paths:
        - $ARTIFACT_FOLDER/dockle_results.json
 
Trivy:
    # Analysing docker image and package dependencies against several CVE bases
    stage: scan   
    image: docker:git
 
    script:
    # getting the latest Trivy
    - apk add rpm
    - export VERSION=$(wget -q -O - https://api.github.com/repos/knqyf263/trivy/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/knqyf263/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz && tar zxf trivy_${VERSION}_Linux-64bit.tar.gz
     
    # displaying all vulnerabilities w/o failing the build
    - ./trivy -d --cache-dir $TRIVYCACHE -f json -o $ARTIFACT_FOLDER/trivy_results.json --exit-code 0 $DOCKERIMAGE    
    
    # write vulnerabilities info to stdout in human readable format (reading pure json is not fun, eh?). You can remove this if you don't need this.
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 0 $DOCKERIMAGE    
 
    # failing the build if the SHOWSTOPPER priority is found
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 1 --severity $SHOWSTOPPER_PRIORITY --quiet $DOCKERIMAGE
         
    artifacts:
        when: always # return artifacts even after job failure
        paths:
        - $ARTIFACT_FOLDER/trivy_results.json
 
    cache:
        paths:
        - .cache
 
Report:
    # combining tools outputs into one HTML
    stage: report
    when: always
    image: python:3.5
     
    script:
    - mkdir json
    - cp $ARTIFACT_FOLDER/*.json ./json/
    - pip install json2html
    - wget https://raw.githubusercontent.com/shad0wrunner/docker_cicd/master/convert_json_results.py
    - python ./convert_json_results.py
     
    artifacts:
        paths:
        - results.html

If necessary, you can also scan images saved as a .tar archive (you will, however, need to change the input parameters passed to the utilities in the YAML file).

NOTE: Trivy requires rpm and git to be installed. Otherwise it will produce errors when scanning RedHat-based images and when fetching vulnerability database updates.

2. After the files are added to the repository, GitLab will automatically start the build and scan process according to the instructions in our configuration file. You can watch the progress of the jobs on the CI/CD → Pipelines tab.

As a result, we have four jobs. Three of them deal directly with scanning, and the last one (Report) collects a simple report from the separate files with the scan results.

By default, Trivy stops execution if CRITICAL vulnerabilities are found in the image or its dependencies. Hadolint, by contrast, always returns a success code, because it always produces some remarks, which would otherwise cause the build to stop.

Depending on your specific requirements, you can configure the exit codes so that, when these utilities detect problems of a certain severity, they also stop the build process. In our case, the build stops only if Trivy detects a vulnerability of the severity we specified in the SHOWSTOPPER variable in .gitlab-ci.yml.

The result of each utility can be viewed in the log of the corresponding scanning job, directly in the JSON files in the artifacts section, or in a simple HTML report (more on that below):

3. To present the utilities' reports in a somewhat more human-readable form, a small Python script is used to convert the three JSON files into a single HTML file with a table of findings.
This script is launched by a separate Report job, and its final artifact is the HTML file with the report. The script source is also in the repository and can be adjusted to your needs, colours, etc.
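The Report job and the SHOWSTOPPER gate described above, as one added Python example (my code, not the convert_json_results.py from the repository): it flattens the three tools' JSON reports into one HTML table and computes the job's exit code from a severity threshold, so the gate fails on "the chosen level and above" rather than on one exact level. Assumed: the JSON layouts shown in the constructed SAMPLE, the result file names from the pipeline, and my own mapping of Hadolint and Dockle levels onto Trivy's scale.

```python
import json
import os
from html import escape

# Trivy's severity scale; Hadolint/Dockle levels are mapped onto it (mapping is my assumption)
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
HADOLINT_LEVELS = {"error": "HIGH", "warning": "MEDIUM", "info": "LOW", "style": "LOW"}
DOCKLE_LEVELS = {"FATAL": "CRITICAL", "WARN": "MEDIUM", "INFO": "LOW", "PASS": "UNKNOWN"}

def normalize(tool, data):
    """Flatten one tool's JSON report into (tool, severity, id, where, message) rows."""
    rows = []
    if tool == "hadolint":  # hadolint -f json: a flat list of rule hits
        for h in data:
            sev = HADOLINT_LEVELS.get(h.get("level", ""), "UNKNOWN")
            rows.append((tool, sev, h["code"], f'{h["file"]}:{h["line"]}', h["message"]))
    elif tool == "dockle":  # dockle -f json: {"summary": ..., "details": [...]}
        for d in data.get("details", []):
            sev = DOCKLE_LEVELS.get(d.get("level", ""), "UNKNOWN")
            rows.append((tool, sev, d["code"], d["title"], "; ".join(d.get("alerts", []))))
    elif tool == "trivy":  # trivy -f json (layout of the 0.x releases used here): list of targets
        for target in data:
            for v in target.get("Vulnerabilities") or []:  # null when a target is clean
                where = f'{target["Target"]} {v["PkgName"]} {v["InstalledVersion"]}'
                rows.append((tool, v["Severity"].upper(), v["VulnerabilityID"], where, v.get("Title", "")))
    return rows

def gate_exit_code(rows, showstopper="CRITICAL"):
    """1 if any finding is at or above the showstopper severity (fail the job), else 0."""
    threshold = SEVERITY_RANK[showstopper]
    return 1 if any(SEVERITY_RANK.get(r[1], 0) >= threshold for r in rows) else 0

def render_html(rows):
    """One table, most severe findings first, every cell HTML-escaped."""
    head = "<tr><th>Tool</th><th>Severity</th><th>ID</th><th>Where</th><th>Message</th></tr>"
    ordered = sorted(rows, key=lambda r: -SEVERITY_RANK.get(r[1], 0))
    body = "".join("<tr>" + "".join(f"<td>{escape(str(c))}</td>" for c in r) + "</tr>" for r in ordered)
    return f"<html><body><table>{head}{body}</table></body></html>"

def load_reports(folder="json"):
    """Read hadolint_results.json, dockle_results.json, trivy_results.json (names as in the pipeline)."""
    reports = {}
    for tool in ("hadolint", "dockle", "trivy"):
        path = os.path.join(folder, f"{tool}_results.json")
        if os.path.exists(path):
            reports[tool] = json.load(open(path))
    return reports

# Constructed sample reports in the shape each tool emits (not real scan output)
SAMPLE = {
    "hadolint": [{"file": "Dockerfile", "line": 248, "column": 1, "level": "warning",
                  "code": "DL3002", "message": "Last USER should not be root"}],
    "dockle": {"summary": {"fatal": 0, "warn": 1, "info": 0, "pass": 10},
               "details": [{"code": "DKL-DI-0006", "title": "Avoid latest tag",
                            "level": "WARN", "alerts": ["Avoid 'latest' tag"]}]},
    "trivy": [{"Target": "juice-shop/frontend/package-lock.json",
               "Vulnerabilities": [{"VulnerabilityID": "CVE-2020-15256", "PkgName": "object-path",
                                    "InstalledVersion": "0.11.4", "Severity": "HIGH",
                                    "Title": "Prototype pollution in object-path"}]}],
}

def build_report(reports=SAMPLE, showstopper="CRITICAL"):
    rows = [r for tool, data in reports.items() for r in normalize(tool, data)]
    return render_html(rows), gate_exit_code(rows, showstopper)

if __name__ == "__main__":
    html, code = build_report(load_reports() or SAMPLE, os.environ.get("SHOWSTOPPER_PRIORITY", "CRITICAL"))
    open("results.html", "w").write(html)
    raise SystemExit(code)  # non-zero exit fails the Report job like the Trivy gate does
```

Run inside the Report job after the JSON artifacts are copied into ./json; with no files present it falls back to the constructed sample.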

Shell script

The second option suits cases where you need to check Docker images outside a CI/CD system, or need all the instructions in a form that can be run directly on a host. This option is covered by a ready-made shell script that can be run on a clean virtual (or physical) machine. The script performs the same commands as the gitlab-runner configuration described above.

For the script to run successfully, Docker must be installed on the system and the current user must be in the docker group.

The script itself can be found here: docker_sec_check.sh

At the beginning of the file, variables specify which image should be scanned and which severity of findings will cause Trivy to exit with the specified error code.

During execution of the script, all the utilities are downloaded into the docker_tools directory, the results of their work go to docker_tools/json, and the HTML report is written to the file results.html.

Example of the script's output

~/docker_cicd$ ./docker_sec_check.sh

[+] Setting environment variables
[+] Installing required packages
[+] Preparing necessary directories
[+] Fetching sample Dockerfile
2020-10-20 10:40:00 (45.3 MB/s) - ‘Dockerfile’ saved [8071/8071]
[+] Pulling image to scan
latest: Pulling from bkimminich/juice-shop
[+] Running Hadolint
...
Dockerfile:205 DL3015 Avoid additional packages by specifying `--no-install-recommends`
Dockerfile:248 DL3002 Last USER should not be root
...
[+] Running Dockle
...
WARN    - DKL-DI-0006: Avoid latest tag
        * Avoid 'latest' tag
INFO    - CIS-DI-0005: Enable Content trust for Docker
        * export DOCKER_CONTENT_TRUST=1 before docker pull/build
...
[+] Running Trivy
juice-shop/frontend/package-lock.json
=====================================
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

+---------------------+------------------+----------+---------+-------------------------+
|       LIBRARY       | VULNERABILITY ID | SEVERITY | VERSION |             TITLE       |
+---------------------+------------------+----------+---------+-------------------------+
| object-path         | CVE-2020-15256   | HIGH     | 0.11.4  | Prototype pollution in  |
|                     |                  |          |         | object-path             |
+---------------------+------------------+          +---------+-------------------------+
| tree-kill           | CVE-2019-15599   |          | 1.2.2   | Code Injection          |
+---------------------+------------------+----------+---------+-------------------------+
| webpack-subresource | CVE-2020-15262   | LOW      | 1.4.1   | Unprotected dynamically |
|                     |                  |          |         | loaded chunks           |
+---------------------+------------------+----------+---------+-------------------------+

juice-shop/package-lock.json
============================
Total: 20 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 8, CRITICAL: 5)

...

juice-shop/package-lock.json
============================
Total: 5 (CRITICAL: 5)

...
[+] Removing left-overs
[+] Making the output look pretty
[+] Converting JSON results
[+] Writing results HTML
[+] Clean exit ============================================================
[+] Everything is done. Find the resulting HTML report in results.html

Docker image with all the utilities

As a third option, I have put together two simple Dockerfiles for building an image with the security utilities. One Dockerfile builds a set for scanning an image from a repository, the second (Dockerfile_tar) builds a set for scanning a tar file containing an image.

1. Take the corresponding Dockerfile and scripts from the repository https://github.com/Swordfish-Security/docker_cicd/tree/master/Dockerfile.
2. Run the build:

docker build -t dscan:image -f docker_security.df .

3. After the build is complete, create a container from the image. At the same time, pass the DOCKERIMAGE variable with the name of the image we are interested in, and mount the Dockerfile we want to analyse from our machine to the file /Dockerfile (note that an absolute path to this file is required):

docker run --rm -v $(pwd)/results:/results -v $(pwd)/docker_security.df:/Dockerfile -e DOCKERIMAGE="bkimminich/juice-shop" dscan:image


[+] Setting environment variables
[+] Running Hadolint
/Dockerfile:3 DL3006 Always tag the version of an image explicitly
[+] Running Dockle
WARN    - DKL-DI-0006: Avoid latest tag
        * Avoid 'latest' tag
INFO    - CIS-DI-0005: Enable Content trust for Docker
        * export DOCKER_CONTENT_TRUST=1 before docker pull/build
INFO    - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
        * not found HEALTHCHECK statement
INFO    - DKL-LI-0003: Only put necessary files
        * unnecessary file : juice-shop/node_modules/sqlite3/Dockerfile
        * unnecessary file : juice-shop/node_modules/sqlite3/tools/docker/architecture/linux-arm64/Dockerfile
        * unnecessary file : juice-shop/node_modules/sqlite3/tools/docker/architecture/linux-arm/Dockerfile
[+] Running Trivy
...
juice-shop/package-lock.json
============================
Total: 20 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 8, CRITICAL: 5)
...
[+] Making the output look pretty
[+] Starting the main module ============================================================
[+] Converting JSON results
[+] Writing results HTML
[+] Clean exit ============================================================
[+] Everything is done. Find the resulting HTML report in results.html

Results

We have looked at only one basic set of utilities for scanning Docker artifacts, which, in my opinion, covers a decent share of image security requirements quite effectively. There is also a large number of paid and free tools that can perform similar checks, draw nice reports or work purely in console mode, cover container orchestration systems, and so on. An overview of these tools and how to integrate them may appear later.

The nice thing about the set of tools described in this article is that they are all open source, and you can experiment with them and with other similar tools to find what fits your requirements and infrastructure. Of course, every vulnerability found should be assessed for applicability in the specific conditions, but that is the topic of a future, bigger article.

I hope this guide, the scripts and the utilities will help you and become a starting point for building a more secure containerization infrastructure.

source: www.habr.com