Awọn ọna ati awọn apẹẹrẹ ti imuse ti awọn ohun elo ṣayẹwo aabo Docker

Hey Habr!

In today's reality, given the growing role of containerisation in development processes, ensuring the security of the various stages and entities associated with containers is far from the least important issue. Performing the checks manually is time-consuming, so it is worth taking at least the first steps towards automating this process.

In this article I will share ready-made scripts for running several Docker security utilities, and instructions on how to set up a small demo stand to test this process. You can use the materials to experiment with how to organise security testing of Dockerfiles and Docker images. Obviously, everyone's development and deployment infrastructure differs, so below I will offer several possible options.

Security check utilities

There are a large number of helper utilities and scripts that run checks on various aspects of a Docker infrastructure. Some of them were already described in a previous article (https://habr.com/ru/company/swordfish_security/blog/518758/#docker-security), and in this material I would like to focus on three of them, which cover most of the security requirements for Docker images built during the development process. In addition, I will show an example of how these three utilities can be connected into a single pipeline to perform security checks.

Hadolint
https://github.com/hadolint/hadolint

A simple console utility that helps, as a first approximation, to assess the correctness and safety of Dockerfile instructions (for example, the use of only permitted image registries, or the use of sudo).


Dockle
https://github.com/goodwithtech/dockle

A console utility that works with an image (or with a saved tar archive of an image) and checks the correctness and security of the image as such, analysing its layers and configuration: which users are created, which instructions are used, which volumes are mounted, whether there is an empty password, and so on. So far the number of checks is not very large; it is based on several of its own checks and on the recommendations of the CIS (Center for Internet Security) Benchmark for Docker.

Trivy
https://github.com/aquasecurity/trivy

This utility aims to find two types of vulnerabilities: problems with OS builds (Alpine, RedHat (EL), CentOS, Debian GNU, Ubuntu are supported) and problems with dependencies (Gemfile.lock, Pipfile.lock, composer.lock, package-lock.json, yarn.lock, cargo.lock). Trivy can scan both an image in a registry and a local image, and it can also scan a .tar file exported from a Docker image.


Options for running the utilities

To try out the described utilities in an isolated environment, I will give instructions for installing all of them in a somewhat simplified form.

The main idea is to show how you can set up automated checking of the content of Dockerfiles and Docker images created during development.

The check itself consists of the following steps:

  1. Checking the correctness and safety of Dockerfile instructions using the linter utility Hadolint
  2. Checking the correctness and safety of the final and intermediate images using the Dockle utility
  3. Checking for publicly known vulnerabilities (CVEs) in the base image and in a number of dependencies using the Trivy utility

Further in the article I will give three options for running these steps:
The first is configuring a CI/CD pipeline, using GitLab as an example (including a description of how to bring up a test instance).
The second uses a shell script.
The third builds a Docker image for scanning Docker images.
You can choose the option that suits you best, transfer it to your infrastructure and adapt it to your needs.

All the necessary files and additional instructions are also in the repository: https://github.com/Swordfish-Security/docker_cicd

Integration into GitLab CI/CD

In the first option we will look at how to run security checks using the GitLab repository system as an example. Here we will go through the steps and see how to set up a test environment with GitLab from scratch, create a scanning process, and run the utilities to check a test Dockerfile and an arbitrary image, the JuiceShop application.

Installing GitLab
1. Install Docker:

sudo apt-get update && sudo apt-get install docker.io

2. Add the current user to the docker group so that you can work with docker without sudo:

sudo addgroup <username> docker

3. Find your IP address:

ip addr

4. Install and launch GitLab in a container, replacing the IP address in the hostname with your own:

docker run --detach \
--hostname 192.168.1.112 \
--publish 443:443 --publish 80:80 \
--name gitlab \
--restart always \
--volume /srv/gitlab/config:/etc/gitlab \
--volume /srv/gitlab/logs:/var/log/gitlab \
--volume /srv/gitlab/data:/var/opt/gitlab \
gitlab/gitlab-ce:latest

We wait until GitLab has completed all the necessary installation procedures (you can follow the process through the log output: docker logs -f gitlab).

5. Open your local IP in the browser and you will see a page asking you to change the password for the root user:
Set a new password and log in to GitLab.

6. Create a new project, for example cicd-test, and initialise it with the starting file README.md:
7. Now we need to install GitLab Runner: the agent that will run all the required jobs on request.
Download the latest version (in this case, for 64-bit Linux):

sudo curl -L --output /usr/local/bin/gitlab-runner https://gitlab-runner-downloads.s3.amazonaws.com/latest/binaries/gitlab-runner-linux-amd64

8. Make it executable:

sudo chmod +x /usr/local/bin/gitlab-runner

9. Add an OS user for the Runner and start the service:

sudo useradd --comment 'GitLab Runner' --create-home gitlab-runner --shell /bin/bash
sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
sudo gitlab-runner start

It should look something like this:

local@osboxes:~$ sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
Runtime platform arch=amd64 os=linux pid=8438 revision=0e5417a3 version=12.0.1
local@osboxes:~$ sudo gitlab-runner start
Runtime platform arch=amd64 os=linux pid=8518 revision=0e5417a3 version=12.0.1

10. Now we register the Runner so that it can interact with our GitLab instance.
To do this, open the Settings-CI/CD page (http://OUR_IP_ADDRESS/root/cicd-test/-/settings/ci_cd) and on the Runners tab find the URL and the registration token:
11. Register the Runner, substituting the URL and the registration token:

sudo gitlab-runner register \
--non-interactive \
--url "http://<URL>/" \
--registration-token "<Registration Token>" \
--executor "docker" \
--docker-privileged \
--docker-image alpine:latest \
--description "docker-runner" \
--tag-list "docker,privileged" \
--run-untagged="true" \
--locked="false" \
--access-level="not_protected"

As a result, we get a working GitLab, to which we need to add instructions for launching our utilities. In this demo there are no steps for building the application and packaging it into a container, but in a real environment these would precede the scanning steps and produce the images and the Dockerfile for analysis.

Pipeline configuration

1. Add to the repository the file mydockerfile.df (this is the test Dockerfile that we will check) and the GitLab CI/CD pipeline configuration file .gitlab-ci.yml, which lists the instructions for the scans (note the leading dot in the file name).

The YAML configuration file contains instructions for running the three utilities (Hadolint, Dockle and Trivy), which will analyse the Dockerfile named in the DOCKERFILE variable and the image named in the DOCKERIMAGE variable. All the necessary files can be taken from the repository: https://github.com/Swordfish-Security/docker_cicd/

Excerpt from mydockerfile.df (this is an abstract file with an arbitrary set of instructions, meant only to demonstrate how the utilities work). Direct link to the file: mydockerfile.df

Contents of mydockerfile.df

FROM amd64/node:10.16.0-alpine@sha256:f59303fb3248e5d992586c76cc83e1d3700f641cbcd7c0067bc7ad5bb2e5b489 AS tsbuild
COPY package.json .
COPY yarn.lock .
RUN yarn install
COPY lib lib
COPY tsconfig.json tsconfig.json
COPY tsconfig.app.json tsconfig.app.json
RUN yarn build
FROM amd64/ubuntu:18.04@sha256:eb70667a801686f914408558660da753cde27192cd036148e58258819b927395
LABEL maintainer="Rhys Arkins <[email protected]>"
LABEL name="renovate"
...
COPY php.ini /usr/local/etc/php/php.ini
RUN cp -a /tmp/piik/* /var/www/html/
RUN rm -rf /tmp/piwik
RUN chown -R www-data /var/www/html
ADD piwik-cli-setup /piwik-cli-setup
ADD reset.php /var/www/html/
## ENTRYPOINT ##
ADD entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
USER root

The YAML configuration looks like this (the file itself is available via the direct link here: .gitlab-ci.yml):

Contents of .gitlab-ci.yml

variables:
    DOCKER_HOST: "tcp://docker:2375/"
    DOCKERFILE: "mydockerfile.df" # name of the Dockerfile to analyse   
    DOCKERIMAGE: "bkimminich/juice-shop" # name of the Docker image to analyse
    # DOCKERIMAGE: "knqyf263/cve-2018-11235" # test Docker image with several CRITICAL CVE
    SHOWSTOPPER_PRIORITY: "CRITICAL" # what level of criticality will fail Trivy job
    TRIVYCACHE: "$CI_PROJECT_DIR/.cache" # where to cache Trivy database of vulnerabilities for faster reuse
    ARTIFACT_FOLDER: "$CI_PROJECT_DIR"
 
services:
    - docker:dind # to be able to build docker images inside the Runner
 
stages:
    - scan
    - report
    - publish
 
HadoLint:
    # Basic lint analysis of Dockerfile instructions
    stage: scan
    image: docker:git
 
    after_script:
    - cat $ARTIFACT_FOLDER/hadolint_results.json
 
    script:
    - export VERSION=$(wget -q -O - https://api.github.com/repos/hadolint/hadolint/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/hadolint/hadolint/releases/download/v${VERSION}/hadolint-Linux-x86_64 && chmod +x hadolint-Linux-x86_64
     
    # NB: hadolint will always exit with 0 exit code
    - ./hadolint-Linux-x86_64 -f json $DOCKERFILE > $ARTIFACT_FOLDER/hadolint_results.json || exit 0
 
    artifacts:
        when: always # return artifacts even after job failure       
        paths:
        - $ARTIFACT_FOLDER/hadolint_results.json
 
Dockle:
    # Analysing best practices about docker image (users permissions, instructions followed when image was built, etc.)
    stage: scan   
    image: docker:git
 
    after_script:
    - cat $ARTIFACT_FOLDER/dockle_results.json
 
    script:
    - export VERSION=$(wget -q -O - https://api.github.com/repos/goodwithtech/dockle/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.tar.gz && tar zxf dockle_${VERSION}_Linux-64bit.tar.gz
    - ./dockle --exit-code 1 -f json --output $ARTIFACT_FOLDER/dockle_results.json $DOCKERIMAGE   
     
    artifacts:
        when: always # return artifacts even after job failure       
        paths:
        - $ARTIFACT_FOLDER/dockle_results.json
 
Trivy:
    # Analysing docker image and package dependencies against several CVE bases
    stage: scan   
    image: docker:git
 
    script:
    # getting the latest Trivy
    - apk add rpm
    - export VERSION=$(wget -q -O - https://api.github.com/repos/knqyf263/trivy/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/knqyf263/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz && tar zxf trivy_${VERSION}_Linux-64bit.tar.gz
     
    # displaying all vulnerabilities w/o failing the build
    - ./trivy -d --cache-dir $TRIVYCACHE -f json -o $ARTIFACT_FOLDER/trivy_results.json --exit-code 0 $DOCKERIMAGE    
    
    # write vulnerabilities info to stdout in human readable format (reading pure json is not fun, eh?). You can remove this if you don't need this.
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 0 $DOCKERIMAGE    
 
    # failing the build if the SHOWSTOPPER priority is found
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 1 --severity $SHOWSTOPPER_PRIORITY --quiet $DOCKERIMAGE
         
    artifacts:
        when: always # return artifacts even after job failure
        paths:
        - $ARTIFACT_FOLDER/trivy_results.json
 
    cache:
        paths:
        - .cache
 
Report:
    # combining tools outputs into one HTML
    stage: report
    when: always
    image: python:3.5
     
    script:
    - mkdir json
    - cp $ARTIFACT_FOLDER/*.json ./json/
    - pip install json2html
    - wget https://raw.githubusercontent.com/shad0wrunner/docker_cicd/master/convert_json_results.py
    - python ./convert_json_results.py
     
    artifacts:
        paths:
        - results.html

If necessary, you can also scan images saved as a .tar archive (you will, however, need to change the input parameters of the utilities in the YAML file).

NB: Trivy requires rpm and Git to be installed. Otherwise it will produce errors when scanning RedHat-based images and when fetching updates to the vulnerability database.

2. Once the files are added to the repository, GitLab will automatically start the pipeline and the scanning process according to the instructions in our configuration file. The progress of the pipeline can be seen under CI/CD → Pipelines.

As a result, we get four jobs. Three of them deal directly with scanning, and the last one (Report) assembles a simple report from the scattered files with the scan results.
By default, Trivy stops the pipeline if critical vulnerabilities are found in the image or its dependencies. At the same time, Hadolint always returns a success code, because it always has findings in the form of remarks, which would otherwise stop the build.

Depending on your specific requirements, you can configure the exit code so that when these utilities find problems of a certain severity, they also stop the build process. In our case, the build will stop only if Trivy detects a vulnerability with the severity specified in the SHOWSTOPPER_PRIORITY variable in .gitlab-ci.yml.
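As an added example (not the article's own script or part of the repository), here is a small Python gate that applies the SHOWSTOPPER_PRIORITY logic to the trivy_results.json artifact instead of re-running the scanner: it counts findings per severity and returns exit code 1 only when a finding matches one of the listed severities. The sample report is constructed from the three findings shown in the article's console output; the two JSON layouts it accepts (a plain list of targets, and {"Results": [...]}) are assumptions, so check them against the Trivy version you run.

```python
import json
import sys

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample in the list-of-targets layout Trivy 0.x wrote; the three
# findings are the ones shown in the article's console output.
SAMPLE_TRIVY_JSON = json.dumps([
    {"Target": "juice-shop/frontend/package-lock.json",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2020-15256", "PkgName": "object-path",
          "InstalledVersion": "0.11.4", "Severity": "HIGH"},
         {"VulnerabilityID": "CVE-2019-15599", "PkgName": "tree-kill",
          "InstalledVersion": "1.2.2", "Severity": "HIGH"},
         {"VulnerabilityID": "CVE-2020-15262", "PkgName": "webpack-subresource",
          "InstalledVersion": "1.4.1", "Severity": "LOW"}]},
    # Trivy writes null, not [], for a target without findings.
    {"Target": "bkimminich/juice-shop (alpine)", "Vulnerabilities": None},
])
# The same findings in the newer {"Results": [...]} layout (assumed shape).
SAMPLE_TRIVY_JSON_V2 = json.dumps({"Results": json.loads(SAMPLE_TRIVY_JSON)})

def iter_findings(report):
    """Yield (target, vuln) for either layout, tolerating null Vulnerabilities."""
    targets = report["Results"] if isinstance(report, dict) else report
    for target in targets:
        for vuln in target.get("Vulnerabilities") or []:
            yield target["Target"], vuln

def severity_of(vuln):
    """Normalise the Severity field; anything unexpected counts as UNKNOWN."""
    sev = str(vuln.get("Severity", "UNKNOWN")).upper()
    return sev if sev in SEVERITIES else "UNKNOWN"

def summarize(report_text):
    """Per-severity counts, equivalent to Trivy's 'Total: N (...)' line."""
    counts = dict.fromkeys(SEVERITIES, 0)
    for _, vuln in iter_findings(json.loads(report_text)):
        counts[severity_of(vuln)] += 1
    return counts

def showstoppers(report_text, severity_list):
    """Findings whose severity is in the comma-separated list, i.e. the same
    selection as `trivy --severity $SHOWSTOPPER_PRIORITY`."""
    wanted = {s.strip().upper() for s in severity_list.split(",") if s.strip()}
    return [(t, v["VulnerabilityID"], v["PkgName"], severity_of(v))
            for t, v in iter_findings(json.loads(report_text))
            if severity_of(v) in wanted]

def gate_exit_code(report_text, severity_list):
    """1 when a showstopper is present (fail the job), otherwise 0."""
    return 1 if showstoppers(report_text, severity_list) else 0

if __name__ == "__main__":
    # Usage: python trivy_gate.py [trivy_results.json] [SEVERITY,LIST]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRIVY_JSON
    wanted = sys.argv[2] if len(sys.argv) > 2 else "CRITICAL"
    print(summarize(text))
    for hit in showstoppers(text, wanted):
        print("SHOWSTOPPER:", *hit)
    sys.exit(gate_exit_code(text, wanted))
```

Run it as an extra script step after the first Trivy call in the job: the JSON artifact is still produced and published, and the exit code decides whether the pipeline proceeds.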

The output of each utility can be viewed in the log of the corresponding scan job, directly in the json files in the artifacts section, or in a simple HTML report (more on that below):

3. To present the utility reports in a slightly more human-readable form, a small Python script is used to convert the three json files into a single HTML file with a table of findings.
This script is launched by the separate Report job, and its final artifact is an HTML file with the report. The source of the script is also in the repository, and you can adapt it to your needs, colours, and so on.

Shell script

The second option is suitable for cases when you need to check Docker images outside a CI/CD system, or need to have all the instructions in a form that can be executed directly on the host. This option is covered by a ready-made shell script that can be run on a clean virtual (or even physical) machine. The script performs the same instructions as the gitlab-runner described above.

For the script to run successfully, Docker must be installed on the system and the current user must be in the docker group.

The script itself can be found here: docker_sec_check.sh

At the beginning of the file, variables specify which image needs to be checked and which severity of findings will make the Trivy utility exit with the specified error code.

While the script runs, all the utilities are downloaded into the docker_tools directory, the results of their work are placed in the docker_tools/json directory, and the HTML report is written to the file results.html.

Sample script output

~/docker_cicd$ ./docker_sec_check.sh

[+] Setting environment variables
[+] Installing required packages
[+] Preparing necessary directories
[+] Fetching sample Dockerfile
2020-10-20 10:40:00 (45.3 MB/s) - ‘Dockerfile’ saved [8071/8071]
[+] Pulling image to scan
latest: Pulling from bkimminich/juice-shop
[+] Running Hadolint
...
Dockerfile:205 DL3015 Avoid additional packages by specifying `--no-install-recommends`
Dockerfile:248 DL3002 Last USER should not be root
...
[+] Running Dockle
...
WARN    - DKL-DI-0006: Avoid latest tag
        * Avoid 'latest' tag
INFO    - CIS-DI-0005: Enable Content trust for Docker
        * export DOCKER_CONTENT_TRUST=1 before docker pull/build
...
[+] Running Trivy
juice-shop/frontend/package-lock.json
=====================================
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

+---------------------+------------------+----------+---------+-------------------------+
|       LIBRARY       | VULNERABILITY ID | SEVERITY | VERSION |             TITLE       |
+---------------------+------------------+----------+---------+-------------------------+
| object-path         | CVE-2020-15256   | HIGH     | 0.11.4  | Prototype pollution in  |
|                     |                  |          |         | object-path             |
+---------------------+------------------+          +---------+-------------------------+
| tree-kill           | CVE-2019-15599   |          | 1.2.2   | Code Injection          |
+---------------------+------------------+----------+---------+-------------------------+
| webpack-subresource | CVE-2020-15262   | LOW      | 1.4.1   | Unprotected dynamically |
|                     |                  |          |         | loaded chunks           |
+---------------------+------------------+----------+---------+-------------------------+

juice-shop/package-lock.json
============================
Total: 20 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 8, CRITICAL: 5)

...

juice-shop/package-lock.json
============================
Total: 5 (CRITICAL: 5)

...
[+] Removing left-overs
[+] Making the output look pretty
[+] Converting JSON results
[+] Writing results HTML
[+] Clean exit ============================================================
[+] Everything is done. Find the resulting HTML report in results.html

Docker image with all the utilities

As a third option, I put together two simple Dockerfiles for creating an image with the security utilities. One Dockerfile helps build a kit for checking an image from a registry; the second (Dockerfile_tar) helps build a kit for checking a tar file containing an image.

1. Take the corresponding Dockerfile and the scripts from the repository https://github.com/Swordfish-Security/docker_cicd/tree/master/Dockerfile.
2. Run the build:

docker build -t dscan:image -f docker_security.df .

3. After the build is complete, we create a container from the image. At the same time, we pass the DOCKERIMAGE environment variable with the name of the image we are interested in, and mount the Dockerfile we want to analyse from our machine to the file /Dockerfile (note that an absolute path to this file is required):

docker run --rm -v $(pwd)/results:/results -v $(pwd)/docker_security.df:/Dockerfile -e DOCKERIMAGE="bkimminich/juice-shop" dscan:image

[+] Setting environment variables
[+] Running Hadolint
/Dockerfile:3 DL3006 Always tag the version of an image explicitly
[+] Running Dockle
WARN    - DKL-DI-0006: Avoid latest tag
        * Avoid 'latest' tag
INFO    - CIS-DI-0005: Enable Content trust for Docker
        * export DOCKER_CONTENT_TRUST=1 before docker pull/build
INFO    - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
        * not found HEALTHCHECK statement
INFO    - DKL-LI-0003: Only put necessary files
        * unnecessary file : juice-shop/node_modules/sqlite3/Dockerfile
        * unnecessary file : juice-shop/node_modules/sqlite3/tools/docker/architecture/linux-arm64/Dockerfile
        * unnecessary file : juice-shop/node_modules/sqlite3/tools/docker/architecture/linux-arm/Dockerfile
[+] Running Trivy
...
juice-shop/package-lock.json
============================
Total: 20 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 8, CRITICAL: 5)
...
[+] Making the output look pretty
[+] Starting the main module ============================================================
[+] Converting JSON results
[+] Writing results HTML
[+] Clean exit ============================================================
[+] Everything is done. Find the resulting HTML report in results.html

Results

We looked at just one basic set of utilities for scanning Docker artifacts, which, in my opinion, covers a decent share of image security requirements quite effectively. There are also a large number of paid and free tools that can perform the same checks, draw beautiful reports or work purely in console mode, cover container management systems, and so on. An overview of these tools and how to integrate them may appear a little later.

The good thing about the set of tools described in this article is that they are all open source, and you can experiment with them and other similar tools to find what suits your needs and infrastructure. Of course, every vulnerability found should be studied for its applicability in specific conditions, but that is a topic for a future big article.

I hope this guide, the scripts and the utilities will help you and become a starting point for building a more secure infrastructure in the containerisation domain.

Source: www.habr.com