docker-security-checker

May 16, 2020 ยท View on GitHub

This repository contains OPA Rego policies for Dockerfile Security checks using Conftest

Sample rego policy for using COPY instead of ADD in Dockerfile

deny[msg] {
    input[i].Cmd == "add"
    val := concat(" ", input[i].Value)
    msg = sprintf("Use COPY instead of ADD: %s", [val])
}

Running the conftest with security policies

  • Run the following command to test security policies against the Dockerfile
conftest test Dockerfile
  • Now you can see the below example output
WARN - Dockerfile - Do not use latest tag with image: ["ubuntu:latest"]
FAIL - Dockerfile - Suspicious ENV key found: ["SECRET", "AKIGG23244GN2344GHG"]
FAIL - Dockerfile - Use COPY instead of ADD: app /app
FAIL - Dockerfile - Use COPY instead of ADD: code /tmp/code

5 tests, 1 passed, 1 warning, 3 failures

Try it out yourself

  • I have created this scenario in katacoda playground to learn and try out yourself

Katacoda Playground for docker-security-checker

Contribution

  • You can add more policies at policy directory with more information by adding comments