{"id":13803196,"url":"https://github.com/Swordfish-Security/docker_cicd","last_synced_at":"2025-05-13T15:32:39.573Z","repository":{"id":109522917,"uuid":"206351071","full_name":"Swordfish-Security/docker_cicd","owner":"Swordfish-Security","description":null,"archived":false,"fork":false,"pushed_at":"2020-10-20T12:17:41.000Z","size":71,"stargazers_count":10,"open_issues_count":0,"forks_count":7,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-05-19T05:23:15.989Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Swordfish-Security.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2019-09-04T15:23:42.000Z","updated_at":"2024-03-21T06:52:18.000Z","dependencies_parsed_at":null,"dependency_job_id":"9a01917e-da78-4b17-b141-4a2985c486ba","html_url":"https://github.com/Swordfish-Security/docker_cicd","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Swordfish-Security%2Fdocker_cicd","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Swordfish-Security%2Fdocker_cicd/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Swordfish-Security%2Fdocker_cicd/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Swordfish-Security%2Fdocker_cicd/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Swordfish-Security","download_url":"https://codeload.github.com/Swordfish-Security/docker_cicd/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225239719,"owners_count":17442816,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T01:00:24.957Z","updated_at":"2024-11-18T19:31:25.323Z","avatar_url":"https://github.com/Swordfish-Security.png","language":"Shell","funding_links":[],"categories":["Статьи"],"sub_categories":[],"readme":"# Docker CI/CD security analysis\nIntegrating Docker scanning tools into CI/CD\n\nThis repository contains different approaches to using a set of tools for scanning various aspects of Docker security.\nThe pack can be integrated with different CI/CD processes.  \n\nThe set of tools consists of \n* Hadolint (https://github.com/hadolint/hadolint) - Dockerfile linter\n* Dockle (https://github.com/goodwithtech/dockle) - Docker image linter\n* Trivy (https://github.com/knqyf263/trivy/) - Lightweight CVE analyser for Docker images and dependencies\n* A small Python script to combine all tools' output in JSON and make a simple HTML report\n\nThe pack comes in three flavours:  \n## GitLab CI/CD configuration YAML  \nPurpose: to integrate Docker security tools into the CI/CD process via GitLab  \nYou can import the YAML file into your test project, download the sample Dockerfile and try the integration process.\n\n## sh-script  \nPurpose: to install and run all tools on a dedicated host (VM or whatever you like) via a simple shell script  \n\nFirst, make sure you have Docker installed and the current user is in the docker group\n```\n$ sudo apt-get install -y docker.io\n$ sudo usermod -a -G docker $(whoami)\n```\nThen reconnect the terminal session so the new group membership takes effect.\n\n## Dockerfiles  \nPurpose: to build a Docker container with all the tools\n\nInput includes a Dockerfile and the name of the image to scan  \nOutput is a results.html report containing all findings from all 3 tools\n\nAfter you clone the repo and cd into it, you can build the Docker image for scanning using the following commands (tagged as \"image\"):\n```\n~/docker_cicd$ cd Dockerfile\n./Dockerfile$ docker build -t dscan:image -f docker_security.df .\n./Dockerfile$ cd ..\n```\nor, if you need to scan exported images in .tar form, use the other Dockerfile (tagged as \"tar_file\"):\n```\n~/docker_cicd$ cd Dockerfile_tar\n./Dockerfile_tar$ docker build -t dscan:tar_file -f docker_security_tar.df .\n./Dockerfile_tar$ cd ..\n```\n\nAfter building the images of the scanning tools you can run the scan like this:  \n! Replace $(pwd)/Dockerfile/docker_security.df with the absolute path to the Dockerfile you want to scan, and set the image:tag you want to scan in the DOCKERIMAGE variable\n```\n~/docker_cicd$ docker run --rm -v $(pwd)/results:/results -v $(pwd)/docker_security.df:/Dockerfile -e DOCKERIMAGE=\"bkimminich/juice-shop\" dscan:image\n```\nor, if you need to scan an exported image in .tar form, use the image tagged as \"tar_file\":\n```\n~/docker_cicd$ docker run --rm -v $(pwd)/results:/results -v $(pwd)/docker_security_tar.df:/Dockerfile -v $(pwd)/image_to_scan.tar:/image_to_scan.tar -e DOCKERIMAGE=\"image_to_scan.tar\" dscan:tar_file\n```\n\nWhen the scanning is done you can find the raw JSON results and a human-readable HTML report in the ./results folder.  \n\nI would recommend rebuilding the Docker image daily at an off-peak time so that it fetches fresh Trivy databases. Trivy's CVE database is updated regularly, and a freshly rebuilt image scans faster because Trivy does not have to fetch the complete data set (3+ GB) each time you run a scan.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSwordfish-Security%2Fdocker_cicd","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FSwordfish-Security%2Fdocker_cicd","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSwordfish-Security%2Fdocker_cicd/lists"}