{"id":20716858,"url":"https://github.com/blacktop/seccomp-gen","last_synced_at":"2025-04-23T13:30:16.663Z","repository":{"id":71730380,"uuid":"159998356","full_name":"blacktop/seccomp-gen","owner":"blacktop","description":"Docker Secure Computing Profile Generator","archived":false,"fork":false,"pushed_at":"2021-10-22T21:31:57.000Z","size":54,"stargazers_count":48,"open_issues_count":1,"forks_count":5,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-30T00:05:06.392Z","etag":null,"topics":["docker","generator","golang","seccomp","seccomp-profile"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/blacktop.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-12-02T00:00:29.000Z","updated_at":"2025-02-01T23:00:20.000Z","dependencies_parsed_at":null,"dependency_job_id":"a9356b17-00d7-4440-a389-9adc7b2c37a0","html_url":"https://github.com/blacktop/seccomp-gen","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blacktop%2Fseccomp-gen","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blacktop%2Fseccomp-gen/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blacktop%2Fseccomp-gen/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blacktop%2Fseccomp-gen/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/blacktop","download_url":"https://codeload.github.com/blacktop/seccomp-gen/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250440063,"owners_count":21430945,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","generator","golang","seccomp","seccomp-profile"],"created_at":"2024-11-17T03:07:00.054Z","updated_at":"2025-04-23T13:30:16.607Z","avatar_url":"https://github.com/blacktop.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# seccomp-gen\n\n[![Go](https://github.com/blacktop/seccomp-gen/workflows/Go/badge.svg?branch=master)](https://github.com/blacktop/seccomp-gen/actions) [![Github All Releases](https://img.shields.io/github/downloads/blacktop/seccomp-gen/total.svg)](https://github.com/blacktop/seccomp-gen/releases/latest) [![GitHub release](https://img.shields.io/github/release/blacktop/seccomp-gen.svg)](https://github.com/blacktop/seccomp-gen/releases) [![License](http://img.shields.io/:license-mit-blue.svg)](http://doge.mit-license.org)\n\n\u003e Docker Secure Computing Profile Generator\n\n---\n\n## Why 🤔\n\nThis tool lets you pipe the output of [strace](https://strace.io) through it; it auto-generates a Docker seccomp profile that whitelists only the syscalls your container needs to run and blacklists everything else.\n\nThis adds a LOT of security by drastically limiting your attack surface to only what is needed.\n\n## Syscall Arch Supported _(so far)_\n\n- `SCMP_ARCH_X86`\n- `SCMP_ARCH_X32`\n\n## Install\n\n### macOS\n\n```bash\n$ brew install blacktop/tap/seccomp-gen\n```\n\n### linux/windows\n\nDownload from [releases](https://github.com/blacktop/seccomp-gen/releases/latest)\n\n## Getting Started\n\n```bash\n$ strace -ff curl github.com 2\u003e\u00261 | scgen -verbose\n\n   • found syscall: execve\n   • found syscall: brk\n   • found syscall: access\n   • found syscall: access\n   • found syscall: openat\n   • found syscall: fstat\n   • found syscall: mmap\n   ...\n```\n\n```bash\n$ ls -lah\n\n-rw-r--r--   1 blacktop  staff   6.7K Dec  1 21:23 seccomp.json\n```\n\n### Inside Docker\n\nCreate a new Dockerfile\n\n```dockerfile\nFROM \u003cyour\u003e/\u003cimage\u003e:\u003ctag\u003e\nRUN apt-get update \u0026\u0026 apt-get install -y strace\nCMD [\"strace\",\"-ff\",\"/your-entrypoint.sh\"]\n```\n\nBuild the `scgen` image\n\n```bash\n$ docker build -t \u003cyour\u003e/\u003cimage\u003e:scgen .\n```\n\nGenerate the `seccomp` profile from the docker logs output\n\n```bash\ndocker run --rm --security-opt seccomp=unconfined \u003cyour\u003e/\u003cimage\u003e:scgen 2\u003e\u00261 | scgen -verbose\n```\n\nUse your :new: `seccomp` profile\n\n```bash\ndocker run --rm --security-opt no-new-privileges --security-opt seccomp=/path/to/seccomp.json \u003cyour\u003e/\u003cimage\u003e:\u003ctag\u003e\n```\n\n#### Known Issue :warning:\n\nI have noticed that `strace` misses things, but if you run with the generated seccomp profile, Docker should tell you the next syscall it needs by erroring out. Then you can add that one manually and repeat the process.\n\n## Credits\n\n- https://blog.jessfraz.com/post/how-to-use-new-docker-seccomp-profiles/\n- https://github.com/antitree/syscall2seccomp\n- https://github.com/xfernando/go2seccomp\n\n## TODO\n\n- [x] filter strace through linux (32|64bit) [tbl](https://github.com/torvalds/linux/blob/master/arch/x86/entry/syscalls/syscall_64.tbl) files like Jess does\n- [ ] add support for consuming sysdig output\n- [ ] only add current arch to arches\n- [ ] https://github.com/opencontainers/runc/pull/1951\n- [ ] https://github.com/moby/moby/issues/38333\n\n## Issues\n\nFind a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to [file an issue](https://github.com/blacktop/seccomp-gen/issues/new)\n\n## License\n\nMIT Copyright (c) 2018 **blacktop**\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblacktop%2Fseccomp-gen","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fblacktop%2Fseccomp-gen","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblacktop%2Fseccomp-gen/lists"}