{"id":13416264,"url":"https://github.com/docker/docker-bench-security","last_synced_at":"2025-05-13T22:00:20.441Z","repository":{"id":31827613,"uuid":"35394510","full_name":"docker/docker-bench-security","owner":"docker","description":"The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.","archived":false,"fork":false,"pushed_at":"2024-10-21T07:26:06.000Z","size":4535,"stargazers_count":9362,"open_issues_count":21,"forks_count":1032,"subscribers_count":235,"default_branch":"master","last_synced_at":"2025-04-29T13:13:00.617Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/docker.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-05-11T00:57:26.000Z","updated_at":"2025-04-29T07:50:42.000Z","dependencies_parsed_at":"2023-02-18T00:46:08.283Z","dependency_job_id":"2eb8c9d8-bfed-4f5a-896d-fd59bb769f70","html_url":"https://github.com/docker/docker-bench-security","commit_stats":{"total_commits":583,"total_committers":82,"mean_commits":7.109756097560975,"dds":"0.40823327615780447","last_synced_commit":"5c42b8ad5f367e2988b9889171e9ec4f11f446e0"},"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker%2Fdocker-bench-security","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker%2Fdocker-bench-security/tags","releases_url
":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker%2Fdocker-bench-security/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker%2Fdocker-bench-security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/docker","download_url":"https://codeload.github.com/docker/docker-bench-security/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254036806,"owners_count":22003651,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-30T21:00:56.182Z","updated_at":"2025-05-13T22:00:20.407Z","avatar_url":"https://github.com/docker.png","language":"Shell","readme":"# Docker Bench for Security\n\n![Docker Bench for Security running](img/benchmark_log.png)\n\nThe Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. 
The tests are all automated and are based on the [CIS Docker Benchmark v1.6.0](https://www.cisecurity.org/benchmark/docker/).\n\nWe are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and Docker containers against this benchmark.\n\nRelease | CIS |\n:---:|:---:|\n1.6.0|1.6.0|\n1.5.0|1.5.0|\n1.3.6|1.4.0|\n1.3.5|1.2.0|\n1.3.3|1.1.0|\n1.3.0|1.13.0|\n\n## Running Docker Bench for Security\n\n### Run from your base host\n\nYou can run this script directly on your base host:\n\n```sh\ngit clone https://github.com/docker/docker-bench-security.git\ncd docker-bench-security\nsudo sh docker-bench-security.sh\n```\n\n\u003e Note: [`jq`](https://jqlang.github.io/jq/) is an optional but recommended dependency.\n\n### Run with Docker\n\n#### Building Docker image\n\nYou have two options if you wish to build and run this container yourself:\n\n1. Use Docker Build:\n\n```sh\ngit clone https://github.com/docker/docker-bench-security.git\ncd docker-bench-security\ndocker build --no-cache -t docker-bench-security .\n```\n\nThen run an appropriate `docker run` command as described below.\n\n2. Use Docker Compose:\n\n```sh\ngit clone https://github.com/docker/docker-bench-security.git\ncd docker-bench-security\ndocker-compose run --rm docker-bench-security\n```\n\n_Please note that the `docker/docker-bench-security` image is out-of-date and a manual build is required. 
See [#405](https://github.com/docker/docker-bench-security/issues/405) for more information._\n\nNote that this container runs with a *lot* of privilege: it shares the host's filesystem, PID and network namespaces and is granted `CAP_AUDIT_CONTROL`, because portions of the benchmark apply to the running host. The `:ro` on the Docker socket bind mount only makes the socket node itself read-only; it does not restrict API calls made through the socket, so anything running inside this container can still control the daemon. Build the image yourself from this repository rather than pulling an unverified one.\n\n### Using the container\n\n```sh\ndocker run --rm --net host --pid host --userns host --cap-add audit_control \\\n    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \\\n    -v /etc:/etc:ro \\\n    -v /usr/bin/containerd:/usr/bin/containerd:ro \\\n    -v /usr/bin/runc:/usr/bin/runc:ro \\\n    -v /usr/lib/systemd:/usr/lib/systemd:ro \\\n    -v /var/lib:/var/lib:ro \\\n    -v /var/run/docker.sock:/var/run/docker.sock:ro \\\n    --label docker_bench_security \\\n    docker-bench-security\n```\n\nDon't forget to adjust the shared volumes according to your operating system.\nSome examples are:\n\n1. On Ubuntu the `docker.service` and `docker.socket` unit files are located in\n   the `/lib/systemd/system` folder by default, so that folder must be mounted as well.\n\n```sh\ndocker run --rm --net host --pid host --userns host --cap-add audit_control \\\n    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \\\n    -v /etc:/etc:ro \\\n    -v /lib/systemd/system:/lib/systemd/system:ro \\\n    -v /usr/bin/containerd:/usr/bin/containerd:ro \\\n    -v /usr/bin/runc:/usr/bin/runc:ro \\\n    -v /usr/lib/systemd:/usr/lib/systemd:ro \\\n    -v /var/lib:/var/lib:ro \\\n    -v /var/run/docker.sock:/var/run/docker.sock:ro \\\n    --label docker_bench_security \\\n    docker-bench-security\n```\n\n2. The `/etc/hostname` file is missing on macOS, so it will need to be created first. 
Also, `Docker Desktop` on macOS doesn't have `/usr/lib/systemd` or the above Docker\n    binaries.\n\n```sh\nsudo touch /etc/hostname\n\ndocker run --rm --net host --pid host --userns host --cap-add audit_control \\\n    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \\\n    -v /etc:/etc \\\n    -v /var/lib:/var/lib:ro \\\n    -v /var/run/docker.sock:/var/run/docker.sock:ro \\\n    --label docker_bench_security \\\n    docker-bench-security\n```\n\n### Note\n\nDocker bench requires Docker 1.13.0 or later in order to run.\n\nNote that when distributions don't contain `auditctl`, the audit tests will check `/etc/audit/audit.rules` to see if a rule is present instead.\n\n### Docker Bench for Security options\n\n```sh\n  -b           optional  Do not print colors\n  -h           optional  Print this help message\n  -l FILE      optional  Log output in FILE, inside container if run using docker\n  -u USERS     optional  Comma delimited list of trusted docker user(s)\n  -c CHECK     optional  Comma delimited list of specific check(s) id\n  -e CHECK     optional  Comma delimited list of specific check(s) id to exclude\n  -i INCLUDE   optional  Comma delimited list of patterns within a container or image name to check\n  -x EXCLUDE   optional  Comma delimited list of patterns within a container or image name to exclude from check\n  -t LABEL     optional  Comma delimited list of labels within a container or image to check\n  -n LIMIT     optional  In JSON output, when reporting lists of items (containers, images, etc.), limit the number of reported items to LIMIT. Default 0 (no limit).\n  -p PRINT     optional  Disable the printing of remediation measures. 
Default: print remediation measures.\n```\n\nBy default the Docker Bench for Security script runs all available CIS tests and writes\nlogs to the `log` folder of the current directory, named `docker-bench-security.log.json` and\n`docker-bench-security.log`.\n\nIf the Docker container is used, the log files are created inside the container at `/usr/local/bin/log/`. To access them from the host after the container has run, mount a volume at that path to store them.\n\nThe CIS-based checks are named `check_\u003csection\u003e_\u003cnumber\u003e`, e.g. `check_2_6`, and community-contributed checks are named `check_c_\u003cnumber\u003e`.\n\n`sh docker-bench-security.sh -c check_2_2` will only run check `2.2 Ensure the logging level is set to 'info'`.\n\n`sh docker-bench-security.sh -e check_2_2` will run all available checks except `2.2 Ensure the logging level is set to 'info'`.\n\n`sh docker-bench-security.sh -e docker_enterprise_configuration` will run all available checks except the `docker_enterprise_configuration` group.\n\n`sh docker-bench-security.sh -e docker_enterprise_configuration,check_2_2` will run all available checks except the `docker_enterprise_configuration` group and `2.2 Ensure the logging level is set to 'info'`.\n\n`sh docker-bench-security.sh -c container_images,container_runtime` will run just the `container_images` and `container_runtime` checks.\n\n`sh docker-bench-security.sh -c container_images -e check_4_5` will run just the `container_images` checks except `4.5 Ensure Content trust for Docker is Enabled`.\n\nWhen submitting checks, explain why the test is reasonable to add and include some kind of official documentation supporting that information.\n","funding_links":[],"categories":["Shell","Container Operations","Security \u0026 Compliance","Tools","Containers","Container Tools","others","2 Defensive","Security","Compliance","Container Security Scanners","📚 Learning 
Resources","Spécifiques à un langage/écosystème","Инструменты","Tools to check security hardening","Shell Aliases","0x02 工具 :hammer_and_wrench:","Container Scanning","工具：覆盖攻防全流程的实用利器","Container Security"],"sub_categories":["Security","Infrastructure as Code Analysis","MultiCloud Governance","2.7 Tools","Threat modelling","A05:2021 – Security Misconfiguration","Compliance","Docker et conteneurs","Проверка Docker / Kubernetes на соответствие","Docker","Chess :chess_pawn:","Tools","Professional Security","2 云原生工具","3. 合规检查（对齐行业基准，自动化加固）","Image Scanning"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdocker%2Fdocker-bench-security","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdocker%2Fdocker-bench-security","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdocker%2Fdocker-bench-security/lists"}
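The README above says the script writes `docker-bench-security.log.json` beside the plain log. The following is an added example, not code from the docker-bench-security project, showing how a CI job can read that JSON log with POSIX tools only (no `jq`) and fail when WARN findings exceed a budget. It assumes each check entry in the JSON log is an object carrying `"id"` and `"result"` fields, with `"result"` one of PASS, WARN, INFO or NOTE; that shape is an assumption about the bench's JSON output and is exercised here against a constructed sample, not a real run. The function names `count_results`, `warn_ids`, `gate` and `make_sample_log` are chosen for this example.

```sh
#!/bin/sh
# Added example, not part of docker-bench-security: gate a CI job on the
# bench's JSON log (docker-bench-security.log.json).
#
# Assumption: every check in the log is a JSON object carrying "id" and
# "result" fields, with "result" one of PASS, WARN, INFO or NOTE. Only
# POSIX tools (tr, grep, sed) are used so the gate works on hosts without jq.

# count_results LOGFILE RESULT: print how many checks ended with RESULT.
count_results() {
    # Put every JSON object on its own line, then count matching lines.
    # grep -c exits 1 when the count is 0; "|| true" keeps that a valid 0.
    tr '}' '\n' < "$1" | grep -c "\"result\": *\"$2\"" || true
}

# warn_ids LOGFILE: print the id of every WARN check, one per line.
# The greedy ".*" in the sed pattern selects the last "id" on the line, which
# is the check's own id even when a section header precedes it on that line.
warn_ids() {
    tr '}' '\n' < "$1" \
        | grep "\"result\": *\"WARN\"" \
        | sed -n 's/.*"id": *"\([^"]*\)".*/\1/p'
}

# gate LOGFILE MAX_WARN: succeed only if the WARN count is within budget.
gate() {
    n=$(count_results "$1" WARN)
    [ "$n" -le "$2" ]
}

# make_sample_log FILE: write a constructed sample in the assumed log shape.
# The ids follow CIS Docker Benchmark numbering; the results are invented for
# the demo and do not come from a real run.
make_sample_log() {
    cat > "$1" <<'EOF'
{"dockerbenchsecurity": "1.6.0", "start": 1700000000, "tests": [
{"id": "1", "desc": "Host Configuration", "results": [
{"id": "1.1.1", "desc": "Ensure a separate partition for containers has been created", "result": "WARN"},
{"id": "1.1.2", "desc": "Ensure only trusted users are allowed to control Docker daemon", "result": "INFO"}
]},
{"id": "2", "desc": "Docker daemon configuration", "results": [
{"id": "2.2", "desc": "Ensure the logging level is set to 'info'", "result": "PASS"},
{"id": "2.6", "desc": "Ensure TLS authentication for Docker daemon is configured", "result": "WARN"}
]}
], "checks": 4, "score": 0, "end": 1700000010}
EOF
}

# Demo: in CI, point LOG at log/docker-bench-security.log.json instead.
LOG=$(mktemp)
make_sample_log "$LOG"
echo "WARN checks: $(count_results "$LOG" WARN)"
warn_ids "$LOG" | sed 's/^/  /'
if gate "$LOG" 0; then
    echo "bench clean"
else
    echo "bench has WARN findings over budget"
fi
rm -f "$LOG"
```

In a pipeline, run the bench with `-e` to exclude checks you have consciously accepted, then call `gate log/docker-bench-security.log.json 0` so any remaining WARN fails the job and `warn_ids` tells you which CIS items to remediate.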