{"id":15685950,"url":"https://github.com/konstruktoid/docker-covenant","last_synced_at":"2025-03-11T09:31:06.705Z","repository":{"id":82394284,"uuid":"52750996","full_name":"konstruktoid/docker-covenant","owner":"konstruktoid","description":"Enforces a basic container argument policy","archived":true,"fork":false,"pushed_at":"2020-11-05T08:39:44.000Z","size":27,"stargazers_count":9,"open_issues_count":1,"forks_count":1,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-02-13T09:19:03.084Z","etag":null,"topics":["docker","security"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/konstruktoid.png","metadata":{"files":{"readme":"README.adoc","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2016-02-28T23:48:17.000Z","updated_at":"2024-10-10T13:06:18.000Z","dependencies_parsed_at":"2023-04-19T23:31:42.094Z","dependency_job_id":null,"html_url":"https://github.com/konstruktoid/docker-covenant","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/konstruktoid%2Fdocker-covenant","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/konstruktoid%2Fdocker-covenant/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/konstruktoid%2Fdocker-covenant/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/konstruktoid%2Fdocker-covenant/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/konstruktoid","download_url":"https
://codeload.github.com/konstruktoid/docker-covenant/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243007059,"owners_count":20220765,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","security"],"created_at":"2024-10-03T17:33:38.866Z","updated_at":"2025-03-11T09:31:06.348Z","avatar_url":"https://github.com/konstruktoid.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"= docker-covenant\nEnforces a basic container argument policy.\n\nBy default all containers have to use `--cap-drop=all`, have a `--security-opt` and are not permitted to use `--privileged=true`.\n\n== Configuration example\n[source, yaml]\n----\n---\nsyslog_ident: docker-covenant // \u003c1\u003e\ndebug: yes // \u003c2\u003e\n\ndocker-covenant:\n  privileged: no\n  cap_drop_required: yes\n\ndocker-bench-security:\n  privileged: yes // \u003c3\u003e\n  cap_drop_required: no // \u003c4\u003e\n\nprivoxy:\n  cap_drop_required: yes\n  security_opt_required: no // \u003c5\u003e\n...\n----\n\u003c1\u003e Syslog identifier, default `docker-covenant`.\n\u003c2\u003e Enable debug logging, default yes.\n\u003c3\u003e Allow container to use `--privileged=true`, default no.\n\u003c4\u003e Don't force `--cap-drop=all`, default yes.\n\u003c5\u003e Require security options, default yes.\n\n== Docker example build\n`docker build --no-cache -t docker-covenant -f Dockerfile .` +\n`docker run --name docker-covenant --cap-drop=all -v /var/run/docker.sock:/var/run/docker.sock:rw docker-covenant`\n\n== Logging\nAll 
container actions are written to syslog and `debug: yes` writes to console as well.\n\n`sudo journalctl SYSLOG_IDENTIFIER=docker-covenant`\n\n=== Logging, journald\n[source, shell]\n----\n$ sudo journalctl -r SYSLOG_IDENTIFIER=docker-covenant\n-- Logs begin at Thu 2020-11-05 08:10:16 UTC, end at Thu 2020-11-05 08:30:44 UTC. --\nNov 05 08:29:38 ubuntu-focal docker-covenant[21897]: nginx: stopping container\nNov 05 08:29:38 ubuntu-focal docker-covenant[21897]: nginx: all capabilities not dropped\nNov 05 08:29:38 ubuntu-focal docker-covenant[21897]: nginx: no security options has been set\n----\n\n=== Logging, verbose\n[source, shell]\n----\n('container_name: ', 'nginx')\n('containerStatus: ', 'restart')\n('container_event_id: ', 'aecf471c3575c26c8246c96facf0bcc471971b74dd5e6bb11648f1e822954cc6')\n('container_inspect: ', {'Id': 'aecf471c3575c26c8246c96facf0bcc471971b74dd5e6bb11648f1e822954cc6', 'Created': '2020-11-05T08:17:23.005343333Z', 'Path': '/usr/sbin/nginx', 'Args': ['-g', 'daemon off;'], 'State': {'Status': 'exited', 'Running': False, 'Paused': False, 'Restarting': False, 'OOMKilled': False, 'Dead': False, 'Pid': 0, 'ExitCode': 0, 'Error': '', 'StartedAt': '2020-11-05T08:29:38.162316239Z', 'FinishedAt': '2020-11-05T08:29:38.235187974Z', 'Health': {'Status': 'unhealthy', 'FailingStreak': 0, 'Log': []}}, 'Image': 'sha256:4200c10e8acb59be1b13508c1aafcec482929e3b096512a7881c0519211d86d6', 'ResolvConfPath': '/var/lib/docker/containers/aecf471c3575c26c8246c96facf0bcc471971b74dd5e6bb11648f1e822954cc6/resolv.conf', 'HostnamePath': '/var/lib/docker/containers/aecf471c3575c26c8246c96facf0bcc471971b74dd5e6bb11648f1e822954cc6/hostname', 'HostsPath': '/var/lib/docker/containers/aecf471c3575c26c8246c96facf0bcc471971b74dd5e6bb11648f1e822954cc6/hosts', 'LogPath': '/var/lib/docker/containers/aecf471c3575c26c8246c96facf0bcc471971b74dd5e6bb11648f1e822954cc6/aecf471c3575c26c8246c96facf0bcc471971b74dd5e6bb11648f1e822954cc6-json.log', 'Name': '/nginx', 'RestartCount': 0, 'Driver': 
'overlay2', 'Platform': 'linux', 'MountLabel': '', 'ProcessLabel': '', 'AppArmorProfile': 'docker-default', 'ExecIDs': None, 'HostConfig': {'Binds': None, 'ContainerIDFile': '', 'LogConfig': {'Type': 'json-file', 'Config': {}}, 'NetworkMode': 'default', 'PortBindings': {}, 'RestartPolicy': {'Name': 'no', 'MaximumRetryCount': 0}, 'AutoRemove': False, 'VolumeDriver': '', 'VolumesFrom': None, 'CapAdd': None, 'CapDrop': None, 'Capabilities': None, 'Dns': [], 'DnsOptions': [], 'DnsSearch': [], 'ExtraHosts': None, 'GroupAdd': None, 'IpcMode': 'private', 'Cgroup': '', 'Links': None, 'OomScoreAdj': 0, 'PidMode': '', 'Privileged': False, 'PublishAllPorts': False, 'ReadonlyRootfs': False, 'SecurityOpt': None, 'UTSMode': '', 'UsernsMode': '', 'ShmSize': 67108864, 'Runtime': 'runc', 'ConsoleSize': [0, 0], 'Isolation': '', 'CpuShares': 0, 'Memory': 0, 'NanoCpus': 0, 'CgroupParent': '', 'BlkioWeight': 0, 'BlkioWeightDevice': [], 'BlkioDeviceReadBps': None, 'BlkioDeviceWriteBps': None, 'BlkioDeviceReadIOps': None, 'BlkioDeviceWriteIOps': None, 'CpuPeriod': 0, 'CpuQuota': 0, 'CpuRealtimePeriod': 0, 'CpuRealtimeRuntime': 0, 'CpusetCpus': '', 'CpusetMems': '', 'Devices': [], 'DeviceCgroupRules': None, 'DeviceRequests': None, 'KernelMemory': 0, 'KernelMemoryTCP': 0, 'MemoryReservation': 0, 'MemorySwap': 0, 'MemorySwappiness': None, 'OomKillDisable': False, 'PidsLimit': None, 'Ulimits': None, 'CpuCount': 0, 'CpuPercent': 0, 'IOMaximumIOps': 0, 'IOMaximumBandwidth': 0, 'MaskedPaths': ['/proc/asound', '/proc/acpi', '/proc/kcore', '/proc/keys', '/proc/latency_stats', '/proc/timer_list', '/proc/timer_stats', '/proc/sched_debug', '/proc/scsi', '/sys/firmware'], 'ReadonlyPaths': ['/proc/bus', '/proc/fs', '/proc/irq', '/proc/sys', '/proc/sysrq-trigger']}, 'GraphDriver': {'Data': {'LowerDir': 
'/var/lib/docker/overlay2/62b4baa1a17bf78b74ab8d253b0572bf2d52c93a3bb759cb6fbb752004906901-init/diff:/var/lib/docker/overlay2/86bc68389322e5432131496208c8122774eba319ab79c959604d5ac7c0745938/diff:/var/lib/docker/overlay2/b2c9cbc84fd80c40c4bcc99b15431a54308d9f2d61645ce1a3fdfe8e83572504/diff:/var/lib/docker/overlay2/3c9f46b7bf4c295370b15ea16437e1666b6c6061f93479c5d3432f9b9371011a/diff:/var/lib/docker/overlay2/0dc6004bd594ad280bde8a703be09a5882ad53c00653fea715a554af79156fc3/diff', 'MergedDir': '/var/lib/docker/overlay2/62b4baa1a17bf78b74ab8d253b0572bf2d52c93a3bb759cb6fbb752004906901/merged', 'UpperDir': '/var/lib/docker/overlay2/62b4baa1a17bf78b74ab8d253b0572bf2d52c93a3bb759cb6fbb752004906901/diff', 'WorkDir': '/var/lib/docker/overlay2/62b4baa1a17bf78b74ab8d253b0572bf2d52c93a3bb759cb6fbb752004906901/work'}, 'Name': 'overlay2'}, 'Mounts': [], 'Config': {'Hostname': 'aecf471c3575', 'Domainname': '', 'User': '', 'AttachStdin': False, 'AttachStdout': False, 'AttachStderr': False, 'ExposedPorts': {'443/tcp': {}, '80/tcp': {}}, 'Tty': False, 'OpenStdin': False, 'StdinOnce': False, 'Env': ['PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'], 'Cmd': ['-g', 'daemon off;'], 'Healthcheck': {'Test': ['CMD-SHELL', 'curl -f http://127.0.0.1/ || exit 1'], 'Interval': 300000000000, 'Timeout': 3000000000}, 'Image': 'konstruktoid/nginx', 'Volumes': None, 'WorkingDir': '', 'Entrypoint': ['/usr/sbin/nginx'], 'OnBuild': None, 'Labels': {'org.label-schema.name': 'nginx', 'org.label-schema.vcs-url': 'git@github.com:konstruktoid/Nginx_Build.git'}, 'StopSignal': 'SIGQUIT'}, 'NetworkSettings': {'Bridge': '', 'SandboxID': '4ae1e0a7540fb5f7d3ebfb675d5a716002d96cd82d6a38d814b555929eeeb8f0', 'HairpinMode': False, 'LinkLocalIPv6Address': '', 'LinkLocalIPv6PrefixLen': 0, 'Ports': {}, 'SandboxKey': '/var/run/docker/netns/4ae1e0a7540f', 'SecondaryIPAddresses': None, 'SecondaryIPv6Addresses': None, 'EndpointID': '', 'Gateway': '', 'GlobalIPv6Address': '', 'GlobalIPv6PrefixLen': 0, 
'IPAddress': '', 'IPPrefixLen': 0, 'IPv6Gateway': '', 'MacAddress': '', 'Networks': {'bridge': {'IPAMConfig': None, 'Links': None, 'Aliases': None, 'NetworkID': '29f523fef3aab49826d775873be4edfa86c56f86a02ecd24af84a6195fddc236', 'EndpointID': '', 'Gateway': '', 'IPAddress': '', 'IPPrefixLen': 0, 'IPv6Gateway': '', 'GlobalIPv6Address': '', 'GlobalIPv6PrefixLen': 0, 'MacAddress': '', 'DriverOpts': None}}}})\n('containerID: ', 'aecf471c3575c26c8246c96facf0bcc471971b74dd5e6bb11648f1e822954cc6')\n('container_cap_drop: ', None)\n('container_cap_add: ', None)\n('container_security_opt: ', None)\n('container_privileged: ', False)\n('container_stop: ', False)\n('container_stop: ', True)\n('CLIENT.stop sent to ', 'aecf471c3575c26c8246c96facf0bcc471971b74dd5e6bb11648f1e822954cc6')\n----\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkonstruktoid%2Fdocker-covenant","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkonstruktoid%2Fdocker-covenant","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkonstruktoid%2Fdocker-covenant/lists"}