{"id":21392143,"url":"https://github.com/sysdiglabs/benchmark-dockerfile","last_synced_at":"2025-07-13T18:30:56.372Z","repository":{"id":44775428,"uuid":"246678001","full_name":"sysdiglabs/benchmark-dockerfile","owner":"sysdiglabs","description":"Github action to benchmark dockerfiles in github repository.","archived":false,"fork":false,"pushed_at":"2023-01-10T18:07:13.000Z","size":25,"stargazers_count":12,"open_issues_count":1,"forks_count":7,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-11-13T06:19:26.687Z","etag":null,"topics":["action","cis","dockerfile","github"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sysdiglabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-03-11T20:54:57.000Z","updated_at":"2023-09-20T19:02:18.000Z","dependencies_parsed_at":"2023-02-08T19:46:39.570Z","dependency_job_id":null,"html_url":"https://github.com/sysdiglabs/benchmark-dockerfile","commit_stats":{"total_commits":27,"total_committers":1,"mean_commits":27.0,"dds":0.0,"last_synced_commit":"0d2e85f332790bab8df9b64b9d14cb7a71f1ca20"},"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fbenchmark-dockerfile","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fbenchmark-dockerfile/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fbenchmark-dockerfile/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fbenchmark
-dockerfile/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sysdiglabs","download_url":"https://codeload.github.com/sysdiglabs/benchmark-dockerfile/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225908232,"owners_count":17543469,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["action","cis","dockerfile","github"],"created_at":"2024-11-22T13:39:17.466Z","updated_at":"2024-11-22T13:39:18.092Z","avatar_url":"https://github.com/sysdiglabs.png","language":"Shell","readme":"# Sysdig Benchmark Dockerfile\n\nThis GitHub action runs the CIS Dockerfile benchmark against the Dockerfiles in a repository (CIS 4.1, 4.2, 4.3, 4.6, 4.7, 4.9, 4.10).\n\n## Inputs\n\n### `directory`\n\nDirectory containing the Dockerfiles (default \"./\")\n\n### `dockerfilePattern`\n\nDockerfile name pattern (default \"dockerfile\", case insensitive)\n\n### `disallowedPackages`\n\nList of disallowed packages, separated by commas (default \"\")\n\n### `trustedBaseImages`\n\nList of trusted base images, separated by commas (default \"\", meaning any base image is trusted)\n\n### `secretPatterns`\n\nList of secret patterns, separated by commas (default \"\")\n\n## Outputs\n\n### `violation_report`\n\nViolation report generated by the CIS Dockerfile benchmark\n\n## Use Cases\n0. Integrate the `sysdig-benchmark-dockerfile` action into the git workflow.\n
1. Run the CIS benchmark check for Dockerfiles with the following rules:\n   - CIS 4.1 Create a user for the container\n   - CIS 4.2 Use trusted base images for containers (user provides the trusted base image list)\n   - CIS 4.3 Do not install unnecessary packages in the container (user provides the disallowed package list)\n   - CIS 4.6 Add HEALTHCHECK instruction to the container image\n   - CIS 4.7 Do not use update instructions alone in the Dockerfile\n   - CIS 4.9 Use COPY instead of ADD in Dockerfile\n   - CIS 4.10 Do not store secrets in Dockerfiles (user provides the secret patterns; only the contents of `ENV` and `LABEL` instructions are checked)\n2. Define your own criteria based on the lint result, for example:\n- Send the lint report to a Slack channel.\n- Fail the check on the PR if any violation is detected.\n- Assign extra reviewers (security architect/engineer) to the PR.\n\n## Example Usage in Git workflow\n\n## Example Output\n```\nINFO[2020-03-16T15:16:36-07:00] Trusted base images: []                      \nINFO[2020-03-16T15:16:36-07:00] Disallowed packages: [netcat]                \nINFO[2020-03-16T15:16:36-07:00] Secret patterns: [aws_secret pass]       \n{\n  \"cis_docker_benchmark_violation_report\": [\n    {\n      \"rule\": \"CIS 4.1 Create a user for the container\",\n      \"violations\": [\n        \"test/Dockerfile_fail\"\n      ]\n    },\n    {\n      \"rule\": \"CIS 4.3 Do not install unnecessary packages in the container\",\n      \"violations\": [\n        \"test/Dockerfile_fail: netcat\"\n      ]\n    },\n    {\n      \"rule\": \"CIS 4.6 Add HEALTHCHECK instruction to the container image\",\n      \"violations\": [\n        \"test/Dockerfile_fail\"\n      ]\n    },\n    {\n      \"rule\": \"CIS 4.7 Do not use update instructions alone in the Dockerfile\",\n      \"violations\": [\n        \"test/Dockerfile_fail\"\n      ]\n    },\n    {\n      \"rule\": \"CIS 4.9 Use COPY instead of ADD in Dockerfile\",\n      \"violations\": [\n        \"test/Dockerfile_fail\"\n
      ]\n    },\n    {\n      \"rule\": \"CIS 4.10 Do not store secrets in Dockerfiles\",\n      \"violations\": [\n        \"test/Dockerfile_fail: ENV contains 'aws_secret'\"\n      ]\n    }\n  ]\n}\n```\n\nSee the [Example PR](https://github.com/sysdiglabs/dockerfile-benchmarker/pull/1/checks) for more details.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsysdiglabs%2Fbenchmark-dockerfile","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsysdiglabs%2Fbenchmark-dockerfile","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsysdiglabs%2Fbenchmark-dockerfile/lists"}