{"id":13764223,"url":"https://github.com/zuBux/drydock","last_synced_at":"2025-05-10T19:30:46.484Z","repository":{"id":80292377,"uuid":"44819795","full_name":"zuBux/drydock","owner":"zuBux","description":"drydock provides a flexible way of assessing the security of your Docker daemon configuration and containers using editable audit templates","archived":false,"fork":false,"pushed_at":"2016-05-13T18:35:52.000Z","size":41,"stargazers_count":65,"open_issues_count":2,"forks_count":9,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-04-12T02:51:59.775Z","etag":null,"topics":["audit","docker","security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zuBux.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":"audits/__init__.py","citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2015-10-23T14:57:06.000Z","updated_at":"2024-09-21T17:24:18.000Z","dependencies_parsed_at":"2024-01-07T21:51:34.226Z","dependency_job_id":null,"html_url":"https://github.com/zuBux/drydock","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zuBux%2Fdrydock","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zuBux%2Fdrydock/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zuBux%2Fdrydock/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zuBux%2Fdrydock/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zuBux","download_url":"https://codeload
.github.com/zuBux/drydock/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253470600,"owners_count":21913700,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit","docker","security"],"created_at":"2024-08-03T16:00:16.824Z","updated_at":"2025-05-10T19:30:46.152Z","avatar_url":"https://github.com/zuBux.png","language":"Python","funding_links":[],"categories":["Python","Security","Security \u0026 Compliance","Image"],"sub_categories":["Tools","[Actuary](https://github.com/diogomonica/actuary)"],"readme":"# What is drydock?\n\nNOTICE: Development is temporarily slowed down due to involvement with Docker's [Actuary](https://github.com/diogomonica/actuary). Feel free to make PRs, I will review ASAP, and be patient for updates :)\n\n**drydock** is a Docker security audit tool written in Python. It was initially inspired by [docker-bench-security](https://github.com/docker/docker-bench-security) but aims to provide a more flexible way of assessing Docker installations and deployments. drydock allows easy creation and use of **custom audit profiles** in order to eliminate noise and false alarms. Reports are saved in JSON format for easier parsing. drydock makes heavy use of the [docker-py](https://github.com/docker/docker-py) client API to communicate with Docker.\n\nAt the moment all of the security checks performed are based on the [CIS Docker 1.6 Benchmark](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf). 
\n\n## Usage\nUsing drydock is as simple as:\n\n```sh\ngit clone https://github.com/zuBux/drydock.git\ncd drydock\npip install -r requirements.txt\npython drydock.py\n```\nA profile containing all checks is provided in conf/default.yaml and can be used as a reference for creating custom profiles. You can disable an audit by commenting it out (and its options, if any).\n\nSince there are audits which require administrative privileges (e.g. examining auditd rules), **users are advised to run drydock as root** for more accurate results.\n\n### Local Docker host\nAssuming that your Docker daemon uses unix sockets (default configuration), the following options are available:\n\n* -o \u003cfile_name\u003e : Specifies the path where JSON output will be saved. Switches to output.json if none specified.\n* -p \u003cpath to profile\u003e : The profile which will be used for the audit. Switches to conf/default.yaml if none specified.\n* -v \u003cverbosity\u003e : Use values 1, 2 or 3 to change verbosity level to ERROR, WARNING or DEBUG accordingly. Default is 1\n* -f \u003cformat\u003e : Output format. Supports JSON (-f json) and JUnit XML (-f xml). Default is JSON\n\nExample:\n```\npython drydock.py -o audit_aws -f xml -p conf/myprofile.yml -v 2\n```\n### Remote Docker host\nIf your Docker daemon listens on an exposed port, using TLS, you must provide the following:\n\n* -d \u003c*IP:port*\u003e Docker daemon IP and listening port\n* -c \u003c*path*\u003e Client certificate\n* -k \u003c*path*\u003e Client certificate key\n\nExample:\n```\npython drydock.py -d 10.0.0.2:2736 -c /home/user/cert/cert.pem -k /home/user/cert/cert.key -o audit_remote -p conf/myprofile.yml\n```\n## TODO\n- Migrate checks to CIS Docker 1.11 Benchmark\n\n## Contributions\ndrydock is in beta stage and **needs testing under different environments** (currently tested only on Ubuntu/Debian deployments). All contributions ( bugs/improvements/suggestions etc. 
) are welcome!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FzuBux%2Fdrydock","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FzuBux%2Fdrydock","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FzuBux%2Fdrydock/lists"}