Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/gbrindisi/dockerfile-security
A collection of OPA rules to statically analyze Dockerfiles to improve security
- Host: GitHub
- URL: https://github.com/gbrindisi/dockerfile-security
- Owner: gbrindisi
- License: gpl-3.0
- Created: 2020-10-04T19:30:22.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2022-06-22T15:16:13.000Z (over 2 years ago)
- Last Synced: 2024-08-02T13:25:33.577Z (5 months ago)
- Language: Open Policy Agent
- Homepage: https://cloudberry.engineering/article/dockerfile-security-best-practices/
- Size: 24.4 KB
- Stars: 260
- Watchers: 16
- Forks: 86
- Open Issues: 4
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-opa - Dockerfile security - A collection of OPA rules to statically analyze Dockerfiles to improve security (Language and Platform Integrations / Docker)
- awesome-hacking-lists - gbrindisi/dockerfile-security - A collection of OPA rules to statically analyze Dockerfiles to improve security (Open Policy Agent)
README
# Dockerfile Security
A collection of OPA rules to statically analyze Dockerfiles to improve security.

## Dockerfile Security best practices
The rules are a set of [security best practices as explained here](https://cloudberry.engineering/article/dockerfile-security-best-practices/).
## How to use
Rules are written in Rego, the policy language of [Open Policy Agent](https://www.openpolicyagent.org/).
You can use [conftest](https://conftest.dev) in your CI/CD pipeline to analyze Dockerfiles; conftest exits non-zero when any `deny` rule fires, so a violation fails the pipeline step:
```
conftest test --policy dockerfile-security.rego Dockerfile
```
Example output:
```
conftest test --policy dockerfile-security.rego Dockerfile
FAIL - Dockerfile - Do not run as root, use USER instead
FAIL - Dockerfile - Line 0: use a trusted base image
FAIL - Dockerfile - Line 6: Use COPY instead of ADD
FAIL - Dockerfile - Line 8: Do not use 'sudo' command

8 tests, 4 passed, 0 warnings, 4 failures, 0 exceptions
```
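The README shows only the output of the rules, not the rules themselves. The block below is an added example, written in Python rather than Rego and not taken from this repository, that re-implements the four checks the output above reports (no `USER`, untrusted base image, `ADD` instead of `COPY`, `sudo` in `RUN`) over a minimal Dockerfile tokenizer, so the logic behind each FAIL line can be read and tested offline. Two things are assumptions: the meaning of "trusted base image" is modelled as a hypothetical allowlist `TRUSTED_REGISTRIES` (the project's real heuristic may differ), and the two sample Dockerfiles are constructed for the example. It goes slightly beyond the output shown by handling multi-stage builds: a `FROM` that names an earlier stage alias is not an external image, and the `USER` that counts is the last one in effect for the final stage.

```python
"""Added example: the Dockerfile checks reported above, re-implemented in
Python (not the project's Rego). Sample Dockerfiles are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical allowlist of registries a base image may come from. References
# with no registry part resolve to Docker Hub, which is deliberately not listed.
TRUSTED_REGISTRIES = {"registry.example.com"}


@dataclass
class Command:
    cmd: str          # lowercased instruction name, e.g. "from", "run"
    value: List[str]  # arguments, whitespace-split (flags such as --from= included)
    line: int         # 1-based source line where the instruction starts


def parse_dockerfile(text: str) -> List[Command]:
    """Minimal tokenizer: skips blank and comment lines, joins backslash
    continuations and records the starting line of each instruction."""
    commands: List[Command] = []
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments, also inside a continuation
        if start is None:
            start = n
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        buf += stripped
        parts = buf.split(None, 1)
        args = parts[1].split() if len(parts) > 1 else []
        commands.append(Command(parts[0].lower(), args, start))
        buf, start = "", None
    return commands


def registry_of(image: str) -> str:
    """Registry host of an image reference; Docker Hub when none is given."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def check(commands: List[Command]) -> List[str]:
    """Return the failure messages for a parsed Dockerfile."""
    failures: List[str] = []
    stage_user: Dict[str, Optional[Command]] = {}  # stage alias -> last USER in it
    alias: Optional[str] = None
    last_user: Optional[Command] = None
    for c in commands:
        args = [a for a in c.value if not a.startswith("--")]  # drop --platform=, --from=, --chown=
        if c.cmd == "from" and args:
            image = args[0]
            if alias:
                stage_user[alias] = last_user  # remember the stage that just ended
            if image in stage_user:
                last_user = stage_user[image]  # built from an earlier stage: inherits its USER
            else:
                last_user = None
                if image != "scratch" and registry_of(image) not in TRUSTED_REGISTRIES:
                    failures.append(f"Line {c.line}: use a trusted base image")
            alias = args[2] if len(args) >= 3 and args[1].lower() == "as" else None
        elif c.cmd == "add":
            failures.append(f"Line {c.line}: Use COPY instead of ADD")
        elif c.cmd == "run" and re.search(r"\bsudo\b", " ".join(c.value)):
            failures.append(f"Line {c.line}: Do not use 'sudo' command")
        elif c.cmd == "user":
            last_user = c
    # The last USER of the final stage decides who the container runs as
    if last_user is None:
        failures.append("Do not run as root, use USER instead")
    elif last_user.value and last_user.value[0].split(":")[0] in ("root", "0"):
        failures.append(f"Line {last_user.line}: Do not run as root, use USER instead")
    return failures


def report(text: str, name: str = "Dockerfile") -> List[str]:
    """conftest-style FAIL lines for the text of a Dockerfile."""
    return [f"FAIL - {name} - {m}" for m in check(parse_dockerfile(text))]


# Constructed input that trips every rule: Hub images, ADD, sudo, no USER
BAD_DOCKERFILE = """\
FROM ubuntu:22.04 AS builder
RUN apt-get update && \\
    apt-get install -y build-essential
ADD app.tar.gz /opt/app
FROM --platform=linux/amd64 python:3.12-slim
COPY --from=builder /opt/app /opt/app
RUN sudo chown -R nobody /opt/app
"""

# Constructed hardened version: allowlisted registry, COPY only, non-root USER
GOOD_DOCKERFILE = """\
FROM registry.example.com/base/golang:1.22 AS builder
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app ./cmd/app
FROM registry.example.com/base/static:nonroot
COPY --from=builder /out/app /app
USER 65532:65532
ENTRYPOINT ["/app"]
"""

if __name__ == "__main__":
    for name, text in (("bad.Dockerfile", BAD_DOCKERFILE), ("good.Dockerfile", GOOD_DOCKERFILE)):
        lines = report(text, name)
        print("\n".join(lines) if lines else f"PASS - {name}")
        print(f"{len(lines)} failures\n")
```

The `sudo` rule uses a word-boundary match on the joined `RUN` arguments, so it also catches the JSON exec form (`RUN ["sudo", ...]`) while ignoring words that merely contain the substring; like the README's rule it will also flag `apt-get install sudo`, which is usually what you want a policy to surface. Stages referenced by numeric index (`FROM 0`) are not resolved by this example.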