Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/jumanjihouse/docker-ssllabs-scan

Qualys sslabs-scan utility in a tiny docker image
https://github.com/jumanjihouse/docker-ssllabs-scan

docker scanner security-tools tls

Last synced: 8 days ago
JSON representation

Qualys sslabs-scan utility in a tiny docker image

Host: GitHub
URL: https://github.com/jumanjihouse/docker-ssllabs-scan
Owner: jumanjihouse
License: other
Created: 2015-05-16T18:27:23.000Z (over 9 years ago)
Default Branch: master
Last Pushed: 2024-07-22T23:00:43.000Z (4 months ago)
Last Synced: 2024-08-02T16:08:35.408Z (3 months ago)
Topics: docker, scanner, security-tools, tls
Language: Shell
Homepage: https://registry.hub.docker.com/u/jumanjiman/ssllabs-scan/
Size: 217 KB
Stars: 115
Watchers: 7
Forks: 24
Open Issues: 3
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE.md

Awesome Lists containing this project

README

SSL site scanner
================

[![Docker Registry](https://img.shields.io/docker/pulls/jumanjiman/ssllabs-scan.svg)](https://registry.hub.docker.com/u/jumanjiman/ssllabs-scan "Go to Docker hub")
[![Circle CI](https://circleci.com/gh/jumanjihouse/docker-ssllabs-scan.png?style=svg&circle-token=b75db48608f115c0cb9760708be3839b48d41f8e)](https://circleci.com/gh/jumanjihouse/docker-ssllabs-scan/tree/master 'View CI builds')

Source code: https://github.com/jumanjihouse/docker-ssllabs-scan/

Docker image: https://registry.hub.docker.com/u/jumanjiman/ssllabs-scan/

:warning: You must use version 1.4.0 or later of this image
for compatibility with the Qualys SSL Labs Service API.

- [About](#about)
- [Overview](#overview)
- [Build integrity](#build-integrity)
- [License](#license)
- [How-to](#how-to)
- [Build and test](#build-and-test)
- [Pull an already-built image](#pull-an-already-built-image)
- [View image labels](#view-image-labels)
- [Scan public sites](#scan-public-sites)
- [Scan private sites](#scan-private-sites)

About
-----

### Overview

This git repo downloads golang source code from
https://github.com/ssllabs/ssllabs-scan
and builds a tiny docker image that scans secure websites
with the Qualys SSL Labs service.

The build takes about 30 seconds and results in a 5 MiB Docker image.

The runtime image contains **only**:

* a static binary,
* CA certificates,
* `/etc/nsswitch.conf` so golang net resolver uses `/etc/hosts`, and
* `/etc/passwd` to provide an unprivileged user.

The container runs as an unprivileged user via the technique described in
[this Medium post](https://medium.com/@lizrice/non-privileged-containers-based-on-the-scratch-image-a80105d6d341).

Before you use this tool please review the terms and conditions,
which can be found here:
https://www.ssllabs.com/about/terms.html

### Build integrity

The repo is set up to compile the software in a "builder" container, then
copy the statically-compiled binary into a "runtime" container
free of development tools or other binaries that could be abused.
An unattended test harness runs the build script and runs acceptance tests.
If all tests pass on master branch in the unattended test harness,
it pushes the built images to the Docker hub.

![workflow](assets/docker_hub_workflow.png)

### License

See [LICENSE.md](https://github.com/jumanjiman/docker-ssllabs-scan/blob/master/LICENSE.md)
in this git repo.

How-to
------

### Build and test

:warning: Build requires Docker CE 17.06.1 (for multi-stage builds) or later
as well as docker-compose.

ci/build
ci/test

### Pull an already-built image

For user convenience, each published image is tagged with
`-T-git-` to correlate
with both the upstream software release and the git commit
of this repo. The "latest" tag always points to the most
recent build.

docker pull jumanjiman/ssllabs-scan:latest

### View image labels

Each built image has labels that generally follow http://label-schema.org/

We add a label, `ci-build-url`, that is not currently part of the schema.
This extra label provides a permanent link to the CI build for the image.

View the ci-build-url label on a built image:

docker inspect \
-f '{{ index .Config.Labels "io.github.jumanjiman.ci-build-url" }}' \
jumanjiman/ssllabs-scan

Query all the labels inside a built image:

docker inspect jumanjiman/ssllabs-scan | jq -M '.[].Config.Labels'

### Scan public sites

The following example uses `--read-only` and `--cap-drop all` as recommended by the
CIS Docker Security Benchmarks:

* [Docker 1.6](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf)
* [Docker 1.11](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.11.0_Benchmark_v1.0.0.pdf)
* [Docker 1.12](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.12.0_Benchmark_v1.0.0.pdf)
* [Docker 1.13](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.13.0_Benchmark_v1.0.0.pdf)

Example:

$ docker_opts="--read-only --cap-drop all --rm -it"
$ image="jumanjiman/ssllabs-scan:latest"
$ scan_opts="-grade -usecache"
$ url_to_scan="https://github.com/"
$ docker run ${docker_opts} ${image} ${scan_opts} ${url_to_scan}
2015/06/14 23:01:01 [INFO] SSL Labs v1.18.1 (criteria version 2009j)
2015/06/14 23:01:01 [NOTICE] Server message: This assessment service is provided free of charge by Qualys SSL Labs, subject to our terms and conditions: https://www.ssllabs.com/about/terms.html
2015/06/14 23:01:03 [INFO] Assessment starting: https://github.com
2015/06/14 23:01:04 [INFO] Assessment complete: https://github.com (1 host in 96 seconds)
192.30.252.129: A+
"https://github.com": "A+"

2015/06/14 23:01:04 [INFO] All assessments complete; shutting down

You can also use the `-hostfile` option if you inject a local
file into the container:

# Create a hostfile in local filesystem.
$ ls -la /tmp/sites.txt
-rw-r--r-- 1 user user 48 Mar 12 15:39 /tmp/sites.txt

# Use docker `-v` option to inject a file into the container to use -hostfile option.
$ docker run -v /tmp:/tmp:ro ${docker_opts} ${image} -hostfile /tmp/sites.txt ${scan_opts}
2016/03/12 15:45:01 [INFO] SSL Labs v1.22.37 (criteria version 2009l)
2016/03/12 15:45:01 [NOTICE] Server message: This assessment service is provided free of charge by Qualys SSL Labs, subject to our terms and conditions: https://www.ssllabs.com/about/terms.html
2016/03/12 15:45:03 [INFO] Assessment starting: https://www.github.com/
2016/03/12 15:45:04 [INFO] Assessment starting: https://www.google.com/
2016/03/12 15:45:04 [INFO] Assessment complete: https://www.github.com/ (1 host in 83 seconds)
192.30.252.129: A
2016/03/12 15:45:05 [INFO] Assessment complete: https://www.google.com/ (2 hosts in 109 seconds)
2607:f8b0:4005:802:0:0:0:2004: B
172.217.2.36: B
"https://www.github.com/": "A"
"https://www.google.com/": "B"

2016/03/12 15:45:05 [INFO] All assessments complete; shutting down

You can use `docker-compose` with the `docker-compose.yaml` file in this git repo:

$ docker-compose run --rm scanner -grade -usecache https://github.com
2017/05/13 15:35:37 [INFO] SSL Labs v1.28.5 (criteria version 2009o)
2017/05/13 15:35:37 [NOTICE] Server message: This assessment service is provided free of charge by Qualys SSL Labs, subject to our terms and conditions: https://www.ssllabs.com/about/terms.html
2017/05/13 15:35:39 [INFO] Assessment starting: https://github.com
2017/05/13 15:35:40 [INFO] Assessment complete: https://github.com (2 hosts in 108 seconds)
192.30.255.112: A+
192.30.255.113: A+
"https://github.com": "A+"

2017/05/13 15:35:40 [INFO] All assessments complete; shutting down

### Scan private sites

You can add entries to `/etc/hosts` via `docker run --add-host`
or via the docker-compose `extra_hosts` option.
However, this scanner is only a client to the
[Qualys SSL Labs service](https://www.ssllabs.com/ssltest/).
If the hosted service cannot resolve your hostname,
it cannot scan your server.
If the hosted service cannot reach your server,
it cannot perform the scan.

Consider to use https://github.com/jumanjihouse/docker-testssl
if you need to scan internal sites that are not reachable from
the public Internet.