Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/madhuakula/docker-security-checker
Dockerfile Security Checker using OPA Rego policies with Conftest
https://github.com/madhuakula/docker-security-checker
conftest docker dockerfile infosec opa opa-rego-policies rego security
Last synced: about 1 month ago
JSON representation
Dockerfile Security Checker using OPA Rego policies with Conftest
- Host: GitHub
- URL: https://github.com/madhuakula/docker-security-checker
- Owner: madhuakula
- License: mit
- Created: 2020-05-15T21:31:10.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2022-06-27T10:28:09.000Z (over 2 years ago)
- Last Synced: 2024-08-04T21:07:11.891Z (4 months ago)
- Topics: conftest, docker, dockerfile, infosec, opa, opa-rego-policies, rego, security
- Language: Open Policy Agent
- Homepage: https://blog.madhuakula.com/dockerfile-security-checks-using-opa-rego-policies-with-conftest-32ab2316172f
- Size: 10.7 KB
- Stars: 57
- Watchers: 4
- Forks: 27
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-opa - Docker Security Checker - OPA Rego policies for Dockerfile Security checks using Conftest (Language and Platform Integrations / Docker)
- awesome-hacking-lists - madhuakula/docker-security-checker - Dockerfile Security Checker using OPA Rego policies with Conftest (Open Policy Agent)
README
# docker-security-checker
This repository contains OPA Rego policies for `Dockerfile` Security checks using Conftest
* The rego policy rules can be found at [policy/security.rego](policy/security.rego)
## Sample rego policy for using COPY instead of ADD in Dockerfile
```
deny[msg] {
input[i].Cmd == "add"
val := concat(" ", input[i].Value)
msg = sprintf("Use COPY instead of ADD: %s", [val])
}
```## Running the conftest with security policies
* Run the following command to test security policies against the Dockerfile
```bash
conftest test Dockerfile
```* Now you can see the below example output
```bash
WARN - Dockerfile - Do not use latest tag with image: ["ubuntu:latest"]
FAIL - Dockerfile - Suspicious ENV key found: ["SECRET", "AKIGG23244GN2344GHG"]
FAIL - Dockerfile - Use COPY instead of ADD: app /app
FAIL - Dockerfile - Use COPY instead of ADD: code /tmp/code5 tests, 1 passed, 1 warning, 3 failures
```## Try it out yourself
* I have created this scenario in katacoda playground to learn and try out yourself
[![Katacoda Playground for docker-security-checker](https://miro.medium.com/max/1400/1*gO49knu-MTkDBjChMrFGZA.png)](https://katacoda.com/madhuakula/scenarios/docker-security-linter)
* Read more about it at [https://blog.madhuakula.com/dockerfile-security-checks-using-opa-rego-policies-with-conftest-32ab2316172f](https://blog.madhuakula.com/dockerfile-security-checks-using-opa-rego-policies-with-conftest-32ab2316172f)
## Contribution
* You can add more policies at policy directory with more information by adding comments