https://github.com/sysdiglabs/benchmark-dockerfile
Github action to benchmark dockerfiles in github repository.
- Host: GitHub
- URL: https://github.com/sysdiglabs/benchmark-dockerfile
- Owner: sysdiglabs
- License: apache-2.0
- Created: 2020-03-11T20:54:57.000Z (almost 5 years ago)
- Default Branch: master
- Last Pushed: 2023-01-10T18:07:13.000Z (almost 2 years ago)
- Last Synced: 2024-11-13T06:19:26.687Z (about 1 month ago)
- Topics: action, cis, dockerfile, github
- Language: Shell
- Size: 24.4 KB
- Stars: 12
- Watchers: 3
- Forks: 7
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Sysdig Benchmark Dockerfile
This GitHub action runs the CIS Docker Benchmark's Dockerfile checks (CIS 4.1, 4.2, 4.3, 4.6, 4.7, 4.9, 4.10) against the Dockerfiles in a repository.
## Inputs
### `directory`
Directory of dockerfiles (default "./")
### `dockerfilePattern`
Dockerfile name pattern (default "dockerfile", matched case-insensitively)
### `disallowedPackages`
list of disallowed packages separated by commas (default "")
### `trustedBaseImages`
list of trusted base images separated by commas (default "", meaning any base image is trusted)
### `secretPatterns`
list of secret patterns separated by commas (default "")
## Outputs
### `violation_report`
Violation report generated from the CIS Dockerfile benchmark
## Use Cases
0. Integrate the `sysdig-benchmark-dockerfile` action into the git workflow.
1. Run the CIS benchmark check for Dockerfiles with the following rules:
- CIS 4.1 Create a user for the container
- CIS 4.2 Use trusted base images for containers (the user provides the trusted base image list)
- CIS 4.3 Do not install unnecessary packages in the container (the user provides the disallowed package list)
- CIS 4.6 Add HEALTHCHECK instruction to the container image
- CIS 4.7 Do not use update instructions alone in the Dockerfile
- CIS 4.9 Use COPY instead of ADD in Dockerfile
- CIS 4.10 Do not store secrets in Dockerfiles (the user provides the secret patterns; only the contents of `ENV` and `LABEL` instructions are checked)
2. Define your own criteria based on the lint result, for example:
- Send the lint report to a Slack channel.
- Fail the check on the PR if any violation is detected.
- Assign extra reviewers (security architect/engineer) to the PR.
## Example Usage in Git workflow
## Example Output
```
INFO[2020-03-16T15:16:36-07:00] Trusted base images: []
INFO[2020-03-16T15:16:36-07:00] Disallowed packages: [netcat]
INFO[2020-03-16T15:16:36-07:00] Secret patterns: [aws_secret pass]
{
"cis_docker_benchmark_violation_report": [
{
"rule": "CIS 4.1 Create a user for the container",
"violations": [
"test/Dockerfile_fail"
]
},
{
"rule": "CIS 4.3 Do not install unnecessary packages in the container",
"violations": [
"test/Dockerfile_fail: netcat"
]
},
{
"rule": "CIS 4.6 Add HEALTHCHECK instruction to the container image",
"violations": [
"test/Dockerfile_fail"
]
},
{
"rule": "CIS 4.7 Do not use update instructions alone in the Dockerfile",
"violations": [
"test/Dockerfile_fail"
]
},
{
"rule": "CIS 4.9 Use COPY instead of ADD in Dockerfile",
"violations": [
"test/Dockerfile_fail"
]
},
{
"rule": "CIS 4.10 Do not store secrets in Dockerfiles",
"violations": [
"test/Dockerfile_fail: ENV contains 'aws_secret'"
]
}
]
}
```
See [Example PR](https://github.com/sysdiglabs/dockerfile-benchmarker/pull/1/checks) for more details.
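As an added illustration, not code from this README or from the sysdiglabs action, the following Python script implements the seven rules listed under Use Cases against two constructed Dockerfiles and emits a report in the same `cis_docker_benchmark_violation_report` shape shown above. The parsing and matching heuristics are this example's own assumptions: which package managers count as "update"/"install" commands for rule 4.7, how package names are tokenised out of `RUN` lines for rule 4.3, that `USER root` does not satisfy rule 4.1, that secret patterns are treated as case-insensitive regexes, and that a `FROM` referencing an earlier build-stage alias is always trusted. The sample Dockerfiles and the file names are constructed, not taken from the repository's `test` directory.

```python
"""Toy CIS Dockerfile benchmark (added example, not the sysdiglabs action's code)."""
import json
import re
from typing import Dict, List, Tuple

# Rule titles as listed in the README; the checks below are this example's own heuristics.
RULES = {
    "4.1": "CIS 4.1 Create a user for the container",
    "4.2": "CIS 4.2 Use trusted base images for containers",
    "4.3": "CIS 4.3 Do not install unnecessary packages in the container",
    "4.6": "CIS 4.6 Add HEALTHCHECK instruction to the container image",
    "4.7": "CIS 4.7 Do not use update instructions alone in the Dockerfile",
    "4.9": "CIS 4.9 Use COPY instead of ADD in Dockerfile",
    "4.10": "CIS 4.10 Do not store secrets in Dockerfiles",
}
# Assumed package managers whose "update" must be paired with an install in the same RUN (rule 4.7).
UPDATE_RE = re.compile(r"\b(apt-get|apt|apk|yum|dnf|zypper)\s+update\b")
INSTALL_RE = re.compile(r"\b(apt-get|apt|yum|dnf|zypper)\s+install\b|\bapk\s+add\b")


def parse_dockerfile(text: str) -> List[Tuple[str, str]]:
    """Split a Dockerfile into (INSTRUCTION, arguments) pairs, joining backslash
    continuations and skipping blank and comment lines."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        parts = (buf + line).split(None, 1)
        instructions.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf = ""
    return instructions


def check_dockerfile(name: str, text: str, trusted: List[str],
                     disallowed: List[str], secrets: List[str]) -> Dict[str, List[str]]:
    """Evaluate one Dockerfile; returns {rule id: [violation strings]} (empty lists when clean)."""
    found: Dict[str, List[str]] = {rid: [] for rid in RULES}
    stages, has_user, has_healthcheck = set(), False, False
    for instr, args in parse_dockerfile(text):
        if instr == "FROM":
            tokens = [t for t in args.split() if not t.startswith("--")]  # drop flags like --platform
            image = tokens[0]
            if len(tokens) >= 3 and tokens[1].upper() == "AS":
                stages.add(tokens[2].lower())  # later FROMs may reference this stage alias
            # 4.2 is only enforced when a trusted list is given; stage aliases are always accepted.
            if trusted and image.lower() not in stages and image not in trusted:
                found["4.2"].append(f"{name}: {image}")
        elif instr == "USER":
            has_user = args.split(":")[0] not in ("root", "0")  # USER root does not count (assumption)
        elif instr == "RUN":
            if UPDATE_RE.search(args) and not INSTALL_RE.search(args):
                found["4.7"].append(name)
            words = set(re.findall(r"[\w.+-]+", args))  # crude tokenisation of the shell command
            found["4.3"].extend(f"{name}: {pkg}" for pkg in disallowed if pkg in words)
        elif instr == "ADD":
            found["4.9"].append(name)
        elif instr in ("ENV", "LABEL"):
            # 4.10: only ENV and LABEL are inspected, as the README states; patterns are regexes here.
            found["4.10"].extend(f"{name}: {instr} contains '{pat}'"
                                 for pat in secrets if re.search(pat, args, re.IGNORECASE))
        elif instr == "HEALTHCHECK":
            has_healthcheck = True
    if not has_user:
        found["4.1"].append(name)
    if not has_healthcheck:
        found["4.6"].append(name)
    return found


def run_benchmark(files: Dict[str, str], trusted=(), disallowed=(), secrets=()) -> dict:
    """Check every Dockerfile and aggregate into the report shape shown in the README output."""
    per_file = [check_dockerfile(n, t, list(trusted), list(disallowed), list(secrets))
                for n, t in files.items()]
    report = []
    for rid, title in RULES.items():
        violations: List[str] = []
        for result in per_file:
            for v in result[rid]:
                if v not in violations:  # one entry per file even if a rule fires several times
                    violations.append(v)
        if violations:
            report.append({"rule": title, "violations": violations})
    return {"cis_docker_benchmark_violation_report": report}


# Constructed sample Dockerfiles (not the repository's own test files).
DOCKERFILE_FAIL = """\
FROM ubuntu:latest
RUN apt-get update
RUN apt-get install -y netcat curl
ADD app.tar.gz /opt/app
ENV AWS_SECRET_ACCESS_KEY=example-value
CMD ["/opt/app/run"]
"""

DOCKERFILE_PASS = """\
FROM golang:1.19 AS build
COPY . /src
RUN cd /src && go build -o /app
# runtime stage
FROM ubuntu:20.04
RUN apt-get update && \\
    apt-get install -y --no-install-recommends ca-certificates && \\
    rm -rf /var/lib/apt/lists/*
COPY --from=build /app /app
LABEL maintainer="team@example.com"
HEALTHCHECK CMD /app --healthcheck
USER app
CMD ["/app"]
"""

if __name__ == "__main__":
    report = run_benchmark({"test/Dockerfile_fail": DOCKERFILE_FAIL, "test/Dockerfile_pass": DOCKERFILE_PASS},
                           trusted=["golang:1.19", "ubuntu:20.04"], disallowed=["netcat"],
                           secrets=["aws_secret", "pass"])
    print(json.dumps(report, indent=2))
```

Running the script prints a report listing `test/Dockerfile_fail` under all seven rules (including a `CIS 4.2` entry naming `ubuntu:latest`, since a trusted list was supplied) and nothing for the multi-stage `test/Dockerfile_pass`, whose single `RUN` pairs `apt-get update` with an install, uses `COPY`, declares a `HEALTHCHECK` and ends with a non-root `USER`. The same aggregated structure is what a workflow step would consume to fail a PR check or notify reviewers, as suggested under Use Cases.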