dockerfile-benchmarker

command module

v0.0.0-...-65603e6 Latest Latest Go to latest Published: Mar 31, 2021 License: Apache-2.0 Imports: 8 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/sysdiglabs/dockerfile-benchmarker

Links

Open Source Insights

README ¶

dockerfile-benchmarker

CIS Docker Benchmark for dockerfiles

Use cases

Run CIS Docker Benchmark rules for dockerfiles. The following CIS rules are applicable:

CIS 4.1 Create a user for the container
CIS 4.2 Use trusted base images for containers (user provide trusted base image list)
CIS 4.3 Do not install unnecessary packages in the container (user provide the disallowed package list)
CIS 4.6 Add HEALTHCHECK instruction to the container image
CIS 4.7 Do not use update instructions alone in the Dockerfile
CIS 4.9 Use COPY instead of ADD in Dockerfile
CIS 4.10 Do not store secrets in Dockerfiles (user provide the secret pattern, only checks contents in ENV and LABEL instructions)

Build

make build

Usage

$ ./dockerfile-benchmarker -h
dockerfile-benchmarker runs CIS Docker Benchmark for dockerfiles. Rule applicable are 4.1, 4.2, 4.3, 4.6. 4.7, 4.9 and 4.10.

Usage:
  dockerfile-benchmarker [flags]

Flags:
  -d, --directory string             directory to lookup for dockerfile (default "./")
  -p, --disallowed-packages string   list of disallowed packages separated by comma
  -f, --dockerfile-pattern string    dockerfile name pattern (default "dockerfile")
  -h, --help                         help for dockerfile-benchmarker
      --level string                 Log level (default "info")
  -s, --secret-patterns string       list of secret patterns separated by comma
  -b, --trusted-base-images string   list of trusted base images separated by comma

Example output

$ ./dockerfile-benchmarker -p "netcat" -s "secret, key" -b "alpine,golang:1.12-alpine" | jq .
INFO[2020-03-05T16:19:28-08:00] Trusted base images: [alpine golang:1.12-alpine] 
INFO[2020-03-05T16:19:28-08:00] Disallowed packages: [netcat]                
INFO[2020-03-05T16:19:28-08:00] Secret patterns: [secret key]                
{
  "cis_docker_benchmark_violation_report": [
    {
      "rule": "CIS 4.1 Create a user for the container",
      "violations": [
        "test/Dockerfile_fail"
      ]
    },
    {
      "rule": "CIS 4.2 Use trusted base images for containers",
      "violations": [
        "test/Dockerfile_fail: golang:1.10-alpine",
        "container/Dockerfile: golang:1.12.9-alpine3.10"
      ]
    },
    {
      "rule": "CIS 4.3 Do not install unnecessary packages in the container",
      "violations": [
        "test/Dockerfile_fail: netcat"
      ]
    },
    {
      "rule": "CIS 4.6 Add HEALTHCHECK instruction to the container image",
      "violations": [
        "test/Dockerfile_fail"
      ]
    },
    {
      "rule": "CIS 4.7 Do not use update instructions alone in the Dockerfile",
      "violations": [
        "test/Dockerfile_fail"
      ]
    },
    {
      "rule": "CIS 4.9 Use COPY instead of ADD in Dockerfile",
      "violations": [
        "test/Dockerfile_fail"
      ]
    },
    {
      "rule": "CIS 4.10 Do not store secrets in Dockerfiles",
      "violations": [
        "test/Dockerfile_fail: ENV contains 'secret'",
        "test/Dockerfile_fail: ENV contains 'key'"
      ]
    }
  ]
}

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
benchmarker
pkg
benchmark
dockerfile
utils

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL