一、Dockerfile 掃描工具

checkov
hadolint(構建最佳實踐Docker 鏡像。)
也可以考慮 docker scan

二、checkov

Dockerfile Configuration Scaning-checkov

checkov 不僅可以掃描dockfile，也可以掃描 Cloudformation、AWS SAM、Kubernetes、Helm charts、Kustomize 、鏡像等。

Checkov 支持對 Dockerfile 文件的策略進行評估。使用 checkov 掃描包含 Dockerfile 的目錄時，它將驗證該文件是否符合 Docker 最佳實踐，例如不使用 root 用戶、確保運行狀況檢查存在以及不公開 SSH 端口。

可以在此處找到 Dockerfile 策略檢查的完整列表。

2.1、示例配置錯誤的 Dockerfile

FROM node:alpine
WORKDIR /usr/src/app
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000 22
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
USER root
CMD ["node","app.js"]

2.2、安裝

Requirements

Python >= 3.7 (Data classes are available for Python 3.7+)
Terraform >= 0.12

pip3 install checkov   -i http://pypi.douban.com/simple --trusted-host pypi.douban.com

2.3、在 CLI 中運行

checkov -d . --framework dockerfile

2.4、示例輸出

# checkov -d . --framework dockerfile
[ dockerfile framework ]: 100%|████████████████████|[1/1], Current File Scanned=..\..\..\..\Dockerfile


       _               _
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V /
  \___|_| |_|\___|\___|_|\_\___/ \_/

By bridgecrew.io | version: 2.3.102
Update available 2.3.102 -> 2.3.121
Run pip3 install -U checkov to update


dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_11: "Ensure From Alias are unique for multistage builds."
        PASSED for resource: /Dockerfile.
        File: /Dockerfile:1-9
        Guide: https://docs.bridgecrew.io/docs/ensure-docker-from-alias-is-unique-for-multistage-builds
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
        PASSED for resource: /Dockerfile.
        File: /Dockerfile:1-9
        Guide: https://docs.bridgecrew.io/docs/ensure-the-base-image-uses-a-non-latest-version-tag
Check: CKV_DOCKER_9: "Ensure that APT isn't used"
        PASSED for resource: /Dockerfile.
        File: /Dockerfile:1-9
        Guide: https://docs.bridgecrew.io/docs/ensure-docker-apt-is-not-used
Check: CKV_DOCKER_5: "Ensure update instructions are not use alone in the Dockerfile"
        PASSED for resource: /Dockerfile.
        File: /Dockerfile:1-9
        Guide: https://docs.bridgecrew.io/docs/ensure-update-instructions-are-not-used-alone-in-the-dockerfile
Check: CKV_DOCKER_10: "Ensure that WORKDIR values are absolute paths"
        PASSED for resource: /Dockerfile.
        File: /Dockerfile:1-9
        Guide: https://docs.bridgecrew.io/docs/ensure-docker-workdir-values-are-absolute-paths
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
        PASSED for resource: /Dockerfile.HEALTHCHECK
        File: /Dockerfile:7-7
        Guide: https://docs.bridgecrew.io/docs/ensure-that-healthcheck-instructions-have-been-added-to-container-images
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
        PASSED for resource: /Dockerfile.USER
        File: /Dockerfile:8-8
        Guide: https://docs.bridgecrew.io/docs/ensure-that-a-user-for-the-container-has-been-created
Check: CKV2_DOCKER_14: "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_6: "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_12: "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_5: "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_7: "Ensure that packages with untrusted or missing signatures are not used by apk via the '--allow-untrusted' option"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_11: "Ensure that the '--force-yes' option is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_8: "Ensure that packages with untrusted or missing signatures are not used by apt-get via the '--allow-unauthenticated' option"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_13: "Ensure that certificate validation isn't disabled for npm or yarn by setting the option strict-ssl to false"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_4: "Ensure that certificate validation isn't disabled with the pip '--trusted-host' option"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_10: "Ensure that packages with untrusted or missing signatures are not used by rpm via the '--nodigest', '--nosignature', '--noverify', or '--nofiledigest' options"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_2: "Ensure that certificate validation isn't disabled with curl"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_3: "Ensure that certificate validation isn't disabled with wget"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_1: "Ensure that sudo isn't used"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_9: "Ensure that packages with untrusted or missing GPG signatures are not used by dnf, tdnf, or yum via the '--nogpgcheck' option"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV_DOCKER_1: "Ensure port 22 is not exposed"
        FAILED for resource: /Dockerfile.EXPOSE
        File: /Dockerfile:6-6
        Guide: https://docs.bridgecrew.io/docs/ensure-port-22-is-not-exposed

                6 | EXPOSE 3000 22

Check: CKV_DOCKER_8: "Ensure the last USER is not root"
        FAILED for resource: /Dockerfile.USER
        File: /Dockerfile:8-8
        Guide: https://docs.bridgecrew.io/docs/ensure-the-last-user-is-not-root

                8 | USER root

三、hadolint

GitHub - hadolint/hadolint： Dockerfile linter， validate inline bash，用 Haskell 編寫

3.1、在線網站

Dockerfile Linter (hadolint.github.io)

3.2、DockerFile

FROM node:alpine
WORKDIR /usr/src/app
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000 22
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
USER root
CMD ["node","app.js"]

3.3、基於容器運行

docker run --rm -i hadolint/hadolint < Dockerfile
# OR
docker run --rm -i ghcr.io/hadolint/hadolint < Dockerfile

3.4、Centos 安裝運行

[root@ops-pinpoint-123 tmp]# wget https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64
[root@ops-pinpoint-123 tmp]# chmod +x hadolint-Linux-x86_64
[root@ops-pinpoint-123 tmp]# hadolint-Linux-x86_64 ./Dockerfile
[root@ops-pinpoint-123 tmp]# ./hadolint-Linux-x86_64  /root/Dockerfile  
/root/Dockerfile:8 DL3002 warning: Last USER should not be root

我們可以發現 hadolint 掃描出來的是基於他特定的規則和最佳實踐。

四、兩者對比

我們前面進行檢查的 Dockerfile 是一樣的，我們發現兩者給出來的信息還是有些差異的。

hadolint 檢測出來的 USER 爲 ROOT 的問題。 checkov 不僅檢測出了 USER 爲 ROOT 的問題，還有一個 22 端口的問題。因爲 22 端口一般都是我們 ssh 使用的端口，我們也不應該暴露出來。

容器安全之 Dockerfile 安全掃描

一、Dockerfile 掃描工具

二、checkov

2.1、示例配置錯誤的 Dockerfile

2.2、安裝

Requirements

2.3、在 CLI 中運行

2.4、示例輸出

三、hadolint

3.1、在線網站

3.2、DockerFile

3.3、基於容器運行

3.4、Centos 安裝運行

四、兩者對比

探究職業發展的關鍵：能力模型解讀

高效率使用windows

智能決策新時代：可視化大屏是否能夠超越傳統白板？

解密Prompt系列28. LLM Agent之金融領域摸索：FinMem & FinAgent

分享幾個.NET開源的AI和LLM相關項目框架

一次有關 DNS 解析導致 APP 慢的問題探究

容器安全之鏡像掃描

容器安全之 Dockerfile 安全掃描

2023年2月份CKA考試歷程

K8s configmap Secrets 更新滾動更新pod

https://yachay.unat.edu.pe/blog/index.php?comment_area=format_blog&comment_component=blog&comment_co

linux以太網驅動總結