dockerfile-sec

Release 1.0.6

Simple but powerful rules-based checker for Dockerfiles

Homepage PyPI Python

Keywords
devops, devsecops, docker, security, static-analyzer
License
OSET-PL-2.1
Install
pip install dockerfile-sec==1.0.6

Documentation

Dockerfile-sec

Dockerfile-sec is a simple but powerful rules-based checker for Dockerfiles.

Install

> pip install dockerfile-sec

Quick start

Analyze a Dockerfile

> dockerfile-sec examples/Dockerfile-example
+----------+-------------------------------------------+----------+
| Rule Id  | Description                               | Severity |
+----------+-------------------------------------------+----------+
| core-002 | Missing USER sentence in dockerfile       | Medium   |
| core-003 | Posible text plain password in dockerfile | High     |
| core-005 | Recursive copy found                      | Medium   |
| core-006 | Use of COPY instead of ADD                | Low      |
| core-007 | Use image tag instead of SHA256 hash      | Medium   |
| cred-001 | Generic credential                        | Medium   |
+----------+-------------------------------------------+----------+

Using docker

> cat Dockerfile | docker run --rm -t cr0hn/dockerfile-sec  
IMPORTANT: By using docker you can pass a rules file or a docker file as paramenter. You need to use a pipe or mount a volume

Usage

With remote rules

> dockerfile-sec -r http://127.0.0.1:9999/rules/credentials.yaml Dockerfile

With built-in rules

All rules

All rules are enabled by default:

> dockerfile-sec Dockerfile

Core rules only

https://github.com/cr0hn/dockerfile-security/blob/master/dockerfile_sec/rules/core.yaml

> dockerfile-sec -R core Dockerfile

Credentials rules only

https://github.com/cr0hn/dockerfile-security/blob/master/dockerfile_sec/rules/credentials.yaml

> dockerfile-sec -R credentials Dockerfile

Disabling built-in rules

> dockerfile-sec -R none Dockerfile

With user defined rules

> dockerfile-sec -r my-rules.yaml Dockerfile

Export results as json

> dockerfile-sec -o results.json Dockerfile

Quiet mode

Not writing anything in the console:

> dockerfile-sec -q -o results.json Dockerfile

Filtering false positives

By ignore file

Dockerfile-sec allows to ignore rules by using a file that contains the rules you want to ignore.

> dockerfile-sec -F ignore-rules.text Dockerfile

Ignore file format contains the IDs of rules you want to ignore. one ID per line. Example:

> ls ignore-rules.text
core-001
core-007

By using the cli

You also can use cli to ignore specific IDs:

> dockerfile-sec -i core-001,core007 Dockerfile

Using as a pipeline

You also can use dockerfile-sec as UNIX pipeline.

Loading Dockerfile from stdin:

> cat Dockerfile | dockerfile-sec -i core-001,core007

Exposing results via pipe:

> cat Dockerfile | dockerfile-sec -i core-001,core007 | jq

Output formats

JSON Output format

[
  {
    "description": "Missing USER sentence in dockerfile",
    "id": "core-002",
    "reference": "https://snyk.io/blog/10-docker-image-security-best-practices/",
    "severity": "Medium"
  }
]

References

Stats

Dependencies
0
Dependent packages
0
Dependent repositories
0
Total releases
7
Latest release
First release
Stars
93
Forks
11
Watchers
4
Contributors
3
Repository size
29.3 KB
SourceRank
11

Development practices

Source repo 2FA enabled
TEXT!
Package manager 2FA enabled
TEXT!
Is security responsive
TEXT!
Dependencies are managed
TEXT!
Issue-free release available
TEXT!
Succession plan available
TEXT!
Package manager 2FA enabled
TEXT!

The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practices.

Learn more

Releases

1.0.6
1.0.5
1.0.4
1.0.3
1.0.2
1.0.1
1.0.0

Contributors

cr0hn Mark D. Gray Mariusz Michalowski


See all contributors

Something wrong with this page? Make a suggestion

Export .ABOUT file for this package

Last synced: 2024-03-20 14:38:35 UTC

Login to resync this project