Container Security: Dockerfile Security Scanning
1. Dockerfile scanning tools
- checkov
- hadolint (a linter that helps you build Docker images that follow best practices)
- docker scan is also worth considering
2. checkov
Dockerfile Configuration Scanning with checkov
checkov can scan not only Dockerfiles but also CloudFormation, AWS SAM, Kubernetes, Helm charts, Kustomize, container images and more.
checkov supports policy evaluation for Dockerfile files. When you scan a directory containing a Dockerfile with checkov, it verifies that the file follows Docker best practices, for example not running as the root user, making sure a health check is present, and not exposing the SSH port.
The full list of Dockerfile policy checks can be found here.
2.1 Example of a misconfigured Dockerfile
FROM node:alpine
WORKDIR /usr/src/app
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000 22
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
USER root
CMD ["node","app.js"]
2.2 Installation
Requirements
- Python >= 3.7 (Data classes are available for Python 3.7+)
- Terraform >= 0.12
pip3 install checkov -i http://pypi.douban.com/simple --trusted-host pypi.douban.com
2.3 Running from the CLI
checkov -d . --framework dockerfile
2.4 Example output
# checkov -d . --framework dockerfile
[ dockerfile framework ]: 100%|████████████████████|[1/1], Current File Scanned=..\..\..\..\Dockerfile
By bridgecrew.io | version: 2.3.102
Update available 2.3.102 -> 2.3.121
Run pip3 install -U checkov to update
dockerfile scan results:
Passed checks: 21, Failed checks: 2, Skipped checks: 0
Check: CKV_DOCKER_11: "Ensure From Alias are unique for multistage builds."
PASSED for resource: /Dockerfile.
File: /Dockerfile:1-9
Guide: https://docs.bridgecrew.io/docs/ensure-docker-from-alias-is-unique-for-multistage-builds
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
PASSED for resource: /Dockerfile.
File: /Dockerfile:1-9
Guide: https://docs.bridgecrew.io/docs/ensure-the-base-image-uses-a-non-latest-version-tag
Check: CKV_DOCKER_9: "Ensure that APT isn't used"
PASSED for resource: /Dockerfile.
File: /Dockerfile:1-9
Guide: https://docs.bridgecrew.io/docs/ensure-docker-apt-is-not-used
Check: CKV_DOCKER_5: "Ensure update instructions are not use alone in the Dockerfile"
PASSED for resource: /Dockerfile.
File: /Dockerfile:1-9
Guide: https://docs.bridgecrew.io/docs/ensure-update-instructions-are-not-used-alone-in-the-dockerfile
Check: CKV_DOCKER_10: "Ensure that WORKDIR values are absolute paths"
PASSED for resource: /Dockerfile.
File: /Dockerfile:1-9
Guide: https://docs.bridgecrew.io/docs/ensure-docker-workdir-values-are-absolute-paths
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
PASSED for resource: /Dockerfile.HEALTHCHECK
File: /Dockerfile:7-7
Guide: https://docs.bridgecrew.io/docs/ensure-that-healthcheck-instructions-have-been-added-to-container-images
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
PASSED for resource: /Dockerfile.USER
File: /Dockerfile:8-8
Guide: https://docs.bridgecrew.io/docs/ensure-that-a-user-for-the-container-has-been-created
Check: CKV2_DOCKER_14: "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value"
PASSED for resource: /Dockerfile.RUN
File: /Dockerfile:4-4
Check: CKV2_DOCKER_6: "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable"
PASSED for resource: /Dockerfile.RUN
File: /Dockerfile:4-4
Check: CKV2_DOCKER_12: "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable"
PASSED for resource: /Dockerfile.RUN
File: /Dockerfile:4-4
Check: CKV2_DOCKER_5: "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable"
PASSED for resource: /Dockerfile.RUN
File: /Dockerfile:4-4
Check: CKV2_DOCKER_7: "Ensure that packages with untrusted or missing signatures are not used by apk via the '--allow-untrusted' option"
PASSED for resource: /Dockerfile.RUN
File: /Dockerfile:4-4
Check: CKV2_DOCKER_11: "Ensure that the '--force-yes' option is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state"
PASSED for resource: /Dockerfile.RUN
File: /Dockerfile:4-4
Check: CKV2_DOCKER_8: "Ensure that packages with untrusted or missing signatures are not used by apt-get via the '--allow-unauthenticated' option"
PASSED for resource: /Dockerfile.RUN
File: /Dockerfile:4-4
Check: CKV2_DOCKER_13: "Ensure that certificate validation isn't disabled for npm or yarn by setting the option strict-ssl to false"
PASSED for resource: /Dockerfile.RUN
File: /Dockerfile:4-4
Check: CKV2_DOCKER_4: "Ensure that certificate validation isn't disabled with the pip '--trusted-host' option"
PASSED for resource: /Dockerfile.RUN
File: /Dockerfile:4-4
Check: CKV2_DOCKER_10: "Ensure that packages with untrusted or missing signatures are not used by rpm via the '--nodigest', '--nosignature', '--noverify', or '--nofiledigest' options"
PASSED for resource: /Dockerfile.RUN
File: /Dockerfile:4-4
Check: CKV2_DOCKER_2: "Ensure that certificate validation isn't disabled with curl"
PASSED for resource: /Dockerfile.RUN
File: /Dockerfile:4-4
Check: CKV2_DOCKER_3: "Ensure that certificate validation isn't disabled with wget"
PASSED for resource: /Dockerfile.RUN
File: /Dockerfile:4-4
Check: CKV2_DOCKER_1: "Ensure that sudo isn't used"
PASSED for resource: /Dockerfile.RUN
File: /Dockerfile:4-4
Check: CKV2_DOCKER_9: "Ensure that packages with untrusted or missing GPG signatures are not used by dnf, tdnf, or yum via the '--nogpgcheck' option"
PASSED for resource: /Dockerfile.RUN
File: /Dockerfile:4-4
Check: CKV_DOCKER_1: "Ensure port 22 is not exposed"
FAILED for resource: /Dockerfile.EXPOSE
File: /Dockerfile:6-6
Guide: https://docs.bridgecrew.io/docs/ensure-port-22-is-not-exposed
6 | EXPOSE 3000 22
Check: CKV_DOCKER_8: "Ensure the last USER is not root"
FAILED for resource: /Dockerfile.USER
File: /Dockerfile:8-8
Guide: https://docs.bridgecrew.io/docs/ensure-the-last-user-is-not-root
8 | USER root
3. hadolint
GitHub - hadolint/hadolint: Dockerfile linter, validates inline bash, written in Haskell
3.1 Online version
Dockerfile Linter (hadolint.github.io)
3.2 Dockerfile
FROM node:alpine
WORKDIR /usr/src/app
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000 22
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
USER root
CMD ["node","app.js"]
3.3 Running from a container
docker run --rm -i hadolint/hadolint < Dockerfile
# OR
docker run --rm -i ghcr.io/hadolint/hadolint < Dockerfile
3.4 Installing and running on CentOS
[root@ops-pinpoint-123 tmp]# wget https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64
[root@ops-pinpoint-123 tmp]# chmod +x hadolint-Linux-x86_64
[root@ops-pinpoint-123 tmp]# hadolint-Linux-x86_64 ./Dockerfile
[root@ops-pinpoint-123 tmp]# ./hadolint-Linux-x86_64 /root/Dockerfile
/root/Dockerfile:8 DL3002 warning: Last USER should not be root
We can see that what hadolint reports is based on its own specific rule set and best practices.
4. Comparing the two tools
The Dockerfile checked by both tools above is the same, yet the information the two tools report differs somewhat. hadolint detected the issue of USER being root. checkov detected not only the USER-is-root issue but also the exposed port 22. Since port 22 is normally the port we use for SSH, it should not be exposed from the container either.
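To make the difference between the two reports concrete, here is an added example (my own code, not part of the article and not code from checkov or hadolint) that implements the two rules in Python: no EXPOSE argument may cover port 22, and the last USER in the file must not be root. It runs over the article's Dockerfile and over a hardened variant constructed here, and labels findings with the checkov ids shown in the scan output above. It handles a few inputs the article does not show: port ranges, port/protocol suffixes, uid-style USER values, and backslash line continuations.

```python
# Constructed copy of the article's misconfigured Dockerfile.
BAD = """FROM node:alpine
WORKDIR /usr/src/app
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000 22
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
USER root
CMD ["node","app.js"]
"""
# Hardened variant (constructed): port 22 dropped, unprivileged user created and made the last USER.
GOOD = BAD.replace("EXPOSE 3000 22", "EXPOSE 3000").replace(
    "USER root", "RUN addgroup -S app && adduser -S app -G app\nUSER app")

def instructions(text):
    """Yield (line_no, INSTRUCTION, args); joins backslash continuations, skips comments/blank lines."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        start = start if buf else no          # a continued instruction keeps its first line number
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1)
        yield start, parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        buf = ""

def exposes_22(args):
    """True if any EXPOSE argument (port, port/proto, or lo-hi range) covers port 22."""
    for spec in args.split():
        lo, _, hi = spec.split("/")[0].partition("-")   # strip '/tcp', split a 'lo-hi' range
        if lo.isdigit() and (hi or lo).isdigit() and int(lo) <= 22 <= int(hi or lo):
            return True
    return False

def lint(text):
    """Return [(line, check_id, message)] for the two rules discussed in the article (whole-file, not per stage)."""
    findings, last_user = [], None
    for no, instr, args in instructions(text):
        if instr == "EXPOSE" and exposes_22(args):
            findings.append((no, "CKV_DOCKER_1", "Ensure port 22 is not exposed"))
        elif instr == "USER":
            last_user = (no, args.split(":")[0].strip())   # 'USER name:group' or 'USER uid:gid'
    if last_user and last_user[1] in ("root", "0"):
        findings.append((last_user[0], "CKV_DOCKER_8", "Ensure the last USER is not root"))
    return findings
```

Running lint(BAD) reports lines 6 and 8, matching the File: /Dockerfile:6-6 and :8-8 locations in the checkov output, while lint(GOOD) returns an empty list.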
Author: 理想三旬
I take on project maintenance and Python development work of all kinds. If you found this article useful, please give it a like and follow. Ops learning and discussion group: 544692191
Copyright for this article belongs to the author; reposting is welcome. If anything in the article is lacking or wrong, please do point it out, because that not only pushes me to write better but is also a responsibility to those who read this article after you. Thank you.