Fork me on GitHub

容器安全之 Dockerfile 安全扫描

一、Dockerfile 扫描工具

  • checkov
  • hadolint(构建最佳实践Docker 镜像。)
  • 也可以考虑 docker scan

二、checkov

Dockerfile Configuration Scaning-checkov

checkov 不仅可以扫描dockfile, 也可以扫描 CloudformationAWS SAMKubernetesHelm chartsKustomize 、镜像等。

Checkov 支持对 Dockerfile 文件的策略进行评估。 使用 checkov 扫描包含 Dockerfile 的目录时,它将验证该文件是否符合 Docker 最佳实践,例如不使用 root 用户、确保运行状况检查存在以及不公开 SSH 端口。

可以在此处找到 Dockerfile 策略检查的完整列表。

2.1、示例配置错误的 Dockerfile

FROM node:alpine
WORKDIR /usr/src/app
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000 22
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
USER root
CMD ["node","app.js"]

2.2、安装

Requirements

  • Python >= 3.7 (Data classes are available for Python 3.7+)
  • Terraform >= 0.12
pip3 install checkov   -i http://pypi.douban.com/simple --trusted-host pypi.douban.com

2.3、在 CLI 中运行

checkov -d . --framework dockerfile

2.4、示例输出

# checkov -d . --framework dockerfile
[ dockerfile framework ]: 100%|████████████████████|[1/1], Current File Scanned=..\..\..\..\Dockerfile


       _               _
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V /
  \___|_| |_|\___|\___|_|\_\___/ \_/

By bridgecrew.io | version: 2.3.102
Update available 2.3.102 -> 2.3.121
Run pip3 install -U checkov to update


dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_11: "Ensure From Alias are unique for multistage builds."
        PASSED for resource: /Dockerfile.
        File: /Dockerfile:1-9
        Guide: https://docs.bridgecrew.io/docs/ensure-docker-from-alias-is-unique-for-multistage-builds
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
        PASSED for resource: /Dockerfile.
        File: /Dockerfile:1-9
        Guide: https://docs.bridgecrew.io/docs/ensure-the-base-image-uses-a-non-latest-version-tag
Check: CKV_DOCKER_9: "Ensure that APT isn't used"
        PASSED for resource: /Dockerfile.
        File: /Dockerfile:1-9
        Guide: https://docs.bridgecrew.io/docs/ensure-docker-apt-is-not-used
Check: CKV_DOCKER_5: "Ensure update instructions are not use alone in the Dockerfile"
        PASSED for resource: /Dockerfile.
        File: /Dockerfile:1-9
        Guide: https://docs.bridgecrew.io/docs/ensure-update-instructions-are-not-used-alone-in-the-dockerfile
Check: CKV_DOCKER_10: "Ensure that WORKDIR values are absolute paths"
        PASSED for resource: /Dockerfile.
        File: /Dockerfile:1-9
        Guide: https://docs.bridgecrew.io/docs/ensure-docker-workdir-values-are-absolute-paths
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
        PASSED for resource: /Dockerfile.HEALTHCHECK
        File: /Dockerfile:7-7
        Guide: https://docs.bridgecrew.io/docs/ensure-that-healthcheck-instructions-have-been-added-to-container-images
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
        PASSED for resource: /Dockerfile.USER
        File: /Dockerfile:8-8
        Guide: https://docs.bridgecrew.io/docs/ensure-that-a-user-for-the-container-has-been-created
Check: CKV2_DOCKER_14: "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_6: "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_12: "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_5: "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_7: "Ensure that packages with untrusted or missing signatures are not used by apk via the '--allow-untrusted' option"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_11: "Ensure that the '--force-yes' option is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_8: "Ensure that packages with untrusted or missing signatures are not used by apt-get via the '--allow-unauthenticated' option"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_13: "Ensure that certificate validation isn't disabled for npm or yarn by setting the option strict-ssl to false"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_4: "Ensure that certificate validation isn't disabled with the pip '--trusted-host' option"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_10: "Ensure that packages with untrusted or missing signatures are not used by rpm via the '--nodigest', '--nosignature', '--noverify', or '--nofiledigest' options"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_2: "Ensure that certificate validation isn't disabled with curl"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_3: "Ensure that certificate validation isn't disabled with wget"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_1: "Ensure that sudo isn't used"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_9: "Ensure that packages with untrusted or missing GPG signatures are not used by dnf, tdnf, or yum via the '--nogpgcheck' option"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV_DOCKER_1: "Ensure port 22 is not exposed"
        FAILED for resource: /Dockerfile.EXPOSE
        File: /Dockerfile:6-6
        Guide: https://docs.bridgecrew.io/docs/ensure-port-22-is-not-exposed

                6 | EXPOSE 3000 22

Check: CKV_DOCKER_8: "Ensure the last USER is not root"
        FAILED for resource: /Dockerfile.USER
        File: /Dockerfile:8-8
        Guide: https://docs.bridgecrew.io/docs/ensure-the-last-user-is-not-root

                8 | USER root

三、hadolint

GitHub - hadolint/hadolint: Dockerfile linter, validate inline bash, 用 Haskell 编写

3.1、在线网站

Dockerfile Linter (hadolint.github.io)

3.2、DockerFile

FROM node:alpine
WORKDIR /usr/src/app
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000 22
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
USER root
CMD ["node","app.js"]

3.3、基于容器运行

docker run --rm -i hadolint/hadolint < Dockerfile
# OR
docker run --rm -i ghcr.io/hadolint/hadolint < Dockerfile

3.4、Centos 安装运行

[root@ops-pinpoint-123 tmp]# wget https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64
[root@ops-pinpoint-123 tmp]# chmod +x hadolint-Linux-x86_64
[root@ops-pinpoint-123 tmp]# hadolint-Linux-x86_64 ./Dockerfile
[root@ops-pinpoint-123 tmp]# ./hadolint-Linux-x86_64  /root/Dockerfile  
/root/Dockerfile:8 DL3002 warning: Last USER should not be root

我们可以发现 hadolint 扫描出来的是基于他特定的规则和最佳实践。

四、两者对比

我们前面进行检查的 Dockerfile 是一样的,我们发现两者给出来的信息还是有些差异的。

hadolint 检测出来的 USERROOT 的问题。 checkov 不仅检测出了 USERROOT 的问题, 还有一个 22 端口的问题。因为 22 端口一般都是我们 ssh 使用的端口,我们也不应该暴露出来。

posted @ 2023-03-29 09:38  自由早晚乱余生  阅读(362)  评论(0编辑  收藏  举报