
1.7 Source File Scanners

Docker Source File Scanners are tools or features used to analyze Docker-related files, such as Dockerfile, docker-compose.yml, or other configuration files, to detect issues, vulnerabilities, or inefficiencies. These scanners help ensure the security, performance, and best practices of Docker containers and images.

1. Categories

1.1 Security Scanners

These scanners analyze Dockerfiles and images to identify known vulnerabilities, insecure configurations, or potential threats.

  • Examples:
    • Trivy: Scans Docker images, filesystems, and Git repositories for vulnerabilities.
    • Anchore: Scans Docker images for vulnerabilities, checks for compliance, and provides security reports.

1.2 Best Practices and Linter Tools

These tools analyze Dockerfiles to ensure they follow best practices, such as minimizing image size, avoiding unnecessary layers, and using specific image versions.

  • Examples:
    • Hadolint: A linter for Dockerfiles that checks for best practices, errors, and inefficiencies.
    • Dockle: A linter and security checker for Docker images that focuses on Docker best practices.

1.3 Static Analysis Tools

These tools perform static analysis on Docker-related files to detect syntax issues, inefficient commands, and other potential problems.

  • Examples:
    • Snyk: Scans Docker images for vulnerabilities and security issues. It also supports integration with Dockerfile to identify risky practices.
    • Dive: Helps explore Docker images layer by layer to find opportunities for reducing image size and optimizing Dockerfile instructions.

1.4 Compliance and Policy Checkers

These scanners ensure that Docker images and containers comply with internal policies, industry standards, or specific security requirements.

  • Examples:
    • OpenSCAP: Used to perform security compliance checks on Docker images based on predefined security standards.
    • Kube-bench: While primarily for Kubernetes, it can help ensure Docker images meet security compliance checks as part of the Kubernetes ecosystem.

2. Hadolint Linter

wget -O hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64
sudo mv hadolint /usr/local/bin/
sudo chmod +x /usr/local/bin/hadolint
hadolint -v
  • Sample Dockerfile
FROM ubuntu:latest
MAINTAINER john@generic.com
LABEL org.website="generic.com"
COPY requirements.txt requirements.txt
RUN pip install --upgrade pip
RUN pip install -r requirements.txt
COPY . code
WORKDIR /code
EXPOSE 8080
CMD python manage.py runserver 0.0.0.0:8080
  • Run hadolint
hadolint Dockerfile
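To make concrete what a run of hadolint over the sample Dockerfile above flags, here is an added example (not from the page and not hadolint's own code): a small POSIX-shell approximation of three hadolint rules, run over the page's sample Dockerfile and over a hardened rewrite of it. The rule codes DL4000 (MAINTAINER deprecated), DL3007 (base image pinned to :latest) and DL3013 (unpinned pip install) are hadolint's real rule codes; the matching logic, the hardened Dockerfile, and the pip version pin `pip==24.0` are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the page or from the hadolint project: a POSIX-shell
# approximation of three hadolint rules. DL4000, DL3007 and DL3013 are
# hadolint's real rule codes; the matching logic below is a simplification
# written for this example, not hadolint's implementation.

# Print one finding per violated rule in the Dockerfile given as $1.
lint_dockerfile() {
    awk '
    # DL4000: MAINTAINER is deprecated in favour of a LABEL.
    /^[ \t]*MAINTAINER[ \t]/ {
        printf "DL4000 line %d: MAINTAINER is deprecated, use LABEL maintainer=...\n", NR
    }
    # DL3007: base image must be pinned to a tag or digest, and not to :latest.
    # ($2 is the image reference; FROM --platform=... is not handled here.)
    /^[ \t]*FROM[ \t]/ {
        img = $2
        if (img != "scratch" && (img !~ /[:@]/ || img ~ /:latest$/))
            printf "DL3007 line %d: base image %s is not pinned to a tag or digest\n", NR, img
    }
    # DL3013: pip install needs pinned versions (pkg==x.y.z) unless it
    # installs from a requirements file.
    /^[ \t]*RUN[ \t]/ && /pip3?[ \t]+install/ {
        if ($0 !~ /(^|[ \t])(-r|--requirement)([ \t]|=)/ && $0 !~ /==/)
            printf "DL3013 line %d: pin versions in pip install (pkg==x.y.z)\n", NR
    }' "$1"
}

# Number of findings, usable as a CI gate threshold.
count_findings() {
    lint_dockerfile "$1" | wc -l | tr -d ' '
}

# Write the page's sample Dockerfile and a hardened version (this example's
# own rewrite) into a temp directory and print the directory path.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/Dockerfile.sample" <<'EOF'
FROM ubuntu:latest
MAINTAINER john@generic.com
LABEL org.website="generic.com"
COPY requirements.txt requirements.txt
RUN pip install --upgrade pip
RUN pip install -r requirements.txt
COPY . code
WORKDIR /code
EXPOSE 8080
CMD python manage.py runserver 0.0.0.0:8080
EOF
    cat > "$dir/Dockerfile.hardened" <<'EOF'
# Pinned base image, LABEL instead of MAINTAINER, pinned pip, non-root user.
FROM python:3.12-slim
LABEL maintainer="john@generic.com" org.website="generic.com"
WORKDIR /code
COPY requirements.txt requirements.txt
RUN pip install --no-cache-dir --upgrade pip==24.0 \
    && pip install --no-cache-dir -r requirements.txt
COPY . .
USER nobody
EXPOSE 8080
CMD ["python", "manage.py", "runserver", "0.0.0.0:8080"]
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: lint both files and report the counts.
samples=$(write_samples)
for f in "$samples/Dockerfile.sample" "$samples/Dockerfile.hardened"; do
    echo "== $f: $(count_findings "$f") finding(s)"
    lint_dockerfile "$f"
done
rm -rf "$samples"
```

The sample file produces three findings (lines 1, 2 and 5) and the hardened file none. The real `hadolint Dockerfile` run reports more than these three rules (for example the shell-form CMD and the missing `--no-cache-dir`), so treat this checker as an illustration of how the rules work, not as a replacement for the tool.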

3. Docker Bench Security Tool

This tool will undertake a number of checks based on the CIS Benchmarks which are considered to be industry standard in many organisations.

git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
# run the scanner
sudo sh docker-bench-security.sh

The scanner runs a series of checks, starting with the host to see how it is configured, then the Docker daemon, and so on. The output will most likely show findings of different severity levels (ranging from INFO to WARN) and at the end will report a security score. The score reflects the number of issues the scanner identified: the higher the score, the better the security posture. How is the score computed? In short, a PASS increases the score and a WARN decreases it.
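The scoring rule just described, applied to output lines in the tool's `[LEVEL] <check id> - <title>` layout, as an added example that is not part of the page or of docker-bench-security. The sample lines are constructed, the check titles are paraphrased, and the decision to count only lines whose second field is a check number (so that indented sub-result lines do not affect the score) is this example's assumption, not something taken from the tool's source.

```shell
#!/bin/sh
# Added example, not part of the page or of docker-bench-security: the score
# arithmetic the text describes (PASS +1, WARN -1) applied to constructed
# output lines. Titles are paraphrased; the "second field is a check number"
# rule is this example's assumption about which lines are scored.

# Constructed sample output (not a real run).
SAMPLE_OUTPUT='[INFO] 1 - Host Configuration
[WARN] 1.1.1 - Ensure a separate partition for containers has been created
[PASS] 1.1.2 - Ensure only trusted users are allowed to control the Docker daemon
[WARN] 1.1.3 - Ensure auditing is configured for the Docker daemon
[INFO] 2 - Docker daemon configuration
[PASS] 2.1 - Run the Docker daemon as a non-root user, if possible
[WARN] 2.2 - Ensure network traffic is restricted between containers on the default bridge
[WARN]      * sub-result detail line, not a scored check
[PASS] 2.3 - Ensure the logging level is set to info
[NOTE] 2.4 - Ensure Docker is allowed to make changes to iptables
[PASS] 2.5 - Ensure insecure registries are not used'

# Read bench output on stdin; print pass/warn counts and the resulting score.
bench_score() {
    awk '
    /^\[PASS\] [0-9]/ { pass++ }
    /^\[WARN\] [0-9]/ { warn++ }
    END { printf "pass=%d warn=%d score=%d\n", pass, warn, pass - warn }'
}

# Read bench output on stdin; print the ids of the scored WARN checks, one per
# line. This is the list to hand to whoever owns the host configuration.
bench_warn_ids() {
    awk '/^\[WARN\] [0-9]/ { print $2 }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | bench_score
printf '%s\n' "$SAMPLE_OUTPUT" | bench_warn_ids
```

On the sample, four PASS and three WARN checks give a score of 1; saving a real run's output to a file and piping it through `bench_warn_ids` gives a triage list that is easier to track over time than the raw score alone.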

4. Trivy Security Scanner

Trivy is an excellent tool that is commonly used alongside Docker Bench for Security. Again, the first thing to do is to install the scanner.

The instructions below add the Trivy repository to the host's package sources, which makes it easy to update the tool when a new version is released.

sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
Explanation:
  1. First command:

    wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
    • wget -qO -: Downloads the Trivy GPG public key in a silent mode (-q for quiet) and outputs it to standard output (-O -).
    • | sudo apt-key add -: Pipes the downloaded key to the apt-key command, adding it to the list of trusted keys for APT. Note that apt-key is deprecated on current Debian and Ubuntu releases; the supported alternative is to store the key under /etc/apt/keyrings and reference it with a signed-by option in the sources entry, so that it only vouches for this one repository.
  2. Second command:

    echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
    • echo "deb ...": Prints the APT repository URL for Trivy, dynamically inserting the Ubuntu codename ($(lsb_release -sc)) such as focal or jammy.
    • | sudo tee -a /etc/apt/sources.list.d/trivy.list: Appends (-a) the repository information to a new file trivy.list under /etc/apt/sources.list.d/. sudo tee allows the command to write as root.

Next, install Trivy

sudo apt-get update
sudo apt-get install trivy

Inspect Image

trivy image nginx

The scan output lists the vulnerabilities found in the image. Trivy's options (see trivy --help) should also be reviewed: there are many choices for how to scan and for the types of target allowed.
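A practical follow-on to `trivy image nginx` is to gate a build on the result. The added example below (not from the page or the Trivy project) reads a Trivy JSON report, as produced by `trivy image --format json -o report.json <image>`, counts findings per severity with plain grep, and fails when HIGH or CRITICAL findings are present. The key names `Results`, `Target`, `Vulnerabilities`, `VulnerabilityID` and `Severity` are Trivy's; the sample report is constructed and uses placeholder CVE ids and a placeholder target string, not findings from a real scan. The `scan_and_gate` wrapper is assumed to run where Trivy is installed and is not exercised by the stand-alone run.

```shell
#!/bin/sh
# Added example, not from the page or the Trivy project: a shell-only gate
# over a Trivy JSON report. Key names are Trivy's; the sample report below is
# constructed, with placeholder CVE ids.

# Write a constructed Trivy-style report to a temp file and print its path.
write_sample_report() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
{
  "SchemaVersion": 2,
  "ArtifactName": "nginx",
  "Results": [
    {
      "Target": "nginx (debian PLACEHOLDER-VERSION)",
      "Vulnerabilities": [
        { "VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1", "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL" },
        { "VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2", "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH" },
        { "VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample3", "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "MEDIUM" },
        { "VulnerabilityID": "CVE-0000-0004", "PkgName": "libexample4", "InstalledVersion": "4.1", "FixedVersion": "4.2", "Severity": "LOW" }
      ]
    }
  ]
}
EOF
    printf '%s\n' "$f"
}

# Count vulnerabilities of severity $2 in report $1. Matching the
# "Severity": "X" pair line by line works on Trivy's pretty-printed JSON
# without needing jq. grep -c prints 0 on no match but exits 1, hence || true.
count_severity() {
    grep -Ec "\"Severity\": ?\"$2\"" "$1" || true
}

# Return 1 if the report has any finding at the severities given as $2..$n;
# print a per-severity count and a one-line verdict either way.
trivy_gate() {
    report=$1; shift
    blocking=0
    for sev in "$@"; do
        n=$(count_severity "$report" "$sev")
        echo "$sev: $n"
        blocking=$((blocking + n))
    done
    if [ "$blocking" -gt 0 ]; then
        echo "FAIL: $blocking finding(s) at blocking severity"
        return 1
    fi
    echo "PASS: no findings at blocking severity"
}

# Real-world wrapper (assumes trivy is installed and the image is reachable;
# not run in the stand-alone demo below).
scan_and_gate() {
    out=$(mktemp)
    trivy image --format json --ignore-unfixed -o "$out" "$1" && trivy_gate "$out" HIGH CRITICAL
}

# Stand-alone run against the constructed report.
r=$(write_sample_report)
trivy_gate "$r" HIGH CRITICAL
echo "gate exit status: $?"
rm -f "$r"
```

Trivy can enforce the same policy in one command with `trivy image --severity HIGH,CRITICAL --exit-code 1 <image>`; the parser above is for pipelines that also want the per-severity counts recorded, and `--ignore-unfixed` keeps findings with no available fix from blocking a build the team cannot act on yet.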