Container Security: Dockerfile Security Scanning

Posted by 自由早晚乱余生


1. Dockerfile scanning tools

  • checkov
  • hadolint (a Dockerfile linter that checks the file against best practices for building Docker images)
  • docker scan is also an option, with a caveat: it scans the built image for known package vulnerabilities rather than linting Dockerfile instructions, and it has since been retired in favour of docker scout, so it complements rather than replaces the two linters above.

2. checkov

Dockerfile Configuration Scanning with checkov

checkov can scan not only Dockerfiles but also CloudFormation, AWS SAM, Kubernetes, Helm charts, Kustomize, container images and more.

Checkov supports policy evaluation for Dockerfiles. When checkov scans a directory that contains a Dockerfile, it validates the file against Docker best practices, for example not running as the root user, making sure a HEALTHCHECK is present, and not exposing the SSH port.

The complete list of Dockerfile policy checks is published in the checkov documentation.

2.1 Example of a misconfigured Dockerfile

The Dockerfile below is deliberately flawed: it exposes port 22 next to the application port and switches to root immediately before CMD. Two further weaknesses are left in place because the scan output later refers to these exact line numbers: the base image uses the floating alpine tag (checkov's CKV_DOCKER_7 only rejects latest, so this passes), and the health check calls curl, which the node:alpine image does not ship, so the check would fail at runtime.

FROM node:alpine
WORKDIR /usr/src/app
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000 22
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
USER root
CMD ["node","app.js"]

2.2 Installation

Requirements

  • Python >= 3.7 (data classes are available from Python 3.7 onwards)
  • Terraform >= 0.12 (only for Terraform scanning; Dockerfile scanning is pure Python and does not need the terraform binary)

pip3 install checkov   -i http://pypi.douban.com/simple --trusted-host pypi.douban.com

One caveat about this install line: it fetches checkov over plain HTTP from a mirror and passes --trusted-host, which tells pip to skip certificate validation for that host. That is the same weakness checkov itself flags inside a Dockerfile as CKV2_DOCKER_4, so prefer the default HTTPS index (a plain pip3 install checkov) or an HTTPS mirror, so that the scanner you rely on cannot be swapped out in transit.

2.3 Running from the CLI

checkov -d . --framework dockerfile

-d . scans the current directory recursively; --framework dockerfile restricts the run to the Dockerfile checks, which also avoids the noise of every other framework. To scan a single file use -f Dockerfile instead of -d, and in CI add -o json for machine-readable output. checkov exits non-zero when any check fails unless --soft-fail is given, which is what makes it usable as a build gate.

2.4 Example output

# checkov -d . --framework dockerfile
[ dockerfile framework ]: 100%|████████████████████|[1/1], Current File Scanned=..\..\..\..\Dockerfile

       _               _
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V /
  \___|_| |_|\___|\___|_|\_\___/ \_/

By bridgecrew.io | version: 2.3.102
Update available 2.3.102 -> 2.3.121
Run pip3 install -U checkov to update


dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_11: "Ensure From Alias are unique for multistage builds."
        PASSED for resource: /Dockerfile.
        File: /Dockerfile:1-9
        Guide: https://docs.bridgecrew.io/docs/ensure-docker-from-alias-is-unique-for-multistage-builds
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
        PASSED for resource: /Dockerfile.
        File: /Dockerfile:1-9
        Guide: https://docs.bridgecrew.io/docs/ensure-the-base-image-uses-a-non-latest-version-tag
Check: CKV_DOCKER_9: "Ensure that APT isn't used"
        PASSED for resource: /Dockerfile.
        File: /Dockerfile:1-9
        Guide: https://docs.bridgecrew.io/docs/ensure-docker-apt-is-not-used
Check: CKV_DOCKER_5: "Ensure update instructions are not use alone in the Dockerfile"
        PASSED for resource: /Dockerfile.
        File: /Dockerfile:1-9
        Guide: https://docs.bridgecrew.io/docs/ensure-update-instructions-are-not-used-alone-in-the-dockerfile
Check: CKV_DOCKER_10: "Ensure that WORKDIR values are absolute paths"
        PASSED for resource: /Dockerfile.
        File: /Dockerfile:1-9
        Guide: https://docs.bridgecrew.io/docs/ensure-docker-workdir-values-are-absolute-paths
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
        PASSED for resource: /Dockerfile.HEALTHCHECK
        File: /Dockerfile:7-7
        Guide: https://docs.bridgecrew.io/docs/ensure-that-healthcheck-instructions-have-been-added-to-container-images
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
        PASSED for resource: /Dockerfile.USER
        File: /Dockerfile:8-8
        Guide: https://docs.bridgecrew.io/docs/ensure-that-a-user-for-the-container-has-been-created
Check: CKV2_DOCKER_14: "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_6: "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_12: "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_5: "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_7: "Ensure that packages with untrusted or missing signatures are not used by apk via the '--allow-untrusted' option"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_11: "Ensure that the '--force-yes' option is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_8: "Ensure that packages with untrusted or missing signatures are not used by apt-get via the '--allow-unauthenticated' option"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_13: "Ensure that certificate validation isn't disabled for npm or yarn by setting the option strict-ssl to false"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_4: "Ensure that certificate validation isn't disabled with the pip '--trusted-host' option"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_10: "Ensure that packages with untrusted or missing signatures are not used by rpm via the '--nodigest', '--nosignature', '--noverify', or '--nofiledigest' options"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_2: "Ensure that certificate validation isn't disabled with curl"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_3: "Ensure that certificate validation isn't disabled with wget"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_1: "Ensure that sudo isn't used"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV2_DOCKER_9: "Ensure that packages with untrusted or missing GPG signatures are not used by dnf, tdnf, or yum via the '--nogpgcheck' option"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4
Check: CKV_DOCKER_1: "Ensure port 22 is not exposed"
        FAILED for resource: /Dockerfile.EXPOSE
        File: /Dockerfile:6-6
        Guide: https://docs.bridgecrew.io/docs/ensure-port-22-is-not-exposed

                6 | EXPOSE 3000 22

Check: CKV_DOCKER_8: "Ensure the last USER is not root"
        FAILED for resource: /Dockerfile.USER
        File: /Dockerfile:8-8
        Guide: https://docs.bridgecrew.io/docs/ensure-the-last-user-is-not-root

                8 | USER root

3. hadolint

GitHub - hadolint/hadolint: a Dockerfile linter written in Haskell that also validates the inline shell in RUN instructions (via ShellCheck)

3.1 Online version

Dockerfile Linter (hadolint.github.io)

3.2 Dockerfile (the same file as in section 2.1)

FROM node:alpine
WORKDIR /usr/src/app
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000 22
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
USER root
CMD ["node","app.js"]

3.3 Running in a container (the Dockerfile is passed on stdin, which is why -i is needed)

docker run --rm -i hadolint/hadolint < Dockerfile
# OR
docker run --rm -i ghcr.io/hadolint/hadolint < Dockerfile

3.4 Installing and running on CentOS

[root@ops-pinpoint-123 tmp]# wget https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64
[root@ops-pinpoint-123 tmp]# chmod +x hadolint-Linux-x86_64
[root@ops-pinpoint-123 tmp]# ./hadolint-Linux-x86_64 /root/Dockerfile
/root/Dockerfile:8 DL3002 warning: Last USER should not be root

The binary is not on PATH, so it has to be invoked as ./hadolint-Linux-x86_64 (or moved to /usr/local/bin/hadolint). Since this is an executable pulled straight from a GitHub release, compare its SHA-256 against the checksum published alongside the release before running it.

hadolint's findings come from its own rule set (DL rules, plus SC rules from ShellCheck for the shell inside RUN), which overlaps with checkov's policies but is not identical to them.

4. Comparison

The Dockerfile checked in both runs is identical, yet the information the two tools return differs.

hadolint reports only the USER root problem (DL3002). checkov reports USER root as well (CKV_DOCKER_8) and additionally the exposed port 22 (CKV_DOCKER_1): port 22 is the conventional SSH port and has no business being exposed by a container image. Note that EXPOSE is only metadata and does not publish a port by itself; what the finding really signals is an intent to run sshd inside the container, which should be replaced by docker exec or kubectl exec. Both tools are static linters of the Dockerfile text; neither looks at the packages inside the built image, so they complement image vulnerability scanning rather than replace it.
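To make concrete what the two failing checks from sections 2.4 and 3.4 actually test, here is an added, self-contained Python re-implementation of the logic behind CKV_DOCKER_1, CKV_DOCKER_8 and hadolint's DL3002, written for this page; it is not checkov's or hadolint's source code and does not import either tool, and the rule IDs are reused only as labels. It parses the Dockerfile into instructions (joining backslash continuations and dropping comments), flags any EXPOSE that lists port 22 under any protocol, and checks the last USER of the final build stage, treating root, uid 0 and the root:group forms as root and a missing USER as the implicit root default. The misconfigured Dockerfile from section 2.1 is embedded as sample input together with a constructed remediation of it (an assumption of this example: pinned base tag, port 22 dropped, the image's unprivileged node user, and a busybox wget health check since node:alpine has no curl).

```python
"""Illustrative re-implementation of the two checks that failed above
(checkov CKV_DOCKER_1 / CKV_DOCKER_8, hadolint DL3002). Added example for this
page; not checkov's or hadolint's own source code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: the misconfigured Dockerfile from section 2.1.
BAD_DOCKERFILE = """\
FROM node:alpine
WORKDIR /usr/src/app
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000 22
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
USER root
CMD ["node","app.js"]
"""

# Constructed remediation (an assumption of this example, not from the page):
# pinned base tag, no port 22, busybox wget for the health check because
# node:alpine ships no curl, and the unprivileged 'node' user the image creates.
FIXED_DOCKERFILE = """\
FROM node:20-alpine
WORKDIR /usr/src/app
COPY package*.json ./
RUN npm ci --omit=dev
COPY . .
EXPOSE 3000
HEALTHCHECK CMD wget -q --spider http://localhost:3000/ || exit 1
USER node
CMD ["node", "app.js"]
"""

# 'root', uid 0, and the 'root:group' / '0:gid' forms all mean root.
ROOT_USER = re.compile(r"^(root|0)(:|$)")


@dataclass
class Instruction:
    line: int   # line number of the instruction's first physical line
    name: str   # keyword, upper-cased ("FROM", "EXPOSE", ...)
    value: str  # everything after the keyword, continuations joined


def parse_dockerfile(text: str) -> list[Instruction]:
    """Split a Dockerfile into instructions; joins backslash continuations and
    skips blank and '#' lines, also inside a continuation, as Docker does."""
    instructions: list[Instruction] = []
    buf: list[str] = []
    start = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not buf:
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        parts = " ".join(buf).split(None, 1)
        instructions.append(Instruction(start, parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf = []
    return instructions


def exposed_port_22(instrs: list[Instruction]) -> list[int]:
    """CKV_DOCKER_1: lines of every EXPOSE naming port 22 (22, 22/tcp, 22/udp)."""
    return [ins.line for ins in instrs if ins.name == "EXPOSE"
            and any(p.split("/", 1)[0] == "22" for p in ins.value.split())]


def last_user_is_root(instrs: list[Instruction]) -> tuple[bool, int | None]:
    """CKV_DOCKER_8 / DL3002: does the final build stage end up running as root?
    USER lines of earlier stages do not reach the image, so only the stage after
    the last FROM counts; no USER at all means the Docker default, root."""
    last_from = max((i for i, ins in enumerate(instrs) if ins.name == "FROM"), default=-1)
    users = [ins for ins in instrs[last_from + 1:] if ins.name == "USER"]
    if not users:
        return True, None
    return bool(ROOT_USER.match(users[-1].value)), users[-1].line


def scan(text: str) -> list[tuple[str, int | None, str]]:
    """Run both checks; returns (check_id, line, message) tuples in file order."""
    instrs = parse_dockerfile(text)
    findings: list[tuple[str, int | None, str]] = []
    for line in exposed_port_22(instrs):
        findings.append(("CKV_DOCKER_1", line, "Ensure port 22 is not exposed"))
    is_root, line = last_user_is_root(instrs)
    if is_root:
        findings.append(("CKV_DOCKER_8", line, "Ensure the last USER is not root"))
    return sorted(findings, key=lambda f: f[1] or 0)
```

scan(BAD_DOCKERFILE) reports the same two lines the real tools did (EXPOSE on line 6, USER on line 8) and scan(FIXED_DOCKERFILE) reports nothing. The multi-stage handling is the part worth copying: a build stage that sets USER builder followed by a final stage with no USER still ships an image that runs as root, and a check that merely looks at the last USER anywhere in the file would miss it.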
