
Container Security: Dockerfile Security Scanning

Source: 博客园



1. Dockerfile scanning tools

  • checkov
  • hadolint (lints Dockerfiles against best practices for building Docker images)
  • docker scan is another option worth considering

2. checkov

Dockerfile Configuration Scanning - checkov

checkov can scan not only Dockerfiles but also CloudFormation, AWS SAM, Kubernetes, Helm charts, Kustomize, container images and more.

Checkov supports policy evaluation for Dockerfile files. When you use checkov to scan a directory that contains a Dockerfile, it verifies that the file follows Docker best practices, such as not running as the root user, ensuring a health check is present, and not exposing the SSH port.

The full list of Dockerfile policy checks can be found here.

2.1 Example of a misconfigured Dockerfile

FROM node:alpine
WORKDIR /usr/src/app
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000 22
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
USER root
CMD ["node","app.js"]

2.2 Installation

Requirements

  • Python >= 3.7 (Data classes are available for Python 3.7+)
  • Terraform >= 0.12
Install with pip3 (the author points pip at the Douban mirror over plain HTTP with --trusted-host; note that this is the same certificate-validation bypass that checkov's CKV2_DOCKER_4 check flags inside a Dockerfile, so prefer an HTTPS index where one is available):

pip3 install checkov   -i http://pypi.douban.com/simple --trusted-host pypi.douban.com

2.3 Running from the CLI

checkov -d . --framework dockerfile

2.4 Example output

# checkov -d . --framework dockerfile
[ dockerfile framework ]: 100%|████████████████████|[1/1], Current File Scanned=..\..\..\..\Dockerfile

       _               _
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V /
  \___|_| |_|\___|\___|_|\_\___/ \_/

By bridgecrew.io | version: 2.3.102
Update available 2.3.102 -> 2.3.121
Run pip3 install -U checkov to update

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_11: "Ensure From Alias are unique for multistage builds."
        PASSED for resource: /Dockerfile.
        File: /Dockerfile:1-9
        Guide: https://docs.bridgecrew.io/docs/ensure-docker-from-alias-is-unique-for-multistage-builds

Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
        PASSED for resource: /Dockerfile.
        File: /Dockerfile:1-9
        Guide: https://docs.bridgecrew.io/docs/ensure-the-base-image-uses-a-non-latest-version-tag

Check: CKV_DOCKER_9: "Ensure that APT isn't used"
        PASSED for resource: /Dockerfile.
        File: /Dockerfile:1-9
        Guide: https://docs.bridgecrew.io/docs/ensure-docker-apt-is-not-used

Check: CKV_DOCKER_5: "Ensure update instructions are not use alone in the Dockerfile"
        PASSED for resource: /Dockerfile.
        File: /Dockerfile:1-9
        Guide: https://docs.bridgecrew.io/docs/ensure-update-instructions-are-not-used-alone-in-the-dockerfile

Check: CKV_DOCKER_10: "Ensure that WORKDIR values are absolute paths"
        PASSED for resource: /Dockerfile.
        File: /Dockerfile:1-9
        Guide: https://docs.bridgecrew.io/docs/ensure-docker-workdir-values-are-absolute-paths

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
        PASSED for resource: /Dockerfile.HEALTHCHECK
        File: /Dockerfile:7-7
        Guide: https://docs.bridgecrew.io/docs/ensure-that-healthcheck-instructions-have-been-added-to-container-images

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
        PASSED for resource: /Dockerfile.USER
        File: /Dockerfile:8-8
        Guide: https://docs.bridgecrew.io/docs/ensure-that-a-user-for-the-container-has-been-created

Check: CKV2_DOCKER_14: "Ensure that certificate validation isn't disabled for git by setting the environment variable "GIT_SSL_NO_VERIFY" to any value"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4

Check: CKV2_DOCKER_6: "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4

Check: CKV2_DOCKER_12: "Ensure that certificate validation isn't disabled for npm via the "NPM_CONFIG_STRICT_SSL" environmnet variable"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4

Check: CKV2_DOCKER_5: "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4

Check: CKV2_DOCKER_7: "Ensure that packages with untrusted or missing signatures are not used by apk via the "--allow-untrusted" option"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4

Check: CKV2_DOCKER_11: "Ensure that the "--force-yes" option is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4

Check: CKV2_DOCKER_8: "Ensure that packages with untrusted or missing signatures are not used by apt-get via the "--allow-unauthenticated" option"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4

Check: CKV2_DOCKER_13: "Ensure that certificate validation isn't disabled for npm or yarn by setting the option strict-ssl to false"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4

Check: CKV2_DOCKER_4: "Ensure that certificate validation isn't disabled with the pip "--trusted-host" option"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4

Check: CKV2_DOCKER_10: "Ensure that packages with untrusted or missing signatures are not used by rpm via the "--nodigest", "--nosignature", "--noverify", or "--nofiledigest" options"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4

Check: CKV2_DOCKER_2: "Ensure that certificate validation isn't disabled with curl"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4

Check: CKV2_DOCKER_3: "Ensure that certificate validation isn't disabled with wget"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4

Check: CKV2_DOCKER_1: "Ensure that sudo isn't used"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4

Check: CKV2_DOCKER_9: "Ensure that packages with untrusted or missing GPG signatures are not used by dnf, tdnf, or yum via the "--nogpgcheck" option"
        PASSED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4

Check: CKV_DOCKER_1: "Ensure port 22 is not exposed"
        FAILED for resource: /Dockerfile.EXPOSE
        File: /Dockerfile:6-6
        Guide: https://docs.bridgecrew.io/docs/ensure-port-22-is-not-exposed

                6 | EXPOSE 3000 22

Check: CKV_DOCKER_8: "Ensure the last USER is not root"
        FAILED for resource: /Dockerfile.USER
        File: /Dockerfile:8-8
        Guide: https://docs.bridgecrew.io/docs/ensure-the-last-user-is-not-root

                8 | USER root

3. hadolint

GitHub - hadolint/hadolint: Dockerfile linter, validate inline bash, written in Haskell

3.1 Online site

Dockerfile Linter (hadolint.github.io)

3.2 Dockerfile

FROM node:alpine
WORKDIR /usr/src/app
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000 22
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
USER root
CMD ["node","app.js"]

3.3 Running as a container

docker run --rm -i hadolint/hadolint < Dockerfile
# OR
docker run --rm -i ghcr.io/hadolint/hadolint < Dockerfile

3.4 Installing and running on CentOS

[root@ops-pinpoint-123 tmp]# wget https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64
[root@ops-pinpoint-123 tmp]# chmod +x hadolint-Linux-x86_64
[root@ops-pinpoint-123 tmp]# hadolint-Linux-x86_64 ./Dockerfile
[root@ops-pinpoint-123 tmp]# ./hadolint-Linux-x86_64  /root/Dockerfile
/root/Dockerfile:8 DL3002 warning: Last USER should not be root

As we can see, hadolint's findings are based on its own specific rule set and best practices.

4. Comparison of the two tools

The Dockerfile we checked was the same in both cases, yet the information the two tools report differs somewhat.

hadolint detected the USER root problem. checkov detected not only the USER root problem but also the exposed port 22. Port 22 is normally the port we use for SSH, and a container image should not expose it either.
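As an added example (not checkov's or hadolint's own code), the following Python re-implements the two checks that failed above, CKV_DOCKER_1 (port 22 exposed) and CKV_DOCKER_8 (last USER is root), plus CKV_DOCKER_3 for a Dockerfile with no USER at all, and runs them over the article's Dockerfile and over a hardened variant constructed here. It also handles cases the article's file does not exercise: backslash line continuations, `/tcp` port suffixes, and `USER 0:0` style uid/gid forms.

```python
# The article's misconfigured Dockerfile, embedded here as a constructed string.
BAD_DOCKERFILE = """\
FROM node:alpine
WORKDIR /usr/src/app
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000 22
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
USER root
CMD ["node","app.js"]
"""

# Hardened variant (constructed for this example): no SSH port, final USER is unprivileged.
GOOD_DOCKERFILE = BAD_DOCKERFILE.replace("EXPOSE 3000 22", "EXPOSE 3000").replace(
    "USER root", "RUN adduser -D app && chown -R app /usr/src/app\nUSER app")


def parse_instructions(text):
    """Return [(line_no, INSTRUCTION, args)]; joins backslash continuations, skips comments."""
    out, buf, start = [], "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = no                      # line where this instruction begins
        if line.endswith("\\"):             # continuation: keep accumulating
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1)
        out.append((start, parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf = ""
    return out


def scan(text):
    """Return finding strings mirroring CKV_DOCKER_1, CKV_DOCKER_8 and CKV_DOCKER_3."""
    instrs = parse_instructions(text)
    findings = []
    for no, ins, args in instrs:
        # EXPOSE may list several ports, each optionally suffixed with /tcp or /udp
        if ins == "EXPOSE" and any(p.split("/")[0] == "22" for p in args.split()):
            findings.append(f"{no}: CKV_DOCKER_1 port 22 is exposed (EXPOSE {args})")
    users = [(no, args) for no, ins, args in instrs if ins == "USER"]
    if not users:
        findings.append("CKV_DOCKER_3 no USER instruction: the container runs as root")
    elif users[-1][1].split(":")[0] in ("root", "0"):   # name or uid, optional :group
        findings.append(f"{users[-1][0]}: CKV_DOCKER_8 last USER is root (USER {users[-1][1]})")
    return findings
```

Only the last USER in the file counts, which is why the hardened variant drops privileges at the end rather than anywhere earlier.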
