goodwithtech / dockle Goto Github PK

View Code? Open in Web Editor NEW

2.7K 2.7K 135.0 6.32 MB

Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start

Home Page: https://containers.goodwith.tech/

License: Apache License 2.0

Go 99.35% Dockerfile 0.65%

containers docker go golang kubernetes linter security security-audit security-tools vulnerability

dockle's People

Contributors

Stargazers

Watchers

Forkers

keinos d1pakda5 kidmam hmilkovi leaanthony withnic stephanmeijer kotakanbe chlangjou shosta tomoyamachi trendingtechnology taka-hatakeyama acumenix ssmbcloud max-wittig mwmfund dolftax rvirus0817 sethips poeblu k-ayano isgasho karandpr bassemmagdy vvalorous kato-hiro xucaiyong swipswaps fixl lastravex pombredanne rmkanda 02bx pilgrim2go tolidano lorenzleutgeb bollwarm sepiros62 ravi102465 variableexp0rt diokhancze kabilan1290 sadpdtchr portshift datoma maxpeal shimada-toy-box kokizzu steven-zou erwinkersten mt-pooh shubhambhargava oooh-name franklinharry matsumotosyu bugwrangler alainlompo thesattiraju fragaly dwtcourses firebuggirl sfish223 akingscote fukubaka0825 habakke hhlp derekhjray amanhardikar masayatahara cqr-cryeye-forks vishnudxb mathew-fleisch petermosmans mattew16 doytsujin vwasthename fjsnogueira rbouikila owenrumney developer-guy moisestapia unthoiz craftyc0der lior-orca sharpboy2008 hammerhead-phl brinhosa trietminh rajkrishnamurthy massongit varas security-champions-beta qequ ru5j4r0 slashtec regmarmcem kynefuk shashankhacker730 rodriguez-miguel-angel

dockle's Issues

improve phrasing

I'm not familiar with English.
So I wanna fix incorrect phrases at README and messages.

Please PR me😄

exit code should support a level to exit on

Description

Exit-code should support an error level as well as exit code.

If exit-code is set to 1, it should have a level that will exit 1 on. Currently Info will exit 1 if exit-code is set, Ideally you could set the level so if i want WARN or greater then I would set --exit-code=1 --exit-level=warn, or if i only wanted to exit on fatal, exit-level would be set to fatal.

Host the dockle Docker image on GitHub Container Registry

You currently host an image for dockle on Docker Hub. It would be nice if you also hosted it on GitHub Container Registry. I want to use dockle inside a GitHub Actions pipeline, and it will be faster to download the container image if the image is hosted on GitHub in the first place.

Support Linuxbrew

As homebrew now supports Linux environment, it'd be better to distribute linux bin on brew as well ._.

Scratch image scan reports DKL-LI-0001: Avoid empty password

Description

Running a Dockle scan on a simple SCRATCH image reports a CVE for Alpine

What did you expect to happen?

Expected successful run without issue being reported

What happened instead?

FATAL   - DKL-LI-0001: Avoid empty password

Output of run with -debug:

2019-11-21T13:57:11.033-0700    DEBUG   There is no .dockleignore file
2019-11-21T13:57:11.034-0700    DEBUG   Fetch latest version from github
2019-11-21T13:57:11.219-0700    DEBUG   Start assessments...
2019-11-21T13:57:11.225-0700    DEBUG   Start scan : password files
2019-11-21T13:57:11.225-0700    DEBUG   Start scan : /etc/passwd
2019-11-21T13:57:11.225-0700    DEBUG   Start scan : /etc/group
2019-11-21T13:57:11.225-0700    DEBUG   Start scan : /etc/hosts
2019-11-21T13:57:11.225-0700    DEBUG   Start scan : credential files
2019-11-21T13:57:11.225-0700    DEBUG   Scan start : config file
2019-11-21T13:57:11.226-0700    DEBUG   Scan start : DOCKER_CONTENT_TRUST
2019-11-21T13:57:11.226-0700    DEBUG   Start scan : cache files
2019-11-21T13:57:11.226-0700    DEBUG   End assessments...
FATAL   - DKL-LI-0001: Avoid empty password
        *
INFO    - CIS-DI-0005: Enable Content trust for Docker
        * export DOCKER_CONTENT_TRUST=1 before docker pull/build

Output of dockle -v:

dockle version 0.2.3

Additional details (base image name, container registry info...):

Dockerfile:

FROM scratch
COPY etc/ /etc/
USER myuser
HEALTHCHECK NONE

etc/group:

nogroup:x:65534:myuser

etc/passwd:

myuser:x:65534:65534::/dev/null:/bin/false

Allow ADD with getting files from a URL

Description

FATAL	- CIS-DI-0009: Use COPY instead of ADD in Dockerfile
	* Use COPY : ADD https://github.com/jwilder/docker-gen/releases/download/0.7.4/docker-gen-linux-amd64-0.7.4.tar.gz /tmp/
	* Use COPY : ADD https://github.com/just-containers/s6-overlay/releases/download/v1.22.1.0/s6-overlay-amd64.tar.gz /tmp/
	* Use COPY : ADD https://raw.githubusercontent.com/diafygi/acme-tiny/5350420d35177eda733d85096433a24e55f8d00e/acme_tiny.py /bin/acme_tiny

This case ADD must be used.

What did you expect to happen?

What happened instead?

Output of run with -debug:

(paste your output here)

Output of dockle -v:

(paste your output here)

Additional details (base image name, container registry info...):

Base image size lint

One of my personal pet-peeves is images using FROM ubuntu, since this image usually contains far more than its dependant could even think to use and seriously clogs up /var in disk-size restrained environments.

While this is hard to detect when included transitively, and of course not always a mistake, I'd argue that it is bad practice to use large dependency images when not necessary. This is easily overlooked, especially by newcomers. Many base images even support alpine tags that should almost always be used, but are rarely the default.

This is also in line with some of the other suggested lints, which suggest installing only "necessary" packages, a rule that is almost always broken simply by depending on the ubuntu image.

Maybe it would be feasible to detect when a base image is larger than, say, 100MB, possibly by checking with a registry/local docker daemon/podman at run time?

Is HEALTHCHECK really necessary?

In the Docker Best practices document, I could not find any instructions about HEALTHCHECK.

I understand how it works and I know it is useful in some ways, but I don't think it is "essential".

I think WARNING would be good instead of FATAL.

In what point did you define the classification? :)

Upgrading to v0.3.1 Results in Fatal Error

Description

After upgrading from v0.2.4 to v0.3.1 we recieve a FATAL error when running dockle.

What did you expect to happen?
I expected dockle to work as it currently does with v0.2.4.

What happened instead?

I recieved the following error:

circleci@c22b8c7913dd:~$ dockle $REDACTED
2020-08-17T12:33:56.018Z	FATAL	unable to initialize a image struct: failed to initialize source: Error reading manifest latest in docker.io/library/$REDACTED: errors:
denied: requested access to the resource is denied
unauthorized: authentication required

Output of run with -debug:

circleci@c22b8c7913dd:~$ dockle -debug $REDACTED
2020-08-17T12:46:28.803Z	DEBUG	There is no .dockleignore file
2020-08-17T12:46:28.803Z	DEBUG	Fetch latest version from github
2020-08-17T12:46:33.872Z	DEBUG	Start assessments...
2020-08-17T12:46:33.917Z	FATAL	unable to initialize a image struct:
    github.com/goodwithtech/deckoder/extractor/docker.newDockerExtractor
        /go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/docker/docker.go:73
  - failed to initialize source:
    github.com/goodwithtech/deckoder/extractor/image.NewImage
        /go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/image/image.go:86
  - errors:
    denied: requested access to the resource is denied
    unauthorized: authentication required

    Error reading manifest latest in docker.io/library/$REDACTED
    github.com/containers/image/v5/docker.(*dockerImageSource).fetchManifest
    	/go/pkg/mod/github.com/containers/image/[email protected]/docker/docker_image_src.go:157
    github.com/containers/image/v5/docker.(*dockerImageSource).ensureManifestIsLoaded
    	/go/pkg/mod/github.com/containers/image/[email protected]/docker/docker_image_src.go:183
    github.com/containers/image/v5/docker.newImageSource
    	/go/pkg/mod/github.com/containers/image/[email protected]/docker/docker_image_src.go:87
    github.com/containers/image/v5/docker.dockerReference.NewImageSource
    	/go/pkg/mod/github.com/containers/image/[email protected]/docker/docker_transport.go:144
    github.com/goodwithtech/deckoder/extractor/image.newSource
    	/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/image/image.go:109
    github.com/goodwithtech/deckoder/extractor/image.NewImage
    	/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/image/image.go:84
    github.com/goodwithtech/deckoder/extractor/docker.newDockerExtractor
    	/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/docker/docker.go:71
    github.com/goodwithtech/deckoder/extractor/docker.NewDockerExtractor
    	/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/docker/docker.go:57
    github.com/goodwithtech/dockle/pkg/scanner.ScanImage
    	/go/src/github.com/goodwithtech/dockle/pkg/scanner/scan.go:30
    github.com/goodwithtech/dockle/pkg.Run
    	/go/src/github.com/goodwithtech/dockle/pkg/run.go:71
    github.com/urfave/cli.HandleAction
    	/go/pkg/mod/github.com/urfave/[email protected]/app.go:523
    github.com/urfave/cli.(*App).Run
    	/go/pkg/mod/github.com/urfave/[email protected]/app.go:285
    main.main
    	/go/src/github.com/goodwithtech/dockle/cmd/dockle/main.go:107
    runtime.main
    	/usr/local/go/src/runtime/proc.go:203
    runtime.goexit
    	/usr/local/go/src/runtime/asm_amd64.s:1357
circleci@c22b8c7913dd:~$

Output of dockle -v:

dockle version 0.3.1

Additional details (base image name, container registry info...):

I redacted the name of our built container, the container is built on the local instance and visable when running docker images. The container is pushed to Amazons ECR but this only happens after Dockle is run.

We don't have any issues running Dockle against other images on the same instance, it runs find against an official redis container.

If you need any additional info or want me to test something please let me know.

CIS-DI-0007 is not a correct option for apt-get

Description

It says Do not use update instructions such as apt-get update alone or in a single line in the Dockerfile. but in fact there's no such an option for apt-get command.

# apt-get update --no-cache
E: Command line option --no-cache is not understood in combination with the other options

Maybe you're talking about apk command for Alpine?

What did you expect to happen?

What happened instead?

Output of run with -debug:

(paste your output here)

Output of guard -v:

(paste your output here)

Additional details (base image name, container registry info...):

Support TCP for CircleCI

Allocating a remote Docker Engine
Specified using docker layer caching, but build has not been whitelisted.
Contact CircleCI to be whitelisted

Assigned Docker Engine request id: 1234567
  provisioning: ......
Remote Docker engine created. Using VM 'default-UUID'
Created container accessible with:
  DOCKER_CERT_PATH=/tmp/docker-certs1234567
  DOCKER_HOST=tcp://<IP>:2376
  DOCKER_MACHINE_NAME=1234567
  DOCKER_TLS_VERIFY=1
  NO_PROXY=127.0.0.1,localhost,circleci-internal-outer-build-agent,<IP>:2376

Please, not only support UNIX sockets but do support TCP as well.

Scan fails when dockle is called inside from a shell script

TL;DR

On macOS, when dockle command is called inside a shell script, the scan fails as below, but running the same command directly in the terminal dockle analyzes perfectly.

FATAL	failed scan <my_image>:<my_tag>: %!w(<nil>):

Description

I have a simple shell script such as below, which builds the docker image then calls dockle to analyze it. (The Docker container simply echoes "Hello World")

#!/bin/sh
# - Script Name: build.sh

export DOCKER_CONTENT_TRUST=1 && \
docker build --no-cache -t my_image:my_test . && \
dockle --debug --clear-cache my_image:my_test

The above shell script fails in the last line which dockle is called. But running the last command directly like below, it works.

$ dockle --debug --clear-cache my_image:my_test

What did you expect to happen?

Same result of running directly in the shell.

What happened instead?

Fails to scan image if dockle is called inside the shell script.

Output of run with -debug:

2019-06-13T12:05:39.979+0900	DEBUG	Fetch latest version from github
2019-06-13T12:05:41.007+0900	WARN	A new version v0.1.1 is now available! You have v0.0.18.
2019-06-13T12:05:41.007+0900	INFO	Removing image caches...
2019-06-13T12:05:41.008+0900	DEBUG	Start assessments...
2019-06-13T12:05:41.233+0900	DEBUG	Start scan : password files
2019-06-13T12:05:41.233+0900	DEBUG	Start scan : /etc/passwd
2019-06-13T12:05:41.233+0900	DEBUG	Start scan : /etc/group
2019-06-13T12:05:41.233+0900	DEBUG	Start scan : /etc/hosts
2019-06-13T12:05:41.233+0900	DEBUG	Start scan : credential files
2019-06-13T12:05:41.233+0900	DEBUG	Scan start : config file
2019-06-13T12:05:41.233+0900	DEBUG	Scan start : DOCKER_CONTENT_TRUST
2019-06-13T12:05:41.234+0900	FATAL	failed scan my_image:my_test: %!w(<nil>):
    github.com/goodwithtech/dockle/pkg/scanner.ScanImage
        /go/src/github.com/goodwithtech/dockle/pkg/scanner/scan.go:53

Output of guard -v:

How to produce the error:

I made a repo to produce the error.
- Sample_Dockle @ GitHub

Additional details (base image name, container registry info...):

It seems that assessor.GetAssessments() is not returning the assessments right when the image_name was given in the shell script.

ENV INFO

Dockle Version: v0.0.18
Host OS: macOS Mojave (OSX 10.14.5, darwin/amd64)
/bin/sh --version: GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin18)
Docker Engine: v18.09.0 (Community Version)
Base Image: alpine:latest
Dockerfile

RESULT DETAILS

Results of running via shell script. (See source of build.sh)

$ ./build.sh
Sending build context to Docker daemon   76.8kB
Step 1/6 : FROM alpine@sha256:769fddc7cc2f0a1c35abb2f91432e8beecf83916c421420e6a6da9f8975464b6
 ---> 055936d39205
Step 2/6 : COPY src /app
 ---> 886b6c29e463
Step 3/6 : RUN addgroup appgroup &&     adduser -S dockle appgroup
 ---> Running in edea519fb364
Removing intermediate container edea519fb364
 ---> 1f08283aea47
Step 4/6 : HEALTHCHECK --interval=1h --timeout=15s --start-period=5s --retries=2 CMD [ "/app/healthcheck.sh" ]
 ---> Running in 584193c4ada6
Removing intermediate container 584193c4ada6
 ---> 76975fea7a9a
Step 5/6 : CMD [ "/app/hello-world.sh" ]
 ---> Running in d6ee59afa44a
Removing intermediate container d6ee59afa44a
 ---> 2c75e3edfb9e
Step 6/6 : USER dockle
 ---> Running in bdcb1d4f926b
Removing intermediate container bdcb1d4f926b
 ---> 4481ee34427e
Successfully built 4481ee34427e
Successfully tagged my_image:my_test
Tagging alpine@sha256:769fddc7cc2f0a1c35abb2f91432e8beecf83916c421420e6a6da9f8975464b6 as alpine:latest
2019-06-13T12:34:07.573+0900	DEBUG	Fetch latest version from github
2019-06-13T12:34:08.455+0900	WARN	A new version v0.1.1 is now available! You have v0.0.18.
2019-06-13T12:34:08.455+0900	INFO	Removing image caches...
2019-06-13T12:34:08.456+0900	DEBUG	Start assessments...
2019-06-13T12:34:08.686+0900	DEBUG	Start scan : password files
2019-06-13T12:34:08.686+0900	DEBUG	Start scan : /etc/passwd
2019-06-13T12:34:08.686+0900	DEBUG	Start scan : /etc/group
2019-06-13T12:34:08.686+0900	DEBUG	Start scan : /etc/hosts
2019-06-13T12:34:08.686+0900	DEBUG	Start scan : credential files
2019-06-13T12:34:08.686+0900	DEBUG	Scan start : config file
2019-06-13T12:34:08.687+0900	DEBUG	Scan start : DOCKER_CONTENT_TRUST
2019-06-13T12:34:08.687+0900	FATAL	failed scan my_image:my_test: %!w(<nil>):
    github.com/goodwithtech/dockle/pkg/scanner.ScanImage
        /go/src/github.com/goodwithtech/dockle/pkg/scanner/scan.go:53
$ 
$ echo $?
1

Results running via shell command

$ # Same command in the shell script
$ dockle --debug --clear-cache my_image:my_test
2019-06-13T12:45:35.765+0900	DEBUG	Fetch latest version from github
2019-06-13T12:45:36.792+0900	WARN	A new version v0.1.1 is now available! You have v0.0.18.
2019-06-13T12:45:36.792+0900	INFO	Removing image caches...
2019-06-13T12:45:36.793+0900	DEBUG	Start assessments...
2019-06-13T12:45:37.043+0900	DEBUG	Start scan : password files
2019-06-13T12:45:37.043+0900	DEBUG	Start scan : /etc/passwd
2019-06-13T12:45:37.043+0900	DEBUG	Start scan : /etc/group
2019-06-13T12:45:37.043+0900	DEBUG	Start scan : /etc/hosts
2019-06-13T12:45:37.043+0900	DEBUG	Start scan : credential files
2019-06-13T12:45:37.043+0900	DEBUG	Scan start : config file
2019-06-13T12:45:37.043+0900	DEBUG	Scan start : DOCKER_CONTENT_TRUST
2019-06-13T12:45:37.043+0900	DEBUG	End assessments...
2019-06-13T12:45:37.043+0900	DEBUG	There is no .dockleignore file
PASS	- CIS-DI-0001: Create a user for the container
WARN	- CIS-DI-0005: Enable Content trust for Docker
	* export DOCKER_CONTENT_TRUST=1 before docker pull/build
PASS	- CIS-DI-0006: Add HEALTHCHECK instruction to the container image
PASS	- CIS-DI-0007: Do not use update instructions alone in the Dockerfile
PASS	- CIS-DI-0008: Remove setuid and setgid permissions in the images
PASS	- CIS-DI-0009: Use COPY instead of ADD in Dockerfile
PASS	- CIS-DI-0010: Do not store secrets in ENVIRONMENT variables
PASS	- CIS-DI-0010: Do not store secret files
PASS	- DKL-DI-0001: Avoid sudo command
PASS	- DKL-DI-0002: Avoid sensitive directory mounting
PASS	- DKL-DI-0003: Avoid apt-get/apk/dist-upgrade
PASS	- DKL-DI-0004: Use apk add with --no-cache
PASS	- DKL-DI-0005: Clear apt-get caches
PASS	- DKL-DI-0006: Avoid latest tag
PASS	- DKL-LI-0001: Avoid empty password
PASS	- DKL-LI-0002: Be unique UID
PASS	- DKL-LI-0002: Be unique GROUP
$
$ echo $?
0

DKL-DI-0003 should be removed

The best practice of avoiding apt-get upgrade in Dockerfile has been removed from Docker's documentation. Dockle should also remove this check by default.

https://github.com/goodwithtech/dockle/blob/master/CHECKPOINT.md#dkl-di-0003

Hadolint has already removed this check. Please see the discussion in the following link.

docker/docs#12571
hadolint/hadolint#562

Pass input via standard input

I'd like to be able to do:

docker save ${IMAGE} | dockle --input /dev/stdin

docker save ${IMAGE} | dockle --input -

you get the idea...

it fails to parse gitlab-ci repository local images

Description
it fails to parse gitlab-ci repository local images.

container_linting:
  stage: deploy
  image: docker:stable
  variables:
    DOCKER_DRIVER: overlay2
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
    - docker pull ${IMAGE_TAG}
    - VERSION=$(wget -q "https://api.github.com/repos/goodwithtech/dockle/releases/latest" -O - | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - docker run --rm goodwithtech/dockle:v${VERSION} -debug -f json ${IMAGE_TAG} > container-linting-report.json
  artifacts:
    paths: [container-linting-report.json]

What did you expect to happen?
It should find the local image.

What happened instead?
2019-12-24T18:23:12.094Z FATAL failed to analyze image: &{%!w(string=failed to extract files: &{%!w(string=failed to fetch manifest: &{%!w(string=error unmarshalling content: invalid character '<' looking for beginning of value)})})}

Output of run with -debug:

none

Output of dockle -v:

dockle version dev

Additional details (base image name, container registry info...):

$ docker image ls
REPOSITORY                                                  TAG                 IMAGE ID            CREATED             SIZE
git.xxxxxx.com:4567/emanuelelevo/gitlab-templates/emanuelelevo   docker-template     da293e8e44e8        52 seconds ago      121MB
$ echo $IMAGE_TAG
git.xxxxxx.com:4567/emanuelelevo/gitlab-templates/emanuelelevo:docker-template
$ docker run --rm goodwithtech/dockle:v${VERSION} ${IMAGE_TAG}
2019-12-24T18:23:12.094Z	FATAL	failed to analyze image: &{%!w(string=failed to extract files: &{%!w(string=failed to fetch manifest: &{%!w(string=error unmarshalling content: invalid character '<' looking for beginning of value)})})}

`--insecure` option does not work

Description

dockle's usage explains that insecure connection to the registry is possible by specifying the --insecure option.
However, the --insecure option does not provide an insecure connection.

What did you expect to happen?
Insecure connection shall be possible by specifying --insecure options.

What happened instead?

The --insecure option does not result in an insecure connection.

$ dockle --insecure $REDACTED
2021-02-01T08:47:34.137Z        FATAL   unable to initialize a image struct: failed to initialize source: error pinging docker registry $REDACTED: Get https://$REDACTED/v2/: x509: certificate signed by unknown authority

Output of run with -debug:

$ dockle --debug --insecure $REDACTED
2021-02-01T08:26:24.777Z        DEBUG   Add new ignore code: CIS-DI-0006
2021-02-01T08:26:24.777Z        DEBUG   Fetch latest version from github
2021-02-01T08:26:25.451Z        DEBUG   Start assessments...
2021-02-01T08:26:25.466Z        FATAL   unable to initialize a image struct:
    github.com/goodwithtech/deckoder/extractor/docker.newDockerExtractor
        /go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/docker/docker.go:73
  - failed to initialize source:
    github.com/goodwithtech/deckoder/extractor/image.NewImage
        /go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/image/image.go:86
  - Get https://$REDACTED/v2/: x509: certificate signed by unknown authority
    error pinging docker registry $REDACTED
    github.com/containers/image/v5/docker.(*dockerClient).detectPropertiesHelper
        /go/pkg/mod/github.com/containers/image/[email protected]/docker/docker_client.go:642
    github.com/containers/image/v5/docker.(*dockerClient).detectProperties.func1
        /go/pkg/mod/github.com/containers/image/[email protected]/docker/docker_client.go:675
    sync.(*Once).doSlow
        /usr/local/go/src/sync/once.go:66
    sync.(*Once).Do
        /usr/local/go/src/sync/once.go:57
    github.com/containers/image/v5/docker.(*dockerClient).detectProperties
        /go/pkg/mod/github.com/containers/image/[email protected]/docker/docker_client.go:675
    github.com/containers/image/v5/docker.(*dockerClient).makeRequest
        /go/pkg/mod/github.com/containers/image/[email protected]/docker/docker_client.go:395
    github.com/containers/image/v5/docker.(*dockerImageSource).fetchManifest
        /go/pkg/mod/github.com/containers/image/[email protected]/docker/docker_image_src.go:151
    github.com/containers/image/v5/docker.(*dockerImageSource).ensureManifestIsLoaded
        /go/pkg/mod/github.com/containers/image/[email protected]/docker/docker_image_src.go:183
    github.com/containers/image/v5/docker.newImageSource
        /go/pkg/mod/github.com/containers/image/[email protected]/docker/docker_image_src.go:87
    github.com/containers/image/v5/docker.dockerReference.NewImageSource
        /go/pkg/mod/github.com/containers/image/[email protected]/docker/docker_transport.go:144
    github.com/goodwithtech/deckoder/extractor/image.newSource
        /go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/image/image.go:109
    github.com/goodwithtech/deckoder/extractor/image.NewImage
        /go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/image/image.go:84
    github.com/goodwithtech/deckoder/extractor/docker.newDockerExtractor
        /go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/docker/docker.go:71
    github.com/goodwithtech/deckoder/extractor/docker.NewDockerExtractor
        /go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/docker/docker.go:57
    github.com/goodwithtech/dockle/pkg/scanner.ScanImage
        /go/src/github.com/goodwithtech/dockle/pkg/scanner/scan.go:30
    github.com/goodwithtech/dockle/pkg.Run
        /go/src/github.com/goodwithtech/dockle/pkg/run.go:71
    github.com/urfave/cli.HandleAction
        /go/pkg/mod/github.com/urfave/[email protected]/app.go:523
    github.com/urfave/cli.(*App).Run
        /go/pkg/mod/github.com/urfave/[email protected]/app.go:285
    main.main
        /go/src/github.com/goodwithtech/dockle/cmd/dockle/main.go:107
    runtime.main
        /usr/local/go/src/runtime/proc.go:203
    runtime.goexit
        /usr/local/go/src/runtime/asm_amd64.s:1357

Output of dockle -v:

dockle version 0.3.1

Additional details (base image name, container registry info...):

Dockle exit code

Hello, I have a problem. I need to have exit code not equal to zero if dockle has WARN or FATAL output. I read about option -c and I used it. But, if I use if else operator, if's always true but should have false. Could u explain how is it possible ?

I tried different status codes but they have doing nothing.

Add skip latest tag check option

When you just want to quickly check if the latest version of this docker image is valid, it should be able to skip the latest tag check in some use cases.

it probably goes something like this :)

dockle hoge/fuga:latest --ignore-latest

show files may not need [Info level]

e.g.) /.cache, *template*, Dockerfile*, docker-compose.yml

check file capability and permission in /etc, /root...

check file capability
check permission to /etc, /root... files

these files only exec root user

Got warning while I install dockle

After I install dockle, I got warning from brew doctor

Warning: Found Ruby file outside goodwithtech/dockle tap formula directory.
(/usr/local/Homebrew/Library/Taps/goodwithtech/homebrew-dockle/Formula):
  /usr/local/Homebrew/Library/Taps/goodwithtech/homebrew-dockle/dockle.rb

PrivilegeAssessor shouldn't exclude any directory

PrivilegeAssessor is currently ignoring any path containing bin/ or usr/lib/ (excluding therefore /bin/, /sbin/, /usr/bin/, /usr/lib, but strange enough not /usr/sbin/ or /lib/), but the misuse of SUID is higher to happen on executables in one of the ignored paths than someone else.

If crafting a malicious image with a SUID in it, I'd rather try to hide it under /usr/bin or so than placing somewhere else, where someone looking at the root-filesystem might find it strange.

I therefore wouldn't ignore any path. The corresponding checkpoint (CIS-DI-0008) can be ignored with --ignore CIS-DI-0008. Even if getting the issue reported, it's only INFO level!

The next step would be making the paths to be ignored configurable.

How to use under proxy?

Environment variables http_proxy, HTTP_PROXY, https_proxy, and HTTP_PROXY didn't work.

using docker image in the bitbucket pipeline

hi,
trying to use the dockle image directly in the bitbucket pipeline steps but not being able to fetch the artifact generated/ exported by the 1st step in the pipeline. the other pipeline steps with different docker images can use the .tar artifact from the 1 step but dockle image not being able to see it.
Not sure if this is dockle issue, but have you guys tried to run this in the bitbucket pipeline?

thanks

Respect $DOCKER_CONFIG env variable

Version

dockle version: 0.3.1

Description

Currently if I use docker login to authenticate to a private registry, this will generate a config.json in ~/.docker/config.json. Dockle calls to the private registry will work properly after this config is created.

The problem arises when the config is not located in that exact location , that is when $DOCKER_CONFIG is different than ~/.docker

This is useful within CI/CD agents where the config.json may be be generated in a random temporary directory identified by DOCKER_CONFIG. This is also something that works with other similar tools like Trivy or Buildkit's buildctl.

Move `IGNORE` output to debug mode?

Description

Is it possible to remove the IGNORE - [checkpoint code and discription] output in normal mode? In debug mode, it's fine.

The reason for this request is to lower the amount of unnecessary output.

What did you expect to happen?

No output.

What happened instead?

Output of the ignored checkpoint code is displayed.

$ dockle --exit-code=1 --ignore CIS-DI-0005 123456789012.dkr.ecr.region.amazonaws.com/my-image:0.1.0
IGNORE	- CIS-DI-0005: Enable Content trust for Docker

Output of dockle -v:

$ dockle -v
dockle version 0.3.1

Does not recognize Dockerfile path with `--input` arg

Description

dockle --input './Dockerfile' does not work as expected like dockle $DOCKER_IMAGE_NAME

What did you expect to happen?

It should work?

What happened instead?

2020-08-21T12:33:21.470+0300 FATAL unable to initialize a image struct: failed to initialize source: failed to initialize: Error loading tar component manifest.json: archive/tar: invalid tar header

Output of run with -debug:

2020-08-21T12:34:59.157+0300	DEBUG	There is no .dockleignore file
2020-08-21T12:34:59.157+0300	DEBUG	Fetch latest version from github
2020-08-21T12:35:00.701+0300	DEBUG	Start assessments...
2020-08-21T12:35:00.705+0300	FATAL	unable to initialize a image struct:
    github.com/goodwithtech/deckoder/extractor/docker.newDockerExtractor
        /go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/docker/docker.go:73
  - failed to initialize source:
    github.com/goodwithtech/deckoder/extractor/image.NewImage
        /go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/image/image.go:86
  - failed to initialize:
    github.com/goodwithtech/deckoder/extractor/image.newSource
        /go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/image/image.go:118
  - archive/tar: invalid tar header
    Error loading tar component manifest.json
    github.com/containers/image/v5/docker/tarfile.(*Source).readTarComponent
    	/go/pkg/mod/github.com/containers/image/[email protected]/docker/tarfile/src.go:209
    github.com/containers/image/v5/docker/tarfile.(*Source).loadTarManifest
    	/go/pkg/mod/github.com/containers/image/[email protected]/docker/tarfile/src.go:269
    github.com/containers/image/v5/docker/tarfile.(*Source).ensureCachedDataIsPresentPrivate
    	/go/pkg/mod/github.com/containers/image/[email protected]/docker/tarfile/src.go:232
    github.com/containers/image/v5/docker/tarfile.(*Source).ensureCachedDataIsPresent.func1
    	/go/pkg/mod/github.com/containers/image/[email protected]/docker/tarfile/src.go:223
    sync.(*Once).doSlow
    	/usr/local/go/src/sync/once.go:66
    sync.(*Once).Do
    	/usr/local/go/src/sync/once.go:57
    github.com/containers/image/v5/docker/tarfile.(*Source).ensureCachedDataIsPresent
    	/go/pkg/mod/github.com/containers/image/[email protected]/docker/tarfile/src.go:222
    github.com/containers/image/v5/docker/tarfile.(*Source).GetManifest
    	/go/pkg/mod/github.com/containers/image/[email protected]/docker/tarfile/src.go:376
    github.com/containers/image/v5/image.(*UnparsedImage).Manifest
    	/go/pkg/mod/github.com/containers/image/[email protected]/image/unparsed.go:46
    github.com/containers/image/v5/image.FromUnparsedImage
    	/go/pkg/mod/github.com/containers/image/[email protected]/image/sourced.go:74
    github.com/containers/image/v5/image.FromSource
    	/go/pkg/mod/github.com/containers/image/[email protected]/image/sourced.go:34
    github.com/goodwithtech/deckoder/extractor/image.newSource
    	/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/image/image.go:116
    github.com/goodwithtech/deckoder/extractor/image.NewImage
    	/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/image/image.go:84
    github.com/goodwithtech/deckoder/extractor/docker.newDockerExtractor
    	/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/docker/docker.go:71
    github.com/goodwithtech/deckoder/extractor/docker.NewDockerArchiveExtractor
    	/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/docker/docker.go:63
    github.com/goodwithtech/dockle/pkg/scanner.ScanImage
    	/go/src/github.com/goodwithtech/dockle/pkg/scanner/scan.go:35
    github.com/goodwithtech/dockle/pkg.Run
    	/go/src/github.com/goodwithtech/dockle/pkg/run.go:71
    github.com/urfave/cli.HandleAction
    	/go/pkg/mod/github.com/urfave/[email protected]/app.go:523
    github.com/urfave/cli.(*App).Run
    	/go/pkg/mod/github.com/urfave/[email protected]/app.go:285
    main.main
    	/go/src/github.com/goodwithtech/dockle/cmd/dockle/main.go:107
    runtime.main
    	/usr/local/go/src/runtime/proc.go:203
    runtime.goexit
    	/usr/local/go/src/runtime/asm_amd64.s:1357

Output of dockle -v:

dockle version 0.3.1

Dockle can't detect when an image is built using buildkit mount caches

Making use of buildkit's mount caches to cache package caches is very useful for ensuring builds on local developer machines, when the layer cache is invalidated avoid needing to download every package that was downloaded the last time the layer was built locally if the same packages are to be used.

It would be great if Dockle could detect when such caches are in place and avoid flagging failure to use --no-cache options for package installs because the cached files won't be present in the resulting image.

Example:

RUN --mount=type=cache,target=/var/cache/apk apk add --progress \
        ca-certificates \
        git \
        python3 \
        openssh \
        openssl \
        sshpass \
    ;

Or:

RUN --mount=type=cache,target=${HOME}/.cache set -xe \
    && pip3 install --upgrade pip \
    && pip3 install -r requirements.txt \
    ;

It's unclear whether based on scanning the image history only whether this will even be feasible, as I don't know if anything records the additional options passed to the RUN command that can be picked out. Calling docker history --no-trunc on the image won't show the options, so perhaps it's not available.

In such a case it may only be possible to fully detect use of mount caches if dockle provides support to be provided the source Dockerfile to perform additional interrogation to identify this scenario.

The alternative is to inspect the file list of the corresponding layer and see if any files are present under the directory, using the absence to infer use of mount caching and downgrade the FATAL to SKIP?

false warning: "WARN A new version is now available! You have v0.3.11."

Description

False warning for new version is avaible

"2021-04-20T20:00:29.138+0200 WARN A new version is now available! You have v0.3.11."
v03.11 is marked as latest version

What did you expect to happen?
No Warning.

Output of run with -debug:

2021-04-20T20:00:29.138+0200	WARN	A new version  is now available! You have v0.3.11.

Output of dockle -v:

dockle version 0.3.11

"Failed to remove image layer cache" error

Description

On a clean virtual machine Dockle has started to throw an error with cache.
Supposedly it started after improper interruption of its execution.

What did you expect to happen?
After running dockle scanning process should start

What happened instead?
Dockle exited with "Failed to remove image layer cache" error

Output of run with -debug:

:~/docker_tools$ ./dockle
2019-09-03T15:49:58.672Z        FATAL   failed to remove image layer cache
osboxes@osboxes:~/docker_tools$ ./dockle --debug
2019-09-03T15:50:25.783Z        DEBUG   There is no .dockleignore file
2019-09-03T15:50:25.784Z        DEBUG   Fetch latest version from github
2019-09-03T15:50:26.744Z        FATAL   failed to remove image layer cache:
    github.com/goodwithtech/dockle/pkg.Run
        /go/src/github.com/goodwithtech/dockle/pkg/run.go:43

Output of dockle -v:

dockle version 0.1.16

Additional details (base image name, container registry info...):
Error is thrown even when running Dockle without parameters.
Is there any way to manually clear cache?

gin-gonic / auth request

Hi all,

Hope you are all well !

In order to set easily a htpasswd filter, you could use gin-gonic like that

admin := router.Group("/", gin.BasicAuth(gin.Accounts{"[USERNAME]": "[PASSWORD]"}))
{
	admin.Any("/*resources", gin.WrapH(mux))
}

Thanks in advance for any insights or inputs on that topic.

Cheers,
X

Looking for maintainers 🙏

Dockle looking for maintainers.
If you are interested in becoming a maintainer, please reach out to me at the email/twitter on my GitHub profile.

can't trace symbolic link layer.tar (rare case)

Description

COPY sample.txt /app/sample.txt
RUN chmod u+s /app/sample.txt
RUN chmod u-s /app/sample.txt

This sample.txt is not suid file, but Dockle sometimes detect to suid file.
※ Docker version 19.03.3, build a872fc2

This cause of symbolic linked layer.tar file.

├── 99dd0e6c897c668eaff4c7db78af46f0222de6002d826850b7ccf7647c734b52
│   ├── VERSION
│   ├── json
│   └── layer.tar #=> extract /app/sample.txt
├── 9e54adcf82bab951408ca086571b79a04f34afe2e5984f16a36147c3bd2bdff5
│   ├── VERSION
│   ├── json
│   └── layer.tar
├── cc9cb9922a613543e7600f4ad3101855d2dd2f04043e46dbf2824adb9aff886b
│   ├── VERSION
│   └── layer.tar -> ../99dd0e6c897c668eaff4c7db78af46f0222de6002d826850b7ccf7647c734b52/layer.tar

I can't reproduce simplified image.

symbolic linked Dockerfile

This Dockerfile create symbolic linked layer.tar.

FROM debian:jessie-slim
RUN apt-get update && apt-get install -y git
RUN useradd nopasswd -p ""
RUN chmod u+s /etc/shadow
RUN chmod g+s /etc/passwd
ADD credentials.json /app/credentials.json
COPY suid.txt /app/suid.txt
RUN chmod u+s /app/suid.txt
COPY guid.txt /app/guid.txt
RUN chmod g+s /app/guid.txt
COPY once-suid.txt /app/once-suid.txt
RUN chmod u+s /app/once-suid.txt
RUN chmod u-s /app/once-suid.txt

simplified PoC Dockerfile

This Dockerfile does not create symbolic linked layer.tar.

FROM debian:jessie-slim
COPY once-suid.txt /app/once-suid.txt
RUN chmod u+s /app/once-suid.txt
RUN chmod u-s /app/once-suid.txt

What happened instead?

Always not detect suid file.

Incorrect detection of ADD

Description
dockle miss identified the string ADD anywhere in a dockerfile as the ADD instruction even though it is not at the beginning of a line.
In this specific case it thinks an env variable named RETHINKDB_CLUSTER_IP_ADDR is an ADD instruction.
This indicates an incorrect Dockerfile/docker history parser.

Output of run with -debug:

# dockle -debug mterron/rethinkdb
2019-07-10T20:15:24.504+1200	DEBUG	Fetch latest version from github
2019-07-10T20:15:26.115+1200	DEBUG	Start assessments...
2019-07-10T20:15:31.986+1200	DEBUG	Start scan : password files
2019-07-10T20:15:31.994+1200	DEBUG	Start scan : /etc/passwd
2019-07-10T20:15:31.996+1200	DEBUG	Start scan : /etc/group
2019-07-10T20:15:31.997+1200	DEBUG	Start scan : /etc/hosts
2019-07-10T20:15:31.998+1200	DEBUG	Start scan : credential files
2019-07-10T20:15:31.999+1200	DEBUG	Scan start : config file
2019-07-10T20:15:32.002+1200	DEBUG	Scan start : DOCKER_CONTENT_TRUST
2019-07-10T20:15:32.011+1200	DEBUG	End assessments...
2019-07-10T20:15:32.012+1200	DEBUG	There is no .dockleignore file
WARN	- CIS-DI-0001: Create a user for the container
	* Last user should not be root
INFO	- CIS-DI-0005: Enable Content trust for Docker
	* export DOCKER_CONTENT_TRUST=1 before docker pull/build
WARN	- CIS-DI-0006: Add HEALTHCHECK instruction to the container image
	* not found HEALTHCHECK statement
PASS	- CIS-DI-0007: Do not use update instructions alone in the Dockerfile
PASS	- CIS-DI-0008: Remove setuid and setgid permissions in the images
FATAL	- CIS-DI-0009: Use COPY instead of ADD in Dockerfile
	* Use COPY : /bin/sh -c #(nop)  ENTRYPOINT ["/bin/sh" "-c" "exec su-exec daemon:daemon rethinkdb --bind all -d /data -n ${HOSTNAME} --server-tag ${RETHINKDB_TAGS:=default} --join \"${RETHINKDB_CLUSTER_IP_ADDR:=$(nslookup ${RETHINKDB_SVC_NAME:=rethinkdb} 127.0.0.1 2>/dev/null | awk '{print $3}' | egrep -v \"(127.0.0.1|^$|$(hostname -i))\" | sort | head -1)}:${RETHINKDB_CLUSTER_PORT:=29015}\" --join-delay $((RANDOM%50+9)) --cluster-reconnect-timeout 600 --no-update-check"]
PASS	- CIS-DI-0010: Do not store secrets in ENVIRONMENT variables
PASS	- CIS-DI-0010: Do not store secret files
PASS	- DKL-DI-0001: Avoid sudo command
PASS	- DKL-DI-0002: Avoid sensitive directory mounting
PASS	- DKL-DI-0003: Avoid apt-get/apk/dist-upgrade
PASS	- DKL-DI-0004: Use apk add with --no-cache
PASS	- DKL-DI-0005: Clear apt-get caches
WARN	- DKL-DI-0006: Avoid latest tag
	* Avoid 'latest' tag
PASS	- DKL-LI-0001: Avoid empty password
PASS	- DKL-LI-0002: Be unique UID
PASS	- DKL-LI-0002: Be unique GROUP

Output of dockle -v:

dockle version 0.1.13

Additional details (base image name, container registry info...):
mterron/rethinkdb

Wrong command line argument for installation from source

I tried to install dockle from source, but got an error below.

package github.com/goodwithtech/dockle: no Go files in /path/to/go/src/github.com/goodwithtech/dockle

In Installation from source section of README.md,
command shoud be go get -u github.com/goodwithtech/dockle/cmd/dockle?

Detect secrets in build args?

I noticed dockle can detect secrets in env vars, but could it also detect them in build args?

image on docker hub is EOL: This OS version is no longer supported by the distribution: alpine 3.9.6

Description
This OS version is no longer supported by the distribution: alpine 3.9.6
2020-11-22T02:37:50.916Z WARN The vulnerability detection may be insufficient because security updates are not provided
...
Run docker run aquasec/trivy:latest --cache-dir /var/lib/trivy --exit-code 1 --no-progress $IMAGE:v0.3.1
Digest: sha256:37af346e8b0100035df20f330c49f96cccfd809ddb0ab2d3ca26bbb781e1d81f
Status: Downloaded newer image for aquasec/trivy:latest
2020-11-22T02:37:48.724Z INFO Need to update DB
2020-11-22T02:37:48.724Z INFO Downloading DB...
2020-11-22T02:37:50.916Z INFO Detecting Alpine vulnerabilities...
2020-11-22T02:37:50.916Z WARN This OS version is no longer supported by the distribution: alpine 3.9.6
2020-11-22T02:37:50.916Z WARN The vulnerability detection may be insufficient because security updates are not provided

goodwithtech/dockle:v0.3.1 (alpine 3.9.6)

Total: 2 (UNKNOWN: 2, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Option "--output" don't work on Windows

Description

Option "--output" don't work on Windows (possibly because combined with --debug).
After execute dockle.exe --debug --output report.log <image_name> the log file (report.log) was created, but it is empty.

What did you expect to happen?

I expect the application output to be redirected \ duplicated to the "report.log" file.

What happened instead?

Logs are output to stdout \ strerr.
The log file is created, but not filled.

Output of run with -debug:

dockle.exe -debug --output report.log <image_name>
2021-02-15T14:51:55.550+0700 �[35mDEBUG�[0m There is no .dockleignore file
2021-02-15T14:51:55.594+0700 �[35mDEBUG�[0m Fetch latest version from github
2021-02-15T14:51:56.731+0700 �[35mDEBUG�[0m Start assessments...
2021-02-15T14:55:25.275+0700 �[35mDEBUG�[0m Start scan : password files
2021-02-15T14:55:25.275+0700 �[35mDEBUG�[0m Start scan : /etc/passwd
2021-02-15T14:55:25.278+0700 �[35mDEBUG�[0m Start scan : /etc/group
2021-02-15T14:55:25.287+0700 �[35mDEBUG�[0m Start scan : /etc/hosts
2021-02-15T14:55:25.289+0700 �[35mDEBUG�[0m Start scan : credential files
2021-02-15T14:55:25.298+0700 �[35mDEBUG�[0m Scan start : config file
2021-02-15T14:55:25.301+0700 �[35mDEBUG�[0m Scan start : DOCKER_CONTENT_TRUST
2021-02-15T14:55:25.303+0700 �[35mDEBUG�[0m Start scan : cache files
2021-02-15T14:55:25.314+0700 �[35mDEBUG�[0m End assessments...
�[31mFATAL�[0m - �[36mDKL-DI-0005�[0m: Clear apt-get caches
* Use 'rm -rf /var/lib/apt/lists' after 'apt-get install' : *hidden by the author*
�[34mSKIP�[0m - �[36mDKL-LI-0001�[0m: Avoid empty password
* failed to detect etc/shadow,etc/master.passwd
�[34mSKIP�[0m - �[36mDKL-LI-0002�[0m: Be unique UID/GROUP
* failed to detect etc/passwd
* failed to detect etc/group
�[33mWARN�[0m - �[36mCIS-DI-0001�[0m: Create a user for the container
* Last user should not be root
�[35mINFO�[0m - �[36mCIS-DI-0005�[0m: Enable Content trust for Docker
* export DOCKER_CONTENT_TRUST=1 before docker pull/build
�[35mINFO�[0m - �[36mCIS-DI-0006�[0m: Add HEALTHCHECK instruction to the container image
* not found HEALTHCHECK statement
�[35mINFO�[0m - �[36mCIS-DI-0008�[0m: Confirm safety of setuid/setgid files
* setuid file: usr\bin\newgrp urwxr-xr-x
* setuid file: usr\bin\mount urwxr-xr-x
* setgid file: usr\sbin\pam_extrausers_chkpwd grwxr-xr-x
* setuid file: usr\lib\openssh\ssh-keysign urwxr-xr-x
* setuid file: usr\bin\su urwxr-xr-x
* setgid file: usr\bin\ssh-agent grwxr-xr-x
* setuid file: usr\bin\gpasswd urwxr-xr-x
* setuid file: usr\bin\passwd urwxr-xr-x
* setuid file: usr\bin\chsh urwxr-xr-x
* setuid file: usr\bin\umount urwxr-xr-x
* setuid file: usr\lib\dbus-1.0\dbus-daemon-launch-helper urwxr-xr--
* setgid file: usr\sbin\unix_chkpwd grwxr-xr-x
* setgid file: usr\bin\chage grwxr-xr-x
* setgid file: usr\bin\wall grwxr-xr-x
* setuid file: usr\bin\chfn urwxr-xr-x
* setgid file: usr\bin\expiry grwxr-xr-x
�[35mINFO�[0m - �[36mDKL-LI-0003�[0m: Only put necessary files
* unnecessary file : *hidden by the author*

Output of dockle -v:

dockle.exe -v
dockle version 0.3.1

Additional details (base image name, container registry info...):

The image and registry are private, located behind the Proxy.

How does the dockle do with image file?

Hello, I love the Dockle tool.
These are questions about Dockle, could you please take a look and answer?

Q1:
If I run the command to scan an image saved in AWS ECR, how does it do with these images?
Will Dockle download these images and saves them on local disk then scan them?
Or it just download and scan them in memory?
(Appreciate if you could point out the source code where it processes images)

Q2:
For local images, I can scan them without tag:
dockle centos # --> ok
But if the images locates at remote, them tag is must to be assigned'
dockle myrepo/centos:tag1 # --> ok
dockle myrepo/centos # --> ng

Is there any way to skip the tag for remote images also?

Thanks for your time and waiting for your reply.

Add Timeout() to the Fetch Latest Version gorequest

The fetch latest version is taking minutes to timeout causing a slowdown in our pipeline. There is a proxy in place between the container and the destination of the fetch request.

What did you expect to happen?
Timeout quickly if can't reach out with warning displayed.

What happened instead?
Waits for 2 minutes (ish)

DEBUG Fetch latest version from github

Then a long wait...

Scanning an image on the host machine

How does one scan an image that lives on the host machine and not on a remote registry?

My image name is example:latest and the documented command seems to be requesting the image from docker.io registry https://registry-1.docker.io/v2/library/example/manifests/latest

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
  goodwithtech/dockle:v0.2.4 example

2020-07-08T19:57:44.399Z        FATAL   failed to analyze image: 
&{%!w(string=failed to extract files: 
&{%!w(string=failed to fetch manifest: 
&{%!w(string=Get) 
%!w(string=https://registry-1.docker.io/v2/library/example/manifests/latest) 
%!w(*registry.httpStatusError=&{...snip...]})})})}

Scanning an image file with dockle docker container doesn't work

Description

Scanning a docker image that has previously been saved as a tar file doesn't work with the dockle docker container:

What did you expect to happen?

Should be able scan image from file.

Steps to reproduce

docker pull alpine
docker save alpine -o alpine.tar
docker run --rm -v $(pwd):/src -w /src goodwithtech/dockle:v0.2.4 --input alpine.tar

Output:

Using default tag: latest
latest: Pulling from library/alpine
Digest: sha256:ab00606a42621fb68f2ed6ad3c88be54397f981a7b70a79db3d1172b11c4367d
Status: Image is up to date for alpine:latest
docker.io/library/alpine:latest
2020-02-16T03:59:03.688Z        FATAL   failed to open stream: &{%!w(string=open) %!w(string=alpine.tar) %!w(syscall.Errno=13)}

JSON output feature (status badges for dockle maybe?)

I would like to have an option to get the results in JSON format.

Since there's a workaround like scraping the results, it's not a strong request but useful in many ways.

dockle --json image_name

$ # Some what like this
$ dockle --json my_image:my_tag
{
    "summary": {
        "image_id": "704f8ff68c6d",
        "image_name": "my_image",
        "image_tag": "my_tag",
        "number_warn": 1,
        "number_fatal": 0,
        "number_pass": 18,
        "number_total": 19
    },
    "details": [
        {
            "code": "CIS-DI-0001",
            "description": "Create a user for the container",
            "level": "WARN",
            "alert": [
                "Last user should not be root"
            ]
        },
        {
            "code": "CIS-DI-0002",
            "description": "Use trusted base images for containers",
            "level": "PASS",
            "alert": [
                ""
            ]
        },
        ⋮
        {
            "code": "DKL-LI-0002",
            "description": "Be unique UID\/GROUPs",
            "level": "PASS",
            "alert": [
                ""
            ]
        }
    ]
}

If I can get the results like so, it would be handy to use the results in other languages.

Sample Usage

So far, my main purpose for this is to generate a status badge of Dockle something like below.

For example, If I can generate a JSON string like below, I can use the Dynamic Badges of shields.IO.

{
  "schemaVersion": 1,
  "label": "Dockle",
  "message": "FATAL 1 WARN 2",
  "color": "red"
}

![](https://img.shields.io/endpoint.svg?url=[RAW URL JSON])

Query format of dynamic badges

Sample Image

JSON @ Gist
Markdown

![](https://img.shields.io/endpoint.svg?url=https://gist.githubusercontent.com/KEINOS/69610d8f340496448eedb3d602972efa/raw/fb45e04276a037492039e2c4dcba8bb8b1fc559c/dockle-status.json)

Results

Ref

CIで簡単につかえるコンテナのセキュリティ診断｢Dockle｣ @ Qiita

Dockle does not support DOCKLE_USERNAME and DOCKLE_PASSWORD

Azure/container-scan action uses Dockle to scan images for best practice violations. However, while pulling images from Azure container registry, we get the following error.

Error: FATAL	unable to initialize a image struct: failed to initialize source: unable to retrieve auth token: invalid username/password: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.
Error: An error occurred while scanning the container image for best practice violations

Is it possible to use Dockle with ACR images? From the README, it looks like it's not supported. But is there any workaround that can be suggested to the users of our action?

Runtime error with versions 0.2.4 and 0.2.3

Description

I wanted to work with container security and chose Dockle for it. But I am unable to make it work. I first tried 0.2.4 version .deb then I got the tar file used the precompiled version and I got the same error:-

2020-04-15T08:53:45.618Z DEBUG There is no .dockleignore file
2020-04-15T08:53:45.618Z DEBUG Fetch the latest version from GitHub
2020-04-15T08:53:45.954Z WARN A new version v0.2.4 is now available! You have v0.2.3.
2020-04-15T08:53:45.954Z DEBUG Start assessments...
fatal error: runtime: out of memory

I tried to run the docker version and got a different error:-

&{%!w(string=open) %!w(string=.tar) %!w(syscall.Errno=13)}

I issued the command:-

./dockle --input <image-file.tar> -d

What did you expect to happen?
I expected it to work and show some assessed details.

What happened instead?
Out of memory error.

Output of run with -debug:

2020-04-15T08:53:45.618Z	DEBUG	There is no .dockleignore file
2020-04-15T08:53:45.618Z	DEBUG	Fetch latest version from github
2020-04-15T08:53:45.954Z	WARN	A new version v0.2.4 is now available! You have v0.2.3.
2020-04-15T08:53:45.954Z	DEBUG	Start assessments...
fatal error: runtime: out of memory

runtime stack:
runtime.throw(0xc01fd7, 0x16)
	/usr/local/go/src/runtime/panic.go:774 +0x72
runtime.sysMap(0xc174000000, 0x100000000, 0x122a3f8)
	/usr/local/go/src/runtime/mem_linux.go:169 +0xc5
runtime.(*mheap).sysAlloc(0x12118a0, 0x100000000, 0xc0000e5e00, 0x436057)
	/usr/local/go/src/runtime/malloc.go:701 +0x1cd
runtime.(*mheap).grow(0x12118a0, 0x80000, 0xffffffff)
	/usr/local/go/src/runtime/mheap.go:1255 +0xa3
runtime.(*mheap).allocSpanLocked(0x12118a0, 0x80000, 0x122a408, 0x11bb8e0)
	/usr/local/go/src/runtime/mheap.go:1170 +0x266
runtime.(*mheap).alloc_m(0x12118a0, 0x80000, 0x101, 0x0)
	/usr/local/go/src/runtime/mheap.go:1022 +0xc2
runtime.(*mheap).alloc.func1()
	/usr/local/go/src/runtime/mheap.go:1093 +0x4c
runtime.(*mheap).alloc(0x12118a0, 0x80000, 0xc000010101, 0x437145)
	/usr/local/go/src/runtime/mheap.go:1092 +0x8a
runtime.largeAlloc(0xfffffe00, 0xc000030101, 0xc000000180)
	/usr/local/go/src/runtime/malloc.go:1138 +0x97
runtime.mallocgc.func1()
	/usr/local/go/src/runtime/malloc.go:1033 +0x46
runtime.systemstack(0xc00028fa40)
	/usr/local/go/src/runtime/asm_amd64.s:370 +0x66
runtime.mstart()
	/usr/local/go/src/runtime/proc.go:1146

goroutine 1 [running]:
runtime.systemstack_switch()
	/usr/local/go/src/runtime/asm_amd64.s:330 fp=0xc000138600 sp=0xc0001385f8 pc=0x459200
runtime.mallocgc(0xfffffe00, 0xae7d00, 0x1, 0xc000138718)
	/usr/local/go/src/runtime/malloc.go:1032 +0x895 fp=0xc0001386a0 sp=0xc000138600 pc=0x40c2a5
runtime.makeslice(0xae7d00, 0xfffffe00, 0xfffffe00, 0x40000000)
	/usr/local/go/src/runtime/slice.go:49 +0x6c fp=0xc0001386d0 sp=0xc0001386a0 pc=0x443cbc
bytes.makeSlice(0xfffffe00, 0x0, 0x0, 0x0)
	/usr/local/go/src/bytes/buffer.go:229 +0x77 fp=0xc000138738 sp=0xc0001386d0 pc=0x4f65d7
bytes.(*Buffer).grow(0xc000138860, 0x200, 0x40000000)
	/usr/local/go/src/bytes/buffer.go:142 +0x15b fp=0xc000138788 sp=0xc000138738 pc=0x4f5f1b
bytes.(*Buffer).ReadFrom(0xc000138860, 0xd608c0, 0xc0000ae480, 0x0, 0xc000138858, 0x2)
	/usr/local/go/src/bytes/buffer.go:202 +0x4b fp=0xc0001387f8 sp=0xc000138788 pc=0x4f63cb
io/ioutil.readAll(0xd608c0, 0xc0000ae480, 0x200, 0x0, 0x0, 0x0, 0x0, 0x0)
	/usr/local/go/src/io/ioutil/ioutil.go:36 +0x100 fp=0xc000138898 sp=0xc0001387f8 pc=0x4fd050
io/ioutil.ReadAll(...)
	/usr/local/go/src/io/ioutil/ioutil.go:45
github.com/goodwithtech/deckoder/extractor/docker.DockerExtractor.ExtractFromFile(0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
	/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/docker/docker.go:307 +0x453 fp=0xc0001390f8 sp=0xc000138898 pc=0xa6ee53
github.com/goodwithtech/deckoder/analyzer.AnalyzeFromFile(0xd71380, 0xc000090010, 0xd69b40, 0xc00000e160, 0xc0003945f0, 0x2, 0xc0003945f0, 0xc0001393c8)
	/go/pkg/mod/github.com/goodwithtech/[email protected]/analyzer/analyzer.go:43 +0x225 fp=0xc000139368 sp=0xc0001390f8 pc=0xa71c25
github.com/goodwithtech/dockle/pkg/scanner.ScanImage(0xd71380, 0xc000090010, 0x0, 0x0, 0x7ffd0c26b89b, 0x1e, 0x0, 0x0, 0x0, 0x0, ...)
	/go/src/github.com/goodwithtech/dockle/pkg/scanner/scan.go:38 +0x1c8 fp=0xc000139480 sp=0xc000139368 pc=0xa72038
github.com/goodwithtech/dockle/pkg.Run(0xc0000bcc60, 0xc0000bcc60, 0xc0001b577f)
	/go/src/github.com/goodwithtech/dockle/pkg/run.go:83 +0x56d fp=0xc000139780 sp=0xc000139480 pc=0xa7305d
github.com/urfave/cli.HandleAction(0xaf9760, 0xc2f2a0, 0xc0000bcc60, 0xc0001eda40, 0x0)
	/go/pkg/mod/github.com/urfave/[email protected]/app.go:490 +0xc8 fp=0xc0001397a8 sp=0xc000139780 pc=0x74e078
github.com/urfave/cli.(*App).Run(0xc00032ab60, 0xc00006a080, 0x4, 0x4, 0x0, 0x0)
	/go/pkg/mod/github.com/urfave/[email protected]/app.go:264 +0x58c fp=0xc000139ae0 sp=0xc0001397a8 pc=0x74c27c
main.main()
	/go/src/github.com/goodwithtech/dockle/cmd/dockle/main.go:107 +0xa17 fp=0xc000139f60 sp=0xc000139ae0 pc=0xa743b7
runtime.main()
	/usr/local/go/src/runtime/proc.go:203 +0x21e fp=0xc000139fe0 sp=0xc000139f60 pc=0x42fbde
runtime.goexit()
	/usr/local/go/src/runtime/asm_amd64.s:1357 +0x1 fp=0xc000139fe8 sp=0xc000139fe0 pc=0x45b151

goroutine 20 [syscall]:
os/signal.signal_recv(0x45b156)
	/usr/local/go/src/runtime/sigqueue.go:147 +0x9c
os/signal.loop()
	/usr/local/go/src/os/signal/signal_unix.go:23 +0x22
created by os/signal.init.0
	/usr/local/go/src/os/signal/signal_unix.go:29 +0x41

Output of dockle -v:

dockle version 0.2.3

Additional details (base image name, container registry info...):
The image size I am testing is 9.86 GB and the same size worked with Trivy and generated a report for me to analyze. I want to make this tool work as I am fascinated by the CIS benchmarks.

DKL-DI-0002 (Avoid sensitive directory mounting) seems too strict

https://github.com/goodwithtech/dockle/blob/master/CHECKPOINT.md#dkl-di-0002-avoid-sensitive-directory-mounting

/boot, /dev, /etc, /lib, /proc, /sys, /usr

I'm not sure there can be an attack vector with these volumes, though the runtime might
have some vulns around mounting /dev, /proc, and /sys, potentially .

Explicit error message if pulling a Docker image takes too long

JUnit style format output

Hey guys,

Is there any plans to implement JUnit like reports? Could be helpful for CI systems that can consume such reports and build adorable graphs :)

Thanks in advance.

"Failed to analyze image: failed to extract files" error

Description

On Ubuntu VM (fresh and clean Ubuntu Server 18.10) Dockle fails to scan images.

What did you expect to happen?
No errors during execution

What happened instead?
FATAL "Failed to analyze image: failed to extract files" error

Output of run with -debug:

$ ./dockle --exit-code 1 -f json --output ./dockle_results.json bkimminich/juice-shop --debug
2019-09-03T17:19:11.383Z        FATAL   failed to analyze image: failed to extract files: Could not extract the archive
osboxes@osboxes:~/docker/docker_tools$ ./dockle --debug --exit-code 1 -f json --output ./dockle_results.json bkimminich/juice-shop
2019-09-03T17:19:21.212Z        DEBUG   There is no .dockleignore file
2019-09-03T17:19:21.213Z        DEBUG   Fetch latest version from github
2019-09-03T17:19:22.282Z        DEBUG   Start assessments...
2019-09-03T17:20:22.284Z        FATAL   failed to analyze image:
    github.com/goodwithtech/dockle/pkg/scanner.ScanImage
        /go/src/github.com/goodwithtech/dockle/pkg/scanner/scan.go:32
  - failed to extract files:
    github.com/knqyf263/fanal/analyzer.Analyze
        /go/pkg/mod/github.com/goodwithtech/[email protected]/analyzer/analyzer.go:137
  - Could not extract the archive
    github.com/knqyf263/fanal/extractor.init.ializers
        /go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/extractor.go:13
    runtime.main
        /usr/local/go/src/runtime/proc.go:188
    runtime.goexit
        /usr/local/go/src/runtime/asm_amd64.s:1337

Output of dockle -v:

dockle version 0.1.16

Additional details (base image name, container registry info...):
For some reason on another host dockle works fine, but on a fresh VM with Docker just installed Dockle fails.
Seems correlating to the Trivy issue - aquasecurity/trivy#139

Running as root in a container should not be "FATAL"

As a Docker container runs as one process on a host machine and it's separated from other processes, I do not think running as root is not "critical".

More like it won't do much even if you make it as a non-root user because it strongly depends on which user you're running Docker daemon on the host machine.

goodwithtech / dockle Goto Github PK

dockle's People

Contributors

Stargazers

Watchers

Forkers

dockle's Issues

Version

Description

goodwithtech/dockle:v0.3.1 (alpine 3.9.6)

Sample Usage

Sample Image

Ref

Recommend Projects

Recommend Topics

Recommend Org