DEV Community: Tomoya Amachi The latest articles on DEV Community by Tomoya Amachi (@tomoyamachi). https://dev.to/tomoyamachi https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F45446%2F7b8201a7-0309-4b3d-994e-5e3d70282bdb.jpg DEV Community: Tomoya Amachi https://dev.to/tomoyamachi en The One Thing You Should Do After Building Best-Practice Docker Image (in 3 minutes) Tomoya Amachi Wed, 19 Jun 2019 14:48:22 +0000 https://dev.to/tomoyamachi/the-one-thing-you-should-do-after-building-best-practice-docker-image-in-3-minutes-3mi4 https://dev.to/tomoyamachi/the-one-thing-you-should-do-after-building-best-practice-docker-image-in-3-minutes-3mi4 <h1> Overview </h1> <p>Today, many companies tried to use Docker. This article is for wrote/writing <a href="https://docs.docker.com/develop/develop-images/dockerfile_best-practices/">best-practice Dockerfiles</a>.</p> <p>I created a tool analyzes your Dockerfile via the built image in 3 minutes.<br> <a href="https://github.com/goodwithtech/dockle"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--8HcfHVsN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://github.com/goodwithtech/dockle/raw/master/imgs/logo.png" width="450"></a></p> <blockquote> <p><a href="https://github.com/goodwithtech/dockle">Dockle - Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start</a></p> </blockquote> <p>Dockle is able to check deeply. (file permissions, credential files...) So, Dockle the best tool to check important rules, especially for security.</p> <p>(I'm also the main committer of <a href="https://github.com/future-architect/vuls">Vuls</a> and <a href="https://github.com/knqyf263/trivy">Trivy</a>. These are famous vulnerability scanners.)</p> <p>It's <strong>NOT</strong> a Dockerfile Linter (like a hadolint).<br><br> It's able to check security risks on a container base image too. Dockerfile Linter never does it.</p> <p>I hope you <a href="https://github.com/goodwithtech/dockle">star it</a>!</p> <h1> How to use </h1> <h2> Homebrew (<a href="https://brew.sh/">Mac</a> / <a href="https://docs.brew.sh/Homebrew-on-Linux">Linux</a>) </h2> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">export </span><span class="nv">DOCKER_CONTENT_TRUST</span><span class="o">=</span>1 <span class="nv">$ </span>docker build <span class="nt">-t</span> test-image:v1 <span class="nb">.</span> <span class="nv">$ </span>brew <span class="nb">install </span>goodwithtech/dockle/dockle <span class="nv">$ </span>dockle test-image:v1 </code></pre></div> <h2> Linux </h2> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">export </span><span class="nv">DOCKER_CONTENT_TRUST</span><span class="o">=</span>1 <span class="nv">$ </span>docker build <span class="nt">-t</span> test-image:v1 <span class="nb">.</span> <span class="nv">$ VERSION</span><span class="o">=</span><span class="si">$(</span> curl <span class="nt">--silent</span> <span class="s2">"https://api.github.com/repos/goodwithtech/dockle/releases/latest"</span> | <span class="se">\</span> <span class="nb">grep</span> <span class="s1">'"tag_name":'</span> | <span class="se">\</span> <span class="nb">sed</span> <span class="nt">-E</span> <span class="s1">'s/.*"v([^"]+)".*/\1/'</span> <span class="se">\</span> <span class="si">)</span> <span class="o">&amp;&amp;</span> curl <span class="nt">-L</span> <span class="nt">-o</span> dockle.tar.gz https://github.com/goodwithtech/dockle/releases/download/v<span class="k">${</span><span class="nv">VERSION</span><span class="k">}</span>/dockle_<span class="k">${</span><span class="nv">VERSION</span><span class="k">}</span>_Linux-64bit.tar.gz <span class="nv">$ </span><span class="nb">tar </span>zxvf dockle.tar.gz <span class="nv">$ </span>./dockle test-image:v1 </code></pre></div> <h2> Windows </h2> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">export </span><span class="nv">DOCKER_CONTENT_TRUST</span><span class="o">=</span>1 <span class="nv">$ </span>docker build <span class="nt">-t</span> test-image:v1 <span class="nb">.</span> <span class="nv">$ VERSION</span><span class="o">=</span><span class="si">$(</span> curl <span class="nt">--silent</span> <span class="s2">"https://api.github.com/repos/goodwithtech/dockle/releases/latest"</span> | <span class="se">\</span> <span class="nb">grep</span> <span class="s1">'"tag_name":'</span> | <span class="se">\</span> <span class="nb">sed</span> <span class="nt">-E</span> <span class="s1">'s/.*"v([^"]+)".*/\1/'</span> <span class="se">\</span> <span class="si">)</span> <span class="o">&amp;&amp;</span> curl <span class="nt">-L</span> <span class="nt">-o</span> dockle.zip https://github.com/goodwithtech/dockle/releases/download/v<span class="k">${</span><span class="nv">VERSION</span><span class="k">}</span>/dockle_<span class="k">${</span><span class="nv">VERSION</span><span class="k">}</span>_Windows-64bit.zip <span class="nv">$ </span>unzip dockle.zip <span class="o">&amp;&amp;</span> <span class="nb">rm </span>dockle.zip <span class="nv">$ </span>./dockle.exe test-image:v1 </code></pre></div> <h2> via Docker </h2> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$ VERSION</span><span class="o">=</span><span class="si">$(</span> curl <span class="nt">--silent</span> <span class="s2">"https://api.github.com/repos/goodwithtech/dockle/releases/latest"</span> | <span class="se">\</span> <span class="nb">grep</span> <span class="s1">'"tag_name":'</span> | <span class="se">\</span> <span class="nb">sed</span> <span class="nt">-E</span> <span class="s1">'s/.*"v([^"]+)".*/\1/'</span> <span class="se">\</span> <span class="si">)</span> <span class="o">&amp;&amp;</span> docker run <span class="nt">--rm</span> <span class="nt">-v</span> /var/run/docker.sock:/var/run/docker.sock <span class="se">\</span> goodwithtech/dockle:v<span class="k">${</span><span class="nv">VERSION</span><span class="k">}</span> test-image:v1 </code></pre></div> <p>You only need -v /var/run/docker.sock:/var/run/docker.sock when you'd like to scan the image on your host machine.</p> <h1> Results </h1> <div class="highlight"><pre class="highlight yaml"><code><span class="na">PASS - CIS-DI-0001</span><span class="pi">:</span> <span class="s">Create a user for the container</span> <span class="na">PASS - CIS-DI-0005</span><span class="pi">:</span> <span class="s">Enable Content trust for Docker</span> <span class="na">PASS - CIS-DI-0006</span><span class="pi">:</span> <span class="s">Add HEALTHCHECK instruction to the container image</span> <span class="na">PASS - CIS-DI-0007</span><span class="pi">:</span> <span class="s">Do not use update instructions alone in the Dockerfile</span> <span class="na">PASS - CIS-DI-0008</span><span class="pi">:</span> <span class="s">Remove setuid and setgid permissions in the images</span> <span class="na">PASS - CIS-DI-0009</span><span class="pi">:</span> <span class="s">Use COPY instead of ADD in Dockerfile</span> <span class="na">PASS - CIS-DI-0010</span><span class="pi">:</span> <span class="s">Do not store secrets in ENVIRONMENT variables</span> <span class="na">PASS - CIS-DI-0010</span><span class="pi">:</span> <span class="s">Do not store secret files</span> <span class="na">PASS - DKL-DI-0001</span><span class="pi">:</span> <span class="s">Avoid sudo command</span> <span class="na">PASS - DKL-DI-0002</span><span class="pi">:</span> <span class="s">Avoid sensitive directory mounting</span> <span class="na">PASS - DKL-DI-0003</span><span class="pi">:</span> <span class="s">Avoid apt-get/apk/dist-upgrade</span> <span class="na">PASS - DKL-DI-0004</span><span class="pi">:</span> <span class="s">Use apk add with --no-cache</span> <span class="na">PASS - DKL-DI-0005</span><span class="pi">:</span> <span class="s">Clear apt-get caches</span> <span class="na">PASS - DKL-DI-0006</span><span class="pi">:</span> <span class="s">Avoid latest tag</span> <span class="na">PASS - DKL-LI-0001</span><span class="pi">:</span> <span class="s">Avoid empty password</span> <span class="na">PASS - DKL-LI-0002</span><span class="pi">:</span> <span class="s">Be unique UID</span> <span class="na">PASS - DKL-LI-0002</span><span class="pi">:</span> <span class="s">Be unique GROUP</span> </code></pre></div> <p>This tool checks <a href="https://www.cisecurity.org/benchmark/docker/">CIS Benchmarks</a> and <a href="https://docs.docker.com/develop/develop-images/dockerfile_best-practices/">Best practices for writing Dockerfiles<br> </a>.</p> <p>Dockle shows short messages suggestions for improvement when there are problems.<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">WARN - CIS-DI-0001</span><span class="pi">:</span> <span class="s">Create a user for the container</span> <span class="s">* Last user should not be root</span> <span class="na">PASS - CIS-DI-0005</span><span class="pi">:</span> <span class="s">Enable Content trust for Docker</span> <span class="na">WARN - CIS-DI-0006</span><span class="pi">:</span> <span class="s">Add HEALTHCHECK instruction to the container image</span> <span class="s">* not found HEALTHCHECK statement</span> <span class="na">PASS - CIS-DI-0007</span><span class="pi">:</span> <span class="s">Do not use update instructions alone in the Dockerfile</span> <span class="na">INFO - CIS-DI-0008</span><span class="pi">:</span> <span class="s">Remove setuid and setgid permissions in the images</span> <span class="s">* Found setuid file</span><span class="pi">:</span> <span class="s">usr/lib/openssh/ssh-keysign urwxr-xr-x</span> <span class="na">FATAL - CIS-DI-0009</span><span class="pi">:</span> <span class="s">Use COPY instead of ADD in Dockerfile</span> <span class="s">* Use COPY</span> <span class="pi">:</span> <span class="s">/bin/sh -c</span> <span class="c1">#(nop) ADD file:81c0a803075715d1a6b4f75a29f8a01b21cc170cfc1bff6702317d1be2fe71a3 in /app/credentials.json</span> <span class="na">FATAL - CIS-DI-0010</span><span class="pi">:</span> <span class="s">Do not store secrets in ENVIRONMENT variables</span> <span class="s">* Suspicious ENV key found</span> <span class="pi">:</span> <span class="s">MYSQL_PASSWD</span> <span class="na">FATAL - CIS-DI-0010</span><span class="pi">:</span> <span class="s">Do not store secret files</span> <span class="s">* Suspicious filename found</span> <span class="pi">:</span> <span class="s">app/credentials.json</span> <span class="na">PASS - DKL-DI-0001</span><span class="pi">:</span> <span class="s">Avoid sudo command</span> <span class="na">FATAL - DKL-DI-0002</span><span class="pi">:</span> <span class="s">Avoid sensitive directory mounting</span> <span class="s">* Avoid mounting sensitive dirs</span> <span class="pi">:</span> <span class="s">/usr</span> <span class="na">PASS - DKL-DI-0003</span><span class="pi">:</span> <span class="s">Avoid apt-get/apk/dist-upgrade</span> <span class="na">PASS - DKL-DI-0004</span><span class="pi">:</span> <span class="s">Use apk add with --no-cache</span> <span class="na">FATAL - DKL-DI-0005</span><span class="pi">:</span> <span class="s">Clear apt-get caches</span> <span class="s">* Use 'rm -rf /var/lib/apt/lists' after 'apt-get install'</span> <span class="pi">:</span> <span class="s">/bin/sh -c apt-get update &amp;&amp; apt-get install -y git</span> <span class="na">PASS - DKL-DI-0006</span><span class="pi">:</span> <span class="s">Avoid latest tag</span> <span class="na">FATAL - DKL-LI-0001</span><span class="pi">:</span> <span class="s">Avoid empty password</span> <span class="s">* No password user found! username</span> <span class="pi">:</span> <span class="s">nopasswd</span> <span class="na">PASS - DKL-LI-0002</span><span class="pi">:</span> <span class="s">Be unique UID</span> <span class="na">PASS - DKL-LI-0002</span><span class="pi">:</span> <span class="s">Be unique GROUP</span> </code></pre></div> <p>You can check details to searching analysys codes(<code>CIS-DI-0001</code>...) on <a href="https://github.com/goodwithtech/dockle#checkpoint-detail">README</a>. </p> <p>You don't mind if your image doesn't pass checkpoints.<br> It's one of an indicator.</p> <p>Sometimes you have to run as <code>root</code>.<br><br> Sometimes CLI tool doesn't need <code>HEALTHCHECK</code>.<br><br> Sometimes use <code>ADD</code> statement when you'd like to add tar files.</p> <p>I hope this is reminder that really you'd like to do so.</p> <p>You can be specified to ignore rules to give <code>--ignore, -i</code> option or create <code>.dockleignore</code>.<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>$ dockle -i CIS-DI-0001 -i CIS-DI-0006 [IMAGE_NAME] </code></pre></div> <div class="highlight"><pre class="highlight plaintext"><code># run as root CIS-DI-0001 # don't use HEALTHCHECK CIS-DI-0006 # use latest tag DKL-DI-0006 </code></pre></div> <p>Let's do it again.<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">IGNORE - CIS-DI-0001</span><span class="pi">:</span> <span class="s">Create a user for the container</span> <span class="na">INFO - CIS-DI-0005</span><span class="pi">:</span> <span class="s">Enable Content trust for Docker</span> <span class="s">* export DOCKER_CONTENT_TRUST=1 before docker pull/build</span> <span class="na">IGNORE - CIS-DI-0006</span><span class="pi">:</span> <span class="s">Add HEALTHCHECK instruction to the container image</span> <span class="na">PASS - CIS-DI-0007</span><span class="pi">:</span> <span class="s">Do not use update instructions alone in the Dockerfile</span> <span class="na">INFO - CIS-DI-0008</span><span class="pi">:</span> <span class="s">Remove setuid and setgid permissions in the images</span> <span class="s">* Found setuid file</span><span class="pi">:</span> <span class="s">usr/lib/openssh/ssh-keysign urwxr-xr-x</span> <span class="na">IGNORE - CIS-DI-0009</span><span class="pi">:</span> <span class="s">Use COPY instead of ADD in Dockerfile</span> <span class="na">FATAL - CIS-DI-0010</span><span class="pi">:</span> <span class="s">Do not store secrets in ENVIRONMENT variables</span> <span class="s">* Suspicious ENV key found</span> <span class="pi">:</span> <span class="s">MYSQL_PASSWD</span> <span class="na">FATAL - CIS-DI-0010</span><span class="pi">:</span> <span class="s">Do not store secret files</span> <span class="s">* Suspicious filename found</span> <span class="pi">:</span> <span class="s">app/credentials.json</span> <span class="na">PASS - DKL-DI-0001</span><span class="pi">:</span> <span class="s">Avoid sudo command</span> <span class="na">FATAL - DKL-DI-0002</span><span class="pi">:</span> <span class="s">Avoid sensitive directory mounting</span> <span class="s">* Avoid mounting sensitive dirs</span> <span class="pi">:</span> <span class="s">/usr</span> <span class="na">PASS - DKL-DI-0003</span><span class="pi">:</span> <span class="s">Avoid apt-get/apk/dist-upgrade</span> <span class="na">PASS - DKL-DI-0004</span><span class="pi">:</span> <span class="s">Use apk add with --no-cache</span> <span class="na">FATAL - DKL-DI-0005</span><span class="pi">:</span> <span class="s">Clear apt-get caches</span> <span class="s">* Use 'rm -rf /var/lib/apt/lists' after 'apt-get install'</span> <span class="pi">:</span> <span class="s">/bin/sh -c apt-get update &amp;&amp; apt-get install -y git</span> <span class="na">PASS - DKL-DI-0006</span><span class="pi">:</span> <span class="s">Avoid latest tag</span> <span class="na">FATAL - DKL-LI-0001</span><span class="pi">:</span> <span class="s">Avoid empty password</span> <span class="s">* No password user found! username</span> <span class="pi">:</span> <span class="s">nopasswd</span> <span class="na">PASS - DKL-LI-0002</span><span class="pi">:</span> <span class="s">Be unique UID</span> <span class="na">PASS - DKL-LI-0002</span><span class="pi">:</span> <span class="s">Be unique GROUP</span> </code></pre></div> <h1> Closing </h1> <p>Dockle is <strong>NOT</strong> a Dockerfile Linter, but a Docker Image Linter.</p> <p>Dockle can check deeply. (file permissions, credential files...) So, Dockle is able to check important rules than others, especially for security.</p> <p>And Dockle is able to analyze an image created by stdin, too. You could use it in many places.<br> </p> <div class="highlight"><pre class="highlight shell"><code>docker build -<span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> FROM busybox RUN echo "hello world" </span><span class="no">EOF </span></code></pre></div> <p>I hope you <a href="https://github.com/goodwithtech/dockle">like it</a>!</p> <p>Thanks!!</p> docker security development How to keep secure your Docker Image Tomoya Amachi Fri, 14 Jun 2019 15:17:09 +0000 https://dev.to/tomoyamachi/how-to-keep-secure-your-docker-image-2hj2 https://dev.to/tomoyamachi/how-to-keep-secure-your-docker-image-2hj2 <h1> Overviews </h1> <p>Containers are one of the best tools in recent years.<br> But it hasn't been established for DevSecOps for containers. Many organizations are unable to keep secure containers' ecosystem.</p> <p>This article aims to what is the security best practices Docker Images.</p> <p>Do you know <a href="https://github.com/coreos/clair" rel="noopener noreferrer">Clair</a> and <a href="https://github.com/docker/docker-bench-security" rel="noopener noreferrer">Docker Bench for Security</a>? but It's insufficient.</p> <h1> TL;DL </h1> <ul> <li><strong>CIS Benchmarks published Docker security checkpoints</strong></li> <li><strong>Check your images by Dockle and Trivy</strong></li> <li><strong>Easy to check in CI before docker push</strong></li> </ul> <h1> CIS Benchmarks </h1> <p>One of the best security best practice provided by The Center for Internet Security(CIS).<br> Their <code>Container Images and Build File</code> has 11 checkpoints.</p> <ol> <li>Create a user for the container </li> <li>Use trusted base images for containers</li> <li>Do not install unnecessary packages in the container</li> <li>Scan and rebuild the images to include security patches</li> <li>Enable Content trust for Docker</li> <li>Add HEALTHCHECK instruction to the container image</li> <li>Do not use update instructions alone in the Dockerfile</li> <li>Remove setuid and setgid permissions in the images</li> <li>Use COPY instead of ADD in Dockerfile</li> <li>Do not store secrets in Dockerfiles</li> <li>Install verified packages only</li> </ol> <p>Clair only supports <code>Scan and rebuild the images to include security patches</code>.</p> <h1> What is <code>Dockle</code> </h1> <p><code>Dockle</code> is <code>Simple Security Auditing and helping build the Best Docker Image</code> tool.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th><a href="https://github.com/goodwithtech/dockle" rel="noopener noreferrer">Dockle</a></th> <th><a href="https://github.com/docker/docker-bench-security" rel="noopener noreferrer">Docker Bench for Security</a></th> <th><a href="https://github.com/coreos/clair" rel="noopener noreferrer">Clair</a></th> <th><a href="https://github.com/knqyf263/trivy" rel="noopener noreferrer">Trivy</a></th> </tr> </thead> <tbody> <tr> <td>1. Create a user for the container</td> <td>✅</td> <td>✅</td> <td>-</td> <td>-</td> </tr> <tr> <td>2. Use trusted base images for containers</td> <td>-</td> <td>-</td> <td>- </td> <td>-</td> </tr> <tr> <td>3. Do not install unnecessary packages in the container</td> <td>-</td> <td>-</td> <td>- </td> <td>-</td> </tr> <tr> <td>4. Scan and rebuild the images to include security patches</td> <td>-</td> <td>-</td> <td>✅</td> <td>✅</td> </tr> <tr> <td>5. Enable Content trust for Docker</td> <td>✅</td> <td>✅</td> <td>- </td> <td>-</td> </tr> <tr> <td>6. Add HEALTHCHECK instruction to the container image</td> <td>✅</td> <td>✅</td> <td>- </td> <td>-</td> </tr> <tr> <td>7. Do not use update instructions alone in the Dockerfile</td> <td>✅</td> <td>✅</td> <td>-</td> <td>-</td> </tr> <tr> <td>8. Remove setuid and setgid permissions in the images</td> <td>✅</td> <td>-</td> <td>- </td> <td>-</td> </tr> <tr> <td>9. Use COPY instead of ADD in Dockerfile</td> <td>✅</td> <td>✅</td> <td>-</td> <td>-</td> </tr> <tr> <td>10. Do not store secrets in Dockerfiles</td> <td>✅</td> <td>-</td> <td>- </td> <td>-</td> </tr> <tr> <td>11. Install verified packages only</td> <td>- </td> <td> -</td> <td>- </td> <td>-</td> </tr> </tbody> </table></div> <p>and <code>Dockle</code> can detect <a href="https://blog.aquasec.com/cve-2019-5021-alpine-docker-image-vulnerability" rel="noopener noreferrer">CVE-2019-5021</a> and some other securityholes.</p> <h1> Use Dockle </h1> <p>You can start easy!</p> <h2> Homebrew (<a href="https://brew.sh/" rel="noopener noreferrer">Mac</a> / <a href="https://docs.brew.sh/Homebrew-on-Linux" rel="noopener noreferrer">Linux</a>) </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span><span class="nb">export </span><span class="nv">DOCKER_CONTENT_TRUST</span><span class="o">=</span>1 <span class="nv">$ </span>docker build <span class="nt">-t</span> test-image:v1 <span class="nb">.</span> <span class="nv">$ </span>brew <span class="nb">install </span>goodwithtech/dockle/dockle <span class="nv">$ </span>dockle test-image:v1 </code></pre> </div> <h2> Linux </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span><span class="nb">export </span><span class="nv">DOCKER_CONTENT_TRUST</span><span class="o">=</span>1 <span class="nv">$ </span>docker build <span class="nt">-t</span> test-image:v1 <span class="nb">.</span> <span class="nv">$ VERSION</span><span class="o">=</span><span class="si">$(</span> curl <span class="nt">--silent</span> <span class="s2">"https://api.github.com/repos/goodwithtech/dockle/releases/latest"</span> | <span class="se">\</span> <span class="nb">grep</span> <span class="s1">'"tag_name":'</span> | <span class="se">\</span> <span class="nb">sed</span> <span class="nt">-E</span> <span class="s1">'s/.*"v([^"]+)".*/\1/'</span> <span class="se">\</span> <span class="si">)</span> <span class="o">&amp;&amp;</span> curl <span class="nt">-L</span> <span class="nt">-o</span> dockle.tar.gz https://github.com/goodwithtech/dockle/releases/download/v<span class="k">${</span><span class="nv">VERSION</span><span class="k">}</span>/dockle_<span class="k">${</span><span class="nv">VERSION</span><span class="k">}</span>_Linux-64bit.tar.gz <span class="nv">$ </span><span class="nb">tar </span>zxvf dockle.tar.gz <span class="nv">$ </span>./dockle test-image:v1 </code></pre> </div> <h2> Windows </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span><span class="nb">export </span><span class="nv">DOCKER_CONTENT_TRUST</span><span class="o">=</span>1 <span class="nv">$ </span>docker build <span class="nt">-t</span> test-image:v1 <span class="nb">.</span> <span class="nv">$ VERSION</span><span class="o">=</span><span class="si">$(</span> curl <span class="nt">--silent</span> <span class="s2">"https://api.github.com/repos/goodwithtech/dockle/releases/latest"</span> | <span class="se">\</span> <span class="nb">grep</span> <span class="s1">'"tag_name":'</span> | <span class="se">\</span> <span class="nb">sed</span> <span class="nt">-E</span> <span class="s1">'s/.*"v([^"]+)".*/\1/'</span> <span class="se">\</span> <span class="si">)</span> <span class="o">&amp;&amp;</span> curl <span class="nt">-L</span> <span class="nt">-o</span> dockle.zip https://github.com/goodwithtech/dockle/releases/download/v<span class="k">${</span><span class="nv">VERSION</span><span class="k">}</span>/dockle_<span class="k">${</span><span class="nv">VERSION</span><span class="k">}</span>_Windows-64bit.zip <span class="nv">$ </span>unzip dockle.zip <span class="o">&amp;&amp;</span> <span class="nb">rm </span>dockle.zip <span class="nv">$ </span>./dockle.exe test-image:v1 </code></pre> </div> <p>You can check installation <a href="https://github.com/goodwithtech/dockle#installation" rel="noopener noreferrer">here</a>.</p> <p>Run Result is here.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fta15xwyttwh1uv3n5ync.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fta15xwyttwh1uv3n5ync.png" alt="passed"></a><br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fta15xwyttwh1uv3n5ync.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fta15xwyttwh1uv3n5ync.png" alt="failed"></a></p> <h1> Check in CI </h1> <p>You can use <a href="https://github.com/knqyf263/trivy" rel="noopener noreferrer">Trivy</a> instead of <a href="https://github.com/coreos/clair" rel="noopener noreferrer">Clair</a>.<br> Trivy is easy to start and supports library packages and better accuracy than Clair.</p> <h2> CircleCI </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <p><span class="na">jobs</span><span class="pi">:</span><br> <span class="na">build</span><span class="pi">:</span><br> <span class="na">docker</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker:18.09-git</span><br> <span class="na">steps</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="s">checkout</span><br> <span class="pi">-</span> <span class="s">setup_remote_docker</span><br> <span class="pi">-</span> <span class="na">restore_cache</span><span class="pi">:</span><br> <span class="na">key</span><span class="pi">:</span> <span class="s">vulnerability-db</span><br> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span><br> <span class="na">name</span><span class="pi">:</span> <span class="s">Build image</span><br> <span class="na">command</span><span class="pi">:</span> <span class="s">docker build -t ci-test:${CIRCLE_SHA1} .</span><br> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span><br> <span class="na">name</span><span class="pi">:</span> <span class="s">Install dockle</span><br> <span class="na">command</span><span class="pi">:</span> <span class="pi">|</span><br> <span class="s">apk add --update curl</span><br> <span class="s">VERSION=$(</span><br> <span class="s">curl --silent "<a href="https://api.github.com/repos/goodwithtech/dockle/releases/latest" rel="noopener noreferrer">https://api.github.com/repos/goodwithtech/dockle/releases/latest</a>" | &lt;/span&gt;<br> <span class="s">grep '"tag_name":' | &lt;/span&gt;<br> <span class="s">sed -E 's/.<em>"v([^"]+)".</em>/\1/'</span><br> <span class="s">)</span></span></span></p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> &lt;span class="s"&gt;wget https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.tar.gz&lt;/span&gt; &lt;span class="s"&gt;tar zxvf dockle_${VERSION}_Linux-64bit.tar.gz&lt;/span&gt; &lt;span class="s"&gt;mv dockle /usr/local/bin&lt;/span&gt; &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;run&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;Scan the local image with dockle&lt;/span&gt; &lt;span class="na"&gt;command&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;dockle --exit-code 1 ci-test:${CIRCLE_SHA1}&lt;/span&gt; &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;run&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;Install trivy&lt;/span&gt; &lt;span class="na"&gt;command&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;|&lt;/span&gt; &lt;span class="s"&gt;apk add --update curl&lt;/span&gt; &lt;span class="s"&gt;VERSION=$(&lt;/span&gt; &lt;span class="s"&gt;curl --silent "https://api.github.com/repos/knqyf263/trivy/releases/latest" | \&lt;/span&gt; &lt;span class="s"&gt;grep '"tag_name":' | \&lt;/span&gt; &lt;span class="s"&gt;sed -E 's/.*"v([^"]+)".*/\1/'&lt;/span&gt; &lt;span class="s"&gt;)&lt;/span&gt; &lt;span class="s"&gt;wget https://github.com/knqyf263/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz&lt;/span&gt; &lt;span class="s"&gt;tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz&lt;/span&gt; &lt;span class="s"&gt;mv trivy /usr/local/bin&lt;/span&gt; &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;run&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;Scan the local image with trivy&lt;/span&gt; &lt;span class="na"&gt;command&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;trivy --exit-code 1 --quiet --auto-refresh trivy-ci-test:${CIRCLE_SHA1}&lt;/span&gt; &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;save_cache&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="na"&gt;key&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;vulnerability-db&lt;/span&gt; &lt;span class="na"&gt;paths&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;$HOME/.cache/trivy&lt;/span&gt; </code></pre> </div> <p><span class="na">workflows</span><span class="pi">:</span><br> <span class="na">version</span><span class="pi">:</span> <span class="m">2</span><br> <span class="na">release</span><span class="pi">:</span><br> <span class="na">jobs</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="s">build</span></p> </code></pre> </div> <h2> <br> <br> <br> TravisCI<br> </h2> <br> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <p><span class="na">services</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="s">docker</span></p> <p><span class="na">env</span><span class="pi">:</span><br> <span class="na">global</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="s">COMMIT=${TRAVIS_COMMIT::8}</span></p> <p><span class="na">before_install</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="s">docker build -t ci-test:${COMMIT} .</span><br> <span class="pi">-</span> <span class="s">export DOCKLE_VERSION=$(curl --silent "<a href="https://api.github.com/repos/goodwithtech/dockle/releases/latest" rel="noopener noreferrer">https://api.github.com/repos/goodwithtech/dockle/releases/latest</a>" | grep '"tag_name":' | sed -E 's/.<em>"v([^"]+)".</em>/\1/')</span><br> <span class="pi">-</span> <span class="s">wget <a href="https://github.com/goodwithtech/dockle/releases/download/v$%7BDOCKLE_VERSION%7D/dockle_$%7BDOCKLE_VERSION%7D_Linux-64bit.tar.gz" rel="noopener noreferrer">https://github.com/goodwithtech/dockle/releases/download/v${DOCKLE_VERSION}/dockle_${DOCKLE_VERSION}_Linux-64bit.tar.gz</a></span><br> <span class="pi">-</span> <span class="s">tar zxvf dockle_${DOCKLE_VERSION}<em>Linux-64bit.tar.gz</em></span><br> <span class="pi">-</span> <span class="s">export TRIVY_VERSION=$(curl --silent "<a href="https://api.github.com/repos/knqyf263/trivy/releases/latest" rel="noopener noreferrer">https://api.github.com/repos/knqyf263/trivy/releases/latest</a>" | grep '"tag_name":' | sed -E 's/.<em>"v([^"]+)".</em>/\1/')</span><br> <span class="pi">-</span> <span class="s">wget <a href="https://github.com/knqyf263/trivy/releases/download/v$%7BTRIVY_VERSION%7D/trivy" rel="noopener noreferrer">https://github.com/knqyf263/trivy/releases/download/v${TRIVY_VERSION}/trivy</a>${TRIVY_VERSION}<em>Linux-64bit.tar.gz</em></span><br> <span class="pi">-</span> <span class="s">tar zxvf trivy${TRIVY_VERSION}_Linux-64bit.tar.gz</span><br> <span class="na">script</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="s">./dockle --exit-code 1 ci-test:${COMMIT}</span><br> <span class="pi">-</span> <span class="s">./trivy --exit-code 1 --quiet --auto-refresh ci-test:${COMMIT}</span><br> <span class="na">cache</span><span class="pi">:</span><br> <span class="na">directories</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="s">$HOME/.cache/trivy</span></p> </code></pre> </div> <h1> <br> <br> <br> Conclusion<br> </h1> <p>You can check your Docker Container Images to use <code>Dockle</code> and <code>Trivy</code>!<br> These are OSS tools.</p> <p>If you feel like I missed something, got some details wrong, or just want to say hi, please feel free to leave a comment below or reach out to me on <a href="https://github.com/tomoyamachi" rel="noopener noreferrer">GitHub</a> or <a href="https://twitter.com/tomoyamachi" rel="noopener noreferrer">Twitter</a>.</p> docker security container