DevSecOps series No. 2 — Automatic checking Dockerfiles for security
--
A lot of was written about Docker security and how to create secure Dockefiles. You can reach on Google about security tips and best practices.
This is nice but still there’s a big problem to solve: how to automate the security checking.
Steps for building a Docker image
Create a docker image have two steps:
- Write the Dockerfile.
- Build the Docker image from this Dockerfile.
In this case we’ll be focus on the first part of the problem: the content of the Dockerfile (In next posts I’ll cover security checks for built images).
Automating security checking for Dockefiles
Usually security teams have limited resources. So the only way to include security in the development pipeline is automating the process.
It doesn’t matter the pipeline system you’re using (Jenkins, Bamboo, Github actions, Gitlab pipelines, Bitbucket pipelines…) the concept must be the same: stop building process when a critical issues was found in the Dockerfile.
At this point probably you’re going to Github for finding some automatic tool to check security issues on Dockerfiles. Don’t worry. I did for you.
The most interesting tool that I found were two:
- Hadolint: https://github.com/hadolint/hadolint
- Dockerfile-security: https://github.com/cr0hn/dockerfile-security (spoiler, I’m the author of it)
Let’s analyse both.
Hadolint
Hadolint is really nice tool. It’s rule based and have a lot of builtin rules, and not only for security.
It’s a single binary tool. Very fast and written in Haskell. Furthermore has a lot of options to customise the analysis.
The project has an online version of the tool that you can use without install anything in your computer:
Dockerfile-security
Dockerfile-security it less ambitious tool than Hadolint. It’s more simple and was designed to be used in a C.I. (Continuous Integration) system.
This tool is focused in security. It’s rule based, like Hadolint. It’s fast too and was written in Python and can installed with Python package manager pip.
It provides some builtin generic rules (called core rules) and some others for specific scenarios (Java specific rules, for example).
Hadolint vs Dockerfile-security
Both have their own strengths and weakness.
Hadolint Pros
- A wide number of builtin rules, not only for security.
- Independent binary.
- Very fast.
- Friendly feedback for found issues.
- Online version
Hadolint Cons
- Hadolint is written in Haskell os if you need to include a new rule you must write your rule in Haskell and compile the tool again.
- Hadolint doesn’t has any option to export results in a parseable format, like JSON o XML.
Dockerfile-security Pros
- Security focussed.
- DevSecOps focussed.
- Very fast.
- Friendly feedback for found issues.
- Add new rules is very simple. Rules are plain YAML text based.
- Rules can be got from remote sites, providing the full URL.
- Results could be exported as a JSON file.
Dockerfile-security Cons
- Rules are simpler than Hadolint.
- It’s not an independent binary.
Which use, Hadolint or Dockefile-security
There’s not a correct answer. It depends of your needs:
- If you not only need security rules, Hadolint could be a good option.
- If you need your own custom rules, Dockerfile-security is best choice.
There’re a third option: Why limit to use only one? why not use both? Both are very fast and easy to integrate. So… Why not?
More posts about DevSecOps series
Previous post: DevSecOps series No 1 — Breaking the CI/CD by using evil Git repositories
Next post: DevSecOps series No 3 — Old-fashion issues in DevOps: Zip Bombs
