madhuakula
Published in

madhuakula

Dockerfile Security Checks using OPA Rego Policies with Conftest

Photo by Glenn Carstens-Peters on Unsplash

Docker is everywhere! In modern day to day development and operations, we use Docker images and containers to run our applications ranging from developer laptop, raspberry pi, staging servers to including production environments.

As we use modern technologies and tools, we tend to forget securing them while building and serving customers. That is why we can write and codify our security into policies and validate them against the Dockerfiles (Infrastructure as a Code) to identify the potential security risks before deploying them into production.

What is Conftest?

Conftest is a utility to help you write tests against structured configuration data. For instance you could write tests for your Kubernetes configurations, Terraform code, Serverless configs or any other structured data. In our context, we will use it to write validation policies for deprecated Kubernetes API versions.

Conftest relies on the Rego language from Open Policy Agent for writing the assertions. You can read more about Rego in How do I write policies in the Open Policy Agent documentation.

What is OPA (Open Policy Agent)?

The Open Policy Agent (OPA, pronounced “oh-pa”) is an open source, general-purpose policy engine that unifies policy enforcement across the stack. OPA provides a high-level declarative language that let’s you specify policy as code and simple APIs to offload policy decision-making from your software.

What is docker-security-checker?

docker-security-checker uses open policy agent rego policies for Dockerfile security checks using Conftest.

Checkout more information at https://github.com/madhuakula/docker-security-checker

How to write a simple rego policy for Dockerfile?

The below is simplest example of a rego policy for identifying if the Dockerfile is using ADDinstead of COPY command in the Dockerfile.

deny[msg] {   input[i].Cmd == "add"   val := concat(" ", input[i].Value)   msg = sprintf("Use COPY instead of ADD: %s", [val])}

Here in the above example input contains the Dockerfile in a JSON format and we are looking for any command we find ADD and if we find in the Dockerfile we are returning the deny message.

This is much simplified by using Conftest, also it supports multiple different files, formats like Kubernetes manifests, terraform, ini, etc. to build your own policies with OPA checkout examples at https://www.conftest.dev/examples/

Running conftest docker security policies

You can run the conftest using the following command, which by default pickup the policies from policy directory.

conftest test Dockerfile

Now you can see similar output

WARN - Dockerfile - Do not use latest tag with image: ["ubuntu:latest"]
FAIL - Dockerfile - Suspicious ENV key found: ["SECRET", "AKIGG23244GN2344GHG"]
FAIL - Dockerfile - Use COPY instead of ADD: app /app
FAIL - Dockerfile - Use COPY instead of ADD: code /tmp/code

5 tests, 1 passed, 1 warning, 3 failures

Try out yourself

I had built this scenario to try out your self to learn and practice rather reading it and forgetting ;)

You can practice this scenario at katacoda playground https://katacoda.com/madhuakula/scenarios/docker-security-checker

https://katacoda.com/madhuakula/scenarios/docker-security-checker

Some ideas to take this forward

  • Adding this checks in CI/CD pipeline as part of the DevSecOps
  • Also, integrating these checks at your Kubernetes clusters as a DaemonSet to look for Kubernetes Objects for any security misconfigurations and issue in near real-time
  • Many more…
  • Please feel free to contribute and add more feedback/issues/PR at https://github.com/madhuakula/docker-security-checker

References to learn more

I just started learning more and more about Open Policy Agent and writing security policies using conftest. But you can explore more about them and write your own policies using below resources.

  1. Open Policy Agent
  2. Rego Policy Reference
  3. Rego Playground
  4. Conftest.Dev

Thanks for reading this article. If you enjoyed it please let me know by clicking that clap below :)

--

--

--

Thoughts, stories and ideas.

Recommended from Medium

Four Basic Ways to Automate Data Extraction

Using GraphQL .NET Client in .NET 5

Day 27 — Baseball Game

Backup And Restore EKS Kubernetes Using Velero.

Automate HTTPS Certificates with Ansible Roles ft. Let’s Encrypt & CloudFlare

What is Cloud Native, Anyway?

Start with Django

How to get Dark/Night Mode on Medium in your browser?

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Madhu Akula

Madhu Akula

Leader, Advisor, Author, Speaker & Trainer | #Security #CloudNative, #Kubernetes, #DevSecOps, #DevOps | Tweets @madhuakula | Never ending learner!

More from Medium

Never experiment and use Google Cloud Platform

Automate GKE deployments using Cloud Build and Cloud Deploy

Deploying Kafka Cluster with Zookeeper on GCP — The hard way

Software Supply Chain Security with Binary Authorization and Cloud Build