conftest docker dockerfile infosec opa opa-rego-policies rego security

docker-security-checker

This repository contains OPA Rego policies for Dockerfile Security checks using Conftest

The rego policy rules can be found at policy/security.rego

Sample rego policy for using COPY instead of ADD in Dockerfile

deny[msg] {
    input[i].Cmd == "add"
    val := concat(" ", input[i].Value)
    msg = sprintf("Use COPY instead of ADD: %s", [val])
}

Running the conftest with security policies

Run the following command to test security policies against the Dockerfile

conftest test Dockerfile

Now you can see the below example output

WARN - Dockerfile - Do not use latest tag with image: ["ubuntu:latest"]
FAIL - Dockerfile - Suspicious ENV key found: ["SECRET", "AKIGG23244GN2344GHG"]
FAIL - Dockerfile - Use COPY instead of ADD: app /app
FAIL - Dockerfile - Use COPY instead of ADD: code /tmp/code

5 tests, 1 passed, 1 warning, 3 failures

Try it out yourself

I have created this scenario in katacoda playground to learn and try out yourself

Read more about it at https://blog.madhuakula.com/dockerfile-security-checks-using-opa-rego-policies-with-conftest-32ab2316172f

Contribution

You can add more policies at policy directory with more information by adding comments

About

Dockerfile Security Checker using OPA Rego policies with Conftest

https://blog.madhuakula.com/dockerfile-security-checks-using-opa-rego-policies-with-conftest-32ab2316172f

conftest docker dockerfile infosec opa opa-rego-policies rego security

MIT License

Languages

Language:Open Policy Agent 89.7%Language:Dockerfile 10.3%