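#!/usr/bin/env bash
#
# docker_sec_check.sh — lint a Dockerfile (Hadolint), audit an image against
# container best practices (Dockle) and scan it for known vulnerabilities
# (Trivy), then render all JSON findings into one HTML report.
#
# Prerequisites: Docker is installed and the current user is a member of the
# docker group ($groups):
#   sudo apt-get install docker.io && sudo usermod -a -G docker "$(whoami)"
#
# Environment (all optional; defaults are the original pipeline values):
#   DOCKERFILE            path the sample Dockerfile is saved to
#   DOCKERIMAGE           image reference to scan
#   SHOWSTOPPER_PRIORITY  Trivy severity that fails the build
#   TRIVYCACHE            Trivy cache directory (created under docker_tools/)
#   ARTIFACT_FOLDER       directory for the JSON artifacts
#   HADOLINT_SHA256, DOCKLE_SHA256, TRIVY_SHA256
#                         expected SHA-256 of the corresponding release
#                         asset; when set, the download is verified before
#                         it is executed. Unset means "download unverified"
#                         (a warning is printed), which is the original
#                         behaviour.
#
# Exit status: non-zero if any setup/download step fails, or if Trivy finds
# at least one vulnerability of SHOWSTOPPER_PRIORITY. The gate result is
# deferred until the HTML report has been written so the artifacts always
# exist for inspection.
set -euo pipefail

die() { printf '[-] %s\n' "$*" >&2; exit 1; }
log() { printf '[+] %s\n' "$*"; }

#######################################
# Resolve the latest release version of a GitHub repository.
# Arguments: $1 - owner/repo
# Outputs:   version without the leading "v" on stdout
# Returns:   non-zero if the API call fails or no tag_name could be parsed
#            (e.g. the unauthenticated API rate limit was hit), so the caller
#            never builds a download URL with an empty version
#######################################
latest_release() {
  local repo=$1 version
  version=$(wget -q -O - "https://api.github.com/repos/${repo}/releases/latest" \
    | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/') || return
  [[ -n "$version" ]] || return 1
  printf '%s\n' "$version"
}

#######################################
# Download a release asset and verify its SHA-256 when an expected value
# is supplied. The asset is executed later, so a mismatch is fatal.
# Arguments: $1 - URL
#            $2 - destination file name
#            $3 - expected SHA-256 hex digest (empty to skip verification)
# Returns:   non-zero on download failure; exits on checksum mismatch
#######################################
fetch_asset() {
  local url=$1 dest=$2 expected=${3:-}
  wget -nv --no-cache -O "$dest" "$url" || return
  if [[ -n "$expected" ]]; then
    printf '%s  %s\n' "$expected" "$dest" | sha256sum -c --quiet \
      || die "checksum mismatch for ${dest}"
  else
    printf '[!] %s downloaded without integrity verification; set the matching *_SHA256 variable to pin it\n' \
      "$dest" >&2
  fi
}

main() {
  log "Setting environment variables"
  export DOCKERFILE="${DOCKERFILE:-Dockerfile}"
  export DOCKERIMAGE="${DOCKERIMAGE:-bkimminich/juice-shop}"
  export SHOWSTOPPER_PRIORITY="${SHOWSTOPPER_PRIORITY:-CRITICAL}"
  export TRIVYCACHE="${TRIVYCACHE:-.trivy_cache}"
  export ARTIFACT_FOLDER="${ARTIFACT_FOLDER:-json}"

  log "Installing required packages"
  sudo apt-get update
  sudo apt-get install -y python3 python3-pip rpm git

  log "Preparing necessary directories"
  # -p keeps re-runs working instead of failing on an existing directory
  mkdir -p docker_tools
  cd docker_tools || die "cannot cd to docker_tools"
  mkdir -p -- "$TRIVYCACHE" "$ARTIFACT_FOLDER"

  log "Fetching sample Dockerfile"
  wget -O "$DOCKERFILE" https://raw.githubusercontent.com/Swordfish-Security/docker_cicd/master/mydockerfile.df
  log "Pulling image to scan"
  docker pull "$DOCKERIMAGE"

  # Hadolint: Dockerfile linting. Findings are informational only, so a
  # non-zero lint status must not abort the script under set -e.
  log "Running Hadolint"
  VERSION=$(latest_release hadolint/hadolint) || die "cannot resolve latest hadolint release"
  export VERSION
  fetch_asset "/~https://github.com/hadolint/hadolint/releases/download/v${VERSION}/hadolint-Linux-x86_64" \
    hadolint-Linux-x86_64 "${HADOLINT_SHA256:-}"
  chmod +x hadolint-Linux-x86_64
  ./hadolint-Linux-x86_64 -f json "$DOCKERFILE" > "$ARTIFACT_FOLDER/hadolint_results.json" || true
  # show results
  ./hadolint-Linux-x86_64 "$DOCKERFILE" || true

  # Dockle: image best-practice audit. --exit-code 1 reports findings through
  # the status; it is logged but does not gate the build (only Trivy does).
  log "Running Dockle"
  VERSION=$(latest_release goodwithtech/dockle) || die "cannot resolve latest dockle release"
  export VERSION
  fetch_asset "/~https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.tar.gz" \
    dockle_Linux-64bit.tar.gz "${DOCKLE_SHA256:-}"
  tar zxf dockle_Linux-64bit.tar.gz
  ./dockle --exit-code 1 -f json --output "$ARTIFACT_FOLDER/dockle_results.json" "$DOCKERIMAGE" \
    || printf '[!] dockle reported findings (exit %d)\n' "$?" >&2
  # show results
  ./dockle "$DOCKERIMAGE" || true

  # Trivy: vulnerability scan.
  log "Running Trivy"
  VERSION=$(latest_release knqyf263/trivy) || die "cannot resolve latest trivy release"
  export VERSION
  fetch_asset "/~https://github.com/knqyf263/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz" \
    trivy_Linux-64bit.tar.gz "${TRIVY_SHA256:-}"
  tar zxf trivy_Linux-64bit.tar.gz
  # writing findings into json file
  ./trivy --cache-dir "$TRIVYCACHE" -f json -o "$ARTIFACT_FOLDER/trivy_results.json" --exit-code 0 --quiet "$DOCKERIMAGE"
  # just a neat output instead of pure json
  ./trivy --cache-dir "$TRIVYCACHE" --exit-code 0 "$DOCKERIMAGE"
  # Build gate: non-zero if there is at least 1 vulnerability of the defined
  # severity. The status is captured here and applied after the report is
  # generated; previously it was silently lost and the script always exited 0.
  local gate_rc=0
  ./trivy -d --cache-dir "$TRIVYCACHE" --exit-code 1 --severity "$SHOWSTOPPER_PRIORITY" --quiet "$DOCKERIMAGE" \
    || gate_rc=$?

  log "Removing left-overs"
  # -f: the tarballs' LICENSE/README.md may be absent on a partial run
  rm -f -- *.tar.gz LICENSE README.md

  # HTML results from all tools' outputs
  log "Making the output look pretty"
  # NOTE(review): json2html is installed unpinned from PyPI; pin a version
  # (and ideally a hash) for reproducible CI runs.
  pip3 install json2html
  wget -nv --no-cache -O convert_json_results.py https://raw.githubusercontent.com/Swordfish-Security/docker_cicd/master/convert_json_results.py
  python3 ./convert_json_results.py

  # Collect the results in docker_tools/results.html
  log "Everything is done. Find the resulting HTML report in results.html"
  if (( gate_rc != 0 )); then
    die "Trivy found at least one ${SHOWSTOPPER_PRIORITY} vulnerability in ${DOCKERIMAGE} (exit ${gate_rc})"
  fi
}

main "$@"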