Audit your DockerFile with ConfTest

Hi!

In this article, I will show you how you can audit your DockerFile with ConfTest.

This tool will help you to write tests against structured configuration data. Using Conftest you can write tests for your Kubernetes configuration, Terraform code, Serverless configs or any other config files.

For this blog post, we will create a ConfTest policies in rego to audit a DockerFile. In this DockerFile, I have included few bad practices and security weakness:

  • Hardcoded tokens
  • Looking for ADD command instead using COPY command
  • Usage of sudo
FROM ubuntu:latest
LABEL MAINTAINER "Maxime"

ENV SECRET AAAAAAAAAAAAAAAAAAA
ENV GITLAB_API_ID aaaaaaaaaaaaaaaaaaaaaaaaaaaaa 

WORKDIR /app

ADD app /app
COPY README.md /app/README.md
ADD code /tmp/code
RUN sudo apt-get udpate

RUN apt-get update && apt-get install -y htop

CMD ["/bin/bash", "/app/entrypoint.sh"]

Now, we will create a security policy to detect the previous security weakness:

package main

suspicious_env_keys = [
    "passwd",
    "password",
    "secret",
    "key",
    "access",
    "api_key",
    "apikey",
    "token",
]


# Looking for suspicious environemnt variables
deny[msg] {    
    input[i].Cmd == "env"
    val := input[i].Value
    contains(lower(val[_]), suspicious_env_keys[_])
    msg = sprintf("Suspicious ENV key found: %s", [val])
}

# Looking for ADD command instead using COPY command
deny[msg] {
    input[i].Cmd == "add"
    val := concat(" ", input[i].Value)
    msg = sprintf("Use COPY instead of ADD: %s", [val])
}

# sudo usage
deny[msg] {
    input[i].Cmd == "run"
    val := concat(" ", input[i].Value)
    contains(lower(val), "sudo")
    msg = sprintf("Avoid using 'sudo' command: %s", [val])
}

Install ConfTest: https://www.conftest.dev/install/ and run the analyze with the following command:

conftest test Dockerfile

Maxime.

Démarrez une conversation

Votre adresse e-mail ne sera pas publiée.