| | docker-bench-security | all-in-one |
|---|---|---|
| Mentions | 13 | 192 |
| Stars | 8,916 | 4,142 |
| Growth | 0.7% | 6.2% |
| Activity | 5.9 | 9.9 |
| Latest commit | 20 days ago | 4 days ago |
| Language | Shell | PHP |
| License | Apache License 2.0 | GNU Affero General Public License v3.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
docker-bench-security
- Understanding Container Security
Scanning your container images for vulnerabilities is a good approach. But this scanning is not a one-time job; it should be done regularly (weekly, monthly, etc.). You need to follow vulnerability reports and fix all of the vulnerabilities as soon as possible. I recommend some open-source tools that could be useful: Trivy, Docker-Bench, Grype.
- Security docker app
For Docker configuration I have used this in the past (it utilizes the CIS Docker Benchmark): https://github.com/docker/docker-bench-security
- What's your favourite Docker Image, and why?
- Docker image scan against cis benchmark
So the main tool to scan against the CIS Docker benchmark (I'm presuming that's the one you're interested in) is https://github.com/docker/docker-bench-security .
- How to enhance container security using Docker Bench
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
sudo sh docker-bench-security.sh
- Importing certificates into containers
When deploying images on cloud, I always run them through "docker bench security". It helps find potential security holes in my images.
- How to Secure Your Kubernetes Clusters With Best Practices
Use Docker Bench for Security to audit your container images
- Container security best practices: Comprehensive guide
Other tools you can use are linux-bench, docker-bench, kube-bench, kube-hunter, kube-striker, Cloud Custodian, OVAL, and OS Query.
- hardening my container: am i doing things right?
- What do you have within your pipelines to ensure that containers deployed are secure?
I run https://github.com/docker/docker-bench-security against my environment. I would determine what was non-applicable/not scored and then start with scored. Then I would do the not-scored ones. My team had made their own Dockerfiles when I started and just grabbed whatever image/version, and getting things baselined was not fun. I had to do this for docker-compose and stay on version 2 yml as otherwise I had to go to swarm.
all-in-one
- 15 open-source tools to elevate your software design workflow
Link | Demo | Github | License
- Nextcloud install
If you aren't super technical, please please go for the all-in-one. The manual docker image is super complicated for an inexperienced user. I'm super well at home in Linux and command lines and I wouldn't even CONSIDER doing it the manual way. The AIO is hard enough, and orders of magnitude simpler. Don't even think about docker compose or all that stuff - go to https://github.com/nextcloud/all-in-one/ and follow that...
- Local-only instance and ACME challenge
Newbie to NC here, hosting at home. Reading through the local-only guide and have a couple of questions, if you don't mind:
- Nextcloud AIO Behind NGINX Proxy Manager
I followed https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
- PfSense HaProxy sample config
- NextCloud Docker
Or this one? https://github.com/nextcloud/all-in-one
- NC AIO - Local instance - OpenWrt
I can't figure out the steps to get things running locally. (https://github.com/nextcloud/all-in-one/blob/main/local-instance.md) I'm trying the docker AIO for Windows, and I think I'm on step 2. I've pasted the steps from the link over. I hope for some guidance here :)
- More AIO image troubles

```yaml
version: "3.8"
services:
  nextcloud:
    image: nextcloud/all-in-one:latest
    restart: always
    container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed as otherwise AIO will not work correctly
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
      - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
    ports:
      # - 38983:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      - 38984:8080
      # - 38985:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
    environment: # Is needed when using any of the options below
      - APACHE_PORT=11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      - APACHE_IP_BINDING=0.0.0.0 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      - NEXTCLOUD_DATADIR=/storage/nextcloud/data # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
      - WATCHTOWER_DOCKER_SOCKET_PATH=/var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. Otherwise mastercontainer updates will fail. For macos it needs to be '/var/run/docker.sock'
      - SKIP_DOMAIN_VALIDATION=true

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line is not allowed to be changed as otherwise the built-in backup solution will not work
```
- NextCloud AIO in Portainer on OpenMediaVault - Installation Issues

```yaml
services:
  nextcloud:
    image: nextcloud/all-in-one:latest
    restart: always
    container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed as otherwise AIO will not work correctly
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
      - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
    ports:
      - 81:81 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      - 8080:8080
      - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
    environment: # Is needed when using any of the options below
      # - AIO_DISABLE_BACKUP_SECTION=false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section
      - APACHE_PORT=11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      - APACHE_IP_BINDING=0.0.0.0 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      # - BORG_RETENTION_POLICY=--keep-within=7d --keep-weekly=4 --keep-monthly=6 # Allows to adjust borgs retention policy. See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy
      # - COLLABORA_SECCOMP_DISABLED=false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
      # - NEXTCLOUD_DATADIR=/mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
      # - NEXTCLOUD_MOUNT=/mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host
      - NEXTCLOUD_UPLOAD_LIMIT=500G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
      - NEXTCLOUD_MAX_TIME=10800 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud
      - NEXTCLOUD_MEMORY_LIMIT=1536M # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud
      # - NEXTCLOUD_TRUSTED_CACERTS_DIR=/path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nextcloud container (Useful e.g. for LDAPS). See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca
      # - NEXTCLOUD_STARTUP_APPS=deck twofactor_totp tasks calendar contacts notes # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. See https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup
      # - NEXTCLOUD_ADDITIONAL_APKS=imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
      # - NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
      # - NEXTCLOUD_ENABLE_DRI_DEVICE=true # This allows to enable the /dev/dri device in the Nextcloud container. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud
      # - TALK_PORT=3478 # This allows to adjust the port that the talk container is using. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port
      # - WATCHTOWER_DOCKER_SOCKET_PATH=/var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. Otherwise mastercontainer updates will fail. For macos it needs to be '/var/run/docker.sock'
      - SKIP_DOMAIN_VALIDATION=true
    # networks: # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
    #   - nextcloud-aio # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file

  # # Optional: Caddy reverse proxy. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
  # # You can find further examples here: https://github.com/nextcloud/all-in-one/discussions/588
  # caddy:
  #   image: caddy:alpine
  #   restart: always
  #   container_name: caddy
  #   volumes:
  #     - ./Caddyfile:/etc/caddy/Caddyfile
  #     - ./certs:/certs
  #     - ./config:/config
  #     - ./data:/data
  #     - ./sites:/srv
  #   network_mode: "host"

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line is not allowed to be changed as otherwise the built-in backup solution will not work

# # Optional: If you need ipv6, follow step 1 and 2 of https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md first and then uncomment the below config in order to activate ipv6 for the internal nextcloud-aio network.
# # Please make sure to uncomment also the networking lines of the mastercontainer above in order to actually create the network with docker-compose
# networks:
#   nextcloud-aio:
#     name: nextcloud-aio # This line is not allowed to be changed as otherwise the created network will not be used by the other containers of AIO
#     driver: bridge
#     enable_ipv6: true
#     ipam:
#       driver: default
#       config:
#         - subnet: fd12:3456:789a:2::/64 # IPv6 subnet to use
```
- Help with local server setup
It is basically all images and services pre-configured to host a single Nextcloud instance. Check this page https://github.com/nextcloud/all-in-one
What are some alternatives?
hadolint - Dockerfile linter, validate inline bash, written in Haskell
docker - ⛴ Docker image of Nextcloud
kube-bench - Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
NextCloudPi - 📦 Build code for NextcloudPi: Raspberry Pi, Odroid, Rock64, curl installer...
checkov - Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
portainer_templates - Portainer Version 2 Template and Self-Hosting Cookbook. A Series of Tools, Tutorials/Instructions, and Links to help you create your very own Self-Hosting System and Lab Sandbox!
gosec - Go security checker
nextcloud-snap - ☁️📦 Nextcloud packaged as a snap
SonarQube - Continuous Inspection
docker-swag - Nginx webserver and reverse proxy with php support and a built-in Certbot (Let's Encrypt) client. It also contains fail2ban for intrusion prevention.
tfsec - Security scanner for your Terraform code
Nextcloud - ☁️ Nextcloud server, a safe home for all your data