docker-bench-security VS hadolint

# Clone Docker Bench git clone https://github.com/docker/docker-bench-security.git cd docker-bench-security # Run the audit docker run -it --net host --pid host --userns host --cap-add audit_control \ -v /var/lib/docker:/var/lib/docker \ -v /etc/docker:/etc/docker \ docker/docker-bench-security

Docker Security GitHub Repository

Regular security audits are crucial for maintaining the security of your Docker environment. Docker Bench for Security is a script that checks for dozens of common best practices around deploying Docker containers in production.

Scanning your container images for vulnerabilities is a good approach. But this scanning is not one time job, it should be done regularly (weekly, monthly, etc.) You need to follow vulnerability reports and fix all of the vulnerabilities as soon as possible. I recommend some open-source tools that could be useful: Trivy, Docker-Bench, Grype.

For Docker configuration I have used this in the past (it utilizes the CIS Docker Benchmark): https://github.com/docker/docker-bench-security

So the main tool to scan against the CIS Docker benchmark (I'm presuming that's the one you're interested in) is https://github.com/docker/docker-bench-security .

git clone https://github.com/docker/docker-bench-security.git cd docker-bench-security sudo sh docker-bench-security.sh

when deploying images on cloud, I always run it thru "docker bench security" It helps finding potential security holes in my images.

Use Docker Bench for Security to audit your container images

What bugged me was the asymmetry. Kubernetes and Terraform have a deep bench of scanners: Checkov, Trivy, kube-bench, Kubescape. Compose is an afterthought in most of them. The Compose-specific tools I found solved adjacent problems instead. Hadolint lints Dockerfiles, not Compose files. dclint checks Compose structure and style, not security.

# .pre-commit-config.yaml repos: - repo: https://github.com/Yelp/detect-secrets rev: v1.4.0 hooks: - id: detect-secrets args: ['--baseline', '.secrets.baseline'] exclude: 'tests/.*|\.lock$' - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.5.0 hooks: - id: check-added-large-files args: ['--maxkb=500'] - id: check-merge-conflict - id: detect-private-key - id: no-commit-to-branch args: ['--branch', 'main'] - repo: https://github.com/hadolint/hadolint rev: v2.12.0 hooks: - id: hadolint-docker name: Lint Dockerfiles

hadolint Description: Dockerfile linter, validate inline bash, written in Haskell. What we like: Well-maintained over the long term, active development, works very well. A true 12-factor application - can even be configured via environment vars! What we don't like: No JSON output. Extras: Lint Dockerfiles online

Hadolint Dockerfile Linter

Hadolint — Linter for your Dockerfile

[Source: Hadolint on GitHub]

One such linter is hadolint. It parses a Dockerfile and shows a warning for any errors that do not match its best practice rules.

Like hadolint: Dockerfile linter, validate inline bash, written in Haskell; Purescript, Unison, Idris languages implemented in Haskell. I recommend to check ideas behinds those projects. Especially Unison's mind-blowing something naive idea about infinite computational resources.

3. Hadolint: https://github.com/hadolint/hadolint Hadolint is a Dockerfile linter that helps you build best practice Docker images, reducing vulnerabilities in your container configurations.