hadolint
trivy
Our great sponsors
- InfluxDB - Collect and Analyze Billions of Data Points in Real Time
- Onboard AI - Learn any GitHub repo in 59 seconds
- SaaSHub - Software Alternatives and Reviews
hadolint | trivy | |
---|---|---|
21 | 78 | |
9,171 | 19,405 | |
2.1% | 3.6% | |
0.0 | 9.5 | |
6 days ago | 1 day ago | |
Haskell | Go | |
GNU General Public License v3.0 only | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
hadolint
-
Checkmake: Experimental Linter/Analyzer for Makefiles
Some discussion on that here:
https://github.com/koalaman/shellcheck/issues/58
The hadolint project does shell checking for Dockerfiles and it uses shellcheck:
https://github.com/hadolint/hadolint
So the approach is definitely feasible, but you do need a new project and probably it needs to be written in Haskell.
-
Dokter: the doctor for your Dockerfiles
how does this compare to something like hadolint?
Also, have you run across Hadolint for linting? https://github.com/hadolint/hadolint
-
Are there tools that tell you if you can optimize your dockerfiles?
Wow that's a great tool and it has a ton of integrations https://github.com/hadolint/hadolint/blob/master/docs/INTEGRATION.md
- Dhall: A Gateway Drug to Haskell
- can you recommend active Haskell open source projects?
-
Just Say No To `:Latest`
Worth noting that Hadolint[1] raises warnings the issues mentioned in the article. Some examples of warnings:
- https://github.com/hadolint/hadolint/wiki/DL3007: Using latest is prone to errors if the image will ever update. Pin the version explicitly to a release tag.
-
Kubernetes Security Checklist 2021
Dockerfile should be checked during development by automated scanners (Kics, Hadolint, Conftest)
-
CONTAINER SECURITY
Linters are an effective way to catch (security) bugs early on in your development process. For most programming languages using linters is pretty standard. Hadolint is a linter for your Dockerfiles and is found on github here.
-
Best Practices for R with Docker
Best practices for writing Dockerfiles are being followed more and more often according to this paper after mining more than 10 million Dockerfiles on Docker Hub and GitHub. However, there is still room for improvement. This is where linters come in as useful tools for static code analysis. Hadolint lists lots of rules for Dockerfiles and is available as a VS Code extension.
trivy
- Friends - needs help choosing solution for SBOM vulnerability
-
An Overview of Kubernetes Security Projects at KubeCon Europe 2023
Trivy is a mature and comprehensive open source tool from Aqua Security that supports scanning multiple sources, from file systems to containers and VMs. Trivy also looks beyond vulnerabilities, to scan licenses, secrets, infrastructure as code misconfiguration, and more.
- Best vulnerability scanner for DevOps
-
About Cloudflare Tunnels
I would suggest to think about the thread model that you are facing so you can have a better mental model of the weak points of your environment. The very very big majority of these attacks will be automated probing for publicly known vulnerabilities or default credentials. That means the maintainers of the software you are running and the channels on which their updates are shipped to you and deployed are very important factors. For software that is not installed from a trusted and well maintained source (e.g. Ubuntus main repository), you want to make extra sure that vulnerabilities are updated. E.g. your deployed docker containers might contain security issues, you can run checks on these with tools like trivy. The same is also true for appliances, in case your router or firewall contains a software vulnerability, how will you be notified and how will the required updates be deployed?
- Security docker app
-
Open source container scanning tool to find vulnerabilities and suggest best practice improvements?
https://github.com/aquasecurity/trivy 17k stars, updated 11 hours ago
-
How to scan and control the K8 objects are being created against security threats?
Trivy to scan your Container Image, for example as an Artefact finished building for your application in CI/CD.
-
Creating Safer Containerized PHP Runtimes with Wolfi
The combination of a smaller attack surface and up-to-date, patched packages in Wolfi results in less (always aiming for ZERO) CVEs. This can be demonstrated in the results obtained from Trivy when scanning the most popular PHP images on Docker Hub (with data from March 2, 2023) and comparing them with the Wolfi-based PHP image maintained by Chainguard:
-
nginx proxy manager, v3: is someone testing/using it? Experiences?
There was a discussion, https://github.com/NginxProxyManager/nginx-proxy-manager/discussions/1812 , where docker container where analyzer by Trivy (a securitu scanner) https://github.com/aquasecurity/trivy and lot of library where old and exploitable.
What are some alternatives?
snyk - Snyk CLI scans and monitors your projects for security vulnerabilities. [Moved to: https://github.com/snyk/cli]
grype - A vulnerability scanner for container images and filesystems
clair - Vulnerability Static Analysis for Containers
checkov - Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
syft - CLI tool and library for generating a Software Bill of Materials from container images and filesystems
falco - Cloud Native Runtime Security
dockle - Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start
kube-bench - Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
tfsec - Security scanner for your Terraform code
kics - Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
gitleaks - Protect and discover secrets using Gitleaks 🔑