hadolint VS trivy

Some discussion on that here:

https://github.com/koalaman/shellcheck/issues/58

The hadolint project does shell checking for Dockerfiles and it uses shellcheck:

https://github.com/hadolint/hadolint

So the approach is definitely feasible, but you do need a new project and probably it needs to be written in Haskell.

how does this compare to something like hadolint?

Also, have you run across Hadolint for linting? https://github.com/hadolint/hadolint

Wow that's a great tool and it has a ton of integrations https://github.com/hadolint/hadolint/blob/master/docs/INTEGRATION.md

Worth noting that Hadolint[1] raises warnings the issues mentioned in the article. Some examples of warnings:

- https://github.com/hadolint/hadolint/wiki/DL3007: Using latest is prone to errors if the image will ever update. Pin the version explicitly to a release tag.

Dockerfile should be checked during development by automated scanners (Kics, Hadolint, Conftest)

Linters are an effective way to catch (security) bugs early on in your development process. For most programming languages using linters is pretty standard. Hadolint is a linter for your Dockerfiles and is found on github here.

Best practices for writing Dockerfiles are being followed more and more often according to this paper after mining more than 10 million Dockerfiles on Docker Hub and GitHub. However, there is still room for improvement. This is where linters come in as useful tools for static code analysis. Hadolint lists lots of rules for Dockerfiles and is available as a VS Code extension.

Trivy is a mature and comprehensive open source tool from Aqua Security that supports scanning multiple sources, from file systems to containers and VMs. Trivy also looks beyond vulnerabilities, to scan licenses, secrets, infrastructure as code misconfiguration, and more.

I would suggest to think about the thread model that you are facing so you can have a better mental model of the weak points of your environment. The very very big majority of these attacks will be automated probing for publicly known vulnerabilities or default credentials. That means the maintainers of the software you are running and the channels on which their updates are shipped to you and deployed are very important factors. For software that is not installed from a trusted and well maintained source (e.g. Ubuntus main repository), you want to make extra sure that vulnerabilities are updated. E.g. your deployed docker containers might contain security issues, you can run checks on these with tools like trivy. The same is also true for appliances, in case your router or firewall contains a software vulnerability, how will you be notified and how will the required updates be deployed?

https://github.com/aquasecurity/trivy 17k stars, updated 11 hours ago

Trivy to scan your Container Image, for example as an Artefact finished building for your application in CI/CD.

The combination of a smaller attack surface and up-to-date, patched packages in Wolfi results in less (always aiming for ZERO) CVEs. This can be demonstrated in the results obtained from Trivy when scanning the most popular PHP images on Docker Hub (with data from March 2, 2023) and comparing them with the Wolfi-based PHP image maintained by Chainguard:

There was a discussion, https://github.com/NginxProxyManager/nginx-proxy-manager/discussions/1812 , where docker container where analyzer by Trivy (a securitu scanner) https://github.com/aquasecurity/trivy and lot of library where old and exploitable.