hadolint VS trivy

Worth noting that Hadolint[1] raises warnings the issues mentioned in the article. Some examples of warnings:

- https://github.com/hadolint/hadolint/wiki/DL3007: Using latest is prone to errors if the image will ever update. Pin the version explicitly to a release tag.

Dockerfile should be checked during development by automated scanners (Kics, Hadolint, Conftest)

Linters are an effective way to catch (security) bugs early on in your development process. For most programming languages using linters is pretty standard. Hadolint is a linter for your Dockerfiles and is found on github here.

Best practices for writing Dockerfiles are being followed more and more often according to this paper after mining more than 10 million Dockerfiles on Docker Hub and GitHub. However, there is still room for improvement. This is where linters come in as useful tools for static code analysis. Hadolint lists lots of rules for Dockerfiles and is available as a VS Code extension.

Hadolint

Switching to the root USER opens up certain security risks if an attacker gets access to the container. In order to mitigate this, switch back to a non privileged user after running the commands you need as root. – Hadolint rule DL3002

Hadolint for more SAST like : https://github.com/hadolint/hadolint

Hadolint is another. It's built atop shellcheck.

https://github.com/hadolint/hadolint

I use Hadolint[1] as a CI job to check if my Dockerfiles follow the good "rules". But there is one rule that annoys me the most and which is also present in this article, is the pinned OS package version rule[2]. While I understand its interest, I struggle to handle this problem.

When I build new images and it failed because the pinned version is not available anymore, I have to dig into Debian or Ubuntu packages websites to find the new ones as they don't keep the old packages online.

I know I could ask Hadolint to ignore this rule but I don't like this and I think it's important to stick to a certain version of a package to avoid problems. I'm just trying to find any tip that could make me use pinned version and avoid this search every time. Does apt-get install allows wildcard for example?

1: https://github.com/hadolint/hadolint

2: https://github.com/hadolint/hadolint/wiki/DL3008

- Use trivy or grype with software installed without package manager (via tar) e.g. eclipse-temurin in the alpine version. The java executable gets unpacked into /opt but is not recognized.

https://github.com/aquasecurity/trivy/issues/2098

Yup, an Admission Controller is not the right tool to perform container image scans. That's where Trivy comes into play.

Kubernetes manifest needs to be secure and ValidKube helps us to achieve that with the help of the Aquasec team. The same YAML file mentioned above, we will run it through the "Secure" feature of ValidKube and let's see the results: It's Open source repository is named as trivy and it's repository is https://github.com/aquasecurity/trivy

It's an open-source project by Aqua Security and you might have already known them because of their other project trivy which is a scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues.

Another one I would recommend looking at, if you want to do scanning of workload manifests (e.g. deployments) is Trivy (https://github.com/aquasecurity/trivy) which has some cool IaC scanning features.

- task: [email protected] displayName: Trivvy Scan for vunerabilties in both docker image and repository condition: succeeded() continueOnError: true inputs: targetType: inLine script: | set +x wget https://github.com/aquasecurity/trivy/releases/download/v0.18.3/trivy_0.18.3_Linux-64bit.deb sudo dpkg -i trivy_0.18.3_Linux-64bit.deb trivy fs --exit-code 1 --security-checks vuln,config $(System.DefaultWorkingDirectory) trivy image --exit-code 1 --timeout 15m $(imageRepo):$(imageTag)

have a look at the repo, Trivy is all open source but let us know if you have any questions :) https://github.com/aquasecurity/trivy

If you're looking for a good OS / library vulnerability scanner, I would recommend trivy.

The idea behind Validkube is to fuse together the capabilities of three other popular open-source projects (kubeval, kubectl-neat & trivy) and present them in a single view, providing users with a way to ensure YAML code hygiene and security, in one place, with just a few clicks of the button.