hadolint
trivy
| | hadolint | trivy |
|---|---|---|
| Mentions | 12 | 46 |
| Stars | 6,917 | 12,029 |
| Growth | 3.7% | 7.1% |
| Activity | 8.7 | 9.6 |
| Latest commit | 17 days ago | 6 days ago |
| Language | Haskell | Go |
| License | GNU General Public License v3.0 only | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
hadolint
- can you recommend active Haskell open source projects?
-
Just Say No To `:Latest`
Worth noting that Hadolint[1] raises warnings for the issues mentioned in the article. Some examples of warnings:
- https://github.com/hadolint/hadolint/wiki/DL3007: Using latest is prone to errors if the image will ever update. Pin the version explicitly to a release tag.
-
Kubernetes Security Checklist 2021
Dockerfiles should be checked during development by automated scanners (Kics, Hadolint, Conftest)
-
CONTAINER SECURITY
Linters are an effective way to catch (security) bugs early on in your development process. For most programming languages using linters is pretty standard. Hadolint is a linter for your Dockerfiles and is found on github here.
-
Best Practices for R with Docker
Best practices for writing Dockerfiles are being followed more and more often according to this paper after mining more than 10 million Dockerfiles on Docker Hub and GitHub. However, there is still room for improvement. This is where linters come in as useful tools for static code analysis. Hadolint lists lots of rules for Dockerfiles and is available as a VS Code extension.
-
21 Best Practises in 2021 for Dockerfile
Hadolint
-
Dockerizing Shiny Applications
Switching to the root USER opens up certain security risks if an attacker gets access to the container. In order to mitigate this, switch back to a non-privileged user after running the commands you need as root. – Hadolint rule DL3002
-
What do you use for container security, and where do you think there is room for improvement?
Hadolint for more SAST like : https://github.com/hadolint/hadolint
-
ShellCheck: A static analysis tool for shell scripts
Hadolint is another. It's built atop shellcheck.
-
Docker Security Cheat Sheet
I use Hadolint[1] as a CI job to check if my Dockerfiles follow the good "rules". But the one rule that annoys me the most, and which is also present in this article, is the pinned OS package version rule[2]. While I understand its interest, I struggle to handle this problem.
When I build new images and it fails because the pinned version is not available anymore, I have to dig into the Debian or Ubuntu packages websites to find the new ones, as they don't keep the old packages online.
I know I could ask Hadolint to ignore this rule but I don't like this, and I think it's important to stick to a certain version of a package to avoid problems. I'm just trying to find any tip that could let me use pinned versions and avoid this search every time. Does apt-get install allow wildcards, for example?
trivy
-
Container scanners do not scan software not added by a package manager
- Use trivy or grype with software installed without package manager (via tar) e.g. eclipse-temurin in the alpine version. The java executable gets unpacked into /opt but is not recognized.
https://github.com/aquasecurity/trivy/issues/2098
-
Image Scanning admission controllers
Yup, an Admission Controller is not the right tool to perform container image scans. That's where Trivy comes into play.
-
All about Komodor :- A Kubernetes Troubleshooting Platform and more
Kubernetes manifests need to be secure, and ValidKube helps us achieve that with the help of the Aquasec team. We will run the same YAML file mentioned above through the "Secure" feature of ValidKube and see the results. Its open source repository is named trivy and its repository is https://github.com/aquasecurity/trivy
-
Kubernetes Hardening Tutorial Part 3: Authn, Authz, Logging & Auditing
It's an open-source project by Aqua Security, and you might already know them because of their other project trivy, which is a scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues.
-
Kube-bench vs kubescape
Another one I would recommend looking at, if you want to do scanning of workload manifests (e.g. deployments) is Trivy (https://github.com/aquasecurity/trivy) which has some cool IaC scanning features.
-
Migrating azure repository to github, but keep Azure pipelines and workflow
```yaml
- task: Bash@3   # task name appears obfuscated as "[email protected]" in the source; Bash@3 is assumed from the inline-script inputs
  displayName: Trivy scan for vulnerabilities in both docker image and repository
  condition: succeeded()
  continueOnError: true   # keeps the pipeline green even though trivy exits 1 on findings
  inputs:
    targetType: inline
    script: |
      set +x
      # install a pinned trivy release
      wget https://github.com/aquasecurity/trivy/releases/download/v0.18.3/trivy_0.18.3_Linux-64bit.deb
      sudo dpkg -i trivy_0.18.3_Linux-64bit.deb
      # scan the checked-out repository (vulnerabilities + misconfigurations), then the built image
      trivy fs --exit-code 1 --security-checks vuln,config $(System.DefaultWorkingDirectory)
      trivy image --exit-code 1 --timeout 15m $(imageRepo):$(imageTag)
```
-
Cloud Security: Container image and IaC scanning with Trivy
Have a look at the repo. Trivy is all open source, but let us know if you have any questions :) https://github.com/aquasecurity/trivy
-
A simple tool to audit Linux system libraries to find public security vulnerabilities.
If you're looking for a good OS / library vulnerability scanner, I would recommend trivy.
-
[open-source] Validkube - Validate, Clean and Secure your K8s YAML
The idea behind Validkube is to fuse together the capabilities of three other popular open-source projects (kubeval, kubectl-neat & trivy) and present them in a single view, providing users with a way to ensure YAML code hygiene and security, in one place, with just a few clicks of the button.
What are some alternatives?
clair - Vulnerability Static Analysis for Containers
grype - A vulnerability scanner for container images and filesystems
snyk - Snyk CLI scans and monitors your projects for security vulnerabilities.
syft - CLI tool and library for generating a Software Bill of Materials from container images and filesystems
checkov - Prevent cloud misconfigurations during build-time for Terraform, CloudFormation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.
falco - Cloud Native Runtime Security
starboard - Kubernetes-native security toolkit
tfsec - Security scanner for your Terraform code
dockle - Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start
gitleaks - Scan git repos (or files) for secrets using regex and entropy 🔑
Grafana - The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.