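---
# Runs the upstream Docker Bench for Security scanner against the runner's
# Docker daemon on non-draft pull requests into develop and uploads the
# resulting report as a workflow artifact.
name: Docker Bench for Security

on:
  pull_request:
    branches: [develop]
    types: [opened, synchronize, reopened, ready_for_review]

# Least privilege for the job token: the workflow only needs to read the
# repository; nothing below writes back to GitHub.
permissions:
  contents: read

jobs:
  build:
    # Draft PRs are skipped; `ready_for_review` in the trigger list above
    # re-runs the job once a PR leaves draft state.
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      # TODO(review): pin third-party actions to a full commit SHA
      # (`uses: actions/checkout@<FULL_COMMIT_SHA>`) instead of a mutable
      # major-version tag, so a moved tag cannot change what runs here.
      - uses: actions/checkout@v3

      - name: Set up Python 3
        uses: actions/setup-python@v3
        with:
          python-version: "3.10"

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install .

      # Start from an empty local image store so the bench reports only on
      # what this workflow builds.
      - name: Clean Docker System
        run: |
          docker image prune -a -f
          docker system prune -a -f

      # TODO(review): the scanner is cloned from the upstream default branch at
      # run time and then executed with host-level access (see the run step
      # below). Pin a reviewed release, e.g.
      # `git clone --branch <PINNED_RELEASE_TAG> https://github.com/docker/docker-bench-security.git`,
      # so the code that gets that access is reproducible.
      - name: Clone Docker Bench Security Repo
        run: git clone https://github.com/docker/docker-bench-security.git

      - name: Build Docker Bench Security Image
        run: |
          cd docker-bench-security
          docker build --no-cache -t docker-bench-security .

      - name: Create results directory
        run: mkdir -p results

      # The host net/pid/user namespaces, the audit_control capability and the
      # bind mounts give the scanner a view of the daemon and host configuration
      # on the runner. Every host path, including the Docker socket, is mounted
      # :ro; only ./results is writable by the container.
      # DOCKER_CONTENT_TRUST=0 is passed into the scanner container's
      # environment — presumably for the bench's content-trust check; confirm
      # against the upstream run instructions.
      - name: Run Docker Bench for Security
        run: |
          docker run --rm --net host --pid host --userns host --cap-add audit_control \
            -e DOCKER_CONTENT_TRUST=0 \
            -v /etc:/etc:ro \
            -v /lib/systemd/system:/lib/systemd/system:ro \
            -v /usr/bin/containerd:/usr/bin/containerd:ro \
            -v /usr/bin/runc:/usr/bin/runc:ro \
            -v /usr/lib/systemd:/usr/lib/systemd:ro \
            -v /var/lib:/var/lib:ro \
            -v /var/run/docker.sock:/var/run/docker.sock:ro \
            -v "$(pwd)/results:/results" \
            --label docker_bench_security \
            docker-bench-security | tee results/docker_bench_security_report.txt

      # actions/upload-artifact@v3 is deprecated and is no longer accepted on
      # GitHub-hosted runners; v4 takes the same `name` and `path` inputs.
      - name: Upload Security Bench Report
        uses: actions/upload-artifact@v4
        with:
          name: docker_bench_security-report
          path: results/docker_bench_security_report.txt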