From 4cb50d9380f79565e5dc684ea4a583072ad8a7da Mon Sep 17 00:00:00 2001
From: rajith
Date: Mon, 30 Sep 2024 16:56:52 +0530
Subject: [PATCH 1/5] adding docker bench security tool

---
 .github/workflows/docker-bench-security.yml | 50 +++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 .github/workflows/docker-bench-security.yml

diff --git a/.github/workflows/docker-bench-security.yml b/.github/workflows/docker-bench-security.yml
new file mode 100644
index 0000000000..7429f9202a
--- /dev/null
+++ b/.github/workflows/docker-bench-security.yml
@@ -0,0 +1,50 @@
+name: Docker Bench for Security
+
+on:
+ pull_request:
+ branches: [ develop ]
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+
+ steps:
+ - uses: actions/checkout@v3
+ - name: Set up Python 3.8
+ uses: actions/setup-python@v3
+ with:
+ python-version: "3.8"
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install .
+ - name: Clean Docker System
+ run: |
+ docker image prune -a -f
+ docker system prune -a -f
+ - name: Create results directory
+ run: mkdir -p results
+ - name: Run Docker Bench for Security
+ run: |
+ docker run --rm --net host --pid host --userns host --cap-add audit_control \
+ -e DOCKER_CONTENT_TRUST=0 \
+ -v /etc:/etc:ro \
+ -v /lib/systemd/system:/lib/systemd/system:ro \
+ -v /usr/bin/containerd:/usr/bin/containerd:ro \
+ -v /usr/bin/runc:/usr/bin/runc:ro \
+ -v /usr/lib/systemd:/usr/lib/systemd:ro \
+ -v /var/lib:/var/lib:ro \
+ -v /var/run/docker.sock:/var/run/docker.sock:ro \
+ -v "$(pwd)/results:/results" \
+ --label docker_bench_security \
+ docker/docker-bench-security | tee results/security_bench_report.txt
+
+ - name: Upload Security Bench Report
+ uses: actions/upload-artifact@v3
+ with:
+ name: security-bench-report
+ path: results/security_bench_report.txt
\ No newline at end of file
From b55e6f93219d54f31f882fbabbcafef5209f7e47 Mon Sep 17 00:00:00 2001
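Review bot: The step at `docker run ... | tee results/security_bench_report.txt` can never fail the job: the `run` step declares no `shell`, so it executes under `bash -e` without `pipefail`, the step's status is tee's, and no later step reads the report, which leaves the benchmark purely informational. If a gate is intended, set `shell: bash` on that step so a non-zero exit from the benchmark (where it reports one) propagates, and fail the job on WARN entries parsed from the saved report. Separately, `docker system prune -a -f` removes every image before the benchmark runs and nothing builds or starts the project's own container, so the image and container sections of the benchmark only audit the ephemeral `ubuntu-latest` daemon; `pip install .` is not used by any later step. The actions are referenced by moving tags (`actions/checkout@v3`, `actions/setup-python@v3`, `actions/upload-artifact@v3`); pinning each to a full commit SHA is the usual supply-chain hardening for a security workflow.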
From: rajith
Date: Mon, 30 Sep 2024 17:06:00 +0530
Subject: [PATCH 2/5] changing to valid names

---
 .github/workflows/docker-bench-security.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/docker-bench-security.yml b/.github/workflows/docker-bench-security.yml
index 7429f9202a..a0ca71b001 100644
--- a/.github/workflows/docker-bench-security.yml
+++ b/.github/workflows/docker-bench-security.yml
@@ -41,10 +41,10 @@ jobs:
 -v /var/run/docker.sock:/var/run/docker.sock:ro \
 -v "$(pwd)/results:/results" \
 --label docker_bench_security \
- docker/docker-bench-security | tee results/security_bench_report.txt
+ docker/docker-bench-security | tee results/docker_bench_security_report.txt

 - name: Upload Security Bench Report
 uses: actions/upload-artifact@v3
 with:
- name: security-bench-report
- path: results/security_bench_report.txt
\ No newline at end of file
+ name: docker_bench_security-report
+ path: results/docker_bench_security.txt
\ No newline at end of file
From 39af38aac9850eb12b09be445363bf4bf73e1e47 Mon Sep 17 00:00:00 2001
From: rajith
Date: Mon, 30 Sep 2024 17:14:36 +0530
Subject: [PATCH 3/5] fix name

---
 .github/workflows/docker-bench-security.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docker-bench-security.yml b/.github/workflows/docker-bench-security.yml
index a0ca71b001..af7e07de81 100644
--- a/.github/workflows/docker-bench-security.yml
+++ b/.github/workflows/docker-bench-security.yml
@@ -47,4 +47,4 @@ jobs:
 uses: actions/upload-artifact@v3
 with:
 name: docker_bench_security-report
- path: results/docker_bench_security.txt
\ No newline at end of file
+ path: results/docker_bench_security_report.txt
\ No newline at end of file
From 7b7f640f7f62e7a02e4bc6789e3dd4e3305661d7 Mon Sep 17 00:00:00 2001
From: rajith
Date: Tue, 1 Oct 2024 12:25:44 +0530
Subject: [PATCH 4/5] adding Build Docker Bench Security Image

---
 .github/workflows/docker-bench-security.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/docker-bench-security.yml b/.github/workflows/docker-bench-security.yml
index af7e07de81..d480a66a25 100644
--- a/.github/workflows/docker-bench-security.yml
+++ b/.github/workflows/docker-bench-security.yml
@@ -26,6 +26,12 @@ jobs:
 run: |
 docker image prune -a -f
 docker system prune -a -f
+ - name: Clone Docker Bench Security Repo
+ run: git clone https://github.com/docker/docker-bench-security.git
+ - name: Build Docker Bench Security Image
+ run: |
+ cd docker-bench-security
+ docker build --no-cache -t docker-bench-security .
 - name: Create results directory
 run: mkdir -p results
 - name: Run Docker Bench for Security
From 9efbc4d03a922bac3a0c82df4a08082644270e07 Mon Sep 17 00:00:00 2001
From: rajith
Date: Tue, 1 Oct 2024 12:36:54 +0530
Subject: [PATCH 5/5] remove pulling image

---
 .github/workflows/docker-bench-security.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docker-bench-security.yml b/.github/workflows/docker-bench-security.yml
index d480a66a25..3b5211f668 100644
--- a/.github/workflows/docker-bench-security.yml
+++ b/.github/workflows/docker-bench-security.yml
@@ -47,7 +47,7 @@ jobs:
 -v /var/run/docker.sock:/var/run/docker.sock:ro \
 -v "$(pwd)/results:/results" \
 --label docker_bench_security \
- docker/docker-bench-security | tee results/docker_bench_security_report.txt
+ docker-bench-security | tee results/docker_bench_security_report.txt

 - name: Upload Security Bench Report
 uses: actions/upload-artifact@v3
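Review bot: `git clone https://github.com/docker/docker-bench-security.git` checks out whatever sits at the upstream default branch at run time, and the next step builds that code into the image which the workflow then runs with `--net host --pid host --userns host`, the Docker socket and `/etc` and `/var/lib` bind-mounted (the `:ro` on the socket mount does not restrict API calls over it), so each run executes unreviewed, unpinned third-party code with broad access to the runner. Pin the benchmark to a reviewed revision and bump it deliberately, e.g. `run: git clone https://github.com/docker/docker-bench-security.git && git -C docker-bench-security checkout <PINNED_COMMIT>`. The enclosing `steps` list continues outside the hunk.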
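Review bot: The bare image reference `docker-bench-security` carries no tag, so it resolves to the `:latest` image built two steps earlier, and the uploaded report no longer records which upstream revision of the benchmark produced it. Record the revision alongside the report, e.g. `git -C docker-bench-security rev-parse HEAD > results/docker_bench_security_version.txt`, and add that file to the upload step's `path` so the artifact is attributable. The `Upload Security Bench Report` step continues outside the hunk.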