Automating Docker Security Checks
Hunting around for ways of validating Docker images from a security perspective, I’ve not seen much documentation on finding ways to do this.
Source available here.
- Creates a trivial custom check for our security policy (‘is this a CentOS machine?’), runs it against the host with the standard oscap tooling, and it passes
- Starts a RHEL7 container (‘our-rhel-container’)
- Runs the same check against that container with oscap-docker; it fails, as expected, because the image is RHEL7 rather than CentOS
- Performs a general CVE scan of the container's installed packages with oscap-docker
- Downloads another policy and runs that against the running container
Using this as a template, it is straightforward to script up a custom policy, run it on a schedule against both images and running containers, and act on the result, for example by failing a build or raising an alert whenever a definition does not evaluate to true.
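As an added example (my own code, not the post's script and not part of OpenSCAP), here is a small Python wrapper that does what the list above describes: it writes the trivial ‘is this CentOS?’ check as an OVAL definition, runs it with `oscap` on the host or with `oscap-docker` against an image or a running container, and turns the results file into a pass/fail verdict and exit code. The OVAL id namespace `com.example.policy`, the file names and the sample results snippet are assumptions made for illustration; running it for real needs `oscap`, `oscap-docker` and access to the Docker daemon.

```python
"""Write a trivial OVAL check ("is this CentOS?"), run it with oscap or
oscap-docker, and fail closed on anything other than a 'true' result.
Added example; not the original post's script and not OpenSCAP code."""
import shutil
import subprocess
import sys
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
RES_NS = "http://oval.mitre.org/XMLSchema/oval-results-5"
CHECK_NS = "com.example.policy"          # assumed id namespace for our checks
DEF_ID = f"oval:{CHECK_NS}:def:1"
TEST_ID = f"oval:{CHECK_NS}:tst:1"
OBJ_ID = f"oval:{CHECK_NS}:obj:1"


def build_centos_check(pattern: str = "^CentOS") -> str:
    """OVAL 5.10 document with one definition that is 'true' when the first
    line of /etc/redhat-release matches `pattern`."""
    return f"""<?xml version="1.0"?>
<oval_definitions xmlns="{OVAL_NS}"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:ind="{OVAL_NS}#independent">
  <generator>
    <oval:product_name>custom policy</oval:product_name>
    <oval:schema_version>5.10</oval:schema_version>
    <oval:timestamp>2016-01-01T00:00:00</oval:timestamp>
  </generator>
  <definitions>
    <definition id="{DEF_ID}" version="1" class="compliance">
      <metadata>
        <title>System is CentOS</title>
        <description>/etc/redhat-release identifies the OS as CentOS.</description>
      </metadata>
      <criteria><criterion test_ref="{TEST_ID}" comment="release file matches {pattern}"/></criteria>
    </definition>
  </definitions>
  <tests>
    <ind:textfilecontent54_test id="{TEST_ID}" version="1" check="all"
        comment="release file matches {pattern}">
      <ind:object object_ref="{OBJ_ID}"/>
    </ind:textfilecontent54_test>
  </tests>
  <objects>
    <ind:textfilecontent54_object id="{OBJ_ID}" version="1">
      <ind:filepath>/etc/redhat-release</ind:filepath>
      <ind:pattern operation="pattern match">{pattern}</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
  </objects>
</oval_definitions>
"""


def definition_ids(check_xml: str) -> list:
    """Ids of the definitions declared in a check file (the ones we require)."""
    root = ET.fromstring(check_xml)
    return [d.get("id") for d in root.iter(f"{{{OVAL_NS}}}definition")]


def oscap_cmd(target_kind: str, target: str, check_file: str, results_file: str) -> list:
    """Command line for 'host' (plain oscap) or 'image'/'container' (oscap-docker,
    which forwards the trailing arguments to oscap inside the target)."""
    oval = ["oval", "eval", "--results", results_file, check_file]
    if target_kind == "host":
        return ["oscap"] + oval
    if target_kind in ("image", "container"):
        return ["oscap-docker", target_kind, target] + oval
    raise ValueError(f"unknown target kind {target_kind!r}")


def definition_results(results_xml: str) -> dict:
    """Map definition id -> OVAL result ('true', 'false', 'error', ...) from the
    results file; only the results-namespace elements are read, not the echoed
    definitions."""
    root = ET.fromstring(results_xml)
    return {d.get("definition_id"): d.get("result")
            for d in root.iter(f"{{{RES_NS}}}definition")}


def policy_verdict(results: dict, required=(DEF_ID,)) -> bool:
    """Pass only if every required definition is 'true'; 'false', 'error',
    'unknown' and 'not applicable' all fail closed."""
    return all(results.get(d) == "true" for d in required)


# Constructed sample of what oscap writes for a RHEL7 target (not real output).
SAMPLE_RESULTS = f"""<oval_results xmlns="{RES_NS}"><results><system><definitions>
<definition definition_id="{DEF_ID}" version="1" result="false"/>
</definitions></system></results></oval_results>"""


def run_check(target_kind: str, target: str, check_file="centos-check.xml",
              results_file="results.xml") -> bool:
    """Write the check, run it, and return the verdict.  Needs oscap (plus
    oscap-docker and Docker access for image/container targets)."""
    with open(check_file, "w") as f:
        f.write(build_centos_check())
    cmd = oscap_cmd(target_kind, target, check_file, results_file)
    if shutil.which(cmd[0]) is None:
        raise RuntimeError(f"{cmd[0]} is not installed")
    # oscap exits 0 when all definitions are true, 2 when one is false and 1 on
    # error; the results file is written in the first two cases, so read it.
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode == 1:
        raise RuntimeError(proc.stderr.strip())
    with open(results_file) as f:
        return policy_verdict(definition_results(f.read()), definition_ids(build_centos_check()))


if __name__ == "__main__":
    kind, target = (sys.argv[1], sys.argv[2]) if len(sys.argv) > 2 else ("host", "")
    ok = run_check(kind, target)
    print("PASS" if ok else "FAIL", target or "host")
    sys.exit(0 if ok else 2)
```

Run it as `python check.py` for the host, or `python check.py container our-rhel-container` for the running container from the list above; the non-zero exit on a false result is what lets a cron job or CI step act on it. Anything other than an explicit `true` is treated as a failure, so a check that errors inside a container (missing file, unsupported probe) cannot silently pass.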
Are you using this or similar tools to manage Docker images? Any tips on extending and improving this gratefully received.