Automating Docker Security Validation

Automating Docker Security Checks

Hunting around for ways of validating Docker images from a security perspective, I’ve not seen much documentation on finding ways to do this.

As a result, I put together this video of the best means I’ve found yet: using openscap tooling. You might want to skip to 1:55 when the Vagrant setup is complete and the software is installed.

Source available here.

Briefly, it:

  • Creates a trivial custom check for our security policy (‘is this a CentOS machine?’), which is run using the standard oscap tooling, and passes
  • Runs a RHEL7 container (‘our-rhel-container’)
  • Runs oscap-docker with the same check, which fails (as this is a RHEL7 image)
  • Performs a general CVE check against the container
  • Downloads another policy and runs that against the running container

Using this as a template, you can see how easy it would be to script up a custom policy, run it regularly and perform actions based on the output.

Are you using this or similar tools to manage Docker images? Any tips on extending and improving this gratefully received.


Currently co-authoring a book on Docker:

Get 39% off with the code 39miell


One thought on “Automating Docker Security Validation

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.