Running checks for a specific container or image #286

Open
1605200517 opened this Issue Feb 5, 2018 · 9 comments

1605200517 commented Feb 5, 2018

Is it possible to scan only a given container, or image?

konstruktoid commented Feb 6, 2018

Hi @1605200517, no, not at the moment.

isuftin commented Jun 29, 2018

This would be such a great addition. This would allow us to perform checks during CI for only the 4 and 5 series of testing for a container we build during CI.

jamesrgregg commented Oct 14, 2018

I was looking at this same problem a while ago and figured out how to isolate the scan using the filter options. I'm testing using minikube so I needed to exclude the K8s containers.

I'm trying to figure out the same CI/CD problem everyone else is asking about in Issue #270.
My specific use case was to identify containers running as root.

Docker Bench Security Scan - NGINX running as root
Docker Bench Security Scan - NGINX running as non-root

konstruktoid added a commit to konstruktoid/docker-bench-security that referenced this issue Oct 15, 2018

add include option docker#286
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
konstruktoid commented Oct 15, 2018

Please test #328.

konstruktoid added a commit that referenced this issue Oct 25, 2018

konstruktoid commented Oct 25, 2018

#328 has been merged.

yikaus commented Nov 22, 2018

konstruktoid commented Nov 22, 2018

Hi @yikaus, how does this break the behavior? It has been replaced with https://github.com/docker/docker-bench-security/blob/master/docker-bench-security.sh#L112
containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont")

yikaus commented Nov 22, 2018

Hi @konstruktoid

$benchcont depends on $containers; the change makes the value of $benchcont forever nil, thus it won't filter out the scanner itself.
https://github.com/docker/docker-bench-security/blob/master/docker-bench-security.sh#L98

You should be able to test it by running the test locally, and the scanner instance will always show in the test result.

Kevin
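Added illustration, not code from docker-bench-security: a small POSIX shell version of the two-step selection the thread is about. The scanner's own container has to be identified before the list of containers to check is built, otherwise the exclusion variable is still empty when the filter runs. The sample `docker ps` output is constructed, and identifying the scanner by its image name is an assumption (the real script's rule at its line 98 is not reproduced here). It also guards the empty-exclusion case explicitly, because `grep -v` with an empty pattern matches, and therefore drops, every line.

```shell
#!/bin/sh
# Added example (not docker-bench-security's own code). Demonstrates ordering:
# find the scanner's own container first, then build the list of containers to
# check while excluding it.

# Constructed sample of `docker ps` output; not captured from a real host.
SAMPLE_PS='CONTAINER ID   IMAGE                          COMMAND                 CREATED         STATUS         PORTS      NAMES
1a2b3c4d5e6f   nginx:1.15                     "nginx -g daemon off;"  2 minutes ago   Up 2 minutes   80/tcp     web
2b3c4d5e6f70   docker/docker-bench-security   "/bin/sh run.sh"        1 minute ago    Up 1 minute               docker-bench-security
3c4d5e6f7081   redis:5                        "redis-server"          5 minutes ago   Up 5 minutes   6379/tcp   cache'

# Step 1: name of the scanner container. Assumption: it is recognised by its
# image name containing docker-bench-security (the real script's own rule is
# not reproduced here). sed '1d' drops the header row; $2 is the IMAGE column.
bench_container_name() {
    printf '%s\n' "$1" | sed '1d' | awk '$2 ~ /docker-bench-security/ { print $NF }'
}

# Step 2: every running container name except the scanner. Must run AFTER
# step 1. If the exclusion were empty, `grep -v ""` would match (and so drop)
# every line, so an empty exclusion is treated as "exclude nothing" instead.
# -x -F: exact, literal whole-line match so "web" never excludes "webapp".
containers_to_check() {
    ps_output=$1
    benchcont=$2
    names=$(printf '%s\n' "$ps_output" | sed '1d' | awk '{ print $NF }')
    if [ -z "$benchcont" ]; then
        printf '%s\n' "$names"
    else
        # `|| :` keeps a zero exit status when every line is excluded.
        printf '%s\n' "$names" | grep -vxF -- "$benchcont" || :
    fi
}

# Count the lines in a list, trimming the padding wc adds on some platforms.
count_lines() {
    printf '%s\n' "$1" | wc -l | tr -d ' '
}

# Correct order: the scanner is resolved before the list that excludes it.
benchcont=$(bench_container_name "$SAMPLE_PS")
containers=$(containers_to_check "$SAMPLE_PS" "$benchcont")
printf 'scanner: %s\nto check:\n%s\n' "$benchcont" "$containers"
```

Run as-is it prints `docker-bench-security` as the scanner and `web` and `cache` as the containers to check; passing an empty exclusion returns all three names rather than none, which is the trap an unset variable walks into.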

konstruktoid added a commit to konstruktoid/docker-bench-security that referenced this issue Nov 23, 2018

exclude docker-bench-security container docker#286
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

konstruktoid added a commit that referenced this issue Nov 23, 2018

Merge pull request #349 from konstruktoid/ISSUE286
exclude docker-bench-security container #286
konstruktoid commented Nov 23, 2018

You were absolutely correct @yikaus. Thanks for reporting this and I'm sorry for the lack of testing regarding this.

Should be fixed now.
