Skip to content
/ container-security-testing Public

A list of security testing tools for containerized applications

License

MIT license
7 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

omerlh/container-security-testing

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

21 Commits
anchore-engine
anchore-engine
 
 
artifacts
artifacts
 
 
kubernetes
kubernetes
 
 
scripts
scripts
 
 
src
src
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
poland.sln
poland.sln
 
 
test.md
test.md
 
 

Repository files navigation

Container Security Testing

This repo demo various security tools that can be used to scan containerized applications for security issues. All the tools in this repo are free and open source, and you can start using them today. To learn more about the tools mentioned here, checkout this blog post -

Sample App

All the tools are running on a sample app that I created. The app is a simple dotnet core webapi, with one controller that return all the open positions at Soluto, where I'm working. To run the sample app, run (in src folder):

dotnet run

And open http://localhost:5000/api/openpositions/ in your browser.

Tools

You can see the output of the tools under artifacts folder, or run them manually as explained below.

Static Analysis

I'm using DevSkim, a static analyzer with IDE integration. To view the results, install one of the extensions (for example, the one for VS Code). Open OpenPositionsController, you should see warnings from the static analysis.

Dynamic Analysis

I'm using OWASP Zaproxy, a security tool by OWASP. To run it:

 ./scripts/run_tests.sh

When the test execution completed, you can find the report under glue/report.html.

Dependency Scanning

I'm using Retire.Net, a dependency scanner for dotnet. After installing it, run (in src folder):

dotnet retire

Docker Image Scanning

I'm using Anchore Engine, a service that scan docker images. To scan the sample app using Anchore:

  • Launch anchore by running docker-compose up -d in anchore-engine folder.
  • Scan an image by executing the following POST request:
POST /v1/images HTTP/1.1
Host: localhost:8228
Content-Type: application/json
Authorization: Basic YWRtaW46Zm9vYmFy
Cache-Control: no-cache
{
	"tag": "omerlh/open-positions-api:1"
}
  • Extract the imageDigest from the response JSON and use it to get the image vulnerabilities:
GET /v1/images/<imageDigest> HTTP/1.1
Host: localhost:8228
Content-Type: application/json
Authorization: Basic YWRtaW46Zm9vYmFy
Cache-Control: no-cache

The analyze process might take a while, but when it complete the response will contain all the known vulnerabilities for this image.

Kubernetes Files Scanning

I'm using https://kubesec.io/. Run it using (in kubernetes folder):

./kubesec deployment.yaml

About

A list of security testing tools for containerized applications

Topics

docker kubernetes containers cicd appsec devsecops security-testing

Resources

Readme

License

MIT license
Activity

Stars

7 stars

Watchers

3 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages