This repo provides docker images for testssl.sh, a free command line tool to check a service on any port for the support of TLS/SSL ciphers, protocols, recent cryptographic flaws, and more. Each image provides everything needed to run testssl.sh the way upstream intends it to be run.
Build status for master branch:
- Docker image: https://quay.io/repository/jumanjiman/testssl
- Docker source: https://github.com/jumanjihouse/docker-testssl
- Upstream source: https://github.com/drwetter/testssl.sh

```sh
docker pull quay.io/jumanjiman/testssl
```
You can run the image using the docker-compose.yaml file in this git repo:

```sh
# Show help.
docker-compose run testssl --help

# Do a limited scan with a subset of options against one host.
docker-compose run testssl --heartbleed --ip one https://www.google.com/
```
You can also run the image with the docker command directly:

```sh
run_opts="
-i
-t
--rm
--read-only
--cap-drop all
--memory 100M
--pids-limit 1000
--cpu-shares 512
"
docker run ${run_opts} quay.io/jumanjiman/testssl --help
```
The above examples use --read-only and --cap-drop all as recommended by the CIS Docker Security Benchmarks:
- CIS Security Benchmark for Docker 1.6
- CIS Security Benchmark for Docker 1.11
- CIS Security Benchmark for Docker 1.12
- CIS Security Benchmark for Docker 1.13
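One practical consequence of --read-only is that testssl.sh cannot write its own report files (--jsonfile, --htmlfile) inside the container. The wrapper below is an added example, not part of this repo or of testssl.sh: it keeps the CIS-recommended flags and resource limits from the README and bind-mounts one host directory as the only writable path for the JSON report. The image name, the /out mount point, and the DOCKER override for dry runs are assumptions of this example.

```sh
#!/bin/sh
# Added example: hardened wrapper for the quay.io/jumanjiman/testssl image.
# DOCKER may be overridden (for example DOCKER=echo) to print the command
# instead of running it.
IMAGE="${IMAGE:-quay.io/jumanjiman/testssl}"
DOCKER="${DOCKER:-docker}"

# The CIS-recommended flags from the README plus the resource limits that
# bound a runaway scan. Kept in one function so callers can inspect them.
# -i/-t are omitted because this wrapper is meant for unattended use.
hardening_opts() {
    printf '%s' "--rm --read-only --cap-drop all --memory 100M --pids-limit 1000 --cpu-shares 512"
}

# testssl_scan OUTDIR TARGET [extra testssl.sh args...]
# OUTDIR on the host receives report.json; it is the only writable path the
# container sees, because the root filesystem is read-only. The directory
# must be writable by the uid the image runs as (check with docker inspect).
testssl_scan() {
    if [ "$#" -lt 2 ]; then
        echo "usage: testssl_scan OUTDIR TARGET [testssl.sh options]" >&2
        return 2
    fi
    outdir="$1"; target="$2"; shift 2
    mkdir -p "$outdir" || return 1
    # Word-splitting of the flag string is intended here.
    # shellcheck disable=SC2046
    "$DOCKER" run $(hardening_opts) \
        -v "$(cd "$outdir" && pwd):/out" \
        "$IMAGE" --jsonfile /out/report.json "$@" "$target"
}
```

Example use: `testssl_scan ./reports https://www.google.com/ --heartbleed --ip one` writes ./reports/report.json on the host.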
Build the images with ci/build.
On a host, such as devenv:
```sh
# Optional. Your URL may vary.
export DOCKER_HOST=tcp://192.168.254.162:2375

# Build images.
ci/build

# Run the tests.
ci/test
```

Note: The test harness requires Python and the pip command.
Each built image has labels that generally follow http://label-schema.org/. We add a label, ci-build-url, that is not currently part of the schema. This extra label provides a permanent link to the CI build for the image.

View the ci-build-url label on a built image:

```sh
docker inspect \
  -f '{{ index .Config.Labels "io.github.jumanjiman.ci-build-url" }}' \
  quay.io/jumanjiman/testssl
```

Query all the labels inside a built image:

```sh
docker inspect quay.io/jumanjiman/testssl | jq -M '.[].Config.Labels'
```
Fork this repo and see CONTRIBUTING.md.
ci/build uses docker-compose to create a "base" image that contains the statically-linked version of openssl from https://testssl.sh/.

From the common base, ci/build creates two runtime images:

- stable version of the testssl.sh script
- dev version of the testssl.sh script
When the build happens against the master branch on CircleCI, the ci/publish script pushes both the stable and dev images to Quay.io. It also pushes a "latest" tag, which refers to the stable version.
Old images tend to have vulnerabilities. Quay has a feature to use a special label, quay.expires-after, to expire tags. This repo applies the label to images so that old images get deleted automatically.

See https://support.coreos.com/hc/en-us/articles/115001384693-Tag-Expiration for more information about the Quay feature. See src/Dockerfile for the current value of the label.
- CircleCI: http://status.circleci.com/
- Quay registry: http://status.quay.io/
This repo, testssl, and openssl are licensed under the GPLv2. See LICENSE.