
The Docker Bench for Security - cfontes
https://github.com/docker/docker-bench-security
======
politelemon
I'm looking to run such a scanner as part of my docker build pipelines and
hopefully this should do the trick. If anyone's aware of similar or
alternatives please post them as well
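A minimal way to turn the benchmark into a pipeline gate, as an added example that is not part of docker-bench-security or this thread: the script counts `[WARN]` findings in the benchmark's plain-text output and fails the build when they exceed an allowed maximum. It assumes the benchmark was run first and its output saved to a file without colour codes (its `-l <file>` log option is assumed to do this), and that each finding line begins with a bracketed status such as `[WARN]` or `[PASS]`. The sample log lines are constructed for illustration, not real results.

```shell
#!/bin/sh
# Added example (not from docker-bench-security or the thread):
# gate a CI job on the number of [WARN] findings in a benchmark log.
# Assumed prior step:  sudo sh docker-bench-security.sh -l bench.log

# Write constructed sample lines in the benchmark's text format
# (illustrative only; not output from a real run).
write_sample_log() {
    cat > "$1" <<'EOF'
[INFO] 1 - Host Configuration
[WARN] 1.1 - Ensure a separate partition for containers has been created
[PASS] 1.2 - Ensure the container host has been hardened
[INFO] 4 - Container Images and Build File
[WARN] 4.1 - Ensure a user for the container has been created
[NOTE] 4.2 - Ensure that containers use trusted base images
EOF
}

# Print the number of lines whose status is WARN (0 when there are none).
count_warns() {
    grep -c '^\[WARN\]' "$1" || true
}

# Return 0 when WARN findings are at or below the allowed maximum
# (default 0), otherwise list them on stderr and return 1.
gate() {
    log="$1"; max="${2:-0}"
    n=$(count_warns "$log")
    if [ "$n" -gt "$max" ]; then
        echo "docker-bench-security: $n WARN findings, max allowed $max" >&2
        grep '^\[WARN\]' "$log" >&2
        return 1
    fi
    echo "docker-bench-security: $n WARN findings, within limit $max"
    return 0
}

# Usage in a pipeline step, after the benchmark has written bench.log:
#   gate bench.log 0 || exit 1
```

Start with a threshold equal to the current number of warnings so the job only fails on regressions, then lower it as controls are fixed; checks that genuinely do not apply to the environment are better excluded at the benchmark itself than hidden behind a high threshold.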

~~~
nwatson
Perhaps Pravin Goyal, currently at Cavirin, has had a large part in organizing
and authoring the "CIS 1.xx.xx Security Benchmarks", at least per
[https://www.linkedin.com/pulse/docker-1110-security-benchmark-released-pravin-goyal/](https://www.linkedin.com/pulse/docker-1110-security-benchmark-released-pravin-goyal/).
The OP git repo claims to be based on these CIS (Center for Internet Security)
benchmarks a.k.a. "best practices", so Pravin might be someone you want to
ping.

If you choose to engage Cavirin or use its solution, be sure to do a full POC
and make sure your use case and scale are fully covered and the product is
reliable; I know there were many quality issues in the past (full disclosure,
I worked there for a while). I'm sure there are other vendors or open source
projects that can do a much better job in a Docker-specific environment. The
CIS content itself probably is golden; the implementation I'd be skeptical
about.

The CIS website (look under the "Docker" category) at
[https://www.cisecurity.org/cis-benchmarks](https://www.cisecurity.org/cis-benchmarks)
seems to list a few vendor solutions.

~~~
616c
Not far behind is the open documentation for the military, DISA STIGs, for
Linux and Unix environments. Not sure they have anything for Docker yet unless
you count treating each container like a vanilla Linux or Unix box, and many
here know that only gets you so far if you don't understand container system
hardening; even CIS controls specific to Docker here are a surprise to me as
someone who deployed them for traditional platforms in years past. From
experience there is a lot of overlap between both for OS management. The
templates and documentation for DoD stuff do not require email signups for
PDFs or an expensive org membership for GPO templates for Windows and other
nonsense, unlike SANS-affiliated CIS.

[https://iase.disa.mil/stigs/Pages/index.aspx](https://iase.disa.mil/stigs/Pages/index.aspx)

[https://www.open-scap.org/resources/documentation/security-compliance-of-rhel7-docker-containers/](https://www.open-scap.org/resources/documentation/security-compliance-of-rhel7-docker-containers/)

Either way, blindly taking these policies, or from a vendor like Cavirin, who
I'm sure are good, is a recipe for disaster when you and/or fellow admins do
not review all hundreds of controls and know your environment very well, if
previous life experience taught me anything.

