标签：prisma checkov 静态扫描 -- policy docker Dockerfile

我们的产物都是基于同一Dockerfile生成，因此我们需要保证这个底层Dockerfile的安全性

Dockerfile的写法有很多，我一般会采用最简单的方式，即Dockerfile什么都不处理直接RUN

# 主要是时区跟源的问题，我们需要重封一次
[root@jenkins-bj-ali-ql1 conf.d]# cat Dockerfile
FROM alpine:latest
RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g' /etc/apk/repositories \
    && apk add --no-cache tzdata tini \
    && cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime  \
    && echo Asia/Shanghai > /etc/timezone \
    && apk del tzdata
[root@jenkins-bj-ali-ql1 conf.d]# docker build -t golang:base .
[root@jenkins-bj-ali-ql1 conf.d]# cat goDockerfile
FROM golang:base

WORKDIR /app
COPY main .
COPY configs/ configs/
COPY templates/ templates/
ENTRYPOINT ["/sbin/tini", "--"]
CMD /app/main ${GO_OPTIONS}

alpine与distroless是推荐的两个最底层镜像，他们很精简，distroless2M，alpine5.57M，不过distroless是不包含任何bash的，没放处理意外情况

为了职业生涯，建议用alpine
为了技术研究，建议用distroless

Checkov安装

heckov 不仅可以扫描dockfile，也可以扫描 Cloudformation、AWS SAM、Kubernetes、Helm charts、Kustomize 、镜像checkov 不仅可以扫描dockfile，也可以扫描 Cloudformation、AWS SAM、Kubernetes、Helm charts、Kustomize 、镜像
https://www.checkov.io/1.Welcome/Quick Start.html
https://github.com/bridgecrewio/checkov

需要先安装python3.7以上版本

curl -O https://www.python.org/ftp/python/3.9.0/Python-3.9.0.tgz
tar -zxvf Python-3.9.0.tgz
cd Python-3.9.0 && ./configure prefix=/usr/local/python3
make && make install
ln -s /usr/local/python3/bin/python3 /usr/bin/python3
ln -s /usr/local/python3/bin/pip3 /usr/bin/pip3
python3 --version

使用pip3直接安装checkov，大概需要半小时...

pip3 install --upgrade pip
pip3 install checkov -i http://pypi.douban.com/simple --trusted-host pypi.douban.com
checkov -h

真的是支持巨多的扫描，这也是我们选用它的原因，后续的安全扫描我们直接复用checkov即可

还支持cyclonedx_json的输出，那看来在sbom扫描处我们也可以用他替换syft生成清单

扫描一下刚才的Dockerfile跟goDockerfile，只列出问题内容

[root@jenkins-bj-ali-ql1 conf.d]# checkov -f Dockerfile --framework dockerfile --quiet --compact --skip-results-upload
dockerfile scan results:

Passed checks: 19, Failed checks: 3, Skipped checks: 0

Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
	FAILED for resource: Dockerfile.FROM
	File: Dockerfile:1-1
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: Dockerfile.
	File: Dockerfile:1-6
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: Dockerfile.
	File: Dockerfile:1-6
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html

[root@jenkins-bj-ali-ql1 cmd]# checkov -f Dockerfile --quiet --compact --skip-results-upload --framework dockerfile
dockerfile scan results:

Passed checks: 3, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: Dockerfile.
	File: Dockerfile:1-8
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: Dockerfile.
	File: Dockerfile:1-8
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html

不让用tag为latest的镜像作为基础镜像
需要设定一个运行用户
需要设定健康检查

修改goDockerfile内容，毕竟我们真实打包制品用的是它

[root@jenkins-bj-ali-ql1 cmd]# cat Dockerfile
FROM golang:base

WORKDIR /app
COPY main .
COPY configs/ configs/
COPY templates/ templates/
USER work 								# 加了这里
HEALTHCHECK NONE						# 加了这里
ENTRYPOINT ["/sbin/tini", "--"]
CMD /app/main ${GO_OPTIONS}
[root@jenkins-bj-ali-ql1 cmd]# checkov -f Dockerfile --quiet --compact --skip-results-upload --framework dockerfile
dockerfile scan results:

Passed checks: 6, Failed checks: 0, Skipped checks: 0

集成jenkins pipeline

本次Checkov用来扫描Dockerfile，而Dockerfile是固定的，因此实际情况中应当在编写好用于后续封装制品Dockerfile后扫描后根据报告修改问题即可，理论上不需要在pipeline中每次都再次扫描，不过为了整体完整性，依然会加入到pipeline Package中作为前置条件

		stage('Package') {
            steps {
                script {
                    sh "/bin/cp -rpf /var/lib/jenkins/workspace/conf.d/goDockerfile Dockerfile"
                    def dcfstatus = sh(script: "checkov -f Dockerfile --quiet --compact --skip-results-upload --framework dockerfile", returnStatus: true)
                    if (dcfstatus != 0) {
                        error "Dockerfile insecure"
                    }
                    sh "docker build -t ${JOB_NAME}:${BUILD_NUMBER} ."
                }
            }
        }

其他Dockerfile扫描工具
Checkov
docker scan

标签：prisma,checkov,静态,扫描,--,policy,docker,Dockerfile
From： https://www.cnblogs.com/bfmq/p/17547524.html

Dockerfile静态扫描