Stars: 9,038
Rank: 4,003 (Top 0.08 %)
Language: Shell
License: Apache License 2.0
Created: over 9 years ago
Updated: 6 months ago

Docker Bench for Security

[Screenshot: Docker Bench for Security running]

The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are based on the CIS Docker Benchmark v1.5.0.

We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and Docker containers against this benchmark.

Release   CIS Docker Benchmark version
1.5.0     1.5.0
1.3.6     1.4.0
1.3.5     1.2.0
1.3.3     1.1.0
1.3.0     1.13.0

Running Docker Bench for Security

Run from your base host

You can run the script directly on your base host. It is run as root (hence sudo) because it reads the daemon and systemd unit configuration, the audit rules and the Docker socket:

git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
sudo sh docker-bench-security.sh

Note: jq is an optional but recommended dependency.

Run with Docker

Building Docker image

You have two options if you wish to build and run this container yourself:

  1. Use Docker Build:
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker build --no-cache -t docker-bench-security .

Followed by an appropriate docker run command as shown below under "Using the container".

  2. Use Docker Compose:
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker-compose run --rm docker-bench-security

Please note that the docker/docker-bench-security image on Docker Hub is out-of-date and a manual build is required. See #405 for more information.

Note that this container is run with a lot of privilege: it shares the host's filesystem, pid and network namespaces, because portions of the benchmark apply to the running host. The bind mount of /var/run/docker.sock is marked :ro, but that only makes the socket file read-only; any process that can talk to the socket still has full control of the daemon, and through it of the host. Only run an image you have built yourself from a reviewed checkout.

Using the container

docker run --rm --net host --pid host --userns host --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    -v /etc:/etc:ro \
    -v /usr/bin/containerd:/usr/bin/containerd:ro \
    -v /usr/bin/runc:/usr/bin/runc:ro \
    -v /usr/lib/systemd:/usr/lib/systemd:ro \
    -v /var/lib:/var/lib:ro \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    --label docker_bench_security \
    docker-bench-security

Don't forget to adjust the shared volumes according to your operating system. Some examples are:

  1. On Ubuntu the docker.service and docker.socket unit files are located in the /lib/systemd/system folder by default, so that folder has to be mounted as well:
docker run --rm --net host --pid host --userns host --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    -v /etc:/etc:ro \
    -v /lib/systemd/system:/lib/systemd/system:ro \
    -v /usr/bin/containerd:/usr/bin/containerd:ro \
    -v /usr/bin/runc:/usr/bin/runc:ro \
    -v /usr/lib/systemd:/usr/lib/systemd:ro \
    -v /var/lib:/var/lib:ro \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    --label docker_bench_security \
    docker-bench-security
  2. The /etc/hostname file is missing on macOS, so it will need to be created first. Also, Docker Desktop on macOS doesn't have /usr/lib/systemd or the above Docker binaries, so those mounts are dropped; /etc is mounted read-only here, as in the other examples.
sudo touch /etc/hostname

docker run --rm --net host --pid host --userns host --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    -v /etc:/etc:ro \
    -v /var/lib:/var/lib:ro \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    --label docker_bench_security \
    docker-bench-security
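The run commands above differ only in which host paths exist to be mounted. The following wrapper, an added example that is not part of docker-bench-security, builds the mount list from the paths actually present on the host, keeps every mount read-only, warns when /etc/hostname is missing (the macOS case) and adds a mount for the log directory so the results land on the host. The function names (bench_mount_args, bench_run_cmd), the BENCH_IMAGE and BENCH_LOG_DIR variables and the candidate path list are this example's own assumptions; the first argument is a root prefix so the functions can be exercised against a scratch tree instead of the real host.

```shell
#!/bin/sh
# Added example, not part of docker-bench-security: generate the "docker run"
# invocation from the paths that actually exist on this host, so the same
# wrapper serves Ubuntu, other Linux distributions and Docker Desktop on macOS.
# BENCH_IMAGE, BENCH_LOG_DIR, the candidate path list and the function names
# are this example's own assumptions.

BENCH_IMAGE="${BENCH_IMAGE:-docker-bench-security}"  # image from `docker build`
BENCH_LOG_DIR="${BENCH_LOG_DIR:-$PWD/log}"          # host directory for the logs

# Host paths the benchmark reads, in the order the README lists them, plus
# the Ubuntu unit-file directory; each is mounted only if it exists.
BENCH_CANDIDATE_PATHS="/etc
/lib/systemd/system
/usr/bin/containerd
/usr/bin/runc
/usr/lib/systemd
/var/lib"

# bench_mount_args ROOT
#   Print one "-v PATH:PATH:ro" per candidate path that exists under ROOT.
#   ROOT is "" on the real host; a scratch directory can be passed to test
#   the logic. Every mount is read-only: the script only reads host config.
bench_mount_args() {
    root="$1"
    printf '%s\n' "$BENCH_CANDIDATE_PATHS" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        if [ -e "$root$p" ]; then
            printf '%s %s:%s:ro\n' -v "$p" "$p"
        fi
    done
}

# bench_run_cmd ROOT
#   Print the complete docker run command on one line. The socket mount is
#   :ro as in the README, but that only protects the socket file: any process
#   that can speak to it controls the daemon, so only a self-built image
#   should be given this socket. The log directory is mounted read-write so
#   docker-bench-security.log and .log.json end up on the host.
bench_run_cmd() {
    root="$1"
    if [ ! -e "$root/etc/hostname" ]; then
        echo "warning: $root/etc/hostname is missing; on macOS run: sudo touch /etc/hostname" >&2
    fi
    mounts=$(bench_mount_args "$root" | tr '\n' ' ')
    printf '%s\n' "docker run --rm --net host --pid host --userns host --cap-add audit_control \
-e DOCKER_CONTENT_TRUST=${DOCKER_CONTENT_TRUST:-} \
${mounts}-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v ${BENCH_LOG_DIR}:/usr/local/bin/log \
--label docker_bench_security ${BENCH_IMAGE}"
}

# On the real host: review with `bench_run_cmd ""`, then `eval "$(bench_run_cmd "")"`.
```

Review the printed command before evaluating it; on a host where none of the candidate paths exist (for instance a minimal Docker Desktop VM) the command still runs but the host-configuration checks will report what they cannot read.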

Note

Docker bench requires Docker 1.13.0 or later in order to run.

Note that when distributions don't contain auditctl, the audit tests will check /etc/audit/audit.rules to see if a rule is present instead.

Docker Bench for Security options

  -b           optional  Do not print colors
  -h           optional  Print this help message
  -l FILE      optional  Log output in FILE, inside container if run using docker
  -u USERS     optional  Comma delimited list of trusted docker user(s)
  -c CHECK     optional  Comma delimited list of specific check(s) id
  -e CHECK     optional  Comma delimited list of specific check(s) id to exclude
  -i INCLUDE   optional  Comma delimited list of patterns within a container or image name to check
  -x EXCLUDE   optional  Comma delimited list of patterns within a container or image name to exclude from check
  -t LABEL     optional  Comma delimited list of labels within a container or image to check
  -n LIMIT     optional  In JSON output, when reporting lists of items (containers, images, etc.), limit the number of reported items to LIMIT. Default 0 (no limit).
  -p PRINT     optional  Disable the printing of remediation measures. Default: print remediation measures.

By default the Docker Bench for Security script runs all available CIS tests and writes two logs into a log folder under the current directory, named docker-bench-security.log.json (machine-readable) and docker-bench-security.log (plain text).

If the Docker container is used, the log files are created inside the container at /usr/local/bin/log/. If you wish to access them from the host after the container has run, mount a volume at that path to store them in.

The CIS-based checks are named check_<section>_<number>, e.g. check_2_6, and community-contributed checks are named check_c_<number>.

sh docker-bench-security.sh -c check_2_2 will only run check 2.2 Ensure the logging level is set to 'info'.

sh docker-bench-security.sh -e check_2_2 will run all available checks except 2.2 Ensure the logging level is set to 'info'.

sh docker-bench-security.sh -e docker_enterprise_configuration will run all available checks except the docker_enterprise_configuration group.

sh docker-bench-security.sh -e docker_enterprise_configuration,check_2_2 will run all available checks except the docker_enterprise_configuration group and 2.2 Ensure the logging level is set to 'info'.

sh docker-bench-security.sh -c container_images,container_runtime will run just the container_images and container_runtime checks

sh docker-bench-security.sh -c container_images -e check_4_5 will run just the container_images checks except 4.5 Ensure Content trust for Docker is Enabled
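Selecting checks with -c and -e is most useful when the result feeds a pipeline. The plain-text log (docker-bench-security.log) has one verdict line per check; the functions below, an added example that is not part of docker-bench-security, count verdicts and fail when any check named in a policy list is WARN. The sample log is constructed for the example and its "[RESULT] id - description" line shape is modelled on the script's output with colour disabled (-b); the parser expects uncoloured lines. bench_count, bench_failed, bench_summary and bench_gate are assumed names, and the policy list accepts ids either as 2.2 or in the check_2_2 form that -c and -e use.

```shell
#!/bin/sh
# Added example, not part of docker-bench-security: gate a CI job on the
# plain-text log the script writes. Run the script with -b so the verdict
# lines carry no colour codes; the parser below expects uncoloured lines.
# bench_count, bench_failed, bench_summary and bench_gate are assumed names.

# Constructed sample log. The "[RESULT] <id> - <description>" verdict lines
# are modelled on the script output; indented "*" lines are the per-item
# detail lines that follow a verdict, and "N - Section" lines are headers.
BENCH_SAMPLE_LOG='[INFO] 1 - Host Configuration
[WARN] 1.1.1 - Ensure a separate partition for containers has been created (Automated)
[NOTE] 1.1.2 - Ensure only trusted users are allowed to control Docker daemon (Automated)
[INFO]       * docker:x:999:alice
[INFO] 2 - Docker daemon configuration
[WARN] 2.2 - Ensure the logging level is set to info (Automated)
[PASS] 2.3 - Ensure Docker is allowed to make changes to iptables (Automated)
[INFO] 4 - Container Images and Build File
[WARN] 4.5 - Ensure Content trust for Docker is Enabled (Automated)
[PASS] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images (Automated)
[INFO] 5 - Container Runtime
[WARN] 5.15 - Ensure that the host process namespace is not shared (Automated)
[WARN]       * Host PID namespace being shared with: web-1
[PASS] 5.25 - Ensure that the container is restricted from acquiring additional privileges (Automated)
[INFO] Checks: 9
[INFO] Score: 2'

# A verdict line is one whose second field is a dotted check id (1.1.1,
# 2.2, 5.15); section headers ("1"), detail lines ("*") and the trailing
# Checks/Score lines therefore never count.
BENCH_ID_RE='^[0-9]+([.][0-9]+)+$'

# bench_count LOGFILE RESULT   -> number of checks with verdict RESULT
bench_count() {
    awk -v want="[$2]" -v re="$BENCH_ID_RE" \
        '$1 == want && $2 ~ re { n++ } END { print n + 0 }' "$1"
}

# bench_failed LOGFILE         -> ids of every check that scored WARN
bench_failed() {
    awk -v re="$BENCH_ID_RE" '$1 == "[WARN]" && $2 ~ re { print $2 }' "$1"
}

# bench_summary LOGFILE        -> one "RESULT: count" line per verdict kind
bench_summary() {
    for r in PASS WARN NOTE INFO; do
        printf '%s: %s\n' "$r" "$(bench_count "$1" "$r")"
    done
}

# bench_gate LOGFILE POLICY
#   POLICY is a comma-separated list of checks that must not be WARN, given
#   either as 2.2 or as check_2_2 (the form the -c and -e options take).
#   Prints each violation and returns 1 if any policy check failed.
bench_gate() {
    log="$1"
    rc=0
    for raw in $(printf '%s' "$2" | tr ',' ' '); do
        id=$(printf '%s' "$raw" | sed 's/^check_//; s/_/./g')
        if bench_failed "$log" | grep -Fqx "$id"; then
            echo "policy violation: check $id is WARN"
            rc=1
        fi
    done
    return $rc
}

# Usage: write the sample (or point at ./log/docker-bench-security.log) and gate on it.
#   printf '%s\n' "$BENCH_SAMPLE_LOG" > /tmp/bench.log
#   bench_summary /tmp/bench.log
#   bench_gate /tmp/bench.log check_2_2,4.5 || echo "blocked"
```

Gating on a named policy list rather than on "zero WARN" lets a team adopt the benchmark incrementally: start with the checks that are already expected to pass, and extend the list as remediations land. Because the log is parsed rather than the exit status, the gate keeps working when the script is run through the container with the log directory mounted out.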

Note that when submitting checks, provide information why it is a reasonable test to add and please include some kind of official documentation verifying that information.
