
Repository Details

Qualys ssllabs-scan utility in a tiny docker image

SSL site scanner


Source code: https://github.com/jumanjihouse/docker-ssllabs-scan/
Docker image: https://registry.hub.docker.com/u/jumanjiman/ssllabs-scan/

⚠️ You must use version 1.4.0 or later of this image for compatibility with the Qualys SSL Labs Service API.

About

Overview

This git repo downloads golang source code from https://github.com/ssllabs/ssllabs-scan and builds a tiny docker image that scans secure websites with the Qualys SSL Labs service.

The build takes about 30 seconds and results in a 5 MiB Docker image.
The runtime image contains only:

  • a static binary,
  • CA certificates,
  • /etc/nsswitch.conf so golang net resolver uses /etc/hosts, and
  • /etc/passwd to provide an unprivileged user.

The container runs as an unprivileged user via the technique described in this Medium post.

Before you use this tool please review the terms and conditions, which can be found here: https://www.ssllabs.com/about/terms.html

Build integrity

The repo is set up to compile the software in a "builder" container, then copy the statically-compiled binary into a "runtime" container free of development tools or other binaries that could be abused. An unattended test harness runs the build script and runs acceptance tests. If all tests pass on the master branch in the unattended test harness, it pushes the built images to Docker Hub.


License

See LICENSE.md in this git repo.

How-to

Build and test

⚠️ Build requires Docker CE 17.06.1 (for multi-stage builds) or later as well as docker-compose.

ci/build
ci/test

Pull an already-built image

For user convenience, each published image is tagged with <upstream-version-number>-<date>T<time>-git-<git-short-hash> to correlate with both the upstream software release and the git commit of this repo. The "latest" tag always points to the most recent build.

docker pull jumanjiman/ssllabs-scan:latest

View image labels

Each built image has labels that generally follow http://label-schema.org/.

We add a label, ci-build-url, that is not currently part of the schema. This extra label provides a permanent link to the CI build for the image.

View the ci-build-url label on a built image:

docker inspect \
  -f '{{ index .Config.Labels "io.github.jumanjiman.ci-build-url" }}' \
  jumanjiman/ssllabs-scan

Query all the labels inside a built image:

docker inspect jumanjiman/ssllabs-scan | jq -M '.[].Config.Labels'

Scan public sites

The following example uses --read-only and --cap-drop all as recommended by the CIS Docker Security Benchmarks:

Example:

$ docker_opts="--read-only --cap-drop all --rm -it"
$ image="jumanjiman/ssllabs-scan:latest"
$ scan_opts="-grade -usecache"
$ url_to_scan="https://github.com/"
$ docker run ${docker_opts} ${image} ${scan_opts} ${url_to_scan}
2015/06/14 23:01:01 [INFO] SSL Labs v1.18.1 (criteria version 2009j)
2015/06/14 23:01:01 [NOTICE] Server message: This assessment service is provided free of charge by Qualys SSL Labs, subject to our terms and conditions: https://www.ssllabs.com/about/terms.html
2015/06/14 23:01:03 [INFO] Assessment starting: https://github.com
2015/06/14 23:01:04 [INFO] Assessment complete: https://github.com (1 host in 96 seconds)
    192.30.252.129: A+
"https://github.com": "A+"

2015/06/14 23:01:04 [INFO] All assessments complete; shutting down

You can also use the -hostfile option if you inject a local file into the container:

# Create a hostfile in local filesystem.
$ ls -la /tmp/sites.txt
-rw-r--r--    1 user     user            48 Mar 12 15:39 /tmp/sites.txt

# Use docker `-v` option to inject a file into the container to use -hostfile option.
$ docker run -v /tmp:/tmp:ro ${docker_opts} ${image} -hostfile /tmp/sites.txt ${scan_opts}
2016/03/12 15:45:01 [INFO] SSL Labs v1.22.37 (criteria version 2009l)
2016/03/12 15:45:01 [NOTICE] Server message: This assessment service is provided free of charge by Qualys SSL Labs, subject to our terms and conditions: https://www.ssllabs.com/about/terms.html
2016/03/12 15:45:03 [INFO] Assessment starting: https://www.github.com/
2016/03/12 15:45:04 [INFO] Assessment starting: https://www.google.com/
2016/03/12 15:45:04 [INFO] Assessment complete: https://www.github.com/ (1 host in 83 seconds)
    192.30.252.129: A
2016/03/12 15:45:05 [INFO] Assessment complete: https://www.google.com/ (2 hosts in 109 seconds)
    2607:f8b0:4005:802:0:0:0:2004: B
    172.217.2.36: B
"https://www.github.com/": "A"
"https://www.google.com/": "B"

2016/03/12 15:45:05 [INFO] All assessments complete; shutting down

You can use docker-compose with the docker-compose.yaml file in this git repo:

$ docker-compose run --rm scanner -grade -usecache https://github.com
2017/05/13 15:35:37 [INFO] SSL Labs v1.28.5 (criteria version 2009o)
2017/05/13 15:35:37 [NOTICE] Server message: This assessment service is provided free of charge by Qualys SSL Labs, subject to our terms and conditions: https://www.ssllabs.com/about/terms.html
2017/05/13 15:35:39 [INFO] Assessment starting: https://github.com
2017/05/13 15:35:40 [INFO] Assessment complete: https://github.com (2 hosts in 108 seconds)
    192.30.255.112: A+
    192.30.255.113: A+
"https://github.com": "A+"

2017/05/13 15:35:40 [INFO] All assessments complete; shutting down
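The -grade runs above end with one summary line per URL, which makes them easy to gate on in CI. The following POSIX sh script is an added example, not code from this repo: it parses those summary lines, fails when any host grades below a minimum, and wraps the hardened docker run command from this README; the scanner output at the bottom is constructed sample data, and the example.com/example.net URLs are placeholders.

```shell
# Map an SSL Labs letter grade to an integer so grades can be compared (A+ is best).
grade_rank() {
  case "$1" in
    "A+") r=7 ;; A) r=6 ;; "A-") r=5 ;; B) r=4 ;; C) r=3 ;; D) r=2 ;; E) r=1 ;;
    F|T|M) r=0 ;;   # F = failing; T = certificate not trusted; M = name mismatch
    *) r=-1 ;;      # anything unrecognised is treated as worse than F
  esac
  printf '%s\n' "$r"
}

# Pull the per-URL summary lines that -grade prints, e.g.
#   "https://example.com/": "A+"
# out of the full scanner log on stdin and emit "url grade", one pair per line.
parse_grades() {
  sed -n 's/^"\([^"]*\)": "\([^"]*\)"$/\1 \2/p'
}

# Read scanner output on stdin. Returns 0 if every host meets grade $1,
# 1 if any host is below it, and 2 if no grade lines were found at all (so a
# scanner error or an empty hostfile cannot pass the gate silently).
check_min_grade() {
  min_rank=$(grade_rank "$1")
  grades=$(parse_grades)
  if [ -z "$grades" ]; then
    echo "no grade summary lines found in scanner output" >&2
    return 2
  fi
  printf '%s\n' "$grades" | while read -r url grade; do
    if [ "$(grade_rank "$grade")" -lt "$min_rank" ]; then
      echo "FAIL: $url graded $grade, minimum is $1" >&2
      exit 1   # exits the pipeline subshell; becomes the function's status
    fi
  done
}

# Run the scan with the --read-only / --cap-drop options from the README and
# gate the result. Needs Docker and network access, so it is defined but not
# called here; -it is omitted because the output is piped, not read interactively.
scan_and_gate() {   # usage: scan_and_gate A https://example.com/
  docker run --read-only --cap-drop all --rm jumanjiman/ssllabs-scan:latest \
    -grade -usecache "$2" | check_min_grade "$1"
}

# Constructed sample in the format shown above (not a real scan result).
SAMPLE_OUTPUT='    192.0.2.10: A
"https://www.example.com/": "A"
"https://www.example.net/": "B"
2016/03/12 15:45:05 [INFO] All assessments complete; shutting down'
```

Run it as `printf '%s\n' "$SAMPLE_OUTPUT" | check_min_grade B` to see the gate pass, or with `A` to see it report the B-graded host and exit non-zero.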

Scan private sites

You can add entries to /etc/hosts via docker run --add-host or via the docker-compose extra_hosts option. However, this scanner is only a client to the Qualys SSL Labs service. If the hosted service cannot resolve your hostname, it cannot scan your server. If the hosted service cannot reach your server, it cannot perform the scan.

Consider using https://github.com/jumanjihouse/docker-testssl if you need to scan internal sites that are not reachable from the public Internet.
