leogoncha / docker-image-policy

This project forked from bryanlatten/docker-image-policy

Quick validation of an inspected Docker image according to a policy file

License: Apache License 2.0

JavaScript 100.00%

docker-image-policy

Usage

  • Uses pre-built containers on Docker Hub
  • Uses default policy

Pipe a target image's Docker-inspected output into the container's stdin:

docker inspect {target_image} | docker run -i bryanlatten/docker-image-policy

Failing Run, using default policy
docker inspect 359039b8c10c | docker run -i bryanlatten/docker-image-policy

Scanning <sha256:4612b98d0345171da30a0318faa9d1b05da7c8cb1440d5f5d2e5f032f49908c0>
Docker Build: 17.03.0-ce
Parent: sha256:905312a465bdd005beb8d6c319f1170e391d9c9f0da8d4da60d7eccc16b56661

Using policy <./default_policy.yaml>

[PASS] 4MB within 1500MB container size limit
[FAIL] disallowed labels present:
  - com.swipely.iam-docker.iam-profile
[FAIL] disallowed env keys present:
  - IAM_ROLE
[PASS] volumes not allowed, none defined
[FAIL] exposed port(s) required
[PASS] no healthcheck specified
[PASS] 3 filesystem layers, maximum: 100

Status [FAIL]

Passing Run, using default policy
docker inspect d183d547d7ab | docker run -i bryanlatten/docker-image-policy

Scanning <sha256:d183d547d7abcb0d68f9ed4598963120a4e82d4105bcdf4585f6ef553400f913>
Docker Build: 1.12.6-cs6
Parent:

Using policy <./default_policy.yaml>

[PASS] 370MB within 1500MB container size limit
[PASS] labels validated
[PASS] env keys validated
[PASS] volumes not allowed, none defined
[FAIL] exposed port(s) required
[PASS] no healthcheck specified
[PASS] 3 filesystem layers, maximum: 100

Status [PASS]

Policy

A YAML file describing the specific policies to validate for the given Docker image.

Supported rules:

  • Restrict LABEL usage by name

    labels:
      disallow:
      - com.swipely.iam-docker.iam-profile

  • Restrict ENV usage by name

    env_keys:
      disallow:
      - IAM_ROLE

  • Restrict EXPOSE port ranges, and/or require ports to comply with a range

    ports:
      required: true
      range: '8080-99999'

  • Restrict VOLUME usage

    volumes:
      disallowed: true

  • Restrict maximum container size

    size:
      # In MB
      max: 1500
      warning: 1000

  • Restrict health check usage

    healthcheck:
      # Causes contention between orchestrator and Docker engine health status
      disallowed: true

  • Restrict maximum number of filesystem layers

    layers:
      max: 100
      warning: 20
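
How the rules above line up with fields of docker inspect output, shown as an added example that is not the project's own code. The function name checkImage, the failure strings, the plain-object policy and the sample image are assumptions constructed for illustration, and 1 MB is assumed to be 10^6 bytes.

```javascript
// Added example, not the project's code. Field names are those of `docker inspect` image output.
// Policy mirrors the rule snippets above, as a plain object to avoid a YAML parser dependency.
const examplePolicy = {
  labels: { disallow: ['com.swipely.iam-docker.iam-profile'] },
  env_keys: { disallow: ['IAM_ROLE'] },
  ports: { required: true, range: '8080-99999' },
  volumes: { disallowed: true },
  size: { max: 1500 },
  healthcheck: { disallowed: true },
  layers: { max: 100 },
};

// Constructed sample shaped like one trimmed `docker inspect` entry (all values made up).
const sampleImage = {
  Size: 4 * 1000 * 1000,
  Config: {
    Labels: { 'com.swipely.iam-docker.iam-profile': 'placeholder' },
    Env: ['PATH=/usr/local/bin:/usr/bin', 'IAM_ROLE=placeholder'],
    ExposedPorts: null,
    Volumes: null,
  },
  RootFS: { Layers: ['sha256:aaa', 'sha256:bbb', 'sha256:ccc'] },
};

// Returns a list of rule violations (hypothetical names); an empty list means the image passes.
function checkImage(image, policy) {
  const cfg = image.Config || {};
  const failures = [];
  const envKeys = (cfg.Env || []).map((kv) => kv.split('=')[0]); // Env entries are "KEY=value"
  const ports = Object.keys(cfg.ExposedPorts || {}).map((p) => parseInt(p, 10)); // keys look like "8080/tcp"
  const [lo, hi] = policy.ports.range.split('-').map(Number);

  for (const name of Object.keys(cfg.Labels || {})) {
    if (policy.labels.disallow.includes(name)) failures.push(`label:${name}`);
  }
  for (const key of envKeys) {
    if (policy.env_keys.disallow.includes(key)) failures.push(`env:${key}`);
  }
  if (policy.ports.required && ports.length === 0) failures.push('ports:none');
  for (const port of ports) {
    if (port < lo || port > hi) failures.push(`port:${port}`);
  }
  if (policy.volumes.disallowed && Object.keys(cfg.Volumes || {}).length > 0) failures.push('volumes');
  if (image.Size / 1e6 > policy.size.max) failures.push('size'); // assumes 1 MB = 10^6 bytes
  if (policy.healthcheck.disallowed && cfg.Healthcheck) failures.push('healthcheck');
  if (((image.RootFS || {}).Layers || []).length > policy.layers.max) failures.push('layers');
  return failures;
}

console.log(checkImage(sampleImage, examplePolicy));
```

The label and env checks compare names only, so a secret stored under an unlisted key is not detected by this kind of rule.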

Local Development

  1. Prerequisites: nodejs (8.0+), npm (5.0+), docker
  2. Clone repo
  3. npm i
  4. Pipe Docker's inspect output into the app: docker inspect {target_image} | node index.js

Testing

  • After local installation, run npm test in the working directory

Local Development: Docker

  1. Clone repo
  2. docker build -t imagepolicy .
  3. docker inspect {target_image} | docker run -i imagepolicy
