Docker scanner - a program that gives STIG recommendations based on Docker image references parsed from the files it finds. The main features are:
- Extracting images from Dockerfile, Docker compose, k8s, Helm, Terraform files;
- Dynamic detection of base image based on SHA256 hashes without running the actual image;
- Automatic STIG scan using oscap command.
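As an added illustration of the second feature (this is example code, not the project's own): the layer digests (rootfs diff_ids) read from an OCI image config are compared against a table of known base-image layer chains, and the longest chain that is a prefix of the image's layers wins, so a python image that itself sits on debian is reported as python rather than debian. The table layout, the sample digests and the config document are constructed for this example; the project's real hash file format is not shown on this page.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample of a "base hashes" table: image tag -> ordered layer digests.
# The layout is an assumption for this example, not the project's file format.
BASE_HASHES: Dict[str, List[str]] = {
    "debian:12": ["sha256:aaaa1111", "sha256:bbbb2222"],
    "python:3.12-slim": ["sha256:aaaa1111", "sha256:bbbb2222",
                         "sha256:cccc3333", "sha256:dddd4444"],
    "alpine:3.19": ["sha256:eeee5555"],
}

# Constructed OCI image config (the document `rootfs.diff_ids` lives in); the
# first four layers are python:3.12-slim, the fifth was added by a Dockerfile.
SAMPLE_CONFIG = json.dumps({
    "architecture": "amd64",
    "rootfs": {"type": "layers", "diff_ids": [
        "sha256:aaaa1111", "sha256:bbbb2222", "sha256:cccc3333",
        "sha256:dddd4444", "sha256:ffff6666"]},
})


def layers_from_config(config_json: str) -> List[str]:
    """Return the ordered rootfs diff_ids from an OCI image config document."""
    cfg = json.loads(config_json)
    return list(cfg["rootfs"]["diff_ids"])


def detect_base_image(image_layers: List[str],
                      base_hashes: Dict[str, List[str]] = BASE_HASHES
                      ) -> Optional[Tuple[str, int]]:
    """Return (base_image, matched_layer_count) for the known base whose layer
    chain is the longest prefix of image_layers, or None if nothing matches.

    A prefix comparison is used because layers added by a Dockerfile are
    appended after the base image's layers, so the base chain must appear
    first and in order. Nothing is executed; only digests are compared.
    """
    best: Optional[Tuple[str, int]] = None
    for name, layers in base_hashes.items():
        n = len(layers)
        if n == 0 or n > len(image_layers):
            continue
        if image_layers[:n] == layers and (best is None or n > best[1]):
            best = (name, n)
    return best


if __name__ == "__main__":
    print(detect_base_image(layers_from_config(SAMPLE_CONFIG)))
```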
This directory contains parsed files with base Docker image hashes: compressed and initial versions. It also contains a script and a description of how to obtain these artifacts yourself.
Contains executables used in the project.
The most important is oscap, the binary for running oscap commands.
Contains examples of program outputs and oscap reports.
Contains examples of files that can be parsed for Docker images:
- Docker compose
- Dockerfile
- k8s
- Helm
- Terraform
Contains the Docker image to STIG mapping and the STIG profiles.
Contains the source code of the program, the oscap_docker_python library, and the experiment script with its experiment description file.
Create virtual env:
python3 -m venv .venv
Activate venv:
source ./.venv/bin/activate
Run the main script with sudo:
cd src/
sudo RECURSE=true BASE_IMAGE=true INSPECT_INFO=true STIGS_SCAN=true ../.venv/bin/python3 main.py "path_to_scan_dir"
The Docker version currently cannot run the oscap scan because of the permission setup. This option should be developed further.
docker build -t quiner/docker_scanner:1.0.0 .
Run without RUNTIME_INFO and STIGS_SCAN:
docker run -v ./:/scan_dir:ro -v /var/run/docker.sock:/var/run/docker.sock -e RECURSE=true \
-e BASE_IMAGE=true -e INSPECT_INFO=true quiner/docker_scanner:1.0.0