https://github.com/docker/docker-bench-security
The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
https://github.com/aquasecurity/trivy
A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI.
Trivy (tri pronounced like trigger, vy pronounced like envy) is a simple and comprehensive vulnerability scanner for containers. A software vulnerability is a glitch, flaw, or weakness present in the software or in an operating system. Trivy detects vulnerabilities in OS packages (Alpine, RHEL, CentOS, etc.) and in application dependencies (Bundler, Composer, npm, yarn, etc.). Trivy is easy to use: install the binary and you are ready to scan. All you need to do to scan is specify the name of a container image.
It is designed to be used in CI. Before pushing to a container registry, you can scan your local container image easily.
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
-v $HOME/Library/Caches:/root/.cache/ aquasec/trivy python:3.4-alpine
$ trivy --vuln-type os ruby:2.3.0
https://github.com/theupdateframework/notary
Notary is a tool for publishing and managing trusted collections of content. Publishers can digitally sign collections and consumers can verify integrity and origin of content. This ability is built on a straightforward key management and signing interface to create signed collections and configure trusted publishers.
With Notary anyone can provide trust over arbitrary collections of data. Using The Update Framework (TUF) as the underlying security framework, Notary takes care of the operations necessary to create, manage, and distribute the metadata necessary to ensure the integrity and freshness of your content.
https://sekurak.pl/wprowadzenie-do-narzedzia-zed-attack-proxy-zap/
https://owasp.org/www-project-zap/
Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible.
At its core, ZAP is what is known as a “man-in-the-middle proxy.” It stands between the tester’s browser and the web application so that it can intercept and inspect messages sent between browser and web application, modify the contents if needed, and then forward those packets on to the destination. It can be used as a stand-alone application, and as a daemon process.
Secure computing mode (seccomp) is a Linux kernel feature. You can use it to restrict the actions available within the container. The seccomp() system call operates on the seccomp state of the calling process. You can use this feature to restrict your application’s access.
$ grep SECCOMP /boot/config-$(uname -r)
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECCOMP=y
$ docker container run -it --rm --security-opt seccomp=<profile>.json alpine sh ...
dockerd --seccomp-profile=/etc/docker/seccomp.json
docker run --rm -it --security-opt seccomp=unconfined alpine sh
https://github.com/docker/labs/tree/master/security/seccomp
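As an added example (not code from the page or from the Docker project), a minimal custom profile for the `--security-opt seccomp=<profile>.json` flag above. It keeps Docker's allow-by-default posture but returns EPERM for a short list of kernel-administration and debugging syscalls that an ordinary application container has no reason to make; the file name `deny-admin.json` and the x86 architecture list are assumptions.

```json
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {
      "names": [
        "mount", "umount2", "pivot_root",
        "swapon", "swapoff", "reboot",
        "kexec_load", "init_module", "finit_module", "delete_module",
        "ptrace", "keyctl", "add_key", "request_key",
        "bpf", "perf_event_open", "userfaultfd"
      ],
      "action": "SCMP_ACT_ERRNO",
      "comment": "filesystem, kernel-module, debug and key-management interfaces an app container should never need (constructed example profile)"
    }
  ]
}
```

Start a container with `docker run --rm -it --security-opt seccomp=deny-admin.json alpine sh`; a `mount -t tmpfs none /mnt` inside it now fails with `Operation not permitted` because the filter rejects the syscall before the kernel's capability check runs, so the restriction holds regardless of which capabilities the container was started with.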
http://support.typora.io/Draw-Diagrams-With-Markdown/
https://blog.objectivity.co.uk/what-is-the-best-devops-topology-for-my-company/
https://hub.docker.com/r/anchore/anchore-engine/