Trying out Docker security scanning(?) tools

When I ran dockle (installed with brew install) against an image brought up with docker compose, this happened:
dockle my-docker-image-built-with-compose
2025-05-10T16:42:08.046+0900 FATAL unable to initialize a image struct: failed to initialize source: reading manifest latest in docker.io/library/my-docker-image-built-with-compose: requested access to the resource is denied
zsh: exit 1 dockle my-docker-image-built-with-compose

VERSION=$(
curl --silent "https://api.github.com/repos/goodwithtech/dockle/releases/latest" | \
grep '"tag_name":' | \
sed -E 's/.*"v([^"]+)".*/\1/' \
) && docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
goodwithtech/dockle:v${VERSION} my-docker-image-built-with-compose
It worked when I did it this way.

In other words:
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock goodwithtech/dockle:v0.4.15 my-docker-image-built-with-compose

dockle probably failed because it can't see the socket file.
I'm running under colima, and docker.sock isn't at the default location.

The socket stuff just isn't working out, so the docker route is easier.
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/.cache/trivy:/root/.cache/ aquasec/trivy image my-docker-image-built-with-compose:latest

Running it against ubuntu gives this:
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/.cache/trivy:/root/.cache/ aquasec/trivy image ubuntu
2025-05-10T07:59:41Z INFO [vuln] Vulnerability scanning is enabled
2025-05-10T07:59:41Z INFO [secret] Secret scanning is enabled
2025-05-10T07:59:41Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-05-10T07:59:41Z INFO [secret] Please see also https://trivy.dev/v0.62/docs/scanner/secret#recommendation for faster secret detection
2025-05-10T07:59:43Z INFO Detected OS family="ubuntu" version="24.04"
2025-05-10T07:59:43Z INFO [ubuntu] Detecting vulnerabilities... os_version="24.04" pkg_num=92
2025-05-10T07:59:43Z INFO Number of language-specific files num=0
Report Summary
┌───────────────────────┬────────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├───────────────────────┼────────┼─────────────────┼─────────┤
│ ubuntu (ubuntu 24.04) │ ubuntu │ 16 │ - │
└───────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
ubuntu (ubuntu 24.04)
=====================
Total: 16 (UNKNOWN: 0, LOW: 8, MEDIUM: 8, HIGH: 0, CRITICAL: 0)
┌────────────────────┬────────────────┬──────────┬──────────┬─────────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├────────────────────┼────────────────┼──────────┼──────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ coreutils │ CVE-2016-2781 │ LOW │ affected │ 9.4-3ubuntu6 │ │ coreutils: Non-privileged session can escape to the parent │
│ │ │ │ │ │ │ session in chroot │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2016-2781 │
├────────────────────┼────────────────┤ │ ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ gpgv │ CVE-2022-3219 │ │ │ 2.4.4-2ubuntu17.2 │ │ gnupg: denial of service issue (resource consumption) using │
│ │ │ │ │ │ │ compressed packets │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-3219 │
├────────────────────┼────────────────┤ │ ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libc-bin │ CVE-2016-20013 │ │ │ 2.39-0ubuntu8.4 │ │ sha256crypt and sha512crypt through 0.6 allow attackers to │
│ │ │ │ │ │ │ cause a denial of... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2016-20013 │
├────────────────────┤ │ │ │ ├───────────────┤ │
│ libc6 │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
├────────────────────┼────────────────┤ │ ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libgcrypt20 │ CVE-2024-2236 │ │ │ 1.10.3-2build1 │ │ libgcrypt: vulnerable to Marvin Attack │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-2236 │
├────────────────────┼────────────────┼──────────┤ ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libpam-modules │ CVE-2024-10041 │ MEDIUM │ │ 1.5.3-5ubuntu5.1 │ │ pam: libpam: Libpam vulnerable to read hashed password │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-10041 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-10963 │ │ │ │ │ pam: Improper Hostname Interpretation in pam_access Leads to │
│ │ │ │ │ │ │ Access Control Bypass │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-10963 │
├────────────────────┼────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ libpam-modules-bin │ CVE-2024-10041 │ │ │ │ │ pam: libpam: Libpam vulnerable to read hashed password │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-10041 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-10963 │ │ │ │ │ pam: Improper Hostname Interpretation in pam_access Leads to │
│ │ │ │ │ │ │ Access Control Bypass │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-10963 │
├────────────────────┼────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ libpam-runtime │ CVE-2024-10041 │ │ │ │ │ pam: libpam: Libpam vulnerable to read hashed password │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-10041 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-10963 │ │ │ │ │ pam: Improper Hostname Interpretation in pam_access Leads to │
│ │ │ │ │ │ │ Access Control Bypass │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-10963 │
├────────────────────┼────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ libpam0g │ CVE-2024-10041 │ │ │ │ │ pam: libpam: Libpam vulnerable to read hashed password │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-10041 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-10963 │ │ │ │ │ pam: Improper Hostname Interpretation in pam_access Leads to │
│ │ │ │ │ │ │ Access Control Bypass │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-10963 │
├────────────────────┼────────────────┼──────────┤ ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libssl3t64 │ CVE-2024-41996 │ LOW │ │ 3.0.13-0ubuntu3.5 │ │ openssl: remote attackers (from the client side) to trigger │
│ │ │ │ │ │ │ unnecessarily expensive server-side... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-41996 │
├────────────────────┼────────────────┤ │ ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ login │ CVE-2024-56433 │ │ │ 1:4.13+dfsg1-4ubuntu3.2 │ │ shadow-utils: Default subordinate ID configuration in │
│ │ │ │ │ │ │ /etc/login.defs could lead to compromise │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-56433 │
├────────────────────┤ │ │ │ ├───────────────┤ │
│ passwd │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
└────────────────────┴────────────────┴──────────┴──────────┴─────────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

Let's look at dockle too.
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock goodwithtech/dockle:v0.4.15 ubuntu
WARN - CIS-DI-0001: Create a user for the container
* Last user should not be root
WARN - DKL-DI-0006: Avoid latest tag
* Avoid 'latest' tag
INFO - CIS-DI-0005: Enable Content trust for Docker
* export DOCKER_CONTENT_TRUST=1 before docker pull/build
INFO - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
* not found HEALTHCHECK statement
INFO - CIS-DI-0008: Confirm safety of setuid/setgid files
* setuid file: urwxr-xr-x usr/bin/gpasswd
* setuid file: urwxr-xr-x usr/bin/su
* setuid file: urwxr-xr-x usr/bin/newgrp
* setgid file: grwxr-xr-x usr/sbin/unix_chkpwd
* setuid file: urwxr-xr-x usr/bin/chfn
* setuid file: urwxr-xr-x usr/bin/mount
* setgid file: grwxr-xr-x usr/bin/chage
* setuid file: urwxr-xr-x usr/bin/umount
* setuid file: urwxr-xr-x usr/bin/chsh
* setuid file: urwxr-xr-x usr/bin/passwd
* setgid file: grwxr-xr-x usr/bin/expiry
* setgid file: grwxr-xr-x usr/sbin/pam_extrausers_chkpwd

hadolint
docker run --rm -i ghcr.io/hadolint/hadolint < Dockerfile
This feels like something worth adding casually.
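The three scanners above (hadolint, dockle, trivy) wrapped in one script, as an added example that is not part of the original scrap or of any of those projects. It addresses the colima problem from earlier: instead of hard-coding /var/run/docker.sock, it asks the docker CLI which socket the active context uses and mounts that path. It assumes the docker CLI is installed; the image name, dockle version and Dockerfile path are parameters, and the scanner flags (--exit-code, --exit-level, --severity, --ignore-unfixed) are real options of dockle and trivy.

```shell
#!/bin/sh
# Added example, not from the original scrap: run hadolint, dockle and trivy
# from containers against a locally built image, resolving the Docker socket
# from the active docker context so it also works with colima's non-default
# socket location. Assumes the docker CLI is installed.
set -eu

# unix:///path/docker.sock -> /path/docker.sock; empty for tcp:// and others.
socket_path_from_host() {
  case "$1" in
    unix://*) printf '%s\n' "${1#unix://}" ;;
    *)        printf '\n' ;;
  esac
}

# Ask the docker CLI which endpoint the current context talks to; fall back
# to the conventional path when docker is absent or the host is not a socket.
resolve_docker_socket() {
  host=""
  if command -v docker >/dev/null 2>&1; then
    host=$(docker context inspect --format '{{.Endpoints.docker.Host}}' 2>/dev/null || true)
  fi
  sock=$(socket_path_from_host "${host:-unix:///var/run/docker.sock}")
  printf '%s\n' "${sock:-/var/run/docker.sock}"
}

# Command line for dockle: exit 1 on WARN-or-worse findings such as
# CIS-DI-0001 (last user is root) and DKL-DI-0006 (latest tag) seen above.
dockle_cmd() {  # $1 socket path, $2 image, $3 dockle version (e.g. 0.4.15)
  printf 'docker run --rm -v %s:/var/run/docker.sock goodwithtech/dockle:v%s --exit-code 1 --exit-level warn %s\n' \
    "$1" "$3" "$2"
}

# Command line for trivy: keep the vulnerability DB cached on the host, fail
# only on HIGH/CRITICAL, and skip findings with no fix available (like the
# LOW/MEDIUM unfixed ubuntu:24.04 results above, which nobody can act on yet).
trivy_cmd() {  # $1 socket path, $2 image
  printf 'docker run --rm -v %s:/var/run/docker.sock -v %s/.cache/trivy:/root/.cache/ aquasec/trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed %s\n' \
    "$1" "${HOME:-/root}" "$2"
}

# hadolint reads the Dockerfile from stdin, so it needs no socket at all.
hadolint_cmd() {  # $1 Dockerfile path
  printf 'docker run --rm -i ghcr.io/hadolint/hadolint < %s\n' "$1"
}

# Run all three in order; because of set -e the first failing scanner stops
# the script, which is the behaviour you want in a CI gate.
scan_image() {  # $1 image, $2 dockle version, $3 Dockerfile path
  sock=$(resolve_docker_socket)
  echo "using docker socket: $sock"
  eval "$(hadolint_cmd "$3")"
  eval "$(dockle_cmd "$sock" "$1" "$2")"
  eval "$(trivy_cmd "$sock" "$1")"
}

# Usage: IMAGE=my-docker-image-built-with-compose:latest sh scan.sh
# (optionally DOCKLE_VERSION=0.4.15 DOCKERFILE=path/to/Dockerfile)
if [ -n "${IMAGE:-}" ]; then
  scan_image "$IMAGE" "${DOCKLE_VERSION:-0.4.15}" "${DOCKERFILE:-Dockerfile}"
fi
```

Two design points: the socket path comes from `docker context inspect`, so on a colima host the script mounts colima's socket rather than a non-existent /var/run/docker.sock, which is exactly why the brew-installed dockle failed earlier; and both scanners are given explicit failure thresholds, because without `--exit-code 1` neither tool changes its exit status on findings and a CI job would pass regardless of what it reported.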