Docker makes running containers incredibly simple, a big reason for its popularity. I can quickly and easily run an Nginx container on my workstation, whether Mac, Windows or Linux based.
docker container run --publish 80:80 --detach --name nginx nginx
And as if by magic…
The certified images from Docker are great, and if you use Docker Cloud you can push the images through a pipeline that executes security / vulnerability scanning on the image. However, there are plenty of images in the registry from community contributors - how can you verify them? What if the image contains software that needs to be patched?
We can use InSpec, the compliance testing project from Chef, to verify the state of our Docker images against a security or compliance baseline. You can read more about the InSpec language and the resources available for writing tests on the homepage, or in my blog on the subject.
Please note, at the moment this will not work on Windows containers.
You can install InSpec as part of the ChefDK or by grabbing the executable from the downloads page.
Once installed, reload your terminal session and you should have the inspec CLI in your path.
Using the inspec CLI, we can execute scans against local or remote machines. For example, the following will execute a profile against the local machine.
… and this can be used for remote machines.
Note we’re not setting any additional options, so check the inspec exec help for more information.
Both examples assume we have a profile on our local machine for scanning purposes. There are loads of open source profiles available on the Dev-Sec project’s GitHub page. You can clone a profile or just grab the archive. The key thing is that the profile follows the skeleton format so the InSpec CLI can interpret it correctly.
Scanning a container
I’m going to demonstrate a simple scan against the latest Windows Server Core image from the registry. First let’s run the container.
docker container run --detach -i --name ubuntu ubuntu
Check it’s running.
Now let’s grab an InSpec profile to run against this container.
Using the InSpec CLI I can now run the profile against the Docker container passing in the path to the Linux baseline I just cloned and setting the Docker container ID as a target.
inspec exec linux-baseline -t docker://6242a0d510c1
Here’s an example of an output against the official Ubuntu image.
In the example above I’m using a linux-baseline profile meant for complete Linux OSes, not an Ubuntu based container. Having said that, the principle is still incredibly relevant in a container based workload environment.
InSpec allows us to test the output of a Docker container build, essentially define integration tests for containers… it’s just a matter of designing the tests!
Using the InSpec CLI this can simply form part of a CI/CD pipeline, with a build node calling the InSpec CLI against a dynamic Docker target (container ID).
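As an added example (not code from the original post or the InSpec project), here is a small Python wrapper a build node could use to do exactly that: start the container, run the profile against `docker://<id>`, and fail the build on high-impact control failures. It assumes `docker` and `inspec` are on the PATH, an InSpec version that supports `--reporter json`, and the JSON reporter’s `profiles[].controls[].results[].status` layout; the sample report at the bottom is constructed so the parsing runs offline.

```python
import json
import subprocess

# Added example, not from the original post. Assumes `docker` and `inspec`
# are installed and that this InSpec version supports `--reporter json`.

def start_container(image):
    """Start a detached container (stdin kept open so it stays up) and return its ID."""
    out = subprocess.run(["docker", "container", "run", "--detach", "-i", image],
                         check=True, capture_output=True, text=True)
    return out.stdout.strip()

def scan_command(profile, container_id):
    """Build the inspec exec invocation for a running container target."""
    return ["inspec", "exec", profile, "-t", f"docker://{container_id}",
            "--reporter", "json"]

def failed_controls(report_json, min_impact=0.7):
    """Return [(control id, impact)] for controls with impact >= min_impact
    that have at least one failed result, following the JSON reporter shape:
    profiles[].controls[].results[].status."""
    report = json.loads(report_json)
    failures = []
    for profile in report.get("profiles", []):
        for ctl in profile.get("controls", []):
            if ctl.get("impact", 0.0) < min_impact:
                continue
            if any(r.get("status") == "failed" for r in ctl.get("results", [])):
                failures.append((ctl["id"], ctl["impact"]))
    return failures

def run_gate(profile, image, min_impact=0.7):
    """Scan a fresh container of `image` and return the blocking failures.
    inspec exits non-zero when controls fail, so we do not use check=True."""
    cid = start_container(image)
    try:
        proc = subprocess.run(scan_command(profile, cid), capture_output=True, text=True)
        return failed_controls(proc.stdout, min_impact)
    finally:
        subprocess.run(["docker", "container", "rm", "-f", cid], check=False)

# Constructed sample report (shape only, not real scan output) for offline use.
SAMPLE_REPORT = json.dumps({"profiles": [{"name": "linux-baseline", "controls": [
    {"id": "sample-01", "impact": 1.0, "results": [{"status": "failed"}]},
    {"id": "sample-02", "impact": 0.3, "results": [{"status": "failed"}]},
    {"id": "sample-03", "impact": 1.0, "results": [{"status": "passed"}]},
]}]})

if __name__ == "__main__":
    import sys
    sys.exit(1 if failed_controls(SAMPLE_REPORT) else 0)
```

In a real pipeline, replace `SAMPLE_REPORT` with `run_gate("linux-baseline", "ubuntu")` and let the non-zero exit status fail the job.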