slim
New guide on container security best practices
Purpose
- A best practice guide to help folks easily and automatically scan container (Docker) related code repositories for vulnerabilities
Proposed Changes
- [ADD] New best practice guide and associated files
- [CHANGE] Yarn plugin added to help render code snippets
Issues
- #155
Testing
- Site rendered locally successfully and without build errors
- See example of guide: https://riverma.github.io/slim/docs/guides/software-lifecycle/security/dependency-vulnerability-scanning/
Minor "here" hyperlink issue but otherwise looks great, reads great. And I learned about `.mdx` files!
Thanks for reviewing this @nutjob4life! Much appreciated! Yeah - MDX is allowing these guides to get all fancy, with embedded code and additional features. Some interesting possibilities down-the-line!
Curious if the hyperlink issue you were seeing was related to this block or somewhere else?
@riverma weird, my comment got dropped somehow.
Anyway, the issue is the hyperlinking of [here]. It's a pet peeve of mine. Hyperlinking the word "here" makes a tiny target (Section 508 issue) but is also relatively free of context. Read more about it.
You can rework it by writing something like:
NOTE: you'll need a DockerHub account to run the `docker scout` tool.
Note that this command will compare a local scan's results with Docker's database.
[More information about Docker Scout is available](https://docs.docker.com/scout/quickstart/).
Thanks for the clarification! Feedback incorporated 👍
I didn't engage a formal review, but added a number of comments. Hopefully they are helpful.
Also, I wanted to note there is no reason why we cannot have multiple container security guides, including a specific Docker container security guide.
One suggestion from @ddalton-swe is to look at this tool (which is being utilized for some current projects): https://github.com/anchore/grype
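Since the thread settles on Grype as the scanner, here is what "scan automatically" looks like once the tool is in a pipeline: the scan itself is `grype <image> -o json`, and the step that matters for CI is the policy applied to its output. The script below is an added example written for this page; it is not code from the SLIM guide, the slim repository or the Grype project. It assumes the field layout Grype's JSON reporter emits (`matches[].vulnerability.{id,severity,fix}` and `matches[].artifact.{name,version}`); the embedded report is a constructed sample with placeholder IDs, not the output of a real scan. For a plain severity threshold Grype's own `--fail-on` and `--only-fixed` flags are enough; the point of doing it in code is the ignore list and the per-severity summary, which you typically want in a build log.

```python
"""CI gate for a Grype JSON vulnerability report.

Added example for this page, not code from the SLIM guide or from Grype.
Assumes the JSON layout produced by `grype <image> -o json`:
  matches[].vulnerability.{id, severity, fix.state, fix.versions}
  matches[].artifact.{name, version}
The report below is a CONSTRUCTED sample with placeholder IDs.
"""
import json
import sys

# Grype severities, ranked so a threshold comparison is a simple integer compare.
SEVERITY_RANK = {"Unknown": -1, "Negligible": 0, "Low": 1,
                 "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample report (placeholder IDs and package names).
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"versions": ["1.2.3"], "state": "fixed"}},
         "artifact": {"name": "libexample", "version": "1.2.2", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "othertool", "version": "0.9.0", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                           "fix": {"versions": ["2.0.1"], "state": "fixed"}},
         "artifact": {"name": "smalllib", "version": "2.0.0", "type": "python"}},
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "High",
                           "fix": {"versions": ["3.1.0"], "state": "fixed"}},
         "artifact": {"name": "ignoredpkg", "version": "3.0.0", "type": "deb"}},
    ]
})


def parse_matches(report_json):
    """Flatten the fields the gate needs out of a Grype JSON report."""
    report = json.loads(report_json)
    findings = []
    for match in report.get("matches", []):
        vuln = match.get("vulnerability", {})
        artifact = match.get("artifact", {})
        fix = vuln.get("fix") or {}
        findings.append({
            "id": vuln.get("id", "?"),
            "severity": vuln.get("severity", "Unknown"),
            "package": artifact.get("name", "?"),
            "version": artifact.get("version", "?"),
            "fix_state": fix.get("state", "unknown"),
            "fix_versions": list(fix.get("versions") or []),
        })
    return findings


def summarize(findings):
    """Count findings per severity, for the build log."""
    counts = {}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


def evaluate(findings, fail_on="High", only_fixed=False, ignore_ids=()):
    """Return the findings that violate the policy, most severe first.

    fail_on:    minimum severity that fails the build (Grype severity name).
    only_fixed: when True, ignore findings with no fixed version available.
    ignore_ids: vulnerability IDs accepted by a documented risk decision.
    """
    threshold = SEVERITY_RANK[fail_on]
    ignored = set(ignore_ids)
    violations = []
    for finding in findings:
        if finding["id"] in ignored:
            continue
        if SEVERITY_RANK.get(finding["severity"], -1) < threshold:
            continue
        if only_fixed and finding["fix_state"] != "fixed":
            continue
        violations.append(finding)
    # sorted() is stable, so equal severities keep report order.
    return sorted(violations,
                  key=lambda f: -SEVERITY_RANK.get(f["severity"], -1))


def main(argv):
    # Usage: grype <image> -o json > report.json && python gate.py report.json
    # With no argument the constructed sample report is used.
    if argv:
        with open(argv[0], encoding="utf-8") as fh:
            report_json = fh.read()
    else:
        report_json = SAMPLE_REPORT
    findings = parse_matches(report_json)
    print("severity counts:", summarize(findings))
    violations = evaluate(findings, fail_on="High", only_fixed=True,
                          ignore_ids=["CVE-0000-0004"])
    for v in violations:
        fixes = ", ".join(v["fix_versions"]) or "none"
        print(f"{v['severity']:<8} {v['id']:<16} {v['package']}@{v['version']}"
              f"  fix: {fixes}")
    return 1 if violations else 0


if __name__ == "__main__":
    raise SystemExit(main(sys.argv[1:]))
```

Run against the sample, the gate fails the build on the one Critical finding with a fix available, skips the High that has no fix (because `only_fixed=True`), and skips the ignored ID; the Low is below the threshold. Which of those three knobs you turn is the policy decision the guide leaves to each project.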
Thank you for the extensive review @jpl-jengelke. I'm going to try out an OCI-compliant tool to support non-Docker containers, but if they are insufficient I'll suggest we take @lewismc's suggestion and make this a Docker-specific guide for now, and add in other scanning tools the community suggests for other container types later.
@NASA-AMMOS/slim-community - I've made some updates to this PR to take into account feedback from @nutjob4life @jpl-jengelke @lewismc. Let me know if you have other thoughts!
See live rendering here: https://riverma.github.io/slim/docs/guides/software-lifecycle/security/dependency-vulnerability-scanning/
This is a fabulous guide and I am looking forward to bringing Grype into my toolchain. Big time approval.
I did have some comments but they can largely be ignored.
Thanks for the guide!
Thanks @nutjob4life - appreciate you taking the time and glad the guide is useful!
One other comment: the image `static/img/continuous-testing-image.png` is included in the pull request but isn't referenced? Did I miss it?
Looks like `main` wasn't merged fully in this branch. I've updated, and changes like the above are no longer in the PR. Thanks for catching this.
Guide has been vetted by projects like OPERA and PDS. Authorizing a merge.