trivy
Need to scan image's misconfiguration information
Hi Team,
Recently, I wanted a security scanner to get an image's misconfiguration information, such as from the Dockerfile that builds the image.
Now I try the command from the documentation:
trivy image --security-checks config IMAGE_NAME
However, the result shows "Detected config files: 0".
I can't get any misconfiguration information. Is this because my command is incorrect? What kinds of misconfiguration can trivy detect from an image? I know it can detect some information from the file system.
When I looked through this project and tried running it myself, I found that trivy seems able to get the Dockerfile that builds the image; maybe we can get misconfigurations from that?
+1 I really need it for my company (40k containers). The idea is to validate an image not when clients try to deploy their application stack at the Kubernetes level, but when clients try to push their images to the corporate repository.
The goal is to implement some compliance checks at the image level:
- Is the Docker image run as root?
- Is port 22 exposed?
- Is the COPY command used instead of ADD?
These are some basic checks, but afterwards we can enrich them:
- Does the base image used to build this image match those that we provide?
Piece of cake: we would like to implement those tests at the Harbor level. This way, when a user tries to push an image to the Harbor repository, we have:
- CVE scan + compliance checks of the Dockerfile used to build it.
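The four Dockerfile compliance checks listed above (root user, port 22, ADD vs COPY, approved base image) can be prototyped outside Trivy with a small Dockerfile parser. The following is an added example and not Trivy's, Dockle's or Harbor's own code; the sample Dockerfiles and the corporate base-image allowlist (registry.example.corp/...) are constructed for illustration.

```python
import re

# Constructed sample: a Dockerfile that trips every check discussed in the thread.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:22.04
ADD app.tar.gz /opt/app
EXPOSE 22 8080
CMD ["/opt/app/run"]
"""

# Constructed sample: the same build hardened so that no check fires.
HARDENED_DOCKERFILE = """\
FROM registry.example.corp/base/ubuntu:22.04
COPY app/ /opt/app
EXPOSE 8080
USER 1000:1000
CMD ["/opt/app/run"]
"""

# Hypothetical corporate allowlist of approved base images (assumption, not a real registry).
APPROVED_BASES = {
    "registry.example.corp/base/ubuntu:22.04",
    "registry.example.corp/base/alpine:3.18",
}

def parse_dockerfile(text):
    """Return (INSTRUCTION, argument) pairs; joins backslash continuations and skips comments."""
    joined = re.sub(r"\\\s*\n", " ", text)
    pairs = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return pairs

def check_dockerfile(text, approved_bases=APPROVED_BASES):
    """Run the thread's compliance checks; returns a list of human-readable findings."""
    findings = []
    last_user = None  # None means no USER instruction at all, i.e. root by default
    for instr, arg in parse_dockerfile(text):
        if instr == "FROM":
            image = [t for t in arg.split() if not t.startswith("--")][0]  # drop --platform and "AS stage"
            if image not in approved_bases:
                findings.append(f"FROM: base image {image!r} is not an approved corporate base")
        elif instr == "USER":
            last_user = arg.split(":")[0].strip()  # "user:group" -> user part only
        elif instr == "EXPOSE" and "22" in {p.split("/")[0] for p in arg.split()}:
            findings.append("EXPOSE: port 22 (SSH) is exposed")
        elif instr == "ADD":
            findings.append(f"ADD: use COPY instead of ADD ({arg})")
    if last_user is None or last_user in ("root", "0"):
        findings.append("USER: final stage runs as root (no non-root USER set)")
    return findings
```

Running `check_dockerfile(SAMPLE_DOCKERFILE)` yields four findings, while the hardened variant yields none; a registry-side hook (for example at push time) could reject images whose Dockerfile produces any finding.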
@itaysk hello, do we already have an idea of approximately when the feature will be developed?
Could we hope for this feature before the end of this year?
Thanks
Hopefully, we will include this feature in v0.37.0. We talked with the maintainer of Dockle. We're planning to integrate Dockle into Trivy.