docker-testssl
http://testssl.sh/ in a tiny docker container
Test TLS/SSL of arbitrary services and ports
- Overview
- How-To
  - Pull an already-built image
  - Run the image
  - Build and test images locally
  - View labels
- Contribute
- About the build
- Stale tags
- Operational status of SaaS providers
- License
Overview
This repo provides docker images for testssl.sh, a free command line tool to check a service on any port for the support of TLS/SSL ciphers, protocols, recent cryptographic flaws, and more.
Each image provides everything needed to run testssl.sh the way upstream intends it to be run.
Build status for master branch:
Docker image: https://quay.io/repository/jumanjiman/testssl
Docker source: https://github.com/jumanjihouse/docker-testssl
Upstream source: https://github.com/drwetter/testssl.sh
:warning: The latest tag at quay refers to the stable version.
How-To
Pull an already-built image
docker pull quay.io/jumanjiman/testssl
Run the image
You can run the image using the docker-compose.yaml file in this git repo:
# Show help.
docker-compose run testssl --help
# Do a limited scan with a subset of options against one host.
docker-compose run testssl --heartbleed --ip one https://www.google.com/
You can also run the image with the docker command directly:
run_opts="
-i
-t
--rm
--read-only
--cap-drop all
--memory 100M
--pids-limit 1000
--cpu-shares 512
"
docker run ${run_opts} quay.io/jumanjiman/testssl --help
The above examples use --read-only and --cap-drop all as recommended by the CIS Docker Security Benchmarks:
- CIS Security Benchmark for Docker 1.6
- CIS Security Benchmark for Docker 1.11
- CIS Security Benchmark for Docker 1.12
- CIS Security Benchmark for Docker 1.13
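A small wrapper around the hardened docker run invocation above that writes testssl.sh's JSON report through a bind mount (the container itself is read-only) and summarizes the findings by severity, so the scan can gate a CI job. This is an added example, not code from this repo or from testssl.sh; the --jsonfile flag and the id/severity/finding keys are testssl.sh's own output format, while the /out mount path, the writable-mount assumption, and the sample findings are assumptions constructed for the demonstration.

```python
"""Run the docker-testssl image with the README's hardened docker options and
summarize the scan. Added example, not code from this repo or from testssl.sh."""
import json
import os
import subprocess
from collections import Counter

IMAGE = "quay.io/jumanjiman/testssl"
# Run options copied from the README's run_opts (CIS Docker Benchmark
# recommendations); -i/-t are dropped because this runs non-interactively.
RUN_OPTS = ["--rm", "--read-only", "--cap-drop", "all", "--memory", "100M",
            "--pids-limit", "1000", "--cpu-shares", "512"]
# Severities that should fail a CI gate, spelled as testssl.sh emits them.
FAIL_ON = {"HIGH", "CRITICAL"}

# Constructed sample of testssl.sh --jsonfile output (keys id/severity/finding
# as testssl.sh writes them); used for the offline demonstration.
SAMPLE_FINDINGS = [
    {"id": "heartbleed", "ip": "example/203.0.113.10", "port": "443",
     "severity": "OK", "finding": "not vulnerable, no heartbeat extension"},
    {"id": "SSLv3", "ip": "example/203.0.113.10", "port": "443",
     "severity": "HIGH", "finding": "offered"},
    {"id": "TLS1_2", "ip": "example/203.0.113.10", "port": "443",
     "severity": "OK", "finding": "offered"},
]

def docker_cmd(target, out_dir):
    """Build the hardened docker command. Because the container is read-only,
    the JSON report goes to a bind-mounted directory (assumption: /out in the
    container is writable by the user the image runs as)."""
    return ["docker", "run", *RUN_OPTS, "-v", f"{out_dir}:/out", IMAGE,
            "--jsonfile", "/out/testssl.json", target]

def summarize(findings):
    """Return (count per severity, findings that should fail the gate)."""
    counts = Counter(f.get("severity", "UNKNOWN") for f in findings)
    failing = [f for f in findings if f.get("severity") in FAIL_ON]
    return counts, failing

def scan(target, out_dir):
    """Run the container against target and return a CI-style exit code."""
    os.makedirs(out_dir, exist_ok=True)
    subprocess.run(docker_cmd(target, out_dir), check=False)
    with open(os.path.join(out_dir, "testssl.json")) as fh:
        counts, failing = summarize(json.load(fh))
    for sev, n in sorted(counts.items()):
        print(f"{sev:9} {n}")
    for f in failing:
        print(f"{f['severity']}: {f['id']} -> {f['finding']}")
    return 1 if failing else 0
```

Calling scan("https://www.google.com/", "./out") runs the container for real; summarize(SAMPLE_FINDINGS) exercises the gate logic without docker.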
Build and test images locally
:warning: All build configuration variables are in ci/build.
On a host, such as devenv:
# Optional. Your URL may vary.
export DOCKER_HOST=tcp://192.168.254.162:2375
# Build images.
ci/build
# Run the tests.
ci/test
Note: The test harness requires Python and the pip command.
View labels
Each built image has labels that generally follow http://label-schema.org/.
We add a label, ci-build-url, that is not currently part of the schema.
This extra label provides a permanent link to the CI build for the image.
View the ci-build-url label on a built image:
docker inspect \
-f '{{ index .Config.Labels "io.github.jumanjiman.ci-build-url" }}' \
quay.io/jumanjiman/testssl
Query all the labels inside a built image:
docker inspect quay.io/jumanjiman/testssl | jq -M '.[].Config.Labels'
Contribute
Fork this repo and see CONTRIBUTING.md.
:warning: All build configuration variables are in ci/build.
About the build
ci/build uses docker-compose to create a "base" image that contains the statically-linked version of openssl from https://testssl.sh/.
From the common base, ci/build creates two runtime images:
- stable version of the testssl.sh script
- dev version of the testssl.sh script
When the build happens against the master branch on CircleCI, the ci/publish script pushes both the stable and dev images to Quay.io.
It also pushes a "latest" tag, which refers to the stable version.
Stale tags
Old images tend to have vulnerabilities.
Quay has a feature to use a special label, quay.expires-after, to expire tags.
This repo applies the label to images so that old images get deleted automatically.
See https://support.coreos.com/hc/en-us/articles/115001384693-Tag-Expiration
for more information about the Quay feature.
See src/Dockerfile for the current value of the label.
:warning: This is a Quay feature, not a docker feature.
Operational status of SaaS providers
CircleCI: http://status.circleci.com/
Quay registry: http://status.quay.io/
License
This repo, testssl, and openssl are licensed under the GPLv2. See LICENSE.