trivy can scan dockerfile more than matching pattern Dockerfile* #2608

Closed
zdtsw opened this issue Jul 27, 2022 · 4 comments · Fixed by #2625
Labels
kind/feature Categorizes issue or PR as related to a new feature.
zdtsw commented Jul 27, 2022

The current version of trivy only supports a dockerfile whose name starts with "Dockerfile".
The same applies when one is passed as the target: it only looks for "Dockerfile*".
Since docker supports -f <dockerfile>, trivy should have a similar feature. This is very useful with multiple dockerfiles.
Some suggestions:

  1. allow the user to specify their dockerfile's name, e.g. trivy fs --security-checks config --file dockerfile1, dockerfile2, ...
  2. create a new type for --security-checks, e.g. --security-checks dockerfile, and use it along with --skip-files, e.g. trivy fs --security-checks dockerfile --skip-files some.txt .

See the test log:

docker$ trivy --version
Version: 0.30.4
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-07-27 12:07:07.855242681 +0000 UTC
  NextUpdate: 2022-07-27 18:07:07.855242281 +0000 UTC
  DownloadedAt: 2022-07-27 13:25:19.565918 +0000 UTC

docker$ trivy fs --security-checks config dockerfile 
2022-07-27T18:46:38.004+0200	INFO	Misconfiguration scanning is enabled
2022-07-27T18:46:38.042+0200	INFO	Detected config files: 0

docker$ trivy fs --security-checks config .
2022-07-27T18:58:35.661+0200	INFO	Misconfiguration scanning is enabled
2022-07-27T18:58:35.699+0200	INFO	Detected config files: 0

After renaming dockerfile to Dockerfile, it works:

docker$ mv dockerfile Dockerfile
docker$ trivy fs --security-checks config Dockerfile 
2022-07-27T18:46:51.456+0200	INFO	Misconfiguration scanning is enabled
2022-07-27T18:46:51.557+0200	INFO	Detected config files: 1

Dockerfile (dockerfile)

Tests: 22 (SUCCESSES: 21, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


docker$ trivy fs --security-checks config .
2022-07-27T18:46:55.523+0200	INFO	Misconfiguration scanning is enabled
2022-07-27T18:46:55.624+0200	INFO	Detected config files: 1

Dockerfile (dockerfile)

Tests: 22 (SUCCESSES: 21, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────────────
zdtsw added the kind/feature label Jul 27, 2022
knqyf263 (Collaborator) commented Jul 28, 2022

Doesn't --file-pattern satisfy your requirement?
https://aquasecurity.github.io/trivy/v0.30.4/docs/misconfiguration/options/others/
https://github.com/aquasecurity/trivy/tree/f9c17bd2d87b9c02da1eebd21dd45ce1ccf97995/examples/misconf/file-patterns

zdtsw (Author) commented Jul 28, 2022

Thanks for the tips!
I've tried with --file-patterns but did not manage to get what I want:

docker$ mv Dockerfile dockerf
dockerf

docker$ head dockerf 
FROM alpine:3.12.4
.....

docker$ trivy conf --file-patterns "dockerfile:dockerf" .
2022-07-28T09:42:44.508+0200	INFO	Misconfiguration scanning is enabled
2022-07-28T09:42:44.545+0200	INFO	Detected config files: 0

docker$ trivy conf --file-patterns "dockerfile:.*dockerf" .
2022-07-28T09:43:18.807+0200	INFO	Misconfiguration scanning is enabled
2022-07-28T09:43:18.844+0200	INFO	Detected config files: 0

zdtsw commented Jul 28, 2022

One more thing to confirm: using trivy config should be equivalent to trivy fs --security-checks config, right?

knqyf263 (Collaborator) commented:

> One more thing to confirm: using trivy config should be equivalent to trivy fs --security-checks config, right?

Yes.

@DmitriyLewen Could you take a look? --file-patterns should work.
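As an added illustration (not trivy's own code, and not the fix in #2625), the Go program below re-implements the two file-selection rules this thread is about: the default name-based rule the issue describes (base name starting with Dockerfile) and a user-supplied type:regex spec of the form --file-patterns takes. The type names, the order in which custom patterns and the default rule are consulted, and matching the regex against the slash-separated path relative to the scan root are assumptions made for the example; the sample file tree is constructed to mirror the thread (a lower-case dockerfile, the renamed dockerf, a normal Dockerfile and an unrelated compose file).

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ConfigType names the misconfiguration scanner a file is routed to.
type ConfigType string

const (
	TypeDockerfile ConfigType = "dockerfile"
	TypeNone       ConfigType = ""
)

// FilePattern is one parsed "type:regex" spec, the shape of a --file-patterns
// value. Parsing and matching here are an illustrative re-implementation
// (an assumption about how such a flag is reasonably handled), not trivy's code.
type FilePattern struct {
	Type ConfigType
	Re   *regexp.Regexp
}

// ParseFilePatterns splits each spec at the first ':' so the regex part may
// itself contain colons, and rejects specs with a missing type or regex.
func ParseFilePatterns(specs []string) ([]FilePattern, error) {
	var out []FilePattern
	for _, s := range specs {
		parts := strings.SplitN(s, ":", 2)
		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
			return nil, fmt.Errorf("invalid file pattern %q: want type:regex", s)
		}
		re, err := regexp.Compile(parts[1])
		if err != nil {
			return nil, fmt.Errorf("invalid regex in file pattern %q: %w", s, err)
		}
		out = append(out, FilePattern{Type: ConfigType(parts[0]), Re: re})
	}
	return out, nil
}

// Detect decides which scanner handles relPath (relative to the scan root).
// Custom patterns are consulted first and are matched against the whole
// slash-separated relative path (assumption); otherwise the default rule
// from the issue applies: a base name starting with "Dockerfile".
func Detect(relPath string, patterns []FilePattern) ConfigType {
	p := filepath.ToSlash(relPath)
	for _, fp := range patterns {
		if fp.Re.MatchString(p) {
			return fp.Type
		}
	}
	if strings.HasPrefix(filepath.Base(p), "Dockerfile") {
		return TypeDockerfile
	}
	return TypeNone
}

// DetectAll returns, in input order, the paths that would be scanned as want.
func DetectAll(paths []string, patterns []FilePattern, want ConfigType) []string {
	var hits []string
	for _, p := range paths {
		if Detect(p, patterns) == want {
			hits = append(hits, p)
		}
	}
	return hits
}

func main() {
	// Constructed sample tree mirroring the issue.
	tree := []string{"dockerfile", "dockerf", "Dockerfile.prod", "docker-compose.yml", "build/Dockerfile"}

	// Default rule only: the lower-case names are skipped, as in the issue's log.
	fmt.Println("default:", DetectAll(tree, nil, TypeDockerfile))

	// An anchored pattern picks up exactly the two odd names and nothing else.
	anchored, _ := ParseFilePatterns([]string{`dockerfile:^dockerf(ile)?$`})
	fmt.Println("anchored:", DetectAll(tree, anchored, TypeDockerfile))

	// An unanchored pattern overmatches: "docker" also drags docker-compose.yml
	// into the Dockerfile scanner, which then reports on a file of the wrong type.
	loose, _ := ParseFilePatterns([]string{`dockerfile:docker`})
	fmt.Println("loose:", DetectAll(tree, loose, TypeDockerfile))
}
```

The practical point is the third case: a --file-patterns regex is a plain regular expression, so anchor it (^...$) or scope it to a directory, otherwise files that merely contain the substring are routed to the wrong scanner.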
