An image for scanning other Docker containers for security compliance.

OpenSCAP Container Compliance

Container Built From:

Usage

To scan Docker images on the host, you need to run Docker in Docker. To start a shell inside this container in this way, you need to pass in the host's docker.sock Unix socket and the host's docker binary.

To Start Interactive Bash Shell Inside container:

# NOTE: If you are using docker-machine on OS X, you need to pass the path of the docker binary that lives INSIDE the docker-machine VM
# On OS X with docker-machine:
docker run -v /var/run/docker.sock:/var/run/docker.sock \
                  -v $(docker-machine ssh docker-machine-name-here which docker):/bin/docker \
                  -ti --entrypoint=/bin/bash \
            trinitronx/openscap-container-compliance
# On *nix Docker Host (note the trailing backslash before the image name; without it the image name runs as a separate command):
docker run -v /var/run/docker.sock:/var/run/docker.sock \
                  -v $(which docker):/bin/docker \
                  -ti --entrypoint=/bin/bash \
            trinitronx/openscap-container-compliance

To Start a Scan & Save Results Outside Container:

# /tmp on the host is mounted as /data inside the container; --results and --report are written there
# OS X w/ docker-machine:
docker run -v /tmp/:/data \
                  -v /var/run/docker.sock:/var/run/docker.sock \
                  -v $(docker-machine ssh docker-machine-name-here which docker):/bin/docker \
            trinitronx/openscap-container-compliance \
            image-cve trinitronx/ansible-base:devel-centos7 --results oval.xml --report out.html

# *nix Docker Host:
docker run -v /tmp/:/data \
                  -v /var/run/docker.sock:/var/run/docker.sock \
                  -v $(which docker):/bin/docker \
            trinitronx/openscap-container-compliance \
            image-cve trinitronx/ansible-base:devel-centos7 --results oval.xml --report out.html

View the report with your browser of choice:

# OS X:
docker-machine scp docker-machine-name-here:/tmp/out.html /tmp/
open /tmp/out.html
# *nix:
xdg-open /tmp/out.html
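Opening out.html is fine for a one-off check, but a CI job wants a pass/fail answer from the oval.xml that the scan leaves in /tmp. The gate below is an added example, not code from this image or from oscap-docker: it parses an OVAL results file of the shape image-cve writes, lists every definition whose result is "true" (the image is affected) together with its CVE references, and returns non-zero when anything is found. The embedded results document and its CVE ids are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
# Namespaces used in OpenSCAP / oscap-docker OVAL results files.
NS = {"res": "http://oval.mitre.org/XMLSchema/oval-results-5",
      "d": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}
# Constructed sample shaped like "--results oval.xml": result="true" means affected.
SAMPLE_RESULTS = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
  xmlns:d="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <d:oval_definitions><d:definitions>
    <d:definition id="oval:example:def:1" version="1" class="patch"><d:metadata>
      <d:title>EXAMPLE-1: openssl security update (constructed)</d:title>
      <d:reference source="CVE" ref_id="CVE-0000-0001"/>
      <d:reference source="CVE" ref_id="CVE-0000-0002"/>
    </d:metadata></d:definition>
    <d:definition id="oval:example:def:2" version="1" class="patch"><d:metadata>
      <d:title>EXAMPLE-2: bash security update (constructed)</d:title>
      <d:reference source="CVE" ref_id="CVE-0000-0003"/>
    </d:metadata></d:definition>
  </d:definitions></d:oval_definitions>
  <results><system><definitions>
    <definition definition_id="oval:example:def:1" version="1" result="true"/>
    <definition definition_id="oval:example:def:2" version="1" result="false"/>
  </definitions></system></results>
</oval_results>"""

def vulnerable_definitions(xml_text):
    """[(definition_id, title, [CVE ids])] for each definition with result "true"."""
    root = ET.fromstring(xml_text)
    meta = {}  # definition id -> (title, CVE list), taken from the embedded definitions
    for d in root.iterfind(".//d:definition", NS):
        cves = [r.get("ref_id") for r in d.iterfind("d:metadata/d:reference", NS)
                if r.get("source") == "CVE"]
        meta[d.get("id")] = (d.findtext("d:metadata/d:title", "", NS), cves)
    hits = []
    for r in root.iterfind("res:results/res:system/res:definitions/res:definition", NS):
        if r.get("result") == "true":
            title, cves = meta.get(r.get("definition_id"), ("", []))
            hits.append((r.get("definition_id"), title, cves))
    return hits

def gate(xml_text):
    """CI-style gate: returns 0 when no definition is vulnerable, 1 otherwise."""
    hits = vulnerable_definitions(xml_text)
    for def_id, title, cves in hits:
        print(f"VULNERABLE {def_id} {title} {' '.join(cves)}")
    return 1 if hits else 0

if __name__ == "__main__":  # usage: python oval_gate.py /tmp/oval.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    sys.exit(gate(text))
```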

For the latest full usage details, see:

Owner: trinitronx