Merge pull request #40 from theredguild/tool-dockle

Adding new tool: Dockle
theredguild · Oct 15, 2024 · a8af24c · a8af24c
2 parents 33cd38f + 960218d
commit a8af24c
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 0 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -192,6 +192,13 @@ RUN DEPCHECK_VERSION=$(curl -s https://jeremylong.github.io/DependencyCheck/curr
     && chmod +x dependency-check/bin/dependency-check.sh \
     && sudo ln -s /src/dependency-check/bin/dependency-check.sh /usr/local/bin/dependency-check
 
+# Install dockle
+RUN VERSION=$(curl --silent "https://api.github.com/repos/goodwithtech/dockle/releases/latest" | \
+    grep '"tag_name":' | \
+    sed -E 's/.*"v([^"]+)".*/\1/') \
+    && curl -L -o dockle.deb https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.deb \
+    && sudo dpkg -i dockle.deb && rm dockle.deb
+
 # Install 2ms
 RUN wget -qO - https://github.com/checkmarx/2ms/releases/latest/download/linux-$(dpkg --print-architecture).zip | \
     funzip - | sudo tee /usr/local/bin/2ms > /dev/null \

diff --git a/HOWTO.md b/HOWTO.md
@@ -45,6 +45,7 @@ nodejsscan, retirejs, installed-check, better-npm-audit, eslint-plugin-security,
   - [ScoutSuite | Multi-cloud security-auditing tool](#scoutsuite--multi-cloud-security-auditing-tool)
   - [Cloudsplaining | AWS IAM assessment tool](#cloudsplaining--aws-iam-assessment-tool)
   - [Hadolint | Scans Dockerfiles for good linting practices](#hadolint--scans-dockerfiles-for-good-linting-practices)
+  - [Dockle | Container image linter for security](#dockle--container-image-linter-for-security)
   - [DependencyCheck | Checks for public vulns on dependencies](#dependencycheck--checks-for-public-vulns-on-dependencies)
   - [nodejsscan | NodeJS application code scanner](#nodejsscan--nodejs-application-code-scanner)
   - [Lavamoat | JS framework to prevent supply-chain attacks](#lavamoat--js-framework-to-prevent-supply-chain-attacks)
@@ -68,6 +69,7 @@ nodejsscan, retirejs, installed-check, better-npm-audit, eslint-plugin-security,
     - [2ms Action | Apply too many secrets to your workflow](#2ms-action--apply-too-many-secrets-to-your-workflow)
     - [GitLeaks Action | Add gitleaks as a github action](#gitleaks-action--add-gitleaks-as-a-github-action)
     - [Trufflehog Action | Continuously scan for secrets](#trufflehog-action--continuously-scan-for-secrets)
+  - [Dockle action | Cointinuously scan for security issues in Docker files](#dockle-action--cointinuously-scan-for-security-issues-in-docker-files)
   - [Online version of some tools](#online-version-of-some-tools)
 
 ## GitXray | Harvest public information from GitHub APIs 
@@ -701,6 +703,26 @@ Dockerfile:8 DL3008 warning: Pin versions in apt get install. Instead of `apt-ge
 Dockerfile:8 DL3059 info: Multiple consecutive `RUN` instructions. Consider consolidation.
 ```
 
+## Dockle | Container image linter for security
+
+[GitHub](https://github.com/goodwithtech/dockle) | [Website](https://containers.goodwith.tech/) | [Action](https://github.com/goodwithtech/dockle-action)
+Docker | Linter
+
+1. Build [Best Practice](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/) Docker images
+2. Build secure Docker images
+Checkpoints includes [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks/)
+
+```bash
+# Scan an image name (and a tag)
+dockle goodwithtech/test-image:v1
+
+# Scan an image file
+docker save alpine:latest -o alpine.tar
+dockle --input alpine.tar
+```
+
+For more examples go to their [docs](https://github.com/goodwithtech/dockle?tab=readme-ov-file#common-examples).
+
 ## DependencyCheck | Checks for public vulns on dependencies
 
 [GitHub](https://github.com/jeremylong/DependencyCheck)
@@ -1082,6 +1104,10 @@ Runs Trivy as GitHub action to scan your Docker container image for vulnerabilit
 
 **Scan | Secrets**
 
+## Dockle action | Cointinuously scan for security issues in Docker files
+
+[Action](https://github.com/marketplace/actions/dockle-container-image-linter)
+
 ## Online version of some tools
 
 [Scan a repo with **KICS**](https://kics.checkmarx.net/) - upt to 4mb

diff --git a/README.md b/README.md
@@ -96,6 +96,7 @@ Examples:
   - [x] scoutsuite: Multi-Cloud Security Auditing Tool. (<https://github.com/nccgroup/ScoutSuite>)
   - [x] Cloudsplaining: AWS IAM assessment tool (<https://github.com/salesforce/cloudsplaining>)
   - [x] hadolint: Dockerfile linter. (<https://github.com/hadolint/hadolint>)
+  - [x] dockle: Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start. (<https://github.com/goodwithtech/dockle>)
 
 - [x] Dependency & lib checkers:
   - [x] DependencyCheck: OWASP dependency-check is a software composition analysis utility that