├── .dockerignore
├── .github
│   └── CODEOWNERS
├── Dockerfile
├── README.md
├── app.Dockerfile
├── build.sh
├── n6-slim-fw.Dockerfile
├── n6-slim.Dockerfile
├── screenshots
│   ├── base_image_remediation.png
│   ├── base_image_vulnerability.png
│   ├── binary_vulnerability.png
│   └── user_introduced_vulnerability.png
├── slim.Dockerfile
├── test.sh
└── wp.Dockerfile

/.dockerignore:
--------------------------------------------------------------------------------
**

--------------------------------------------------------------------------------
/.github/CODEOWNERS:
--------------------------------------------------------------------------------
* @snyk/devrel

--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
FROM node:10.4.0

RUN apt-get install -y imagemagick

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Docker Goof

Open a terminal at the `docker-goof` directory.

1. Build the image

```console
docker build -t docker-goof .
```

2. Test the image

```console
snyk test --docker docker-goof --file=Dockerfile
```

All-in-one to clone and run:

```console
git clone git@github.com:snyk/docker-goof && \
cd docker-goof && \
docker build -t docker-goof . && \
snyk test --docker docker-goof --file=Dockerfile
```

## Utility scripts

To build all images:

```console
./build.sh
```

To test all images:

```console
./test.sh
```

## Screenshots

All of these screenshots demonstrate the extra value provided when a
Dockerfile is supplied via the CLI `--file` argument.

For example:

```console
snyk test --docker docker-goof --file=Dockerfile
```

### Base Image Remediation

This screenshot shows alternative images that may be used in the Dockerfile's
`FROM` line to reduce vulnerabilities. Minor upgrades are the most likely to
be compatible; Major upgrades are potentially breaking, depending on how the
image is used; and Alternative architecture images are given for more
technical users to investigate.

![Base Image Remediation Screenshot](screenshots/base_image_remediation.png "Base Image Remediation")

### Base Image Vulnerability

This screenshot shows an image with a vulnerability introduced by the base
image (the `FROM` line in a Dockerfile), marked with the "Introduced by your
base image ..." line.

![Base Image Vulnerability Screenshot](screenshots/base_image_vulnerability.png "Base Image Vulnerability")

### Binary Vulnerability

This screenshot shows a binary vulnerability; something not managed by the
package manager of the operating system inside the container.

![Binary Vulnerability Screenshot](screenshots/binary_vulnerability.png "Binary Vulnerability")

### User-introduced / Dockerfile Vulnerability

This screenshot shows an image introduced by a user in their Dockerfile and
highlights the exact command that introduced the vulnerability, with the
"Introduced in your Dockerfile by ..."
line.

![User-introduced / Dockerfile vulnerability screenshot](screenshots/user_introduced_vulnerability.png "User-introduced / Dockerfile Vulnerability")

--------------------------------------------------------------------------------
/app.Dockerfile:
--------------------------------------------------------------------------------
FROM ghost:2.37.2 as ghost

FROM node:10.4.0 as node

# Copy manifest files
COPY --from=ghost /var/lib/ghost /var/lib/ghost

RUN apt-get update

# Install a package whose vulnerabilities show up in the layers filter
RUN apt-get -y install exiv2

--------------------------------------------------------------------------------
/build.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# Run from the directory that contains this script.
pushd "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" >/dev/null || exit 1

# Glob directly instead of parsing `ls` output.
for f in *Dockerfile; do
  base=$(basename "${f}")
  # "slim.Dockerfile" -> "slim"; plain "Dockerfile" -> "" (the default image).
  flavour=${base%.Dockerfile}
  flavour=${flavour%Dockerfile}
  tag=docker-goof${flavour:+-$flavour}
  # Pass -f only for flavoured Dockerfiles. ${file} stays unquoted below so
  # that "-f <name>" splits into two arguments.
  file=${flavour:+-f $base}
  echo "Building ${tag}..."
  docker build -q -t "${tag}" . ${file}
done

popd >/dev/null

--------------------------------------------------------------------------------
/n6-slim-fw.Dockerfile:
--------------------------------------------------------------------------------
FROM node:6.14.1-slim

RUN apt-get update
RUN apt-get install -y firewalld beep
RUN apt-get install -y imagemagick

--------------------------------------------------------------------------------
/n6-slim.Dockerfile:
--------------------------------------------------------------------------------
FROM node:6.14.2-slim

RUN apt-get update -y
RUN apt-get install -y imagemagick

--------------------------------------------------------------------------------
/screenshots/base_image_remediation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snyk-labs/docker-goof/3f0c011af8b007e212051c7e2513f8c610bee0a0/screenshots/base_image_remediation.png
--------------------------------------------------------------------------------
/screenshots/base_image_vulnerability.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snyk-labs/docker-goof/3f0c011af8b007e212051c7e2513f8c610bee0a0/screenshots/base_image_vulnerability.png
--------------------------------------------------------------------------------
/screenshots/binary_vulnerability.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snyk-labs/docker-goof/3f0c011af8b007e212051c7e2513f8c610bee0a0/screenshots/binary_vulnerability.png
--------------------------------------------------------------------------------
/screenshots/user_introduced_vulnerability.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snyk-labs/docker-goof/3f0c011af8b007e212051c7e2513f8c610bee0a0/screenshots/user_introduced_vulnerability.png
--------------------------------------------------------------------------------
/slim.Dockerfile:
--------------------------------------------------------------------------------
FROM node:10.4.0-slim

RUN apt-get update
RUN apt-get install -y imagemagick

--------------------------------------------------------------------------------
/test.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# Run from the directory that contains this script.
pushd "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" >/dev/null || exit 1

# Glob directly instead of parsing `ls` output.
for f in *Dockerfile; do
  base=$(basename "${f}")
  # "slim.Dockerfile" -> "slim"; plain "Dockerfile" -> "" (the default image).
  flavour=${base%.Dockerfile}
  flavour=${flavour%Dockerfile}
  tag=docker-goof${flavour:+-$flavour}
  echo "Testing ${tag}..."
  snyk test --docker "${tag}" --file="${base}"
done

popd >/dev/null

--------------------------------------------------------------------------------
/wp.Dockerfile:
--------------------------------------------------------------------------------
FROM wordpress:5

RUN apt-get update
RUN apt-get install -y imagemagick

--------------------------------------------------------------------------------
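The README's screenshot sections separate vulnerabilities introduced by the base image (the `FROM` line) from those introduced by a command in the Dockerfile. As an added illustration (not code from docker-goof, and not Snyk's own attribution logic), this POSIX shell function pulls those two sources out of a Dockerfile: the final-stage base image, and each package named in a shell-form `apt-get install` together with the instruction that named it. The function names, the output format and the sample Dockerfile are assumptions made for this example.

```shell
# Added example, not part of docker-goof. Prints tab-separated records:
#   base <image>  /  user <package> <instruction>  (shell-form RUN, final stage only)
dockerfile_sources() {
  awk '
    BEGIN { OFS = "\t" }
    {
      # Join backslash-continued lines into one logical instruction.
      if ($0 ~ /\\[ \t]*$/) { sub(/\\[ \t]*$/, " "); buf = buf $0; next }
      line = buf $0; buf = ""
      sub(/^[ \t]+/, "", line); gsub(/[ \t]+/, " ", line)
      if (line == "" || line ~ /^#/) next
      text = line
      # Give command separators their own token so "pkg;" is not read as a name.
      gsub(/&&|\|\||;/, " ; ", line)
      n = split(line, w, /[ \t]+/)
      instr = toupper(w[1])
      if (instr == "FROM") {
        i = 2; while (i <= n && w[i] ~ /^--/) i++   # skip flags such as --platform
        base = w[i]; nu = 0   # a new stage discards earlier stages
      } else if (instr == "RUN") {
        st = 0   # 0: idle, 1: saw apt-get, 2: reading install arguments
        for (i = 2; i <= n; i++) {
          t = w[i]
          if (t == ";" || t == "|") { st = 0; continue }
          if (t == "" || t ~ /^-/) continue
          if (st == 2) { sub(/=.*/, "", t); user[++nu] = "user" OFS t OFS text }
          else if (st == 1) st = (t == "install") ? 2 : 0
          else if (t == "apt-get" || t == "apt") st = 1
        }
      }
    }
    END {
      if (base != "") print "base", base
      for (i = 1; i <= nu; i++) print user[i]
    }
  ' "${1:--}"
}
# Constructed sample, modelled on app.Dockerfile above.
sample_dockerfile() {
  cat <<'EOF'
FROM ghost:2.37.2 as ghost
RUN apt-get install -y curl
FROM node:10.4.0 as node
COPY --from=ghost /var/lib/ghost /var/lib/ghost
RUN apt-get update && \
    apt-get -y install exiv2 imagemagick
EOF
}
sample_dockerfile | dockerfile_sources
```

Pass a path (`dockerfile_sources slim.Dockerfile`) or pipe a Dockerfile on stdin. Packages installed in discarded build stages, such as `curl` in the sample, are deliberately not reported.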