Docker
Docker Concepts
- Dockerfile ENTRYPOINT: Everything You Need To Know (kinsta.com)
- Docker image vs container: What are the differences? | CircleCI
- Running a Docker container as a non-root user | by Lucas Wilson-Richter | Redbubble | Medium
- Docker ENTRYPOINT and CMD : Differences & Examples (spacelift.io)
- dockerfile - denied: requested access to the resource is denied: docker - Stack Overflow
- Static vulnerability scanning | Docker Docs
- Docker Scout | Docker Docs
- Set up Automated Builds | Docker Docs
Docker Fundamentals
- Lesson 1: Understand Docker from a security perspective - Practical DevSecOps (practical-devsecops.com)
- Lesson 2: Docker Images, Docker Layers, and Registry - Practical DevSecOps (practical-devsecops.com)
- Lesson #3: Container reconnaissance techniques for beginners - Practical DevSecOps (practical-devsecops.com)
Docker Hacking
- Lesson 4: Hacking Containers Like A Boss - Practical DevSecOps (practical-devsecops.com)
- Lesson 5: Hacking Containers Like A Boss - Part 2 - Practical DevSecOps (practical-devsecops.com)
Docker Hardening
Build Image locally
# Build the image
docker build -t <image_name>:<tag> .
# Build image from file path
docker build -t <image_name>:<tag> -f .\docker\Dockerfile .
Run images in a docker network
# Create docker network
docker network create -d bridge my-nat
# Run the image in a custom NAT with port mapping and volume mapping
docker run --name=server -p 80:8000 -v $(pwd):/app --network=my-nat -itd build
# Start a new container from the image on the same network with an interactive shell
docker run -it --network=my-nat test /bin/bash
Push image to Docker Registry
# Generate your PAT from https://hub.docker.com/settings/security
docker login -u <username>
# tag image to dockerhub
# docker tag mylocalimage:latest darlin/dockerhub:myfirstimagepush
docker tag sslyze:1.0 akenofu/sslyze:1.0
# Push image
# user/image:tag
docker push akenofu/sslyze:1.0
Fix Docker Security issues
Once a list of vulnerabilities has been identified, there are a couple of actions you can take to remediate them. For example, you can:
- Specify an updated base image in the Dockerfile, check your application-level dependencies, rebuild the Docker image, and then push the new image to Docker Hub.
- Rebuild the Docker image, run an update command on the OS packages, and push a newer version of the image to Docker Hub.
- Edit the Dockerfile to manually remove or update specific libraries that contain vulnerabilities, rebuild the image, and push the new image to Docker Hub.
Docker Scout can provide you with concrete and contextual remediation steps for improving image security. For more information, see Docker Scout.
# Display base image recommendations for an image
docker scout recommendations akenofu/sslyze:1.0
# List only high-severity issues, output as the affected packages only
docker scout cves --only-severity high --format only-packages --only-vuln-packages akenofu/sslyze:1.0