Skip to content

Checks whether Docker is deployed according to security best practices as defined in the CIS Docker Benchmark

License

Notifications You must be signed in to change notification settings

aquasecurity/docker-bench

Repository files navigation

GitHub Release License Coverage Status GitHub Build Actions GitHub Release Actions

Docker-bench is a Go application that checks whether Docker is deployed securely by running the checks documented in the CIS Docker Benchmark.

Tests are configured with YAML files, making this tool easy to update as test specifications evolve.

CIS Docker Benchmark support

docker-bench currently supports tests as defined in the following CIS Docker Benchmarks:

CIS Benchmark docker-bench cfg directory Docker versions
CIS Docker Benchmark v1.6.0 cis-1.6.0 20.10
CIS Docker Benchmark v1.2.0 cis-1.2 18.09 and Docker Enterprise 2.1
CIS Docker Community Edition Benchmark v1.1.0 cis-1.1 17.06
CIS Docker 1.13.0 Benchmark v1.0.0 cis-1.0 1.13.0

docker-bench will determine the test set to run based on the Docker version running on the host machine. The version to run tests for can also be specified manually with the --version <Docker version> or --benchmark <CIS benchmark version> commandline flag.

Installation

Installing from sources

Install Go, then clone this repository and run as follows (assuming your $GOPATH is set):

go get github.com/aquasecurity/docker-bench
cd $GOPATH/src/github.com/aquasecurity/docker-bench
go build -o docker-bench .

# See all supported options
./docker-bench --help

# Run checks
./docker-bench

# Run checks for specified Docker version
./docker-bench --version 18.09

# Run checks for specified cis Benchmark 
./docker-bench --benchmark cis-1.2

Tests

Tests are specified in definition files cfg/<version>/definitions.yaml, where <version> is the version of CIS for which the test applies.

Contributing

We welcome PRs and issue reports. Your PR is more likely to be accepted if it focuses on just one change. Please include a comment with the results before and after your change. Your PR is more likely to be accepted if it includes tests. (We have not historically been very strict about tests, but we would like to improve this!). You're welcome to submit a draft PR if you would like early feedback on an idea or an approach. Happy coding!

About

Checks whether Docker is deployed according to security best practices as defined in the CIS Docker Benchmark

Topics

Resources

License

Code of conduct

Stars

Watchers

Forks

Packages

No packages published