loading...

Dockerfile Security Checks using OPA Rego Policies with Conftest

madhuakula profile image Madhu Akula Originally published at blog.madhuakula.com on ・3 min read

Photo by Glenn Carstens-Peters on Unsplash

Docker is everywhere! In modern day to day development and operations, we use Docker images and containers to run our applications ranging from developer laptop, raspberry pi, staging servers to including production environments.

As we use modern technologies and tools, we tend to forget securing them while building and serving customers. That is why we can write and codify our security into policies and validate them against the Dockerfiles (Infrastructure as a Code) to identify the potential security risks before deploying them into production.

What is Conftest?

Conftest is a utility to help you write tests against structured configuration data. For instance you could write tests for your Kubernetes configurations, Terraform code, Serverless configs or any other structured data. In our context, we will use it to write validation policies for deprecated Kubernetes API versions.

Conftest relies on the Rego language from Open Policy Agent for writing the assertions. You can read more about Rego in How do I write policies in the Open Policy Agent documentation.

What is OPA (Open Policy Agent)?

The Open Policy Agent (OPA, pronounced “oh-pa”) is an open source, general-purpose policy engine that unifies policy enforcement across the stack. OPA provides a high-level declarative language that let’s you specify policy as code and simple APIs to offload policy decision-making from your software.

What is docker-security-cheker?

docker-security-checker uses open policy agent rego policies for Dockerfile security checks using Conftest.

Checkout more information at https://github.com/madhuakula/docker-security-checker

How to write a simple rego policy for Dockerfile?

The below is simplest example of a rego policy for identifying if the Dockerfile is using ADDinstead of COPY command in the Dockerfile.

deny[msg] {

   input[i].Cmd == "add"

   val := concat(" ", input[i].Value)

   msg = sprintf("Use COPY instead of ADD: %s", [val])

}

Here in the above example input contains the Dockerfile in a JSON format and we are looking for any command we find ADD and if we find in the Dockerfile we are returning the deny message.

This is much simplified by using Conftest, also it supports multiple different files, formats like Kubernetes manifests, terraform, ini, etc. to build your own policies with OPA checkout examples at https://www.conftest.dev/examples/

Running conftest docker security policies

You can run the conftest using the following command, which by default pickup the policies from policy directory.

conftest test Dockerfile

Now you can see similar output

WARN - Dockerfile - Do not use latest tag with image: ["ubuntu:latest"]
FAIL - Dockerfile - Suspicious ENV key found: ["SECRET", "AKIGG23244GN2344GHG"]
FAIL - Dockerfile - Use COPY instead of ADD: app /app
FAIL - Dockerfile - Use COPY instead of ADD: code /tmp/code

5 tests, 1 passed, 1 warning, 3 failures

Try out yourself

I had built this scenario to try out your self to learn and practice rather reading it and forgetting ;)

You can practice this scenario at katacoda playground https://katacoda.com/madhuakula/scenarios/docker-security-checker

https://katacoda.com/madhuakula/scenarios/docker-security-checker

Some ideas to take this forward

  • Adding this checks in CI/CD pipeline as part of the DevSecOps
  • Also, integrating these checks at your Kubernetes clsuters as a DaemonSet to look for Kubernetes Objects for any security misconfigurations and issue in near real-time
  • Many more…
  • Please feel free to contribute and add more feedback/issues/PR at https://github.com/madhuakula/docker-security-checker

References to learn more

I just started learning more and more about Open Policy Agent and writing security policies using conftest. But you can explore more about them and write your own policies using below resources.

  1. Open Policy Agent
  2. Rego Policy Reference
  3. Rego Playground
  4. Conftest.Dev

Thanks for reading this article. If you enjoyed it please let me know by clicking that clap below :)


Posted on by:

madhuakula profile

Madhu Akula

@madhuakula

Author, Speaker & Trainer @ BlackHat & DEFCON | CKA & OSCP | Cloud, Containers, Kubernetes, Security, Automation | Never Ending Learner!

Discussion

markdown guide