#182 remove legacy code
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
This commit is contained in:
parent
eb2e81ae17
commit
07dbba6400
2 changed files with 9 additions and 9 deletions
|
@ -52,13 +52,13 @@ fi
|
||||||
check_4_6="4.6 - Add HEALTHCHECK instruction to the container image"
|
check_4_6="4.6 - Add HEALTHCHECK instruction to the container image"
|
||||||
fail=0
|
fail=0
|
||||||
for img in $images; do
|
for img in $images; do
|
||||||
docker inspect --format='{{.Config.Healthcheck}}' $img 2>/dev/null | grep -e "<nil>" >/dev/null 2>&1
|
docker inspect --format='{{.Config.Healthcheck}}' "$img" 2>/dev/null | grep -e "<nil>" >/dev/null 2>&1
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
if [ $fail -eq 0 ]; then
|
if [ $fail -eq 0 ]; then
|
||||||
fail=1
|
fail=1
|
||||||
warn "$check_4_6"
|
warn "$check_4_6"
|
||||||
fi
|
fi
|
||||||
imgName=`docker inspect --format='{{.RepoTags}}' $img 2>/dev/null`
|
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
|
||||||
warn " * No Healthcheck found : $imgName"
|
warn " * No Healthcheck found : $imgName"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
@ -70,13 +70,13 @@ fi
|
||||||
check_4_7="4.7 - Do not use update instructions alone in the Dockerfile"
|
check_4_7="4.7 - Do not use update instructions alone in the Dockerfile"
|
||||||
fail=0
|
fail=0
|
||||||
for img in $images; do
|
for img in $images; do
|
||||||
docker history $img 2>/dev/null | grep -e "update" >/dev/null 2>&1
|
docker history "$img" 2>/dev/null | grep -e "update" >/dev/null 2>&1
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
if [ $fail -eq 0 ]; then
|
if [ $fail -eq 0 ]; then
|
||||||
fail=1
|
fail=1
|
||||||
info "$check_4_7"
|
info "$check_4_7"
|
||||||
fi
|
fi
|
||||||
imgName=`docker inspect --format='{{.RepoTags}}' $img 2>/dev/null`
|
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
|
||||||
info " * Update instruction found in history of $imgName"
|
info " * Update instruction found in history of $imgName"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
@ -88,13 +88,13 @@ fi
|
||||||
check_4_9="4.9 - Use COPY instead of ADD in Dockerfile"
|
check_4_9="4.9 - Use COPY instead of ADD in Dockerfile"
|
||||||
fail=0
|
fail=0
|
||||||
for img in $images; do
|
for img in $images; do
|
||||||
docker history $img 2> /dev/null | grep 'ADD' >/dev/null 2>&1
|
docker history "$img" 2> /dev/null | grep 'ADD' >/dev/null 2>&1
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
if [ $fail -eq 0 ]; then
|
if [ $fail -eq 0 ]; then
|
||||||
fail=1
|
fail=1
|
||||||
info "$check_4_9"
|
info "$check_4_9"
|
||||||
fi
|
fi
|
||||||
imgName=`docker inspect --format='{{.RepoTags}}' $img 2>/dev/null`
|
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
|
||||||
info " * Found ADD in docker history of $imgName"
|
info " * Found ADD in docker history of $imgName"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
|
@ -591,7 +591,7 @@ else
|
||||||
|
|
||||||
fail=0
|
fail=0
|
||||||
for c in $containers; do
|
for c in $containers; do
|
||||||
pidslimit=`docker inspect --format '{{.HostConfig.PidsLimit }}' "$c"`
|
pidslimit=$(docker inspect --format '{{.HostConfig.PidsLimit }}' "$c")
|
||||||
|
|
||||||
if [ $pidslimit -le 0 ]; then
|
if [ $pidslimit -le 0 ]; then
|
||||||
# If it's the first container, fail the test
|
# If it's the first container, fail the test
|
||||||
|
@ -613,12 +613,12 @@ else
|
||||||
check_5_29="5.29 - Do not use Docker's default bridge docker0"
|
check_5_29="5.29 - Do not use Docker's default bridge docker0"
|
||||||
|
|
||||||
fail=0
|
fail=0
|
||||||
networks=`docker network ls -q 2>/dev/null`
|
networks=$(docker network ls -q 2>/dev/null)
|
||||||
for net in $networks; do
|
for net in $networks; do
|
||||||
docker network inspect --format '{{ .Options }}' "$net" 2>/dev/null | grep "com.docker.network.bridge.name:docker0" >/dev/null 2>&1
|
docker network inspect --format '{{ .Options }}' "$net" 2>/dev/null | grep "com.docker.network.bridge.name:docker0" >/dev/null 2>&1
|
||||||
|
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
docker0Containers=`docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" 2>/dev/null`
|
docker0Containers=$(docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" 2>/dev/null)
|
||||||
if [ -n "$docker0Containers" ]; then
|
if [ -n "$docker0Containers" ]; then
|
||||||
if [ $fail -eq 0 ]; then
|
if [ $fail -eq 0 ]; then
|
||||||
warn "$check_5_29"
|
warn "$check_5_29"
|
||||||
|
|
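Review bot: In the -591 hunk the new `pidslimit=$(docker inspect --format '{{.HostConfig.PidsLimit }}' "$c")` is the only inspect call in this diff without `2>/dev/null`, and the following `if [ $pidslimit -le 0 ]; then` expands the value unquoted; if the container has disappeared between listing and inspection, or the field is rendered as something other than an integer, `pidslimit` is empty or non-numeric and `[` aborts with an "integer expression expected" error instead of recording a result for that container. A guard before the comparison keeps the check deterministic and treats an unreadable limit as "no limit", which is the conservative outcome for this test: `case "$pidslimit" in ''|*[!0-9-]*) pidslimit=0 ;; esac` followed by `if [ "$pidslimit" -le 0 ]; then`. The `if` block opened by that comparison, and the nested `if` blocks in the -613 hunk ending at `warn "$check_5_29"`, continue past the end of their hunks.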