Merge pull request #390 from jammasterj89/master

Issue #383 ability to exclude images Closes #383, #369
2024-11-01 08:31:44 +01:00 · 2019-08-29 15:10:53 +02:00 · 2019-08-29 15:10:53 +02:00 · d1934b614e
commit d1934b614e
parent 495a8674c4 3d02432bc8
3 changed files with 16 additions and 22 deletions
--- a/README.md
+++ b/README.md
@ -54,9 +54,8 @@ version 1.13.0 or later.
  -l FILE      optional  Log output in FILE
  -c CHECK     optional  Comma delimited list of specific check(s)
  -e CHECK     optional  Comma delimited list of specific check(s) to exclude
-  -i INCLUDE   optional  Comma delimited list of patterns within a container name to check
-  -x EXCLUDE   optional  Comma delimited list of patterns within a container name to exclude from check
-  -t TARGET    optional  Comma delimited list of images name to check
+  -i INCLUDE   optional  Comma delimited list of patterns within a container or image name to check
+  -x EXCLUDE   optional  Comma delimited list of patterns within a container or image name to exclude from check
 ```

 By default the Docker Bench for Security script will run all available CIS tests
--- a/docker-bench-security.sh
+++ b/docker-bench-security.sh
@ -44,9 +44,8 @@ usage () {
  -l FILE      optional  Log output in FILE
  -c CHECK     optional  Comma delimited list of specific check(s)
  -e CHECK     optional  Comma delimited list of specific check(s) to exclude
-  -i INCLUDE   optional  Comma delimited list of patterns within a container name to check
-  -x EXCLUDE   optional  Comma delimited list of patterns within a container name to exclude from check
-  -t TARGET    optional  Comma delimited list of images name to check
+  -i INCLUDE   optional  Comma delimited list of patterns within a container or image name to check
+  -x EXCLUDE   optional  Comma delimited list of patterns within a container or image name to exclude from check
 EOF
 }

@ -63,7 +62,6 @@ do
  e) checkexclude="$OPTARG" ;;
  i) include="$OPTARG" ;;
  x) exclude="$OPTARG" ;;
-  t) imgList="$OPTARG" ;;
  *) usage; exit 1 ;;
  esac
 done
@ -103,15 +101,27 @@ main () {
      benchcont="$c"
    fi
  done
+ 
+  # get the image id of the docker_bench_security_image, memorize it:
+  benchimagecont="nil"
+  for c in $(docker images | sed '1d' | awk '{print $3}'); do
+    if docker inspect --format '{{ .Config.Labels }}' "$c" | \
+     grep -e 'docker.bench.security' >/dev/null 2>&1; then
+      benchimagecont="$c"
+    fi
+  done

  if [ -n "$include" ]; then
    pattern=$(echo "$include" | sed 's/,/|/g')
    containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont" | grep -E "$pattern")
+    images=$(docker images | grep -E "$pattern" | sed '1d' | awk '{print $3}' | grep -v "$benchimagecont")
  elif [ -n "$exclude" ]; then
    pattern=$(echo "$exclude" | sed 's/,/|/g')
    containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont" | grep -Ev "$pattern")
+    images=$(docker images | grep -Ev "$pattern" | sed '1d' | awk '{print $3}' | grep -v "$benchimagecont")
  else
    containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont")
+    images=$(docker images -q | grep -v "$benchcont")
  fi

  if [ -z "$containers" ]; then
--- a/tests/4_container_images.sh
+++ b/tests/4_container_images.sh
@ -1,20 +1,5 @@
 #!/bin/sh

-if [ -n "$imgList" ]; then
-    pattern=$(echo "$imgList" | sed 's/,/ /g')
-    for img in $pattern; do
-      echo "Looking for image $img"
-      sha256=$(docker image ls "$img" -q)
-      if [ -z "$sha256" ]; then
-        echo "Image $img not found. Exiting."
-        exit 1
-      fi
-      images="$images $sha256 "
-    done 
-else
-  images=$(docker images -q)  
-fi
-
 check_4() {
  logit "\n"
  id_4="4"