diff --git a/tests/4_container_images.sh b/tests/4_container_images.sh index 0861bd2..63f6223 100644 --- a/tests/4_container_images.sh +++ b/tests/4_container_images.sh @@ -5,12 +5,14 @@ info "4 - Container Images and Build File" # 4.1 check_4_1="4.1 - Ensure a user for the container has been created" +totalChecks=$((totalChecks + 1)) # If container_users is empty, there are no running containers if [ -z "$containers" ]; then info "$check_4_1" info " * No containers running" logjson "4.1" "INFO" + currentScore=$((currentScore + 0)) else # We have some containers running, set failure flag to 0. Check for Users. fail=0 @@ -37,6 +39,9 @@ else if [ $fail -eq 0 ]; then pass "$check_4_1" logjson "4.1" "PASS" + currentScore=$((currentScore + 1)) + else + currentScore=$((currentScore - 1)) fi fi # Make the loop separator go back to space @@ -46,31 +51,41 @@ images=$(docker images -q) # 4.2 check_4_2="4.2 - Ensure that containers use trusted base images" +totalChecks=$((totalChecks + 1)) note "$check_4_2" logjson "4.2" "NOTE" +currentScore=$((currentScore + 0)) # 4.3 check_4_3="4.3 - Ensure unnecessary packages are not installed in the container" +totalChecks=$((totalChecks + 1)) note "$check_4_3" logjson "4.3" "NOTE" +currentScore=$((currentScore + 0)) # 4.4 check_4_4="4.4 - Ensure images are scanned and rebuilt to include security patches" +totalChecks=$((totalChecks + 1)) note "$check_4_4" logjson "4.4" "NOTE" +currentScore=$((currentScore + 0)) # 4.5 check_4_5="4.5 - Ensure Content trust for Docker is Enabled" +totalChecks=$((totalChecks + 1)) if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then pass "$check_4_5" logjson "4.5" "PASS" + currentScore=$((currentScore + 1)) else warn "$check_4_5" logjson "4.5" "WARN" + currentScore=$((currentScore - 1)) fi # 4.6 check_4_6="4.6 - Ensure HEALTHCHECK instructions have been added to the container image" +totalChecks=$((totalChecks + 1)) fail=0 for img in $images; do if docker inspect --format='{{.Config.Healthcheck}}' "$img" 2>/dev/null | grep -e "" >/dev/null 2>&1; then @@ -89,10 +104,14 @@ done if [ $fail -eq 0 ]; then pass "$check_4_6" logjson "4.6" "PASS" + currentScore=$((currentScore + 1)) +else + currentScore=$((currentScore - 1)) fi # 4.7 check_4_7="4.7 - Ensure update instructions are not use alone in the Dockerfile" +totalChecks=$((totalChecks + 1)) fail=0 for img in $images; do if docker history "$img" 2>/dev/null | grep -e "update" >/dev/null 2>&1; then @@ -110,15 +129,21 @@ done if [ $fail -eq 0 ]; then pass "$check_4_7" logjson "4.7" "PASS" + currentScore=$((currentScore + 1)) +else + currentScore=$((currentScore + 0)) fi # 4.8 check_4_8="4.8 - Ensure setuid and setgid permissions are removed in the images" +totalChecks=$((totalChecks + 1)) note "$check_4_8" logjson "4.8" "NOTE" +currentScore=$((currentScore + 0)) # 4.9 check_4_9="4.9 - Ensure COPY is used instead of ADD in Dockerfile" +totalChecks=$((totalChecks + 1)) fail=0 for img in $images; do docker history "$img" 2> /dev/null | grep 'ADD' >/dev/null 2>&1 @@ -133,19 +158,25 @@ for img in $images; do info " * ADD in image history: $imgName" logjson "4.9" "INFO: $imgName" fi + currentScore=$((currentScore + 0)) fi done if [ $fail -eq 0 ]; then pass "$check_4_9" logjson "4.9" "PASS" + currentScore=$((currentScore + 1)) fi # 4.10 check_4_10="4.10 - Ensure secrets are not stored in Dockerfiles" +totalChecks=$((totalChecks + 1)) note "$check_4_10" logjson "4.10" "NOTE" +currentScore=$((currentScore + 0)) # 4.11 check_4_11="4.11 - Ensure verified packages are only Installed" +totalChecks=$((totalChecks + 1)) note "$check_4_11" logjson "4.11" "NOTE" +currentScore=$((currentScore + 0))