diff --git a/README.md b/README.md
index a212808..004b3c8 100644
--- a/README.md
+++ b/README.md
@@ -50,11 +50,11 @@ version 1.13.0 or later.
 ```sh -h optional Print this help message -l FILE optional Log output in FILE - -c CHECK optional Run specific check + -c CHECK optional Run specific check or group of checks ``` -By default the Docker Bench for Security script will run all available tests and -produce logs in the current directory named `docker-bench-security.sh.log.json` +By default the Docker Bench for Security script will run all available CIS tests +and produce logs in the current directory named `docker-bench-security.sh.log.json` and `docker-bench-security.sh.log`. The CIS based checks are named `check_
_`, e.g. `check_2_6` and community contributed checks are named `check_c_`.
@@ -62,6 +62,10 @@ A complete list of checks are present in [functions_lib.sh](functions_lib.sh). `sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -c check_2_2` +Note that when submitting checks, provide information why it is a +reasonable test to add and please include some kind of official documentation +verifying that information. + ## Building Docker Bench for Security If you wish to build and run this container yourself, you can follow the
diff --git a/docker-bench-security.sh b/docker-bench-security.sh
index e84cec5..5700c55 100755
--- a/docker-bench-security.sh
+++ b/docker-bench-security.sh
@@ -112,7 +112,12 @@ main () {
 if [ -z "$check" ]; then
 cis
 else
- "$check"
+ if command -v "$check" 2>/dev/null 1>&2; then
+ "$check"
+ else
+ echo "Check \"$check\" doesn't seem to exist."
+ exit 1
+ fi
 fi
 printf "\n"
diff --git a/tests/99_community_checks.sh b/tests/99_community_checks.sh
index a800b09..953ed5c 100644
--- a/tests/99_community_checks.sh
+++ b/tests/99_community_checks.sh
@@ -8,7 +8,7 @@ check_c() {
 check_c_1() {
 check_c_1="C.1 - This is a example check"
 totalChecks=$((totalChecks + 1))
- if docker info --format='{{ .Architecture }}' | grep 'x86_64'; then
+ if docker info --format='{{ .Architecture }}' | grep 'x86_64' 2>/dev/null 1>&2; then
 pass "$check_c_1"
 logjson "c.1" "PASS"
 else
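Review bot: `command -v "$check"` in the new else branch of main() succeeds for any executable on PATH, not only for a check function defined by this script, so a `-c` value that is a typo matching a binary (or any program name) is executed with the bench's privileges — usually root — instead of hitting the new "doesn't seem to exist" error. The operator passing -c is already trusted, but the error message implies the intent is to restrict to defined checks, and that restriction is one line given the `check_*` naming the README describes: `if [ "${check#check_}" != "$check" ] && command -v "$check" >/dev/null 2>&1; then` (add `cis` to the allowed names if the full run should stay selectable by name). The diagnostic should also go to stderr so it does not mix with captured check output: `echo "Check \"$check\" doesn't seem to exist." >&2`. main() starts and ends outside the hunk.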
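Review bot: The added `2>/dev/null 1>&2` in check_c_1 applies only to grep, so it hides grep's matched line but not the stderr of `docker info`; if the daemon is unreachable the error still prints and the check drops into the else branch. The idiomatic form is `grep -q`, with any silencing placed on the docker side where the noise comes from: `if docker info --format='{{ .Architecture }}' 2>/dev/null | grep -q 'x86_64'; then`. Since the pipeline's status is grep's in POSIX sh, a failed `docker info` is indistinguishable from a non-x86_64 host here, which is presumably acceptable for an example check but worth a one-line comment. The else branch of check_c_1 lies outside the hunk.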