Constants ¶
// Checkpoint codes. Each constant names one checkpoint and its value is the
// code string reported for it; the same strings are the keys of
// DefaultLevelMap and TitleMap.
const (
	// CIS-DI: codes prefixed "CIS-DI-".
	AvoidRootDefault       = "CIS-DI-0001"
	UseContentTrust        = "CIS-DI-0005"
	AddHealthcheck         = "CIS-DI-0006"
	UseAptGetUpdateNoCache = "CIS-DI-0007"
	CheckSuidGuid          = "CIS-DI-0008"
	UseCOPY                = "CIS-DI-0009"
	AvoidCredential        = "CIS-DI-0010"

	// DG-DI: codes prefixed "DKL-DI-" (Dockerfile / image checks).
	AvoidSudo                       = "DKL-DI-0001"
	AvoidSensitiveDirectoryMounting = "DKL-DI-0002"
	AvoidDistUpgrade                = "DKL-DI-0003"
	UseApkAddNoCache                = "DKL-DI-0004"
	MinimizeAptGet                  = "DKL-DI-0005"
	AvoidLatestTag                  = "DKL-DI-0006"

	// DG-LI: codes prefixed "DKL-LI-" (checks on the image filesystem).
	AvoidEmptyPassword      = "DKL-LI-0001"
	AvoidDuplicateUserGroup = "DKL-LI-0002"
	InfoDeletableFiles      = "DKL-LI-0003"
)
// Risk levels that can be assigned to a checkpoint result. Numbering starts
// at 1, so an int zero value never denotes a valid level. The ordering
// (Pass lowest, Fatal highest) appears to reflect increasing severity;
// confirm against the code that sorts by level (see ByLevel).
const (
	_ int = iota // reserve 0 as "no level"
	PassLevel
	IgnoreLevel
	SkipLevel
	InfoLevel
	WarnLevel
	FatalLevel
)
Variables ¶
// DefaultLevelMap holds the default risk level for each checkpoint. Keys are
// the checkpoint code constants (CIS-DI-*, DKL-DI-*, DKL-LI-*); values are
// the *Level constants. It is package-level mutable state: anything that
// writes to it changes the severity reported for every later scan.
var DefaultLevelMap = map[string]int{
	// CIS-DI
	AvoidRootDefault:       WarnLevel,
	UseContentTrust:        InfoLevel,
	AddHealthcheck:         InfoLevel,
	UseAptGetUpdateNoCache: FatalLevel,
	CheckSuidGuid:          InfoLevel,
	UseCOPY:                FatalLevel,
	AvoidCredential:        FatalLevel,

	// DKL-DI
	AvoidSudo:                       FatalLevel,
	AvoidSensitiveDirectoryMounting: FatalLevel,
	AvoidDistUpgrade:                FatalLevel,
	UseApkAddNoCache:                FatalLevel,
	MinimizeAptGet:                  FatalLevel,
	AvoidLatestTag:                  WarnLevel,

	// DKL-LI
	AvoidEmptyPassword:      FatalLevel,
	AvoidDuplicateUserGroup: FatalLevel,
	InfoDeletableFiles:      InfoLevel,
}
DefaultLevelMap saves the risk level of each checkpoint.
// ErrSetImageOrFile reports that the caller supplied neither an image name
// nor an image file; at least one of the two is required.
var ErrSetImageOrFile = errors.New("image name or image file must be specified")
// TitleMap holds the human-readable title shown for each checkpoint, keyed
// by checkpoint code. Every key of DefaultLevelMap should have a title here;
// a code missing from this map renders with an empty title.
var TitleMap = map[string]string{
	// CIS-DI
	AvoidRootDefault:       "Create a user for the container",
	UseContentTrust:        "Enable Content trust for Docker",
	AddHealthcheck:         "Add HEALTHCHECK instruction to the container image",
	UseAptGetUpdateNoCache: "Do not use update instructions alone in the Dockerfile",
	CheckSuidGuid:          "Confirm safety of setuid/setgid files",
	UseCOPY:                "Use COPY instead of ADD in Dockerfile",
	AvoidCredential:        "Do not store credential in ENVIRONMENT vars/files",

	// DKL-DI
	AvoidSudo:                       "Avoid sudo command",
	AvoidSensitiveDirectoryMounting: "Avoid sensitive directory mounting",
	AvoidDistUpgrade:                "Avoid apt-get/apk/dist-upgrade",
	UseApkAddNoCache:                "Use apk add with --no-cache",
	MinimizeAptGet:                  "Clear apt-get caches",
	AvoidLatestTag:                  "Avoid latest tag",

	// DKL-LI
	AvoidEmptyPassword:      "Avoid empty password",
	AvoidDuplicateUserGroup: "Be unique UID/GROUP",
	InfoDeletableFiles:      "Only put necessary files",
}
TitleMap saves the title of each checkpoint.
Functions ¶
This section is empty.
Types ¶
type AssessmentMap ¶
func CreateAssessmentMap ¶
func CreateAssessmentMap(as AssessmentSlice, ignoreMap map[string]struct{}) AssessmentMap
type AssessmentSlice ¶
// AssessmentSlice is a list of pointers to Assessment, as produced for one
// checkpoint and consumed by CreateAssessmentMap. Note that ByLevel holds
// Assessment values, not pointers, so the two are not interchangeable.
type AssessmentSlice []*Assessment
type ByLevel ¶
// ByLevel is a slice of Assessment values, presumably used to order
// assessments by their risk level (its sort methods, if any, are defined
// elsewhere — confirm). Unlike AssessmentSlice it stores values rather than
// pointers, so converting between them requires a copy.
type ByLevel []Assessment
type CodeInfo ¶
// CodeInfo is the per-checkpoint entry: the checkpoint code, the level it
// was assigned, and the assessments that led to that level.
type CodeInfo struct {
	Code        string          // Code is the checkpoint code; presumably one of the CIS-DI-*/DKL-* constants — confirm against CreateAssessmentMap.
	Level       int             // Level is expected to be one of the *Level constants (PassLevel..FatalLevel), e.g. from DefaultLevelMap.
	Assessments AssessmentSlice // Assessments are the individual findings recorded for this code.
}
type Config ¶
// Config describes the container configuration recorded in an image. It is
// carried by V1Image twice, as Config and as ContainerConfig. Every field is
// persisted in the image configuration, so values placed here (notably Env)
// are visible to anyone who can read the image.
type Config struct {
	Hostname        string              // Hostname
	Domainname      string              // Domainname
	User            string              // User that will run the command(s) inside the container; also supports user:group
	AttachStdin     bool                // Attach the standard input, makes possible user interaction
	AttachStdout    bool                // Attach the standard output
	AttachStderr    bool                // Attach the standard error
	ExposedPorts    nat.PortSet         `json:",omitempty"` // List of exposed ports
	Tty             bool                // Attach standard streams to a tty, including stdin if it is not closed.
	OpenStdin       bool                // Open stdin
	StdinOnce       bool                // If true, close stdin after the 1 attached client disconnects.
	Env             []string            // List of environment variables to set in the container; see AvoidCredential ("Do not store credential in ENVIRONMENT vars/files")
	Cmd             []string            // Command to run when starting the container
	Healthcheck     *HealthConfig       `json:",omitempty"` // Healthcheck describes how to check the container is healthy
	ArgsEscaped     bool                `json:",omitempty"` // True if command is already escaped (Windows specific)
	Image           string              // Name of the image as it was passed by the operator (e.g. could be symbolic)
	Volumes         map[string]struct{} // List of volumes (mounts) used for the container
	WorkingDir      string              // Current directory (PWD) in which the command will be launched
	Entrypoint      []string            // Entrypoint to run when starting the container
	NetworkDisabled bool                `json:",omitempty"` // Is network disabled
	MacAddress      string              `json:",omitempty"` // Mac Address of the container
	OnBuild         []string            // ONBUILD metadata that were defined on the image Dockerfile
	Labels          map[string]string   // List of labels set to this container
	StopSignal      string              `json:",omitempty"` // Signal to stop a container
	StopTimeout     *int                `json:",omitempty"` // Timeout (in seconds) to stop a container
	Shell           []string            `json:",omitempty"` // Shell for shell-form of RUN, CMD, ENTRYPOINT
}
type HealthConfig ¶
// HealthConfig holds configuration settings for the HEALTHCHECK feature.
// It is referenced from Config.Healthcheck.
type HealthConfig struct {
	Test        []string      `json:",omitempty"` // Test is the health check to run, presumably the HEALTHCHECK command and its arguments — confirm against the image spec.
	Interval    time.Duration `json:",omitempty"` // Interval is the time to wait between checks.
	Timeout     time.Duration `json:",omitempty"` // Timeout is the time to wait before considering the check to have hung.
	StartPeriod time.Duration `json:",omitempty"` // The start period for the container to initialize before the retries start to count down.
	Retries     int           `json:",omitempty"` // Retries is the number of consecutive failures before the container is considered unhealthy (Docker semantics — confirm).
}
HealthConfig holds configuration settings for the HEALTHCHECK feature.
type History ¶
// History stores build commands that were used to create an image. One entry
// corresponds to one build step recorded in the image configuration.
type History struct {
	Created    time.Time `json:"created"`               // Created is the time this build step was recorded.
	Author     string    `json:"author,omitempty"`      // Author is the author recorded for this step, if any.
	CreatedBy  string    `json:"created_by,omitempty"`  // CreatedBy is the build command for this step; this is the text the Dockerfile checkpoints presumably inspect — confirm.
	Comment    string    `json:"comment,omitempty"`     // Comment is a free-form comment attached to the step.
	EmptyLayer bool      `json:"empty_layer,omitempty"` // EmptyLayer is true when the step produced no filesystem layer (e.g. metadata-only instructions) — confirm.
}
History stores build commands that were used to create an image
type Image ¶
// Image stores the image configuration. It embeds V1Image, so the V1 fields
// (ID, Config, ContainerConfig, Architecture, OS, ...) are promoted onto Image.
type Image struct {
	V1Image
	History    []History `json:"history,omitempty"`     // History lists the recorded build steps.
	OSVersion  string    `json:"os.version,omitempty"`  // OSVersion is the target OS version, if recorded.
	OSFeatures []string  `json:"os.features,omitempty"` // OSFeatures lists required OS features, if recorded.
}
Image stores the image configuration
type ImageAssessment ¶
// ImageAssessment is the result of scanning one image: the per-checkpoint
// assessment map plus the scan's identity and status.
type ImageAssessment struct {
	Assessment AssessmentMap `json:"assessment"` // Assessment holds the checkpoint results, keyed per CreateAssessmentMap.
	Image      string        `json:"image"`      // Image is the name of the scanned image.
	Success    bool          `json:"success"`    // Success reports whether the scan completed; when false, ScanErrMsg carries the reason — confirm.
	ScanUUID   string        `json:"scanuuid"`   // ScanUUID identifies the scan run. Note the tag is all lowercase while scanErrMsg is camelCase; the casing is part of the wire format, so do not "fix" it without versioning consumers.
	ScanErrMsg string        `json:"scanErrMsg"` // ScanErrMsg is the error message of a failed scan, if any.
}
type V1Image ¶
// V1Image stores the V1 image configuration. It is embedded in Image.
type V1Image struct {
	ID              string    `json:"id,omitempty"`               // ID is the image identifier.
	Parent          string    `json:"parent,omitempty"`           // Parent is the ID of the parent image, if any.
	Comment         string    `json:"comment,omitempty"`          // Comment is a free-form comment.
	Created         time.Time `json:"created"`                    // Created is the image creation time.
	Container       string    `json:"container,omitempty"`        // Container is the ID of the container the image was created from, if any.
	ContainerConfig Config    `json:"container_config,omitempty"` // ContainerConfig is the configuration of that container. NOTE: omitempty has no effect on struct-typed fields in encoding/json, so this is always emitted.
	DockerVersion   string    `json:"docker_version,omitempty"`   // DockerVersion is the Docker version that built the image.
	Author          string    `json:"author,omitempty"`           // Author is the recorded image author.
	Config          Config    `json:"config,omitempty"`           // Config is the image's runtime configuration. Same omitempty caveat as ContainerConfig: always emitted.
	Architecture    string    `json:"architecture,omitempty"`     // Architecture is the target CPU architecture.
	OS              string    `json:"os,omitempty"`               // OS is the target operating system.
	Size            int64     `json:",omitempty"`                 // Size is serialized under the field name "Size" (no explicit JSON name) and omitted when zero.
}
V1Image stores the V1 image configuration.