types

package
v0.4.14 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Feb 4, 2024 License: Apache-2.0 Imports: 3 Imported by: 0

Documentation

Index

Constants

// Checkpoint codes. Each constant is the identifier string of one check, and
// the same constants are the keys of TitleMap.
//
// NOTE(review): CheckSuidGuid looks like a misspelling of setuid/setgid
// ("Sgid"); its TitleMap entry reads "setuid/setgid files". The name is
// exported, so renaming it would break importers.
const (
	// CIS-DI: codes carrying the "CIS-DI-" prefix. The numbering is not
	// contiguous; no constant is declared here for 0002 through 0004.
	AvoidRootDefault       = "CIS-DI-0001"
	UseContentTrust        = "CIS-DI-0005"
	AddHealthcheck         = "CIS-DI-0006"
	UseAptGetUpdateNoCache = "CIS-DI-0007"
	CheckSuidGuid          = "CIS-DI-0008"
	UseCOPY                = "CIS-DI-0009"
	AvoidCredential        = "CIS-DI-0010"

	// DKL-DI: codes carrying the "DKL-DI-" prefix. (This comment previously
	// read "DG-DI", which does not match the prefix used in the values.)
	AvoidSudo                       = "DKL-DI-0001"
	AvoidSensitiveDirectoryMounting = "DKL-DI-0002"
	AvoidDistUpgrade                = "DKL-DI-0003"
	UseApkAddNoCache                = "DKL-DI-0004"
	MinimizeAptGet                  = "DKL-DI-0005"
	AvoidLatestTag                  = "DKL-DI-0006"

	// DKL-LI: codes carrying the "DKL-LI-" prefix. (This comment previously
	// read "DG-LI".)
	AvoidEmptyPassword      = "DKL-LI-0001"
	AvoidDuplicateUserGroup = "DKL-LI-0002"
	InfoDeletableFiles      = "DKL-LI-0003"
)
// Assessment levels, declared as consecutive ints starting at 1 (iota + 1):
// PassLevel=1, IgnoreLevel=2, SkipLevel=3, InfoLevel=4, WarnLevel=5,
// FatalLevel=6.
//
// Because numbering starts at 1, the zero value of an int Level field
// (Assessment.Level, CodeInfo.Level) is not any named level, so a Level that
// was never set can be told apart from PassLevel.
//
// NOTE(review): the numeric order places IgnoreLevel and SkipLevel between
// PassLevel and InfoLevel. Code that ranks findings with < or > on these
// values should confirm that an ignored or skipped check outranking a passed
// one is the intended result.
const (
	PassLevel int = iota + 1
	IgnoreLevel
	SkipLevel
	InfoLevel
	WarnLevel
	FatalLevel
)

Variables

DefaultLevelMap stores the risk level of each checkpoint.

var (
	// ErrSetImageOrFile is a sentinel error created with errors.New; its
	// message states that an image name or an image file must be specified.
	// Compare against it with errors.Is rather than by message text.
	// Where it is returned is not visible in this package listing.
	ErrSetImageOrFile = errors.New("image name or image file must be specified")
)
// TitleMap maps each checkpoint code constant to its human-readable title.
// All sixteen checkpoint code constants declared in this package have an
// entry here.
//
// It is an exported, mutable package-level map: any importing package can
// add, change or delete entries, and a lookup for a code without an entry
// yields "" rather than an error. Callers that must distinguish an unknown
// code from an empty title should use the two-value form
// (title, ok := TitleMap[code]). The map has no lock of its own, so a write
// concurrent with any other access is a data race.
var TitleMap = map[string]string{
	AvoidRootDefault:                "Create a user for the container",
	UseContentTrust:                 "Enable Content trust for Docker",
	AddHealthcheck:                  "Add HEALTHCHECK instruction to the container image",
	UseAptGetUpdateNoCache:          "Do not use update instructions alone in the Dockerfile",
	CheckSuidGuid:                   "Confirm safety of setuid/setgid files",
	UseCOPY:                         "Use COPY instead of ADD in Dockerfile",
	AvoidCredential:                 "Do not store credential in environment variables/files",
	AvoidSudo:                       "Avoid sudo command",
	AvoidSensitiveDirectoryMounting: "Avoid sensitive directory mounting",
	AvoidDistUpgrade:                `Avoid "apt-get dist-upgrade"`,
	UseApkAddNoCache:                `Use "apk add" with --no-cache`,
	MinimizeAptGet:                  `Clear apt-get caches`,
	AvoidLatestTag:                  "Avoid latest tag",
	AvoidEmptyPassword:              "Avoid empty password",
	AvoidDuplicateUserGroup:         "Be unique UID/GROUP",
	InfoDeletableFiles:              "Only put necessary files",
}

TitleMap stores the title of each checkpoint.

Functions

This section is empty.

Types

type Assessment

// Assessment is a single finding record: a checkpoint code, a level, a file
// name and a free-text description.
//
// NOTE(review): if Filename and Desc are derived from the contents of a
// scanned image, they are untrusted text chosen by whoever built the image;
// escape them when rendering to a terminal, HTML or a structured report.
// Confirm against the code that populates this struct.
type Assessment struct {
	// Code is presumably one of the checkpoint code constants
	// (e.g. AvoidRootDefault) — confirm against the producers.
	Code     string
	// Level is presumably one of PassLevel..FatalLevel; the zero value 0 is
	// not a named level.
	Level    int
	Filename string
	Desc     string
}

type AssessmentMap added in v0.2.3

// AssessmentMap maps a string key to a CodeInfo. The key is presumably the
// checkpoint code that CodeInfo.Code also holds — confirm in
// CreateAssessmentMap, whose body is not shown here.
type AssessmentMap map[string]CodeInfo

func CreateAssessmentMap added in v0.2.3

func CreateAssessmentMap(as AssessmentSlice, ignoreMap map[string]struct{}, debug bool) AssessmentMap

type AssessmentSlice added in v0.2.3

// AssessmentSlice is a slice of pointers to Assessment. Elements are shared,
// not copied, when the slice is copied, and a nil element is representable;
// code that ranges over it should not assume every entry is non-nil unless
// the producer guarantees it.
type AssessmentSlice []*Assessment

type ByLevel added in v0.2.3

// ByLevel is a slice of Assessment values (not pointers, unlike
// AssessmentSlice). It declares Len, Less and Swap, the method set of
// sort.Interface; it presumably orders by Assessment.Level — confirm the
// direction against the body of Less.
type ByLevel []Assessment

func (ByLevel) Len added in v0.2.3

func (a ByLevel) Len() int

func (ByLevel) Less added in v0.2.3

func (a ByLevel) Less(i, j int) bool

func (ByLevel) Swap added in v0.2.3

func (a ByLevel) Swap(i, j int)

type CodeInfo added in v0.2.3

// CodeInfo groups a set of assessments under one checkpoint code together
// with a single level. It is the value type of AssessmentMap.
type CodeInfo struct {
	Code        string
	// Level is presumably the overall level reported for Code (one of
	// PassLevel..FatalLevel) — how it is derived from Assessments is decided
	// in CreateAssessmentMap, whose body is not shown here.
	Level       int
	Assessments AssessmentSlice
}

type Config

// Config describes the container configuration recorded in an image. It is
// the type of both V1Image.Config and V1Image.ContainerConfig.
//
// NOTE(review): when this struct is decoded from an image under inspection,
// every field is chosen by the image's author. Treat the strings (User, Env,
// Cmd, Entrypoint, Labels, ...) as untrusted input when logging, rendering or
// comparing them — confirm against the decoding code.
type Config struct {
	Hostname        string              // Hostname
	Domainname      string              // Domainname
	User            string              // User that will run the command(s) inside the container; user:group is also supported
	AttachStdin     bool                // Attach the standard input; makes user interaction possible
	AttachStdout    bool                // Attach the standard output
	AttachStderr    bool                // Attach the standard error
	ExposedPorts    nat.PortSet         `json:",omitempty"` // List of exposed ports
	Tty             bool                // Attach standard streams to a tty, including stdin if it is not closed.
	OpenStdin       bool                // Open stdin
	StdinOnce       bool                // If true, close stdin after the 1 attached client disconnects.
	Env             []string            // List of environment variables to set in the container
	Cmd             []string            // Command to run when starting the container
	Healthcheck     *HealthConfig       `json:",omitempty"` // Healthcheck describes how to check the container is healthy; nil when absent
	ArgsEscaped     bool                `json:",omitempty"` // True if command is already escaped (Windows specific)
	Image           string              // Name of the image as it was passed by the operator (e.g. could be symbolic)
	Volumes         map[string]struct{} // Set of volumes (mounts) used for the container
	WorkingDir      string              // Working directory (PWD) in which the command will be launched
	Entrypoint      []string            // Entrypoint to run when starting the container
	NetworkDisabled bool                `json:",omitempty"` // Is network disabled
	MacAddress      string              `json:",omitempty"` // Mac Address of the container
	OnBuild         []string            // ONBUILD metadata that was defined in the image's Dockerfile
	Labels          map[string]string   // List of labels set to this container
	StopSignal      string              `json:",omitempty"` // Signal to stop a container
	StopTimeout     *int                `json:",omitempty"` // Timeout (in seconds) to stop a container; nil when absent
	Shell           []string            `json:",omitempty"` // Shell for shell-form of RUN, CMD, ENTRYPOINT
}

type HealthConfig

// HealthConfig holds configuration settings for the HEALTHCHECK feature.
// It is referenced from Config.Healthcheck as a pointer.
//
// The time.Duration fields carry only a `json:",omitempty"` tag, so with
// encoding/json they are encoded and decoded as plain integers
// (nanoseconds), under the Go field name as the key.
type HealthConfig struct {
	Test        []string      `json:",omitempty"` // Command (and arguments) of the check — presumably in Docker's HEALTHCHECK test format; confirm
	Interval    time.Duration `json:",omitempty"` // Interval is the time to wait between checks.
	Timeout     time.Duration `json:",omitempty"` // Timeout is the time to wait before considering the check to have hung.
	StartPeriod time.Duration `json:",omitempty"` // The start period for the container to initialize before the retries starts to count down.
	Retries     int           `json:",omitempty"` // Retry count — presumably the number of consecutive failures tolerated; confirm
}

HealthConfig holds configuration settings for the HEALTHCHECK feature.

type History

// History stores build commands that were used to create an image. It is the
// element type of Image.History.
//
// NOTE(review): CreatedBy, Author and Comment come from image metadata; when
// the image is the one being inspected they are author-controlled text and
// may themselves contain secrets typed into build commands. Treat them as
// untrusted when printing and as sensitive when storing reports — confirm
// how callers use them.
type History struct {
	Created    time.Time `json:"created"`
	Author     string    `json:"author,omitempty"`
	CreatedBy  string    `json:"created_by,omitempty"`
	Comment    string    `json:"comment,omitempty"`
	EmptyLayer bool      `json:"empty_layer,omitempty"`
}

History stores build commands that were used to create an image

type Image

// Image stores the image configuration.
//
// V1Image is embedded without a tag, so its fields are promoted onto Image
// and, with encoding/json, read from and written to the same JSON object as
// History, OSVersion and OSFeatures rather than a nested one.
type Image struct {
	V1Image
	History    []History `json:"history,omitempty"`   // Build history entries, in the order stored in the JSON
	OSVersion  string    `json:"os.version,omitempty"`  // JSON key contains a dot: "os.version"
	OSFeatures []string  `json:"os.features,omitempty"` // JSON key contains a dot: "os.features"
}

Image stores the image configuration

type V1Image

// V1Image stores the V1 image configuration. It is embedded in Image.
//
// Config and ContainerConfig share the Config type. Their `omitempty` option
// has no effect with encoding/json because struct values are never
// considered empty, so both objects are always emitted on marshal.
type V1Image struct {
	ID              string    `json:"id,omitempty"`
	Parent          string    `json:"parent,omitempty"`
	Comment         string    `json:"comment,omitempty"`
	Created         time.Time `json:"created"`
	Container       string    `json:"container,omitempty"`
	ContainerConfig Config    `json:"container_config,omitempty"`
	DockerVersion   string    `json:"docker_version,omitempty"`
	Author          string    `json:"author,omitempty"`
	Config          Config    `json:"config,omitempty"`
	Architecture    string    `json:"architecture,omitempty"`
	OS              string    `json:"os,omitempty"`
	Size            int64     `json:",omitempty"` // No key name in the tag, so the JSON key is the field name "Size"
}

V1Image stores the V1 image configuration.
