Dockerfile Usage Cheatsheet

With Ghost you can use OPA policies to implement Dockerfile best-practice checks: point the ghost binary at your Dockerfile and pass the checks in as a Rego file.

General Scanning

ghost df --rego-file df.rego Dockerfile

Example Policy

Here is a sample policy. Don't forget to check out the patch for more examples.

package ghost_dockerfile

# Result object read by ghost: the image passes only when no violation was collected.
ghost_image_result["allowed"] = count(image_violations) == 0
ghost_image_result["reason"] = image_violations
ghost_image_result["package"] = "ghost_dockerfile"
ghost_image_result["policy"] = "ghost-dockerfile-policy"

# Users that must not appear in a USER instruction (uid 0 is root).
bad_users = [
    "root",
    "ROOT",
    "0",
]

# Substrings that suggest a credential is being baked into the image through ENV.
suspicious_env_keys = [
    "passwd",
    "password",
    "secret",
    "key",
    "access",
    "api_key",
    "apikey",
    "token",
]

# ADD can fetch remote URLs and auto-extract archives; COPY is the predictable default.
image_violations[reason] {
    input.nodes[i].value == "add"
    reason := sprintf("Use COPY instead of ADD, original command %s", [input.nodes[i].original])
}

# Only inspect USER instructions, and only the user part of "user[:group]", so that a
# "0" or "root" elsewhere in the file (EXPOSE 8080, /root paths) does not trigger this rule.
image_violations[reason] {
    input.nodes[i].value == "user"
    parts := split(input.nodes[i].next, ":")
    parts[0] == bad_users[_]
    reason := sprintf("Do not use root as user, original command: %s", [input.nodes[i].original])
}

# Case-insensitive substring match over the whole ENV argument (key and value).
image_violations[reason] {
    input.nodes[i].value == "env"
    contains(lower(input.nodes[i].next), suspicious_env_keys[_])
    reason := sprintf("Suspicious ENV key found: %s", [input.nodes[i].original])
}
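To see what this policy actually evaluates, the following added example (not Ghost's own code) builds the `input.nodes` document from a constructed Dockerfile and mirrors the three checks in plain Python so they can be explored offline. It assumes each node carries `value` (the lowercased instruction), `next` (the argument string) and `original` (the raw instruction line), which is what the policy's field accesses imply; Ghost's real parser may shape the nodes differently. The root check is restricted to USER instructions and the user part of `user[:group]`.

```python
# Added example (not Ghost's own code): construct the `input.nodes` document
# the sample Rego policy reads, then mirror its three checks in Python.
# Assumption: nodes have `value` (lowercased instruction), `next` (argument
# string) and `original` (raw line); Ghost's real parser may differ.
import json

# Constructed sample input: one hit for each check plus two clean lines.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
# comment lines and blank lines are ignored
ADD requirements.txt /app/
ENV API_KEY=abc123
ENV APP_ENV=production
EXPOSE 8080
USER root
"""

BAD_USERS = {"root", "ROOT", "0"}
SUSPICIOUS_ENV_KEYS = [
    "passwd", "password", "secret", "key", "access", "api_key", "apikey", "token",
]


def parse_dockerfile(text):
    """Return a list of {"value", "next", "original"} dicts, one per instruction.

    Handles comments, blank lines and backslash continuations; instruction
    flags (e.g. COPY --from) and heredocs are left inside `next` untouched.
    """
    nodes = []
    pending = []  # pieces of a backslash-continued logical line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1].rstrip())
            continue
        pending.append(line)
        original = " ".join(pending)
        pending = []
        instruction, _, argument = original.partition(" ")
        nodes.append({
            "value": instruction.lower(),
            "next": argument.strip(),
            "original": original,
        })
    return nodes


def to_opa_input(text):
    """The JSON document that would be handed to OPA as `input`."""
    return {"nodes": parse_dockerfile(text)}


def image_violations(nodes):
    """Python equivalent of the three `image_violations` rules."""
    reasons = []
    for node in nodes:
        if node["value"] == "add":
            reasons.append(f"Use COPY instead of ADD, original command {node['original']}")
        if node["value"] == "user":
            # Only the user part of "user[:group]" is compared, so a "0" or "root"
            # elsewhere in the file (EXPOSE 8080, /root paths) is not flagged.
            user = node["next"].split(":")[0]
            if user in BAD_USERS:
                reasons.append(f"Do not use root as user, original command: {node['original']}")
        if node["value"] == "env":
            # Same substring match as the policy: it also scans the value, and
            # innocent names containing "key" (e.g. MONKEY) are false positives.
            if any(k in node["next"].lower() for k in SUSPICIOUS_ENV_KEYS):
                reasons.append(f"Suspicious ENV key found: {node['original']}")
    return reasons


def evaluate(text):
    """Assemble the same result object the policy exposes as ghost_image_result."""
    violations = image_violations(parse_dockerfile(text))
    return {
        "allowed": not violations,
        "reason": violations,
        "package": "ghost_dockerfile",
        "policy": "ghost-dockerfile-policy",
    }


if __name__ == "__main__":
    print(json.dumps(to_opa_input(SAMPLE_DOCKERFILE), indent=2))
    print(json.dumps(evaluate(SAMPLE_DOCKERFILE), indent=2))
```

Running the script prints the input document followed by a result with three reasons (ADD, the `API_KEY` ENV, and `USER root`); `EXPOSE 8080` stays clean because only USER instructions are checked for uid 0. The `to_opa_input` output is also a convenient fixture for iterating on the Rego rules directly with `opa eval`.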