github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/specs/compliance/docker-cis.yaml

---
spec:
  id: docker-cis
  title: CIS Docker Community Edition Benchmark v1.1.0
  description: CIS Docker Community Edition Benchmark
  relatedResources:
    - https://www.cisecurity.org/benchmark/docker
  version: "1.1.0"
  controls:
    - id: '4.1'
      name: Ensure a user for the container has been created
      description: 'Create a non-root user for the container in the Dockerfile for the container image.'
      checks:
        - id: AVD-DS-0002
      severity: 'HIGH'
    - id: '4.2'
      name: Ensure that containers use trusted base images (Manual)
      description: 'Ensure that the container image is written either from scratch or is based on another established and trusted base image downloaded over a secure channel.'
      checks:
      severity: 'HIGH'
    - id: '4.3'
      name: Ensure unnecessary packages are not installed in the container (Manual)
      description: 'Containers tend to be minimal and slimmed-down versions of the Operating System. Do not install anything that does not justify the purpose of the container.'
      checks:
      severity: 'HIGH'
    - id: '4.4'
      name: Ensure images are scanned and rebuilt to include security patches
      description: 'Images should be scanned "frequently" for any vulnerabilities. Rebuild the images to include patches and then instantiate new containers from them.'
      checks:
        - id: VULN-CRITICAL # special ID for filtering vulnerabilities
      severity: 'CRITICAL'
    - id: '4.5'
      name: Ensure Content trust for Docker is Enabled (Manual)
      description: 'Content trust is disabled by default. You should enable it.'
      checks:
      severity: 'LOW'
    - id: '4.6'
      name: Ensure HEALTHCHECK instructions have been added to the container image
      description: 'Add a HEALTHCHECK instruction to your Docker container images to perform health checks on running containers.'
      checks:
        - id: AVD-DS-0026
      severity: 'LOW'
    - id: '4.7'
      name: Ensure update instructions are not used alone in the Dockerfile
      description: 'Do not use update instructions such as apt-get update alone or in a single line in the Dockerfile.'
      checks:
        - id: AVD-DS-0017
      severity: 'HIGH'
    - id: '4.8'
      name: Ensure setuid and setgid permissions are removed in the images (Manual)
      description: 'Removing setuid and setgid permissions in the images would prevent privilege escalation attacks in the containers.'
      checks:
      severity: 'HIGH'
    - id: '4.9'
      name: Ensure COPY is used instead of ADD in Dockerfile
      description: 'Use the COPY instruction instead of the ADD instruction in the Dockerfile.'
      checks:
        - id: AVD-DS-0005
      severity: 'LOW'
    - id: '4.10'
      name: Ensure secrets are not stored in Dockerfiles
      description: 'Do not store any secrets in Dockerfiles.'
      checks:
        - id: SECRET-CRITICAL # special ID for filtering secrets
      severity: 'CRITICAL'
    - id: '4.11'
      name: Ensure verified packages are only installed (Manual)
      description: 'Verify the authenticity of the packages before installing them in the image.'
      checks: # TODO
      severity: 'MEDIUM'