NASA-AMMOS / slim

Software Lifecycle Improvement & Modernization
https://nasa-ammos.github.io/slim/
Apache License 2.0
24 stars 9 forks

New guide on container security best practices #156

Open riverma opened 1 month ago

riverma commented 1 month ago

Purpose

riverma commented 1 month ago

> Minor "here" hyperlink issue but otherwise looks great, reads great. And I learned about .mdx files!

Thanks for reviewing this @nutjob4life! Much appreciated! Yeah - MDX is allowing these guides to get all fancy, with embedded code and additional features. Some interesting possibilities down the line!

Curious if the hyperlink issue you were seeing was related to this block or somewhere else?

nutjob4life commented 1 month ago

@riverma weird, my comment got dropped somehow.

Anyway, the issue is the hyperlinking of [here]. It's a pet peeve of mine. Hyperlinking the word "here" makes a tiny target (Section 508 issue) but also relatively free of context. Read more about it.

You can rework it by writing something like:

NOTE: you'll need a DockerHub account to run the `docker scout` tool.
Note that this command will compare a local scan's results with Docker's database.
[More information about Docker Scout is available](https://docs.docker.com/scout/quickstart/).

riverma commented 1 month ago

Thanks for the clarification! Feedback incorporated 👍

jpl-jengelke commented 1 month ago

I didn't engage a formal review, but added a number of comments. Hopefully they are helpful.

Also, I wanted to note there is no reason why we cannot have multiple container security guides, including a specific Docker container security guide.

riverma commented 1 month ago

One suggestion from @ddalton-swe is to look at this tool (which is being utilized for some current projects): https://github.com/anchore/grype

riverma commented 5 days ago

Thank you for the extensive review @jpl-jengelke. I'm going to try out an OCI compliant tool to support non-Docker containers, but if they are insufficient I'll suggest we take @lewismc's suggestion and make this a Docker-specific guide for now and add in other scanning tools the community suggests for other container types later.