search

goharbor / harbor-scanner-clair

Use Clair as a plug-in vulnerability scanner in the Harbor registry
https://goharbor.io/
Apache License 2.0
35 stars 26 forks source link

Create a user for the Docker container #10

Open danielpacak opened 5 years ago

danielpacak commented 5 years ago

There's no reason to run scanner adapter service as root in the Docker container. We should update the Dockerfile respectively.

$ dockle docker.io/goharbor/harbor-scanner-clair:1.0.1-rc1
WARN    - CIS-DI-0001: Create a user for the container
    * Last user should not be root
INFO    - CIS-DI-0005: Enable Content trust for Docker
    * export DOCKER_CONTENT_TRUST=1 before docker pull/build
INFO    - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
    * not found HEALTHCHECK statement
PASS    - CIS-DI-0007: Do not use update instructions alone in the Dockerfile
PASS    - CIS-DI-0008: Confirm safety of setuid/setgid files
PASS    - CIS-DI-0009: Use COPY instead of ADD in Dockerfile
PASS    - CIS-DI-0010: Do not store secrets in ENVIRONMENT variables
PASS    - CIS-DI-0010: Do not store secret files
PASS    - DKL-DI-0001: Avoid sudo command
PASS    - DKL-DI-0002: Avoid sensitive directory mounting
PASS    - DKL-DI-0003: Avoid apt-get/apk/dist-upgrade
PASS    - DKL-DI-0004: Use apk add with --no-cache
PASS    - DKL-DI-0005: Clear apt-get caches
PASS    - DKL-DI-0006: Avoid latest tag
SKIP    - DKL-LI-0001: Avoid empty password
SKIP    - DKL-LI-0002: Be unique UID
SKIP    - DKL-LI-0002: Be unique GROUP
PASS    - DKL-LI-0003: Only put necessary files
mohamedawnallah commented 4 months ago

Hey @danielpacak, I've submitted PR for this issue I would love to receive any feedback! 🙏

danielpacak commented 4 months ago

Hey @danielpacak, I've submitted PR for this issue I would love to receive any feedback! 🙏

:wave: @mohamedawnallah I no longer actively maintain this repository and I'm not sure whether it's actively maintained by the Harbor community either.

Anyway, having look at your changes they makes perfect sense. I was only wondering why you use the USER instruction twice. I suppose that your intention was to created the actual user in the first step, but in order to do that you'd rather use the RUN instruction. This in turn, may require a multistage build as explained at https://medium.com/@lizrice/non-privileged-containers-based-on-the-scratch-image-a80105d6d341. See also https://www.docker.com/blog/understanding-the-docker-user-instruction/.