Docker / Containers- Security Analysis and Vulnerability Assessment Tools

DockerScan: 

            A Docker analysis tools to detect vulnerabilities in Docker images and Docker registries.

Very quick install

> python3.5 -m pip install -U pip
> python3.5 -m pip install dockerscan

Show options:

> dockerscan -h

Docker Demo

Available actions

Currently Docker Scan support these actions:

• Scan: Scan a network trying to locate Docker Registries.
• 
  
• Registry
  • Delete: Delete remote image / tag
  • Info: Show info from remote registry
  • Push: Push an image (like Docker client)
  • Upload: Upload a random file
    
    
• Image
  • Analyze: Looking for sensitive information in a Docker image.
    • Looking for passwords in environment vars.
    • Try to find any URL / IP in the environment vars.
    • Try to deduce the user used internally to run the software. This is not trivial. If the entry point is a .sh file. Read the file and try to find call to sudo-like: “sudo”, “gosu”, “sh -u”… And report the user found.
      
      
    • Extract: extract a docker image
      
      
    • Info: Get a image meta information
      
      
  • Modify:
  • entrypoint: change the entrypoint in a docker
  • trojanize: inject a reverser shell into a docker image
  • user: change running user in a docker image

Download Link : https://github.com/cr0hn/dockerscan

DevSecOps Static Code Analysis Tool - Checkov

Checkov:

              It help to scans cloud infrastructure provisioned using Terraform, Cloudformation or kubernetes and detects security and compliance misconfigurations.

Simple and open-source

Checkov is written in Python and provides a simple method to write and manage codified, version-controlled policies.

Features

• 100+ built-in policies cover security and compliance best practices for AWS, Azure & Google Cloud.
• Scans Terraform and AWS CloudFormation configurations.
• Scans for AWS credentials in EC2 Userdata, Lambda environment variables and Terrafrom providers
• Policies support evaluation of variables to their optional default value.
• Supports in-line suppression of accepted risks or false-positives to reduce recurring scan failures. Also supports global skip from using CLI.
• Output currently available as CLI, JSON or JUnit XML.

                                         Image Source : https://www.checkov.io/

Download Link : https://github.com/bridgecrewio/checkov/

Documentation : https://www.checkov.io/documentation