Dockerfile Security Checks using OPA Rego Policies with Conftest and Dockerfile Security Best Practices

Dockerfile Security Checks using OPA Rego Policies with Conftest

from https://blog.madhuakula.com/dockerfile-security-checks-using-opa-rego-policies-with-conftest-32ab2316172f

Docker is everywhere! In modern day-to-day development and operations, we use Docker images and containers to run our applications on everything from developer laptops and Raspberry Pis to staging servers and production environments.

As we adopt modern technologies and tools, we tend to forget to secure them while building and serving customers. Because a Dockerfile is Infrastructure as Code, we can codify our security requirements as policies and validate every Dockerfile against them, identifying potential security risks before the image is built and deployed to production.

What is Conftest?

Conftest is a utility to help you write tests against structured configuration data. For instance, you could write tests for your Kubernetes configurations, Terraform code, Serverless configs or any other structured data. In our context, we will use it to write security validation policies for Dockerfiles. Conftest relies on the Rego language from Open Policy Agent for writing the assertions. You can read more about Rego in "How do I write policies?" in the Open Policy Agent documentation.

What is OPA (Open Policy Agent)?

The Open Policy Agent (OPA, pronounced "oh-pa") is an open source, general-purpose policy engine that unifies policy enforcement across the stack. OPA provides a high-level declarative language that lets you specify policy as code, and simple APIs to offload policy decision-making from your software.

Example Rego Playground: https://play.openpolicyagent.org/p/hSVfocnUgg

What is docker-security-checker?

docker-security-checker is a set of Open Policy Agent Rego policies, run with Conftest, that perform security checks on Dockerfiles.

Check out more information at https://github.com/madhuakula/docker-security-checker
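A policy of the same kind, written here as an added example (it is not taken from the blog post or from the docker-security-checker repository). It encodes common Dockerfile best practices: pin the base image to a tag or digest rather than latest, switch to a non-root USER, do not pipe downloads into a shell, do not use sudo, keep secrets out of ENV and ARG, and prefer COPY over ADD. It assumes Conftest's Dockerfile parser, which exposes each instruction as an object with a lower-cased `Cmd` and a `Value` list of arguments; older Conftest releases hand the policy a flat list of instructions while newer ones group them per build stage, so the `instructions` helper accepts both shapes. Confirm the actual shape on your version with `conftest parse Dockerfile`. The rules use the classic `deny[msg] { ... }` form as the referenced repository does; if your Conftest is built on OPA 1.0 and rejects it, add `import rego.v1` and rewrite the rule heads as `deny contains msg if { ... }`.

```rego
package main

# Conftest parses a Dockerfile into instruction objects with fields such as
# Cmd (lower-cased instruction name, e.g. "from"), Value (list of arguments)
# and Flags. Older releases pass a flat list of instructions, newer ones a
# list of stages, each a list of instructions. These two rules accept either
# shape (assumption: verify with `conftest parse Dockerfile`).
instructions[instr] {
    instr := input[_]
    instr.Cmd
}

instructions[instr] {
    instr := input[_][_]
    instr.Cmd
}

# Aliases declared with `FROM image AS name`, so that a later `FROM name`
# in a multi-stage build is not mistaken for an unpinned external image.
stage_names[name] {
    instr := instructions[_]
    instr.Cmd == "from"
    lower(instr.Value[1]) == "as"
    name := lower(instr.Value[2])
}

# An image reference is pinned if it carries a digest or a tag other than latest.
pinned(image) {
    contains(image, "@sha256:")
}

pinned(image) {
    parts := split(image, ":")
    count(parts) > 1
    tag := parts[count(parts) - 1]
    not contains(tag, "/")  # "registry:5000/app" has a colon but no tag
    tag != "latest"
}

root_names := {"root", "0"}

# At least one USER instruction must switch to a non-root user.
# (Order is not checked: a later `USER root` would still pass this rule.)
non_root_user_set {
    instr := instructions[_]
    instr.Cmd == "user"
    name := split(instr.Value[0], ":")[0]  # strip an optional ":group"
    not root_names[name]
}

looks_like_secret(key) {
    regex.match(`(?i)(passw(or)?d|secret|token|api_?key|private_?key)`, key)
}

# --- deny rules: any match makes `conftest test` fail ---

deny[msg] {
    instr := instructions[_]
    instr.Cmd == "from"
    image := instr.Value[0]
    image != "scratch"
    not startswith(image, "$")  # FROM ${BASE}: resolved at build time, not checked here
    not stage_names[lower(image)]
    not pinned(image)
    msg := sprintf("FROM %s: pin the base image to a specific tag or digest, not latest", [image])
}

deny[msg] {
    not non_root_user_set
    msg := "no USER instruction switches to a non-root user: the container will run as root"
}

deny[msg] {
    instr := instructions[_]
    instr.Cmd == "run"
    cmdline := concat(" ", instr.Value)
    regex.match(`(curl|wget)[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b`, cmdline)
    msg := sprintf("RUN pipes a download straight into a shell: %s", [cmdline])
}

deny[msg] {
    instr := instructions[_]
    instr.Cmd == "run"
    cmdline := concat(" ", instr.Value)
    regex.match(`(^|[\s;&|])sudo\s`, cmdline)
    msg := sprintf("RUN uses sudo; install as root and drop privileges with USER instead: %s", [cmdline])
}

deny[msg] {
    instr := instructions[_]
    instr.Cmd == "env"
    some i
    key := instr.Value[i]  # ENV arguments arrive as key, value, key, value, ...
    i % 2 == 0
    looks_like_secret(key)
    msg := sprintf("ENV %s: secrets must not be baked into the image", [key])
}

deny[msg] {
    instr := instructions[_]
    instr.Cmd == "arg"
    key := split(instr.Value[_], "=")[0]
    looks_like_secret(key)
    msg := sprintf("ARG %s: build arguments are recorded in the image history", [key])
}

# --- warn rules: reported, but do not fail the run ---

warn[msg] {
    instr := instructions[_]
    instr.Cmd == "add"
    msg := sprintf("ADD %s: prefer COPY unless a remote fetch or auto-extraction is intended", [concat(" ", instr.Value)])
}
```

Save it as `policy/dockerfile.rego` and run `conftest test Dockerfile -p policy/`. Against a Dockerfile that starts `FROM ubuntu:latest`, contains `RUN curl -sSL https://example.invalid/install.sh | sh` and never sets a non-root USER, the run reports three failures and exits non-zero, which is what makes it usable as a CI gate. The download-to-shell and sudo checks are regular expressions over the RUN command line, so treat them as a first line of defence rather than a parser of shell syntax; the base-image rule deliberately skips `FROM ${VAR}` references, which can only be judged once the build argument is known.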