Security bench

[deviantony]

A script has been created by Docker to check the best-practices/security around deploying containers in production: https://github.com/docker/docker-bench-security

We could integrate that in Portainer and give the user an easy way to bench the security of their host/cluster.

[ncresswell]

Love it. Anything we can do to improve security, we should. Rgds, Neil Cresswell On 23/03/2017, at 9:58 PM, Anthony Lapenna <[email protected]<mailto:[email protected]>> wrote: A script has been created by Docker to check the best-practices/security around deploying containers in production: https://github.com/docker/docker-bench-security<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_docker_docker-2Dbench-2Dsecurity&d=DQMCaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=0fx0h4vB56iTLpw2McH1ZD6TqG_QGpbggVOB-PfMJpM&m=c0FUr6XOevi_6aTVu929wh42PB6aCQYLpXOuAcEhWCc&s=jA0XJXT_46bDExPbVXAgqkjbGtN7BE_UzJml_BF5njE&e=> We could integrate that in Portainer and give the user an easy way to bench the security of their host/cluster. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_portainer_portainer_issues_713&d=DQMCaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=0fx0h4vB56iTLpw2McH1ZD6TqG_QGpbggVOB-PfMJpM&m=c0FUr6XOevi_6aTVu929wh42PB6aCQYLpXOuAcEhWCc&s=sgeEoQpFuYgYAun8cEdcbGCcW3dFroFyyNqcP7h7xoA&e=>, or mute the thread<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AWGrlesP37Egz1NpN9vE0j1KhujK0JAoks5rojQfgaJpZM4MmbTF&d=DQMCaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=0fx0h4vB56iTLpw2McH1ZD6TqG_QGpbggVOB-PfMJpM&m=c0FUr6XOevi_6aTVu929wh42PB6aCQYLpXOuAcEhWCc&s=CUFVGPAnlBfwOOZegaCBPiJ-n5UAUnX7tIAVCca2AgI&e=>.

[WTFKr0]

Yeah I know this script, it take about 30 sec on our env (32 services swarm mode)
I think it must be run in background with a "pending" status, and then data store somewhere
We can't get live information of that

[deviantony]

A user reported that we could also integrate Clair: https://github.com/coreos/clair (refer #1246)

[WTFKr0]

Working on clair recently, and I think it can be easily coupled to the upcomming registry management feature
Idea is the ability to add a clair api url in portainer
Clair api only store and work with layer sha, not images or tags
So we have to link that to image history feature or registry browsing feature, which can list layers of images
If a report is available for a layer, we can then display it in the corresponding portainer view
Portainer can act as a reverse proxy to clair api
For information, Vmware Harbor integrates clair natively

[raesene]

Adding clair for container image scanning would be great :) If seeing other implementations would be helpful Harbor does this https://github.com/vmware/harbor but I'd prefer to see it in Portainer for my use case (which is doing security reviews of Docker images). there are also some other tools like Anchore that can be used. Sysdig have a good article on this https://sysdig.com/blog/container-security-docker-image-scanning/