Docker Bench Security: What is it and what the Score actually means?

Docker Bench Security is a repository that contains a script which will check for loads of common best practices surrounding the deployment of Docker containers in production. Best of all, it’s not too difficult to automate. Let’s get started!

When to use?

You’ve got yourself a build process, you’re creating branches with updates to the repo, then merging those branches to the master branch. But you want to check this new branch’s updated code for CIS security issues. This is when we’d like to use the Docker Bench Security tool.

What’s the score?

I don’t know if it’s just me. But there seemed to be a lack of an explanation for what the score really means. So many assumptions for what it is. But no real breakdown. Well fear no more.
[Image: Docker Bench Security]

In the example above we are running 5 “Checks” against the container. We count 4 “PASS” and 1 “NOTE”. The 4 “PASS” results determine the “Score”. The “NOTE”, however, is a recommendation which won’t affect your final “Score”.

Breakdown:

Checks: CIS based checks are named check_<section>_<number>, e.g. check_2_6, and community contributed checks are named check_c_<number>. A complete list of checks is present in functions_lib.sh. For our example we chose to use specific checks for our needs instead of checking everything: “check_4_1,check_4_2,check_4_3,check_4_4,check_4_7”

PASS: We’ve made it, you crossed the line, all is well.

Score: We tally up the number of “PASS” results, which determines the final “Score”.

NOTE: This is a recommendation. I’d personally read them and make sure you’re good, but don’t fail your build for this.
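
One way to automate the tally above in a build step, as an added example that is not from the original post or the Docker Bench Security project. It assumes the report format noted in the comments; `bench_tally`, `bench_gate` and the sample report are hypothetical names and constructed data, and failing the build on `[WARN]` or on a missing check is this example's own choice.

```shell
#!/bin/sh
# Added example: tally a Docker Bench Security report and gate a build on it.
# Assumption: each result line starts with a bracketed status ([PASS], [NOTE],
# [WARN]) followed by the check id, optionally wrapped in ANSI colour codes.

# Constructed report mirroring the article's run: 5 checks, 4 PASS, 1 NOTE.
# The descriptions are placeholders, not real tool output.
SAMPLE_REPORT='[PASS] 4.1 - constructed description
[PASS] 4.2 - constructed description
[NOTE] 4.3 - constructed description
[PASS] 4.4 - constructed description
[PASS] 4.7 - constructed description'

# bench_tally: read a report on stdin, print "checks=N pass=N note=N warn=N".
bench_tally() {
    # Strip colour escapes, then count only lines whose second field is a
    # check id, so indented detail lines under a result are not counted twice.
    sed "s/$(printf '\033')\[[0-9;]*m//g" | awk '
        $2 !~ /^[0-9]+(\.[0-9]+)+$/ { next }
        $1 == "[PASS]" { pass++ }
        $1 == "[NOTE]" { note++ }
        $1 == "[WARN]" { warn++ }
        END { printf "checks=%d pass=%d note=%d warn=%d\n",
              pass + note + warn, pass, note, warn }'
}

# bench_gate EXPECTED: succeed only if EXPECTED checks reported and none WARNed.
# NOTE lines are echoed to stderr for a human to read but never fail the build.
bench_gate() {
    expected=$1
    report=$(cat)
    printf '%s\n' "$report" | grep '\[NOTE\]' >&2 || true
    tally=$(printf '%s\n' "$report" | bench_tally)
    echo "$tally"
    case "$tally" in
        "checks=$expected "*" warn=0") return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on the constructed report: 5 checks expected, score is the PASS count.
printf '%s\n' "$SAMPLE_REPORT" | bench_gate 5
```

Checking the expected number of checks catches a run where the script stopped early and reported fewer results than were requested.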

Where to get it!

https://github.com/docker/docker-bench-security

Docker Bench Security is a fantastic tool that is made and maintained by the folks who created Docker. https://www.cisecurity.org/benchmark/docker/

WHO AM I?

My name is Keith. Over the years I have become a very experienced, passionate DevOps Engineer who has grown enormously in recent years, partly because DevOps has become increasingly important, but mainly because of my personal drive to further develop within this field.
I am a native English speaker from Canada (with an Irish passport) who has recently immigrated to the Netherlands.
