A customizable Dockerfile Scanner for Potential Runtime Vulnerabilities
Mooring scans each Dockerfile statically and at runtime to detect potential vulnerabilities.
Mooring implements a deny policy that allows you to block certain packages from being included in the final container image
Append the packages you want to block to the DENY.txt file, one per line:

    bash
    curl
    git
    ssh
To temporarily allow a package, prefix its line with # or leave it out of DENY.txt altogether:

    bash
    curl
    git
    #ssh
Check out the main.go file for an example of how to call Mooring.
Mooring performs static analysis on a Dockerfile using string matching in conjunction with a policy document to determine whether a vulnerability is present.
Mooring performs runtime analysis via docker scan on built container images.
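The two pieces described above, the DENY.txt policy (with # for a temporarily allowed package) and the static string matching over a Dockerfile, fit together as in the following added example. This is illustrative code written for this page, not Mooring's own implementation or API; the function names, the Finding type and the sample DENY.txt and Dockerfile contents are all constructed here. It goes slightly beyond the text in two ways: it matches whole tokens rather than raw substrings, so a deny entry such as git does not fire on the word digital, and it reports the last USER instruction, which the roadmap below lists as a planned check.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// LoadDenyList parses DENY.txt-style content: one package name per line.
// Lines starting with '#' are treated as temporarily allowed and skipped,
// as are blank lines. (Hypothetical helper, not Mooring's code.)
func LoadDenyList(content string) map[string]bool {
	denied := make(map[string]bool)
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		denied[line] = true
	}
	return denied
}

// Finding records a denied package seen on a Dockerfile line.
type Finding struct {
	Line    int    // 1-based line number in the Dockerfile
	Package string // the denied package token that matched
	Text    string // the raw Dockerfile line
}

// isShellSep marks whitespace and common shell punctuation as token separators,
// so "curl" is found in "install -y curl && \" but "git" is not found in "digital".
func isShellSep(r rune) bool {
	return strings.ContainsRune(" \t&;|\\\"'", r)
}

// ScanDockerfile checks RUN instructions, including ones continued with a
// trailing backslash, for whole tokens that appear in the deny list.
func ScanDockerfile(dockerfile string, denied map[string]bool) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(dockerfile))
	lineNo := 0
	inRun := false
	for sc.Scan() {
		lineNo++
		raw := sc.Text()
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !inRun {
			if !strings.EqualFold(strings.Fields(line)[0], "RUN") {
				continue // only RUN instructions install packages
			}
			inRun = true
		}
		for _, tok := range strings.FieldsFunc(line, isShellSep) {
			if denied[tok] {
				findings = append(findings, Finding{Line: lineNo, Package: tok, Text: raw})
			}
		}
		inRun = strings.HasSuffix(line, "\\") // continuation line follows
	}
	return findings
}

// FinalUser returns the argument of the last USER instruction, or "" if the
// image never drops root. Illustrates the roadmap item, not Mooring's check.
func FinalUser(dockerfile string) string {
	user := ""
	sc := bufio.NewScanner(strings.NewReader(dockerfile))
	for sc.Scan() {
		f := strings.Fields(strings.TrimSpace(sc.Text()))
		if len(f) >= 2 && strings.EqualFold(f[0], "USER") {
			user = f[1]
		}
	}
	return user
}

// Constructed sample inputs for the demonstration.
const SampleDeny = "bash\ncurl\ngit\n#ssh\n"

const SampleDockerfile = `FROM debian:bookworm-slim
# constructed sample Dockerfile
RUN apt-get update && \
    apt-get install -y curl git openssh-client && \
    rm -rf /var/lib/apt/lists/*
RUN echo "digital" > /tmp/note
COPY app /app
USER 1000
CMD ["/app"]
`

func main() {
	denied := LoadDenyList(SampleDeny)
	for _, f := range ScanDockerfile(SampleDockerfile, denied) {
		fmt.Printf("line %d: denied package %q in: %s\n", f.Line, f.Package, strings.TrimSpace(f.Text))
	}
	if u := FinalUser(SampleDockerfile); u == "" {
		fmt.Println("warning: no USER instruction, container runs as root")
	} else {
		fmt.Printf("final user: %s\n", u)
	}
}
```

Running it reports curl and git on line 4 and a final user of 1000; ssh is not reported because its DENY.txt line is commented out, and openssh-client is not reported because matching is on whole tokens.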
go get [...]
- Assess integration of static analysis with buildkit's Dockerfile parser
- Check for final container image user
J.Stone 2021