add label filtering config #531
Conversation
@konstruktoid Have you had time to watch the PR?
Thanks for the PR @lekpamartin but there are a couple of issues:
- the code doesn't actually exclude any images or containers, it includes them
- it filters on the label key, not the label value.
```
$ ./docker-bench-security.sh -h
Docker Bench for Security - Docker, Inc. (c) 2015-2023
[...]
Options:
  -b           optional  Do not print colors
  -h           optional  Print this help message
  -l FILE      optional  Log output in FILE, inside container if run using docker
  -u USERS     optional  Comma delimited list of trusted docker user(s)
  -c CHECK     optional  Comma delimited list of specific check(s) id
  -e CHECK     optional  Comma delimited list of specific check(s) id to exclude
  -i INCLUDE   optional  Comma delimited list of patterns within a container or image name to check
  -x EXCLUDE   optional  Comma delimited list of patterns within a container or image name to exclude from check
  -t LABEL     optional  Comma delimited list of labels within a container or image to exclude from check
  -n LIMIT     optional  In JSON output, when reporting lists of items (containers, images, etc.), limit the number of reported items to LIMIT. Default 0 (no limit).
  -p PRINT     optional  Print remediation measures. Default: Don't print remediation measures.
[...]
```

```
$ docker image inspect --format='{{json .Config.Labels}}' $(docker images -qa)
{"org.label-schema.name":"docker-bench-security","org.label-schema.url":"https://dockerbench.com","org.label-schema.vcs-url":"https://github.com/docker/docker-bench-security.git"}
null
{"maintainer":"NGINX Docker Maintainers <docker-maint@nginx.com>"}
{"maintainer":"Thomas Sjögren <konstruktoid@users.noreply.github.com>","vcs-url":"git@github.com:konstruktoid/Nginx_Build.git"}
```

```
$ docker images
REPOSITORY           TAG       IMAGE ID       CREATED          SIZE
dockerbench          latest    d3ab463d6b58   18 minutes ago   40.9MB
nolabel              latest    d7804d046a40   6 days ago       4.26MB
nginx                latest    eb4a57159180   2 weeks ago      187MB
konstruktoid/nginx   latest    d2695d0a229c   22 months ago    11.3MB
```

```
$ sudo bash ./docker-bench-security.sh -c check_4_1
[...]
Section A - Check results
[WARN] 4.1 - Ensure that a user for the container has been created (Automated)
[WARN]      * Running as root: nolabel
[WARN]      * Running as root: amazing_khayyam
[WARN]      * Running as root: nginx02
[WARN]      * Running as root: nginx01
[...]
```

```
$ sudo bash ./docker-bench-security.sh -t maintainer -c check_4_1
[...]
Section A - Check results
[WARN] 4.1 - Ensure that a user for the container has been created (Automated)
[WARN]      * Running as root: nginx02
[WARN]      * Running as root: nginx01
[...]
```

```
$ sudo bash ./docker-bench-security.sh -t NGINX -c check_4_1
[...]
Section A - Check results
[INFO] 4.1 - Ensure that a user for the container has been created (Automated)
[INFO]      * No containers running
```
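The two review points above (a bare key should not match every value, and `-t` narrows the set of containers/images that get checked rather than excluding them) can be demonstrated in a few lines of shell. This is an added example, not code from the PR or from docker-bench-security. It assumes labels arrive as `key=value` lines, as `docker inspect` with the Go template in the comment produces, and the sample labels are constructed from the image labels shown in the review output above.

```bash
#!/usr/bin/env bash
# Added example (not part of docker-bench-security or this PR): turn a
# "-t key1,key2=value2" style spec into docker --filter arguments and apply
# the same matching rule to a single container's labels.
# Labels are assumed to be "key=value" lines, e.g. from
#   docker inspect --format '{{range $k,$v := .Config.Labels}}{{$k}}={{$v}}{{println}}{{end}}' NAME

# Print one docker CLI argument per line for a comma delimited spec, e.g.
#   --filter
#   label=maintainer=My name
# One argument per line lets a caller read them into an array, so a value
# containing spaces stays a single argument:
#   mapfile -t args < <(build_label_filters "$spec"); docker ps "${args[@]}"
build_label_filters() {
  local spec="$1" term
  local IFS=','
  for term in $spec; do
    [ -n "$term" ] || continue
    printf '%s\n%s\n' '--filter' "label=$term"
  done
}

# Return 0 when every term of the spec is satisfied by the given labels.
# A bare key matches any value for that key; key=value requires the exact
# value (the semantics docker gives "--filter label=").  An empty spec
# matches everything, i.e. no filtering.
labels_match() {
  local labels="$1" spec="$2" term line found
  local IFS=','
  for term in $spec; do
    [ -n "$term" ] || continue
    found=0
    while IFS= read -r line; do
      [ -n "$line" ] || continue
      case "$term" in
        *=*) if [ "$line" = "$term" ]; then found=1; fi ;;
        *)   if [ "${line%%=*}" = "$term" ]; then found=1; fi ;;
      esac
    done <<EOF
$labels
EOF
    [ "$found" -eq 1 ] || return 1
  done
  return 0
}

# Constructed sample: the labels of the konstruktoid/nginx image from the review.
SAMPLE_LABELS='maintainer=Thomas Sjögren <konstruktoid@users.noreply.github.com>
vcs-url=git@github.com:konstruktoid/Nginx_Build.git'

# Show which specs would select the sample image for checking.
demo() {
  local spec
  for spec in 'maintainer' \
              'maintainer=NGINX Docker Maintainers <docker-maint@nginx.com>' \
              'maintainer,vcs-url' \
              'nosuchlabel'; do
    if labels_match "$SAMPLE_LABELS" "$spec"; then
      printf '%-62s -> checked\n' "-t $spec"
    else
      printf '%-62s -> skipped\n' "-t $spec"
    fi
  done
}
demo
```

With this rule `-t maintainer` selects both nginx images, while `-t 'maintainer=NGINX Docker Maintainers <docker-maint@nginx.com>'` selects only the one whose value matches, which is the distinction the review asks for; the quoting also covers the space-in-value case raised later in the thread.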
Hi,
I will push an update of the documentation. Before that I am looking for a bug when the label value contains a space. For example -t maintainer=My name. Thx
But all containers and images are included by default, or is it to test only those with the defined label?

It tests only images/containers with a defined label.
@lekpamartin can you rewrite the help text? See the review.

@konstruktoid I updated the doc.
Seems "include from" is still present in the documentation.

Sorry. Updated

The text should read
docker-bench-security.sh
Outdated
| -e CHECK optional Comma delimited list of specific check(s) id to exclude | ||
| -i INCLUDE optional Comma delimited list of patterns within a container or image name to check | ||
| -x EXCLUDE optional Comma delimited list of patterns within a container or image name to exclude from check | ||
| -t LABEL optional Comma delimited list of labels within a container or image to exclude from check |
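Review bot: the new `-t LABEL` help line still says "to exclude from check", which contradicts the author's explanation in this thread that only images/containers carrying the label are tested; placed next to the `-i`/`-x` lines above it, `-t` narrows the checked set the way `-i` does. Suggest mirroring the `-i` wording, e.g. `-t LABEL optional Comma delimited list of labels (key or key=value) within a container or image to check`, so the help text also documents the key=value form given in the PR description.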
> It tests only images/containers with a defined label.

Then you'll just need to remove "exclude from" and we're good to go I guess.
README.md
Outdated
| -e CHECK optional Comma delimited list of specific check(s) id to exclude | ||
| -i INCLUDE optional Comma delimited list of patterns within a container or image name to check | ||
| -x EXCLUDE optional Comma delimited list of patterns within a container or image name to exclude from check | ||
| -t LABEL optional Comma delimited list of labels within a container or image to include from check |
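Review bot: the README line for `-t LABEL` ends in "include from check", which is ungrammatical and also disagrees with the script's own `-h` text in this PR ("exclude from check"); the two option tables should be word for word identical. Suggest "Comma delimited list of labels within a container or image to check", matching the `-i INCLUDE` line directly above it.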
@lekpamartin remove "include from"
Thanks @lekpamartin!
Add an option to filter checked containers and images by setting comma separated labels.
For example, to filter on two labels
--filter label=key1 --filter label=key2=value2
you have to define
-t key1,key2=value2
Thx