Open-Awesome
© 2026 Open-Awesome. Curated for the developer elite.

CIS Docker Benchmark

License: Apache-2.0 · Language: Ruby · Version: 2.1.3

An InSpec compliance profile that automates security testing for Docker daemon and containers against CIS benchmarks.

523 stars · 118 forks · 0 contributors

What is CIS Docker Benchmark?

CIS Docker Benchmark - InSpec Profile is an open-source compliance tool that automates security testing for Docker environments. It implements the CIS Docker Benchmark as executable InSpec code to validate that Docker daemon and container configurations adhere to security best practices. The tool helps organizations maintain secure Docker deployments by providing automated, repeatable checks.

Target Audience

DevOps engineers, security teams, and system administrators responsible for securing Docker containers in production environments. It's particularly useful for organizations that need to comply with security standards or perform regular security audits.

Value Proposition

Developers choose this tool because it automates manual CIS benchmark checks, saving time and reducing human error. Its integration with InSpec allows for easy incorporation into existing CI/CD pipelines and infrastructure testing workflows.

Use Cases

Best For

  • Automating CIS Docker Benchmark compliance checks in CI/CD pipelines
  • Performing security audits on Docker daemon configurations
  • Hardening Docker container security in production environments
  • Integrating security testing into DevOps workflows
  • Validating Docker security settings across multiple hosts
  • Running targeted security checks for specific CIS controls

Not Ideal For

  • Teams using container runtimes other than Docker (e.g., Podman, containerd)
  • Organizations with Docker deployments on unsupported operating systems like Windows or newer Linux distributions
  • Projects that require automated remediation of security issues, as this tool only provides testing

Pros & Cons

Pros

Automated Compliance Testing

Implements the CIS Docker 1.13.0 Benchmark as executable InSpec code, enabling automated and repeatable security checks that save time and reduce human error.

Flexible Configuration Options

Supports YAML attribute files to customize Docker settings such as trusted users, logging drivers, and registry certificates, making it adaptable to specific environment needs.

Remote and Targeted Execution

Allows running tests on remote hosts via SSH and executing individual controls (e.g., specific benchmark checks), providing operational flexibility and focused audits.

Integration with DevOps Workflows

Built on InSpec, it can be easily incorporated into CI/CD pipelines for continuous security validation, as shown in the usage examples for local and remote execution.

Cons

Limited Platform Compatibility

Only supports older OS versions like Debian 8, Ubuntu 16.04, and CentOS 7, which may not align with current production environments using newer distributions.

Dependency on InSpec Ecosystem

Requires InSpec 2.3.23+ and familiarity with its framework, adding a learning curve and toolchain dependency that might not fit teams outside the Chef ecosystem.

Outdated Benchmark Version

Based on CIS Docker 1.13.0, which may not cover security recommendations for newer Docker versions, so its relevance diminishes over time even though a benchmark_version attribute exists for selecting older controls.

Quick Stats

Stars: 523
Forks: 118
Contributors: 0
Open issues: 7
Last commit: 3 years ago
Created: 2016

Tags

#container-security #inspec #docker-security #devops-security #infrastructure-testing #security-hardening #security #compliance-automation #hardening #security-auditing #docker #cis-benchmark

Built With

YAML

Included in

Docker (35.8k)

Related Projects

trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

Stars: 35,023
Forks: 376
Last commit: 2 days ago

Grype

A vulnerability scanner for container images and filesystems

Stars: 12,221
Forks: 794
Last commit: 1 day ago

Clair

Vulnerability Static Analysis for Containers

Stars: 10,980
Forks: 1,208
Last commit: 3 days ago

Docker bench security

The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.

Stars: 9,636
Forks: 1,038
Last commit: 1 year ago