-
Notifications
You must be signed in to change notification settings - Fork 75
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider adding docker security scanner? #6
Comments
I tried this in my fork and it works. We have vulnerabilities in our images though: modsecurity-crs-docker
I think a rebuild and push of the underlying owasp/modsecurity-docker image would already help, we have fewer vulnerabilities there: modsecurity-docker
Questions:
And do we want to extend the build and push with this security scan? |
Adding a scheduled scan makes certainly sense. We should then only trigger rebuilding the image when necessary, e.g. when vulnerabilities were found. |
This looks cool @franbuehler ! I think @bittner has a point in just creating a new one only when something is found. Do you need additional help with setting it up? |
Whatever you can do that brings us forward is super-welcome! We, at @vshn, would still need to invest time to verify the 4 main images (owasp/modsecurity:apache, owasp/modsecurity-crs:apache, and owasp/modsecurity:nginx, owasp/modsecurity-crs:nginx) in Production. We still maintain derivatives of our own image based on CRS 3.1, which is somewhat the "mother" of the changes we applied to the current images. I see some work ahead to align the last bits we might have overlooked when taking over our current features. |
Relates to coreruleset/modsecurity-docker#43. |
I also just ran a owasp/modsecurity-crs:v3.3.2-nginx (debian 10.10)
=================================================
Total: 323 (UNKNOWN: 0, LOW: 215, MEDIUM: 45, HIGH: 55, CRITICAL: 8) Now that NGINX maintain both Debian and Alpine images, so hopefully this is not a large increase in maintenance burden as we can still rely on default upstream images. |
@MitchellCash Can you run it again now that we have alpine images? We still need to run this in a pipeline. |
@fzipi Alpine based image looks good to me on the initial Debian based image
Alpine based image 🥳
|
Good, this matches my own tests. I don't think we can do too much in the debian image (I've checked a couple criticals, and they are still there :/ ). |
We may want to add an action for docker security scanning:
https://github.com/phonito/phonito-scanner-action
The text was updated successfully, but these errors were encountered: