renatomefi

$ chmod +x ./test.sh
$ ./test.sh ./test.sh alpine-app        
Starting a container for 'alpine-app'
=============== test session starts =======================================================
platform linux2 -- Python 2.7.15, pytest-4.3.0, py-1.8.0, pluggy-0.9.0 -- /usr/bin/python2
rootdir: /tests, inifile:
plugins: testinfra-1.19.0
collected 1 item                                                                                                                                                                            

renatomefi

#!/bin/bash
#
# A simple script to start a Docker container
# and run Testinfra in it
# Original script: https://gist.github.com/renatomefi/bbf44d4e8a2614b1390416c6189fbb8e
# Author: @renatomefi https://twitter.com/renatomefi
#

set -eEuo pipefail

renatomefi

Let's update from 3.8 to 3.9

FROM alpine:3.9

RUN addgroup -g 1000 app \
    && adduser -u 1000 -D -G app app

Build it again

renatomefi

Let's first build and run our newly image with a sleep time, thus pytest will have time to execute the test in it, no worries, this won't be the final solution

$ docker build -t alpine-app .
$ docker run --rm -d alpine-app sleep 60
7ecbe3205a3e9e871d4bc73237ee374d75e1e8508b008d578f2538ce937b2aa5

We want now to copy the running container ID, and let's put it in the Testinfra command so it knows what container we want to test

renatomefi

./test/test_user.py

def test_user_is_present(host):
    user_name = 'app'
    group_name = 'app'
    home_dir = '/home/app'
    shell = '/sbin/halt'

renatomefi

$ docker build -t alpine-app -f - . <<Dockerfile 
FROM alpine:3.8
RUN addgroup -g 1000 app \
    && adduser -u 1000 -D -G app app
Dockerfile
Sending build context to Docker daemon  69.68kB
Step 1/2 : FROM alpine:3.8
 ---> 491e0ff7a8d5
Step 2/2 : RUN addgroup -g 1000 app &amp;&amp; adduser -u 1000 -D -G app app

renatomefi

./Dockerfile

FROM alpine:3.8

RUN addgroup -g 1000 app \
    && adduser -u 1000 -D -G app app

renatomefi

FROM mongo:4.0
# Works with Mongo 3.2 till 4.0

WORKDIR /etc/ssl
# If you want to validate the certifacate you should have it somewhere else an copy here, otherwise you won't be able to
RUN set -xe \
    && openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key -subj "/C=NL/ST=Noord Holland/L=Amsterdam/O=Me/OU=Somewhere/CN=mongo" \
    && cat mongodb-cert.key mongodb-cert.crt > mongodb.pem

ENTRYPOINT ["mongod", "--sslMode", "requireSSL", "--sslPEMKeyFile", "/etc/ssl/mongodb.pem"]

renatomefi

Global whitelist

This will allow this CVEs to be ignored in any image, format is: CVE:Package name

generalwhitelist:
  CVE-2016-9843: zlib
  CVE-2017-1000158: python

renatomefi

$ clair-scanner --ip 172.17.0.1 quay.io/coreos/clair:v2.0.0
2018/09/17 20:15:31 [INFO] ▶ Start clair-scanner
2018/09/17 20:15:35 [INFO] ▶ Server listening on port 9279
2018/09/17 20:15:35 [INFO] ▶ Analyzing 30784cae2b30e82860239f7de81fc755f69bc58a77d52c2d8318ac1162247f66
2018/09/17 20:15:35 [INFO] ▶ Analyzing 858cb12d7179e8919fe9eb4d9235f3c6c5b42a3a990b4bc4d98b7d065cd6d410
2018/09/17 20:15:35 [INFO] ▶ Analyzing dcb049bb3bf0b86e0066e3aed414200c380d6d5ca00fd583ed958b2ac897596c
2018/09/17 20:15:35 [INFO] ▶ Analyzing 8c676d6c9c7d6b0b5d635bda83b80bea5ee2464ef7c5f22540c541d6345f7713
2018/09/17 20:15:35 [INFO] ▶ Analyzing 97d0cd0812dcf22015d9ffb01bc8d634765aab9774a134daedd75456abc3490a
2018/09/17 20:15:35 [INFO] ▶ Analyzing ea9c1b92c10ef25434adf1a68b87bd82830286fca881dcef5d11df9ce84847b3