# Assess Dockerfile Security with cnspec

Use cnspec to scan Dockerfiles for security misconfigurations and policy violations before they reach production.
## Scan a Dockerfile

Scan a single Dockerfile, substituting the path and name of the file for FILEPATH:

```bash
cnspec scan docker file FILEPATH
```

Find nested Dockerfiles within a directory, substituting the directory path for PATH:

```bash
cnspec scan docker file PATH
```

## Example checks
Run `cnspec shell docker file FILEPATH` to open the cnspec interactive shell. From there you can run checks like the examples below.

Ensure the Dockerfile does not use the root user:

```coffeescript
cnspec> docker.file.user.user != "root"
[ok] value: true
```

Ensure a HEALTHCHECK instruction is defined:

```coffeescript
cnspec> docker.file.healthcheck.test.length > 0
[ok] value: true
```

List all base images used in the Dockerfile:

```coffeescript
cnspec> docker.file.from.list { image tag }
```

List all exposed ports:

```coffeescript
cnspec> docker.file.expose.list { port protocol }
```

List all stages in a multi-stage build:

```coffeescript
cnspec> docker.file.stages { name from.image }
```

## Scan options
| Option | Description |
|---|---|
| `--asset-name` | Override the asset name |
| `--annotation` | Add an annotation to the asset (key=value) |
| `--incognito` | Run in incognito mode (do not report results to Mondoo Platform) |
| `-o`, `--output` | Set the output format (compact, full, json, junit, summary, yaml) |
| `-f`, `--policy-bundle` | Path to a policy file (local path, s3:// URI, or http(s):// URL) |
| `--policy` | Specify policies to execute (requires `--policy-bundle`) |
| `--risk-threshold` | Exit with status 1 if any risk meets or exceeds this value (0-100) |
| `-j`, `--json` | Return the results as JSON |
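The interactive shell is useful for exploring a Dockerfile, but the two boolean checks above (non-root user, HEALTHCHECK present) are the kind of controls a pipeline should enforce on every build. The policy bundle below is an added example written for this page, not a bundle shipped by cnspec or Mondoo; it wraps those two MQL expressions so they can be passed to `cnspec scan` with `--policy-bundle`. The policy and check uids, the file name, the impact values and the `asset.platform == "dockerfile"` filter are assumptions chosen for the example and should be verified against the Dockerfile resource reference before use. The MQL itself is copied verbatim from the checks above; since a Dockerfile with no USER instruction runs as root by default, confirm how `docker.file.user` evaluates when the instruction is absent before relying on the first check in a gate.

```yaml
# Added example policy bundle (not part of cnspec or its documentation).
# Save as dockerfile-hardening.mql.yaml (constructed file name) and run:
#   cnspec scan docker file FILEPATH --policy-bundle dockerfile-hardening.mql.yaml
#
# ASSUMPTIONS to verify against the Dockerfile resource reference:
#   - "dockerfile" is the platform name reported for Dockerfile assets
#   - uids and impact values are placeholders chosen for this example
policies:
  - uid: example-dockerfile-hardening
    name: Example Dockerfile hardening policy
    version: "1.0.0"
    groups:
      - title: Dockerfile build-time controls
        # Assumed platform filter so the checks only run against Dockerfile assets.
        filters: asset.platform == "dockerfile"
        checks:
          - uid: example-dockerfile-no-root-user
            title: Ensure the Dockerfile does not run as the root user
            impact: 80
            # Same expression as the interactive-shell example on this page.
            mql: docker.file.user.user != "root"
            docs:
              desc: |
                Containers that run as root have root privileges inside the
                container; a container breakout or a writable bind mount then
                exposes the host with those privileges.
              remediation: |
                Create an unprivileged user in the image and switch to it with a
                USER instruction before the final ENTRYPOINT or CMD.
          - uid: example-dockerfile-healthcheck-defined
            title: Ensure a HEALTHCHECK instruction is defined
            impact: 30
            # Same expression as the interactive-shell example on this page.
            mql: docker.file.healthcheck.test.length > 0
            docs:
              desc: |
                Without a HEALTHCHECK the runtime cannot distinguish a hung or
                compromised service from a healthy one and will keep routing
                traffic to it.
              remediation: |
                Add a HEALTHCHECK instruction that probes the service the
                container actually exposes.
```

To fail a CI job when a scanned Dockerfile violates the higher-impact check, combine the bundle with the `--risk-threshold` option from the table above, for example `--risk-threshold 80`; the exit status is then 1 whenever a finding at or above that risk is present, which is what a pipeline gate needs.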
## Learn more

- To scan Docker images, read Assess Docker Image Security.
- To scan running containers, read Assess Docker Container Security.
- To learn more about how the MQL query language works, read Write Effective MQL.
- Explore the Dockerfile resource reference.