Status: Open
Labels: enhancement (New feature or request), security (Security related issues)
Description
Summary
Add Dockle container linter to enhance security scanning by checking Docker images for best practices and CIS Benchmark compliance.
Motivation
While PR #319 adds secret scanning with gitleaks and trufflehog, we need additional container-specific security checks to ensure our Docker images follow security best practices.
Proposed Solution
Integrate Dockle into our CI/CD pipeline to scan Docker images for:
- Security best practices violations
- CIS Docker Benchmark compliance
- Exposed secrets in container layers
- Insecure base images and configurations
- Missing security metadata
Implementation Details
1. Add Dockle to Security Workflow
Update .github/workflows/security.yml to include:
```yaml
dockle:
  name: dockle-container-scan
  runs-on: ubuntu-latest
  continue-on-error: true
  steps:
    - name: Checkout code
      uses: actions/checkout@v4
    - name: Build Docker images
      run: |
        docker build -t rag-modulo/backend:test -f backend/Dockerfile.backend backend/
        docker build -t rag-modulo/frontend:test -f webui/Dockerfile webui/
    - name: Run Dockle on backend image
      uses: goodwithtech/dockle-action@v0.1.2
      with:
        image: rag-modulo/backend:test
        format: sarif
        output: dockle-backend.sarif
    - name: Run Dockle on frontend image
      uses: goodwithtech/dockle-action@v0.1.2
      with:
        image: rag-modulo/frontend:test
        format: sarif
        output: dockle-frontend.sarif
    - name: Upload SARIF to GitHub Security
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: dockle-backend.sarif
        category: dockle-backend
    - name: Upload SARIF to GitHub Security
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: dockle-frontend.sarif
        category: dockle-frontend
```
2. Add Dockle Configuration
Create .dockle.yaml:
```yaml
# Dockle configuration for container security scanning
debug: false
exit-code: 0 # Don't block CI on findings
exit-level: WARN
# Ignore specific checks if needed
ignore:
  # Example: Ignore specific CIS checks with justification
  # - CIS-DI-0001 # Create a user for the container
# Acceptable keys for custom labels
accept-keys:
  - maintainer
  - org.opencontainers.image.created
  - org.opencontainers.image.authors
```
3. Fix Common Issues
Address typical Dockle findings in Dockerfiles:
- Use non-root user in containers
- Add health checks
- Use specific base image tags (not `latest`)
- Add security metadata labels
- Minimize image layers
- Remove unnecessary packages
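As an added example (not code from this issue or the rag-modulo project), a small Python checker that applies the first four items above to a Dockerfile before the image is built, so a PR author sees the findings before Dockle runs in CI. The two sample Dockerfiles and the `missing-label` check name are constructed for this example; the `CIS-DI-`/`DKL-DI-` identifiers are Dockle's checkpoint IDs for the corresponding checks, and the logic is a simplification of what Dockle evaluates against the built image (it judges only the final build stage).

```python
import re

# Constructed sample Dockerfiles for this example (not the project's real ones).
BEFORE = """\
FROM python:latest
COPY . /app
CMD ["python", "/app/main.py"]
"""

AFTER = """\
FROM python:3.12-slim
LABEL org.opencontainers.image.authors="rag-modulo maintainers"
RUN useradd --create-home app
COPY --chown=app . /app
RUN pip install --no-cache-dir -r /app/requirements.txt
HEALTHCHECK --interval=30s CMD python -c "import urllib.request as u; u.urlopen('http://localhost:8000/health')"
USER app
CMD ["python", "/app/main.py"]
"""

def _instructions(text):
    """Join backslash continuations, skip comments, yield (INSTRUCTION, arguments)."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            word, _, rest = line.partition(" ")
            yield word.upper(), rest.strip()

def lint_dockerfile(text, required_labels=("org.opencontainers.image.authors",)):
    """Return findings for the final build stage, mirroring the checks listed above."""
    stages = [[]]  # split on FROM so multi-stage builds are judged by their last stage
    for instr, args in _instructions(text):
        if instr == "FROM" and stages[-1]:
            stages.append([])
        stages[-1].append((instr, args))
    final = stages[-1]
    findings = []
    base = next((a for i, a in final if i == "FROM"), "")
    image = next((t for t in base.split() if not t.startswith("--")), "")  # drop --platform and "AS name"
    # Digest-pinned images (name@sha256:...) count as pinned; otherwise require a non-latest tag.
    if "@" not in image and (":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest")):
        findings.append("DKL-DI-0006: base image is not pinned to a specific tag: " + (image or "<none>"))
    users = [a for i, a in final if i == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append("CIS-DI-0001: no non-root USER set for the container")
    if not any(i == "HEALTHCHECK" for i, _ in final):
        findings.append("CIS-DI-0006: no HEALTHCHECK instruction")
    labels = {k for i, a in final if i == "LABEL" for k in re.findall(r"(\S+?)=", a)}
    findings += ["missing-label (example check, not a Dockle ID): LABEL %s not set" % k
                 for k in required_labels if k not in labels]
    return findings
```

Running `lint_dockerfile(BEFORE)` reports all four issues, and `lint_dockerfile(AFTER)` returns an empty list.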
4. Documentation
Update security documentation:
- Document container security best practices
- Explain Dockle findings and how to fix them
- Add container hardening guidelines
Acceptance Criteria
- Dockle integrated into `.github/workflows/security.yml`
- `.dockle.yaml` configuration file created
- Backend Docker image scans successfully
- Frontend Docker image scans successfully
- SARIF results upload to GitHub Security tab
- Workflow uses `continue-on-error` to avoid blocking PRs
- Documentation updated with container security guidelines
- Common Dockle findings addressed in Dockerfiles
References
- Dockle GitHub Repository
- Dockle GitHub Action
- CIS Docker Benchmark
- Related: PR #319 "feat: Implement secret scanning with gitleaks and trufflehog" (Secret Scanning)
Priority
Medium - Security enhancement that complements existing secret scanning
Estimated Effort
Small - 2-4 hours
- 1 hour: Configure Dockle workflow and action
- 1 hour: Address findings in Dockerfiles
- 1 hour: Test and validate
- 1 hour: Documentation