So, this has always bugged me. How do you validate a Docker container? No one wants to pull a laced up container, so there has to be a way one can check. Of course, sticking to original docker containers from Docker Hub would be one method I suppose. Is there some kind of scan one can do? I do this on my Windows computer; scan before installing. Besides looking at code that I would have no idea what is going on, what protocols do you guys use?
You must log in or register to comment.
Are you looking for https://docs.docker.com/build/metadata/attestations/?
I didn’t know that existed. I’m reading presently.
Well, a big advantage of containers is, that you can isolate them pretty aggressively. So if you run a container that is supposed to serve content on a single HTTP port, expose only that port, mount no unnecessary volumes and run it on a network that blocks all outgoing traffic. Ideally the only thing left will be incoming traffic on the one port the service is supposed to serve.
Block outgoing traffic, do you mean blocking it at my router or at the level of where I have the container hosted?
I talk fully about software. Add appropriate nftable rules to the container network and that’s it.
Docker scout might be worth a try, I also have a look for the dockerfile. Some people have a link to the git repo the image was built from, most don’t. I then do a bit of looking and if not happy, look for a different image
I briefly checked out Docker Scout. That looks very interesting. I’ll dive in here in a little bit.
