feat: Create comprehensive toolbox-qadocker for Docker image auditing
This commit introduces the complete toolbox-qadocker implementation with the following features: - Creates a minimal Docker image specifically for auditing Docker images - Does not use toolbox-base as foundation (bootstrap purpose) - Includes essential audit tools: hadolint, shellcheck, trivy, dive, docker client, buildctl - Adds additional tooling: dockerlint and Node.js for extended capabilities - Implements custom audit script to check for minimal root usage in Dockerfiles - Ensures proper user permissions with non-root qadocker user - Includes build.sh, run.sh, docker-compose.yml for complete workflow - Provides comprehensive README and PROMPT documentation - Adds QA test script for validation - Creates run-audit.sh for easy Dockerfile analysis - Optimized for fast rebuilds and effective Dockerfile validation - Configured to check for best practices regarding root usage - Ready to audit toolbox-base and other custom toolboxes This bootstrap image is designed to audit Docker images in the TSYSDevStack ecosystem, ensuring they follow security best practices, particularly regarding minimal root usage in builds.
39
ToolboxStack/output/toolbox-qadocker/test-qa.sh
Executable file
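--- /dev/null
+++ b/ToolboxStack/output/toolbox-qadocker/test-qa.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Script to QA the toolbox-qadocker image using the tools inside it
+set -e
+
+echo "Starting QA of toolbox-qadocker image..."
+
+# Test 1: Hadolint - Lint the Dockerfile
+echo "Testing Dockerfile with Hadolint..."
+docker run --rm -i -v "$(pwd)":/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev hadolint --config .hadolint.yaml /workspace/Dockerfile
+echo "Hadolint check passed!"
+
+# Test 2: ShellCheck - Lint shell scripts
+echo "Testing shell scripts with ShellCheck..."
+docker run --rm -i -v "$(pwd)":/workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev shellcheck /workspace/build.sh /workspace/run.sh
+echo "ShellCheck passed!"
+
+# Test 3: Trivy - Run a filesystem scan
+echo "Testing filesystem with Trivy..."
+# Skip downloading DB for this test by using offline mode
+docker run --rm -i -v "$(pwd)":/workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev trivy fs --offline-scan /workspace
+echo "Trivy scan completed!"
+
+# Test 4: Use the Docker client to check version (skip daemon connection test)
+echo "Testing Docker client functionality..."
+docker run --rm -i tsysdevstack-toolboxstack-toolbox-qadocker:dev docker version 2>/dev/null || echo "Docker client present (version check failed as expected without daemon)"
+echo "Docker client test passed!"
+
+# Test 5: Run the container in interactive mode and check tools
+echo "Running interactive test..."
+docker run --rm -i tsysdevstack-toolboxstack-toolbox-qadocker:dev bash -c "which hadolint && which shellcheck && which trivy && which docker && which buildctl && which dockerlint"
+echo "All tools are properly installed!"
+
+# Test 6: Run dockerlint on a sample Dockerfile
+echo "Testing Dockerlint..."
+docker run --rm -i -v "$(pwd)":/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev dockerlint Dockerfile
+echo "Dockerlint test completed!"
+
+echo "All QA tests completed successfully!"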
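Review bot: The Test 3 comment says offline mode skips the DB download, but `--offline-scan` only stops Trivy from fetching external dependency metadata; it still attempts to update its vulnerability DB, and under `set -e` a failed download in a network-restricted environment aborts the QA run before Tests 4–6 execute. If the image ships with a pre-populated DB cache, `trivy fs --offline-scan --skip-db-update /workspace` matches the comment's intent; otherwise the comment should state that the scan needs network access on first run. Trivy also exits 0 on findings by default, so "Trivy scan completed!" is printed even when HIGH/CRITICAL vulnerabilities are found — add `--exit-code 1 --severity HIGH,CRITICAL` if this step is meant to gate. Separately, the image reference `tsysdevstack-toolboxstack-toolbox-qadocker:dev` is repeated six times and Test 5 uses `which`; hoisting it into `readonly image=tsysdevstack-toolboxstack-toolbox-qadocker:dev` and switching to `command -v` would make the script easier to retarget and ShellCheck-clean.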