# ๐Ÿ” Toolbox-QADocker > **Docker Image Auditing & Quality Assurance** Toolbox-QADocker is a specialized Docker image designed for auditing and quality assurance of Docker images and related files. It serves as the bootstrap image that audits the toolbox-base and other custom toolboxes in the TSYSDevStack ecosystem. --- ## ๐ŸŽฏ Purpose | ๐Ÿงฐ Feature | ๐Ÿ“‹ Description | |------------|----------------| | ๐Ÿ” **Docker Image Auditing** | Equipped with tools like Hadolint, Dive, and Trivy for comprehensive Docker image analysis | | ๐Ÿ“œ **Shell Script Validation** | Includes ShellCheck for validating shell scripts | | ๐Ÿ” **Bootstrap Tool** | Used to audit the base and other custom toolboxes during development | | โšก **Quick Rebuilds** | Designed to be minimal and quick to rebuild when needed | --- ## ๐Ÿ› ๏ธ Tools Included | ๐Ÿ› ๏ธ Tool | ๐Ÿ“ Description | |---------|----------------| | ๐Ÿณ **[Hadolint](https://github.com/hadolint/hadolint)** | Dockerfile linter that checks for best practices | | ๐Ÿš **[ShellCheck](https://www.shellcheck.net/)** | Static analysis tool for shell scripts | | ๐Ÿ›ก๏ธ **[Trivy](https://github.com/aquasecurity/trivy)** | Comprehensive vulnerability scanner for containers | | ๐Ÿณ **Docker Client** | Command-line interface for Docker | | ๐Ÿ” **[Dive](https://github.com/wagoodman/dive)** | Tool to explore layers in Docker images | | ๐Ÿ—๏ธ **Buildctl** | BuildKit client for advanced builds | | ๐Ÿณ **[Dockerlint](https://github.com/RedCoolBeans/dockerlint)** | Additional Dockerfile linter | | ๐ŸŸจ **[Node.js](https://nodejs.org/)** | JavaScript runtime for additional tooling | --- ## ๐Ÿ“Š Image Details | ๐Ÿงฉ Aspect | ๐Ÿ“Œ Value | |-----------|----------| | ๐Ÿ—๏ธ **Base Image** | Ubuntu 24.04 | | ๐Ÿ” **Foundation** | Does NOT use the toolbox-base as foundation (unlike other toolboxes) | | ๐Ÿ‘ค **Non-Root User** | Contains a non-root user `qadocker` for security | | โšก **Optimization** | Optimized for fast rebuilds and audits | 
---

## 🚀 Usage

### 🏗️ Build the Image

```bash
./build.sh
```

### 🖥️ Run the Container Interactively

```bash
./run.sh
```

### 🐳 Run Directly with Docker

```bash
docker run -it --rm \
  -v "$(pwd)":/workspace \
  -w /workspace \
  tsysdevstack-toolboxstack-toolbox-qadocker:dev \
  bash
```

### 🔍 Run QA on a Dockerfile

```bash
docker run --rm -v /path/to/project:/workspace -w /workspace \
  tsysdevstack-toolboxstack-toolbox-qadocker:dev \
  hadolint --config .hadolint.yaml Dockerfile
```

### 🐚 Run QA on Shell Scripts

```bash
docker run --rm -v /path/to/project:/workspace -w /workspace \
  tsysdevstack-toolboxstack-toolbox-qadocker:dev \
  shellcheck script.sh
```

### 📊 Run Comprehensive Audit

```bash
# Using the custom audit script
docker run --rm -v /path/to/project:/workspace -w /workspace \
  tsysdevstack-toolboxstack-toolbox-qadocker:dev \
  bash -c "./audit-dockerfile.sh Dockerfile"
```

The QA commands only read the project, so the mount can be read-only (`-v /path/to/project:/workspace:ro`); that way a misbehaving tool or a crafted input cannot modify the files it is checking.

---

## 👤 Non-Root User

- 🏃‍♂️ The container runs as the `qadocker` user by default
- 🛡️ Running the tools without root limits what a compromised tool, or a malicious input file, can do inside the container
- 🧑‍💻 If you need root access, run the container with `--user root`. This only changes the user inside the container; if you additionally mount the host's Docker socket for image-level scans, the container can control the host's Docker daemon, so restrict such runs to trusted input

---

## 🔒 Security

| 🔒 Security Aspect | 📋 Details |
|-------------------|------------|
| 🛡️ **Best Practices** | Built following the same Dockerfile best practices the image checks for, and verified by the QA Process below |
| 🔓 **Attack Surface** | Minimal set of installed tools, so there is less to patch and less for an attacker to reach |
| 👤 **User Privileges** | Tools run as the non-root `qadocker` user |
| 🛡️ **Scanning** | Regular security scanning with Trivy |

---

## 🛠️ Development

- 🧩 This image is designed to be simple to modify and rebuild
- 🧱 The Dockerfile contains all necessary tool installations
- 🚀 Optimized for caching and build speed
- 🧪 Includes custom audit scripts for Dockerfile best practices

---

## 🔍 QA Process

| ✅ QA Step | 📝 Description |
|------------|----------------|
| 🐳 **Hadolint Validation** | Validating the Dockerfile with Hadolint |
| 🐚 **ShellCheck** | Checking shell scripts with ShellCheck |
| 🛡️ **Trivy Scan** | Running filesystem scans with Trivy |
| 🧪 **Tool Verification** | Verifying all tools are properly installed |
| 📊 **Custom Audit** | Using custom scripts to check for best practices |

---

## 📈 Audit Capabilities

Toolbox-QADocker excels at identifying:

- ❌ **Security Issues**: Known vulnerabilities in installed packages, found by Trivy
- ⚙️ **Best Practices**: Adherence to Dockerfile best practices, checked by Hadolint and Dockerlint
- 🔒 **Root Usage**: Build steps and final images that run as root when they do not need to
- 🚀 **Optimization**: Layer efficiency and image size, inspected with Dive
- 🛡️ **Configuration Issues**: Dockerfile and shell-script misconfigurations that weaken the resulting image

---

## 📄 License

See [LICENSE](../../LICENSE) for full terms.
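---

## 🧪 Example: Running the QA Steps as One Script

The Usage and QA Process sections above describe the steps one at a time. The script below is an added example of chaining them (Hadolint, ShellCheck, Trivy filesystem scan) so that every step runs even when an earlier one fails and the summary names each failure. It is not the project's own `audit-dockerfile.sh`, whose contents this page does not show; the file name `qa-all.sh`, the `PROJECT`/`DOCKERFILE` variables and the severity threshold are assumptions for this example, while the tool flags (`hadolint --config`, `shellcheck -x`, `trivy fs --exit-code --severity`) are the real ones.

```shell
#!/bin/sh
# qa-all.sh (hypothetical name; not the project's audit-dockerfile.sh)
# Runs the README's QA steps over a project mounted at /workspace:
# Hadolint on the Dockerfile, ShellCheck on every *.sh, Trivy filesystem scan.
# Every step runs even if an earlier one fails; the summary lists what failed.
#
#   docker run --rm -v "$PWD":/workspace:ro -w /workspace \
#     tsysdevstack-toolboxstack-toolbox-qadocker:dev sh qa-all.sh
set -u

PROJECT=${PROJECT:-.}            # project root (assumed: current directory)
DOCKERFILE=${DOCKERFILE:-Dockerfile}
FAILED=""                        # space-separated names of failed/skipped steps

# run_step NAME TOOL ARGS...: run one check and record the outcome.
# Returns 0 on pass, 1 on a failed check, 2 if TOOL is not installed.
# A missing tool counts as a failure: a skipped scan is not a clean scan.
run_step() {
  step=$1; shift
  if ! command -v "$1" >/dev/null 2>&1; then
    printf '[SKIP] %s: %s is not installed\n' "$step" "$1"
    FAILED="$FAILED $step"
    return 2
  fi
  if "$@"; then
    printf '[PASS] %s\n' "$step"
    return 0
  fi
  printf '[FAIL] %s\n' "$step"
  FAILED="$FAILED $step"
  return 1
}

# find_shell_scripts DIR: every *.sh under DIR (skipping .git), sorted, one per line
find_shell_scripts() {
  find "$1" -path '*/.git' -prune -o -type f -name '*.sh' -print | sort
}

# qa_all: run the full sequence; returns 0 only if every step passed
qa_all() {
  FAILED=""
  # 1. Dockerfile lint; pass the project's config only if it ships one
  if [ -f "$PROJECT/.hadolint.yaml" ]; then
    run_step hadolint hadolint --config "$PROJECT/.hadolint.yaml" "$PROJECT/$DOCKERFILE"
  else
    run_step hadolint hadolint "$PROJECT/$DOCKERFILE"
  fi
  # 2. Shell scripts; -x follows sourced files. Paths are split on whitespace,
  #    so script names must not contain spaces.
  scripts=$(find_shell_scripts "$PROJECT")
  if [ -n "$scripts" ]; then
    # shellcheck disable=SC2086
    run_step shellcheck shellcheck -x $scripts
  fi
  # 3. Filesystem vulnerability scan; non-zero exit only for HIGH/CRITICAL findings
  run_step trivy trivy fs --exit-code 1 --severity HIGH,CRITICAL "$PROJECT"

  if [ -n "$FAILED" ]; then
    printf 'QA failed:%s\n' "$FAILED"
    return 1
  fi
  echo 'QA passed'
}

# Run the sequence only when executed under this file name; sourcing the file
# just defines the functions.
case ${0##*/} in qa-all.sh) qa_all ;; esac
```

Treating a missing tool as a failure rather than a silent skip matters here: the image exists to prove that a toolbox was checked, and a run that "passed" because Trivy was absent would be a false assurance.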
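---

## 🧪 Example: A Custom Root-Usage Check

The QA Process lists a "Custom Audit" step and the Audit Capabilities list "Root Usage" and "Configuration Issues". The script below is an added example of what such a custom check can look like; it is not the project's own audit script. It parses a Dockerfile in POSIX awk and reports four findings: a final stage that ends as root (or never sets `USER`), `sudo` inside `RUN`, a base image with no tag or digest, and `ADD` of a remote URL. The check name `dockerfile-root-audit.sh`, the finding codes and the messages are assumptions for this example. It complements rather than replaces Hadolint (whose DL3002 covers the last-USER-is-root case): a custom script is where project-specific rules go.

```shell
#!/bin/sh
# dockerfile-root-audit.sh (hypothetical name): custom best-practice checks for
# a Dockerfile. Prints one "CODE line N: message" per finding and returns 1 if
# there were any, 0 if the file is clean, 2 if it cannot be read.
#
# Findings:
#   UNPINNED_BASE  FROM with no tag or ":latest" and no @sha256 digest
#   SUDO_IN_RUN    sudo inside RUN (builds already run as root; use USER)
#   ADD_REMOTE     ADD of a URL (unverified remote content)
#   ROOT_USER      the final stage ends with USER root / 0
#   NO_USER        the final stage never sets USER at all
dockerfile_audit() {
  df=$1
  [ -r "$df" ] || { echo "dockerfile_audit: cannot read $df" >&2; return 2; }
  awk '
    function report(code, ln, msg) { printf "%s line %d: %s\n", code, ln, msg; n++ }
    BEGIN { n = 0; last_user = ""; user_ln = 0; stage_ln = 0; split("", stages) }
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (line == "" || line ~ /^#/) next
      ln = NR
      # Join backslash-continued lines so a multi-line RUN is one command
      while (line ~ /\\[ \t]*$/ && (getline nxt) > 0) {
        sub(/\\[ \t]*$/, "", line)
        line = line " " nxt
      }
      nf = split(line, f, /[ \t]+/)
      instr = toupper(f[1])
      if (instr == "FROM") {
        i = 2
        while (i <= nf && f[i] ~ /^--/) i++          # skip --platform=... options
        img = f[i]
        stage_ln = ln; last_user = ""                 # a new stage starts as root
        for (j = i + 1; j < nf; j++)                  # remember "AS name" stages
          if (toupper(f[j]) == "AS") stages[f[j + 1]] = 1
        if (!(img in stages) && img != "scratch" && img !~ /@sha256:/) {
          name = img; sub(/.*\//, "", name)           # drop registry/namespace
          if (name !~ /:/ || name ~ /:latest$/)
            report("UNPINNED_BASE", ln, "FROM " img " has no version tag or digest")
        }
      } else if (instr == "USER") {
        last_user = f[2]; user_ln = ln
      } else if (instr == "RUN" && line ~ /(^|[ \t;&|(])sudo[ \t]/) {
        report("SUDO_IN_RUN", ln, "sudo inside RUN; builds already run as root, switch with USER instead")
      } else if (instr == "ADD" && line ~ /[ \t](https?|ftp):\/\//) {
        report("ADD_REMOTE", ln, "ADD fetches a URL without an integrity check; use COPY or RUN curl plus a checksum")
      }
    }
    END {
      u = last_user; sub(/:.*/, "", u)                # strip an optional :group
      if (u == "")
        report("NO_USER", stage_ln, "final stage never sets USER; image runs as root unless the base image switched user")
      else if (u == "root" || u == "0")
        report("ROOT_USER", user_ln, "final stage ends as USER " last_user)
      exit (n > 0)
    }
  ' "$df"
}

# Run the check only when executed under this file name; sourcing just defines it.
case ${0##*/} in dockerfile-root-audit.sh) dockerfile_audit "${1:-Dockerfile}" ;; esac
```

`NO_USER` is reported as a finding, not silently accepted, because a base image that already switches user is the exception and the script cannot see into it; if a project relies on that, the correct fix is an explicit `USER` in the final stage, which also makes the intent visible to the next auditor.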