docker updates

.dockerignore

@@ -1 +1,6 @@
-.git
+*
+!docker-bench-security.sh
+!functions/
+!tests/
+!log/
+log/*

.github/workflows/issues.yml

@@ -0,0 +1,19 @@
+name: Issue assignment
+
+on:
+  issues:
+    types: [opened]
+
+permissions:
+  contents: read
+
+jobs:
+  auto-assign:
+    permissions:
+      issues: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'auto-assign issue'
+        uses: pozil/auto-assign-issue@74b9f64cc1a08f99358061073e243a4c3d7dd5c4 # v1.11.0
+        with:
+          assignees: konstruktoid

.github/workflows/slsa.yml

@@ -0,0 +1,80 @@
+---
+name: SLSA
+on:
+  push:
+  release:
+    permissions:
+      contents: write
+    types: [published, released]
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
+      - run: echo "REPOSITORY_NAME=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_ENV
+        shell: bash
+
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Build artifacts
+        run: |
+          find *.sh functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256
+
+      - name: Generate hashes
+        shell: bash
+        id: hash
+        run: |
+          echo "hashes=$(sha256sum ${{ env.REPOSITORY_NAME }}.sha256 | base64 -w0)" >> "$GITHUB_OUTPUT"
+
+      - name: Upload ${{ env.REPOSITORY_NAME }}.sha256
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          name: ${{ env.REPOSITORY_NAME }}.sha256
+          path: ${{ env.REPOSITORY_NAME }}.sha256
+          if-no-files-found: error
+          retention-days: 5
+
+  provenance:
+    needs: [build]
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+      upload-assets: ${{ startsWith(github.ref, 'refs/tags/') }}
+
+  release:
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    needs: [build, provenance]
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/')
+    steps:
+      - run: echo "REPOSITORY_NAME=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_ENV
+        shell: bash
+
+      - name: Download ${{ env.REPOSITORY_NAME }}.sha256
+        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+        with:
+          name: ${{ env.REPOSITORY_NAME }}.sha256
+
+      - name: Upload asset
+        uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4
+        with:
+          files: |
+            ${{ env.REPOSITORY_NAME }}.sha256

.gitignore

@@ -1 +1,3 @@
-*.log
+log/*
+*.swp*
+.vagrant/

CONTRIBUTING.md

@@ -3,49 +3,56 @@
 Want to hack on Docker Bench? Awesome! Here are instructions to get you
 started.
 
-The Docker Bench for Security is a part of the [Docker](https://www.docker.com) project, and follows
-the same rules and principles. If you're already familiar with the way
-Docker does things, you'll feel right at home.
+The Docker Bench for Security is a part of the [Docker](https://www.docker.com)
+project, and follows the same rules and principles. If you're already familiar
+with the way Docker does things, you'll feel right at home.
 
 Otherwise, go read
-[Docker's contributions guidelines](https://github.com/docker/docker/blob/master/CONTRIBUTING.md).
+[Contribute to the Moby Project](https://github.com/moby/moby/blob/master/CONTRIBUTING.md).
 
-### Development Environment Setup
+## Development Environment Setup
 
-The only thing you need to hack on Docker Bench for Security is a POSIX 2004 compliant shell. We try to keep the project compliant for maximum portability
-
-#### Start hacking
+### Start hacking
 
 You can build the container that wraps the docker-bench for security:
+
 ```sh
-✗ git clone [email protected]:docker/docker-bench-security.git
-✗ cd docker-bench-security
-✗ docker build -t docker-bench-security .
+git clone [email protected]:docker/docker-bench-security.git
+cd docker-bench-security
+docker build -t docker-bench-security .
 ```
 
 Or you can simply run the shell script locally:
 
 ```sh
-✗ git clone [email protected]:docker/docker-bench-security.git
-✗ cd docker-bench-security
-✗ sh docker-bench-security.sh
+git clone [email protected]:docker/docker-bench-security.git
+cd docker-bench-security
+sudo sh docker-bench-security.sh
 ```
 
-The Docker Bench has the main script called `docker-bench-security.sh`. This is the main script that checks for all the dependencies, deals with command line arguments and loads all the tests.
+The Docker Bench has the main script called `docker-bench-security.sh`.
+This is the main script that checks for all the dependencies, deals with
+command line arguments and loads all the tests.
 
-The tests are split in 6 different files:
+The tests are split into the following files:
 
 ```sh
-✗ tree tests/
 tests/
 ├── 1_host_configuration.sh
 ├── 2_docker_daemon_configuration.sh
 ├── 3_docker_daemon_configuration_files.sh
 ├── 4_container_images.sh
 ├── 5_container_runtime.sh
-└── 6_docker_security_operations.sh
+├── 6_docker_security_operations.sh
+├── 7_docker_swarm_configuration.sh
+├── 8_docker_enterprise_configuration.sh
+└── 99_community_checks.sh
 ```
 
-To modify the Docker Bench for Security you should first clone the repository, make your changes, check your code with `shellcheck`, `checkbashisms` or similar tools, and then sign off on your commits. After that feel free to send us a pull-request with the changes.
+To modify the Docker Bench for Security you should first clone the repository,
+make your changes, check your code with `shellcheck`, or similar tools, and
+then sign off on your commits. After that feel free to send us a pull request
+with the changes.
 
-While this tool is inspired in the CIS Docker 1.6 Benchmark, feel free to add new tests. We will try to turn dockerbench.com into a list of good community benchmarks for both security and performance, and we would love community contributions.
+While this tool was inspired by the [CIS Docker 1.11.0 benchmark](https://www.cisecurity.org/benchmark/docker/)
+and its successors, feel free to add new tests.

CONTRIBUTORS.md

@@ -0,0 +1,58 @@
+The following people, listed in alphabetical order, have contributed to docker-bench-security:
+
+* alberto <[email protected]>
+* Andreas Stieger <[email protected]>
+* Anthony Roger <[email protected]>
+* Aurélien Gasser <[email protected]>
+* binary <[email protected]>
+* Boris Gorbylev <[email protected]>
+* Cheng-Li Jerry Ma <[email protected]>
+* Csaba Palfi <[email protected]>
+* Daniele Marcocci <[email protected]>
+* Dhawal Patel <[email protected]>
+* Diogo Monica <[email protected]>
+* Diogo Mónica <[email protected]>
+* Ernst de Haan <[email protected]>
+* HuKeping <[email protected]>
+* Ivan Angelov <[email protected]>
+* J0WI <[email protected]>
+* jammasterj89 <[email protected]>
+* Jessica Frazelle <[email protected]>
+* Joachim Lusiardi <[email protected]>
+* Joachim Lusiardi <[email protected]>
+* Joachim Lusiardi <[email protected]>
+* Joe Williams <[email protected]>
+* Julien Garcia Gonzalez <[email protected]>
+* Jürgen Hermann <[email protected]>
+* kakakakakku <[email protected]>
+* Karol Babioch <[email protected]>
+* Kevin Lim <[email protected]>
+* kevinll <[email protected]>
+* Liron Levin <[email protected]>
+* liron-l <[email protected]>
+* LorensK <[email protected]>
+* lusitania <[email protected]>
+* Maik Ellerbrock <[email protected]>
+* Mark Stemm <[email protected]>
+* Matt Fellows <[email protected]>
+* Michael Crosby <[email protected]>
+* Michael Stahn <[email protected]>
+* Mike Ritter <[email protected]>
+* Mr. Secure <[email protected]>
+* MrSecure <[email protected]>
+* Nigel Brown <[email protected]>
+* Paul Czarkowski <[email protected]>
+* Paul Morgan <[email protected]>
+* Pete Sellars <[email protected]>
+* Peter <[email protected]>
+* Ravi Kumar Vadapalli <[email protected]>
+* Scott McCarty <[email protected]>
+* Sebastiaan van Stijn <[email protected]>
+* telepresencebot2 <[email protected]>
+* Thomas Sjögren <[email protected]>
+* Tom Partington <[email protected]>
+* Werner Buck <[email protected]>
+* will Farrell <[email protected]>
+* Zvi "Viz" Effron <[email protected]>
+
+This list was generated Tue Nov  5 09:45:35 UTC 2019.

Dockerfile

@@ -1,28 +1,20 @@
-# REPOSITORY https://github.com/docker/docker-bench-security
+FROM alpine:3.18@sha256:eece025e432126ce23f223450a0326fbebde39cdf496a85d8c016293fc851978
 
-FROM alpine:3.2
+LABEL \
+  org.label-schema.name="docker-bench-security" \
+  org.label-schema.url="https://dockerbench.com" \
+  org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
 
-ENV VERSION 1.9.1
+RUN apk add --no-cache iproute2 \
+    docker-cli \
+    dumb-init \
+    jq
 
-MAINTAINER dockerbench.com
+COPY . /usr/local/bin/
 
-WORKDIR /usr/bin
+HEALTHCHECK CMD exit 0
 
-RUN apk update && \
-    apk upgrade && \
-    apk --update add curl && \
-    curl -sS https://get.docker.com/builds/Linux/x86_64/docker-$VERSION > docker-$VERSION && \
-    curl -sS https://get.docker.com/builds/Linux/x86_64/docker-$VERSION.sha256 > docker-$VERSION.sha256 && \
-    sha256sum -c docker-$VERSION.sha256 && \
-    ln -s docker-$VERSION docker && \
-    chmod u+x docker-$VERSION && \
-    apk del curl && \
-    rm -rf /var/cache/apk/*
+WORKDIR /usr/local/bin
 
-RUN mkdir /docker-bench-security
-
-COPY . /docker-bench-security
-
-WORKDIR /docker-bench-security
-
-ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]
+ENTRYPOINT [ "/usr/bin/dumb-init", "/bin/sh", "docker-bench-security.sh" ]
+CMD [""]

MAINTAINERS

@@ -30,5 +30,5 @@
 
 	[people.konstruktoid]
 	Name = "Thomas Sjögren"
-	Email = "thomas.sjogren@outlook.com"
+	Email = "thomas.sjogren@protonmail.com"
 	GitHub = "konstruktoid"