Container compliance with dockle
Boxing Rules
Street Cred
If you run dockle from a CI/CD pipeline or another automated process, it needs credentials to pull images from a private registry. dockle reads them from environment variables, which you set with the export command. Bear in mind that anything exported this way is inherited by every process started from that shell, so feed the values in from your CI system's secret store rather than hard-coding them in scripts or committing them to version control.
To get you started, the dockle documentation offers snippets for Amazon Elastic Container Registry (ECR), Google Container Registry (GCR), and self-hosted registries, including the DOCKLE_NON_SSL and DOCKLE_INSECURE switches for plain-HTTP registries and for skipping TLS certificate verification. Listing 6 shows the environment variables for adding Docker Hub credentials before running dockle.
Listing 6
Adding DockerHub Credentials
export DOCKLE_AUTH_URL=https://registry.hub.docker.com
export DOCKLE_USERNAME={DOCKERHUB_USERNAME}
export DOCKLE_PASSWORD={DOCKERHUB_PASSWORD}
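As an added example (not code from the article or from the dockle project), the following wrapper turns Listing 6 into a CI job: it injects the registry credentials from the pipeline's secret store, runs dockle so that a FATAL finding fails the build, and keeps the JSON report for auditing. The secret names REGISTRY_URL, REGISTRY_USER and REGISTRY_PASS are hypothetical, and the sample report at the end is constructed, not captured from a real scan.

```shell
#!/bin/sh
# Added example, not code from the article or from the dockle project: a CI job
# wrapper that supplies registry credentials to dockle through the DOCKLE_*
# variables from Listing 6 and fails the build when the scan reports FATAL
# findings. Assumed (hypothetical) CI secret names: REGISTRY_URL, REGISTRY_USER,
# REGISTRY_PASS. dockle flags used: --exit-code, --exit-level, --format, --output.
set -eu

# Export the credential variables dockle reads, refusing empty values so that a
# missing CI secret fails here with a clear message instead of as a registry 401.
dockle_auth_env() {
    url=${1:-} user=${2:-} pass=${3:-}
    if [ -z "$url" ] || [ -z "$user" ] || [ -z "$pass" ]; then
        echo "dockle_auth_env: registry URL, username and password are all required" >&2
        return 1
    fi
    export DOCKLE_AUTH_URL="$url" DOCKLE_USERNAME="$user" DOCKLE_PASSWORD="$pass"
}

# Read summary.fatal from a dockle JSON report with grep/sed only, so the wrapper
# also works on a minimal CI image without jq. A missing key or file counts as 0.
fatal_count() {
    report=$1
    n=$(grep -o '"fatal": *[0-9]*' "$report" 2>/dev/null | head -n 1 | sed 's/[^0-9]//g')
    echo "${n:-0}"
}

# Turn the report into a build verdict: returns 0 to pass, 1 to fail. Kept apart
# from the scan itself so it can be exercised without the dockle binary.
verdict() {
    report=$1
    if [ ! -s "$report" ]; then
        echo "verdict: no report at $report (scan did not run or auth failed)" >&2
        return 1
    fi
    fatal=$(fatal_count "$report")
    if [ "$fatal" -gt 0 ]; then
        echo "dockle: $fatal FATAL finding(s) in $report, failing the build" >&2
        return 1
    fi
    echo "dockle: no FATAL findings in $report"
}

# Run the scan in a subshell so the exported password is gone from the
# environment by the time later pipeline steps run. dockle's own exit status is
# deliberately not used: the report is kept for auditing and verdict() decides.
scan_image() {
    image=$1 report=${2:-dockle-report.json}
    rm -f "$report"
    (
        dockle_auth_env "${REGISTRY_URL:-https://registry.hub.docker.com}" \
                        "${REGISTRY_USER:-}" "${REGISTRY_PASS:-}"
        dockle --exit-code 1 --exit-level fatal --format json --output "$report" "$image"
    ) || true
    verdict "$report"
}

# Constructed sample in the shape of dockle's JSON report (not output captured
# from a real scan), used to exercise fatal_count() and verdict() offline.
write_sample_report() {
    cat > "$1" <<'EOF'
{"summary":{"fatal":1,"warn":1,"info":0,"skip":0,"pass":14},
 "details":[{"code":"CIS-DI-0010","title":"Do not store credential in environment variables/files",
             "level":"FATAL","alerts":["Suspicious filename found : id_rsa"]}]}
EOF
}

# Only scan when an image is given; sourcing the file just loads the functions.
if [ "$#" -gt 0 ]; then
    scan_image "$@"
fi
```

Run it as `sh dockle-ci.sh myorg/myimage:1.2.3` from a job that has the three secrets set. Because the credentials are exported only inside the subshell, they do not reach later steps of the job; they are still visible to the dockle process itself (and, to the same user, in /proc/<pid>/environ) for the duration of the scan, which is inherent to the environment-variable approach the documentation prescribes.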
Conclusion
Compliance doesn't have to be a word that fills you with dread. Measuring against an agreed standard is the most reliable way to keep security consistent across many resources, whether you look after a handful of your own images or thousands in an enterprise. Few standards are better suited than the CIS Benchmarks, which are backed by industry consensus.
As well as keeping you in line with compliance, dockle provides useful linting advice to ensure that your Dockerfiles are efficient and sanely written. Bear in mind, too, how easily compliance checks integrate with CI/CD pipelines: you have little excuse not to automate the checks and fail builds on any images that are out of step.
Finally, the relatively detailed insight into why running containers as root is dangerous and, more importantly, how to avoid doing so, should serve you well in the future. The images you build and the containers you spawn from them won't put your infrastructure at unnecessary risk. Stay vigilant.
Infos
- dockle: https://github.com/goodwithtech/dockle
- CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks
- Dockerfile best practices: https://docs.docker.com/develop/develop-images/dockerfile_best-practices
- Binnie, Chris. Cloud Native Security. Wiley, 2021: https://www.amazon.co.uk/Cloud-Native-Security-Chris-Binnie/dp/1119782236