DevOps workflow: Docker image security review with dive


Foreword

Although the Harbor image registry already integrates Clair, its functionality currently feels somewhat weak and cannot be fitted cleanly into a pipeline; dive can solve this problem.

dive greatly speeds up our image review, and the process can be automated, with automated feedback and record-keeping.

Demo

[demo screenshot; image not available]

Installation

Ubuntu/Debian

wget https://github.com/wagoodman/dive/releases/download/v0.7.2/dive_0.7.2_linux_amd64.deb
sudo apt install ./dive_0.7.2_linux_amd64.deb

RHEL/CentOS

curl -OL https://github.com/wagoodman/dive/releases/download/v0.7.2/dive_0.7.2_linux_amd64.rpm
rpm -i dive_0.7.2_linux_amd64.rpm

Basic use

This command can be placed in the post-build step of the CI/CD pipeline.

➜  ~ CI=true dive hub.lijinghua.club/test/py-test:v1
Using config file: /root/.dive.yaml
Fetching image... (this can take a while with large images)
Parsing image...
Analyzing image...
  efficiency: 98.8929 %  # efficiency percentage
  wastedBytes: 11876170 bytes (12 MB) # wasted bytes, 12 MB
  userWastedPercent: 1.2857 % # roughly, this value + the efficiency percentage = 100%
Run CI Validations...
  Using default CI config
  PASS: highestUserWastedPercent
  SKIP: highestWastedBytes: rule disabled
  PASS: lowestEfficiency
Result:PASS [Total:3] [Passed:2] [Failed:0] [Warn:0] [Skipped:1]
➜  ~ CI=true dive byrnedo/alpine-curl:0.1.6
Using config file: /root/.dive.yaml
Fetching image... (this can take a while with large images)
Parsing image...
Analyzing image...
  efficiency: 99.3700 %
  wastedBytes: 54099 bytes (54 kB)
  userWastedPercent: 1.3057 %
Run CI Validations...
  Using default CI config
  PASS: highestUserWastedPercent
  SKIP: highestWastedBytes: rule disabled
  PASS: lowestEfficiency
Result:PASS [Total:3] [Passed:2] [Failed:0] [Warn:0] [Skipped:1]
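Because the page's goal is automated feedback and record-keeping, the pipeline step should capture what `CI=true dive <image>` prints rather than rely on the exit status alone. The following parser is an added example (not part of the dive project or the original post): it turns the CI-mode output shown above into a dictionary and applies a stricter policy than dive's own verdict, treating a skipped rule as a problem. The sample output is constructed to mirror the first run above; `evaluate` and its `allow_skipped` parameter are assumptions of this example.

```python
"""Parse dive's CI-mode output so a pipeline can record metrics and per-rule verdicts.

Added example; not part of the dive project. SAMPLE_OUTPUT is constructed to
mirror the run shown on the page.
"""
import re
import sys

# Constructed sample: what `CI=true dive <image>` printed for the py-test image.
SAMPLE_OUTPUT = """Using config file: /root/.dive.yaml
Fetching image... (this can take a while with large images)
Parsing image...
Analyzing image...
  efficiency: 98.8929 %
  wastedBytes: 11876170 bytes (12 MB)
  userWastedPercent: 1.2857 %
Run CI Validations...
  Using default CI config
  PASS: highestUserWastedPercent
  SKIP: highestWastedBytes: rule disabled
  PASS: lowestEfficiency
Result:PASS [Total:3] [Passed:2] [Failed:0] [Warn:0] [Skipped:1]
"""

# "  efficiency: 98.8929 %" / "  wastedBytes: 11876170 bytes (12 MB)"
METRIC_RE = re.compile(r"^\s*(efficiency|wastedBytes|userWastedPercent):\s*([\d.]+)")
# "  SKIP: highestWastedBytes: rule disabled" / "  PASS: lowestEfficiency"
RULE_RE = re.compile(r"^\s*(PASS|FAIL|WARN|SKIP):\s*(\w+)(?::\s*(.*))?$")
# "Result:PASS [Total:3] [Passed:2] [Failed:0] [Warn:0] [Skipped:1]"
RESULT_RE = re.compile(
    r"^Result:(\w+)\s+\[Total:(\d+)\]\s+\[Passed:(\d+)\]\s+\[Failed:(\d+)\]"
    r"\s+\[Warn:(\d+)\]\s+\[Skipped:(\d+)\]"
)


def parse_dive_ci_output(text):
    """Return {'metrics': {...}, 'rules': {name: {'status', 'reason'}}, 'result', 'counts'}."""
    report = {"metrics": {}, "rules": {}, "result": None, "counts": {}}
    for line in text.splitlines():
        m = METRIC_RE.match(line)
        if m:
            name, value = m.groups()
            # wastedBytes is an integer byte count; the other two are percentages.
            report["metrics"][name] = int(value) if name == "wastedBytes" else float(value)
            continue
        m = RULE_RE.match(line)
        if m:
            status, rule, reason = m.groups()
            report["rules"][rule] = {"status": status, "reason": reason or ""}
            continue
        m = RESULT_RE.match(line)
        if m:
            report["result"] = m.group(1)
            total, passed, failed, warn, skipped = (int(x) for x in m.groups()[1:])
            report["counts"] = {"total": total, "passed": passed, "failed": failed,
                                "warn": warn, "skipped": skipped}
    return report


def evaluate(report, allow_skipped=False):
    """Decide whether the pipeline step passes (assumed policy, not dive's own).

    A SKIP means the rule was never evaluated (e.g. highestWastedBytes is disabled
    in the default config), so a strict policy counts it as a problem.
    Returns (ok, list_of_problems).
    """
    problems = []
    if report["result"] != "PASS":
        problems.append("dive result is %s" % report["result"])
    for rule, verdict in report["rules"].items():
        if verdict["status"] == "FAIL":
            problems.append("rule %s failed" % rule)
        elif verdict["status"] == "SKIP" and not allow_skipped:
            problems.append("rule %s was skipped (%s)" % (rule, verdict["reason"]))
    return (not problems, problems)


if __name__ == "__main__":
    # Usage in a pipeline: CI=true dive "$IMAGE" | tee dive.log; python3 parse_dive.py < dive.log
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    report = parse_dive_ci_output(text)
    ok, problems = evaluate(report)
    print(report["metrics"], report["result"], problems)
    sys.exit(0 if ok else 1)
```

Note that the run above reports PASS even though one of the three rules was skipped; the thresholds behind those rule names come from the `.dive-ci` file (or the file passed with `--ci-config`), so a pipeline that wants all three enforced has to provide one rather than accept the default config.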

The default order in which config files are used is:

--help

  --ci-config string   If CI=true in the environment, use the given yaml to drive validation rules. (default ".dive-ci")
      --config ## ~/.config/dive/*.yaml, or $XDG_CONFIG_HOME/dive.yaml)
  -j, --json string        Skip the interactive TUI and write the layer analysis statistics to a given file.
  -v, --version            display version number

Writing the JSON result to a file

➜  ~ CI=true dive hub.lijinghua.club/test/py-test:v1 -j ./py-dive.json
Using config file: /root/.dive.yaml
Fetching image... (this can take a while with large images)
Parsing image...
Analyzing image... (export to './py-dive.json')
  efficiency: 98.8929 %
  wastedBytes: 11876170 bytes (12 MB)
  userWastedPercent: 1.2857 %
Run CI Validations...
  Using default CI config
  PASS: highestUserWastedPercent
  SKIP: highestWastedBytes: rule disabled
  PASS: lowestEfficiency
Result:PASS [Total:3] [Passed:2] [Failed:0] [Warn:0] [Skipped:1]
➜  ~ cat ./py-dive.json
{
  "layer": [
    {
      "index": 0,
      "digestId": "sha256:f94641f1fe1f5c42c325652bf55f0513c881c86b620b912b15460e0bca07cc12",
      "sizeBytes": 100574959,
      "command": "#(nop) ADD file:caf91edab64f988bc24766c58ee66c00311c7c921296b8e5b51d7023422a1485 in / "
    },
    {
      "index": 1,
      "digestId": "sha256:ec62f19bb3aa1dcfacc9864be06f0af635c18021893d42598da1564beed97448",
      "sizeBytes": 23210152,
      "command": "apt-get update \u0026\u0026 apt-get install -y --no-install-recommends \t\tca-certificates \t\tcurl \t\tnetbase \t\twget \t\u0026\u0026 rm -rf /var/lib/apt/lists/*"
    },
    {
      "index": 2,
      "digestId": "sha256:2c719774c1e1c4b82c5b23bd40a7fc139aa5f0efddf7a969f72f8170c71dd058",
      "sizeBytes": 7811994,
      ... (remainder omitted) ...
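The JSON written by `-j` lists every layer with its digest, size and the command that produced it, which is enough to automate a review that the efficiency score alone does not give. The script below is an added example (not part of the dive project or the original post): it loads the `layer` array, flags unusually large non-base layers, flags package-manager install steps that keep their cache in the layer, and flags a file that was copied in by one layer and deleted by a later one (the deletion hides the file in the final filesystem, but the earlier layer still contains it). The sample JSON is constructed to match the structure shown above; the digests are placeholders, the thresholds and rule patterns are assumptions of this example, and the `pip` rule is a heuristic (a Dockerfile that sets `PIP_NO_CACHE_DIR` would trigger a false positive).

```python
"""Review the per-layer statistics that `dive -j report.json` writes.

Added example; not part of the dive project. SAMPLE_JSON is constructed to
match the 'layer' structure shown on the page; digests are placeholders.
"""
import json
import re
import sys

# Constructed sample in the shape dive writes (raw string so the JSON escapes survive).
SAMPLE_JSON = r"""
{
  "layer": [
    {"index": 0, "digestId": "sha256:PLACEHOLDER0", "sizeBytes": 100574959,
     "command": "#(nop) ADD file:PLACEHOLDER in / "},
    {"index": 1, "digestId": "sha256:PLACEHOLDER1", "sizeBytes": 23210152,
     "command": "apt-get update \u0026\u0026 apt-get install -y --no-install-recommends \t\tca-certificates \t\tcurl \t\u0026\u0026 rm -rf /var/lib/apt/lists/*"},
    {"index": 2, "digestId": "sha256:PLACEHOLDER2", "sizeBytes": 61000000,
     "command": "pip install -r requirements.txt"},
    {"index": 3, "digestId": "sha256:PLACEHOLDER3", "sizeBytes": 4096,
     "command": "#(nop) COPY file:PLACEHOLDER in /app/.env "},
    {"index": 4, "digestId": "sha256:PLACEHOLDER4", "sizeBytes": 2048,
     "command": "rm -f /app/.env"}
  ]
}
"""

# (install pattern, cleanup pattern that must appear in the same layer, message)
PKG_RULES = [
    (r"apt-get install", r"rm -rf /var/lib/apt/lists",
     "apt-get install without removing /var/lib/apt/lists in the same layer"),
    (r"\bpip install", r"--no-cache-dir",
     "pip install without --no-cache-dir (pip cache stays in the layer)"),
]

# "#(nop) COPY file:<hash> in /app/.env " -> destination path
COPY_ADD_RE = re.compile(r"#\(nop\)\s+(?:COPY|ADD)\s+\S+\s+in\s+(\S+)")


def load_layers(text):
    """Return the 'layer' list from dive's JSON report."""
    return json.loads(text)["layer"]


def deleted_paths(command):
    """Paths passed to `rm` anywhere in a shell command (flags dropped)."""
    paths = []
    for segment in re.split(r"&&|\|\||;", command):
        tokens = segment.strip().split()
        if tokens and tokens[0] == "rm":
            paths.extend(t for t in tokens[1:] if not t.startswith("-"))
    return paths


def review_layers(layers, large_layer_bytes=50 * 1024 * 1024):
    """Return [(layer_index, message), ...] in layer order."""
    findings = []
    added = {}  # destination path -> index of the layer that copied it in
    for layer in layers:
        idx, cmd, size = layer["index"], layer["command"], layer["sizeBytes"]
        # Layer 0 is the base image; its size is not the Dockerfile's fault.
        if idx > 0 and size >= large_layer_bytes:
            findings.append((idx, "large layer: %d bytes" % size))
        for install, cleanup, message in PKG_RULES:
            if re.search(install, cmd) and not re.search(cleanup, cmd):
                findings.append((idx, message))
        m = COPY_ADD_RE.search(cmd)
        if m:
            added[m.group(1)] = idx
        for path in deleted_paths(cmd):
            origin = added.get(path)
            if origin is not None and origin < idx:
                findings.append((idx, "%s was added in layer %d and deleted here; "
                                      "it is still present in layer %d" % (path, origin, origin)))
    return findings


if __name__ == "__main__":
    # Usage: python3 review_layers.py py-dive.json  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSON
    results = review_layers(load_layers(text))
    for idx, message in results:
        print("layer %d: %s" % (idx, message))
    sys.exit(1 if results else 0)
```

Run against the `py-dive.json` produced above, the script exits non-zero when it has findings, so it can sit next to the `CI=true dive` call as a second gate; raise `large_layer_bytes` or extend `PKG_RULES` to match the base images the pipeline actually builds on.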

Enjoy the journey~