Details
-
Feature Request
-
Resolution: Unresolved
-
Undefined
-
None
-
None
-
x86_64
-
0
-
0%
Description
To improve container security, it is very useful to enforce policies on writing Dockerfiles.
Projects to do this are:
These can be both quality lints and security lints. What matters for me specially is security lints that would allow a security team to enforce a specific policy on Dockerfiles.
Unlike most registries, Quay is also in charge of building container images, which means it can also require Dockerfiles to be written in a certain way. In many cases, Quay is the only place where Dockerfiles get centralized and therefore the only place where such linting can be done. Quay can be used as a trusted registry and in cooperation with Open Policy Agent (https://www.openpolicyagent.org/) it can be used to better enforce what code gets in a Kubernetes cluster for example. Open Policy Agent can enforce that images come from a certain registry. And Quay could have a registry endpoint that can't contain images that don't pass the lint passes.
The ideal situation would include both a way to execute an arbitrary linter with an output format and a way to nicely help the developer understand how they can improve their Dockerfile according to the policy with line-by-line information. Say the linter prints to stdout in a documented format on all line X and column Y display Z message, so the developer knows exactly what the lint is about and where.
This means :
- pre-build lint hooks with arbitrary scripts
- implementing UI/UX to review lint results
- parsing for the documented lint result stdout format
- integrating few linters with that format by making pull requests to them
- implement mechanism to re-lint Dockerfiles if linter rules change and warn developer and security team of active violations to solve them ASAP
I am willing to put effort into this! Please suggest ideas if anything here feels off or wrong or if you've had internal plans about this already (couldnt find about it).
