Updates to nextra 3 and adds docs for container scanning
Signed-off-by: Sebastian Kawelke <[email protected]>
Showing 34 changed files with 5,693 additions and 11,384 deletions.
@@ -0,0 +1,24 @@ | ||
# Licenses Check Workflow Definition | ||
# This workflow is triggered on every push to the repository | ||
name: Licenses Check Workflow | ||
|
||
|
||
on: | ||
pull_request: | ||
push: | ||
branches: | ||
- '*' | ||
tags: | ||
- '*' | ||
|
||
jobs: | ||
license_check: | ||
runs-on: ubuntu-latest | ||
name: Check for unapproved licenses | ||
steps: | ||
- name: Checkout the code | ||
uses: actions/checkout@v4 | ||
- uses: ralexander-phi/license_approval@master | ||
with: | ||
working_directory: ${{ github.workspace }} | ||
extra_flags: --decisions_file ./docs/dependency_decisions.yml |
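Review bot: `- uses: ralexander-phi/license_approval@master` pins a third-party action to a mutable branch, so whoever controls that repository can change the code this workflow runs on every push and pull request; pin it to a full-length commit SHA (and preferably do the same for `actions/checkout@v4`) and add a top-level `permissions: contents: read` block so the job runs with a read-only token. The header comment says the workflow is triggered on every push, but the `on:` block also fires on `pull_request`, so the comment should say so; with both triggers a pull request from a branch in this repository runs the check twice.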
@@ -1,10 +1,8 @@ | ||
const withNextra = require('nextra')({ | ||
import nextra from 'nextra' | ||
|
||
const withNextra = nextra({ | ||
theme: 'nextra-theme-docs', | ||
themeConfig: './theme.config.tsx', | ||
|
||
}) | ||
|
||
|
||
const config = withNextra({}) | ||
|
||
module.exports = config | ||
export default withNextra({}) |
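Review bot: swapping `require('nextra')` / `module.exports = config` for `import nextra from 'nextra'` / `export default withNextra({})` turns this into an ES module, which Next.js only loads if the file is named `next.config.mjs` or package.json sets `"type": "module"`; the rendered diff shows no rename, so confirm one of the two is in place, otherwise the build fails while loading the config.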
@@ -0,0 +1,9 @@ | ||
<?xml version="1.0" encoding="utf-8"?> | ||
<browserconfig> | ||
<msapplication> | ||
<tile> | ||
<square150x150logo src="/mstile-150x150.png"/> | ||
<TileColor>#da532c</TileColor> | ||
</tile> | ||
</msapplication> | ||
</browserconfig> |
@@ -0,0 +1,19 @@ | ||
{ | ||
"name": "", | ||
"short_name": "", | ||
"icons": [ | ||
{ | ||
"src": "/android-chrome-192x192.png", | ||
"sizes": "192x192", | ||
"type": "image/png" | ||
}, | ||
{ | ||
"src": "/android-chrome-512x512.png", | ||
"sizes": "512x512", | ||
"type": "image/png" | ||
} | ||
], | ||
"theme_color": "#ffffff", | ||
"background_color": "#ffffff", | ||
"display": "standalone" | ||
} |
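Review bot: `"name": ""` and `"short_name": ""` are left empty; browsers show these when the site is installed or added to a home screen, so fill in the docs site name before this ships rather than leaving the placeholders.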
@@ -0,0 +1,18 @@ | ||
export default { | ||
index: { title: 'Introduction' }, | ||
basics: { title: 'Basics' }, | ||
concepts: { title: 'Concepts' }, | ||
guides: { title: 'Guides' }, | ||
contributing: { title: 'Contributing' }, | ||
about: { | ||
title: 'About L3montree ↗', | ||
type: 'page', | ||
href: 'https://l3montree.com/', | ||
newWindow: true, | ||
}, | ||
contact: { | ||
title: 'Contact ↗', | ||
type: 'page', | ||
href: 'mailto:[email protected]', | ||
}, | ||
} |
@@ -0,0 +1,4 @@ | ||
export default { | ||
index: { title: 'Overview' }, | ||
'getting-started': { title: 'Getting Started' }, | ||
} |
@@ -0,0 +1,3 @@ | ||
export default { | ||
'quickstart-docker': { title: 'Quickstart with Docker' }, | ||
} |
@@ -0,0 +1,3 @@ | ||
export default { | ||
index: { title: 'Overview' }, | ||
} |
@@ -0,0 +1,4 @@ | ||
export default { | ||
'code-of-conduct': { title: 'Code of Conduct' }, | ||
roadmap: { title: 'Roadmap' }, | ||
} |
@@ -0,0 +1,4 @@ | ||
export default { | ||
index: { title: 'Guides' }, | ||
'container-scanning': { title: 'Container Scanning' }, | ||
} |
@@ -0,0 +1,163 @@ | ||
--- | ||
sidebar_position: 2 | ||
title: Container Scanning | ||
--- | ||
import { Steps } from 'nextra/components' | ||
import { Tabs } from 'nextra/components' | ||
|
||
# Container Scanning | ||
|
||
## Handling Found Flaws: Practical Steps for Mitigation | ||
|
||
When DevGuard's container scanning detects vulnerabilities, such as the example provided below, it’s essential to address them | ||
promptly to maintain security and compliance. Here’s a step-by-step guide to managing identified flaws. | ||
|
||
```md filename="Example Flaw" | ||
# CVE-2022-41903 | ||
|
||
Git is distributed revision control system. git log can display commits in an arbitrary... | ||
|
||
## Affected component | ||
|
||
The vulnerability is in `pkg:deb/debian/[email protected]+deb12u1`, detected by the `container-scanning` scan. | ||
|
||
## Recommended fix | ||
|
||
Upgrade to version 1:2.39.1-0.1 or later. | ||
``` | ||
|
||
### Where to Look | ||
|
||
The `Dockerfile` of the container is typically the starting point for analysis. This file defines the container’s | ||
base image and specifies instructions for building the containerized application. Vulnerabilities often originate | ||
from the base image or additional packages installed during the build. Your dependencies will be checked in the | ||
"Software Composition Analysis" (SCA) step. | ||
|
||
### Steps to Fix | ||
|
||
<Steps> | ||
### Check the Base Image | ||
|
||
Examine the base image specified in the Dockerfile. For example: | ||
|
||
### Update the Base Image or Switch to Distroless | ||
|
||
If the base image contains the vulnerability and a direct update is possible: | ||
- **Update the base image:** | ||
Replace the current base image with a patched version. | ||
|
||
If the base image cannot be updated or you’re looking to minimize attack surface: | ||
|
||
- **Switch to a distroless base image:** | ||
Use distroless images, which contain only the runtime essentials, reducing potential vulnerabilities. | ||
|
||
Example multi-stage, distroless build: | ||
|
||
<Tabs items={['Golang', 'NodeJS']}> | ||
<Tabs.Tab> | ||
```docker filename="Dockerfile" copy | ||
# Step 1 - Build the application | ||
FROM golang:1.23.3@sha256:73f06be4578c9987ce560087e2e2ea6485fb605e3910542cadd8fa09fc5f3e31 as build | ||
WORKDIR /go/src/app | ||
COPY . . | ||
RUN go mod download | ||
RUN CGO_ENABLED=0 go build -o /go/bin/app /go/src/app/cmd/scanner | ||
# Step 2 - Create the final image | ||
FROM gcr.io/distroless/static-debian12:nonroot@sha256:d71f4b239be2d412017b798a0a401c44c3049a3ca454838473a4c32ed076bfea | ||
USER 53111 | ||
COPY --from=build /go/bin/app / | ||
EXPOSE 8080 | ||
CMD ["/app"] | ||
``` | ||
</Tabs.Tab> | ||
<Tabs.Tab> | ||
```docker filename="Dockerfile" copy | ||
# Step 1 - Build the application | ||
FROM node:22.11.0-bookworm@sha256:5c76d05034644fa8ecc9c2aa84e0a83cd981d0ef13af5455b87b9adf5b216561 as builder | ||
WORKDIR /usr/app/ | ||
ENV PORT 3000 | ||
ENV NODE_ENV production | ||
COPY package.json . | ||
COPY package-lock.json . | ||
RUN npm ci | ||
COPY . . | ||
RUN npm run build | ||
# Step 2 - Create the final image | ||
FROM gcr.io/distroless/nodejs22-debian12:nonroot@sha256:de286271ef771e563194702ff49cc5d60e7ea59a09349cdae129e3b0c6ab396b | ||
USER 53111 | ||
WORKDIR /usr/app/ | ||
ENV PORT 3000 | ||
ENV NODE_ENV production | ||
EXPOSE 3000 | ||
COPY --from=builder --chown=53111:53111 /usr/app/.next /usr/app/.next | ||
COPY --from=builder /usr/app/node_modules /usr/app/node_modules | ||
COPY --from=builder /usr/app/package.json /usr/app/package.json | ||
COPY --from=builder --chown=53111:53111 /usr/app/public /usr/app/public | ||
CMD [ "./node_modules/next/dist/bin/next", "start" ] | ||
``` | ||
</Tabs.Tab> | ||
</Tabs> | ||
|
||
### Manually Update Vulnerable Packages | ||
|
||
If reproducibility is not a strict requirement or the base image cannot be updated: | ||
Use the package manager during the build to patch the specific vulnerability. | ||
Example for Debian-based containers: | ||
|
||
```docker filename="Dockerfile" copy | ||
RUN apt-get update && apt-get install --only-upgrade git -y | ||
``` | ||
|
||
**Disclaimer:** This approach may hinder reproducibility, as future builds may result in different package versions if repositories change. | ||
|
||
### Alternative Measures | ||
|
||
If none of the above fixes are feasible: | ||
- **Risk Acceptance**: Temporarily accept the risk using DevGuard’s risk management feature. | ||
- Document the accepted risk by providing a justification. Use the UI or slash commands in the issue. | ||
- Set a reminder for future review; DevGuard will automatically notify you after a predefined period. | ||
|
||
- **Avoidance**: Disable risky functionality or service. | ||
|
||
</Steps> | ||
|
||
## What is a Container? | ||
|
||
A container is a lightweight, standalone, and executable software package that includes everything | ||
needed to run a piece of software: code, runtime, system tools, libraries, and settings. Containers | ||
are built on the concept of virtualization but are more resource-efficient because they share the | ||
host system’s operating system kernel (basically, they are an encapsulated “normal process”). | ||
|
||
They are widely used in modern software development to ensure consistency across different environments, | ||
such as development, testing, and production, as they encapsulate the application and its dependencies. | ||
Popular containerization tools include Docker and Kubernetes for container management. | ||
|
||
## What Happens During Container Scanning? | ||
|
||
![Container Scanning](../../assets/container-scanning.png) | ||
|
||
Container scanning is a crucial process in a security assessment, designed to uncover vulnerabilities | ||
and security risks within containerized applications. With tools like DevGuard, the scanning process | ||
involves the following key steps: | ||
|
||
1. **Generating a Software Bill of Materials (SBOM)** | ||
|
||
An SBOM is a detailed inventory of all components and dependencies within the container. During this phase: | ||
- The container image is analysed to identify the software packages, libraries, and tools it contains. | ||
- Version information for each component is extracted. | ||
|
||
This SBOM provides a transparent view of the container’s contents, serving as the foundation for further | ||
security analysis. | ||
|
||
2. **Checking for Known Vulnerabilities** | ||
|
||
DevGuard leverages its vulnerability database to detect known security flaws in the components listed in the SBOM: | ||
- The identified software packages are cross-referenced with vulnerability databases, such as CVE (Common Vulnerabilities and Exposures) lists, and DevGuard’s extended database. | ||
- The scanning process flags outdated or insecure versions of software. | ||
- Vulnerabilities are categorized by severity, enabling prioritization of remediation efforts. | ||
|
||
By detecting known vulnerabilities, container scanning helps prevent the exploitation of weaknesses in production environments. |
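Review bot: the `### Check the Base Image` step ends with `Examine the base image specified in the Dockerfile. For example:` and then jumps straight to the next heading, so the promised example is missing; add the `FROM` line the reader is meant to inspect (the example flaw is a Debian `git` package, so a Debian-based base image line would tie the two together) before the step on updating or switching to distroless. Smaller points in the same file: `sidebar_position: 2` in the frontmatter is a Docusaurus key that Nextra does not use (ordering comes from the `_meta.js` entries), so it can be dropped; `as build` / `as builder` and `ENV PORT 3000` are the legacy casing and space-separated forms that BuildKit now warns about (`AS build`, `ENV PORT=3000`); and the `apt-get` example would be better as `RUN apt-get update && apt-get install -y --only-upgrade git && rm -rf /var/lib/apt/lists/*` so the package index does not end up in the image layer. Pinning every `FROM` by digest is the right call given the reproducibility point made in the disclaimer.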
@@ -0,0 +1,6 @@ | ||
--- | ||
sidebar_position: 1 | ||
title: Guides | ||
--- | ||
|
||
# Guides |
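Review bot: as on the container-scanning page, `sidebar_position: 1` is a Docusaurus frontmatter key with no effect in Nextra; the sidebar order comes from the `guides/_meta.js` entries (`index`, `container-scanning`). The page body is only the `# Guides` heading, so a sentence introducing the guides and linking to the container-scanning page would keep the landing page from looking empty.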