Enforcing familiarization with the different software pieces is not feasible for already overworked teams, and many people we have talked to do not even know if they have a specific configuration file or not, let alone where to find it.
So we decided: Let's create a simple tool that automates the discovery of configuration files inside containers and scans them in CoGuard in seconds!
Since Docker containers are everywhere, we decided that their associated images are a good starting point and established an open source project, coguard-cli, which is published online here.
With coguard-cli, users now have a tool in their toolkit to secure the image and ensure that best practices are being followed.
Say you are using a Docker image, which you either created yourself or pulled from a repository like DockerHub. For demonstration purposes, let us use the image for `mysql`.
You can now install the coguard-cli via pip (`pip install coguard-cli`) and run
Here is a screenshot of part of the output:
As you can see, CoGuard also analyzes the last Dockerfile used.
Now you know that there is a configuration inside the image: /etc/mysql/my.cnf
With this, and the Dockerfile recommendations, you can alter or create a Dockerfile that pulls from the original image and fixes the outlined issues, until you have a solid image that is ready to be used in any of your environments.
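As an added illustration of the discovery step (this is not coguard-cli's own code), the following Python sketch walks the layers of a `docker save` archive in manifest order, honours whiteout entries so that files deleted in a later layer are not reported, and returns the configuration files that remain in the final filesystem, such as /etc/mysql/my.cnf. The list of configuration filenames and the two-layer sample image are constructed for the example.

```python
import io
import json
import tarfile

# Filenames that commonly hold security-relevant configuration (assumed, partial list).
CONFIG_NAMES = {"my.cnf", "nginx.conf", "sshd_config", "redis.conf", "Dockerfile"}

def _add(tar, name, data):
    # Add a regular file holding `data` (bytes) to an open tar archive.
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))

def build_sample_image() -> bytes:
    """Constructed sample: a `docker save`-style archive with two layers; the second
    deletes sshd_config with an OverlayFS-style whiteout (.wh. prefix)."""
    def layer(files):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w") as t:
            for name, data in files.items():
                _add(t, name, data)
        return buf.getvalue()
    l1 = layer({"etc/mysql/my.cnf": b"[mysqld]\nskip-networking=0\n",
                "etc/ssh/sshd_config": b"PermitRootLogin yes\n"})
    l2 = layer({"etc/ssh/.wh.sshd_config": b"", "etc/nginx/nginx.conf": b"server_tokens on;\n"})
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w") as t:
        _add(t, "a/layer.tar", l1)
        _add(t, "b/layer.tar", l2)
        _add(t, "manifest.json", json.dumps([{"Layers": ["a/layer.tar", "b/layer.tar"]}]).encode())
    return out.getvalue()

def discover_config_files(image_tar: bytes) -> dict:
    """Return {path: contents} for known config files that survive in the final
    filesystem: layers are applied in manifest order, whiteouts drop earlier files."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            with tarfile.open(fileobj=outer.extractfile(layer_name)) as layer:
                for m in layer.getmembers():
                    d, _, base = m.name.rpartition("/")
                    if base.startswith(".wh."):  # whiteout: file removed in this layer
                        found.pop(f"{d}/{base[4:]}" if d else base[4:], None)
                    elif m.isfile() and base in CONFIG_NAMES:
                        found[m.name] = layer.extractfile(m).read().decode(errors="replace")
    return found

if __name__ == "__main__":
    for path, text in discover_config_files(build_sample_image()).items():
        print(path, "->", text.strip())
```

Running it on the sample reports my.cnf and nginx.conf only; sshd_config is correctly absent because the second layer removed it.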
A summary of your scans is also captured on our web-portal (https://portal.coguard.io), where you can log in and see your scans and trends over time.
Overall, what matters is YOU. We want to hear from YOU as to how YOU would love this project to progress. It is open source, hence everyone can contribute. We want to see better infrastructure, and it starts with the smallest components: The containers themselves.
Here is our current rough plan of action, which may be subject to change:
Over time and with this community's input, we will add support for more software that can be installed and configured inside your image, and expand this project beyond Docker images.
In a series of blog articles that we will release soon, we are going to talk about how to include this tool in the different CI/CD pipelines you have out there. Stay tuned.
In the meantime, if you are interested in the back story and inspiration that led us to start this project, you can read more here.
Automated tools for discovering, scanning and securing the configuration files for IaC, containers, applications and their interdependencies.