Dockerfile configuration scanning

Checkov supports the evaluation of policies on your Dockerfile files. When using checkov to scan a directory that contains Dockerfile it will validate if the file is compliant with Docker best practices such as not using root user, making sure health check exists and not exposing SSH port.

Full list of Dockerfile policies checks can be found here.

Example misconfigured Dockerfile

FROM node:alpine
WORKDIR /usr/src/app
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000 22
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
CMD ["node","app.js"]

Running in CLI

checkov -d . --framework dockerfile

Example output

       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  
                                      
By Prisma Cloud | version: x.x.x 

dockerfile scan results:

Passed checks: 3, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_5: "Ensure update instructions are not use alone in the Dockerfile"
	PASSED for resource: /Dockerfile.
	File: /Dockerfile:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-update-instructions-are-not-used-alone-in-the-dockerfile

Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
	PASSED for resource: /Dockerfile.
	File: /Dockerfile:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/ensure-the-base-image-uses-a-non-latest-version-tag

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	PASSED for resource: /Dockerfile.HEALTHCHECK
	File: /Dockerfile:7-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/ensure-that-healthcheck-instructions-have-been-added-to-container-images

Check: CKV_DOCKER_1: "Ensure port 22 is not exposed"
	FAILED for resource: /Dockerfile.EXPOSE
	File: /Dockerfile:6-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/ensure-port-22-is-not-exposed

		6 | EXPOSE 3000 22


Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /Dockerfile.
	File: /Dockerfile:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM node:alpine
		2 | WORKDIR /usr/src/app
		3 | COPY package*.json ./
		4 | RUN npm install
		5 | COPY . .
		6 | EXPOSE 3000 22
		7 | HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
		8 | CMD ["node","app.js"]