Go to the 'docker-node-hello-world' directory and run the following:
docker build -f Dockerfile -t hello-world:1.0 .
docker run -it --rm -p 4000:4000 hello-world:1.0
Now open your browser and go to "http://localhost:4000".
We will use Trivy to scan the image you've just built for vulnerabilities. Follow the documentation to install Trivy. Once done, run the following command:
trivy image hello-world:1.0
You should see many vulnerabilities:
To fix the vulnerabilities we will update the base image of the container image, build a new image and scan it. Look at Dockerfile.fixed - it has a newer base image. Let's now build and scan it:
docker build -f Dockerfile.fixed -t hello-world:2.0 .
trivy image hello-world:2.0
As you can see, there are far fewer vulnerabilities now.
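To turn the two scans above into something a CI pipeline can act on, the following added example (not part of the workshop) parses Trivy's JSON output (`trivy image -f json hello-world:1.0`), counts findings per severity, reports which ones have no upstream fix and so cannot disappear through a base-image bump alone, and applies a severity gate. The two reports are constructed sample data in the shape Trivy emits; the package names and CVE IDs in them are placeholders, not real findings.

```python
"""Compare two Trivy JSON reports (before/after a base-image bump) and gate on severity."""
import json
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")


def _report(name, target, vulns):
    # Minimal record in the shape `trivy image -f json` emits (SchemaVersion 2,
    # top-level "Results"); real reports carry many more fields.
    return json.dumps({"SchemaVersion": 2, "ArtifactName": name,
                       "Results": [{"Target": target, "Type": "debian",
                                    "Vulnerabilities": vulns}]})


# Constructed sample data; IDs and packages are placeholders, not real CVEs.
REPORT_V1 = _report("hello-world:1.0", "hello-world:1.0 (debian 10)", [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl", "Severity": "CRITICAL", "FixedVersion": "1.1.1k"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6", "Severity": "HIGH", "FixedVersion": "2.28-10"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "curl", "Severity": "HIGH", "FixedVersion": "7.64.0-4"},
    {"VulnerabilityID": "CVE-0000-0004", "PkgName": "bash", "Severity": "MEDIUM"},  # no upstream fix yet
])
REPORT_V2 = _report("hello-world:2.0", "hello-world:2.0 (debian 11)", [
    {"VulnerabilityID": "CVE-0000-0004", "PkgName": "bash", "Severity": "MEDIUM"},  # survives the bump
])


def _vulns(report_json):
    # "Vulnerabilities" is absent or null for a target with no findings.
    for result in json.loads(report_json).get("Results", []):
        yield from result.get("Vulnerabilities") or []


def severity_counts(report_json):
    """Number of findings per severity (a Counter, so missing keys read as 0)."""
    return Counter(v.get("Severity", "UNKNOWN") for v in _vulns(report_json))


def passes_gate(report_json, fail_on=("CRITICAL", "HIGH")):
    """True when no finding is at a blocking severity (what `--exit-code 1 --severity` does)."""
    counts = severity_counts(report_json)
    return all(counts[s] == 0 for s in fail_on)


def unfixed_ids(report_json):
    """Findings with no FixedVersion: updating the base image alone cannot remove these."""
    return sorted(v["VulnerabilityID"] for v in _vulns(report_json) if not v.get("FixedVersion"))


def delta(before_json, after_json):
    """Per-severity change between two scans (positive = fewer findings after)."""
    before, after = severity_counts(before_json), severity_counts(after_json)
    return {s: before[s] - after[s] for s in SEVERITIES if before[s] or after[s]}


if __name__ == "__main__":
    print(delta(REPORT_V1, REPORT_V2), passes_gate(REPORT_V2), unfixed_ids(REPORT_V2))
```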
We will use git-secrets to search for secrets inside our code. Follow the documentation to install git-secrets. Once done, run the following commands:
git secrets --add 'password\s*=\s*.+'
git secrets --scan -r *
As you can see, it found a hard-coded password in the server.js file:
We will use kube-hunter to run a Kubernetes penetration test. Run the following commands:
kubectl create -f kube-hunter.yaml
kubectl get pods
kubectl logs <kube-hunter pod name>
You will see the various tests that kube-hunter performs and their findings.
We will use tracee for runtime security on a Linux environment. Run the following commands:
docker run --name tracee --rm --privileged -v /lib/modules:/lib/modules -it aquasec/tracee:0.6.0
You can now run a suspicious action on the host, for example:
strace ls
Then look at the Tracee logs, which show that the suspicious event was detected:
docker logs tracee