SecDocker

From Security Unileon

SecDocker is an application that acts as a firewall for Docker. It is designed to receive all traffic destined for the Docker API or socket and to drop any request that contains unauthorized parameters. You can provide rules and specifications for individual requests, as well as general restrictions that are applied to every request, so the traffic is modified on its way to the Docker daemon.

SecDocker overview

The application sits in front of the Docker daemon, so all Docker traffic is redirected to SecDocker first. SecDocker then performs its own checks on the request and asks the plugins for external validation. Only if every option is allowed and the plugins report a positive result does SecDocker apply its general restrictions and, finally, forward the request to the Docker daemon.
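The following Go program is an added illustration of the proxy pattern described above; it is not SecDocker's own code and makes no claim about its configuration format or plugin interface. It places an HTTP reverse proxy in front of the Docker socket (assumed at /var/run/docker.sock, listening on a constructed local address), inspects the JSON body of POST /containers/create, drops requests that ask for Privileged mode or a bind mount of a denied host path, and applies one general restriction (a memory cap) to every request before forwarding it. The Policy type, its field names and the sample request bodies are assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"strings"
)

// Policy is a hypothetical rule set for this example (not SecDocker's format).
type Policy struct {
	AllowPrivileged bool     // drop requests with HostConfig.Privileged unless true
	DeniedBindPaths []string // host paths (and anything below them) that must never be bind-mounted
	MaxMemoryBytes  int64    // general restriction: cap HostConfig.Memory on every request
}

// Enforce inspects a /containers/create body. It returns an error for a request
// that must be dropped, otherwise the body with the general restrictions applied.
func (p Policy) Enforce(body []byte) ([]byte, error) {
	var top map[string]json.RawMessage
	if err := json.Unmarshal(body, &top); err != nil {
		return nil, fmt.Errorf("malformed create body: %w", err)
	}
	// HostConfig is kept as a generic map so fields we do not inspect survive re-encoding.
	hc := map[string]interface{}{}
	if raw, ok := top["HostConfig"]; ok && len(raw) > 0 {
		if err := json.Unmarshal(raw, &hc); err != nil {
			return nil, fmt.Errorf("malformed HostConfig: %w", err)
		}
	}
	if priv, _ := hc["Privileged"].(bool); priv && !p.AllowPrivileged {
		return nil, errors.New("denied: Privileged=true is not allowed")
	}
	if binds, _ := hc["Binds"].([]interface{}); len(binds) > 0 {
		for _, b := range binds {
			s, _ := b.(string)
			host := strings.SplitN(s, ":", 2)[0] // Binds entries look like "host:container[:opts]"
			for _, d := range p.DeniedBindPaths {
				if host == d || strings.HasPrefix(host, d+"/") {
					return nil, fmt.Errorf("denied: bind mount of %s is not allowed", host)
				}
			}
		}
	}
	// General restriction: cap memory whether or not the client set a limit.
	if p.MaxMemoryBytes > 0 {
		mem, _ := hc["Memory"].(float64) // JSON numbers decode to float64 in interface{}
		if mem == 0 || int64(mem) > p.MaxMemoryBytes {
			hc["Memory"] = p.MaxMemoryBytes
		}
	}
	hcRaw, err := json.Marshal(hc)
	if err != nil {
		return nil, err
	}
	top["HostConfig"] = hcRaw
	return json.Marshal(top)
}

// newProxy returns an HTTP handler that forwards everything to the Docker unix
// socket, running Enforce on container-create requests first.
func newProxy(p Policy, socketPath string) http.Handler {
	rp := &httputil.ReverseProxy{
		Director: func(r *http.Request) {
			r.URL.Scheme = "http"
			r.URL.Host = "docker" // placeholder; the transport below dials the socket instead
		},
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
				return (&net.Dialer{}).DialContext(ctx, "unix", socketPath)
			},
		},
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost && strings.HasSuffix(r.URL.Path, "/containers/create") {
			body, err := io.ReadAll(r.Body)
			if err != nil {
				http.Error(w, err.Error(), http.StatusBadRequest)
				return
			}
			out, err := p.Enforce(body)
			if err != nil {
				log.Printf("DROP %s %s: %v", r.Method, r.URL.Path, err)
				http.Error(w, err.Error(), http.StatusForbidden)
				return
			}
			r.Body = io.NopCloser(bytes.NewReader(out))
			r.ContentLength = int64(len(out))
			r.Header.Del("Content-Length")
		}
		rp.ServeHTTP(w, r)
	})
}

func main() {
	policy := Policy{DeniedBindPaths: []string{"/var/run/docker.sock", "/etc"}, MaxMemoryBytes: 2 << 30}
	// Constructed sample request, checked once at startup to show the decision path.
	sample := []byte(`{"Image":"alpine","HostConfig":{"Binds":["/var/run/docker.sock:/sock"]}}`)
	if _, err := policy.Enforce(sample); err != nil {
		log.Printf("sample request: %v", err)
	}
	log.Fatal(http.ListenAndServe("127.0.0.1:2375", newProxy(policy, "/var/run/docker.sock")))
}
```

Pointing a client at the proxy (for example DOCKER_HOST=tcp://127.0.0.1:2375) makes every API call pass through Enforce; only the create endpoint is inspected here, so a real deployment would extend the same pattern to exec, start and update calls, which can also change a container's privileges after creation.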

Built With

  • Go
  • Trudy - Transparent proxy that can modify and drop traffic for arbitrary TCP connections.
  • Anchore - Inspects, analyzes and applies user-defined acceptance policies.
  • Notary - Ensures the integrity of a trusted collection of Docker images.
  • Logrus - Structured logger.

Reference

To cite this work, please use the following BibTeX entry:

@ARTICLE{SecDockerFernandez2022,
  Title     = {SecDocker: Hardening the Continuous Integration Workflow},
  Author    = {Fern{\'a}ndez Gonz{\'a}lez, David and Rodr{\'i}guez Lera, Francisco Javier and Esteban, Gonzalo and Fern{\'a}ndez Llamas, Camino},
  Journal   = {SN Computer Science},
  Volume    = {3},
  Issue     = {1},
  Year      = {2022},
  Publisher = {Springer Nature},
  Doi       = {https://doi.org/10.1007/s42979-021-00939-4}
}

License

This project is licensed under MIT License.

External Links

  1. SecDocker, (2021), GitHub repository, https://github.com/uleroboticsgroup/Secdocker