Difference between revisions of "SecDocker"

From Security Unileon
 
(5 intermediate revisions by the same user not shown)
Line 1: Line 1:
== SecDocker ==
+
SecDocker is an application that acts as a firewall for Docker. It's designed to receive all the traffic that goes to the Docker API / socket and drop the requests that contain unauthorized parameters. You can provide rules and specifications as well as general restrictions to be applied to every request, modifying the traffic as it goes to the Docker daemon.
  
[[File:SecDocker-logo.png|thumb|SecDocker]]
+
[[File:SecDocker-flow.png|720px|frame|center|SecDocker overview]]
  
==== An application firewall for Docker ====
+
The application is placed on the outside so all the Docker traffic is redirected to itself. Then, it performs all the checks as well as external validations with the plugins. If every option is allowed and the plugins reported a positive result, then SecDocker will apply some general restrictions and finally, send the request to the Docker daemon.
  
=== Description ===
+
== Built With ==
  
SecDocker is a Go application that acts as a firewall for Docker. It's designed to receive all the traffic that goes to the Docker API / socket and drop the requests that contain unauthorized parameters. You can provide rules and specifications as well as general restrictions to be applied to every request, modifying the traffic as it goes to the Docker daemon.
+
* [https://golang.org/ Go]
 +
* [https://github.com/praetorian-inc/trudy Trudy] - Transparent proxy that can modify and drop traffic for arbitrary TCP connections.
 +
* [https://anchore.com/ Anchore] - Inspects, analyzes and applies user-defined acceptance policies.
 +
* [https://github.com/notaryproject/notary Notary] - Ensures the integrity of a trusted collection of Docker images.
 +
* [https://github.com/sirupsen/logrus/ Logrus] - Structured logger.
  
=== How it works ===
+
== Reference ==
  
The application is placed on the outside so all the Docker traffic is redirected to itself. Then, it performs all the checks as well as external validations with the plugins. If every option is allowed and the plugins reported a positive result, then SecDocker will apply some general restrictions and finally, send the request to the Docker daemon.
+
To cite this work, please use the following BibTeX entry:
 +
 
 +
<pre>
 +
@ARTICLE{SecDockerFernandez2022,
 +
  Title    = {SecDocker: Hardening the Continuous Integration Workflow},
 +
  Author    = {Fern{\'a}ndez Gonz{\'a}lez, David and Rodr{\'i}guez Lera, Francisco Javier and Esteban, Gonzalo and Fern{\'a}ndez Llamas, Camino},
 +
  Journal  = {SN Computer Science},
 +
  Volume    = {3},
 +
  Issue    = {1},
 +
  Year      = {2022},
 +
  Publisher = {Springer Nature},
 +
  Doi      = {https://doi.org/10.1007/s42979-021-00939-4}
 +
}
 +
</pre>
  
[[File:SecDocker-flow.png]]
+
== License ==
  
=== Code / External link ===
+
This project is licensed under [https://choosealicense.com/licenses/mit/ MIT License].
  
You can find the application on our Github repository:
+
== External Links ==
  
[https://github.com/uleroboticsgroup/Secdocker SecDocker Repository]
+
# SecDocker, (2021), ''GitHub repository'', https://github.com/uleroboticsgroup/Secdocker

Latest revision as of 07:45, 24 November 2021

SecDocker is an application that acts as a firewall for Docker. It's designed to receive all the traffic that goes to the Docker API / socket and drop the requests that contain unauthorized parameters. You can provide rules and specifications as well as general restrictions to be applied to every request, modifying the traffic as it goes to the Docker daemon.

SecDocker overview

The application is placed on the outside so all the Docker traffic is redirected to itself. Then, it performs all the checks as well as external validations with the plugins. If every option is allowed and the plugins reported a positive result, then SecDocker will apply some general restrictions and finally, send the request to the Docker daemon.

Built With

  • Go
  • Trudy - Transparent proxy that can modify and drop traffic for arbitrary TCP connections.
  • Anchore - Inspects, analyzes and applies user-defined acceptance policies.
  • Notary - Ensures the integrity of a trusted collection of Docker images.
  • Logrus - Structured logger.

Reference

To cite this work, please use the following BibTeX entry:

@ARTICLE{SecDockerFernandez2022,
  Title     = {SecDocker: Hardening the Continuous Integration Workflow},
  Author    = {Fern{\'a}ndez Gonz{\'a}lez, David and Rodr{\'i}guez Lera, Francisco Javier and Esteban, Gonzalo and Fern{\'a}ndez Llamas, Camino},
  Journal   = {SN Computer Science},
  Volume    = {3},
  Issue     = {1},
  Year      = {2022},
  Publisher = {Springer Nature},
  Doi       = {https://doi.org/10.1007/s42979-021-00939-4}
}

License

This project is licensed under MIT License.

External Links

  1. SecDocker, (2021), GitHub repository, https://github.com/uleroboticsgroup/Secdocker