.labspace/03-image-scanning.md
8 additions & 12 deletions
@@ -10,7 +10,7 @@ The app logic is implemented in the :fileLink[app.js]{path="app.js"} file.
10
10
11
11
To follow modern best practices, we want to containerize the app and eventually deploy it to production. Before doing so, we must ensure the image is secure by using [Docker Scout](https://www.docker.com/products/docker-scout/)
12
12
13
-
Our Dockerfile takes a multi-stage build approach and is based on the `node:24.9.0-trixie-slim` image.
13
+
Our Dockerfile takes a multi-stage build approach and is based on the `node:24-trixie-slim` image.
14
14
15
15
**Let’s build our image with SBOM and provenance metadata**
16
16
This lab already has a :fileLink[Dockerfile]{path="Dockerfile"}, so you can easily build the image.
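Review bot: dropping the patch-level pin at line 13 (`node:24.9.0-trixie-slim` to `node:24-trixie-slim`) means the lab build resolves to whatever the `24` tag points at on the day it is run, so the scan results quoted later in this file and in 04-switch-to-dhi.md become a snapshot rather than a reproducible result. That is a sensible trade for a lab that should not go stale, but line 11 tells the learner they "must ensure the image is secure" before deploying; a one-line caveat that a floating major tag is acceptable for the lab while production builds should pin the base by digest (`node:24-trixie-slim@sha256:...`) would keep that advice accurate.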
As you can see, there are no CVEs at the application level, but the base image contains 2 high, 1 medium, and 18 low severity CVEs, so it is recommended to be updated. Additionally, the critical policies have failed:
51
+
As you can see, there are no CVEs at the application level, but the base image contains a number of high, medium, and low severity CVEs, so it is recommended to be updated. Additionally, the critical policies have failed:
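Review bot: replacing the exact counts with "a number of high, medium, and low severity CVEs" is the right call now that the base tag floats, but the same line keeps the awkward passive "so it is recommended to be updated"; suggest "so the base image should be updated". Since the sentence no longer tells the learner what figures to expect, it would also help to say that the current counts appear in the `docker scout quickview` output they just ran.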
.labspace/04-switch-to-dhi.md
23 additions & 21 deletions
@@ -1,20 +1,20 @@
1
1
# Making the Switch to Docker Hardened Images
2
2
3
-
Switching to a Docker Hardened Image is straightforward. All we need to do is replace the base image `node:24.9.0-trixie-slim` with a DHI equivalent.
3
+
Switching to a Docker Hardened Image is straightforward. All we need to do is replace the base image `node:24-trixie-slim` with a DHI equivalent.
4
4
5
5
Docker Hardened Images come in two variants:
6
6
7
-
* Dev variant (`$$orgname$$/dhi-node:24.9.0-debian13-dev`) – includes a shell and package managers, making it suitable for building and testing.
8
-
* Runtime variant (`$$orgname$$/dhi-node:24.9.0-debian13`) – stripped down to only the essentials, providing a minimal and secure footprint for production.
7
+
* Dev variant (`$$orgname$$/dhi-node:24-debian13-dev`) – includes a shell and package managers, making it suitable for building and testing.
8
+
* Runtime variant (`$$orgname$$/dhi-node:24-debian13`) – stripped down to only the essentials, providing a minimal and secure footprint for production.
9
9
10
10
This makes them perfect for use in multi-stage Dockerfiles. We can build the app in the dev image, then copy the built application into the runtime image, which will serve as the base for production.
11
11
12
-
1. Update the `Dockerfile` to use the `$$orgname$$/dhi-node:24.9.0-debian13-dev` as a `dev` stage image and `$$orgname$$/dhi-node:24.9.0-debian13` as a `runtime` image
12
+
1. Update the `Dockerfile` to use the `$$orgname$$/dhi-node:24-debian13-dev` as a `dev` stage image and `$$orgname$$/dhi-node:24-debian13` as a `runtime` image
13
13
```dockerfile
14
-
FROM $$orgname$$/dhi-node:24.9.0-debian13-dev AS dev
14
+
FROM $$orgname$$/dhi-node:24-debian13-dev AS dev
15
15
```
16
16
```dockerfile
17
-
FROM $$orgname$$/dhi-node:24.9.0-debian13 AS prod
17
+
FROM $$orgname$$/dhi-node:24-debian13 AS prod
18
18
```
19
19
2. Looking back at the output for the `scout quickview`, the `No default non-root user found` policy was not met. To resolve this we typically need to add a non-root user to the Dockerfile description. The good news is that the DHI comes with a nonroot user built-in, so no changes should be made.
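Review bot: step 1 at line 12 calls the second stage the `runtime` image, but the snippet at line 17 declares it as `FROM $$orgname$$/dhi-node:24-debian13 AS prod`; since both lines are being edited, pick one stage name (`runtime` matches the variant names at lines 7-8) so a learner copying the snippet and later using `COPY --from=` or `--target` is not tripped up. Separately, `24-debian13-dev` and `24-debian13` now both float on the major version and are independent tags, so the build and runtime stages can resolve to different Node patch releases if one tag moves between pulls; the text could mention that pinning both stages to the same digest avoids that skew.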
Base image │ $$orgname$$/dhi-node:24.9.0-debian13 │
30
+
Target │ orgname/demo-node-dhi:v1 │ 0C 0H 0M 0L
31
+
digest │ cec31e6f0a36 │
32
+
Base image │ orgname/dhi-node:24-debian13 │
33
33
34
34
Policy status SUCCESS (9/9 policies met)
35
35
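Review bot: the new sample output uses the literal `orgname/demo-node-dhi:v1` and `orgname/dhi-node:24-debian13`, while the removed line and the Dockerfile snippets earlier in this file use the `$$orgname$$` template placeholder. If the labspace substitutes `$$orgname$$` at render time, the quoted output will not match what the learner sees in the terminal; use `$$orgname$$/...` in the output block too, or state once that `orgname` stands for the learner's organization. The `digest │ cec31e6f0a36` line is likewise a snapshot that changes as soon as the `24-debian13` tag moves.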
@@ -49,34 +49,36 @@ Hooray! There are zero CVEs and policy violations now!
49
49
50
50
**Let’s look at the image size and package count advantages of using distroless Hardened Images.**
51
51
52
-
Docker Scout offers a helpful command `docker scout compare` that allows you to analyze and compare two images. We’ll use it to evaluate the difference in size and package footprint between `node:24.9.0-trixie-slim` and `dhi-node:24.9.0-debian13` based images.
52
+
Docker Scout offers a helpful command `docker scout compare` that allows you to analyze and compare two images. We’ll use it to evaluate the difference in size and package footprint between `node:24-trixie-slim` and `dhi-node:24-debian13` based images.
Base image │ demonstrationorg/dhi-node-smontri:24 │ node:24-trixie-slim
71
+
Base image │ orgname/dhi-node:24 │ node:24-trixie-slim
72
72
tags │ also known as │ also known as
73
-
│ │ • current-trixie-slim
74
-
│ │ • trixie-slim
75
-
vulnerabilities │ 0C 0H 0M 0L │ 0C 2H 1M 18L
73
+
│ │ • 24.11-trixie-slim
74
+
│ │ • 24.11.1-trixie-slim
75
+
| | • krypton-trixie-slim
76
+
| | • lts-trixie-slim
77
+
vulnerabilities │ 0C 0H 0M 0L │ 0C 1H 2M 20L
76
78
77
79
```
78
80
79
-
As you can see, the `dhi-node:24.9.0-debian13`–based image is **41 MB (around 40%) smaller**, contains **248 fewer packages**, and has nearly **zero CVEs** compared to the original `node:24.9.0-trixie-slim`–based image.
81
+
As you can see, the `dhi-node:24-debian13`–based image is **40 MB (around 40%) smaller**, contains **214 fewer packages**, and has nearly **zero CVEs** compared to the original `node:24-trixie-slim`–based image.
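Review bot: the added "also known as" rows mix the box-drawing `│` used on every other line of this block with a plain ASCII `|` on the `krypton-trixie-slim` and `lts-trixie-slim` rows, so the table renders misaligned; replace the two `|` characters with `│`. The same placeholder question as in the quickview output applies to `orgname/dhi-node:24` versus `$$orgname$$`. The refreshed figures (`0C 1H 2M 20L`, "40 MB", "214 fewer packages") are fine for this snapshot but will drift with the floating `24` tags, which is exactly why the exact CVE counts were removed from 03-image-scanning.md; the closing sentence could hedge the same way ("at the time of writing"). Minor: "nearly zero CVEs" reads oddly against a row that shows `0C 0H 0M 0L`.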
.labspace/05-compliance.md
6 additions & 6 deletions
@@ -4,9 +4,9 @@
4
4
5
5
In addition to providing a minimal and secure base image, Docker Hardened Images include a comprehensive set of attestations.
6
6
7
-
You can run the following command to see the full list of attestations for `dhi-node:24.9.0-debian13`:
7
+
You can run the following command to see the full list of attestations for `dhi-node:24-debian13`:
8
8
```bash
9
-
docker scout attest list $$orgname$$/dhi-node:24.9.0-debian13
9
+
docker scout attest list $$orgname$$/dhi-node:24-debian13
10
10
```
11
11
In the output you will see the list of available attestations, such as:
12
12
* CycloneDX SBOM (A software bill of materials in CycloneDX format, listing components, libraries, and versions.)
@@ -26,7 +26,7 @@ In the output you will see the list of available attestations, such as:
26
26
27
27
DHI provides SBOMs in the CycloneDX, SPDX, or Scout formats. To view a specific SBOM file, such as the SPDX SBOM that is widely adopted in open-source ecosystems, you can use the `docker scout attest get` command:
28
28
```bash
29
-
docker scout attest get $$orgname$$/dhi-node:24.9.0-debian13 \
29
+
docker scout attest get $$orgname$$/dhi-node:24-debian13 \
30
30
--predicate-type https://spdx.dev/Document
31
31
```
32
32
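Review bot: this `docker scout attest get` call selects the SPDX predicate type but omits the `--predicate` flag that the FIPS and STIG commands later in the same file pass; as written it appears to print the whole in-toto statement (subject, predicate type and predicate) rather than just the SBOM document. If the intent is "view the SPDX SBOM", add `--predicate` here for consistency, or explain in the prose why the two forms differ.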
@@ -36,9 +36,9 @@ FIPS 140 compliance is required or strongly recommended in many regulated enviro
36
36
37
37
DHIs include variants that use cryptographic modules validated under FIPS 140.
38
38
39
-
You can retrieve and inspect the FIPS attestation for the `$$orgname$$/dhi-node:24.9.0-debian13-fips` using the Docker Scout CLI:
39
+
You can retrieve and inspect the FIPS attestation for the `$$orgname$$/dhi-node:24-debian13-fips` using the Docker Scout CLI:
40
40
```bash
41
-
docker scout attest get --predicate-type https://docker.com/dhi/fips/v0.1 --predicate $$orgname$$/dhi-node:24.9.0-debian13-fips
41
+
docker scout attest get --predicate-type https://docker.com/dhi/fips/v0.1 --predicate $$orgname$$/dhi-node:24-debian13-fips
42
42
```
43
43
In the output you'll see the CMVP # and the FIPS Provider name, for example:
44
44
```plaintext no-copy-button
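Review bot: the FIPS tag also drops the patch pin (`24-debian13-fips`). For the FIPS 140 discussion this matters more than elsewhere, because a CMVP certificate is issued for a specific module version; a reader auditing compliance will want the image digest next to the CMVP # the output shows, so consider noting that the attestation should be retrieved for the digest actually deployed rather than for a floating tag.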
@@ -55,7 +55,7 @@ Docker also provides a signed STIG scan attestation for each STIG-hardened image
55
55
56
56
You can retrieve and inspect a STIG scan attestation using the Docker Scout CLI:
57
57
```bash
58
-
docker scout attest get --predicate-type https://docker.com/dhi/stig/v0.1 --predicate $$orgname$$/dhi-node:24.9.0-debian13-fips
58
+
docker scout attest get --predicate-type https://docker.com/dhi/stig/v0.1 --predicate $$orgname$$/dhi-node:24-debian13-fips
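Review bot: the STIG attestation is fetched from the `-fips` image, while the prose at line 55 speaks of "each STIG-hardened image"; confirm that the FIPS variant is the one carrying the STIG scan attestation, otherwise point this command at the STIG-hardened tag so the learner does not get an empty result.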