package main import ( "fmt" "io" "log" "os" "regexp" "strings" "gopkg.in/yaml.v3" ) const ( PRIVILEGE_OPT = "no-new-privileges=true" ROOT_USER_GROUP = "1000:1000" ROOT_USER = "1000" ROOT_GROUP = "1000" IM_SO_SORRY = `^(\${{\s*(vars|secrets)\..*}}|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):(\${{\s*(vars|secrets)\..*}}|[0-9]+):(\${{\s*(vars|secrets)\..*}}|[0-9]+)` FATAL IssueLevel = "FATAL" WARNING IssueLevel = "WARNING" PASSED IssueLevel = "PASSED" ) type IssueLevel string type Issue struct { Level IssueLevel Safe bool Messages []string } func (i *Issue) Passed() { i.Level = PASSED i.Safe = true } func (i *Issue) Warning() { i.Level = WARNING i.Safe = true } func (i *Issue) Fatal() { i.Level = FATAL i.Safe = false } type RestartConfig struct { Condition *string `yaml:"condition"` Delay *string `yaml:"delay"` MaxAttempts *int `yaml:"max_attempts"` Window *string `yaml:"window"` } type DeployConfig struct { Policy *RestartConfig `yaml:"restart_policy"` } type ServiceConfig struct { MemLimit *string `yaml:"mem_limit"` Cpus *float64 `yaml:"cpus"` Ports *[]string `yaml:"ports"` User *string `yaml:"user"` Deploy *DeployConfig `yaml:"deploy"` SecOpts *[]string `yaml:"security_opt"` Privileged *bool `yaml:"privileged"` } type Compose struct { Services map[string]ServiceConfig `yaml:"services"` } func main() { filePath := os.Getenv("COMPOSE_FILE_PATH") if filePath == "" { filePath = "compose.yaml" } f, err := os.Open(filePath) if err != nil { log.Fatal(err) } defer f.Close() fd, err := io.ReadAll(f) if err != nil { log.Fatal(err) } var data Compose err = yaml.Unmarshal(fd, &data) if err != nil { log.Fatal(err) } // type report struct { // Name string //service name // //restart policy // PolicyPresent bool //is it present // PolicyLevel IssueLevel //how serious // PolicyIssues []string // //are ports behind a proxy? // PortSafe bool // PortIssues []string // PortLevel IssueLevel // //memory limits and cpu // ResourceSafe bool // ResourceIssues []string // ResourceLevel IssueLevel // //proper security options // SecurityOptSafe bool // SecurityOptLevel IssueLevel // SecurityOptIssues []string // //are users nonroot // UserSafe bool // UserIssues []string // UserIssueLevel IssueLevel // } type NewReport struct { Name string Issues []*Issue } var issues []NewReport for name, serviceConf := range data.Services { rprt := NewReport{ Name: name, } i := ResourceCheck(serviceConf) if i != nil { rprt.Issues = append(rprt.Issues, i) } j := SecurityOptCheck(serviceConf) if j != nil { rprt.Issues = append(rprt.Issues, j) } k, err := UserCheck(serviceConf) if err != nil { log.Fatal(err) } if k != nil { rprt.Issues = append(rprt.Issues, k) } l, err := PortCheck(serviceConf) if err != nil { log.Fatal(err) } if len(l) > 0 { rprt.Issues = append(rprt.Issues, l...) } m := PolicyCheck(serviceConf) if m != nil { rprt.Issues = append(rprt.Issues, m) } issues = append(issues, rprt) } for _, p := range issues { fmt.Println(p.Name) for _, x := range p.Issues { fmt.Println(*x) } } } func ResourceCheck(srv ServiceConfig) *Issue { i := &Issue{} if srv.Cpus == nil { i.Warning() i.Messages = append(i.Messages, "there is no cpu limit set for the service") } if srv.MemLimit == nil { i.Warning() i.Messages = append(i.Messages, "there is no memory limit set for the service") } if srv.Cpus == nil && srv.MemLimit == nil { i.Fatal() i.Messages = append(i.Messages, "there are no resource limits set for the service") } i.Passed() i.Messages = append(i.Messages, "resource limits configuration is safe") return i } func PrivilegedCheck(srv ServiceConfig) *Issue { i := &Issue{} if srv.Privileged == nil { i.Passed() i.Messages = append(i.Messages, "no privileged flag set") return i } if *srv.Privileged == true { i.Fatal() i.Messages = append(i.Messages, "privileged flag is set to true") return i } i.Passed() i.Messages = append(i.Messages, "privileged flag is set to false") return i } func SecurityOptCheck(srv ServiceConfig) *Issue { i := &Issue{} if srv.SecOpts == nil { i.Fatal() i.Messages = append(i.Messages, "set no-new-privileges=true on the service security_opts") return i } for _, opt := range *srv.SecOpts { if strings.EqualFold(opt, PRIVILEGE_OPT) { i.Passed() i.Messages = append(i.Messages, "security option are safe") return i } } i.Fatal() i.Messages = append(i.Messages, "set no-new-privileges=true on the container security_opts") return i } func PortCheck(srv ServiceConfig) ([]*Issue, error) { il := []*Issue{} if srv.Ports == nil { i := &Issue{} i.Passed() i.Messages = append(i.Messages, "no ports exposed") il = append(il, i) return il, nil } for _, prt := range *srv.Ports { i := &Issue{} m, err := regexp.Match(`^[0-9]*:[0-9]*`, []byte(prt)) if err != nil { return nil, err } if m { i.Fatal() i.Messages = append(i.Messages, fmt.Sprintf("%s is fully exposed", prt)) il = append(il, i) continue } m2, err := regexp.Match(IM_SO_SORRY, []byte(prt)) if err != nil { return nil, err } if m2 { i.Passed() i.Messages = append(i.Messages, fmt.Sprintf("%s is safe", prt)) il = append(il, i) continue } else { i.Warning() i.Messages = append(i.Messages, fmt.Sprintf("unable to parse port configuration for %s", prt)) il = append(il, i) continue } } return il, nil } func UserCheck(srv ServiceConfig) (*Issue, error) { i := &Issue{} if srv.User == nil { i.Warning() i.Messages = append(i.Messages, "no user is specified in the compose file") return i, nil } mtch, err := regexp.Match("[0-9]*:[0-9]*", []byte(*srv.User)) if err != nil { return nil, err } if mtch { if strings.EqualFold(ROOT_USER_GROUP, *srv.User) { i.Fatal() i.Messages = append(i.Messages, "a root user set in the compose file") } else { i.Passed() i.Messages = append(i.Messages, "user configuration is safe") } return i, nil } else { users := strings.Split(*srv.User, ":") if len(users) != 2 { i.Fatal() i.Messages = append(i.Messages, "user value seems misconfigured, check compose file") return i, nil } //shoutouts and/or blame should go to: https://regex101.com/ -- seems like a cool tool, but time will tell leftUser, err := regexp.Match(`(?m)\${{\s*(vars|secrets)\..*}}`, []byte(users[0])) if err != nil { return nil, err } rightUser, err := regexp.Match(`(?m)\${{\s*(vars|secrets)\..*}}`, []byte(users[1])) if err != nil { return nil, err } if leftUser && rightUser { i.Passed() i.Messages = append(i.Messages, "user configuration is safe") return i, nil } if leftUser { if strings.EqualFold(users[1], ROOT_GROUP) { i.Warning() i.Messages = append(i.Messages, "a root user is present in configuration") } else { i.Passed() i.Messages = append(i.Messages, "user configuration is safe") } return i, nil } if rightUser { if strings.EqualFold(users[0], ROOT_USER) { i.Warning() i.Messages = append(i.Messages, "a root user is present in configuration") } else { i.Passed() i.Messages = append(i.Messages, "user configuration is safe") } return i, nil } } i.Fatal() i.Messages = append(i.Messages, "unable to parse user configuration") return i, nil } func PolicyCheck(srv ServiceConfig) *Issue { i := &Issue{} if srv.Deploy != nil { if srv.Deploy.Policy != nil { if srv.Deploy.Policy.Condition != nil { if srv.Deploy.Policy.MaxAttempts != nil { i.Passed() i.Messages = append(i.Messages, "restart policy configuration is safe") return i } else { i.Warning() i.Messages = append(i.Messages, "no max_attempts value set on restart policy container could death loop") return i } } else { i.Fatal() i.Messages = append(i.Messages, "no restart condition is set on the container") return i } } else { i.Fatal() i.Messages = append(i.Messages, "no restart policy is set on the container") return i } } i.Fatal() i.Messages = append(i.Messages, "no restart policy is set on the container") return i }