class DockerInsecureRegistries
Public Instance Methods
check(dockercheck)
# File lib/dockscan/modules/audit/docker-insecure-registries.rb, line 7 def check(dockercheck) sp=Dockscan::Scan::Plugin.new si=Dockscan::Scan::Issue.new si.title="Insecure registries in use" si.description="Docker daemon reports it is running configuration with insecure registries.\nThis is not recommended as attacker is able to deploy malicious images to registries." si.solution="It is recommended to use secure registries and configuration without insecure registries." si.severity=4 # Low si.risk = { "cvss" => 3.2 } si.references = {"CIS" => "2.5 Do not use insecure registries" } sp.vuln=si if scandata.key?("GetDockerInfo") and scandata["GetDockerInfo"].obj.key?("RegistryConfig") sp.state="run" vulnerable = false outputregs = "" outputindexs = "" # ["RegistryConfig"]["InsecureRegistryCIDRs"].each do |item| puts item end scandata["GetDockerInfo"].obj["RegistryConfig"]["InsecureRegistryCIDRs"].each do |item| if item != "127.0.0.0/8" then vulnerable=true outputregs = item << "\n" end end # Docker.info["RegistryConfig"]["IndexConfigs"].each do |item,value| puts item,value,value["Secure"] end scandata["GetDockerInfo"].obj["RegistryConfig"]["IndexConfigs"].each do |item, value| if value["Secure"] != true vulnerable=true outputindexs = item value["Name"] << "\n" end end if vulnerable then sp.state="vulnerable" sp.output = "Docker daemon reports it is using insecure registries. Offending issues below.\n " if outputregs != "" then sp.output << "Insecure CIDRs offending configuration:\n" sp.output << outputregs << "\n" end if outputindexs != "" then sp.output << "Offending registry indexes:\n" sp.output << outputindexs << "\n" end end end return sp end
info()
# File lib/dockscan/modules/audit/docker-insecure-registries.rb, line 3
#
# One-line description of what this audit plugin looks for.
#
# @return [String] the plugin summary text.
def info
  'This plugin checks if insecure registries in use'
end