The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated and are inspired by the CIS Docker Benchmark.
The Docker Bench for Security is distributed as a Docker container. You can run it with the following command, which is adapted from the official documentation:
-it: Runs the container in interactive mode with a TTY.
--rm: Automatically removes the container when it exits.
--net host, --pid host, --userns host: Allow the benchmark script to inspect the host's network, PID namespace, and user namespace, which is necessary for a comprehensive analysis.
--cap-add audit_control: Adds the AUDIT_CONTROL capability, required for some tests.
-e DOCKER_CONTENT_TRUST="${DOCKER_CONTENT_TRUST:-}": Passes the host's DOCKER_CONTENT_TRUST environment variable to the container. If it's not set on the host, it defaults to an empty string.
-v /path/on/host:/path/in/container:ro: Mounts host directories and files as read-only (ro) into the container. This allows the script to inspect Docker configurations, systemd files, the Docker socket, etc.
/var/lib typically contains Docker's data directory.
/var/run/docker.sock is the Docker daemon socket.
/etc contains system configuration files.
Paths to containerd and runc binaries are mounted to check their versions and configurations.
/usr/lib/systemd is mounted to inspect Docker service files.
--label docker_bench_security: Applies a label to the container, which can be useful for identifying it.
docker/docker-bench-security: The official Docker image for the benchmark tool.
After running the command, the script will perform a series of checks and output the results to your terminal, indicating areas that are configured well and areas that might need attention.
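As an added example (not code from the page or from the docker-bench-security project), the shell script below assembles the `docker run` invocation from the flags explained above, can print it as a dry run, and summarises a saved report by result status. The mount paths for the containerd and runc binaries (/usr/bin/containerd, /usr/bin/runc) and /lib/systemd/system are assumptions, since the page names only the directories listed above; the sample report is constructed and its check numbers and texts are illustrative only.

```shell
#!/bin/sh
# Added example (not docker-bench-security's own code): assemble the docker run
# invocation described on the page, run or print it, and summarise result lines.

# Compose the command line from the flags explained above. The containerd/runc
# binary paths and /lib/systemd/system are assumptions (the page does not name
# them); adjust them to where your host keeps those binaries.
bench_cmd() {
    printf '%s' "docker run -it --rm --net host --pid host --userns host"
    printf ' %s' "--cap-add audit_control"
    printf ' %s' "-e DOCKER_CONTENT_TRUST=${DOCKER_CONTENT_TRUST:-}"
    for p in /etc /lib/systemd/system /usr/bin/containerd /usr/bin/runc \
             /usr/lib/systemd /var/lib /var/run/docker.sock; do
        printf ' -v %s:%s:ro' "$p" "$p"
    done
    printf ' %s\n' "--label docker_bench_security docker/docker-bench-security"
}

# Run the benchmark, or with DRY_RUN=1 just print the command it would execute.
run_bench() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        bench_cmd
    else
        eval "$(bench_cmd)"
    fi
}

# Count report lines carrying a given status tag ([PASS], [WARN], [INFO], [NOTE]).
count_status() {           # usage: count_status WARN report.txt
    grep -c "^\[$1\]" "$2"
}

# List the check IDs (e.g. 1.1.1) of every [WARN] line, one per line, for triage.
warn_ids() {               # usage: warn_ids report.txt
    sed -n 's/^\[WARN\] \([0-9][0-9.]*\) - .*/\1/p' "$1"
}

# One-line triage summary: [WARN] items are the findings to act on, [NOTE] items
# are checks the script could not decide automatically, [INFO] lines are context.
summary() {                # usage: summary report.txt
    printf 'pass=%s warn=%s note=%s\n' \
        "$(count_status PASS "$1")" "$(count_status WARN "$1")" "$(count_status NOTE "$1")"
}

# Constructed sample of the tool's terminal output, so the summary functions can
# be exercised without a Docker host. Check numbers and texts are illustrative.
sample_report() {
    cat <<'EOF'
[INFO] 1 - Host Configuration
[WARN] 1.1.1 - Ensure a separate partition for containers has been created
[PASS] 1.1.2 - Ensure only trusted users are allowed to control Docker daemon
[INFO] 2 - Docker daemon configuration
[WARN] 2.1 - Run the Docker daemon as a non-root user, if possible
[PASS] 2.2 - Ensure network traffic is restricted between containers on the default bridge
[NOTE] 4.1 - Ensure that a user for the container has been created
[INFO] Checks: 5
EOF
}

# Demo mode: summarise the constructed sample instead of running the benchmark.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); sample_report > "$f"
    summary "$f"; warn_ids "$f"
    rm -f "$f"
fi
```

Run it with `--demo` to exercise the summary on the constructed sample, or set `DRY_RUN=1` to see the assembled command without a Docker host; to keep a real report for `summary`, pipe the run through `tee report.txt`. One caveat on the mounts: `:ro` on the /var/run/docker.sock bind mount only makes the socket file itself read-only, it does not limit the API calls that can be made through the socket, so the benchmark container should be run only on the trusted host you are auditing.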