Skip to content

bouge/docker-supplychain-vuln-example-

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
base
base
 
 
example
example
 
 
img
img
 
 
README.md
README.md
 
 
build.sh
build.sh
 
 

Repository files navigation

Example of supply chain vulnerabilities in Docker

In this example we see how an innocuous docker container that may seem to just run as node actually manages to steal enviornmentvariables.

This is a very crude example, designed to highlight the importance of using trusted base images or building your own.

Build the container images:

./build.sh

The example container we are running looks just like any other NodeJS container:

FROM node-test
COPY index.js index.js
CMD ["node","index.js"]

Run the built example container:

docker run -e MyAPIKey="SuperSecretString" js-example

After this has run, although it looks like it is running normally, if we look at our API endpoint Example showing extracted environment variables We can see that the data has been extracted.

Furthermore, if we run this new image through Docker Scan: Docker scan coming back clean We can see that it comes back clean, likewise in ECR: ECR container scan result

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages