Triage policy check warnings
This commit is contained in:
@@ -32,6 +32,7 @@ powershell -ExecutionPolicy Bypass -File .\ops\policy-checks\check_repo.ps1 -Rep
|
||||
- Host-Port-Mappings
|
||||
- Traefik-Router mit `Host(...)` und Middleware-Standard fuer geschuetzte Admin-/Ops-Dienste
|
||||
- sichtbare Report-Punkte fuer dokumentierte Ausnahmen wie `user: "0"`, `privileged: true` oder `network_mode: host`
|
||||
- digest-gepinnte mutable Tags bleiben sichtbar; nur explizit dokumentierte Ausnahmen werden als Info statt Warning gewertet
|
||||
|
||||
## Wichtige Betriebsregel
|
||||
|
||||
|
||||
@@ -253,7 +253,11 @@ function Test-ServicePolicies {
|
||||
}
|
||||
|
||||
if ($service.Image -match ':[Ll]atest(?:[-@]|$)') {
|
||||
Add-Finding -Findings $Findings -Severity 'warning' -Code 'IMAGE001' -Target $targetBase -Message 'Image uses a latest tag. Prefer a concrete version tag, even when a digest is present.'
|
||||
if (($service.Image -match '@sha256:') -and (Test-IdentityMatch -Service $service -Candidates $Exceptions.allowed_mutable_tag_identities)) {
|
||||
Add-Finding -Findings $Findings -Severity 'info' -Code 'IMAGE002' -Target $targetBase -Message 'Image uses a latest tag but is digest-pinned and documented as an exception.'
|
||||
} else {
|
||||
Add-Finding -Findings $Findings -Severity 'warning' -Code 'IMAGE001' -Target $targetBase -Message 'Image uses a latest tag. Prefer a concrete version tag, even when a digest is present.'
|
||||
}
|
||||
}
|
||||
|
||||
$isDataService = $false
|
||||
@@ -362,6 +366,7 @@ $exceptionsRaw = Get-Content -LiteralPath $exceptionsPath -Raw | ConvertFrom-Jso
|
||||
$exceptions = @{
|
||||
middleware_exempt_identities = @($exceptionsRaw.middleware_exempt_identities)
|
||||
allowed_root_identities = @($exceptionsRaw.allowed_root_identities)
|
||||
allowed_mutable_tag_identities = @($exceptionsRaw.allowed_mutable_tag_identities)
|
||||
allowed_privileged_identities = @($exceptionsRaw.allowed_privileged_identities)
|
||||
allowed_host_network_identities = @($exceptionsRaw.allowed_host_network_identities)
|
||||
allowed_host_port_identities = @{}
|
||||
|
||||
@@ -32,10 +32,16 @@
|
||||
"allowed_root_identities": [
|
||||
"monitoring-influxdb3-core"
|
||||
],
|
||||
"allowed_mutable_tag_identities": [
|
||||
"ddns-updater",
|
||||
"glances",
|
||||
"scrutiny"
|
||||
],
|
||||
"allowed_privileged_identities": [
|
||||
"scrutiny"
|
||||
],
|
||||
"allowed_host_network_identities": [
|
||||
"plex",
|
||||
"tailscale",
|
||||
"Tailscale-Docker"
|
||||
]
|
||||
|
||||
@@ -3,26 +3,26 @@
|
||||
## Summary
|
||||
- Compose files checked: 29
|
||||
- Critical findings: 0
|
||||
- Warnings: 5
|
||||
- Info findings: 9
|
||||
- Warnings: 1
|
||||
- Info findings: 13
|
||||
|
||||
## Critical
|
||||
- none
|
||||
|
||||
## Warnings
|
||||
- [HOSTNET002] host-services\plex\docker-compose.yml :: plex: network_mode: host is enabled.
|
||||
- [IMAGE001] infra\ddns-updater\docker-compose.yml :: ddns-updater: Image uses a latest tag. Prefer a concrete version tag, even when a digest is present.
|
||||
- [USER001] monitoring\docker-compose.yml :: influxdb3-core: Runs as user 0. Documented exception, keep visible for hardening.
|
||||
- [IMAGE001] ops\glances\docker-compose.yml :: glances: Image uses a latest tag. Prefer a concrete version tag, even when a digest is present.
|
||||
- [IMAGE001] ops\scrutiny\docker-compose.yml :: scrutiny: Image uses a latest tag. Prefer a concrete version tag, even when a digest is present.
|
||||
|
||||
## Info
|
||||
- [PORT001] core\gitea\docker-compose.yml :: gitea: Allowed host port mapping: 222:22
|
||||
- [PORT001] host-services\Adguard\docker-compose.yml :: adguard: Allowed host port mapping: 53:53/tcp
|
||||
- [PORT001] host-services\Adguard\docker-compose.yml :: adguard: Allowed host port mapping: 53:53/udp
|
||||
- [PORT001] host-services\Adguard\docker-compose.yml :: adguard: Allowed host port mapping: 100.80.98.33:8082:80
|
||||
- [HOSTNET001] host-services\plex\docker-compose.yml :: plex: network_mode: host is a documented exception.
|
||||
- [HOSTNET001] host-services\tailscale\docker-compose.yml :: tailscale: network_mode: host is a documented exception.
|
||||
- [IMAGE002] infra\ddns-updater\docker-compose.yml :: ddns-updater: Image uses a latest tag but is digest-pinned and documented as an exception.
|
||||
- [PORT001] monitoring\docker-compose.yml :: influxdb3-core: Allowed host port mapping: ${INFLUXDB_BIND_IP:-127.0.0.1}:8181:8181
|
||||
- [IMAGE002] ops\glances\docker-compose.yml :: glances: Image uses a latest tag but is digest-pinned and documented as an exception.
|
||||
- [IMAGE002] ops\scrutiny\docker-compose.yml :: scrutiny: Image uses a latest tag but is digest-pinned and documented as an exception.
|
||||
- [PRIV001] ops\scrutiny\docker-compose.yml :: scrutiny: Privileged mode is a documented exception.
|
||||
- [PORT001] traefik\docker-compose.yml :: traefik: Allowed host port mapping: 80:80
|
||||
- [PORT001] traefik\docker-compose.yml :: traefik: Allowed host port mapping: 443:443
|
||||
|
||||
Reference in New Issue
Block a user