CIS Docker Benchmark (Development SDK)
Target: Development Image | Profile: Level 1 - Container | Benchmark Ver: docker-cis-1.6.0
Compliance Scorecard
- Automated Score: 100% (based on 6 automated checks)
- Manual Review: 6 items require operational audit
- Blocking Failures: 0 critical configuration errors
Operational Context Required
All automated checks passed. The manual controls cannot be decided from the image alone and must be verified on the host where the SDK is executed; Content Trust, for example, is a client-side setting (DOCKER_CONTENT_TRUST=1 on the Docker client that pulls and runs the image), not a property of the image.
Detailed Audit Log
1. Automated Controls (Static Image Analysis)
| Status | ID | Control Description | Severity |
|---|---|---|---|
| Passed | 4.1 | Ensure a user for the container has been created | HIGH |
| Passed | 4.4 | Ensure images are scanned and rebuilt to include security patches | CRITICAL |
| Passed | 4.6 | Ensure HEALTHCHECK instructions have been added to the container image | LOW |
| Passed | 4.7 | Ensure update instructions are not used alone in the Dockerfile | HIGH |
| Passed | 4.9 | Ensure COPY is used instead of ADD | LOW |
| Passed | 4.10 | Ensure secrets are not stored in Dockerfiles | CRITICAL |
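The automated controls above are static checks over the build file. As an added example, not the audit tool's own code, the following Python script implements the five of them that can be decided from the Dockerfile text (4.1, 4.6, 4.7, 4.9, 4.10) and reports a pass percentage in the same shape as the scorecard. Control 4.4 requires a vulnerability scanner run against the built image and is deliberately left out. The two Dockerfiles it scans are constructed for illustration, and the secret-detection regex is a heuristic that will produce some false positives.

```python
"""Static Dockerfile checks for the CIS Docker Benchmark 4.x image controls that can
be decided from the build file alone (added example, not the audit tool's own code)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    control: str
    status: str   # "Passed" or "Failed"
    detail: str


def parse_instructions(dockerfile: str):
    """Yield (INSTRUCTION, arguments) pairs: joins backslash continuations, drops comments."""
    joined = re.sub(r"\\[ \t]*\n", " ", dockerfile)
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")


PKG = r"(?:apt-get|apt|apk|yum|dnf|zypper)"
UPDATE_RE = re.compile(rf"\b{PKG}\s+(?:update|upgrade)\b")
INSTALL_RE = re.compile(rf"\b{PKG}\s+(?:install|add)\b")
# Variable names that usually carry credentials, followed by a literal value.
# Heuristic: expect false positives (e.g. TOKEN_URL) and review hits by hand.
SECRET_KEY_RE = re.compile(
    r"(?i)\b\w*(?:passw(?:or)?d|secret|api[_-]?key|token|private[_-]?key)\w*\s*(?:=|\s)\s*\S")
PEM_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def audit_dockerfile(dockerfile: str) -> dict:
    """Return {control_id: Finding} for controls 4.1, 4.6, 4.7, 4.9 and 4.10.
    4.4 (scan and rebuild for patches) needs a scanner run against the built
    image, so it is not attempted here."""
    ins = list(parse_instructions(dockerfile))
    f = {}

    # 4.1: the last USER in effect must not be root (no USER at all means root).
    users = [arg for name, arg in ins if name == "USER"]
    uid = users[-1].split(":")[0].strip() if users else ""
    ok = uid not in ("", "root", "0")
    f["4.1"] = Finding("4.1", "Passed" if ok else "Failed",
                       f"USER={uid or '<unset, defaults to root>'}")

    # 4.6: a HEALTHCHECK must be declared and not disabled with NONE.
    hcs = [arg for name, arg in ins if name == "HEALTHCHECK"]
    ok = bool(hcs) and hcs[-1].upper() != "NONE"
    f["4.6"] = Finding("4.6", "Passed" if ok else "Failed", f"{len(hcs)} HEALTHCHECK instruction(s)")

    # 4.7: a package-index update must sit in the same RUN as the install it serves;
    # a lone 'apt-get update' layer is cached and later installs pull stale indexes.
    lonely = [arg for name, arg in ins
              if name == "RUN" and UPDATE_RE.search(arg) and not INSTALL_RE.search(arg)]
    f["4.7"] = Finding("4.7", "Failed" if lonely else "Passed", "; ".join(lonely) or "no lone update")

    # 4.9: ADD fetches remote URLs and auto-extracts archives; COPY does neither.
    adds = [arg for name, arg in ins if name == "ADD"]
    f["4.9"] = Finding("4.9", "Failed" if adds else "Passed", "; ".join(adds) or "no ADD")

    # 4.10: credential-looking literals in ENV/ARG, or an embedded PEM key anywhere.
    leaks = [f"{name} {arg}" for name, arg in ins
             if name in ("ENV", "ARG") and SECRET_KEY_RE.search(arg)]
    leaks += [f"{name} <PEM private key>" for name, arg in ins if PEM_RE.search(arg)]
    f["4.10"] = Finding("4.10", "Failed" if leaks else "Passed", "; ".join(leaks) or "no secrets")
    return f


def score(findings: dict) -> int:
    """Percentage of controls that passed, rounded to an integer."""
    passed = sum(1 for x in findings.values() if x.status == "Passed")
    return round(100 * passed / len(findings))


# Constructed sample build files for illustration (not from any real project).
BAD_DOCKERFILE = """\
FROM python:3.12-slim
ENV API_KEY=sk-live-123
RUN apt-get update
RUN apt-get install -y curl
ADD app.tar.gz /opt/app/
CMD ["python", "/opt/app/main.py"]
"""

GOOD_DOCKERFILE = """\
FROM python:3.12-slim
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
RUN useradd --create-home --uid 10001 app
COPY --chown=app:app app/ /opt/app/
USER app
HEALTHCHECK --interval=30s CMD curl -f http://localhost:8080/healthz || exit 1
CMD ["python", "/opt/app/main.py"]
"""

if __name__ == "__main__":
    for label, df in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        findings = audit_dockerfile(df)
        print(f"{label}: {score(findings)}%")
        for x in findings.values():
            print(f"  {x.control} {x.status}: {x.detail}")
```

Run it against a real build file with `audit_dockerfile(open("Dockerfile").read())`. The constructed bad file fails all five controls (score 0%); the hardened file passes all five (100%). Note that 4.1 only proves a non-root USER is declared in the Dockerfile; whether that user actually exists in the image filesystem is confirmed at runtime, and setuid/setgid cleanup (4.8) still has to be checked inside the built image.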
2. Manual / Host-Level Controls (Out-of-Scope)
| Status | ID | Control Description | Severity |
|---|---|---|---|
| Manual | 4.2 | Ensure that containers use only trusted base images | HIGH |
| Manual | 4.3 | Ensure unnecessary packages are not installed in the container | HIGH |
| Manual | 4.5 | Ensure Content trust for Docker is Enabled | LOW |
| Manual | 4.8 | Ensure setuid and setgid permissions are removed in the images | HIGH |
| Manual | 4.11 | Ensure only verified packages are installed | MEDIUM |
| Manual | 4.12 | Ensure all signed artifacts are validated | MEDIUM |
Audit Legend
- Passed: the control is satisfied by the image's static configuration (Dockerfile instructions and layer metadata).
- Failed: a violation was detected in the image layers.
- Manual: the control cannot be decided from the image alone; verifying it on the host or cluster where the image runs is the responsibility of the infrastructure/cluster administrator.