Last week I worked on the parser. I basically finished the parser, including a lot of tests that should cover every case possible, but maybe I missed something, and that's also what's coming up this week. This week I'm going to get probably 20 Dockerfiles from the most popular Docker images, run the parser against them and manually verify that they work.

I think it's going to be easier to just use plain text. The other thing that I worked on was the analyzer, so I basically created three rules that I wanted to begin with for validating a secure Dockerfile. The first one is to validate that no credentials are being copied over, so it just looks for these types of files. Currently it's static, so it just takes a look at whether these files are being copied, not whether they are actually present.

So if you do a COPY . to some directory, then this will obviously fail. That would be the next step: to actually parse which files are actually going to be copied. The second one is to prevent build arguments leaking sensitive information. If you use a build arg like an API token, that will get stored in the Docker image, so that's something that you don't want. And the last one is to verify that the last user is not root.

I looked at Hadolint to find more obvious rules. I didn't find them that quickly and I figured this is fine for now; once we have the data from Dockerfiles, we can find out what is actually leading to insecure Docker images.