Docker Image Security Scanner

{
  "hookConfig": {
    "hooks": {
      "postToolUse": {
        "script": "./.claude/hooks/docker-image-security-scanner.sh",
        "matchers": [
          "write",
          "edit"
        ]
      }
    }
  },
  "scriptContent": "#!/usr/bin/env bash\n\n# Read the tool input from stdin\nINPUT=$(cat)\nTOOL_NAME=$(echo \"$INPUT\" | jq -r '.tool_name')\nFILE_PATH=$(echo \"$INPUT\" | jq -r '.tool_input.file_path // .tool_input.path // \"\"')\n\nif [ -z \"$FILE_PATH\" ]; then\n  exit 0\nfi\n\n# Configuration\nSECURITY_REPORT=\".claude/reports/docker-security-$(date +%Y%m%d).txt\"\nSEVERITY_THRESHOLD=${DOCKER_SCAN_SEVERITY:-HIGH}\nSCAN_ENABLED=${DOCKER_SECURITY_SCAN:-true}\n\nmkdir -p \"$(dirname \"$SECURITY_REPORT\")\"\n\n# Function to check if file is a Dockerfile\nis_dockerfile() {\n  local file=$1\n  [[ \"$file\" == *Dockerfile* ]] || [[ \"$file\" == *.dockerfile ]]\n}\n\n# Function to analyze Dockerfile for security issues\nanalyze_dockerfile_security() {\n  local dockerfile=$1\n  \n  echo \"🔍 Analyzing Dockerfile security practices: $dockerfile\" >&2\n  echo \"\" >> \"$SECURITY_REPORT\"\n  echo \"Dockerfile Security Analysis - $(date)\" >> \"$SECURITY_REPORT\"\n  echo \"========================================\" >> \"$SECURITY_REPORT\"\n  echo \"File: $dockerfile\" >> \"$SECURITY_REPORT\"\n  echo \"\" >> \"$SECURITY_REPORT\"\n  \n  local issues_found=0\n  \n  # Check for non-root user\n  if ! grep -i \"^USER\" \"$dockerfile\" >/dev/null 2>&1; then\n    echo \"⚠️ WARNING: No USER directive found (running as root)\" >&2\n    echo \"[SECURITY] Missing USER directive - container runs as root\" >> \"$SECURITY_REPORT\"\n    issues_found=$((issues_found + 1))\n  fi\n  \n  # Check for version pinning\n  if grep -i \"^FROM.*:latest\" \"$dockerfile\" >/dev/null 2>&1; then\n    echo \"⚠️ WARNING: Using :latest tag (not reproducible)\" >&2\n    echo \"[SECURITY] Base image uses :latest tag instead of pinned version\" >> \"$SECURITY_REPORT\"\n    issues_found=$((issues_found + 1))\n  fi\n  \n  # Check for COPY with broad wildcards\n  if grep -i \"COPY . \" \"$dockerfile\" >/dev/null 2>&1; then\n    echo \"💡 INFO: COPY . detected - ensure .dockerignore excludes secrets\" >&2\n    echo \"[INFO] Broad COPY directive - verify .dockerignore configuration\" >> \"$SECURITY_REPORT\"\n  fi\n  \n  # Check for hardcoded secrets\n  if grep -iE \"PASSWORD|SECRET|TOKEN|KEY.*=\" \"$dockerfile\" >/dev/null 2>&1; then\n    echo \"🚨 CRITICAL: Potential hardcoded secrets detected!\" >&2\n    echo \"[CRITICAL] Hardcoded credentials found - use build args or secrets\" >> \"$SECURITY_REPORT\"\n    issues_found=$((issues_found + 1))\n  fi\n  \n  # Check for HEALTHCHECK\n  if ! grep -i \"^HEALTHCHECK\" \"$dockerfile\" >/dev/null 2>&1; then\n    echo \"💡 INFO: No HEALTHCHECK directive (recommended for production)\" >&2\n    echo \"[INFO] Missing HEALTHCHECK - consider adding for production readiness\" >> \"$SECURITY_REPORT\"\n  fi\n  \n  # Check for minimal base images\n  if grep -iE \"FROM.*ubuntu|FROM.*debian\" \"$dockerfile\" >/dev/null 2>&1; then\n    echo \"💡 INFO: Consider using alpine or distroless for smaller attack surface\" >&2\n    echo \"[INFO] Full OS base image - consider alpine or distroless alternatives\" >> \"$SECURITY_REPORT\"\n  fi\n  \n  echo \"\" >> \"$SECURITY_REPORT\"\n  echo \"Issues found: $issues_found\" >> \"$SECURITY_REPORT\"\n  \n  return $issues_found\n}\n\n# Function to scan image with Trivy\nscan_with_trivy() {\n  local image=$1\n  \n  if ! command -v trivy &> /dev/null; then\n    echo \"💡 Install Trivy for comprehensive vulnerability scanning\" >&2\n    echo \"   brew install trivy (macOS)\" >&2\n    echo \"   apt install trivy (Debian/Ubuntu)\" >&2\n    return\n  fi\n  \n  echo \"🔒 Scanning image with Trivy: $image\" >&2\n  \n  echo \"\" >> \"$SECURITY_REPORT\"\n  echo \"Trivy Vulnerability Scan\" >> \"$SECURITY_REPORT\"\n  echo \"========================\" >> \"$SECURITY_REPORT\"\n  \n  # Run Trivy scan\n  trivy image --severity \"$SEVERITY_THRESHOLD\",CRITICAL \\\n    --format json \"$image\" 2>/dev/null | \\\n    jq -r '.Results[]? | .Vulnerabilities[]? | \"\\(.VulnerabilityID): \\(.Severity) - \\(.Title)\"' 2>/dev/null | \\\n    head -20 >> \"$SECURITY_REPORT\" || \\\n    echo \"✅ No vulnerabilities found at $SEVERITY_THRESHOLD or higher severity\" >> \"$SECURITY_REPORT\"\n  \n  # Get summary\n  local vuln_count=$(trivy image --severity CRITICAL,HIGH --format json \"$image\" 2>/dev/null | \\\n    jq '[.Results[]?.Vulnerabilities[]?] | length' 2>/dev/null || echo \"0\")\n  \n  if [ \"$vuln_count\" -gt 0 ]; then\n    echo \"\" >&2\n    echo \"🚨 Found $vuln_count HIGH/CRITICAL vulnerabilities in $image\" >&2\n    echo \"💡 Review full report: $SECURITY_REPORT\" >&2\n  else\n    echo \"✅ No critical vulnerabilities detected\" >&2\n  fi\n}\n\n# Function to scan with Docker Scout\nscan_with_docker_scout() {\n  local image=$1\n  \n  if ! docker scout version &> /dev/null 2>&1; then\n    echo \"💡 Docker Scout available in Docker Desktop 4.17+\" >&2\n    return\n  fi\n  \n  echo \"🔍 Scanning with Docker Scout: $image\" >&2\n  \n  echo \"\" >> \"$SECURITY_REPORT\"\n  echo \"Docker Scout Analysis\" >> \"$SECURITY_REPORT\"\n  echo \"=====================\" >> \"$SECURITY_REPORT\"\n  \n  docker scout cves \"$image\" --format json 2>/dev/null | \\\n    jq -r '.vulnerabilities[] | \"\\(.id): \\(.severity) - \\(.packageName)\"' 2>/dev/null | \\\n    head -15 >> \"$SECURITY_REPORT\" || \\\n    echo \"✅ Scout scan complete\" >> \"$SECURITY_REPORT\"\n}\n\n# Main execution\nif is_dockerfile \"$FILE_PATH\"; then\n  echo \"🐳 Dockerfile detected: $FILE_PATH\" >&2\n  \n  if [ \"$SCAN_ENABLED\" != \"true\" ]; then\n    echo \"ℹ️ Security scanning disabled (DOCKER_SECURITY_SCAN=false)\" >&2\n    exit 0\n  fi\n  \n  # Analyze Dockerfile best practices\n  analyze_dockerfile_security \"$FILE_PATH\"\n  \n  # Try to determine image name\n  IMAGE_NAME=$(grep -i \"^FROM\" \"$FILE_PATH\" | tail -1 | awk '{print $2}')\n  \n  if [ -n \"$IMAGE_NAME\" ]; then\n    echo \"📦 Base image: $IMAGE_NAME\" >&2\n    \n    # Check if Docker is available and daemon is running\n    if command -v docker &> /dev/null && docker info &> /dev/null 2>&1; then\n      # Pull image if not present\n      if ! docker image inspect \"$IMAGE_NAME\" &> /dev/null; then\n        echo \"📥 Pulling base image for scanning...\" >&2\n        docker pull \"$IMAGE_NAME\" >&2 2>/dev/null || \\\n          echo \"⚠️ Could not pull image for scanning\" >&2\n      fi\n      \n      # Run security scans\n      scan_with_trivy \"$IMAGE_NAME\"\n      scan_with_docker_scout \"$IMAGE_NAME\"\n    else\n      echo \"⚠️ Docker daemon not running - cannot scan images\" >&2\n    fi\n  fi\n  \n  # Display security best practices\n  echo \"\" >&2\n  echo \"🛡️ Docker Security Best Practices:\" >&2\n  echo \"   • Use specific version tags, not :latest\" >&2\n  echo \"   • Run containers as non-root user (USER directive)\" >&2\n  echo \"   • Use multi-stage builds to minimize image size\" >&2\n  echo \"   • Scan images regularly with Trivy or Docker Scout\" >&2\n  echo \"   • Keep base images updated and prefer minimal bases\" >&2\n  echo \"   • Never include secrets in images (use build secrets)\" >&2\n  \n  if [ -s \"$SECURITY_REPORT\" ]; then\n    echo \"\" >&2\n    echo \"📄 Full security report: $SECURITY_REPORT\" >&2\n  fi\nfi\n\nexit 0"
}