This project is an operationalized PIQUE model for the assessment of quality in docker images.
Because of the various development environment challenges when dealing with numerous 3rd party applications, this project is also provided as a packaged standalone docker image. That image is available here.
These tools and 3rd party libraries will be automatically pulled with the docker image:
- Grype version 0.72.0
- Trivy version 0.59.1
- Dive version 0.12.0
- Maven version 3.9.6
- PIQUE-core version 1.0.1
The dockerfile has been designed to easily adjust version information as new versions are released.
docker engine 20.10.24 (not tested with versions 21+)
The image for this project is hosted on dockerhub here. Instructions to download and run are supplied below.
It is important to note that the docker image cannot be run without the msusel/nvd-mirror image. A docker-compose file is provided that handles this; see Running below.
It is not suggested to run PIQUE-cloud-dockerfile without the pre-built docker image, but all files and configs are supplied on this repository.
- If not already installed on your system, download and install Docker engine
- Configure docker group (no sudo required) Instructions here
- Navigate to a working directory for this project
- Run the following command to download the docker-compose file:
curl -o docker-compose.yml https://raw.githubusercontent.com/MSUSEL/msusel-pique-cloud-dockerfile/refs/heads/master/docker-compose.yml
- Create two directories, 'input' and 'output', inside the working directory.
- Create a file named 'docker-image-target.json' and place it in the 'input' directory.
- Copy and paste the contents of the targets file to 'docker-image-target.json'
- Modify 'docker-image-target.json' to target the docker images to be analyzed.
- The resulting directory structure should look like this:
├── $WORKDIR
│ ├── input
│ │ ├── docker-image-target.json
│ ├── output
- Run the command
docker compose up
- Results will be generated in the 'output' directory
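A pre-flight check for the working directory built in the steps above, to run before `docker compose up`. This is an added example, not part of the project; the function names are hypothetical, and it treats any Docker Engine major version above 20 as untested, following the version note above.

```shell
#!/bin/sh
# Added example: pre-flight checks for the PIQUE-cloud working directory.
# Function names are hypothetical; nothing here ships with the project.

# Succeeds only for Docker Engine major versions up to 20, since the page
# lists 20.10.24 as the tested engine and marks 21+ as untested.
engine_version_tested() {
    major=${1%%.*}
    case $major in
        ''|*[!0-9]*) return 2 ;;   # not a version string
    esac
    [ "$major" -le 20 ]
}

# Verifies the layout from the steps above: docker-compose.yml, input/ with a
# non-empty docker-image-target.json, and a writable output/ directory.
check_layout() {
    dir=$1
    rc=0
    [ -s "$dir/docker-compose.yml" ] ||
        { echo "missing: docker-compose.yml" >&2; rc=1; }
    [ -d "$dir/input" ] ||
        { echo "missing: input/" >&2; rc=1; }
    [ -s "$dir/input/docker-image-target.json" ] ||
        { echo "missing or empty: input/docker-image-target.json" >&2; rc=1; }
    { [ -d "$dir/output" ] && [ -w "$dir/output" ]; } ||
        { echo "missing or not writable: output/" >&2; rc=1; }
    return $rc
}

# Layout problems are fatal; an untested engine version is only a warning.
preflight() {
    check_layout "$1" || return 1
    ver=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || {
        echo "docker engine not reachable" >&2; return 1; }
    engine_version_tested "$ver" ||
        echo "warning: engine $ver is newer than the tested 20.10.24" >&2
    return 0
}

# Runs only when a working directory is passed, e.g.: sh preflight.sh "$PWD"
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```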