- New guide on container security best practices

- MDX plugin to show snippets of code from external files

docs/guides/software-lifecycle/security/container-security/.pre-commit-config.yml

@@ -0,0 +1,7 @@
+repos:
+  - repo: local
+    hooks:
+      - id: docker-scout-cve-scan
+        name: Docker Scout CVE Scan
+        entry: docker scout cves fs://.
+        language: system

docs/guides/software-lifecycle/security/container-security/README.mdx

@@ -0,0 +1,100 @@
+import CodeBlock from '@theme/CodeBlock';
+import PreCommitConfigSource from '!!raw-loader!./.pre-commit-config.yml';
+import DependabotSource from '!!raw-loader!./dependabot.yml';
+
+# Container Security
+
+<pre align="center">Comprehensive guide to scanning container images for security vulnerabilities using pre-commit hooks and automated repository scanning tools.</pre>
+
+![banner-image](/img/container-security-screen.png)
+
+## Introduction
+
+**Background**: Container security is crucial for ensuring that your applications and services run in a secure environment. Containers encapsulate software and dependencies, providing consistency across environments. However, they also carry the risk of vulnerabilities within the base images or dependencies. This guide will help you establish a secure environment by implementing proactive vulnerability scanning. By using pre-commit hooks and repository-level automated scanning, you'll be able to identify security issues early, before they impact production.
+
+**Use Cases**:
+- Running vulnerability scans for all containers at the development stage
+- Ensuring that base images used in CI/CD pipelines are free from known vulnerabilities
+- Automating container vulnerability scans in repositories hosting container images
+
+---
+
+## Prerequisites
+**Software:**
+- Docker containers
+- `pre-commit` framework
+- Docker Hub or GitHub Dependabot
+
+**Skills:**
+- Basic understanding of Git hooks and Docker commands
+- Familiarity with YAML files for pre-commit configuration
+
+---
+
+## Quick Start
+**⬇️ [.pre-commit-config.yml](.pre-commit-config.yml)**
+
+Download the file above to access the pre-commit configuration file, which includes an example hook for Docker Scout vulnerability scanning. The file should be placed within your local Git repository. You'll want to ensure you have the [pre-commit](https://pre-commit.com) framework installed. 
+
+**⬇️ [dependabot.yml](dependabot.yml)**
+
+Download the file above to access the recommended `dependabot.yml` file, which configures a GitHub dependabot deployment to perform Docker vulnerability scanning. The file should be placed within `.github/dependabot.yml`. You'll want to ensure you have dependabot configured - see our [GitHub Security Best Practices](/docs/guides/software-lifecycle/security/github-security/README.md) guide for details. 
+
+---
+
+## Step-by-Step Guide
+
+### Step 1: Setup Automated Local Scanning of Container Vulnerabilities
+1. Install the pre-commit framework via Python:
+   ```bash
+   pip install pre-commit
+   ```
+2. Initialize pre-commit in your repository:
+   ```bash
+   pre-commit install
+   ```
+3. Create a `.pre-commit-config.yaml` file in the root directory of your Git repository with the following content:
+   <CodeBlock language="yaml">{PreCommitConfigSource}</CodeBlock>
+
+   NOTE: you'll need a DockerHub account to run the `docker scout` tool. Note that this command will compare a local scan's results with Docker's database. See more information [here](https://docs.docker.com/scout/quickstart/).
+
+### Step 2: Set Up Automated Repository Scanning
+- **Docker Hub**:
+   - Push your images to Docker Hub, where automatic scans are enabled by default.
+
+- **GitHub**:
+   - Leverage Dependabot to perform automated scans of containers (Docker) at a prescribed schedule.
+   - Example `.github/dependabot.yml` file contents:
+   <CodeBlock language="yaml">{DependabotSource}</CodeBlock>
+
+---
+
+## Frequently Asked Questions (FAQ)
+
+**Q: What happens if the pre-commit scan finds vulnerabilities?**
+
+A: The pre-commit hook will prevent you from committing your changes until vulnerabilities are resolved. It's your responsibility to resolve the issue given the recommendations.
+
+**Q: What if I want to skip the pre-commit scan temporarily?**
+
+A: Use the `--no-verify` flag with the `git commit` command to bypass the hook, though this is not recommended.
+
+**Q: Is it possible to run vulnerability scans without pre-commit hooks?**
+
+A: Yes, you can incorporate scans into your CI/CD pipeline or use repository scanning tools like Docker Hub or Dependabot, though this poses the risk of having code pushed to other developers that may be vulnerable.
+
+---
+
+## Credits 
+
+**Authorship**:
+- [Rishi Verma](https://www.github.com/riverma)
+
+**Acknowledgements**:
+* OPERA SDS Project for implementation guidance
+
+---
+
+## Feedback and Contributions
+
+We welcome feedback and contributions to help improve and grow this guide. Please see our [contribution guidelines](https://nasa-ammos.github.io/slim/docs/contribute/contributing/).

docs/guides/software-lifecycle/security/container-security/dependabot.yml

@@ -0,0 +1,8 @@
+version: 2
+updates:
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: 'daily'
+    labels:
+      - 'dependencies'

package.json

@@ -21,6 +21,7 @@
     "bootstrap": "^5.3.0",
     "clsx": "^1.2.1",
     "prism-react-renderer": "^1.3.5",
+    "raw-loader": "^4.0.2",
     "react": "^17.0.2",
     "react-bootstrap": "^2.8.0",
     "react-dom": "^17.0.2"

yarn.lock

@@ -6525,6 +6525,14 @@ [email protected]:
     iconv-lite "0.4.24"
     unpipe "1.0.0"
 
+raw-loader@^4.0.2:
+  version "4.0.2"
+  resolved "https://registry.yarnpkg.com/raw-loader/-/raw-loader-4.0.2.tgz#1aac6b7d1ad1501e66efdac1522c73e59a584eb6"
+  integrity sha512-ZnScIV3ag9A4wPX/ZayxL/jZH+euYb6FcUinPcgiQW0+UBtEv0O6Q3lGd3cqJ+GHH+rksEv3Pj99oxJ3u3VIKA==
+  dependencies:
+    loader-utils "^2.0.0"
+    schema-utils "^3.0.0"
+
 [email protected], rc@^1.2.8:
   version "1.2.8"
   resolved "https://registry.yarnpkg.com/rc/-/rc-1.2.8.tgz#cd924bf5200a075b83c188cd6b9e211b7fc0d3ed"