The first part of this blog series covers how THOR can be used to scan a Docker image. In the second part of this series, we will talk about how you can use THOR to scan running Docker containers. Now, consider this new use case: You want to check if your running Docker container was attacked by some Log4Shell exploit. To do this, we will show you how you can start THOR inside a running container!
- A running Docker container with a shell installed (e.g. sh, bash, …)
  - In this example we will use Alpine Linux
- THOR 🙂
  - In this example we will use Thor-Lite. However, for a real-world use case you should consider using the full Thor version (Thor vs Thor-lite).
Running THOR in a Docker container
First, we have to find the Docker ID of the container we want to check using:
This will list all Docker containers running on the current host.
Sidenote: The following should also work with all the other containerization platforms (e.g. podman, Kubernetes, OpenShift, etc.).
In this example, the Docker ID is 84d1624f0083. Now we copy the THOR files to the container:
docker cp thor/. 84d1624f0083:/thor
docker exec -it 84d1624f0083 /bin/sh
Inside the Docker container you can cd thor and start THOR:
These files contain all findings of the THOR scan.
docker cp 84d1624f0083:/thor/dffcea1e1fe9_files_md5s.csv .
docker cp 84d1624f0083:/thor/dffcea1e1fe9_thor_2023-04-26_0728.html .
docker cp 84d1624f0083:/thor/dffcea1e1fe9_thor_2023-04-26_0728.txt .
Note: You have to replace 84d1624f0083 with your Docker ID.
Lastly, to clean up your container, run the following:
docker exec -it 84d1624f0083 rm -rf thor
This will delete all files that were created in the earlier steps.
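The copy, scan, collect and clean-up steps above can be run as one non-interactive function, shown here as an added example that is not part of the original post. The scanner binary name is passed in by the caller because the post does not show it; `scan_container`, `filter_reports` and the `DOCKER` variable are names chosen for this example, and the report name pattern is inferred from the three file names shown above.

```shell
#!/bin/sh
# Added example: scan one running container with THOR and pull the reports.
# Usage: scan_container 84d1624f0083 ./thor <thor-binary> ./reports
# DOCKER may name another CLI that offers the same cp/exec verbs (assumption).
DOCKER="${DOCKER:-docker}"

# Keep only names that look like THOR output, based on the files in the post:
# <host>_files_md5s.csv, <host>_thor_<date>_<time>.html and .txt.
# The pattern allows no whitespace, so the names are safe to loop over.
filter_reports() {
    grep -E '^[A-Za-z0-9._-]+_(files_md5s\.csv|thor_[0-9_-]+\.(html|txt))$' || true
}

# scan_container <container-id> <local-thor-dir> <scanner-binary> <out-dir>
scan_container() {
    cid=$1 thor_dir=$2 scanner=$3 out_dir=$4
    # Reject anything that is not a plain container ID or name.
    case $cid in
        ''|*[!A-Za-z0-9_.-]*) echo "bad container id" >&2; return 2 ;;
    esac
    mkdir -p "$out_dir" || return 1
    "$DOCKER" cp "$thor_dir/." "$cid:/thor" || return 1
    # Remember the scanner's exit status, but always collect and clean up,
    # so a failed scan does not leave the scanner files in the container.
    rc=0
    "$DOCKER" exec -w /thor "$cid" "./$scanner" || rc=$?
    for f in $("$DOCKER" exec "$cid" ls /thor | filter_reports); do
        "$DOCKER" cp "$cid:/thor/$f" "$out_dir/" || rc=1
    done
    "$DOCKER" exec "$cid" rm -rf /thor || rc=1
    return "$rc"
}
```

Because the report names start with the container's hostname rather than the ID passed to `docker cp`, the function lists `/thor` and filters by suffix instead of hard-coding the file names.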