diff --git a/playbooks/docker-security-audit.md b/playbooks/docker-security-audit.md index fc5f394..28d0581 100644 --- a/playbooks/docker-security-audit.md +++ b/playbooks/docker-security-audit.md @@ -147,9 +147,17 @@ After all scans are complete for this image: After all images are scanned, generate the following files. All output goes into a timestamped folder: -**Folder:** `reports/audit-/` +**Folder structure:** -Create this folder before writing any files. If it already exists, continue writing into it. +``` +reports/audit-/ + audit-.md ← overview report + / ← one folder per image (name only, no tag, slashes replaced with -) + -.md ← per-image detail report + sbom--.json ← SBOM +``` + +Create `reports/audit-/` and each per-image subfolder before writing any files. If folders already exist, continue writing into them. --- @@ -163,7 +171,7 @@ This is the top-level summary. It must link to each per-image detail file. | Image | CRITICAL | HIGH | MEDIUM | LOW | Secrets | Misconfigs | Hadolint | Status | Removed | Detail File | |---|---|---|---|---|---|---|---|---|---|---| -| image:tag | 0 | 0 | 0 | 0 | 0 | 0 | 0 | ACTIVE/NOT ACTIVE | YES/NO/FAILED | [image-name.md](image-name.md) | +| image:tag | 0 | 0 | 0 | 0 | 0 | 0 | 0 | ACTIVE/NOT ACTIVE | YES/NO/FAILED | [image-name/image-name-tag.md](image-name/image-name-tag.md) | #### Critical & High Findings (All Images) 
@@ -198,9 +206,12 @@ After all findings: ### File 2 — Per-Image Detail Reports -**Filename per image:** `reports/audit-/-.md` +**Filename per image:** `reports/audit-//-.md` -- Replace `:` and `/` in the image name with `-` to form a safe filename (e.g. `nginx-latest.md`, `myrepo-myapp-1.2.3.md`) +- `` is the image name only — no tag, slashes replaced with `-` (e.g. `nginx`, `myrepo-myapp`) +- `` is the image tag (e.g. `latest`, `1.2.3`) +- Example: `nginx:latest` → `reports/audit-2026-03-22/nginx/nginx-latest.md` +- Example: `myrepo/myapp:1.2.3` → `reports/audit-2026-03-22/myrepo-myapp/myrepo-myapp-1.2.3.md` - Generate one file per image — do not combine images into a single detail file Each per-image file must include: @@ -272,10 +283,10 @@ List any unknown or restrictive licenses flagged by Trivy. Note the SBOM filename saved alongside this report: -`SBOM saved: reports/audit-/sbom--.json` +`SBOM saved: reports/audit-//sbom--.json` Update the SBOM output path to match this folder: -`trivy image --format cyclonedx --output reports/audit-/sbom--.json ` +`trivy image --format cyclonedx --output reports/audit-//sbom--.json ` #### Cleanup
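Review bot: In the `@@ -147` hunk, the per-image folder rule ("name only, no tag, slashes replaced with -") can produce collisions and leaves other characters undefined. `myrepo/myapp` and an image literally named `myrepo-myapp` both map to the folder `myrepo-myapp`, so one image's report and SBOM would silently overwrite the other's; the rule should either state that such collisions abort the run or include the tag/digest in the folder name. The rule also only mentions `/`; image references can carry a registry host with a port (e.g. `localhost:5000/app`) or a digest (`@sha256:…`), so spell out the replacement for `:` and `@` as well, and say what happens when the reference has no tag at all, since `-.md` would then be malformed.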
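Review bot: In the `@@ -163` hunk, the "Detail File" column now contains a relative link `[image-name/image-name-tag.md](image-name/image-name-tag.md)`, which only resolves if the overview file sits directly in `reports/audit-/` as the new folder tree describes; state that the link is relative to the audit folder so a reader rendering the overview elsewhere knows why it breaks. The link text duplicating the full path is also harder to scan than the table warrants; consider `[detail](image-name/image-name-tag.md)` or just the file name as text.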
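Review bot: In the `@@ -198` hunk, the two new bullet items begin with empty inline-code spans (`` `` `` is the image name only …`` and `` `` `` is the image tag …``), so the placeholder tokens the filename pattern `//-.md` relies on are never named; the reader cannot tell which token is the sanitized name and which the tag. Spell the placeholders out in the pattern and in both bullets. The two worked examples are good, but they hard-code the date `2026-03-22` while the folder pattern in the same playbook uses a timestamp placeholder; a third example for an image with a registry host (e.g. `registry.example.com/team/app:1.0`) would show how the host is folded into the folder name, which the current rule leaves ambiguous.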
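Review bot: In the `@@ -272` hunk, the updated `trivy image --format cyclonedx --output reports/audit-//sbom--.json ` command ends with a trailing space and no image reference, so as written it has nothing to scan; the image argument should follow `--output <path>`. Since `--output` takes a file path, the per-image subfolder has to exist before this command runs, which is consistent with the `@@ -147` hunk's "create each per-image subfolder before writing any files", but it is worth restating here because this is the first command in the playbook that actually writes into the subfolder. The `SBOM saved:` line above it should use exactly the same path expression as the command so the two cannot drift apart.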