Dagda

A tool for static analysis of vulnerabilities and malware in Docker images and monitoring Docker containers for anomalous activities.

Multi-Cloud Open Source Self Hosted + Cloud Options
Category Container & Kubernetes Security
Community Stars 1164
Last Commit 3 years ago
Last page update 18 days ago
Pricing Details Free and open-source
Target Audience DevOps teams, security professionals, and developers managing Docker containers.

Dagda is designed to identify vulnerabilities, malware, and anomalous activity in Docker images and running containers. It builds its own vulnerability knowledge base by importing known vulnerabilities (CVEs, Bugtraq IDs (BIDs), Red Hat Security Advisories (RHSAs) and Red Hat Bug Advisories (RHBAs)) together with exploits from the Offensive Security Exploit Database (Exploit-DB) into a MongoDB instance, which is then queried during analysis. That import must be run (and periodically re-run) before the first scan, and the matching is done by package name and version, so a report can contain false positives that have to be reviewed and flagged.

For static analysis, Dagda inventories the software installed in a Docker image: the OS packages and the dependencies of software projects written in several languages (Java, Python, Node.js, JavaScript, Ruby, PHP). Package names and versions are matched against the MongoDB vulnerability database, and language dependencies are additionally analysed with OWASP Dependency-Check and Retire.js. Dagda also runs ClamAV over the image filesystem to detect trojans, viruses, and other malware in both images and containers; the detection quality there depends on the ClamAV signature database being current.

For runtime monitoring, Dagda integrates with Falco to detect anomalous behaviour in running Docker containers, and it also collects real-time events from the Docker daemon. Because Falco instruments the host kernel, the Falco integration requires the kernel headers matching the running kernel to be installed on the host OS (the Dagda documentation gives the package-manager commands for Debian-like and RHEL-like distributions). Every analysis report, whether from a static scan or from runtime monitoring, is stored in the MongoDB database so that results can be retrieved later and compared over time.

Key operational considerations are the requirement for MongoDB 3.6 or later, Python 3.8.x or later, Docker, and, only if Falco monitoring is used, the matching kernel headers. Dagda supports images based on Red Hat/CentOS/Fedora, Debian/Ubuntu, OpenSUSE, and Alpine. It can be driven from a CLI or from a REST API, which makes it straightforward to call from CI pipelines and existing security workflows. Since the last commit is three years old (see above), check before relying on it that the external vulnerability feeds the database import pulls from are still reachable and that the imported data is not stale.
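As an added example (not part of the page or of Dagda's own code), the script below turns a Dagda static-analysis report into a CI pass/fail decision: it skips entries flagged as false positives, lists the remaining vulnerable OS and language packages with their identifiers, lists any ClamAV malware hits, and fails the build on any finding. The report shape used here (`static_analysis.os_packages.os_packages_details`, `prog_packages_details`, `malware_binaries`, `is_vulnerable`, `is_false_positive`, and vulnerability entries keyed by source such as `{"CVE": {"cveid": ...}}`) is my recollection of the JSON that `python3 dagda.py check --docker_image <image>` followed by `python3 dagda.py history <image> --id <id>` returns; treat those field names as assumptions and check them against a report from your own Dagda version. The sample report embedded in the script is constructed for this example, and the `fetch_history` helper assumes the `GET /v1/history/<image>?id=<id>` REST endpoint.

```python
"""CI gate over a Dagda static-analysis report (added example, not Dagda code).

Assumptions (not from the page): report field names mirror Dagda's `check`
output as recalled by the author of this example; verify them against a real
report. SAMPLE_REPORT is a constructed sample, not real scanner output.
"""
import json
import sys
import urllib.request

# Constructed sample in the shape of a Dagda report (not real output).
SAMPLE_REPORT = json.dumps({
    "image_name": "example/webapp:1.0",
    "status": "Completed",
    "static_analysis": {
        "os_packages": {
            "total_os_packages": 3, "vuln_os_packages": 2, "ok_os_packages": 1,
            "os_packages_details": [
                {"product": "openssl", "version": "1.0.1e", "is_vulnerable": True,
                 "is_false_positive": False,
                 "vulnerabilities": [{"CVE": {"cveid": "CVE-2014-0160"}}]},
                # Flagged by a reviewer as a false positive: must be skipped.
                {"product": "bash", "version": "4.3", "is_vulnerable": True,
                 "is_false_positive": True,
                 "vulnerabilities": [{"CVE": {"cveid": "CVE-2014-6271"}}]},
                {"product": "zlib", "version": "1.2.11", "is_vulnerable": False,
                 "is_false_positive": False, "vulnerabilities": []},
            ],
        },
        "prog_packages": {
            "total_prog_packages": 1, "vuln_prog_packages": 1, "ok_prog_packages": 0,
            "prog_packages_details": [
                {"product": "requests", "version": "2.19.1", "is_vulnerable": True,
                 "is_false_positive": False,
                 "vulnerabilities": [{"CVE": {"cveid": "CVE-2018-18074"}}]},
            ],
        },
        # Constructed ClamAV hit (EICAR test file).
        "malware_binaries": [{"file": "/tmp/eicar.com", "malware": "Eicar-Test-Signature"}],
    },
})


def _vuln_ids(vulns):
    """Flatten entries like {"CVE": {"cveid": "CVE-..."}} into "SOURCE:ID".
    Prefers a nested key ending in "id"; falls back to the first string value."""
    ids = []
    for entry in vulns:
        for source, details in entry.items():
            if isinstance(details, dict):
                ident = next((v for k, v in details.items()
                              if k.lower().endswith("id") and isinstance(v, str)), None)
                if ident is None:
                    ident = next((v for v in details.values() if isinstance(v, str)), "?")
            else:
                ident = str(details)
            ids.append(f"{source}:{ident}")
    return ids


def summarize(report):
    """Collect actionable findings from a Dagda-style report dict."""
    static = report.get("static_analysis", {})
    vulnerable, skipped = [], 0
    for section, key in (("os_packages", "os_packages_details"),
                         ("prog_packages", "prog_packages_details")):
        for pkg in static.get(section, {}).get(key, []):
            if not pkg.get("is_vulnerable"):
                continue
            if pkg.get("is_false_positive"):
                skipped += 1  # reviewed and accepted; do not fail the build on it
                continue
            vulnerable.append({"product": pkg["product"], "version": pkg.get("version", "?"),
                               "ids": _vuln_ids(pkg.get("vulnerabilities", []))})
    malware = [f"{m['file']} ({m['malware']})" for m in static.get("malware_binaries", [])]
    return {"image": report.get("image_name", "?"), "vulnerable_packages": vulnerable,
            "false_positives_skipped": skipped, "malware": malware}


def gate(summary, max_vuln_packages=0, allow_malware=False):
    """True when the image passes policy: at most N vulnerable packages, no malware."""
    if summary["malware"] and not allow_malware:
        return False
    return len(summary["vulnerable_packages"]) <= max_vuln_packages


def fetch_history(base_url, image, report_id):
    """Fetch a stored report via the REST API (assumed endpoint, not exercised here)."""
    with urllib.request.urlopen(f"{base_url}/v1/history/{image}?id={report_id}") as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Usage: gate.py [report.json]; without an argument the constructed sample is used.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    s = summarize(json.loads(raw))
    for p in s["vulnerable_packages"]:
        print(f"VULN  {p['product']} {p['version']}: {', '.join(p['ids'])}")
    for m in s["malware"]:
        print(f"MALWARE {m}")
    print(f"{s['image']}: {len(s['vulnerable_packages'])} vulnerable package(s), "
          f"{s['false_positives_skipped']} false positive(s) skipped, {len(s['malware'])} malware hit(s)")
    sys.exit(0 if gate(s) else 1)
```

The policy is deliberately strict (zero vulnerable packages, no malware); relax `max_vuln_packages` only for findings that have been triaged, and prefer flagging them as false positives in Dagda so the exception lives in the report history rather than in the pipeline.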
