๐ŸณDocker

This page collects Docker SAST rules, grouped by category: Vulnerability, Bug, Code Smell and Security Hotspot.

Code Smell

1. Descriptive labels are mandatory

Issue: raised when one of the mandatory labels is missing. Labels help to organise images by project, record licensing, support automation and serve similar purposes.

Non-compliant solution:

```dockerfile
FROM ubuntu:22.04
RUN my_command
```

Compliant solution:

```dockerfile
FROM ubuntu:22.04
LABEL maintainer="shubhendu"
LABEL description="Image is for testing"
LABEL version="1.0"
RUN my_command
```
2. Arguments in long RUN instructions should be sorted

In a Dockerfile, the arguments of a long RUN instruction (typically the package list of an `apt-get install`, `apk add` or similar command) should be sorted alphabetically whenever the command does not depend on their order.

This makes the instruction easier to read and review, keeps changes to the list easy to track in diffs, and helps avoid duplicated or forgotten entries.

The non-compliant form lists the packages in arbitrary order; the compliant form lists the same packages alphabetically.
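Added example (not from the original page or from the rule's own documentation) showing the rule on an `apt-get install` list; both variants are written as separate stages of one file so they can be compared, and the package set is a constructed sample:

```dockerfile
# Non-compliant: the package list is in arbitrary order, so a reviewer cannot
# see at a glance whether a package is present, missing or listed twice
# (curl appears twice here and the duplicate is easy to miss)
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y --no-install-recommends \
        vim \
        curl \
        git \
        ca-certificates \
        curl \
    && rm -rf /var/lib/apt/lists/*

# Compliant: the same packages sorted alphabetically, one per line; a new
# package has exactly one place to go and duplicates end up adjacent
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        git \
        vim \
    && rm -rf /var/lib/apt/lists/*
```

The rule only applies where order is irrelevant to the command, as it is for a package list. A chained `RUN cd /src && ./configure && make && make install` must keep its order, and sorting it would break the build.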

Security Hotspot

1. Delivering code in production with debug features activated is security-sensitive

Why?

Debug instructions and verbose error messages can leak detailed information about the system, such as the application's installation path, file names, stack traces or configuration values, which helps an attacker map the target.

Ask the following before deploying the application to end users; if the answer to any question is "yes" there is a potential risk:

The code or configuration enabling the application's debug features is deployed on production servers or distributed to end users.
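Added example (not from the original page) of what this hotspot looks like in a Dockerfile: a debug switch set with ENV is baked into the image and inherited by every container and every derived image. The application layout (`app.py`, a Flask app served with `flask run`) is an assumption made for the example; `FLASK_DEBUG` is Flask's real debug-mode variable.

```dockerfile
# Non-compliant: the debug switch is part of the image, so every container
# started from it runs the application with debug features enabled
FROM python:3.12-slim
WORKDIR /app
RUN pip install --no-cache-dir flask
COPY app.py .
ENV FLASK_APP=app.py \
    FLASK_DEBUG=1
EXPOSE 5000
CMD ["flask", "run", "--host=0.0.0.0"]

# Compliant: debug is off in the image; a developer who needs it enables it
# explicitly for one local container (docker run -e FLASK_DEBUG=1 ...)
FROM python:3.12-slim
WORKDIR /app
RUN pip install --no-cache-dir flask
COPY app.py .
ENV FLASK_APP=app.py \
    FLASK_DEBUG=0
EXPOSE 5000
CMD ["flask", "run", "--host=0.0.0.0"]
```

With `FLASK_DEBUG=1`, an unhandled exception returns a page with the full traceback, source excerpts and local variables, plus the Werkzeug interactive console; bound to `0.0.0.0` inside a published container, that page is reachable by anyone who can reach the port. The same pattern applies to other stacks (`NODE_ENV=development`, `APP_DEBUG=true`, `DEBUG=True`). To check what an existing image bakes in, `docker inspect --format '{{.Config.Env}}' image:tag` prints its environment.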

2. Running containers as a privileged user is security-sensitive

Running containers as a privileged user weakens their runtime security: any user whose code runs in the container can perform administrative actions, and a vulnerability in the application hands the attacker root inside the container immediately, which makes a container escape far easier. In Linux containers the privileged user is usually named root; in Windows containers the equivalent is ContainerAdministrator. Unless the Dockerfile switches to another account with a USER instruction (or the runtime overrides the user), the container's main process runs as this privileged account.

Questions to be asked (there is a security risk if the answer to any of them is "yes"):

The server's services are accessible from the Internet.

Solution: create a dedicated unprivileged user in the image and switch to it with a USER instruction before the CMD or ENTRYPOINT, so that the application process never runs as root (or as ContainerAdministrator on Windows).
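Added example (not from the original page) of the fix in a Dockerfile. The application (a Node service started from `server.js`), the user name `app` and the uid 10001 are assumptions chosen for the example; the shell commands are standard GNU `groupadd`/`useradd` options available in the Debian-based image used here.

```dockerfile
# Non-compliant: no USER instruction, so the service starts as root (uid 0)
FROM node:20-slim
WORKDIR /app
COPY package*.json ./
RUN npm ci --omit=dev
COPY . .
CMD ["node", "server.js"]

# Compliant: create an unprivileged system user with a fixed numeric uid,
# give it write access only to the directory it actually needs, and switch
# to it before the process starts
FROM node:20-slim
WORKDIR /app
COPY package*.json ./
RUN npm ci --omit=dev
COPY . .
RUN groupadd --system --gid 10001 app \
    && useradd --system --uid 10001 --gid app --no-create-home \
               --shell /usr/sbin/nologin app \
    && mkdir -p /app/data \
    && chown app:app /app/data
# Numeric uid rather than a name: Kubernetes can then enforce runAsNonRoot,
# which rejects images whose USER is a non-numeric name it cannot verify
USER 10001
CMD ["node", "server.js"]
```

`docker inspect --format '{{.Config.User}}' image:tag` shows the configured user; an empty value means the image runs as root. Many official images already ship a non-root account (for instance `node` in the Node images) that can be selected with `USER node` instead of creating one; on Windows the built-in unprivileged account is selected with `USER ContainerUser`. The runtime can also override the account (`docker run --user 10001:10001`), but a non-root USER in the image is the default that protects every deployment.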
