🐳Docker

This page contains Docker SAST rules, grouped into the categories Vulnerability, Bug, Code Smell and Security Hotspot.

Code Smell

1. Descriptive Labels are Mandatory

Issue: one of the mandatory labels is missing. Labels help to organise images by project, record licensing, aid automation, and serve other purposes.

// Non-compliant solution

FROM ubuntu:22.02
RUN my_command

// Compliant solution

FROM ubuntu:22.02
LABEL maintainer="shubhendu"
LABEL description="Image is for testing"
LABEL version=1.0
RUN my_command
2. Arguments in long RUN instructions should be sorted

In a Dockerfile, the arguments of a RUN command (for example the package names passed to a package manager) should be sorted alphabetically whenever the command itself does not enforce an order.

This practice enhances readability, makes modifications easier to track, and helps prevent potential errors.

// Non-compliant Solution 

FROM ubuntu:20.04

RUN apt-get update && apt-get install -y \
    unzip \
    wget \
    curl \
    git \
    zip
// Non-compliant Solution 

FROM alpine:3.12

RUN apk add unzip wget curl git zip

Here the packages are not in alphabetical order, so let's look at the compliant solution.

// Compliant Solution 

FROM ubuntu:20.04

RUN apt-get update && apt-get install -y \
    curl \
    git \
    unzip \
    wget \
    zip
// Compliant Solution 

FROM alpine:3.12

RUN apk add curl git unzip wget zip

Security Hotspot

1. Delivering code in production with debug features activated is security-sensitive

Why?

Debug instructions or error messages can leak detailed information about the system, such as the application's path or file names.

Ask the following question before deploying the application to end users; if the answer is "YES", there is a potential risk:

The code or configuration enabling the application's debug features is deployed on production servers or distributed to end users.

// Non-compliant solution 

FROM example
# Sensitive
ENV APP_DEBUG=true
# Sensitive
ENV ENV=development
CMD /run.sh
// Compliant Solution 

FROM example
ENV APP_DEBUG=false
ENV ENV=production
CMD /run.sh
2. Running containers as a privileged user is security-sensitive

Running containers as a privileged user weakens their runtime security, allowing any user whose code runs in the container to perform administrative actions. In Linux containers, the privileged user is usually named root. In Windows containers, the equivalent is ContainerAdministrator.

Questions to be asked

The server or service is accessible from the Internet.

There is a security risk if the answer to any question is "YES".

Solution:
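To make the four rules on this page concrete, here is an added example in Python (not part of the original page, and not the SAST tool's own implementation): a small checker that parses a Dockerfile and reports findings for missing mandatory labels, unsorted package lists in RUN, debug settings in ENV, and a privileged (or absent) USER. The mandatory label set (maintainer, description, version) is assumed from the compliant example above, the flagged ENV values are the ones this page marks as sensitive, the rule against the default user assumes root when no USER instruction is present, and the two sample Dockerfiles are constructed from the page's snippets.

```python
"""Tiny Dockerfile rule checker covering the four rules on this page.

Constructed for illustration; the rule set and thresholds are assumptions
modelled on the page's examples, not a SAST tool's real implementation.
"""
import shlex

REQUIRED_LABELS = {"maintainer", "description", "version"}    # assumed from the compliant example
DEBUG_SETTINGS = {"APP_DEBUG": "true", "ENV": "development"}  # values the page marks as sensitive
PRIVILEGED_USERS = {"root", "0", "containeradministrator"}   # Linux root and the Windows equivalent


def parse_instructions(text):
    """Return [(INSTRUCTION, arguments)] with comments dropped and '\\' continuations joined."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):               # continuation: keep collecting
            buf += line[:-1] + " "
            continue
        buf += line
        name, _, args = buf.partition(" ")
        instructions.append((name.upper(), args.strip()))
        buf = ""
    return instructions


def _key_values(args):
    """Split 'k=v k2="v 2"' (and the legacy 'KEY value' ENV form) into a dict."""
    tokens = shlex.split(args)                # shlex handles quoted values
    if tokens and "=" not in tokens[0]:
        return {tokens[0]: " ".join(tokens[1:])}
    return dict(tok.split("=", 1) for tok in tokens if "=" in tok)


def check_labels(instructions):
    """Rule 1 (Code Smell): every mandatory label must be present."""
    present = set()
    for name, args in instructions:
        if name == "LABEL":
            present.update(k.lower() for k in _key_values(args))
    return [f"missing mandatory label: {m}" for m in sorted(REQUIRED_LABELS - present)]


def check_sorted_packages(instructions):
    """Rule 2 (Code Smell): packages in 'apt-get install' / 'apk add' must be alphabetical."""
    findings = []
    for name, args in instructions:
        if name != "RUN":
            continue
        for segment in args.split("&&"):
            tokens = segment.split()
            if tokens[:2] not in (["apt-get", "install"], ["apk", "add"]):
                continue
            packages = [t for t in tokens[2:] if not t.startswith("-")]   # skip flags like -y
            if packages != sorted(packages):
                verb = " ".join(tokens[:2])
                findings.append(f"packages not sorted in '{verb}': {' '.join(packages)}")
    return findings


def check_debug_settings(instructions):
    """Rule 3 (Security Hotspot): ENV must not enable debug features."""
    findings = []
    for name, args in instructions:
        if name == "ENV":
            for key, value in _key_values(args).items():
                if DEBUG_SETTINGS.get(key) == value.lower():
                    findings.append(f"debug setting enabled: {key}={value}")
    return findings


def check_user(instructions):
    """Rule 4 (Security Hotspot): the effective user must not be privileged."""
    user = "root"                             # assumed default when no USER instruction is given
    for name, args in instructions:
        if name == "USER":
            user = args.split(":")[0]         # drop an optional ':group' suffix
    if user.lower() in PRIVILEGED_USERS:
        return [f"container runs as privileged user '{user}'"]
    return []


def check_dockerfile(text):
    """Run all four checks and return the combined list of findings."""
    instructions = parse_instructions(text)
    findings = []
    for check in (check_labels, check_sorted_packages, check_debug_settings, check_user):
        findings.extend(check(instructions))
    return findings


# Constructed samples modelled on this page's non-compliant and compliant snippets.
NON_COMPLIANT = """\
FROM ubuntu:20.04
ENV APP_DEBUG=true
ENV ENV=development
RUN apt-get update && apt-get install -y \\
    unzip \\
    wget \\
    curl \\
    git \\
    zip
CMD /run.sh
"""

COMPLIANT = """\
FROM ubuntu:20.04
LABEL maintainer="shubhendu"
LABEL description="Image is for testing"
LABEL version=1.0
ENV APP_DEBUG=false
ENV ENV=production
RUN apt-get update && apt-get install -y \\
    curl \\
    git \\
    unzip \\
    wget \\
    zip
USER app
CMD /run.sh
"""

if __name__ == "__main__":
    for label, text in (("non-compliant", NON_COMPLIANT), ("compliant", COMPLIANT)):
        print(label, check_dockerfile(text) or "no findings")
```

The checker joins backslash continuations before inspecting RUN, which is what lets the multi-line apt-get example be checked as one command; the USER check reports the last USER instruction, since that is the user the container actually starts as.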
