🐳Docker
This page contains Docker SAST rules, grouped as Vulnerability, Bug, Code Smell and Security Hotspot.
Code Smell
1. Descriptive labels are mandatory
Issue: raised when one of the mandatory labels is missing. Labels help to organise images by project, record licensing, support automation, and serve other purposes.
// Non-compliant solution
FROM ubuntu:22.04
RUN my_command
// Compliant solution
FROM ubuntu:22.04
LABEL maintainer="shubhendu"
LABEL description="Image is for testing"
LABEL version="1.0"
RUN my_command
2. Arguments in long RUN instructions should be sorted
In a Dockerfile, the arguments of a RUN instruction (for example the package list of an install command) should be sorted alphabetically whenever the command does not depend on their order.
This makes the instruction easier to read, makes changes easier to track in diffs, and helps prevent mistakes such as duplicated or mistyped packages.
// Non-compliant Solution
FROM ubuntu:20.04
RUN apt-get update && apt-get install -y \
unzip \
wget \
curl \
git \
zip
// Non-compliant Solution
FROM alpine:3.12
RUN apk add unzip wget curl git zip
In both cases the package lists are not in alphabetical order; the compliant versions sort them:
// Compliant Solution
FROM ubuntu:20.04
RUN apt-get update && apt-get install -y \
curl \
git \
unzip \
wget \
zip
// Compliant Solution
FROM alpine:3.12
RUN apk add curl git unzip wget zip
Security Hotspot
1. Delivering code in production with debug features activated is security-sensitive
Why?
Debug instructions and verbose error messages can leak detailed information about the system, such as the application's path or file names.
Questions to be asked before deploying the application to end users (a "yes" answer indicates a potential risk):
The code or configuration enabling the application's debug features is deployed on production servers or distributed to end users.
// Non-compliant solution
FROM example
# Sensitive
ENV APP_DEBUG=true
# Sensitive
ENV ENV=development
CMD /run.sh
// Compliant Solution
FROM example
ENV APP_DEBUG=false
ENV ENV=production
CMD /run.sh
2. Running a container as a privileged user is security-sensitive
Running containers as a privileged user weakens their runtime security: any user whose code runs in the container can perform administrative actions.
In Linux containers the privileged user is usually named root. In Windows containers the equivalent is ContainerAdministrator.
Questions to be asked (a "yes" answer indicates a security risk):
The server's services are accessible from the Internet.
Solution: create a dedicated unprivileged account in the image and switch to it with a USER instruction before the CMD or ENTRYPOINT, so that the final image does not run as root.
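The four rules on this page (mandatory labels, sorted RUN arguments, debug features left on, and a privileged or missing USER) can be checked automatically. The following is an added example written for this page, not code from the page or from any SAST product: a small Python checker that parses a Dockerfile, joins backslash continuations, runs all four rules and reports findings with line numbers. The rule names, the set of mandatory labels, the ENV values treated as "debug on" and the single-stage-build assumption are choices made here. The two Dockerfiles embedded in it are constructed samples; the second one also shows the fix for the privileged-user hotspot (a dedicated account created with useradd and selected with USER).

```python
import re

# Assumptions: rule names, mandatory labels and debug-flag values are taken from this page's examples.
REQUIRED_LABELS = {"maintainer", "description", "version"}
PACKAGE_INSTALLERS = (("apt-get", "install"), ("apk", "add"))
DEBUG_VALUES = {"APP_DEBUG": {"true", "1"}, "ENV": {"development"}}
PRIVILEGED_USERS = {"root", "0", "containeradministrator"}


def parse_instructions(text):
    """Return (line, INSTRUCTION, args) triples, joining backslash continuations and skipping comments."""
    instructions, buf, start = [], [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                        # comment lines are legal inside a continuation too
        if not buf:
            start = no                      # line where a (possibly multi-line) instruction begins
        continued = line.endswith("\\")
        buf.append(line[:-1].strip() if continued else line)
        if not continued:
            name, _, args = " ".join(buf).partition(" ")
            instructions.append((start, name.upper(), args.strip()))
            buf = []
    return instructions

def check_labels(instrs):
    """Rule 1: every mandatory label must be set by some LABEL instruction."""
    present = set()
    for _, name, args in instrs:
        if name == "LABEL":
            present.update(k.lower() for k in re.findall(r"(?:^|\s)([\w.\-]+)=", args))
    missing = sorted(REQUIRED_LABELS - present)
    line = instrs[0][0] if instrs else 1
    return [(line, "labels", "missing mandatory label(s): " + ", ".join(missing))] if missing else []

def package_lists(run_args):
    """Yield the package arguments of each apt-get install / apk add inside one RUN."""
    for cmd in re.split(r"\s*(?:&&|\|\||;)\s*", run_args):
        words = cmd.split()
        for tool, verb in PACKAGE_INSTALLERS:
            if tool in words and verb in words[words.index(tool):]:
                verb_at = words.index(verb, words.index(tool))
                yield [w for w in words[verb_at + 1:] if not w.startswith("-")]  # drop flags such as -y

def check_sorted_run(instrs):
    """Rule 2: package lists in RUN instructions must be sorted alphabetically."""
    return [(line, "sorted-args", "packages not sorted, expected: " + " ".join(sorted(pkgs)))
            for line, name, args in instrs if name == "RUN"
            for pkgs in package_lists(args) if pkgs != sorted(pkgs)]

def env_pairs(args):
    # Supports both the `ENV K=V K2=V2` form and the legacy `ENV K V` form.
    if "=" in args.split(maxsplit=1)[0]:
        return [(k, v.strip('"')) for k, v in re.findall(r'(?:^|\s)([\w.\-]+)=("[^"]*"|\S*)', args)]
    key, _, value = args.partition(" ")
    return [(key, value.strip().strip('"'))]

def check_debug(instrs):
    """Hotspot 1: an ENV value that switches the application's debug features on."""
    return [(line, "debug", f"{key}={value} enables debug features")
            for line, name, args in instrs if name == "ENV" and args
            for key, value in env_pairs(args) if value.lower() in DEBUG_VALUES.get(key, set())]

def check_user(instrs):
    """Hotspot 2: the last USER instruction decides the account the final image runs as."""
    users = [(line, args.split(":")[0].strip()) for line, name, args in instrs if name == "USER"]
    if not users:
        return [(instrs[-1][0] if instrs else 1, "non-root", "no USER instruction, the container runs as root")]
    line, account = users[-1]
    return [(line, "non-root", f"USER {account} is a privileged account")] if account.lower() in PRIVILEGED_USERS else []

def check_dockerfile(text):
    # Runs all four rules; stages of a multi-stage build are pooled (single-stage assumption).
    instrs = parse_instructions(text)
    return sorted(check_labels(instrs) + check_sorted_run(instrs) + check_debug(instrs) + check_user(instrs))

# Constructed sample: the page's non-compliant fragments combined into one Dockerfile.
NONCOMPLIANT = r"""FROM ubuntu:22.04
RUN apt-get update && apt-get install -y \
    unzip \
    wget \
    curl \
    zip
# Sensitive
ENV APP_DEBUG=true
ENV ENV=development
CMD /run.sh
"""

# Constructed sample: the same image with all four findings fixed, including a non-root USER.
COMPLIANT = r"""FROM ubuntu:22.04
LABEL maintainer="shubhendu" description="Image is for testing" version="1.0"
RUN apt-get update && apt-get install -y --no-install-recommends curl unzip wget zip \
 && rm -rf /var/lib/apt/lists/*
RUN useradd --system --create-home --shell /usr/sbin/nologin app
ENV APP_DEBUG=false ENV=production
USER app
CMD /run.sh
"""

if __name__ == "__main__":
    print(*check_dockerfile(NONCOMPLIANT), sep="\n")
```

Running the script prints five findings for the non-compliant sample (missing labels, unsorted packages, two debug ENVs, and no USER); the compliant sample yields none. The checker is deliberately literal: it pools all stages of a multi-stage build and does not follow shell variables or scripts called from RUN, so treat it as an illustration of how these rules are evaluated rather than a replacement for a full SAST engine.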