search

๐ŸณDocker

This page contains docker SAST rules including Vulnerability, Bug, Code Smell, Security Hotspot

hashtag
Code Smell

hashtag
1. Descriptive Labels are Mandatory

Issue : when one of the mandatory label are missing . Labels help to organise images by project, record licensing, aid in the automation and for other reasons. 

// Non -compliant solution 


From Ububtu:22.02
RUN my_command
// Compliant Solution 

From Ubuntu:22.02
LABEL maintainer="shubhendu"
LABEL description=" Image is for testing"
LABEL version=1.0
RUN my_command

  1. Argument in long RUN instructions should be sorted

in Docker file , commands within RUN argument should be sorted alphabetically if order is not enforced by the command.

This practice enhance the readability of the code, easier to track modification & prevent potential errors.

Here commands are not in alphabetically so let's see compliant solution

hashtag
Security-Hotspot

  1. Delivering code in production with debug ft activated is Security-sensitive

Why ?

Debug instructions or error messages can leak detailed information about the system like application's path or file name

Questions to be asked before deploying application to the end users and if any of the question has "YES" answer then there is a potential Risk

The code or configuration enabling the application debug features is deployed on production servers or distributed to end users

  1. Running container as privileged user is security-sensitive

Running containers as a privileged user weakens their runtime security, allowing any user whose code runs on the container to perform administrative actions. In Linux containers, the privileged user is usually named root. In Windows containers, the equivalent is ContainerAdministrator

Questions to be Asked

Servers services accessible from the Internet

and there is a security risk if any of the Answer is "YES"

Solution :-

PreviousAuthenticationNextCode Like Hacker : Secure Terraform Practices

Last updated