Skip to content

11.Dockerfile_Security_Linting.md

Latest commit

 

History

History
226 lines (151 loc) · 3.38 KB

11.Dockerfile_Security_Linting.md

File metadata and controls

226 lines (151 loc) · 3.38 KB

Dockerfile: Security Linting

Securing the Building Block of Cloud Native Applications

Common Security Pitfalls in Dockerfiles

Using an Insecure Base Image

# No version pinning, could introduce breaking changes or vulnerabilities
FROM ubuntu:latest  
# Use a specific, trusted version to ensure stability and security
FROM ubuntu:22.04

Running as Root

FROM node:18
WORKDIR /app
COPY . .
RUN npm install
CMD ["node", "app.js"]  # Runs as root by default
FROM node:18
WORKDIR /app
RUN useradd -m nonrootuser
USER nonrootuser
COPY . .
RUN npm install
CMD ["node", "app.js"]

Hardcoding Secrets in the Dockerfile

# Hardcoded sensitive data
ENV DB_PASSWORD="SuperSecret123"  
ARG DB_PASSWORD
ENV DB_PASSWORD=${DB_PASSWORD}

Failing to Reduce the Attack Surface

FROM ubuntu:22.04
RUN apt-get update && apt-get install -y \
  curl \
  vim \
  netcat \
  htop \
  iputils-ping \
  wget
FROM alpine:3.17
RUN apk add --no-cache curl \
  && rm -rf /var/cache/apk/*

Exposing Unnecessary Ports

RUN apt-get update && apt-get install -y \
  apache2
# Too many ports exposed
EXPOSE 22 8080 3306 5000 80
# Only expose the necessary port
EXPOSE 80

Not Using Multi-Stage Builds

FROM golang:1.19
WORKDIR /app
COPY . .
RUN go build -o myapp .
# Development tools remain in the final image (go, git)
CMD ["./myapp"]  
FROM golang:1.19 AS builder
WORKDIR /app
COPY . .
RUN go build -o myapp .

FROM alpine:3.17
WORKDIR /app
# Only copy the necessary artifacts from the builder image
# Leave development tools behind
COPY --from=builder /app/myapp .
CMD ["./myapp"]

Not Setting Proper Permissions

COPY myapp /usr/local/bin/myapp
COPY myapp /usr/local/bin/myapp
RUN chmod 755 /usr/local/bin/myapp

Overuse of ADD Instead of COPY

ADD https://example.com/malicious.sh /usr/local/bin/malicious.sh
COPY localfile /usr/local/bin/

A Practical Security Linting Example with Hadolint

FROM python:3.9-slim
WORKDIR /app
COPY requirements.txt .
RUN pip install -r requirements.txt
COPY . .
CMD ["python", "app.py"]
FROM python:3.9-slim
WORKDIR /app
COPY requirements.txt .
RUN pip install -r requirements.txt
COPY . .
CMD ["python", "app.py"]
FROM bitnami/postgresql:17.4.0-debian-12-r1
# Install Hadolint
URL=https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64
curl -sL $URL -o /usr/local/bin/hadolint
chmod +x /usr/local/bin/hadolint
# Lint the menu-service Dockerfile
hadolint $HOME/RestQR/menu/Dockerfile

# Lint the qr-service Dockerfile
hadolint $HOME/RestQR/qr/Dockerfile

# Lint the menu-postgresql Dockerfile
hadolint $HOME/RestQR/postgresql/Dockerfile
Dockerfile:4 DL3042 warning: Avoid use of cache directory with pip. Use `pip install --no-cache-dir <package>`
# Find and replace
find $HOME/RestQR -type f \
    -name Dockerfile \
    -exec sed \
    -i 's/pip install -r requirements.txt/pip install --no-cache-dir -r requirements.txt/g' {} \;
# $HOME/RestQR/.hadolint.yaml
ignore:
  - DL3042

Dockerfile Linting Alternatives