-
Notifications
You must be signed in to change notification settings - Fork 28
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create rule S6497[Docker]: Using a container image based on its diges…
…t is security-sensitive (APPSEC-443) (#1515)
- Loading branch information
1 parent
8656528
commit 0c88ad0
Showing
3 changed files
with
99 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
{ | ||
"title": "Pulling an image based on its digest is security-sensitive", | ||
"type": "SECURITY_HOTSPOT", | ||
"status": "ready", | ||
"remediation": { | ||
"func": "Constant\/Issue", | ||
"constantCost": "15min" | ||
}, | ||
"tags": [ | ||
"dockerfile", | ||
"cwe" | ||
], | ||
"defaultSeverity": "Minor", | ||
"ruleSpecification": "RSPEC-6497", | ||
"sqKey": "S6497", | ||
"scope": "Main", | ||
"securityStandards": { | ||
"CWE": [ | ||
1329 | ||
] | ||
}, | ||
"defaultQualityProfiles": [ | ||
"Sonar way" | ||
] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,72 @@ | ||
A container image digest uniquely and immutably identifies a container image. | ||
A tag, on the other hand, is a mutable reference to a container image. | ||
|
||
This tag can be updated to point to another version of the container at any point in time. + | ||
In general, the use of image digests instead of tags is intended to keep | ||
determinism stable within a system or infrastructure for reliability reasons. | ||
|
||
The problem is that pulling such an image prevents the resulting container from | ||
being updated or patched in order to remove vulnerabilities or significant bugs. | ||
|
||
|
||
|
||
== Ask Yourself Whether | ||
|
||
* You expect to receive security updates of the base image. | ||
|
||
There is a risk if you answer yes to this question. | ||
|
||
== Recommended Secure Coding Practices | ||
|
||
Containers should get the latest security updates. If there is a need for determinism, | ||
the solution is to find tags that are not as prone to change as `latest` or | ||
https://github.com/docker-library/faq#whats-the-difference-between-shared-and-simple-tags[shared tags]. | ||
|
||
To do so, favor a more precise tag that uses https://semver.org/[semantic versioning] and target a major version, for example. | ||
|
||
|
||
== Sensitive Code Example | ||
|
||
[source,docker] | ||
---- | ||
FROM mongo@sha256:8eb8f46e22f5ccf1feb7f0831d02032b187781b178cb971cd1222556a6cee9d1 | ||
RUN echo ls | ||
---- | ||
|
||
== Compliant Solution | ||
|
||
|
||
Here, mongo:6.0 is better than using a digest, and better than using a more precise version, such as 6.0.4, | ||
because it would prevent 6.0.5 security updates: | ||
|
||
[source,docker] | ||
---- | ||
FROM mongo:6.0 | ||
RUN echo ls | ||
---- | ||
|
||
== See | ||
|
||
* https://github.com/safe-waters/docker-lock[Docker-Lock] | ||
* https://cloud.google.com/kubernetes-engine/docs/archive/using-container-image-digests-in-kubernetes-manifests#recommendations[Skaffold, kpt, digester, kustomize, gke-deploy, ko, and Bazel] | ||
* https://cloud.google.com/kubernetes-engine/docs/archive/using-container-images[GKE, Using Container Image Digests] | ||
* https://docs.openshift.com/container-platform/3.11/architecture/core_concepts/builds_and_image_streams.html#image-streams[OpenShift, Builds and Image Streams] | ||
|
||
ifdef::env-github,rspecator-view[] | ||
|
||
''' | ||
== Implementation Specification | ||
(visible only on this page) | ||
|
||
=== Message | ||
|
||
Setting a digest will prevent receiving updates of the base image. Make sure it is safe here. | ||
|
||
=== Highlighting | ||
|
||
* Presence of a digest: The digest | ||
|
||
endif::env-github,rspecator-view[] | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
{ | ||
} |