By not specifying a USER, a program in the container may run as ‘root’. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than ‘root’.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-269: Improper Privilege Management
OWASP:
- A04:2021 - Insecure Design
By not specifying a USER, a program in the container may run as ‘root’. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than ‘root’.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-269: Improper Privilege Management
OWASP:
- A04:2021 - Insecure Design
Docker build time arguments are not suited for secrets, because the argument values are saved with the image. Running docker image history on the image will show information on how the image was built, including arguments. If these contain plain text secrets, anyone with access to the docker image can access those secrets and exploit them.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory
OWASP:
- A01:2021 - Broken Access Control
The last user in the container is ‘root’. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as ‘root’.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-269: Improper Privilege Management
OWASP:
- A04:2021 - Insecure Design
Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.
Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-250: Execution with Unnecessary Privileges
OWASP:
- A05:2021 - Security Misconfiguration