Dockerfile

Security

missing-user-entrypoint

By not specifying a USER, the process the image starts runs as ‘root’ (the default for almost every base image). This is a security hazard: an attacker who takes control of a root process has full control over the container and everything mounted into it. Ensure that the last USER instruction in the Dockerfile names a user other than ‘root’. Note that each FROM starts a new stage whose user resets to the base image's, so it is the final stage's last USER that counts.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-269: Improper Privilege Management
OWASP:
- A04:2021 - Insecure Design

missing-user

By not specifying a USER, the process the image starts runs as ‘root’ (the default for almost every base image). This is a security hazard: an attacker who takes control of a root process has full control over the container and everything mounted into it. Ensure that the last USER instruction in the Dockerfile names a user other than ‘root’. Note that each FROM starts a new stage whose user resets to the base image's, so it is the final stage's last USER that counts.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-269: Improper Privilege Management
OWASP:
- A04:2021 - Insecure Design

secret-in-build-arg

Docker build-time arguments (ARG) are not suited for secrets, because their values are recorded in the image's layer metadata: every RUN layer that consumes a build argument stores its value alongside the command that created the layer. Running docker image history (or docker history) with --no-trunc on the image shows how it was built, arguments included, so deleting the secret file inside the same RUN does not help. If these contain plain-text secrets, anyone who can pull the image can read those secrets and use them.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory
OWASP:
- A01:2021 - Broken Access Control
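The following is an added example, not CodeAnt's own checker and not code from any project. It flags ARG names that look like credentials and contrasts a leaky Dockerfile with one that delivers the same value through a BuildKit secret mount, which is exposed to a single RUN as a file and never written to a layer. The two Dockerfiles, the SECRET_NAME_RE pattern and the secret id npm_token are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not CodeAnt's checker): find build arguments whose names look
# like credentials, and list the BuildKit secret mounts a Dockerfile uses instead.

# ARG names that should never carry a value at build time. The pattern is an
# assumption for this example; matching is case-insensitive on the name only.
SECRET_NAME_RE='(passw(or)?d|secret|token|api[_-]?key|credential|private[_-]?key|access[_-]?key)'

# Print the name of every ARG in the Dockerfile $1 whose name matches
# SECRET_NAME_RE. Comment lines are skipped; "ARG NAME=default" yields NAME.
secret_build_args() {
  awk -v re="$SECRET_NAME_RE" '
    /^[[:space:]]*#/ { next }
    toupper($1) == "ARG" {
      name = $2; sub(/=.*$/, "", name)
      if (tolower(name) ~ re) print name
    }' "$1"
}

# Print the ids consumed through RUN --mount=type=secret,id=... in $1.
# These values are mounted for one RUN only and never enter image metadata.
secret_mount_ids() {
  grep -Eo -- '--mount=type=secret[^ ]*' "$1" | sed -n 's/.*id=\([^,]*\).*/\1/p'
}

# --- constructed sample Dockerfiles (not from any real project) ---
SAMPLE_DIR=$(mktemp -d)

# Leaky: built with  docker build --build-arg NPM_TOKEN=npm_xxx .
# The RUN layer below is recorded with its arguments, so
#   docker history --no-trunc <image>
# shows "|1 NPM_TOKEN=npm_xxx /bin/sh -c ..." even though ~/.npmrc is removed.
cat > "$SAMPLE_DIR/leaky" <<'EOF'
FROM node:20-slim
ARG NPM_TOKEN
ARG DB_PASSWORD=changeme
WORKDIR /app
COPY package*.json ./
RUN echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc && npm ci && rm ~/.npmrc
EOF

# Hardened: built with  docker build --secret id=npm_token,src=$HOME/.npmrc .
# The file is visible only inside this RUN and leaves no trace in any layer.
cat > "$SAMPLE_DIR/hardened" <<'EOF'
# syntax=docker/dockerfile:1
FROM node:20-slim
WORKDIR /app
COPY package*.json ./
RUN --mount=type=secret,id=npm_token,target=/root/.npmrc npm ci
EOF

for f in leaky hardened; do
  printf '%s: secret ARGs [%s] secret mounts [%s]\n' "$f" \
    "$(secret_build_args "$SAMPLE_DIR/$f" | tr '\n' ' ')" \
    "$(secret_mount_ids "$SAMPLE_DIR/$f" | tr '\n' ' ')"
done
```

The name-based check is deliberately conservative: it cannot see a secret passed under an innocuous name, so treat it as a guard rail for the common cases rather than a proof that an image is clean.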

last-user-is-root

The last USER in the final stage is ‘root’. This is a security hazard because an attacker who gains control of the container's process will have root access. Switching to ‘root’ to install packages is common and fine; switch back to an unprivileged user once those RUN instructions are done, before the CMD or ENTRYPOINT.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-269: Improper Privilege Management
OWASP:
- A04:2021 - Insecure Design

no-sudo-in-dockerfile

Avoid using sudo in Dockerfiles. RUN already executes as the current USER, which is ‘root’ unless the Dockerfile has switched away from it, so sudo either does nothing or requires installing sudo and granting the non-root user a privilege-escalation path that ships in the image. Running processes as a non-root user, without an escalation path back to root, reduces the potential impact of configuration errors and security vulnerabilities.
Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-250: Execution with Unnecessary Privileges
OWASP:
- A05:2021 - Security Misconfiguration
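The following is an added example, not CodeAnt's own rule engine and not code from any project. It shows one way to check the missing-user, last-user-is-root and no-sudo-in-dockerfile conditions above: normalise a Dockerfile (drop comments, join backslash-continued lines), compute the effective user of the final stage, and look for sudo in any RUN. It assumes the base image itself runs as ‘root’, which holds for almost every official image; a base image that already sets a USER would not be flagged correctly by it. The three Dockerfiles are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not CodeAnt's checker): a small Dockerfile lint for the
# user-related rules. Assumes the base image runs as root.

# Normalise a Dockerfile: drop comments and blank lines, join lines continued
# with a trailing backslash, and upper-case the instruction keyword.
# Output: one instruction per line, "KEYWORD arguments".
dockerfile_normalize() {
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    {
      line = $0
      sub(/^[[:space:]]+/, "", line)
      if (line ~ /\\[[:space:]]*$/) {        # continued on the next line
        sub(/\\[[:space:]]*$/, "", line)
        buf = buf line " "
        next
      }
      line = buf line; buf = ""
      kw = line; sub(/[[:space:]].*$/, "", kw)
      rest = substr(line, length(kw) + 1); sub(/^[[:space:]]+/, "", rest)
      print toupper(kw) " " rest
    }' "$1"
}

# Print the user the final stage ends with: the last USER after the last FROM.
# Empty output means the stage never sets one, so the process runs as root.
# The optional ":group" / ":gid" suffix is dropped so "root:root" reads as root.
effective_user() {
  dockerfile_normalize "$1" | awk '
    $1 == "FROM" { user = "" }              # each stage starts from its base image
    $1 == "USER" { user = $2; sub(/:.*$/, "", user) }
    END { print user }'
}

# Print the rule IDs that fire, space separated; return 1 if any did.
lint_dockerfile() {
  local user found=""
  user=$(effective_user "$1")
  if [ -z "$user" ]; then
    found="missing-user"
  elif [ "$user" = root ] || [ "$user" = 0 ]; then
    found="last-user-is-root"
  fi
  # sudo as any word of a RUN, in shell form or exec form (["sudo", ...]):
  # punctuation is stripped from each token before comparing.
  if dockerfile_normalize "$1" | awk '
      $1 == "RUN" { for (i = 2; i <= NF; i++) { w = $i; gsub(/[^A-Za-z0-9_-]/, "", w); if (w == "sudo") hit = 1 } }
      END { exit !hit }'; then
    found="${found:+$found }no-sudo-in-dockerfile"
  fi
  printf '%s\n' "$found"
  [ -z "$found" ]
}

# --- constructed sample Dockerfiles (not from any real project) ---
EXAMPLE_DIR=$(mktemp -d)

# 1. No USER at all: the ENTRYPOINT runs as root.
cat > "$EXAMPLE_DIR/missing" <<'EOF'
FROM python:3.12-slim
COPY app /app
ENTRYPOINT ["python", "/app/main.py"]
EOF

# 2. Drops to a user, climbs back to root for a RUN and never returns;
#    also calls sudo, which is pointless when the build already runs as root.
cat > "$EXAMPLE_DIR/root_last" <<'EOF'
FROM debian:bookworm-slim
RUN useradd --system --no-create-home app
USER app
USER root
RUN apt-get update && \
    sudo apt-get install -y --no-install-recommends ca-certificates
CMD ["/bin/sh"]
EOF

# 3. Hardened and multi-stage: the build stage never sets a USER (it is
#    discarded), the final stage ends on a numeric UID:GID.
cat > "$EXAMPLE_DIR/good" <<'EOF'
FROM golang:1.22 AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/server .

FROM gcr.io/distroless/static-debian12
COPY --from=build /out/server /server
USER 65532:65532
ENTRYPOINT ["/server"]
EOF

for f in missing root_last good; do
  printf '%-10s -> %s\n' "$f" "$(lint_dockerfile "$EXAMPLE_DIR/$f" || true)"
done
```

A numeric UID in the final USER, as in the third sample, is preferable to a name: a name must resolve through the image's /etc/passwd, and an orchestrator policy such as Kubernetes' runAsNonRoot can only verify a numeric identity.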