    Dockerfile

    Security

    By not specifying a USER, a program in the container may run as ‘root’. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than ‘root’.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-269: Improper Privilege Management
    OWASP:
    - A04:2021 - Insecure Design

    Docker build time arguments are not suited for secrets, because the argument values are saved with the image. Running docker image history on the image will show information on how the image was built, including arguments. If these contain plain text secrets, anyone with access to the docker image can access those secrets and exploit them.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory
    OWASP:
    - A01:2021 - Broken Access Control

    The last user in the container is ‘root’. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as ‘root’.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-269: Improper Privilege Management
    OWASP:
    - A04:2021 - Insecure Design

    Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.
    Likelihood: LOW
    Confidence: HIGH
    CWE:
    - CWE-250: Execution with Unnecessary Privileges
    OWASP:
    - A05:2021 - Security Misconfiguration
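As an added example that is not part of CodeAnt AI's rule set or tooling, the following Python script implements the four checks described above as a small Dockerfile linter (last USER is root or absent, secret-looking build ARGs, sudo in RUN) and runs it over two constructed Dockerfiles; the regexes, the sample contents and the secret-name heuristic are assumptions.

```python
import re

# Constructed sample Dockerfiles (not from the page) that exercise the four rules above.
INSECURE = """\
FROM python:3.12-slim
ARG DB_PASSWORD
RUN apt-get update && \\
    apt-get install -y sudo
USER app
RUN sudo pip install -r requirements.txt
USER root
CMD ["python", "app.py"]
"""

HARDENED = """\
FROM python:3.12-slim
RUN useradd --create-home app
# Secret comes from a BuildKit secret mount, so it never lands in a layer or in docker image history.
RUN --mount=type=secret,id=db_password pip install -r requirements.txt
USER root
RUN chown -R app /app
USER app
CMD ["python", "app.py"]
"""

# Heuristic (assumption): ARG names that usually carry credentials.
SECRET_ARG = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key)", re.I)
ROOT_USERS = {"root", "0"}  # USER 0 is root by uid, not only by name

def instructions(dockerfile: str):
    """Yield (INSTRUCTION, argument) pairs, joining backslash continuations and skipping comments."""
    joined = re.sub(r"\\\s*\n", " ", dockerfile)
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, arg = line.partition(" ")
        yield instr.upper(), arg.strip()

def lint(dockerfile: str) -> list[str]:
    """Return one finding per violated rule; an empty list means the Dockerfile passes."""
    findings = []
    last_user = None
    for instr, arg in instructions(dockerfile):
        if instr == "USER":
            last_user = arg.split(":")[0]  # drop optional ":group"; only the final USER matters
        elif instr == "ARG" and SECRET_ARG.search(arg.split("=")[0]):
            findings.append(f"secret in build arg: {arg}")
        elif instr == "RUN" and re.search(r"(^|[\s;&|])sudo\s", arg):
            findings.append("sudo used in RUN")  # installing the sudo package alone is not flagged
    if last_user is None:
        findings.append("no USER specified; container runs as root")
    elif last_user in ROOT_USERS:
        findings.append(f"last USER is {last_user}")
    return findings
```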
