checkov
Missing checks for CKV_DOCKER_3 (User exists)
**Describe the issue**

https://github.com/bridgecrewio/checkov/blob/master/checkov/dockerfile/checks/UserExists.py doesn't cover all of https://docs.bridgecrew.io/docs/ensure-that-a-user-for-the-container-has-been-created

Bridgecrew Policy ID: BC_DKR_3
Checkov Check ID: CKV_DOCKER_3

ToDo: Additionally check if `gosu` is executed in either `CMD` or `ENTRYPOINT`
**Examples**

```dockerfile
FROM alpine:3.14
ENTRYPOINT ["gosu", "app", "tini", "--", "/app/run.sh" ]
```

should be passing but isn't:

```
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /Dockerfile.
	File: /Dockerfile:1-50
	Guide: https://docs.bridgecrew.io/docs/ensure-that-a-user-for-the-container-has-been-created
```
**Version (please complete the following information):**

- Checkov Version 2.0.692
Hey @adberger !

This is an interesting one. How would checkov know if the first keyword (i.e. `gosu`) is the name of the command or a user?

Perhaps this should fail:

```dockerfile
FROM alpine:3.14
ENTRYPOINT ["gosu", "app", "tini", "--", "/app/run.sh" ]
```

But this should pass:

```dockerfile
FROM alpine:3.14
USER gosu
ENTRYPOINT ["gosu", "app", "tini", "--", "/app/run.sh" ]
```
@nimrodkor I would rather check if `gosu` is in `CMD` or `ENTRYPOINT`, despite the location (first, middle, last etc.).

`USER gosu` would not be correct, because `gosu` is the command and `app` the user which gets created by `gosu` (AFAIK)
@adberger Right. However, how would you know `gosu` is a user and not the app / executable / command?
> @adberger Right. However, how would you know `gosu` is a user and not the app / executable / command?

You could parse it according to the gosu usage:

```
Usage: ./gosu user-spec command [args]
```

If `gosu` and then a `user-spec` is set, the test should be valid.
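As an added example (not checkov's own code, and not the change from the linked fork or from the fix referenced later in the thread), here is one way to implement the rule proposed above in Python: pass CKV_DOCKER_3 when a `USER` instruction exists, or when the effective `ENTRYPOINT`/`CMD` invokes `gosu` followed by a `user-spec` and a command, wherever `gosu` sits in argv. It goes a little beyond the exec-form case in the thread by also handling the shell form and a `sh -c "..."` wrapper. The function names, the parsing approach and the sample Dockerfiles (other than the `ENTRYPOINT` line quoted from the issue) are assumptions made for this illustration.

```python
import json
import os
import re
import shlex

# Commands that switch user before exec'ing the real command. The thread only
# discusses gosu; its documented usage is: gosu user-spec command [args]
USER_SWITCH_COMMANDS = {"gosu"}

# user-spec is user[:group]; each part is either a name or a numeric id
_USER_PART = re.compile(r"^(?:[A-Za-z_][A-Za-z0-9._-]*|[0-9]+)$")


def parse_dockerfile(text):
    """Return (INSTRUCTION, argument) pairs, joining backslash continuations and
    skipping blank lines and comments (heredocs are out of scope here)."""
    instructions, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        pending += line
        name, _, argument = pending.partition(" ")
        instructions.append((name.upper(), argument.strip()))
        pending = ""
    return instructions


def command_tokens(argument):
    """Split a CMD/ENTRYPOINT argument into argv for both the exec (JSON array)
    and shell forms; tokens that themselves hold a command line (the string
    after `sh -c`) are split again so gosu inside a wrapper is still seen."""
    tokens = None
    if argument.startswith("["):
        try:
            parsed = json.loads(argument)
        except json.JSONDecodeError:
            parsed = None
        if isinstance(parsed, list) and all(isinstance(t, str) for t in parsed):
            tokens = parsed
    if tokens is None:
        tokens = shlex.split(argument)
    flat = []
    for tok in tokens:
        if any(c.isspace() for c in tok):
            try:
                flat.extend(shlex.split(tok))
                continue
            except ValueError:  # unbalanced quotes: keep the raw token
                pass
        flat.append(tok)
    return flat


def is_user_spec(token):
    """True if token looks like gosu's user[:group] argument (never an option)."""
    user, sep, group = token.partition(":")
    if not _USER_PART.match(user):
        return False
    return not sep or bool(_USER_PART.match(group))


def gosu_user(tokens):
    """Return the user-spec when argv runs gosu with a user-spec AND a command
    after it, wherever gosu appears; None otherwise (e.g. a bare `gosu`)."""
    for i, tok in enumerate(tokens):
        if os.path.basename(tok) in USER_SWITCH_COMMANDS:
            if i + 2 < len(tokens) and is_user_spec(tokens[i + 1]):
                return tokens[i + 1]
    return None


def check_user_exists(dockerfile_text):
    """Return (passed, reason): pass on a USER instruction, or on an effective
    ENTRYPOINT/CMD that switches user through gosu."""
    instructions = parse_dockerfile(dockerfile_text)
    if any(name == "USER" for name, _ in instructions):
        return True, "USER instruction present"
    effective = {}
    for name, argument in instructions:
        if name in ("CMD", "ENTRYPOINT"):
            effective[name] = argument  # a later instruction overrides an earlier one
    for name in ("ENTRYPOINT", "CMD"):
        if name in effective:
            user = gosu_user(command_tokens(effective[name]))
            if user is not None:
                return True, f"{name} switches to {user} via gosu"
    return False, "no USER instruction and no gosu user-spec in CMD/ENTRYPOINT"


# Constructed sample Dockerfiles; only the first ENTRYPOINT line comes from the issue.
GOSU_EXEC_FORM = 'FROM alpine:3.14\nENTRYPOINT ["gosu", "app", "tini", "--", "/app/run.sh" ]\n'
NO_USER_SWITCH = 'FROM alpine:3.14\nENTRYPOINT ["tini", "--", "/app/run.sh"]\n'
USER_INSTRUCTION = 'FROM alpine:3.14\nUSER app\nCMD ["/app/run.sh"]\n'
GOSU_IN_SHELL_WRAPPER = 'FROM alpine:3.14\nENTRYPOINT ["/bin/sh", "-c", "exec gosu app /app/run.sh"]\n'
GOSU_WITHOUT_USER_SPEC = 'FROM alpine:3.14\nENTRYPOINT ["gosu"]\n'

if __name__ == "__main__":
    for label, text in [("gosu exec form", GOSU_EXEC_FORM), ("no user switch", NO_USER_SWITCH),
                        ("USER instruction", USER_INSTRUCTION), ("sh -c wrapper", GOSU_IN_SHELL_WRAPPER),
                        ("gosu, no user-spec", GOSU_WITHOUT_USER_SPEC)]:
        passed, reason = check_user_exists(text)
        print(f"{label:20} {'PASSED' if passed else 'FAILED'}: {reason}")
```

The ambiguity raised in the thread is still there by design: the check cannot tell whether `app` is really a user on the image, only that the argv has the shape gosu documents, so a `USER` instruction remains the stronger signal. Note also that neither `USER root` nor `gosu root ...` drops privileges; this example mirrors the existing check's "a user has been set" semantics rather than enforcing a non-root user.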
I think I got it now. Want to fix the check and open a PR? We'd love the contribution @adberger !
@nimrodkor I prepared some changes in my forked repository, which is currently under review by my colleagues: https://github.com/adberger/checkov
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!
My mistake, please close it.
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!
Not stale
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!
Not stale
Not stale. Issue fixed in #2294
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!