
CKV_DOCKER_1 rule not failed when using EXPOSE 22/TCP

Open pitfallincode opened this issue 3 years ago • 1 comment

Issue: If it is related to an existing check: CKV_DOCKER_1. Dockerfile EXPOSE accepts a port using the tcp protocol by default if none is specified, or you can also specify the protocol explicitly with /tcp or /udp.

When using "EXPOSE 22/tcp" the rule does not detect the SSH port. Something like '22/tcp'.split('/')[0] will return the port without the protocol, or we can test for both '22' and '22/tcp' in the rule.

Examples: The issue can be replicated with a Dockerfile which uses "EXPOSE 22/tcp".

Version

  • Checkov Version 2.1.87

Specification: EXPOSE specification https://docs.docker.com/engine/reference/builder/#expose

pitfallincode avatar Aug 02 '22 21:08 pitfallincode

hey @pitfallincode thanks for reaching out. Nice catch, you are right: we just check if port 22 is mentioned without the protocol part. I like the idea of testing for both 22 and 22/tcp 🥇

Are you interested in contributing the needed change? If yes, you can find the check and the related tests here https://github.com/bridgecrewio/checkov/blob/master/checkov/dockerfile/checks/ExposePort22.py https://github.com/bridgecrewio/checkov/blob/fe902170cfa620271bff7b124ffc6b1309c0aacc/tests/dockerfile/test_runner.py#L72-L82

gruebel avatar Aug 07 '22 22:08 gruebel
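To make the false negative discussed in the report and the reply concrete, here is an added, self-contained Python illustration. It is not checkov's ExposePort22 check and not code from either participant; it parses the `EXPOSE <port> [<port>/<protocol>...]` syntax from the Docker reference linked above, defaults the protocol to tcp as that reference states, and flags port 22 over tcp whether it is written as `22`, `22/tcp` or `22/TCP`. The `naive_check` function models the whole-token comparison the reply describes (matching only a bare `22`), and the Dockerfile strings are constructed for the example. Handling of backslash continuations is a simplification and does not cover heredocs or parser directives.

```python
"""Added example: detect an SSH port in Dockerfile EXPOSE instructions
even when a protocol suffix ("22/tcp") is present.

This is an illustration written for this issue, not checkov's own
ExposePort22 check.
"""
import re
from typing import List, Tuple

SSH_PORT = "22"
EXPOSE_RE = re.compile(r"^expose\s+(.+)$", re.IGNORECASE)


def parse_expose(value: str) -> List[Tuple[str, str]]:
    """Split the argument of one EXPOSE instruction into (port, protocol)
    pairs. Per the Docker reference, the protocol defaults to tcp when it
    is omitted; explicit protocols are lower-cased so "22/TCP" == "22/tcp"."""
    pairs = []
    for token in value.split():
        port, sep, proto = token.partition("/")
        pairs.append((port, proto.lower() if sep else "tcp"))
    return pairs


def expose_instructions(dockerfile: str) -> List[str]:
    """Return the argument string of every EXPOSE instruction in the file.
    Comment lines are skipped and backslash line continuations are joined
    (simplified: heredocs and parser directives are not handled)."""
    values = []
    pending: List[str] = []
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1].strip())
            continue
        pending.append(line)
        logical = " ".join(pending)
        pending = []
        match = EXPOSE_RE.match(logical)
        if match:
            values.append(match.group(1).strip())
    return values


def exposes_ssh(dockerfile: str) -> List[Tuple[str, str]]:
    """Return every (port, protocol) pair that exposes SSH, i.e. port 22
    over tcp, regardless of whether the protocol suffix was written."""
    hits = []
    for value in expose_instructions(dockerfile):
        for port, proto in parse_expose(value):
            if port == SSH_PORT and proto == "tcp":
                hits.append((port, proto))
    return hits


def naive_check(dockerfile: str) -> bool:
    """The comparison the reply describes: match whole whitespace-separated
    tokens against "22" only. It misses "22/tcp", which is the bug reported."""
    return any(SSH_PORT in value.split(" ") for value in expose_instructions(dockerfile))


# Constructed sample Dockerfiles (not taken from the issue).
VULNERABLE_TCP = (
    "FROM ubuntu:22.04\n"
    "RUN apt-get update && \\\n"
    "    apt-get install -y openssh-server\n"
    "EXPOSE 22/tcp\n"
)
VULNERABLE_PLAIN = "FROM ubuntu:22.04\nEXPOSE 80 22\n"
UDP_ONLY = "FROM ubuntu:22.04\nEXPOSE 22/udp\n"
CLEAN = "FROM nginx\n# EXPOSE 22\nEXPOSE 80/tcp 443\n"


if __name__ == "__main__":
    for name, content in [("VULNERABLE_TCP", VULNERABLE_TCP),
                          ("VULNERABLE_PLAIN", VULNERABLE_PLAIN),
                          ("UDP_ONLY", UDP_ONLY), ("CLEAN", CLEAN)]:
        print(f"{name:17} naive={naive_check(content)!s:5} "
              f"protocol-aware={exposes_ssh(content)}")
```

Running the module prints one line per sample: the naive comparison reports `VULNERABLE_PLAIN` but not `VULNERABLE_TCP`, while the protocol-aware check reports both and leaves `22/udp` alone, since the issue only asks for `22` and `22/tcp` to be treated as the SSH port.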