netbox-docker CIS-DI-0009

Related Issue:

New Behavior

Download nginx-keyring.gpg and verify checksum at build time instead of use ADD.

Contrast to Current Behavior

Fixing https://github.com/goodwithtech/dockle/blob/master/CHECKPOINT.md#cis-di-0009 which was introduced with 1c8cdfa.

Discussion: Benefits and Drawbacks

ADD instruction introduces risks such as adding malicious files from URLs without scanning and unpacking procedure vulnerabilities.

Changes to the Wiki

Not needed.

Proposed Release Note Entry

Not needed really.

Double Check

[x] I have read the comments and followed the PR template.
[x] I have explained my PR according to the information in the comments.
[x] My PR targets the develop branch.

May 15 '25 07:05 waja

Hmm .. I see the problem (source can't be a URL for COPY) ... the issue mentioned in CIS-DI-0009 is still valid. But I can't imagine a way to solve this easily yet.

May 15 '25 07:05 waja

ADD has a parameter to verify the checksum: https://docs.docker.com/reference/dockerfile/#add---checksum

May 15 '25 09:05 tobiasge

This can be simplified by using the --checksum parameter of the ADD command.

Okay ... this seems "pretty" new ... :) Didn't recognised it yet. Changed the PR.

May 15 '25 09:05 waja

Seems like hadolint doesn't like (or know) about --checksum:

DOCKERFILE_HADOLINT
  2025-05-15 10:24:06 [INFO]   Linting DOCKERFILE_HADOLINT items...
  Error: -15 10:24:07 [ERROR]   Found errors when linting DOCKERFILE_HADOLINT. Exit code: 1.
  2025-05-15 10:24:07 [INFO]   Command output for DOCKERFILE_HADOLINT:
  ------
  /github/workspace/Dockerfile:52:5 invalid flag: --checksum

What's you suggestion? Doesn't look like a simple "ignore" is solving this.

May 15 '25 11:05 waja

Seems to be that problem: https://github.com/hadolint/hadolint/issues/985 I think we can ignore that for now.

May 15 '25 11:05 tobiasge

I moved the --checksum to the end of the ADD statement and hadolint is working well about this, but my local test is complaining about DL3020 error: Use COPY instead of ADD for files and folders now.

I can add it to .hadolint.yaml, but I'm unsure if this is the way you intend to fix it.

May 15 '25 11:05 waja

The latest CI run revealed that hadolint is also complaining there. But the bigger issue is, it seems the build environment seems to have issues with the ADD syntax.

May 15 '25 12:05 waja

@tobiasge I added a inline hadolint ignore, so this check is not disabled globally

May 16 '25 12:05 waja

If you look at the documentation of ADD https://docs.docker.com/reference/dockerfile/#add you can see that the options need to be placed before the source and destination.

May 16 '25 13:05 tobiasge

#10 [main  3/18] ADD https://unit.nginx.org/keys/nginx-keyring.gpg /usr/share/keyrings/nginx-keyring.gpg --chmod=444 --chown=0:0 --checksum=sha256:7d3d5a7adf37e17d6882e2f6f55324b9a8f978ef3c99c50fe801af67c9847c91
  #10 ERROR: failed to calculate checksum of ref cgo21278a3kk11hgospq0tdf7::pimc1tpuoeefuzy1txmbj1vnq: "/--chown=0:0": not found

When using the workaround not complaining hadolint, the ADD fails. When using the correct syntax of ADD hadolint is complaining about the flag --checksum:

Dockerfile:51:75 invalid flag: --checksum

So I don't know how to deal about that without doing the checksum check on buildtime at the moment.

May 16 '25 14:05 waja

Unfortunately hadolint hasn't a new release yet and so also super-linter 8 has no fixed hadolint.

Jul 18 '25 17:07 waja

Unfortunately hadolint hasn't a new release yet and so also super-linter 8 has no fixed hadolint.

Hadolint has got a new release. Hopefully super-linter will catch it soon.

Sep 03 '25 06:09 waja

@tobiasge hadolint has been updated by super-linter. Maybe let's try the pipeline again?

Oct 17 '25 09:10 waja

Because Nginx Unit was discontinued we switched to Granian. This PR is not needed any more.

Nov 12 '25 13:11 tobiasge