aligned_layer

fix(docker): Dockerfiles can be vulnerable to supply chain attacks

Open PatStiles opened this issue 1 year ago • 0 comments

Overview:

The Dockerfiles used to build the project are vulnerable to supply chain attacks. The vulnerability lies in the FROM directive in the Dockerfiles. The FROM directive is used without specifying a hash. The base image is pulled from the Docker Hub registry. If the base image is compromised, the entire image is compromised.

Mitigation:

Use a specific version of the base image and verify the integrity of the base image before building the image.

```dockerfile
# https://hub.docker.com/_/postgres
FROM postgres:16.3@sha256:d0f363f8366fbc3f52d172c6e76bc27151c3d643b870e1062b4e8bfe65baf609
...
FROM golang:1.22.4@sha256:c8736b8dbf2b12c98bb0eeed91eef58ecef52b8c2bd49b8044531e8d8d8d58e8
...
```
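As an added example (not code from this issue or from the aligned_layer project), a small Python checker that flags `FROM` lines which pull from a registry without a `@sha256:` digest, skipping references to earlier build stages and `scratch`; the Dockerfile content is constructed for illustration:

```python
import re

# Matches "FROM [--platform=...] <image>[:tag][@sha256:<hex>] [AS <name>]"
_FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)
# A digest-pinned reference ends in @sha256:<64 hex chars>
_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_base_images(dockerfile_text: str) -> list[tuple[int, str]]:
    """Return (line_number, image_ref) for every FROM that pulls an image
    from a registry without a sha256 digest. 'FROM <stage>' and
    'FROM scratch' pull nothing, so they are not reported."""
    findings = []
    stages = set()
    for lineno, line in enumerate(dockerfile_text.splitlines(), start=1):
        m = _FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group("ref"), m.group("alias")
        # Referencing an earlier stage (multi-stage build) or scratch is fine.
        if ref.lower() in stages or ref.lower() == "scratch":
            if alias:
                stages.add(alias.lower())
            continue
        if alias:
            stages.add(alias.lower())
        if not _DIGEST_RE.search(ref):
            findings.append((lineno, ref))
    return findings


# Constructed sample Dockerfile (hypothetical, not the project's own)
SAMPLE_DOCKERFILE = """\
# constructed example
FROM golang:1.22.4 AS builder
RUN go build -o /app ./...
FROM --platform=linux/amd64 postgres:16.3@sha256:d0f363f8366fbc3f52d172c6e76bc27151c3d643b870e1062b4e8bfe65baf609
FROM builder
FROM scratch
FROM ubuntu
"""

if __name__ == "__main__":
    for lineno, ref in unpinned_base_images(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: base image '{ref}' is not pinned by digest")
```

Running it on the sample reports the tag-only `golang:1.22.4` and the bare `ubuntu` line, while the digest-pinned postgres image passes.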

PatStiles · Sep 19 '24 15:09