ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6500/docker/rule.adoc
Jonas Wielage c101d61c31
Modify rule S6504: Update code example (#3143)
2023-09-25 13:59:44 +02:00

83 lines
2.1 KiB
Plaintext
Raw Permalink Blame History

Installing recommended packages automatically can lead to vulnerabilities in the
Docker image.
Potentially unnecessary packages are installed via a known Debian package
manager. These packages will increase the attack surface of the created
container as they might contain unidentified vulnerabilities or malicious code.
Those packages could be used as part of a broader supply chain attack.
In general, the more packages are installed in a container, the weaker its
security posture is. +
Depending on the introduced vulnerabilities, a malicious actor accessing such a
container could use these for privilege escalation. +
Removing unused packages can also significantly reduce your Docker image size.
To be secure, remove unused packages where possible and ensure images are
subject to routine vulnerability scans.
== Ask Yourself Whether
* Container vulnerability scans are not performed.
There is a risk if you answered yes to the question.
== Recommended Secure Coding Practices
* Avoid installing package dependencies that are not strictly required.
== Sensitive Code Example
[source,docker,diff-id=1,diff-type=noncompliant]
----
FROM ubuntu:22.04
# Sensitive
RUN apt install -y build-essential
# Sensitive
RUN apt-get install -y build-essential
# Sensitive
RUN aptitude install -y build-essential
----
== Compliant Solution
[source,docker,diff-id=1,diff-type=compliant]
----
FROM ubuntu:22.04
RUN apt --no-install-recommends install -y build-essential
RUN apt-get --no-install-recommends install -y build-essential
RUN aptitude --without-recommends install -y build-essential
----
== See
* https://www.debian.org/doc/debian-policy/ch-relationships.html[Debian Documentation] - Binary Dependencies
* https://ubuntu.com/blog/we-reduced-our-docker-images-by-60-with-no-install-recommends[Ubuntu Blog] - Container size reduction
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
== Message
* Make sure automatically installing recommended packages is safe here.
== Highlighting
Highlight the entire package manager statement.
'''
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink