Skip to content

feat: add a check to detect Dockerfile insecure patterns #1116

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat: add a check to detect Dockerfile insecure patterns #1116

wants to merge 3 commits into from

Conversation

achrafmag
Copy link
Contributor

Summary

Added a checker for insecure Dockerfile patterns.

Description of changes

Created security analyzer for Dockerfile following current available literature emphasizing:

  • Use of outdated or insecure base images (FROM)
  • Running containers as root (USER)
  • Copying sensitive files into the image (COPY, ADD)
  • Exposing insecure ports (EXPOSE)
  • Environment variable leaks (ENV)
  • Mounting unsafe host directories (VOLUME)
  • Use of potentially dangerous shell commands (RUN)

Related issues

Checklist

  • I have reviewed the contribution guide.
  • My PR title and commits follow the Conventional Commits convention.
  • My commits include the "Signed-off-by" line.
  • I have signed my commits following the instructions provided by GitHub. Note that we run GitHub's commit verification tool to check the commit signatures. A green verified label should appear next to all of your commits on GitHub.
  • [] I have updated the relevant documentation, if applicable.
  • I have tested my changes and verified they work as expected.

achrafmag added 2 commits June 25, 2025 11:48
@achrafmag
feat: add Dockerfile analysis for build command detection
07dbd0a 
Changes:

-Function find_dockerfile_from_job: handles finding Dockerfile inside workflow in 2 cases of workflow jobs: -run and -uses.

-Simple DockerNode class, so far it stores mainly the dockerfile path retrieved from workflow

-Parsing Dockerfile using dockerfile-parse and RUN instruction commands using bashparser.py

-Parsing and storing build commands found in Dockerfiles

Signed-off-by: Achraf Maghous <[email protected]>
@achrafmag
feat: add dockerfile checker for insecure patterns
3456d3c 
Changes:

-Created security analyzer for Dockerfile following current available literature emphasizing:

Use of outdated or insecure base images (FROM)

Running containers as root (USER)

Copying sensitive files into the image (COPY, ADD)

Exposing insecure ports (EXPOSE)

Environment variable leaks (ENV)

Mounting unsafe host directories (VOLUME)

Use of potentially dangerous shell commands (RUN)

Signed-off-by: Achraf Maghous <[email protected]>
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Jul 2, 2025
@tromai tromai changed the title Created a check for known Dockerfile insecure patterns feat: add a check to detect Dockerfile insecure patterns Jul 3, 2025
@achrafmag
feat: Creating unit tests for insecure_patterns_dockerfile_check
081a4c6 
Changes: -Added unit tests handling different Docker
files

Signed-off-by: Achraf Maghous <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@behnazh-w behnazh-w Awaiting requested review from behnazh-w behnazh-w is a code owner

@tromai tromai Awaiting requested review from tromai tromai is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
OCA Verified All contributors have signed the Oracle Contributor Agreement.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@achrafmag