Skip to content

feat: add a check to detect Dockerfile insecure patterns #1116

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat: add a check to detect Dockerfile insecure patterns #1116

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
07dbd0a
feat: add Dockerfile analysis for build command detection
achrafmag Jun 25, 2025
3456d3c
feat: add dockerfile checker for insecure patterns
achrafmag Jul 2, 2025
081a4c6
feat: Creating unit tests for insecure_patterns_dockerfile_check
achrafmag Jul 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@ dependencies = [
"problog >= 2.2.6,<3.0.0",
"cryptography >=44.0.0,<45.0.0",
"semgrep == 1.113.0",
"dockerfile-parse >= 2.0.1"
]
keywords = []
# https://pypi.org/classifiers/
Expand Down Expand Up @@ -79,6 +80,7 @@ dev = [
"pylint >=3.0.3,<4.0.0",
"cyclonedx-bom >=4.0.0,<5.0.0",
"types-beautifulsoup4 >= 4.12.0,<5.0.0",
"types-dockerfile-parse >= 2.0.0"
]
docs = [
"sphinx >=8.0.0,<9.0.0",
Expand Down
35 changes: 35 additions & 0 deletions src/macaron/slsa_analyzer/checks/build_script_check.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,12 +107,15 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
# we parse bash scripts that are reachable through CI only.
result_tables: list[CheckFacts] = []
ci_services = ctx.dynamic_data["ci_services"]

for tool in build_tools:
for ci_info in ci_services:
ci_service: BaseCIService = ci_info["service"]
# Checking if a CI service is discovered for this repo.
if isinstance(ci_service, NoneCIService):
continue

# Process regular workflow build commands
try:
for build_command in ci_service.get_build_tool_commands(
callgraph=ci_info["callgraph"], build_tool=tool
Expand Down Expand Up @@ -148,6 +151,38 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
except CallGraphError as error:
logger.debug(error)

# Process Docker build commands if the CI service has the method
if hasattr(ci_service, "get_docker_build_commands"):
try:
for build_command in ci_service.get_docker_build_commands(
callgraph=ci_info["callgraph"], build_tool=tool
):
logger.debug("Processing Docker build command %s", build_command)
# For Dockerfile, link to the Dockerfile itself
relative_path = os.path.relpath(build_command["ci_path"], ctx.component.repository.fs_path)
trigger_link = ci_service.api_client.get_file_link(
ctx.component.repository.full_name,
ctx.component.repository.commit_sha,
relative_path,
)
logger.debug("Trigger link for Docker build command: %s", trigger_link)

result_tables.append(
BuildScriptFacts(
build_tool_name=tool.name,
ci_service_name=ci_service.name,
build_trigger=trigger_link,
language=build_command["language"],
language_distributions=None,
language_versions=None,
language_url=None,
build_tool_command=tool.serialize_to_json(build_command["command"]),
confidence=Confidence.HIGH,
)
)
except CallGraphError as error:
logger.debug(error)

return CheckResultData(result_tables=result_tables, result_type=CheckResultType.PASSED)


Expand Down
Loading
Loading