bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

CKV_DOCKER_9 fires when `apt` appears as an argument (e.g. to `rm -rf` ) #6310

Closed jeffcasavant closed 3 months ago

jeffcasavant commented 4 months ago

Describe the issue

CKV_DOCKER_9 correctly pushes me to use apt-get instead of apt. In my current Dockerfile, I am installing several packages with apt-get, and then I do the following:

```sh
cd /var/lib && rm -rf apt dpkg cache log
```

This causes CKV_DOCKER_9 to fire.

Examples

```dockerfile
FROM ubuntu

RUN apt-get update && \
    apt-get install --yes --no-install-recommends \
        git && \
    apt-get clean autoclean && \
    apt-get autoremove --yes && \
    cd /var/lib && \
    rm -rf apt dpkg cache log
```

Version (please complete the following information):

naveednawazkhan commented 4 months ago

Thank you for reaching out. We'll look into this, but as a workaround try the following code to avoid the alert.

```dockerfile
FROM ubuntu

RUN apt-get update && \
    apt-get install --yes --no-install-recommends \
        git && \
    apt-get clean autoclean && \
    apt-get autoremove --yes && \
    cd /var/lib && \
    rm -rf /var/lib/{apt,dpkg,cache,log}
```

jeffcasavant commented 4 months ago

That was my original formulation, but hadolint was complaining that the bracket expansion thing isn't POSIX.

Combined with SHELL /bin/bash that should work, I think.
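The false positive in this thread comes from treating any `apt` word in a `RUN` line as a use of the `apt` CLI. The script below is an added illustration written for this page, not checkov's implementation of CKV_DOCKER_9: it splits each `RUN` script into simple commands at shell control operators and only reports `apt` when it sits in command position (after any leading `VAR=value` assignments or `sudo`-style prefixes), so `rm -rf apt dpkg cache log` is no longer reported while `apt install` still is. The two Dockerfile samples are constructed from the snippets above plus an exec-form `RUN`; `naive_word_match` is a deliberately simplistic comparison heuristic, not checkov's logic.

```python
import json
import re
import shlex

# Shell control operators that end one simple command and start the next.
SEPARATORS = {"&&", "||", ";", "|", "&"}
# Wrapper words that precede the real executable name.
PREFIX_WORDS = {"sudo", "env", "time", "nice", "exec"}

# Constructed sample: the Dockerfile from the issue (should NOT be reported).
FALSE_POSITIVE = """FROM ubuntu
RUN apt-get update && \\
    apt-get install --yes --no-install-recommends \\
        git && \\
    apt-get clean autoclean && \\
    apt-get autoremove --yes && \\
    cd /var/lib && \\
    rm -rf apt dpkg cache log
"""

# Constructed sample: real uses of `apt`, in shell form and exec form (SHOULD be reported).
TRUE_POSITIVE = """FROM ubuntu
RUN DEBIAN_FRONTEND=noninteractive apt update && apt install -y git
RUN ["apt", "install", "-y", "curl"]
"""


def run_instructions(dockerfile):
    """Yield the script part of every RUN instruction, with line continuations joined."""
    text = re.sub(r"\\\r?\n", " ", dockerfile)
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.upper().startswith("RUN "):
            yield stripped[4:].strip()


def split_commands(script):
    """Split a shell script into simple commands (token lists) at control operators."""
    lexer = shlex.shlex(script, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def command_name(tokens):
    """Return the executable's basename, skipping VAR=value assignments and wrapper words."""
    for tok in tokens:
        if re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*=.*", tok):
            continue  # e.g. DEBIAN_FRONTEND=noninteractive
        if tok in PREFIX_WORDS:
            continue
        return tok.rsplit("/", 1)[-1]  # /usr/bin/apt -> apt
    return None


def find_apt_commands(dockerfile):
    """Return every simple command whose executable is `apt` (command position only)."""
    hits = []
    for script in run_instructions(dockerfile):
        if script.startswith("["):
            cmds = [json.loads(script)]  # exec form: RUN ["apt", "install", ...]
        else:
            cmds = split_commands(script)
        for tokens in cmds:
            if command_name(tokens) == "apt":
                hits.append(" ".join(tokens))
    return hits


def naive_word_match(dockerfile):
    """Simplistic heuristic for comparison: any bare `apt` token anywhere in a RUN script."""
    return any("apt" in shlex.split(script) for script in run_instructions(dockerfile))


if __name__ == "__main__":
    for name, sample in (("false positive", FALSE_POSITIVE), ("true positive", TRUE_POSITIVE)):
        print(name, "naive:", naive_word_match(sample), "positional:", find_apt_commands(sample))
```

The positional check still has limits worth knowing: it does not follow `sh -c "..."` strings, subshells, or variables that expand to a command name, so a script built to evade it can, but that is acceptable for a lint rule whose purpose is nudging authors toward `apt-get`, where a false negative is cheaper than a false positive in a build pipeline.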