bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

False positive on CKV_DOCKER_9 #6567

Closed jefimm closed 1 month ago

jefimm commented 1 month ago

Dockerfile check fails with checkov 3.2.180 on an Intel Mac.

It used to pass with the previous version.

command: checkov -d . --framework dockerfile --skip-check CKV_DOCKER_2,CKV_DOCKER_4,CKV_DOCKER_7,CKV_DOCKER_3

dockerfile:

FROM cypress/included:13.6.1
RUN apt-get update -qq && apt-get install -y gnupg curl && \
    echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list && \
    curl -sf https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key --keyring /usr/share/keyrings/cloud.google.gpg add - && \
    apt-get update && apt-get install -y google-cloud-sdk kubectl google-cloud-sdk-gke-gcloud-auth-plugin && apt-get clean

error:

Check: CKV_DOCKER_9: "Ensure that APT isn't used"
    FAILED for resource: /Dockerfile.RUN
    File: /Dockerfile:3-6
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apt-is-not-used

        3 | RUN apt-get update -qq && apt-get install -y gnupg curl && \
        4 |     echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list && \
        5 |     curl -sf https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key --keyring /usr/share/keyrings/cloud.google.gpg add - && \
        6 |     apt-get update && apt-get install -y google-cloud-sdk kubectl google-cloud-sdk-gke-gcloud-auth-plugin && apt-get clean

It looks like it does not like https://packages.cloud.google.com/apt

achiar99 commented 1 month ago

@jefimm Hello. The definition of this check: if the command contains apt and not rm, we consider this check as failed. You can take a look here - https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/RunUsingAPT.py
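
To see why the RUN line in this issue trips a text-based rule while a command-aware one does not, here is an added Python illustration; it is not checkov's code (RunUsingAPT.py linked above is the real check), and both functions, `naive_uses_apt` and `uses_apt_binary`, are simplified stand-ins written for this comparison.

```python
import os
import re
import shlex

# Constructed copy of the RUN instruction from the issue, with the
# Dockerfile's backslash line continuations kept in place.
RUN_FROM_ISSUE = (
    "apt-get update -qq && apt-get install -y gnupg curl && \\\n"
    '    echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] '
    'https://packages.cloud.google.com/apt cloud-sdk main" | tee -a '
    "/etc/apt/sources.list.d/google-cloud-sdk.list && \\\n"
    "    curl -sf https://packages.cloud.google.com/apt/doc/apt-key.gpg | "
    "apt-key --keyring /usr/share/keyrings/cloud.google.gpg add - && \\\n"
    "    apt-get update && apt-get install -y google-cloud-sdk kubectl "
    "google-cloud-sdk-gke-gcloud-auth-plugin && apt-get clean"
)


def naive_uses_apt(command: str) -> bool:
    """Text rule in the spirit of the thread's description: fail when 'apt'
    appears as a word followed by whitespace and no 'rm' is present.
    The repository URL '.../apt cloud-sdk' satisfies it: a false positive."""
    return re.search(r"\bapt\s", command) is not None and "rm" not in command


def uses_apt_binary(command: str) -> bool:
    """Fail only when some shell segment actually invokes the apt program.

    Split the RUN string on the shell operators && || ; and |, tokenise each
    segment with shlex, skip leading VAR=value assignments and sudo, and
    compare the basename of the first remaining token with 'apt'.
    Simplification: operators inside quotes are not treated specially."""
    joined = command.replace("\\\n", " ")
    for segment in re.split(r"&&|\|\||;|\|", joined):
        try:
            tokens = shlex.split(segment)
        except ValueError:  # unbalanced quotes in a fragment; fall back
            tokens = segment.split()
        while tokens and (tokens[0] == "sudo" or re.fullmatch(r"\w+=.*", tokens[0])):
            tokens.pop(0)
        if tokens and os.path.basename(tokens[0]) == "apt":
            return True
    return False


if __name__ == "__main__":
    print("naive:", naive_uses_apt(RUN_FROM_ISSUE))          # True (false positive)
    print("token-based:", uses_apt_binary(RUN_FROM_ISSUE))   # False
    print("token-based:", uses_apt_binary("apt install -y curl"))  # True
```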

IUADE0H5 commented 1 month ago

@achiar99 Can you add a note to the docs/error message that apt-get is preferable? There is no word on how to "fix" the error; I only got the idea from the check description on GitHub.

jefimm commented 1 month ago

As you may see, there is no apt command in the Dockerfile.

tsmithv11 commented 1 month ago

Thanks for flagging, @jefimm. It should be fixed with this PR: https://github.com/bridgecrewio/checkov/pull/6611

@IUADE0H5 thank you as well. You were right that the docs were not clear. Updated here: https://github.com/hlxsites/prisma-cloud-docs/pull/783