tenable / terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
https://runterrascan.io
Apache License 2.0

Support for Dockerfiles with heredocs #1016

Open cesar-rodriguez opened 2 years ago

cesar-rodriguez commented 2 years ago

Description

Dockerfiles now support the heredocs syntax. I tried executing Terrascan against a Dockerfile with this syntax, but it's confusing the docker parser.

What I Did

$ cat Dockerfile 
FROM debian
RUN <<eot bash
    apt-get update
    apt-get install -y vim
eot
$ terrascan scan -i docker
2021-09-10T22:21:36.416-0400    error   v1/load-file.go:52  error while parsing dockerfile /Users/cesar/programming/terrascan-vulnerability-management/docker/Dockerfile%!(EXTRA *errors.withStack=unknown instruction: APT-GET)
2021-09-10T22:21:36.419-0400    error   v1/load-dir.go:54   error while searching for iac files%!(EXTRA zapcore.Field={root dir 15 0 /Users/cesar/programming/terrascan-vulnerability-management/docker <nil>}, string=error while parsing file /Users/cesar/programming/terrascan-vulnerability-management/docker/Dockerfile)

Scan Summary -

    File/Folder         :   /Users/cesar/programming/terrascan-vulnerability-management/docker
    IaC Type            :   docker
    Scanned At          :   2021-09-11 02:21:37.720936 +0000 UTC
    Policies Validated  :   777
    Violated Policies   :   0
    Low                 :   0
    Medium              :   0
    High                :   0

d-mankowski-synerise commented 1 year ago

A recent Docker update promoted Buildx/BuildKit to be the default builder, hence heredocs are supported without setting DOCKER_BUILDKIT=1. It seems it wouldn't be hard to add support for it in Terrascan, since the module imported by the parser also supports heredocs.
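The parser confusion both posts describe, as an added example in Go that is not Terrascan's or BuildKit's own code: a minimal line-oriented Dockerfile parser that reproduces the `unknown instruction: APT-GET` failure when it ignores heredocs, and a heredoc-aware mode that attaches the body lines to the opening instruction instead. The `known` instruction set and `sampleDockerfile` are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Instruction is one Dockerfile instruction; Heredoc holds its `<<EOT` body lines, if any.
type Instruction struct {
	Name, Args string
	Heredoc    []string
}
var known = map[string]bool{"FROM": true, "RUN": true, "COPY": true, "ADD": true, "ENV": true, "CMD": true}
// sampleDockerfile is the constructed input copied from the issue report.
const sampleDockerfile = "FROM debian\nRUN <<eot bash\n    apt-get update\n    apt-get install -y vim\neot\n"

// parseDockerfile is a small line-oriented parser. With heredocAware=false a body line such as
// "apt-get update" fails with "unknown instruction: APT-GET", as in the report; with true it is kept.
func parseDockerfile(src string, heredocAware bool) ([]Instruction, error) {
	var out []Instruction
	term := "" // terminator word while inside a heredoc body, else ""
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		if term != "" { // inside a heredoc: collect lines until the terminator
			if line == term {
				term = ""
			} else {
				out[len(out)-1].Heredoc = append(out[len(out)-1].Heredoc, line)
			}
			continue
		}
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		name, args, _ := strings.Cut(line, " ")
		if name = strings.ToUpper(name); !known[name] {
			return out, fmt.Errorf("unknown instruction: %s", name)
		}
		out = append(out, Instruction{Name: name, Args: strings.TrimSpace(args)})
		if heredocAware {
			for _, tok := range strings.Fields(args) { // `<<EOT`, `<<-EOT` or `<<"EOT"` opens a body
				if strings.HasPrefix(tok, "<<") {
					term = strings.Trim(strings.TrimPrefix(tok[2:], "-"), `"'`)
				}
			}
		}
	}
	return out, nil
}
```

Running `parseDockerfile(sampleDockerfile, false)` returns the same `unknown instruction: APT-GET` error as the report, while the heredoc-aware call returns a RUN instruction carrying the two `apt-get` lines as its body.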