Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add docker release to the full release process for final releases #51

Merged
merged 50 commits into from
May 20, 2024

remove unused script

201f3e2
Select commit
Loading
Failed to load commit list.
Merged

Add docker release to the full release process for final releases #51

remove unused script
201f3e2
Select commit
Loading
Failed to load commit list.
Wiz Inc. (266a8a9c32) / Wiz IaC Scanner completed May 20, 2024 in 2s

Wiz IaC Scanner

G'Day, Magician of Memory Heaps! 🪄

The elixirs of revelation brewed by Wiz unearthed concealed truths in this code. 🧪📜

Revealing IaC misconfigurations with Wiz 🪄

🔮 IaC Misconfigurations Detected: 4

0C 2H 1M 0L 1I

― Note from Wiz: "Keep casting your code spells, magician of the digital realm! ‍✨"

Annotations

Check failure on line 28 in docker/Dockerfile

See this annotation in the file changed.

@wiz-inc-266a8a9c32 wiz-inc-266a8a9c32 / Wiz IaC Scanner

Missing User Instruction

Rule ID: e54afcf9-dc71-484a-8967-d930e3044062
Severity: High
Resource: FROM={{base as dbt-postgres}}

A user should be specified in the dockerfile, otherwise the image will run as root
Raw output
Expected: The 'Dockerfile' should contain the 'USER' instruction
Found: The 'Dockerfile' does not contain any 'USER' instruction

Check failure on line 42 in docker/dev.Dockerfile

See this annotation in the file changed.

@wiz-inc-266a8a9c32 wiz-inc-266a8a9c32 / Wiz IaC Scanner

Missing User Instruction

Rule ID: e54afcf9-dc71-484a-8967-d930e3044062
Severity: High
Resource: FROM={{base as dbt-postgres-dev}}

A user should be specified in the dockerfile, otherwise the image will run as root
Raw output
Expected: The 'Dockerfile' should contain the 'USER' instruction
Found: The 'Dockerfile' does not contain any 'USER' instruction

Check warning on line 37 in docker/Dockerfile

See this annotation in the file changed.

@wiz-inc-266a8a9c32 wiz-inc-266a8a9c32 / Wiz IaC Scanner

Unpinned Package Version in Pip Install

Rule ID: 1f0d05d7-8caf-4f04-bc60-332d472de5a9
Severity: Medium
Resource: FROM={{base as dbt-postgres}}.{{RUN python -m pip install --no-cache-dir "dbt-postgres @ git+https://github.com/dbt-labs/dbt-postgres@${commit_ref}"}}

Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
Raw output
Expected: RUN instruction with 'pip/pip3 install <package>' should use package pinning form 'pip/pip3 install <package>=<version>'
Found: RUN instruction python -m pip install --no-cache-dir "dbt-postgres @ git+https://github.com/dbt-labs/dbt-postgres@main" does not use package pinning form

Check notice on line 8 in docker/dev.Dockerfile

See this annotation in the file changed.

@wiz-inc-266a8a9c32 wiz-inc-266a8a9c32 / Wiz IaC Scanner

APT-GET Not Avoiding Additional Packages

Rule ID: 0cbafd91-7f35-4000-b40a-bebedb7bb5f8
Severity: None
Resource: FROM={{ubuntu:22.04 as base}}.{{RUN apt-get update   && apt-get install -y software-properties-common=0.99.22.9   && add-apt-repository -y ppa:deadsnakes/ppa   && apt-get clean   && rm -rf     /var/lib/apt/lists/*     /tmp/*     /var/tmp/*}}

Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.
Raw output
Expected: 'RUN apt-get update   && apt-get install -y software-properties-common=0.99.22.9   && add-apt-repository -y ppa:deadsnakes/ppa   && apt-get clean   && rm -rf     /var/lib/apt/lists/*     /tmp/*     /var/tmp/*' uses '--no-install-recommends' flag to avoid installing additional packages
Found: 'RUN apt-get update   && apt-get install -y software-properties-common=0.99.22.9   && add-apt-repository -y ppa:deadsnakes/ppa   && apt-get clean   && rm -rf     /var/lib/apt/lists/*     /tmp/*     /var/tmp/*' does not use '--no-install-recommends' flag to avoid installing additional packages