Add docker release to the full release process #963
Wiz IaC Scanner
Revealing IaC misconfigurations with Wiz 🪄
🔮 IaC Misconfigurations Detected: 5
Annotations
Check failure on line 29 in docker/Dockerfile
wiz-inc-266a8a9c32 / Wiz IaC Scanner
Missing User Instruction
Rule ID: e54afcf9-dc71-484a-8967-d930e3044062
Severity: High
Resource: FROM={{base as dbt-snowflake}}
A user should be specified in the dockerfile, otherwise the image will run as root
Raw output
Expected: The 'Dockerfile' should contain the 'USER' instruction
Found: The 'Dockerfile' does not contain any 'USER' instruction
Check failure on line 38 in docker/dev.Dockerfile
Missing User Instruction
Rule ID: e54afcf9-dc71-484a-8967-d930e3044062
Severity: High
Resource: FROM={{base as dbt-snowflake-dev}}
A user should be specified in the dockerfile, otherwise the image will run as root
Raw output
Expected: The 'Dockerfile' should contain the 'USER' instruction
Found: The 'Dockerfile' does not contain any 'USER' instruction
Check warning on line 38 in docker/Dockerfile
Unpinned Package Version in Pip Install
Rule ID: 1f0d05d7-8caf-4f04-bc60-332d472de5a9
Severity: Medium
Resource: FROM={{base as dbt-snowflake}}.{{RUN python -m pip install --no-cache-dir "dbt-snowflake @ git+https://github.com/dbt-labs/${dbt_snowflake_ref}"}}
Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
Raw output
Expected: RUN instruction with 'pip/pip3 install <package>' should use package pinning form 'pip/pip3 install <package>=<version>'
Found: RUN instruction python -m pip install --no-cache-dir "dbt-snowflake @ git+https://github.com/dbt-labs/dbt-snowflake@main" does not use package pinning form
Check warning on line 5 in docker/Dockerfile
Using Platform Flag with FROM Command
Rule ID: c5e5995a-7d8e-4fbb-8dce-880a79438927
Severity: Medium
Resource: FROM={{--platform=$build_for python:$py_version-slim-bullseye as base}}.{{FROM --platform=$build_for python:$py_version-slim-bullseye as base}}
Don't use '--platform' flag with FROM
Raw output
Expected: FROM={{--platform=$build_for python:$py_version-slim-bullseye as base}}.{{FROM --platform=$build_for python:$py_version-slim-bullseye as base}} shouldn't use the flag '--platform'
Found: FROM={{--platform=$build_for python:$py_version-slim-bullseye as base}}.{{FROM --platform=$build_for python:$py_version-slim-bullseye as base}} uses the flag '--platform'
Check notice on line 8 in docker/dev.Dockerfile
APT-GET Not Avoiding Additional Packages
Rule ID: 0cbafd91-7f35-4000-b40a-bebedb7bb5f8
Severity: None
Resource: FROM={{ubuntu:22.04 as base}}.{{RUN apt-get update && apt-get install -y software-properties-common=0.99.22.9 && add-apt-repository -y ppa:deadsnakes/ppa && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*}}
Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.
Raw output
Expected: 'RUN apt-get update && apt-get install -y software-properties-common=0.99.22.9 && add-apt-repository -y ppa:deadsnakes/ppa && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*' uses '--no-install-recommends' flag to avoid installing additional packages
Found: 'RUN apt-get update && apt-get install -y software-properties-common=0.99.22.9 && add-apt-repository -y ppa:deadsnakes/ppa && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*' does not use '--no-install-recommends' flag to avoid installing additional packages