Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Scorecard:Docker-Deps]: Docker dependencies not pinned #19

Open
laurentsimon opened this issue Jun 2, 2021 · 0 comments
Open

[Scorecard:Docker-Deps]: Docker dependencies not pinned #19

laurentsimon opened this issue Jun 2, 2021 · 0 comments

Comments

@laurentsimon
Copy link
Owner

Hi team,

I ran OSSF's scorecard) on your repo and it reported the following non-pinned docker dependencies:

!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-bla2'
!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-bla1'
!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-alpine'

In light of recent supply chain attacks like codecov, it would be useful to pin the dependencies by hash.

Pinning by version or any floating tag does not protect sufficiently, since it allows attackers to update the dependencies if they can compromise a project.

@laurentsimon @laurentsimon2 FYI

** How to fix **
The fix is to use a hash to pin the dependencies. You can find an example here.

To find the hash corresponding hash to your dependency, run:

$ docker pull <dep>
...
Digest: sha256:acf7795dc91df17e10effee064bd229580a9c34213b4dba578d64768af5d8c51
...

Updates remain feasible. Project owners usually enable github's dependabot through this settings. Dependabot will automatically
create PRs that you can review, accept or reject when new versions of your dependencies become available.

It is recommended to accept dependabot PRs regularly to receive security patches.

Several projects are taking steps to address the same issue, e.g. envoy proxy.

Please let me know if you have any questions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant