AC_DOCKER_0041 false positive for "FROM scratch" in Dockerfile #1613

Open
jspiers opened this issue Sep 15, 2023 · 2 comments

Comments

jspiers commented Sep 15, 2023

  • terrascan version: 1.18.3
  • Operating System: Ubuntu 22.04

Description

Linting a Dockerfile which includes a FROM scratch statement triggers a failure of AC_DOCKER_0041, which insists on specifying a tag other than "latest" even though the reserved Docker image scratch has no such tags.

Example Dockerfile for a lightweight Go-based image

# Build stage: compile a static binary (CGO disabled) so it can run on an empty base image
FROM golang:1.21-alpine AS build
RUN apk update && apk add --no-cache \
        git \
        ca-certificates
COPY *.go go.* /src/
RUN mkdir -p /src/demo
WORKDIR /src/
RUN CGO_ENABLED=0 go build -o /bin/demo

# Final stage: the reserved "scratch" image is empty and has no tags at all
# trunk-ignore(terrascan/AC_DOCKER_0041): need to ignore AC_DOCKER_0041 because of the following line
FROM scratch
# Copy the CA bundle so the binary can verify TLS peers, then the binary itself
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /bin/demo /bin/demo
ENTRYPOINT ["/bin/demo"]
lisenet commented Oct 13, 2023

That's likely because the policy is configured to look for a colon : and assume that the image that is used is latest when no colon was defined. Well, that's just lazy writing.

robmaw added a commit to robmaw/terrascan that referenced this issue Nov 9, 2023
By default, in a docker FROM statement, if no tag is specified, it is treated as the :latest tag.
This is flagged by rule AC_DOCKER_0041, but the current rego implementation of the rule erroneously includes the case when the FROM references the special reserved 'image' - "scratch" - ref https://hub.docker.com/_/scratch 
This PR ensures FROM scratch is not flagged.
@weldevops

We encountered the same error when calling FROM for references to aliased images and suppressed the rule altogether.

FROM image:version AS base
...
# Errors here.
FROM base AS publish
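The two comments above describe how the rule works (it looks for a colon and assumes :latest when there is none) and why it misfires on the reserved scratch image; the last comment adds the stage-alias case (FROM base AS publish). Below is an added example of the check written correctly, in Go, which is terrascan's implementation language but not terrascan's own Rego policy; nothing here is taken from the project. The function names, the constructed sample Dockerfile, and the extra exemptions for digest-pinned images, build-arg references and registry ports are my assumptions about what a practitioner would want, not something the thread states.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding records one FROM instruction that an AC_DOCKER_0041-style rule should flag.
type Finding struct {
	Line  int    // 1-based line in the Dockerfile
	Image string // image reference as written
	Why   string // reason it was flagged
}

// CheckLatestTag walks a Dockerfile and reports FROM instructions whose base
// image is untagged (Docker then implies :latest) or explicitly tagged :latest.
// It skips the reserved "scratch" image, references to earlier build stages
// introduced with "AS <name>", digest-pinned images and ARG/variable references.
func CheckLatestTag(dockerfile string) []Finding {
	var findings []Finding
	stages := map[string]bool{} // stage aliases seen so far (Docker lowercases them)
	for i, raw := range strings.Split(dockerfile, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if !strings.EqualFold(fields[0], "FROM") {
			continue
		}
		args := fields[1:]
		// Drop leading flags such as --platform=linux/amd64.
		for len(args) > 0 && strings.HasPrefix(args[0], "--") {
			args = args[1:]
		}
		if len(args) == 0 {
			continue
		}
		image := args[0]
		// Register the alias so a later "FROM <alias>" is recognised as a stage.
		if len(args) == 3 && strings.EqualFold(args[1], "AS") {
			stages[strings.ToLower(args[2])] = true
		}
		if why, flagged := classify(image, stages); flagged {
			findings = append(findings, Finding{Line: i + 1, Image: image, Why: why})
		}
	}
	return findings
}

// classify decides whether a single image reference should be flagged.
func classify(image string, stages map[string]bool) (string, bool) {
	lower := strings.ToLower(image)
	if lower == "scratch" {
		return "", false // reserved empty image; it has no tags at all
	}
	if stages[lower] {
		return "", false // earlier build stage, not a registry image
	}
	if strings.HasPrefix(image, "$") {
		return "", false // ARG/variable reference; resolve it before judging
	}
	if strings.Contains(image, "@") {
		return "", false // pinned by digest, which is stricter than any tag
	}
	// A colon is only a tag separator after the last "/"; before it, the colon
	// belongs to a registry port such as registry.local:5000/app.
	name := image
	if slash := strings.LastIndex(image, "/"); slash >= 0 {
		name = image[slash+1:]
	}
	tag := ""
	if colon := strings.Index(name, ":"); colon >= 0 {
		tag = name[colon+1:]
	}
	switch tag {
	case "":
		return "no tag given, Docker defaults to :latest", true
	case "latest":
		return "explicit :latest tag", true
	}
	return "", false
}

// sampleDockerfile is constructed for this example; it mixes the cases from the thread
// (scratch, stage alias) with a few others a real policy has to get right.
const sampleDockerfile = `FROM golang:1.21-alpine AS build
# the reserved empty image has no tags, so it must not be flagged
FROM scratch
FROM image:version AS base
FROM base AS publish
FROM alpine
FROM --platform=linux/amd64 ubuntu:latest
FROM nginx@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM registry.local:5000/app
`

func main() {
	for _, f := range CheckLatestTag(sampleDockerfile) {
		fmt.Printf("line %d: %s (%s)\n", f.Line, f.Image, f.Why)
	}
}
```

Run against the sample, only lines 6, 7 and 9 are reported (alpine, ubuntu:latest, registry.local:5000/app); scratch, the stage alias base and the digest-pinned nginx pass. The alias map is filled in document order, so an alias is only honoured once its defining stage has appeared, which matches how Docker resolves it.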
