7 new rules to clean your Dockerfiles

Hello,

We just added 7 new rules to help you write cleaner Dockerfiles:

  • S4507: Delivering code in production with debug features activated is security-sensitive
  • S6502: Disabling builder sandboxes is security-sensitive
  • S6472: Using ENV or ARG to handle secrets is security-sensitive
  • S2612: Dangerous “chmod” options on COPY, ADD, and RUN instructions
  • S6497: Using a container image based on its digest is security-sensitive
  • S6474: Sharing the host’s network namespace is security-sensitive
  • S6500: Installing unnecessary packages is security-sensitive

This is available now on SonarCloud and will be part of SonarQube 10.0 soon.

Alex

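To make the list concrete, here is an added example (not SonarSource's rule documentation and not part of the original post): one Dockerfile that shows, for five of the seven rules, the instruction shape the rule targets commented out beside a cleaner alternative. The exact trigger conditions of each rule, the `npm_token` secret id and the `fetch-deps.sh` script are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not SonarSource's own rule documentation. Flagged forms are
# left as comments; what exactly triggers each rule is assumed here.
FROM debian:bookworm-slim

# --- S6500: unnecessary packages -------------------------------------------
# Flagged: editors/recommends and the apt cache end up in the shipped image.
# RUN apt-get update && apt-get install -y curl vim
# Alternative: only what the image needs, no recommends, cache removed.
RUN apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates \
    && rm -rf /var/lib/apt/lists/*

# --- S2612: dangerous chmod on COPY/ADD/RUN --------------------------------
# Flagged: world-writable application files.
# COPY --chmod=777 app/ /srv/app/
# Alternative: readable and executable by the runtime user, writable by nobody.
COPY --chmod=0555 app/ /srv/app/

# --- S6472: secrets via ENV/ARG --------------------------------------------
# Flagged: the value is stored in image metadata (visible with `docker history`)
# even if the variable is unset in a later instruction.
# ARG NPM_TOKEN
# ENV NPM_TOKEN=$NPM_TOKEN
# Alternative: a BuildKit secret mount, present only during this RUN step and
# never written to a layer. Build with: --secret id=npm_token,src=./token.txt
# (fetch-deps.sh is a hypothetical script that reads $NPM_TOKEN).
RUN --mount=type=secret,id=npm_token,required=true \
    NPM_TOKEN="$(cat /run/secrets/npm_token)" /srv/app/fetch-deps.sh

# --- S6474 / S6502: host network and builder sandbox -----------------------
# Flagged: a build step that leaves the default network or sandbox.
# RUN --network=host /srv/app/fetch-deps.sh
# RUN --security=insecure /srv/app/fetch-deps.sh
# Alternative: keep the defaults; fetch what a step needs through the secret
# mount above and ordinary egress instead of widening the build's privileges.

# --- S4507: debug features in production -----------------------------------
# Flagged: a debug switch enabled in the image that ships to production.
# ENV DEBUG=true
# Alternative: off by default; turn it on per container at runtime if needed.
ENV DEBUG=false

# Run as an unprivileged user rather than root.
USER 65534:65534
CMD ["/srv/app/start.sh"]
```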

I believe that S6497: Using a container image based on its digest is security-sensitive advises users to do the opposite of what they should be doing, so I’ve created a topic requesting that the rule be changed: "S6497: Pulling an image based on its digest is security-sensitive" is harmful to security
