"Omitting --ignore-scripts can lead to execution of shell scripts"

We are currently getting a vulnerability that is being flagged in our Dockerfile several times - each time that the word ‘yarn’ appears within the Dockerfile.

The recommendation is to append --ignore-scripts to disable the execution of post-install scripts - however - as far as I can tell the --ignore-scripts can only be appended to the yarn install command, not other commands such as apk add yarn or yarn test:coverage

Is this a bug in the scanner itself?

Hi @faheemgani,

indeed, this is a false positive and we will fix this issue in the next release.
I created a ticket so you can track the process.



This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.