ALM used: Azure DevOps
CI system used: SonarCloud paid plan - Azure DevOps
Languages of the repository
Only a Dockerfile in repository
Error observed
First of all, thank you for having corrected the problem in this topic: Dockerfile indexed with language 'null'.
My problem is still linked to the Dockerfile.
SonarCloud indexes and treats my file, but although it has a security error, the quality gate does not identify it.
My quality gate has the rule active, and does not recognize the problem, neither from a pull request, nor from my main branch or a scan on the main branch directly.
In the analysis, the new lines are recognized as new lines of code but are not classified as High Severity, as described in rule docker:S6437 (Credentials should not be hard-coded).
I would like to know if it is an error on my part or if there is really a problem in the service.
- Steps to reproduce

```dockerfile
FROM ***.jfrog.io/dotnet/sdk:6.0 AS BuildEnv
WORKDIR /app
RUN dotnet new webapp
RUN dotnet publish -c Release -o output

FROM ***.jfrog.io/dotnet/runtime:6.0-alpine3.17
WORKDIR /app
COPY --from=BuildEnv /app/output .
EXPOSE 8080
ENTRYPOINT [ "dotnet" , "app.dll" ]
```

```dockerfile
FROM ***.jfrog.io/dotnet/sdk:6.0 AS BuildEnv
WORKDIR /app
# Noncompliant
RUN ssh-keygen -N "passphrase" -t rsa -b 2048 -f /etc/ssh/rsa_key
RUN /example.sh --ssh /etc/ssh/rsa_key
RUN dotnet new webapp
RUN dotnet publish -c Release -o output

FROM ***.jfrog.io/dotnet/runtime:6.0-alpine3.17
WORKDIR /app
COPY --from=BuildEnv /app/output .
EXPOSE 8080
ENTRYPOINT [ "dotnet" , "app.dll" ]
```

```yaml
trigger: none

pool:
  vmImage: ubuntu-latest

steps:
  - checkout: self
    fetchDepth: 0
  - task: SonarCloudPrepare@1
    inputs:
      SonarCloud: '***'
      organization: '***'
      scannerMode: 'CLI'
      configMode: 'manual'
      cliProjectKey: '***'
      cliProjectName: '***'
      cliSources: 'SonarCloud/sonar-docker'
      extraProperties: |
        sonar.verbose=true
  - task: SonarCloudAnalyze@1
    displayName: 'Run SonarCloud analysis'
  - task: SonarCloudPublish@1
    displayName: 'Publish results on build summary'
```
Thank you very much for your help.
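While the quality gate is not reporting the finding, a local pre-check for the specific pattern in the post (a literal passphrase passed to `ssh-keygen -N` in a `RUN` instruction, the noncompliant case of rule docker:S6437) can be run in the pipeline. This is added example code, not from the post or from SonarSource; the Dockerfile sample is constructed from the noncompliant one above with line breaks restored, and the check only covers the shell form of `RUN` and the `-N` option, not every kind of hard-coded credential the rule describes.

```python
import re
import shlex

# Constructed sample: the build stage of the noncompliant Dockerfile from the post.
DOCKERFILE = """FROM ***.jfrog.io/dotnet/sdk:6.0 AS BuildEnv
WORKDIR /app
# Noncompliant
RUN ssh-keygen -N "passphrase" -t rsa -b 2048 -f /etc/ssh/rsa_key
RUN /example.sh --ssh /etc/ssh/rsa_key
RUN dotnet new webapp
RUN dotnet publish -c Release -o output
"""


def run_instructions(text):
    """Yield (line_no, command) for each RUN instruction, joining '\\' continuations."""
    logical, start = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments never start or end an instruction
        if not logical:
            start = no
        if line.endswith("\\"):
            logical.append(line[:-1])
            continue
        logical.append(line)
        full = " ".join(logical)
        logical = []
        if full.upper().startswith("RUN "):
            yield start, full[4:].strip()


def hardcoded_ssh_passphrases(text):
    """Return (line_no, passphrase) for every ssh-keygen call with a literal -N value."""
    findings = []
    for no, cmd in run_instructions(text):
        # Split on shell operators so each ssh-keygen invocation is examined on its own.
        for part in re.split(r"&&|\|\||;|\|", cmd):
            try:
                argv = shlex.split(part)
            except ValueError:  # unbalanced quotes: not a parseable shell command
                continue
            if not argv or argv[0] != "ssh-keygen":
                continue
            for i, tok in enumerate(argv[:-1]):
                val = argv[i + 1]
                # An empty passphrase or a build-time variable is not a hard-coded secret.
                if tok == "-N" and val and not val.startswith("$"):
                    findings.append((no, val))
    return findings
```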