safeImages list in docker:S6471 rule not honored

marcin.bebas · March 11, 2026, 1:16pm

Hello

We lately updatet SonarQube Server to v2026.1 (119033) and a problem occur that we hadn’t noticed before. For docker rule S6471 This image might run with “root” as the default user. Make sure it is safe here, we have defined safelist of images.

However, this list does not work correctly, even though the image is included in the list, a hot spot is reported for this rule.

According to the documentation, I added this image with no tag do list:

<our_docker_host>:<custom_port>/<somepath>/dotnet/aspnet/8.0

But hotspot for dockerfile still reported:

FROM <our_docker_host>:<custom_port>/<somepath>/dotnet/aspnet/8.0:1.1.11 AS runtime

This image might run with "root" as the default user. Make sure it is safe here.

maksim.grebeniuk · March 17, 2026, 1:32pm

Hello @marcin.bebas ,

Thanks for the reporting.

We have reproduced the issue and created a ticket to make a fix for the rule.

Thanks,
Maksim Grebeniuk

marcin.bebas · March 18, 2026, 6:49am

That’s good news, thank you

Topic		Replies	Views
7 new rules to clean your Dockerfiles Sonar Updates docker	1	1276	July 10, 2023
7 additional new rules to clean your Dockerfiles Sonar Updates docker	2	814	April 13, 2023
Dockerfile analysis is available on SonarQube and SonarCloud Sonar Updates docker	0	4831	February 7, 2023
Quality Gate Passed on PR having a security issue in Dockerfile SonarQube Cloud docker , quality-gate	3	341	November 6, 2023
docker:S6596 false positive "FROM scratch" SonarQube Server / Community Build docker	1	284	April 11, 2024

safeImages list in docker:S6471 rule not honored

Related topics