Missing checks for CKV_DOCKER_3 (User exists)

[adberger]

Describe the issue
https://github.com/bridgecrewio/checkov/blob/master/checkov/dockerfile/checks/UserExists.py doesn't cover all of https://docs.bridgecrew.io/docs/ensure-that-a-user-for-the-container-has-been-created

Bridgecrew Policy ID: BC_DKR_3
Checkov Check ID: CKV_DOCKER_3

ToDo: Additionally check if gosu is executed in either CMD or ENTRYPOINT

Examples

FROM alpine:3.14
ENTRYPOINT ["gosu", "app", "tini", "--", "/app/run.sh" ]

should be passing but isn't:

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /Dockerfile.
	File: /Dockerfile:1-50
	Guide: https://docs.bridgecrew.io/docs/ensure-that-a-user-for-the-container-has-been-created

Version (please complete the following information):

• Checkov Version 2.0.692

[nimrodkor]

Hey @adberger !

This is an interesting one. How would checkov know if the first keyword (i.e. gosu) is the name of the command or a user?

Perhaps this should fail:

FROM alpine:3.14
ENTRYPOINT ["gosu", "app", "tini", "--", "/app/run.sh" ]

But this should pass:

FROM alpine:3.14
USER gosu
ENTRYPOINT ["gosu", "app", "tini", "--", "/app/run.sh" ]

[adberger]

@nimrodkor I would rather check if gosu is in CMD or ENTRYPOINT, despite the location (first, middle, last etc.).

USER gosu would not be correct, because gosu is the command and app the user which gets created by gosu (AFAIK)

[nimrodkor]

@adberger Right. However, how would you know gosu is a user and not the app / executable / command?

[adberger]

@adberger Right. However, how would you know gosu is a user and not the app / executable / command?

You could parse it according to the gosu usage:
Usage: ./gosu user-spec command [args]

If gosu and then a user-spec is set, the test should be valid.

[nimrodkor]

I think I got it now. Want to fix the check and open a PR? We'd love the contribution @adberger !

[adberger]

@nimrodkor I prepared some changes in my forked repository, which is currently under review by my colleagues:
https://github.com/adberger/checkov

[stale]

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io
Thanks!

[tspearconquest]

My mistake, please close it.

[stale]

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io
Thanks!

[tspearconquest]

Not stale

[stale]

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io
Thanks!

[tspearconquest]

Not stale

[ArjunMenon-bit]

Not stale.
Issue fixed in #2294

[stale]

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com
Thanks!

[stale]

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: codifiedsecurity.slack.com Thanks!