[Specification] 4.9 Consistency with CIS specification #362
The CIS specification paragraph 4.9 discourages the use of ADD, and docker bench security checks it.
1. The CIS specification indicates this check is not scored, but the actual implementation scores it.
2. The use of ADD is discouraged for security purposes in the specification (and scored in docker bench security). However, the security aspect is not mentioned in the docker documentation.
3. Several base images use ADD, such as Debian or Alpine. Then all images based on them are scored. How can this be made consistent? Should we not check base image layers? Or should we insist on not using ADD, even at this level? Indeed, RHEL images do not use it for the time being.
Please let me know if I am missing something.
Hi @anthony-roger and I'm so sorry for the late reply.
Do you get a different result?
1. The failure doesn't decrease the score, but the success increases it.
2. Shouldn't the security aspect be mentioned in the docker documentation?
3. What should we think about the use of ADD by scratch images such as Debian or Alpine?
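The points above concern two things a practitioner ends up having to check by hand: which layers of an image were produced by ADD (CIS Docker Benchmark 4.9 prefers COPY because ADD auto-extracts local tar archives and can fetch remote URLs), and whether a flagged ADD actually comes from the image's own Dockerfile or from the base image's layers, as with Debian or Alpine. The script below is an added example, not code from this project, docker-bench-security or the CIS guide. It works on the `CreatedBy` strings that `docker history --no-trunc` prints (newest layer first) and on Dockerfile text; the history and Dockerfile samples are constructed for the example, the layer ids in them are made up, and the function names are my own.

```python
"""Find ADD usage in a Dockerfile and in an image's layer history, with the
option to ignore the layers inherited from the base image (CIS Docker 4.9).
Added example; assumptions are marked in comments."""
import re

# Constructed sample of `docker history --no-trunc --format '{{.CreatedBy}}'`
# output for an application image, newest layer first (not real output).
APP_HISTORY = """\
/bin/sh -c #(nop)  CMD ["python" "app.py"]
/bin/sh -c #(nop) COPY file:0123 in /app/app.py
/bin/sh -c #(nop) ADD file:4567 in /opt/vendor/
/bin/sh -c #(nop)  CMD ["bash"]
/bin/sh -c #(nop) ADD file:89ab in /
"""

# Same command run against the base image alone (think debian or alpine):
# its layers are the tail of APP_HISTORY, and the rootfs is imported with ADD.
BASE_HISTORY = """\
/bin/sh -c #(nop)  CMD ["bash"]
/bin/sh -c #(nop) ADD file:89ab in /
"""

# Constructed Dockerfile exercising a continuation line, a comment and
# lower-case spelling; the URL is a placeholder, nothing is fetched.
SAMPLE_DOCKERFILE = """\
FROM debian:buster
# the tarball below is auto-extracted by ADD; COPY would just copy it
ADD --chown=app:app \\
    vendor.tar.gz /opt/vendor/
COPY app.py /app/
add https://example.invalid/tool.sh /usr/local/bin/tool.sh
CMD ["python", "app.py"]
"""


def parse_history(text):
    """One entry per layer, in the order docker history prints them."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def instruction_of(created_by):
    """Recover the Dockerfile instruction behind a history entry.

    The classic builder records non-RUN instructions as
    '/bin/sh -c #(nop) INSTR ...'; BuildKit (assumption: entries such as
    'COPY a b # buildkit') starts the entry with the instruction itself.
    Anything else is treated as RUN.
    """
    m = re.search(r'#\(nop\)\s*([A-Z]+)', created_by)
    if m:
        return m.group(1)
    m = re.match(r'([A-Z]+)\s', created_by)
    return m.group(1) if m else 'RUN'


def find_add_layers(history, base_history=None):
    """Return (index, entry) pairs for layers created by ADD.

    When base_history is given and matches the tail of history, those
    inherited layers are skipped so only the image's own Dockerfile is
    judged; without it, the base image's ADD is reported as well.
    """
    own = list(history)
    if base_history:
        n = len(base_history)
        if n <= len(own) and own[-n:] == list(base_history):
            own = own[:-n]
    return [(i, e) for i, e in enumerate(own) if instruction_of(e) == 'ADD']


def dockerfile_add_lines(text):
    """Return (line_number, instruction) for every ADD in a Dockerfile.

    Backslash continuations are joined, comment and blank lines are ignored
    (they never terminate a continuation), and the instruction keyword is
    matched case-insensitively, as the builder does.
    """
    findings, buf, start = [], '', None
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith('#'):
            continue
        if start is None:
            start = lineno
        if stripped.endswith('\\'):
            buf += stripped[:-1] + ' '
            continue
        buf += stripped
        if buf.split(None, 1)[0].upper() == 'ADD':
            findings.append((start, ' '.join(buf.split())))
        buf, start = '', None
    return findings


if __name__ == '__main__':
    app, base = parse_history(APP_HISTORY), parse_history(BASE_HISTORY)
    print('ADD layers incl. base image:', find_add_layers(app))
    print('ADD layers, own layers only:', find_add_layers(app, base))
    print('ADD in Dockerfile:', dockerfile_add_lines(SAMPLE_DOCKERFILE))
```

Run against a real image, pipe `docker history --no-trunc --format '{{.CreatedBy}}' IMAGE` into `parse_history` for both the image and its `FROM` image; the difference between the two calls to `find_add_layers` is exactly the ambiguity raised in point 3, since a plain grep over the full history cannot tell the base image's rootfs import apart from an ADD in the image's own Dockerfile.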
added a commit on Mar 14, 2019
Thanks @anthony-roger, I see what you mean and I'll merge a fix.
From CIS guide:
Running something like