Linting of a Dockerfile which includes a FROM scratch statement triggers failure of AC_DOCKER_0041 which insists on specifying a tag other than "latest" even though the reserved Docker image scratch has no such tags.
Example Dockerfile for a lightweight Go-based image
FROM golang:1.21-alpine AS build
RUN apk update && apk add --no-cache \
git \
ca-certificates
COPY *.go go.* /src/
RUN mkdir -p /src/demo
WORKDIR /src/
RUN CGO_ENABLED=0 go build -o /bin/demo
# trunk-ignore(terrascan/AC_DOCKER_0041): need to ignore AC_DOCKER_0041 because of the following line
FROM scratch
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /bin/demo /bin/demo
ENTRYPOINT ["/bin/demo"]
That's likely because the policy is configured to look for a colon : and assume that the image that is used is latest when no colon was defined. Well, that's just lazy writing.
robmaw added a commit to robmaw/terrascan that referenced this issue on Nov 9, 2023
By default, in a Docker FROM statement, if no tag is specified, it is treated as the :latest tag.
This is flagged by rule AC_DOCKER_0041, but the current Rego implementation of the rule erroneously includes the case when the FROM references the special reserved 'image' - "scratch" - ref https://hub.docker.com/_/scratch
This PR ensures FROM scratch is not flagged.
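As an added illustration (not terrascan's Rego policy and not code from this issue or PR), the Go check below implements the behaviour the commit message describes: FROM images with no tag or digest are flagged, while scratch and references to earlier build stages are exempt. It also avoids the naive "look for a colon" test, which misreads a registry port as a tag. The function names and the sample Dockerfile are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// isPinned reports whether a reference carries a tag or digest. Testing for any
// colon is wrong: in "localhost:5000/app" the colon belongs to the registry port.
func isPinned(ref string) bool {
	last := ref[strings.LastIndex(ref, "/")+1:] // "localhost:5000/app" -> "app"
	return strings.Contains(ref, "@") || strings.Contains(last, ":") // digest or tag
}

// CheckLatestTag applies the intent of AC_DOCKER_0041: it returns, keyed by line
// number, each FROM image with no tag or digest, exempting the reserved "scratch"
// image and references to earlier build stages, neither of which has a tag to pin.
func CheckLatestTag(dockerfile string) map[int]string {
	findings, stages := map[int]string{}, map[string]bool{}
	for i, raw := range strings.Split(dockerfile, "\n") {
		fields := strings.Fields(raw)
		if len(fields) < 2 || !strings.EqualFold(fields[0], "FROM") {
			continue // blank lines, comments and other instructions
		}
		args := fields[1:]
		for len(args) > 0 && strings.HasPrefix(args[0], "--") {
			args = args[1:] // drop flags such as --platform=linux/amd64
		}
		if len(args) == 0 {
			continue
		}
		image := args[0]
		if len(args) >= 3 && strings.EqualFold(args[1], "AS") {
			stages[strings.ToLower(args[2])] = true // remember the stage name
		}
		if strings.EqualFold(image, "scratch") || stages[strings.ToLower(image)] || isPinned(image) {
			continue
		}
		findings[i+1] = image
	}
	return findings
}

func main() {
	// Constructed sample: the page's layout plus an untagged image and a registry port.
	sample := "FROM golang:1.21-alpine AS build\nFROM ubuntu\nFROM localhost:5000/app\nFROM build\nFROM scratch\n"
	for line, image := range CheckLatestTag(sample) {
		fmt.Printf("line %d: %s has no tag and resolves to :latest\n", line, image)
	}
}
```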