Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Scorecard:Docker-Deps]: Docker dependencies not pinned #5

Open
laurentsimon opened this issue May 28, 2021 · 0 comments
Open

[Scorecard:Docker-Deps]: Docker dependencies not pinned #5

laurentsimon opened this issue May 28, 2021 · 0 comments

Comments

@laurentsimon
Copy link
Owner

Hi team,

We (scorecard team) have become aware of a security vulnerability in your repo configuration.
This bug was reported by running the scorecard tool.
I've enclosed information for your review to help you correct this issue.

@laurentsimon @laurentsimon2 FYI

** ::: Vulnerability description :::**
scorecard reported that you are not pinning dockerfile dependencies by hash:

!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-alpine'
!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-alpine'
!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-blabla'

::: What is dependency pinning :::
Dependency pinning lets you control your dependencies by pinning them by hash. A hash is a cryptographic
construct that ensures an attacker cannot alter the content of the dependencies without being detected.

Pinning by version or any floating tag does not protect sufficiently. There have been recent cases of such vulnerabilities,
most infamously the codecov one.

Updates are still feasible. You can install dependabot to help you with this process. It will automatically
create a PR that you can review, accept or reject when new version of your dependencies become available.

It is recommended to accept dependabot PRs regularly to receive security patches.

Several projects have taken steps to address the same issue, e.g. envoy proxy.

::: Remediation guidance :::

TODO - we need a page for this

::: Support :::

Should you need any help, or have any questions, please let me know.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant