Wiz Security Bot (22793c4344) / Wiz IaC Scanner
completed
Sep 24, 2024 in 5s
Wiz IaC Scanner
Annotations
Check warning on line 39 in Dockerfile
wiz-security-bot-22793c4344 / Wiz IaC Scanner
Install command without pinned version
Rule ID: 2594c504-dcdd-4294-acdb-81eca2baeb9f
Severity: Medium
Resource: FROM={{$NODE_ALPINE_IMAGE}}.{{RUN npm install -g corepack && corepack enable && yarn set version berry && yarn --version && npm install -g serverless@$SERVERLESS_VERSION && serverless --version}}
Check if packages installed by npm and pnpm are pinning a specific version.
Raw output
Expected: 'RUN npm install -g corepack && corepack enable && yarn set version berry && yarn --version && npm install -g serverless@$SERVERLESS_VERSION && serverless --version' uses npm install with a pinned version
Found: 'RUN npm install -g corepack && corepack enable && yarn set version berry && yarn --version && npm install -g serverless@$SERVERLESS_VERSION && serverless --version' does not uses npm install with a pinned version
Check warning on line 11 in Dockerfile
wiz-security-bot-22793c4344 / Wiz IaC Scanner
Unpinned Package Version in Apk Add
Rule ID: a9814cfa-c0c7-4fd8-9bd7-bdc323973360
Severity: Medium
Resource: FROM={{$NODE_ALPINE_IMAGE}}.{{RUN apk --no-cache add python3 python3-dev py-pip poetry aws-cli ca-certificates groff less bash make cmake jq curl wget g++ zip git openssh && update-ca-certificates}}
Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
Raw output
Expected: RUN instruction with 'apk add <package>' should use package pinning form 'apk add <package>=<version>'
Found: RUN instruction apk --no-cache add python3 python3-dev py-pip poetry aws-cli ca-certificates groff less bash make cmake jq curl wget g++ zip git openssh && update-ca-certificates does not use package pinning form
Loading