Checkmarx/kics

Update "RUN Instruction Using 'cd' Instead of WORKDIR" query for Docker, allow cd when not at the beginning

malte-laukoetter opened this issue · 1 comments

Platform

Docker

Query

f4a6bcd3-e231-4acf-993c-aa027be50d2e

Description

In long RUN commands there are sometimes cds in the middle of the instruction to change a directory. It is not helpful to replace such a cd with a WORKDIR instruction, as this would create an additional layer. Therefore only cds that are at the beginning of a RUN instruction should be reported.

Example

The official docker image for fluentd uses such a construct in the Dockerfile for its debian image: https://github.com/fluent/fluentd-docker-image/blob/a9e4cee765c7aaf7876d6fe3282aa565dbcdc2a4/v1.14/debian/Dockerfile
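The rule proposed above, written out as detection logic in an added Python example (this is not the KICS query itself, which the project writes in Rego, and the Dockerfile below is constructed for the example): backslash continuations are joined into one instruction, the shell command of each RUN is split on `&&`, `||`, `|` and `;`, and only instructions whose very first command is `cd` are reported, together with the directory a WORKDIR could replace.

```python
import re

# Shell operators that separate one command from the next inside a RUN line.
SEPARATORS = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")


def dockerfile_instructions(text):
    """Return (line_no, KEYWORD, argument) tuples, joining backslash continuations."""
    lines = text.splitlines()
    out = []
    i = 0
    while i < len(lines):
        stripped = lines[i].strip()
        if not stripped or stripped.startswith("#"):
            i += 1
            continue
        line_no = i + 1
        pieces = []
        while True:
            piece = lines[i].rstrip()
            continued = piece.endswith("\\")
            pieces.append(piece[:-1].strip() if continued else piece.strip())
            i += 1
            if not continued or i >= len(lines):
                break
        joined = " ".join(p for p in pieces if p)
        m = re.match(r"(\S+)\s*(.*)", joined, re.S)
        if m:
            out.append((line_no, m.group(1).upper(), m.group(2)))
    return out


def leading_cd_target(argument):
    """Return the directory of a leading `cd`, or None when the RUN does not start with one."""
    arg = argument.strip()
    if arg.startswith("["):
        # Exec form runs no shell, so a `cd` there cannot affect later commands anyway.
        return None
    first = SEPARATORS.split(arg)[0].split()
    if len(first) >= 2 and first[0] == "cd":
        return first[1]
    return None


def find_leading_cd(text):
    """List (line_no, directory) for every RUN whose first command is `cd`."""
    return [
        (line_no, target)
        for line_no, keyword, argument in dockerfile_instructions(text)
        if keyword == "RUN" and (target := leading_cd_target(argument)) is not None
    ]


# Constructed sample Dockerfile: line 3 and line 11 should be reported, line 5 should not.
SAMPLE = """\
FROM debian:bullseye-slim
# cd at the very start of the instruction: a WORKDIR candidate
RUN cd /tmp && curl -fsSLO https://example.invalid/src.tar.gz
# cd in the middle of a long chain: replacing it with WORKDIR would add a layer
RUN apt-get update \\
    && apt-get install -y --no-install-recommends build-essential \\
    && cd /tmp && tar xzf src.tar.gz \\
    && cd src && make && make install \\
    && rm -rf /tmp/src
WORKDIR /app
RUN cd bin; ./setup.sh
RUN ["cd", "/app"]
"""

if __name__ == "__main__":
    for line_no, target in find_leading_cd(SAMPLE):
        print(f"line {line_no}: RUN starts with 'cd {target}'; consider WORKDIR {target}")
```

Two things to keep in mind when reading the output: a RUN that opens with `set -eux && cd /src && ...` is not reported, because `cd` is then the second command rather than the first, which is exactly the compromise the issue asks for; and exec-form RUN instructions are skipped, since without a shell a `cd` element changes nothing for the commands that follow.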

Hello @Lergin, thank you very much for raising this issue! This query is a tough one.
We would have 2 options:
1 - A way to go around this would be using the full path instead of cd + relative path, and I would update the query description.
2 - Compromising like you suggested, only looking for cd at the start of the command, which can be a good compromise to ensure image optimization and readability.

After looking around in dockerfiles, it seems most use full paths, so we are inclined to go with the first option.

This PR aims to fix this and other issues you have very attentively raised! Thank you once again!