Checkmarx/kics

Update "Changing Default Shell Using SHELL Command" query for Docker, query and reasoning are in conflict

malte-laukoetter opened this issue · 1 comment

Platform

Docker

Query

8a301064-c291-4b20-adcb-403fe7fd95fd

Description

The query currently checks that the SHELL instruction is not used at all in a Dockerfile. Instead, it suggests changing the shell within every RUN instruction. This conflicts with the Dockerfile reference that is mentioned as the reasoning. Here it is instead suggested that the shell is changed using the SHELL instruction (https://docs.docker.com/engine/reference/builder/#shell) and not in the RUN instructions. When using a command to change the shell (e.g. RUN powershell -command) this leads to inefficiencies. The JSON syntax for the RUN instruction could be used to stop this. But the Dockerfile reference instead proposes to use the SHELL instruction as then the RUN instructions are simpler to read. I was not able to find any reasoning for why the SHELL instruction should be avoided.

I would therefore suggest either removing this query, changing it to check that the shell is not changed using the RUN instruction or updating the reasoning if there is one.

Hello Lergin, thank you once again for being so attentive! I have refactored the query in question in this PR, thank you for your time!