tenable/terrascan

False positive on "Ensure Pinned Pip Package Version" [AC_DOCKER_0010]

zadigus opened this issue · 0 comments

  • terrascan version: 1.18.1
  • Operating System: linux

Description

I am scanning a folder with a Dockerfile

# Dockerfile
FROM python:3.8-slim-buster

WORKDIR /app

COPY requirements.txt requirements.txt
RUN pip3 install --no-cache-dir -r requirements.txt

COPY ./main.py ./main.py

CMD [ "python3", "-m" , "flask", "run", "--host=0.0.0.0", "--port=5000"]

that installs Python packages from a requirements.txt file:

# requirements.txt
flask==2.1.1

I want to scan the vulnerabilities of this configuration.

What I Did

When I run

terrascan scan

then I get the following error:

Description: Ensure Pinned Pip Package Version, File: terraform/tests/features/resources/apim/Dockerfile, Line: 8, Severity: MEDIUM, Rule Name: pipUnpinnedVersion, Rule ID: AC_DOCKER_0010, Resource Name: Dockerfile, Resource Type: docker_run, Category: Infrastructure Security

However, as you can see, the requirements.txt has all the Python package versions pinned. I expect to get no error.
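The rule fires on the `RUN pip3 install --no-cache-dir -r requirements.txt` line because the scanner only inspects the Dockerfile instruction and does not open the file it references. The check below is an added example, not terrascan's code, showing what a cross-file version of this rule has to do: parse the `pip install` invocations out of the Dockerfile's RUN instructions, follow `-r`/`--requirement` into the build context, and report every requirement that is not pinned with `==`. The Dockerfile and the pinned requirements.txt are the ones from this issue; the loose requirements file and the dict standing in for the build directory are constructed for the example.

```python
"""Cross-file pip pin check for Dockerfiles (added example, not terrascan code)."""
import json
import re
import shlex

# name, optional [extras], then whatever version specifier follows
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
# an exact pin: == or === followed by a concrete version (a trailing * is not exact)
_PIN_RE = re.compile(r"^===?\s*[A-Za-z0-9._+!-]+$")
# pip install options that consume the following token (so it is not a package)
_OPTS_WITH_VALUE = {"-c", "--constraint", "-i", "--index-url",
                    "--extra-index-url", "-t", "--target", "-f", "--find-links"}


def unpinned_requirements(specs):
    """Return the names in requirement-style lines that are not pinned with ==."""
    unpinned = []
    for raw in specs:
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("-"):         # blank line or a pip option line
            continue
        if "://" in line or line.startswith((".", "/")):
            unpinned.append(line)                    # URL or local path, not name==version
            continue
        name, _extras, spec = _REQ_RE.match(line).groups()
        spec = spec.split(";", 1)[0].strip()         # strip environment marker
        if not any(_PIN_RE.match(c.strip()) for c in spec.split(",")):
            unpinned.append(name)
    return unpinned


def _install_index(toks):
    """Index of 'install' when the tokens invoke pip (pip, pip3, python -m pip)."""
    for i, t in enumerate(toks):
        if t != "install":
            continue
        prev = toks[:i]
        if prev and re.fullmatch(r"(.*/)?pip3?(\.\d+)?", prev[-1]):
            return i
        if len(prev) >= 3 and prev[-2:] == ["-m", "pip"]:
            return i
    return None


def pip_installs(dockerfile_text):
    """Yield (packages, requirement_files) for every pip install in a RUN instruction."""
    text = re.sub(r"\\\r?\n", " ", dockerfile_text)  # join backslash continuations
    for line in text.splitlines():
        line = line.strip()
        if not line.upper().startswith("RUN "):
            continue
        body = line[4:].strip()
        if body.startswith("["):                     # exec form: RUN ["pip", "install", ...]
            segments = [json.loads(body)]
        else:                                        # shell form: split chained commands
            segments = [shlex.split(s) for s in re.split(r"&&|\|\||;", body)]
        for toks in segments:
            idx = _install_index(toks)
            if idx is None:
                continue
            pkgs, files = [], []
            args = toks[idx + 1:]
            i = 0
            while i < len(args):
                a = args[i]
                if a in ("-r", "--requirement") and i + 1 < len(args):
                    files.append(args[i + 1]); i += 2; continue
                if a.startswith("--requirement="):
                    files.append(a.split("=", 1)[1])
                elif a in _OPTS_WITH_VALUE:
                    i += 1                           # skip the option's value
                elif not a.startswith("-"):
                    pkgs.append(a)
                i += 1
            yield pkgs, files


def unpinned_in_build(dockerfile_text, context):
    """context maps build-context paths to file text (constructed stand-in for disk)."""
    findings = []
    for pkgs, files in pip_installs(dockerfile_text):
        findings += unpinned_requirements(pkgs)
        for f in files:
            if f not in context:
                findings.append(f"{f}: not found in build context")
            else:
                findings += unpinned_requirements(context[f].splitlines())
    return findings


# Sample input: the Dockerfile and requirements.txt from this issue.
DOCKERFILE = """\
FROM python:3.8-slim-buster
WORKDIR /app
COPY requirements.txt requirements.txt
RUN pip3 install --no-cache-dir -r requirements.txt
COPY ./main.py ./main.py
CMD ["python3", "-m", "flask", "run", "--host=0.0.0.0", "--port=5000"]
"""
PINNED = "flask==2.1.1\n"           # the issue's requirements.txt: no finding expected
LOOSE = "flask\nrequests>=2.28\n"   # constructed counterexample: both should be flagged

if __name__ == "__main__":
    print(unpinned_in_build(DOCKERFILE, {"requirements.txt": PINNED}))
    print(unpinned_in_build(DOCKERFILE, {"requirements.txt": LOOSE}))
```

The check deliberately treats `==2.1.*` and `>=2.28` as unpinned and a missing requirements file as a finding, which is the behaviour a rule that resolves `-r` would need so that a pinned file clears the RUN line while a loose one still fails.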