AC_DOCKER_0041 false positive for "FROM scratch" in Dockerfile

Question

AC_DOCKER_0041 false positive for "FROM scratch" in Dockerfile

jspiers opened this issue a year ago · 2 comments

terrascan version: 1.18.3
Operating System: Ubuntu 22.04

Description

Linting of a Dockerfile which includes a FROM scratch statement triggers failure of AC_DOCKER_0041 which insists on specifying a tag other than "latest" even though the reserved Docker image scratch has no such tags.

Example Dockerfile for a lightweight Go-based image

FROM golang:1.21-alpine AS build
RUN apk update && apk add --no-cache \
        git \
        ca-certificates
COPY *.go go.* /src/
RUN mkdir -p /src/demo
WORKDIR /src/
RUN CGO_ENABLED=0 go build -o /bin/demo

# trunk-ignore(terrascan/AC_DOCKER_0041): need to ignore AC_DOCKER_0041 because of the following line
FROM scratch
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /bin/demo /bin/demo
ENTRYPOINT ["/bin/demo"]

Answer 1 · 2023-10-13T10:50:52.000Z

That's likely because the policy is configured to look for a colon : and assume that the image that is used is latest when no colon was defined. Well, that's just lazy writing.

Answer 2 · 2023-11-16T01:02:40.000Z

We encountered the same error when calling FROM for references to aliased images and suppressed the rule altogether.

FROM image:version AS base
...
FROM base AS publish # Errors here.