CIS-DI-0009 #1455
Conversation
Hmm ... I see the problem (
7323f3e to 0018c16
This can be simplified by using the --checksum parameter of the ADD command.
Okay ... this seems "pretty" new ... :) Didn't recognise it yet. Changed the PR.
Seems like  What's your suggestion? Doesn't look like a simple "ignore" is solving this.
Seems to be that problem: hadolint/hadolint#985
I moved the  I can add it to
e3354b5 to 2ba9014
The latest CI run revealed that
@tobiasge I added an inline hadolint ignore, so this check is not disabled globally.
db9067c to b26fa2d
If you look at the documentation of
72567fc to 7bc4d78
When using the workaround that keeps hadolint from complaining, the  So I don't know how to deal with that without doing the checksum check at build time at the moment.
Add hadolint inline ignore to prevent ignoring it globally
Unfortunately hadolint doesn't have a new release yet, so super-linter 8 also has no fixed hadolint.
Hadolint has got a new release. Hopefully super-linter will catch it soon.
@tobiasge hadolint has been updated by super-linter. Maybe let's try the pipeline again?
Related Issue:
New Behavior
Download nginx-keyring.gpg and verify its checksum at build time instead of using ADD.
Contrast to Current Behavior
Fixing https://github.com/goodwithtech/dockle/blob/master/CHECKPOINT.md#cis-di-0009 which was introduced with 1c8cdfa.
Discussion: Benefits and Drawbacks
The ADD instruction introduces risks such as adding malicious files from URLs without scanning, as well as vulnerabilities in the unpacking procedure.
Changes to the Wiki
Not needed.
Proposed Release Note Entry
Not needed really.
Double Check
develop branch.
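As an added example (not netbox-docker's own Dockerfile), the three forms discussed in this PR side by side: the unverified `ADD` from a URL that CIS-DI-0009 flags, the `RUN`-based download that fails the build when the digest does not match, and the `ADD --checksum` form suggested in review. The download URL, the sha256 digest and the destination path are placeholders, not values from the page.

```dockerfile
# Added example, not the project's Dockerfile. URL, digest and target path are placeholders.

# Before (what CIS-DI-0009 reports): the remote file lands in the image and
# nothing checks that the bytes fetched are the ones the author expected.
FROM debian:bookworm-slim AS before
ADD https://example.invalid/nginx-keyring.gpg /etc/apt/keyrings/nginx-keyring.gpg

# Variant 1: fetch in a RUN step and verify the digest at build time.
# `sha256sum -c` exits non-zero on mismatch, and `set -e` turns that into a failed build,
# so a swapped or truncated download never reaches the final image.
FROM debian:bookworm-slim AS verified-with-run
ARG NGINX_KEYRING_URL="https://example.invalid/nginx-keyring.gpg"   # placeholder
ARG NGINX_KEYRING_SHA256="0000000000000000000000000000000000000000000000000000000000000000"  # placeholder
RUN set -eu; \
    apt-get update; \
    apt-get install -y --no-install-recommends ca-certificates curl; \
    rm -rf /var/lib/apt/lists/*; \
    curl -fsSL "$NGINX_KEYRING_URL" -o /tmp/nginx-keyring.gpg; \
    echo "$NGINX_KEYRING_SHA256  /tmp/nginx-keyring.gpg" | sha256sum -c -; \
    install -D -m 0644 /tmp/nginx-keyring.gpg /etc/apt/keyrings/nginx-keyring.gpg; \
    rm -f /tmp/nginx-keyring.gpg

# Variant 2: let BuildKit verify the download itself via ADD --checksum.
# The build fails before the layer is committed if the digest differs.
FROM debian:bookworm-slim AS verified-with-add
ADD --checksum=sha256:0000000000000000000000000000000000000000000000000000000000000000 \
    https://example.invalid/nginx-keyring.gpg /etc/apt/keyrings/nginx-keyring.gpg
```

Pin the digest in the Dockerfile (or a build argument with a fixed default) rather than fetching it from the same server as the file, otherwise an attacker who can alter the download can alter the checksum too.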