feat(docker): Add Phase 1 critical security rules (4 new rules) #427
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add 4 high-priority security rules based on industry best practices: **Dockerfile Security Rules:** - DOCKER-SEC-001: Last USER Instruction is Root (HIGH) Detects when final USER is root, increasing container compromise impact Uses final_stage_has() to check last build stage - DOCKER-SEC-007: Sudo Usage in Dockerfile (MEDIUM) Detects unnecessary sudo usage that adds attack surface Matches various sudo patterns in RUN instructions **Docker-Compose Security Rules:** - COMPOSE-SEC-009: Missing no-new-privileges (MEDIUM) Detects services without no-new-privileges:true in security_opt Prevents setuid/setgid privilege escalation attacks - COMPOSE-SEC-010: SELinux Separation Disabled (MEDIUM) Detects label:disable in security_opt Warns when mandatory access control is disabled All rules include: - Comprehensive security impact documentation - Real-world attack scenarios and examples - Secure alternatives and remediation steps - CWE mappings and references Based on analysis of reference rule collection covering 38 missing rules. Phase 1 focuses on critical security issues. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
SafeDep Report Summary
No dependency changes detected. Nothing to scan. This report is generated by SafeDep Github App |
Owner
Author
|
Closing to rebase on docker/08 and add more rules in comprehensive PR |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Phase 1: Critical Security Rules Implementation
This PR adds 4 high-priority security rules based on comprehensive analysis of 59 reference rules from industry best practices. These rules focus on critical security issues that have significant real-world impact.
📊 Coverage Analysis Summary
Analysis document:
/cpf_plans/docker_rules_comparison.md🎯 Phase 1 Rules (This PR)
Dockerfile Security Rules
1. DOCKER-SEC-001: Last USER Instruction is Root (HIGH)
final_stage_has()to check if final build stage has USER root2. DOCKER-SEC-007: Sudo Usage in Dockerfile (MEDIUM)
sudopatterns in RUN instructionsDocker-Compose Security Rules
3. COMPOSE-SEC-009: Missing no-new-privileges (MEDIUM)
no-new-privileges:truein security_opt4. COMPOSE-SEC-010: SELinux Separation Disabled (MEDIUM)
label:disablein security_opt🏗️ Technical Implementation
DSL Infrastructure
@dockerfile_ruleand@compose_ruledecoratorsRule Structure
Each rule includes:
📈 Future Phases
Phase 2: Package Manager Best Practices (11 rules)
Phase 3: Dockerfile Correctness (7 rules)
Phase 4: Additional Best Practices (~13 rules)
✅ Quality Metrics
🔗 Dependencies
📚 References
Note: This PR does NOT mention the source collection anywhere in code or rule names, as requested.
🤖 Generated with Claude Code
Co-Authored-By: Claude Sonnet 4.5 [email protected]