Using Unnamed Build Stages
- Query id: 68a51e22-ae5a-4d48-8e87-b01a323605c9
- Query name: Using Unnamed Build Stages
- Platform: Dockerfile
- Severity: Low
- Category: Build Process
- CWE: 710
- URL: Github
Description¶
This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn't break.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - dockerfile file
FROM golang:1.16
WORKDIR /go/src/github.com/foo/href-counter/
RUN go get -d -v golang.org/x/net/html
COPY app.go ./
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
FROM alpine:latest
RUN apk --no-cache add ca-certificates
WORKDIR /root/
COPY --from=0 /go/src/github.com/foo/href-counter/app ./
CMD ["./app"]
Code samples without security vulnerabilities¶
Negative test num. 1 - dockerfile file
FROM golang:1.7.3 AS builder
WORKDIR /go/src/github.com/foo/href-counter/
RUN go get -d -v golang.org/x/net/html
COPY app.go .
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
# another dockerfile
FROM alpine:latest
RUN apk --no-cache add ca-certificates
WORKDIR /root/
COPY --from=builder /go/src/github.com/foo/href-counter/app .
CMD ["./app"]