
add docker release to release pipeline

Wiz Inc. (266a8a9c32) / Wiz IaC Scanner completed Apr 5, 2024 in 6s

Wiz IaC Scanner

Greetings, Guardian of Garbage Collection! 🗑️

Wiz's lantern's glow brought hidden secrets into the light within this PR. 🔮🔦

Revealing IaC misconfigurations with Wiz 🪄

🔮 IaC Misconfigurations Detected: 11

0 Critical, 1 High, 9 Medium, 1 Low, 0 Informational

― Note from Wiz: "Your code is a symphony of enchantment - keep composing! 🎵🪄"

Annotations

Check failure on line 32 in docker/Dockerfile

See this annotation in the file changed.

@wiz-inc-266a8a9c32 wiz-inc-266a8a9c32 / Wiz IaC Scanner

Missing User Instruction

Rule ID: e54afcf9-dc71-484a-8967-d930e3044062
Severity: High
Resource: FROM={{base as dbt-postgres}}

A user should be specified in the dockerfile, otherwise the image will run as root
Raw output
Expected: The 'Dockerfile' should contain the 'USER' instruction
Found: The 'Dockerfile' does not contain any 'USER' instruction

Check warning on line 8 in docker/Dockerfile

Apt Get Install Pin Version Not Defined

Rule ID: 8dabde7b-ee7e-440a-8b59-73636b0cfda5
Severity: Medium
Resource: FROM={{--platform=$build_for python:3.10.7-slim-bullseye as base}}.RUN={{apt-get update   && apt-get dist-upgrade -y   && apt-get install -y --no-install-recommends     git     ssh-client     software-properties-common     make     build-essential     ca-certificates     libpq-dev   && apt-get clean   && rm -rf     /var/lib/apt/lists/*     /tmp/*     /var/tmp/*}}

When installing a package, its pin version should be defined
Raw output
Expected: Package 'make' has version defined
Found: Package 'make' does not have version defined

Check warning on line 8 in docker/Dockerfile

Apt Get Install Pin Version Not Defined

Rule ID: 8dabde7b-ee7e-440a-8b59-73636b0cfda5
Severity: Medium
Resource: FROM={{--platform=$build_for python:3.10.7-slim-bullseye as base}}.RUN={{apt-get update   && apt-get dist-upgrade -y   && apt-get install -y --no-install-recommends     git     ssh-client     software-properties-common     make     build-essential     ca-certificates     libpq-dev   && apt-get clean   && rm -rf     /var/lib/apt/lists/*     /tmp/*     /var/tmp/*}}

When installing a package, its pin version should be defined
Raw output
Expected: Package 'ssh-client' has version defined
Found: Package 'ssh-client' does not have version defined

Check warning on line 8 in docker/Dockerfile

Apt Get Install Pin Version Not Defined

Rule ID: 8dabde7b-ee7e-440a-8b59-73636b0cfda5
Severity: Medium
Resource: FROM={{--platform=$build_for python:3.10.7-slim-bullseye as base}}.RUN={{apt-get update   && apt-get dist-upgrade -y   && apt-get install -y --no-install-recommends     git     ssh-client     software-properties-common     make     build-essential     ca-certificates     libpq-dev   && apt-get clean   && rm -rf     /var/lib/apt/lists/*     /tmp/*     /var/tmp/*}}

When installing a package, its pin version should be defined
Raw output
Expected: Package 'build-essential' has version defined
Found: Package 'build-essential' does not have version defined

Check warning on line 8 in docker/Dockerfile

Apt Get Install Pin Version Not Defined

Rule ID: 8dabde7b-ee7e-440a-8b59-73636b0cfda5
Severity: Medium
Resource: FROM={{--platform=$build_for python:3.10.7-slim-bullseye as base}}.RUN={{apt-get update   && apt-get dist-upgrade -y   && apt-get install -y --no-install-recommends     git     ssh-client     software-properties-common     make     build-essential     ca-certificates     libpq-dev   && apt-get clean   && rm -rf     /var/lib/apt/lists/*     /tmp/*     /var/tmp/*}}

When installing a package, its pin version should be defined
Raw output
Expected: Package 'software-properties-common' has version defined
Found: Package 'software-properties-common' does not have version defined

Check warning on line 8 in docker/Dockerfile

Apt Get Install Pin Version Not Defined

Rule ID: 8dabde7b-ee7e-440a-8b59-73636b0cfda5
Severity: Medium
Resource: FROM={{--platform=$build_for python:3.10.7-slim-bullseye as base}}.RUN={{apt-get update   && apt-get dist-upgrade -y   && apt-get install -y --no-install-recommends     git     ssh-client     software-properties-common     make     build-essential     ca-certificates     libpq-dev   && apt-get clean   && rm -rf     /var/lib/apt/lists/*     /tmp/*     /var/tmp/*}}

When installing a package, its pin version should be defined
Raw output
Expected: Package 'ca-certificates' has version defined
Found: Package 'ca-certificates' does not have version defined

Check warning on line 8 in docker/Dockerfile

Apt Get Install Pin Version Not Defined

Rule ID: 8dabde7b-ee7e-440a-8b59-73636b0cfda5
Severity: Medium
Resource: FROM={{--platform=$build_for python:3.10.7-slim-bullseye as base}}.RUN={{apt-get update   && apt-get dist-upgrade -y   && apt-get install -y --no-install-recommends     git     ssh-client     software-properties-common     make     build-essential     ca-certificates     libpq-dev   && apt-get clean   && rm -rf     /var/lib/apt/lists/*     /tmp/*     /var/tmp/*}}

When installing a package, its pin version should be defined
Raw output
Expected: Package 'git' has version defined
Found: Package 'git' does not have version defined

Check warning on line 8 in docker/Dockerfile

Apt Get Install Pin Version Not Defined

Rule ID: 8dabde7b-ee7e-440a-8b59-73636b0cfda5
Severity: Medium
Resource: FROM={{--platform=$build_for python:3.10.7-slim-bullseye as base}}.RUN={{apt-get update   && apt-get dist-upgrade -y   && apt-get install -y --no-install-recommends     git     ssh-client     software-properties-common     make     build-essential     ca-certificates     libpq-dev   && apt-get clean   && rm -rf     /var/lib/apt/lists/*     /tmp/*     /var/tmp/*}}

When installing a package, its pin version should be defined
Raw output
Expected: Package 'libpq-dev' has version defined
Found: Package 'libpq-dev' does not have version defined

Check warning on line 33 in docker/Dockerfile

Unpinned Package Version in Pip Install

Rule ID: 1f0d05d7-8caf-4f04-bc60-332d472de5a9
Severity: Medium
Resource: FROM={{base as dbt-postgres}}.{{RUN python -m pip install --no-cache-dir "dbt-postgres @ git+https://github.com/dbt-labs/${dbt_postgres_ref}"}}

Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
Raw output
Expected: RUN instruction with 'pip/pip3 install <package>' should use package pinning form 'pip/pip3 install <package>=<version>'
Found: RUN instruction python -m pip install --no-cache-dir "dbt-postgres @ git+https://github.com/dbt-labs/[email protected]" does not use package pinning form

Check warning on line 3 in docker/Dockerfile

Using Platform Flag with FROM Command

Rule ID: c5e5995a-7d8e-4fbb-8dce-880a79438927
Severity: Medium
Resource: FROM={{--platform=$build_for python:3.10.7-slim-bullseye as base}}.{{FROM --platform=$build_for python:3.10.7-slim-bullseye as base}}

Don't use '--platform' flag with FROM
Raw output
Expected: FROM={{--platform=$build_for python:3.10.7-slim-bullseye as base}}.{{FROM --platform=$build_for python:3.10.7-slim-bullseye as base}} shouldn't use the flag '--platform'
Found: FROM={{--platform=$build_for python:3.10.7-slim-bullseye as base}}.{{FROM --platform=$build_for python:3.10.7-slim-bullseye as base}} uses the flag '--platform'

Check notice on line 32 in docker/Dockerfile

Healthcheck Instruction Missing

Rule ID: db295f99-0fff-4e7b-9906-ec2a057f384b
Severity: Low
Resource: FROM={{base as dbt-postgres}}

Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working
Raw output
Expected: Dockerfile should contain instruction 'HEALTHCHECK'
Found: Dockerfile doesn't contain instruction 'HEALTHCHECK'
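A local re-implementation of the five rules above, added here as an example (it is not Wiz's rule engine and not code from the dbt-postgres repository): it parses a Dockerfile reconstructed from the Resource fields in the annotations, reproduces the report's 1 High / 9 Medium / 1 Low tally, and returns no findings for a hardened rewrite. The hardened file's apt version strings, git commit SHA and `dbt` account are placeholders, not values taken from the project. Two points the annotations leave implicit: pip's pin operator is `==` (a bare `=` is not a valid pip requirement operator, whatever the rule's Expected text shows), and a `git+` requirement is only immutable when it ends in a full commit SHA, since a tag or branch can move; the checker accepts either form and is therefore slightly stricter than the rule as worded. `FROM --platform=$BUILDPLATFORM` is also Docker's documented pattern for cross-platform builds, so the platform finding deserves review rather than a blind fix; the hardened file drops the flag and leaves target selection to `docker buildx build --platform`.

```python
"""Re-implementation of the five Dockerfile rules in the Wiz report above. Added example:
not Wiz's rule engine and not code from the dbt-postgres repository."""
import re
import shlex
# Reconstructed from the scan's Resource fields; the project's real Dockerfile is not on the page.
FLAGGED_DOCKERFILE = """\
FROM --platform=$build_for python:3.10.7-slim-bullseye as base
RUN apt-get update && apt-get dist-upgrade -y && apt-get install -y --no-install-recommends \\
    git ssh-client software-properties-common make build-essential ca-certificates libpq-dev \\
  && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
FROM base as dbt-postgres
RUN python -m pip install --no-cache-dir "dbt-postgres @ git+https://github.com/dbt-labs/${dbt_postgres_ref}"
"""
# Hardened rewrite. Apt versions, the commit SHA and the 'dbt' account are illustrative
# placeholders; take real pins from `apt-cache policy <pkg>` run inside the base image.
HARDENED_DOCKERFILE = """\
FROM python:3.10.7-slim-bullseye as base
RUN apt-get update && apt-get install -y --no-install-recommends \\
    git=1:2.30.2-1 ssh-client=1:8.4p1-5 software-properties-common=0.96.20.2-2 make=4.3-4.1 \\
    build-essential=12.9 ca-certificates=20210119 libpq-dev=13.11-0 \\
  && rm -rf /var/lib/apt/lists/*
FROM base as dbt-postgres
RUN python -m pip install --no-cache-dir \\
    "dbt-postgres @ git+https://github.com/dbt-labs/dbt-postgres@0123456789abcdef0123456789abcdef01234567"
RUN useradd --system --no-create-home --shell /usr/sbin/nologin dbt
USER dbt
HEALTHCHECK --interval=60s --timeout=10s CMD ["dbt", "--version"]
"""
PIP_OPTS_WITH_VALUE = {"-r", "--requirement", "-c", "--constraint", "-i", "--index-url", "-f", "--find-links"}

def instructions(dockerfile):
    """Yield (INSTRUCTION, argument) pairs, joining backslash continuations and skipping comments."""
    buf = ""
    for raw in dockerfile.splitlines():
        line = raw.rstrip()
        if not buf and (not line.strip() or line.lstrip().startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        inst, _, arg = (buf + line).strip().partition(" ")
        buf = ""
        yield inst.upper(), arg.strip()

def shell_commands(run_arg):
    """Split a shell-form RUN argument into commands on '&&', '||' and '|'."""
    if run_arg.startswith("["):  # exec form is a single argv with nothing to chain
        return []
    cmds = [[]]
    for tok in shlex.split(run_arg):
        if tok in ("&&", "||", "|"):
            cmds.append([])
        else:
            cmds[-1].append(tok)
    return [c for c in cmds if c]

def unpinned_apt(cmd):
    """Package names in an 'apt-get install' command that carry no '=version' pin."""
    if "apt-get" not in cmd or "install" not in cmd:
        return []
    return [p for p in cmd[cmd.index("install") + 1:] if not p.startswith("-") and "=" not in p]

def unpinned_pip(cmd):
    """Requirements in 'pip install' that are neither '==' pinned nor a git reference to a full commit SHA."""
    if ("pip" not in cmd and "pip3" not in cmd) or "install" not in cmd:
        return []
    reqs, skip = [], False
    for a in cmd[cmd.index("install") + 1:]:
        if skip:
            skip = False  # this token was the value of the preceding option
        elif a in PIP_OPTS_WITH_VALUE:
            skip = True
        elif not a.startswith("-"):
            reqs.append(a)
    return [r for r in reqs if "==" not in r.partition(" @ ")[0]
            and not re.search(r"@[0-9a-f]{40}$", r.partition(" @ ")[2])]

def scan(dockerfile):
    """Return (severity, rule, detail) findings, named as in the report above."""
    insts = list(instructions(dockerfile))
    present = {inst for inst, _ in insts}
    findings = []
    if "USER" not in present:  # a USER set in a parent stage is inherited by FROM <stage>
        findings.append(("High", "Missing User Instruction", "container runs as root"))
    for inst, arg in insts:
        if inst == "FROM" and "--platform" in arg:
            findings.append(("Medium", "Using Platform Flag with FROM Command", arg))
        elif inst == "RUN":
            for cmd in shell_commands(arg):
                findings += [("Medium", "Apt Get Install Pin Version Not Defined", p) for p in unpinned_apt(cmd)]
                findings += [("Medium", "Unpinned Package Version in Pip Install", r) for r in unpinned_pip(cmd)]
    if "HEALTHCHECK" not in present:
        findings.append(("Low", "Healthcheck Instruction Missing", "no HEALTHCHECK instruction"))
    return findings

if __name__ == "__main__":
    for name, text in (("flagged", FLAGGED_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(name, *(f"[{sev}] {rule}: {detail}" for sev, rule, detail in scan(text)), sep="\n  ")
```

Run the file directly to print the findings for both Dockerfiles, or pass the contents of the real docker/Dockerfile to `scan()` once the PR branch is checked out; the same parser can be wired into a pre-commit hook so these rules are caught before the Wiz check runs.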