[CI] Add zimor to check github action security (#8639) #8229
SchrodingersGatAnnotations
7 warnings
|
Filter
ubuntu-latest pipelines will use ubuntu-24.04 soon. For more details, see https://github.com/actions/runner-images/issues/10636
|
|
build
ubuntu-latest pipelines will use ubuntu-24.04 soon. For more details, see https://github.com/actions/runner-images/issues/10636
|
|
JSON arguments recommended for ENTRYPOINT/CMD to prevent unintended behavior related to OS signals:
contrib/container/Dockerfile#L142
JSONArgsRecommended: JSON arguments recommended for CMD to prevent unintended behavior related to OS signals
More info: https://docs.docker.com/go/dockerfile/rule/json-args-recommended/
|
|
Legacy key/value format with whitespace separator should not be used:
contrib/container/Dockerfile#L23
LegacyKeyValueFormat: "ENV key=value" should be used instead of legacy "ENV key value" format
More info: https://docs.docker.com/go/dockerfile/rule/legacy-key-value-format/
|
|
Legacy key/value format with whitespace separator should not be used:
contrib/container/Dockerfile#L24
LegacyKeyValueFormat: "ENV key=value" should be used instead of legacy "ENV key value" format
More info: https://docs.docker.com/go/dockerfile/rule/legacy-key-value-format/
|
|
Sensitive data should not be used in the ARG or ENV commands:
contrib/container/Dockerfile#L41
SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "INVENTREE_SECRET_KEY_FILE")
More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
|
|
Variables should be defined before their use:
contrib/container/Dockerfile#L52
UndefinedVar: Usage of undefined variable '$DATE' (did you mean $PATH?)
More info: https://docs.docker.com/go/dockerfile/rule/undefined-var/
|
Artifacts
Produced during runtime
| Name | Size | |
|---|---|---|
|
inventree~InvenTree~70K1GR.dockerbuild
|
209 KB |
|