From b26cff5c7beb0de47ca2b3fdda4f71f6a56a0b0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Claudio=20Andr=C3=A9?=
Date: Mon, 18 Nov 2024 15:08:29 -0300
Subject: [PATCH] security(cloud): apply a Trivy suggestion (#627)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

From docs:
- You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.

Signed-off-by: Claudio André
---
cloud-tool/Dockerfile | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/cloud-tool/Dockerfile b/cloud-tool/Dockerfile
index 332d54f5..fcdf4991 100644
--- a/cloud-tool/Dockerfile
+++ b/cloud-tool/Dockerfile
@@ -26,15 +26,15 @@ LABEL description="Automation for John the Ripper (1.0.Cloud Tools)"
 ENV HC_DOWNLOAD_SHA256="cafb01beac341bf2a9ba89793e6dd2468110291adfbb6c62ed11a0cde6c09029"
-ADD https://apt.releases.hashicorp.com/gpg gpg.key
+COPY https://apt.releases.hashicorp.com/gpg /gpg.key
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN apt-get update -qq \
 && export DEBIAN_FRONTEND="noninteractive" \
 && apt-get install -y --no-install-recommends \
 ca-certificates=* git=* gnupg=* nano=* software-properties-common=* \
- && echo "$HC_DOWNLOAD_SHA256 gpg.key" | sha256sum -c - \
- && gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg < gpg.key \
+ && echo "$HC_DOWNLOAD_SHA256 /gpg.key" | sha256sum -c - \
+ && gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg < /gpg.key \
 && echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | \
 tee /etc/apt/sources.list.d/hashicorp.list \
 && apt-add-repository --yes --update ppa:ansible/ansible \