Risk grade: D (59 / 100)

Findings: 16 (0 critical, 3 high, 11 medium, 1 low, 1 info; 0 on CISA KEV; 0 mapped to ATT&CK)

Findings (16 of 16 shown)
- Last USER in the Dockerfile is root: by not specifying a USER, a program in the container may run as 'root'. This is a security hazard: an attacker who controls a process running as root may gain control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'. (semgrep, Dockerfile:34)
- 'apt-get' missing '--no-install-recommends': 'apt-get install' should use '--no-install-recommends' to minimize image size. (trivy, Dockerfile:8)
- Image user should not be 'root': running containers as 'root' can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. (trivy, Dockerfile:0)
- Ensure that a user for the container has been created. (checkov, Dockerfile:1)
- Ensure that HEALTHCHECK instructions have been added to container images. (checkov, Dockerfile:1)
- Ensure top-level permissions are not set to write-all (checkov), reported for six workflows:
  - .github/workflows/website.yml:37 (workflow 'Update website')
  - .github/workflows/oniguruma.yml:0 (workflow 'oniguruma')
  - .github/workflows/scanbuild.yml:0 (workflow 'Clang scan-build Static Analyzer Build')
  - .github/workflows/valgrind.yml:0 (workflow 'valgrind')
  - .github/workflows/decnum.yml:0 (workflow 'decnum')
  - .github/workflows/manpage.yml:0 (workflow 'Building man page, man.test, manonig.test')
- Detected direct use of jinja2: if not done properly, this may bypass HTML escaping, which opens the application to cross-site scripting (XSS). Prefer the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS. (semgrep, docs/build_website.py:13)
- Detected explicitly unescaped content using 'Markup()': this permits the data to include unescaped HTML, which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'. (semgrep, docs/build_website.py:36 and docs/build_website.py:37)
- No HEALTHCHECK defined: add a HEALTHCHECK instruction to container images so the runtime can perform health checks on running containers. (trivy, Dockerfile:0)
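The three Dockerfile rules above (non-root USER, --no-install-recommends, HEALTHCHECK) are all satisfied by the same handful of lines. The following is an added example, not the project's Dockerfile; the base image, package list, build command, health probe and entrypoint are assumptions chosen for illustration.

```dockerfile
# Added example, not the scanned project's Dockerfile. Packages, build and run
# commands are placeholders.
FROM debian:bookworm-slim

# --no-install-recommends keeps packages that are merely "recommended" out of the
# image, so fewer binaries and libraries are present to be exploited or flagged.
# Removing the apt lists in the same layer keeps the layer small.
RUN apt-get update \
 && apt-get install -y --no-install-recommends build-essential ca-certificates \
 && rm -rf /var/lib/apt/lists/*

# Create an unprivileged account. --system: no password aging, no login shell
# setup; --no-create-home: nothing writable under /home.
RUN groupadd --system app \
 && useradd --system --gid app --no-create-home app

WORKDIR /src
# Give the unprivileged user ownership of what it has to build and run.
COPY --chown=app:app . .
RUN make

# The probe is a hypothetical script; the runtime marks the container unhealthy
# after 3 consecutive failures instead of leaving it running silently broken.
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD ["/usr/local/bin/healthcheck"]

# The last USER instruction is what semgrep, trivy and checkov key on; anything
# after this line (CMD/ENTRYPOINT) runs as 'app', not root.
USER app
CMD ["./run"]
```

Check the result with `docker inspect --format '{{.Config.User}}' <image>` (expect `app`) and `docker inspect --format '{{json .State.Health}}' <container>` on a running instance. One caveat: if the image only runs a build or a test suite and then exits, there is no long-lived process for a HEALTHCHECK to probe, and the finding is about a convention rather than a live risk; the USER finding matters regardless, because a compromised build step running as root inside the container has root on every layer it can reach.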
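`permissions: write-all` grants the job's GITHUB_TOKEN write access on every scope (contents, packages, pull-requests, id-token and the rest), so any compromised step or third-party action in the workflow can push commits, publish packages or mint OIDC tokens. The fix is a read-only top-level default with scopes escalated per job. This is an added example, not one of the six flagged workflows; the workflow name, job names and commands are assumptions.

```yaml
# Added example, not one of the project's workflows. Jobs and commands are
# illustrative.
name: build-and-publish

on:
  push:
    branches: [master]
  pull_request:

# Top-level default applies to every job that does not override it. Replacing
# `permissions: write-all` with this is what clears the checkov finding.
# (Omitting the block entirely falls back to the repository default, which may
# itself be permissive, so state it explicitly.)
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./configure && make && make check   # assumed build/test command

  publish-site:
    runs-on: ubuntu-latest
    needs: test
    # Escalate only here, only the scope this job actually needs.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy-site.sh   # hypothetical deployment step
```

A job that needs to publish to GitHub Pages or comment on a pull request gets `pages: write`, `id-token: write` or `pull-requests: write` in its own `permissions` block in the same way; the top-level block stays read-only.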
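The two semgrep findings in docs/build_website.py describe the same mechanism from two sides: a jinja2 `Environment` created directly has autoescaping off, and `Markup()` tells jinja2 that a string is already-safe HTML so it is never escaped even when autoescaping is on. Whether either is exploitable here depends on whether anything interpolated into the site comes from outside the repository. The example below is added here and is not the project's build_website.py; `HOSTILE_TITLE` is a constructed input and the template is a stand-in.

```python
"""Added example (not the project's build_website.py): the autoescape and
Markup() behaviour behind the two semgrep findings, on a constructed input."""
from jinja2 import Environment, select_autoescape
from markupsafe import Markup  # jinja2's Markup is the markupsafe class

# Constructed sample: a page title an attacker could influence.
HOSTILE_TITLE = '<img src=x onerror="alert(1)">'

# Stand-in for a template in the site generator.
TEMPLATE = "<h1>{{ title }}</h1>"


def render_unsafe(title: str) -> str:
    """Direct jinja2 use as flagged: Environment() defaults to autoescape=False,
    so {{ title }} is inserted verbatim and HTML in it becomes live markup."""
    env = Environment()
    return env.from_string(TEMPLATE).render(title=title)


def render_autoescaped(title: str) -> str:
    """What Flask's render_template() does for *.html templates: autoescape on,
    so <, >, &, " and ' in {{ title }} are entity-encoded."""
    env = Environment(
        autoescape=select_autoescape(default_for_string=True, default=True)
    )
    return env.from_string(TEMPLATE).render(title=title)


def render_markup_bypass(title: str) -> str:
    """The Markup() finding: wrapping the value marks it 'already safe', so the
    autoescaping environment skips it and the XSS payload survives."""
    env = Environment(autoescape=True)
    return env.from_string(TEMPLATE).render(title=Markup(title))


def render_markup_correct(title: str) -> str:
    """If Markup() is needed for trusted surrounding HTML, keep the untrusted
    part outside the literal: Markup.format() escapes its arguments, and the
    resulting Markup object is not escaped a second time by the template."""
    env = Environment(autoescape=True)
    heading = Markup("<em>{}</em>").format(title)
    return env.from_string(TEMPLATE).render(title=heading)


if __name__ == "__main__":
    for fn in (render_unsafe, render_autoescaped,
               render_markup_bypass, render_markup_correct):
        print(f"{fn.__name__:22s} {fn(HOSTILE_TITLE)}")
```

The practical rule the two findings encode: autoescaping must be on for every template that produces HTML (Flask does this by file extension; a hand-built `Environment` must ask for it), and `Markup()` may wrap only literal HTML the code itself wrote, never a value read from a file, a commit or a request.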
This report is public.