Add docker release to the full release process for final releases #1004
Wiz IaC Scanner
Revealing IaC misconfigurations with Wiz 🪄
🔮 IaC Misconfigurations Detected: 4
Annotations
Check failure on line 47 in docker-dev/Dockerfile
wiz-inc-266a8a9c32 / Wiz IaC Scanner
Missing User Instruction
Rule ID: e54afcf9-dc71-484a-8967-d930e3044062
Severity: High
Resource: FROM={{base as dbt-spark-dev}}
A user should be specified in the dockerfile, otherwise the image will run as root
Raw output
Expected: The 'Dockerfile' should contain the 'USER' instruction
Found: The 'Dockerfile' does not contain any 'USER' instruction
Check failure on line 32 in docker-release/Dockerfile
wiz-inc-266a8a9c32 / Wiz IaC Scanner
Missing User Instruction
Rule ID: e54afcf9-dc71-484a-8967-d930e3044062
Severity: High
Resource: FROM={{base as dbt-spark}}
A user should be specified in the dockerfile, otherwise the image will run as root
Raw output
Expected: The 'Dockerfile' should contain the 'USER' instruction
Found: The 'Dockerfile' does not contain any 'USER' instruction
Check warning on line 42 in docker-release/Dockerfile
wiz-inc-266a8a9c32 / Wiz IaC Scanner
Unpinned Package Version in Pip Install
Rule ID: 1f0d05d7-8caf-4f04-bc60-332d472de5a9
Severity: Medium
Resource: FROM={{base as dbt-spark}}.{{RUN python -m pip install --no-cache-dir "dbt-spark[${extras}] @ git+https://github.com/dbt-labs/dbt-spark@${commit_ref}"}}
Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
Raw output
Expected: RUN instruction with 'pip/pip3 install <package>' should use package pinning form 'pip/pip3 install <package>=<version>'
Found: RUN instruction python -m pip install --no-cache-dir "dbt-spark[all] @ git+https://github.com/dbt-labs/dbt-spark@main" does not use package pinning form
Check notice on line 8 in docker-dev/Dockerfile
wiz-inc-266a8a9c32 / Wiz IaC Scanner
APT-GET Not Avoiding Additional Packages
Rule ID: 0cbafd91-7f35-4000-b40a-bebedb7bb5f8
Severity: None
Resource: FROM={{ubuntu:22.04 as base}}.{{RUN apt-get update && apt-get install -y software-properties-common=0.99.22.9 && add-apt-repository -y ppa:deadsnakes/ppa && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*}}
Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.
Raw output
Expected: 'RUN apt-get update && apt-get install -y software-properties-common=0.99.22.9 && add-apt-repository -y ppa:deadsnakes/ppa && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*' uses '--no-install-recommends' flag to avoid installing additional packages
Found: 'RUN apt-get update && apt-get install -y software-properties-common=0.99.22.9 && add-apt-repository -y ppa:deadsnakes/ppa && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*' does not use '--no-install-recommends' flag to avoid installing additional packages