dockerfile.security.missing-user has a false positive related to HEALTHCHECK CMD #3436
Description
Describe the bug
dockerfile.security.missing-user has a false positive related to HEALTHCHECK CMD. It triggers for Dockerfiles that do not have a CMD directive and only use an ENTRYPOINT directive.
To Reproduce
FROM some.registry/java/jre-17-corretto-amazonlinux-2023:latest
WORKDIR /service
EXPOSE 18252 18253
HEALTHCHECK --interval=30s --timeout=3s \
CMD curl -sSfI --retry 0 --tcp-nodelay http://localhost:18253/actuator/health/liveness || exit 1
USER user
COPY ./scripts/entrypoint.sh /service/bin/
COPY build-artifact /service/bin/build-artifact.jar
ENTRYPOINT ["/service/bin/entrypoint.sh"]
Expected behavior
This rule should not trigger because a non-root user is specified.
Priority
How important is this to you?
- P0: blocking me from making progress
- P1: this will block me in the near future
- P2: annoying but not blocking me
Additional Context
I don't think that this rule should trigger in the first place as this isn't the CMD directive, it's part of the HEALTHCHECK. I believe the intent of this rule is to prevent services to run as root so as to minimize exposure if the service is compromised. I'm not sure how you take advantage of the HEALTHCHECK calling curl with root permissions to cause problems.
There is another missing-user rule for ENTRYPOINT directive. This is odd because the CMD and ENTRYPOINT directives can both be used in a Dockerfile and this is valid. There is even a documented example as such. I would think that this should be one rule given this fact.
Lastly, my understanding is that any ENTRYPOINT or CMD directive uses the last declared user in the Dockerfile. I don't believe the USER directive is required to be declared before the ENTRYPOINT or CMD directive. If I understand both of these rules correctly, they assume that the USER directive must be declared before the ENTRYPOINT and CMD directive.