NShiftKey

• Image user should not be 'root'

  • Description : Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
  • Countermeasure : Specify at least 1 USER command in Dockerfile with non-root user as argument
    • Target Code : darpa-i2o-synapse/Dockerfile [view change history] [ignore this]
      https://github.com/2lambda123/darpa-i2o-synapse/blob/021428b5277853d8d4edd166c5915c8b2d8aef0e/Dockerfile#L0-L1
        

• 'RUN cd ...' to change directory

  • Description : Use WORKDIR instead of proliferating instructions like 'RUN cd … && do-something', which are hard to read, troubleshoot, and maintain.
  • Countermeasure : RUN should not be used to change directory: 'mkdir /syndata && cd /root/git/synapse && python setup.py install && cp synapse/docker/cortex/ram_dmon.json /syndata/dmon.json'. Use 'WORKDIR' statement instead.
    • Target Code : darpa-i2o-synapse/Dockerfile [view change history] [ignore this]
      

      darpa-i2o-synapse/Dockerfile

      Lines 6 to 10 in 021428b

      	COPY . /root/git/synapse
      	RUN mkdir /syndata \
      	&& cd /root/git/synapse && python setup.py install \
      	&& cp synapse/docker/cortex/ram_dmon.json /syndata/dmon.json

      
        

• No HEALTHCHECK defined

  • Description : You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.
  • Countermeasure : Add HEALTHCHECK instruction in your Dockerfile
    • Target Code : darpa-i2o-synapse/Dockerfile [view change history] [ignore this]
      https://github.com/2lambda123/darpa-i2o-synapse/blob/021428b5277853d8d4edd166c5915c8b2d8aef0e/Dockerfile#L0-L1