diff --git a/dockerfile/security/missing-user-entrypoint.dockerfile b/dockerfile/security/missing-user-entrypoint.dockerfile
index d3110f1814..de9fe40c12 100644
--- a/dockerfile/security/missing-user-entrypoint.dockerfile
+++ b/dockerfile/security/missing-user-entrypoint.dockerfile
@@ -9,6 +9,6 @@ RUN pip3 install semgrep
 # ruleid: missing-user-entrypoint
 ENTRYPOINT semgrep -f p/xss
-# TODO: metavar bug
-# ok: missing-user-entrypoint
+# TODO: metavar ellipses bug, this should be a finding but is a false negative
+# ruleid: missing-user-entrypoint
 ENTRYPOINT ["semgrep", "--config", "localfile", "targets"]
diff --git a/dockerfile/security/missing-user-entrypoint.fixed.dockerfile b/dockerfile/security/missing-user-entrypoint.fixed.dockerfile
index 170b6fd3bd..61ee3b400c 100644
--- a/dockerfile/security/missing-user-entrypoint.fixed.dockerfile
+++ b/dockerfile/security/missing-user-entrypoint.fixed.dockerfile
@@ -7,9 +7,10 @@ RUN git clone https://github.com/returntocorp/semgrep
 RUN pip3 install semgrep
 # ruleid: missing-user-entrypoint
-USER non-root
 ENTRYPOINT semgrep -f p/xss
-# TODO: metavar bug
+# TODO: metavar ellipses bug
 # ok: missing-user-entrypoint
 ENTRYPOINT ["semgrep", "--config", "localfile", "targets"]
+
+USER non-root
\ No newline at end of file
diff --git a/dockerfile/security/missing-user-entrypoint.yaml b/dockerfile/security/missing-user-entrypoint.yaml
index 659ddaa77c..cf2ea76961 100644
--- a/dockerfile/security/missing-user-entrypoint.yaml
+++ b/dockerfile/security/missing-user-entrypoint.yaml
@@ -4,6 +4,7 @@ rules:
 - pattern: |
 ENTRYPOINT $...VARS
 - pattern-not-inside: |
+ ...
 USER $USER
 ...
 fix: |
diff --git a/dockerfile/security/missing-user.dockerfile b/dockerfile/security/missing-user.dockerfile
index a089ea0e8d..6bcee188f0 100644
--- a/dockerfile/security/missing-user.dockerfile
+++ b/dockerfile/security/missing-user.dockerfile
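Review bot: The new `# ruleid: missing-user-entrypoint` annotation above the exec-form `ENTRYPOINT ["semgrep", "--config", "localfile", "targets"]` asks the test harness to expect a finding that the TODO on the line before says the rule does not yet produce, so this fixture will presumably be reported as a missed finding rather than pass. Semgrep's test annotations have a dedicated marker for known false negatives; `# todoruleid: missing-user-entrypoint` records the intended behaviour without turning the fixture red, and the TODO comment can stay as the explanation. The same applies to the `# ruleid: missing-user` line added above `CMD ["semgrep", "--version"]` in missing-user.dockerfile.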
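Review bot: `USER non-root` is now the final instruction of the fixed fixture and the file ends without a trailing newline (`\ No newline at end of file`); adding the newline keeps later diffs of this file clean. Moving `USER` after both `ENTRYPOINT` lines is correct at runtime, since the stage's last `USER` applies regardless of where it sits relative to `ENTRYPOINT`/`CMD`, but if the harness compares `.fixed` files against the rule's `fix:` template (the template body is outside this hunk) the relocated line may no longer match the autofix output, which is worth checking. The fixture never creates a `non-root` account; a comment such as `# fixture only: a real image must create this account before USER` would stop readers copying the line verbatim. The same end-of-file placement without a newline appears in missing-user.fixed.dockerfile.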
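Review bot: With the added leading `...`, the `pattern-not-inside` now suppresses the finding whenever any `USER $USER` appears anywhere in the file, and `$USER` is unconstrained, so `USER root` or `USER 0` satisfies the check even though the rule exists to catch processes running as root. Constraining the metavariable would close that gap; I cannot tell from here whether a `metavariable-regex` on `$USER` can be attached to a negated clause in this rule's semgrep version, so it may need a separate positive clause that re-flags an explicit root user — worth verifying against the test fixtures. In a multi-stage Dockerfile a `USER` in a build stage would also satisfy this check for the final stage, which is inferred rather than visible here. The same pattern change appears in missing-user.yaml.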
@@ -6,12 +6,9 @@ FROM busybox
 RUN git clone https://github.com/returntocorp/semgrep
 RUN pip3 install semgrep
-# ruleid: missing-user
-CMD semgrep -f p/xss
-
 # ruleid: missing-user
 CMD semgrep --config localfile targets
-# TODO: metavar ellipses bug
-# ok: missing-user
+# TODO: metavar ellipses bug, this should be a failure but is a false negative
+# ruleid: missing-user
 CMD ["semgrep", "--version"]
diff --git a/dockerfile/security/missing-user.fixed.dockerfile b/dockerfile/security/missing-user.fixed.dockerfile
index 90c753f54e..187f99ae28 100644
--- a/dockerfile/security/missing-user.fixed.dockerfile
+++ b/dockerfile/security/missing-user.fixed.dockerfile
@@ -6,14 +6,11 @@ FROM busybox
 RUN git clone https://github.com/returntocorp/semgrep
 RUN pip3 install semgrep
-# ruleid: missing-user
-USER non-root
-CMD semgrep -f p/xss
 # ruleid: missing-user
-USER non-root
 CMD semgrep --config localfile targets
 # TODO: metavar ellipses bug
 # ok: missing-user
-CMD ["semgrep", "--version"]
+CMD ["semgrep", "--config", "localfile", "targets"]
+USER non-root
\ No newline at end of file
diff --git a/dockerfile/security/missing-user.yaml b/dockerfile/security/missing-user.yaml
index accb35eb1e..dad7f51571 100644
--- a/dockerfile/security/missing-user.yaml
+++ b/dockerfile/security/missing-user.yaml
@@ -4,6 +4,7 @@ rules:
 - pattern: |
 CMD $...VARS
 - pattern-not-inside: |
+ ...
 USER $USER
 ...
 fix: |
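Review bot: `CMD ["semgrep", "--version"]` is rewritten to `CMD ["semgrep", "--config", "localfile", "targets"]` in the fixed fixture with no stated reason, while its unfixed counterpart in missing-user.dockerfile keeps `--version`; the two files now differ in content as well as in the presence of `USER`, which makes the `.fixed` file harder to read as a pure fix of the other. Either keep `CMD ["semgrep", "--version"]` here or carry the same change into missing-user.dockerfile. The fixture also keeps two `CMD` instructions, of which only the last takes effect; a short comment such as `# only the last CMD is used; both kept to exercise the rule` would make that intent explicit.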