CIS-DI-0010 reported even when environment variable is empty #180

SIPR-octo · 2022-05-18T16:09:53Z

Description

The checkpoint CIS-DI-0010 is raising a FATAL error even when the detected environment variable is empty.

It is actually a common practice to have empty environment variable, in order to "document" them.

Example: ENV POSTGRES_PASSWORD=

If dockle can read the environment variable value, it would be great if it would not report in case the variable is empty.

How to reproduce

My Dockerfile:

FROM alpine:latest

ENV APPLE_SAUCE_SECRET=

The result:

FATAL	- CIS-DI-0010: Do not store credential in environment variables/files
	* Suspicious ENV key found : APPLE_SAUCE_SECRET (You can suppress it with --accept-key)

I can indeed suppress the error but I think this should not be reported as a non-compliance.

The text was updated successfully, but these errors were encountered:

tomoyamachi · 2022-07-23T07:15:21Z

@SIPR-octo I've fixed it on v0.4.6.

SIPR-octo added the bug Something isn't working label May 18, 2022

tomoyamachi linked a pull request Jul 23, 2022 that will close this issue

Skip assessment if environment variable is empty #194

Merged

tomoyamachi closed this as completed in #194 Jul 23, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CIS-DI-0010 reported even when environment variable is empty #180

CIS-DI-0010 reported even when environment variable is empty #180

SIPR-octo commented May 18, 2022

tomoyamachi commented Jul 23, 2022

CIS-DI-0010 reported even when environment variable is empty #180

CIS-DI-0010 reported even when environment variable is empty #180

Comments

SIPR-octo commented May 18, 2022

tomoyamachi commented Jul 23, 2022