bug(misconf): Apply AVD-DS-0011 only to final layer #7368
Labels
kind/bug
Categorizes issue or PR as related to a bug.
scan/misconfiguration
Issues relating to misconfiguration scanning
Discussed in #7320
Originally posted by candrews August 8, 2024
IDs
ds016
Description
Trivy misconfiguration scan incorrectly reports duplicate CMD instructions for some docker images.
Trivy seems to be looking for CMD instructions in all of the layers of the docker image. Instead, it should only be looking at the final image.
Here's an example:
The Dockerfile for this image can be seen at https://catalog.redhat.com/software/containers/ubi8/python-312/657c12cade3664622a12ed50?container-tabs=dockerfile - it contains exactly 1 CMD so it does not violate the https://avd.aquasec.com/misconfig/ds016 rule.
Reproduction Steps
Target
Container Image
Scanner
Misconfiguration
Target OS
No response
Debug Output
Version
Checklist
-f json that shows data sources and confirmed that the security advisory in data sources was correct
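The false positive described in the report, as an added illustration that is not part of the original issue and is not Trivy's code: an image's history carries the CMD entries of every base image it was built on, so counting CMD across the whole history flags an image whose own Dockerfile has exactly one. The history entries are constructed samples, and `base_entries` (how many history entries were inherited from the base image) is a hypothetical parameter assumed to be known to the caller.

```python
import re

# Constructed sample of image-history `created_by` values, oldest first.
# Assumption: the first four entries were inherited from base images.
HISTORY = [
    '/bin/sh -c #(nop) ADD file:0000 in / ',
    '/bin/sh -c #(nop)  CMD ["/bin/bash"]',
    '/bin/sh -c yum install -y python3',
    '/bin/sh -c #(nop)  CMD ["base-usage"]',
    'COPY app /opt/app # buildkit',
    'CMD ["run-app"]',
]
BASE_ENTRIES = 4  # hypothetical: supplied by the caller, not derived here

# The classic builder records metadata instructions behind a "#(nop)" prefix.
NOP_PREFIX = re.compile(r'^/bin/sh -c #\(nop\)\s+')


def instruction(created_by):
    """Return the Dockerfile instruction keyword recorded by a history entry."""
    text = NOP_PREFIX.sub('', created_by).strip()
    if text.startswith('/bin/sh -c'):
        # Classic-builder RUN entries have no "#(nop)" marker.
        return 'RUN'
    return text.split(None, 1)[0].upper() if text else ''


def cmd_count(history):
    """Count the CMD instructions recorded in a list of history entries."""
    return sum(1 for entry in history if instruction(entry) == 'CMD')


def duplicate_cmd_all_layers(history):
    """Behaviour in the report: every history entry is treated as one Dockerfile."""
    return cmd_count(history) > 1


def duplicate_cmd_final_image(history, base_entries):
    """Scoped check: only entries added on top of the base image are counted."""
    return cmd_count(history[base_entries:]) > 1


if __name__ == '__main__':
    print('all layers :', duplicate_cmd_all_layers(HISTORY))
    print('final image:', duplicate_cmd_final_image(HISTORY, BASE_ENTRIES))
```

The scoped check still reports a genuine duplicate when the final build itself records more than one CMD.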