Dockerfile certificate validation is disabled with curl

Description

This policy checks for the use of either the --insecure option or the -k shorthand with `curl`. Both these flags tell curl to skip verifying the server's certificate when making a request over HTTPS.

Bypasses SSL verification: with either --insecure or -k, curl does not validate the SSL certificate of the server it connects to, so it has no way to confirm it is talking to the intended host. This leaves the request open to man-in-the-middle (MitM) attacks, in which an attacker positioned on the network path can intercept and possibly modify the traffic between curl and the server; in a Dockerfile that means the content downloaded during the build can be tampered with before it is unpacked into the image.

Code Example

```dockerfile
- RUN curl --insecure https://example.com/somepackage.tar.gz | tar xz
+ RUN curl https://example.com/somepackage.tar.gz | tar xz
```
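To show what a check like this has to handle, here is an added Python scanner (example code, not the page's or Checkov's implementation) that walks a Dockerfile's RUN instructions, splits shell chains into individual commands, and flags curl invocations carrying `--insecure` or `-k`, including bundled short flags such as `-fsSLk`, while not mis-reading a `-o k` output filename as the flag. The `ARG_SHORT` set lists curl's value-taking short options; the sample Dockerfile is constructed for the example.

```python
import re
import shlex

# curl short options that take a value (rest of the bundle or the next token): a "k" after one is data.
ARG_SHORT = set("AbcCdDeEFHKmoPQrtTuUwxXyYz")

def curl_disables_tls_verification(argv):
    """True if a curl argv carries --insecure or -k, including bundled forms like -fsSLk."""
    i = 1
    while i < len(argv):
        arg, i = argv[i], i + 1
        if arg == "--insecure":
            return True
        if arg.startswith("--") or not arg.startswith("-") or arg == "-":
            continue  # other long option, positional argument (URL), or "-" for stdin
        for pos, letter in enumerate(arg[1:]):
            if letter == "k":
                return True
            if letter in ARG_SHORT:
                i += pos == len(arg) - 2  # value is the next token: skip it
                break
    return False

def run_instructions(dockerfile_text):
    """Yield (line_no, command) per shell-form RUN, joining backslash continuations."""
    lines, i = dockerfile_text.splitlines(), 0
    while i < len(lines):
        start, line = i + 1, lines[i]
        while line.rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line.rstrip()[:-1] + " " + lines[i]
        i += 1
        m = re.match(r"(?i)^RUN\s+(?:--\S+\s+)*(.*)$", line.strip())  # skips RUN --mount=...
        if m:
            yield start, m.group(1)

def find_insecure_curl(dockerfile_text):
    """1-based line numbers of RUN instructions that invoke curl with --insecure or -k;
    shell chains are split on && || ; | so each curl invocation is inspected as its own argv."""
    return [n for n, cmd in run_instructions(dockerfile_text)
            if any(a and a[0] == "curl" and curl_disables_tls_verification(a)
                   for a in map(shlex.split, re.split(r"&&|\|\||;|\|", cmd)))]
# Constructed sample Dockerfile (not from the page): only lines 1 and 2 should be flagged.
SAMPLE_DOCKERFILE = """\
RUN curl --insecure https://example.com/somepackage.tar.gz | tar xz
RUN curl -fsSLk -o /tmp/pkg.tgz https://example.com/pkg.tgz && tar xzf /tmp/pkg.tgz
RUN curl -fsSL \\
    -o /tmp/ok.tgz https://example.com/ok.tgz
RUN curl -o k https://example.com/output-named-k
"""
```

Running `find_insecure_curl(SAMPLE_DOCKERFILE)` returns `[1, 2]`: the continued download on lines 3 and 4 and the `-o k` output filename on line 5 are correctly left alone.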

Remediation

Docker

Don't use the --insecure flag or its -k shorthand; let curl verify the server's certificate.

Rule Details

| Field | Value |
| --- | --- |
| ID | IAC-0846 |
| Severity | HIGH |
| IaC Type | dockerfile |
| Frameworks | Docker |
| Checkov ID | CKV2_DOCKER_2 |