
Dockerfile certificate validation is disabled with the pip '--trusted-host' option

Description

This policy checks that your Dockerfile does not invoke `pip` or `pip3` with the `--trusted-host` option.

The `--trusted-host` option in pip marks a host (or host:port pair) as trusted even though it does not present a valid HTTPS certificate, or offers no HTTPS at all.

By marking a host as trusted with `--trusted-host`, you tell pip not to enforce certificate verification for that host. As with the equivalent curl and wget checks, this leaves the build open to man-in-the-middle (MitM) attacks: an attacker on the network path can intercept or alter the traffic between pip and the trusted host. In a Dockerfile the consequence is worse than in an interactive shell, because the build runs unattended and any tampered package is baked into the image and shipped everywhere the image goes.

Code Example

```dockerfile
- RUN pip install somepackage --trusted-host pypi.example.com
+ RUN pip install somepackage
```
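The check described above, as an added example rather than code from the page or from the Checkov project: a small Python scanner that walks a Dockerfile, joins backslash continuations, splits shell-form `RUN` lines on `&&`, `||`, `;` and `|`, parses exec-form (JSON array) `RUN` lines, and flags any `pip`, `pip3` or `python -m pip` command carrying `--trusted-host` in either the `--trusted-host HOST` or `--trusted-host=HOST` spelling. It goes beyond the flag-only rule on the page by also flagging `ENV PIP_TRUSTED_HOST`, which pip honours as the same option. The sample Dockerfile, host names and package names are constructed for the example.

```python
"""Flag pip invocations in a Dockerfile that disable TLS validation
via --trusted-host (or the equivalent PIP_TRUSTED_HOST environment variable)."""
import json
import re
import shlex

PIP_COMMANDS = {"pip", "pip3"}
SEPARATORS = {"&&", "||", ";", "|", ";;", "|&"}

# Constructed sample input; the host names and package names are made up.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
ENV PIP_TRUSTED_HOST=pypi.example.com
RUN pip install --upgrade pip
RUN pip install somepackage \\
    --trusted-host pypi.example.com
RUN pip3 install --index-url https://pypi.example.com/simple \\
    --trusted-host=pypi.example.com otherpackage
RUN ["pip", "install", "--trusted-host", "pypi.example.com", "thirdpackage"]
RUN python -m pip install safe-package
RUN pip install --cert /etc/ssl/certs/internal-ca.pem private-package
"""


def instructions(dockerfile):
    """Yield (line_number, KEYWORD, argument) per instruction, joining
    backslash continuations and skipping blank and comment lines."""
    lines = dockerfile.splitlines()
    i = 0
    while i < len(lines):
        start = i + 1
        if not lines[i].strip() or lines[i].lstrip().startswith("#"):
            i += 1
            continue
        parts = [lines[i].rstrip()]
        while parts[-1].endswith("\\") and i + 1 < len(lines):
            parts[-1] = parts[-1][:-1]
            i += 1
            parts.append(lines[i].rstrip())
        i += 1
        keyword, _, arg = " ".join(p.strip() for p in parts).partition(" ")
        yield start, keyword.upper(), arg.strip()


def shell_commands(arg):
    """Split a shell-form RUN string into commands (token lists) at && || ; |."""
    lexer = shlex.shlex(arg, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def run_commands(arg):
    """Commands of a RUN instruction: exec form (JSON array) or shell form."""
    if arg.startswith("["):
        try:
            parsed = json.loads(arg)
            if isinstance(parsed, list) and all(isinstance(t, str) for t in parsed):
                return [parsed]
        except json.JSONDecodeError:
            pass
    return shell_commands(arg)


def is_pip_command(tokens):
    """True for pip, pip3, /usr/bin/pip3, or python[X.Y] -m pip."""
    if not tokens:
        return False
    prog = tokens[0].rsplit("/", 1)[-1]
    if prog in PIP_COMMANDS:
        return True
    return (prog.startswith("python") and len(tokens) >= 3
            and tokens[1] == "-m" and tokens[2] in PIP_COMMANDS)


def uses_trusted_host(tokens):
    """Both spellings: --trusted-host HOST and --trusted-host=HOST."""
    return any(t == "--trusted-host" or t.startswith("--trusted-host=")
               for t in tokens)


def check_dockerfile(dockerfile):
    """Return [(line_number, offending_text)] for every violation found."""
    findings = []
    for lineno, keyword, arg in instructions(dockerfile):
        if keyword == "RUN":
            for cmd in run_commands(arg):
                if is_pip_command(cmd) and uses_trusted_host(cmd):
                    findings.append((lineno, " ".join(cmd)))
        elif keyword == "ENV" and re.search(r"\bPIP_TRUSTED_HOST(=|\s)", arg):
            findings.append((lineno, arg))
    return findings


if __name__ == "__main__":
    for lineno, text in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {text}")
```

Run against the constructed sample, the scanner reports lines 2, 4, 6 and 8 and stays quiet on the `--cert` line, which is the correct way to trust a private CA without turning validation off. The `shlex` lexer with `punctuation_chars=True` is what makes `&&`-chained commands come back as separate token lists, so a `--trusted-host` hidden after an `apt-get update &&` is not missed.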

Remediation

Docker

Remove `--trusted-host` from every `pip` and `pip3` invocation in the Dockerfile and serve the package index over HTTPS with a certificate pip can validate. If the index is internal and signed by a private CA, keep validation on and point pip at the CA bundle instead of disabling it, for example with `pip install --cert /path/to/ca-bundle.pem`, the `PIP_CERT` environment variable, or the `cert` setting in `pip.conf`.

Rule Details

| Field | Value |
|---|---|
| ID | IAC-0848 |
| Severity | HIGH |
| IaC Type | dockerfile |
| Frameworks | Docker |
| Checkov ID | CKV2_DOCKER_4 |
