
Dockerfile certificate validation is disabled with the PYTHONHTTPSVERIFY environment variable

Description

Setting the `PYTHONHTTPSVERIFY` environment variable to `0` in a Dockerfile is insecure. The switch was added in Python 2.7.12 by PEP 493 as a migration aid: when it is `0`, the interpreter's `ssl` module builds the default HTTPS context without certificate verification, so the standard-library clients (`urllib`, `http.client`) and any library that relies on that default context accept any certificate, including self-signed ones and ones issued for a different host. Libraries that build their own SSL context are not governed by it, and Python 3 does not implement the variable at all, but the instruction still signals that TLS verification is being switched off rather than fixed.

With verification disabled, every HTTPS request those clients make is exposed to man-in-the-middle (MitM) attacks: an attacker positioned on the network path can present a forged certificate and then intercept, alter, or eavesdrop on the traffic between the Python application and the server. Because `ENV` persists into the final image, the setting does not only weaken the build step in which it appears; every Python process started in the resulting container runs with verification off.

Code Example

```dockerfile
ENV PYTHONHTTPSVERIFY=0
RUN pip install somepackage
```

The `ENV PYTHONHTTPSVERIFY=0` instruction is the line this rule flags.

Remediation

Remove the `ENV PYTHONHTTPSVERIFY=0` instruction, or set the variable to `1`, so that certificate verification stays enabled. If the variable was added to get past a private or corporate certificate authority, fix the trust store instead: copy the CA certificate into the image and register it with the operating system (for example with `update-ca-certificates` on Debian-based images) so that the certificate chain validates without disabling verification. Do not move the setting into an `ARG` or a `RUN` prefix as a workaround; that still disables verification for the commands it applies to.

Rule Details

| Field      | Value          |
|------------|----------------|
| ID         | IAC-0849       |
| Severity   | HIGH           |
| IaC Type   | dockerfile     |
| Frameworks | Docker         |
| Checkov ID | CKV2_DOCKER_5  |
