
Dockerfile Node.js certificate validation is disabled with the NODE_TLS_REJECT_UNAUTHORIZED environment variable

Description

Setting the `NODE_TLS_REJECT_UNAUTHORIZED` environment variable to `0` within Dockerfiles for Node.js applications is a security risk. This setting instructs Node.js to bypass SSL/TLS certificate verification for outgoing HTTPS requests.

By disabling SSL/TLS certificate verification, Node.js applications are exposed to potential man-in-the-middle (MitM) attacks. Attackers can intercept, modify, or eavesdrop on the traffic between the Node.js application and an external server, potentially leading to data breaches or the injection of malicious code.

Code Example

```dockerfile
# Insecure: turns off TLS certificate verification for all HTTPS requests made by Node.js
ENV NODE_TLS_REJECT_UNAUTHORIZED=0
RUN npm install somepackage
```

Remediation

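The following is an added example and not part of the Checkov rule page: a small shell audit that flags Dockerfiles setting `NODE_TLS_REJECT_UNAUTHORIZED` to `0` (both `ENV K=V` and `ENV K V` syntaxes), run against a constructed copy of the insecure Dockerfile above and a constructed hardened variant that keeps verification on and trusts a private CA explicitly instead. The CA file name, its path and the `node:20` base image are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not part of the Checkov rule page: a lightweight audit that flags
# Dockerfiles disabling Node.js TLS verification, next to a hardened Dockerfile.
# Like the page's example it looks only at ENV instructions. The CA file path
# and base image in the hardened Dockerfile are constructed for illustration.

# Return 0 when the Dockerfile sets NODE_TLS_REJECT_UNAUTHORIZED to 0, else 1.
# Accepts both ENV syntaxes ("ENV K=V" and "ENV K V"), an optionally quoted
# value, and a key that appears anywhere in a multi-variable ENV line.
dockerfile_disables_tls_check() {
    grep -Eq '^[[:space:]]*[Ee][Nn][Vv][[:space:]]+.*NODE_TLS_REJECT_UNAUTHORIZED[[:space:]=]+"?0"?([[:space:]]|$)' "$1"
}

# Print a verdict for one Dockerfile; the exit status mirrors the finding.
audit_dockerfile() {
    if dockerfile_disables_tls_check "$1"; then
        echo "FAIL $1: NODE_TLS_REJECT_UNAUTHORIZED=0 disables certificate verification"
        return 1
    fi
    echo "PASS $1"
}

workdir=$(mktemp -d)

# Constructed insecure Dockerfile, mirroring the page's code example.
cat > "$workdir/Dockerfile.insecure" <<'EOF'
FROM node:20
ENV NODE_TLS_REJECT_UNAUTHORIZED=0
RUN npm install somepackage
EOF

# Constructed hardened Dockerfile: verification stays on. If a private CA signs
# the registry's certificate, trust that CA explicitly: npm's "cafile" setting
# covers the install step, NODE_EXTRA_CA_CERTS covers the app at runtime.
cat > "$workdir/Dockerfile.secure" <<'EOF'
FROM node:20
COPY corp-root-ca.pem /usr/local/share/ca-certificates/corp-root-ca.pem
RUN npm config set cafile /usr/local/share/ca-certificates/corp-root-ca.pem
ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/corp-root-ca.pem
RUN npm install somepackage
EOF

for f in "$workdir"/Dockerfile.*; do
    audit_dockerfile "$f" || :
done
```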

Rule Details

| Field | Value |
| --- | --- |
| ID | IAC-0850 |
| Severity | HIGH |
| IaC Type | dockerfile |
| Frameworks | Docker |
| Checkov ID | CKV2_DOCKER_6 |

References