
Dockerfile APK package manager is configured to allow untrusted repositories

Description

Using the `--allow-untrusted` option with the APK package manager (`apk`) in Dockerfiles is a significant security risk. This flag tells APK to skip signature verification for packages, so packages that are unsigned, or signed with a key APK does not trust, are installed without error.

By bypassing signature verification, you expose your Docker containers to threats such as tampered or substituted packages, which can put malicious code or vulnerable software versions into your container images.

Code Example

```dockerfile
- RUN apk add --no-cache --allow-untrusted somepackage
+ RUN apk add --no-cache somepackage
```
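As an added example that is not part of this rule page or the scanner's own implementation, the following Python check scans Dockerfile `RUN` instructions (joining backslash continuations, splitting `&&`/`||`/`;` chains, and reading the JSON exec form) and reports every `apk add` that carries `--allow-untrusted`; the sample Dockerfile it runs on is constructed for the demonstration.

```python
import json
import re
import shlex

# Constructed sample Dockerfile for demonstration (not from the original page).
SAMPLE_DOCKERFILE = """\
FROM alpine:3.19
RUN apk add --no-cache --allow-untrusted somepackage
RUN apk update && \\
    apk add --no-cache curl \\
        --allow-untrusted
RUN ["apk", "add", "--allow-untrusted", "somepackage"]
RUN apk add --no-cache somepackage
# RUN apk add --allow-untrusted ignored-because-commented-out
"""

def run_instructions(dockerfile):
    """Yield (line_no, argument) per RUN; joins continuations, skips comments."""
    lines, i = dockerfile.splitlines(), 0
    while i < len(lines):
        if not lines[i].strip() or lines[i].lstrip().startswith("#"):
            i += 1
            continue
        start, buf, cont = i + 1, [], True
        while cont and i < len(lines):
            text = lines[i].rstrip()
            cont = text.endswith("\\")          # backslash continuation
            buf.append(text[:-1] if cont else text)
            i += 1
        match = re.match(r"(?i)run\s+(.*)", " ".join(buf).strip())
        if match:
            yield start, match.group(1)

def command_tokens(argument):
    """One token list per command: exec form is a single command, shell form
    is split on &&, || and ; so the flag is matched only on an apk call."""
    if argument.lstrip().startswith("["):
        return [json.loads(argument)]
    return [shlex.split(seg) for seg in re.split(r"&&|\|\||;", argument)]

def find_untrusted_apk(dockerfile):
    """Return [(line_no, command)] for each apk add that skips signature checks."""
    findings = []
    for line_no, argument in run_instructions(dockerfile):
        for tokens in command_tokens(argument):
            if (tokens and tokens[0].rsplit("/", 1)[-1] == "apk"
                    and "add" in tokens and "--allow-untrusted" in tokens):
                findings.append((line_no, " ".join(tokens)))
    return findings
```

Running `find_untrusted_apk(SAMPLE_DOCKERFILE)` reports lines 2, 3 and 6 (the continuation and exec-form cases included) and ignores the clean `RUN` on line 7 and the commented-out line.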

Remediation

Docker

Rule Details

Field        Value
ID           IAC-0851
Severity     MEDIUM
IaC Type     dockerfile
Frameworks   Docker
Checkov ID   CKV2_DOCKER_7

References