
Dockerfile YUM package manager is configured to skip GPG signature checks

Description

Using the `--nogpgcheck` option with the YUM package manager (`yum`) in Dockerfiles introduces security risks. This flag instructs YUM to bypass GPG signature verification when installing packages.

By skipping the GPG signature check, the container could be exposed to tampered or malicious packages. This bypass can result in the inclusion of compromised software or vulnerable versions in the container image, potentially undermining the container's security and the integrity of applications contained within.

Code Example

```dockerfile
- RUN yum install -y --nogpgcheck somepackage
+ RUN yum install -y somepackage
```
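As an added illustration of how a scanner can detect this rule (example code written for this page, not Checkov's or any project's own implementation): it joins backslash continuations, splits shell-form `RUN` commands at `&&`, `;` and `|` with `shlex`, parses exec-form JSON arrays, and flags `yum`/`dnf` calls that carry `--nogpgcheck`. It also treats `--setopt=gpgcheck=0` as an equivalent bypass, which goes beyond the single flag the rule names, and the sample Dockerfile is constructed.

```python
import json
import re
import shlex
# Constructed sample input (not from the original page).
SAMPLE_DOCKERFILE = r"""FROM centos:7
RUN yum install -y --nogpgcheck somepackage
RUN yum update -y && \
    yum install -y --setopt=gpgcheck=0 \
        otherpackage
RUN yum install -y somepackage && yum clean all
RUN echo "--nogpgcheck is not a yum option here"
"""
PACKAGE_MANAGERS = {"yum", "dnf"}
# --setopt=gpgcheck=0 (optionally repo-scoped) is an equivalent bypass the rule text does not name.
SETOPT_DISABLE = re.compile(r"^--setopt=(?:[^=]+\.)?gpgcheck=0$")

def logical_lines(text):
    """Yield (first_line_no, instruction), joining backslash continuations."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue  # blank or comment line between instructions
        if not buf:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        yield start, " ".join(buf + [line])
        buf, start = [], None

def run_commands(instruction):
    """Split a RUN instruction (shell or exec form) into argv lists."""
    body = instruction[3:].strip()
    if body.startswith("["):  # exec form: RUN ["yum", "install", ...]
        return [json.loads(body)]
    lex = shlex.shlex(body, posix=True, punctuation_chars=True)
    lex.whitespace_split = True  # keeps --flag=value whole, splits on && ; |
    cmds = [[]]
    for tok in lex:
        cmds.append([]) if tok in {"&&", "||", ";", "|", "&"} else cmds[-1].append(tok)
    return [c for c in cmds if c]

def disables_gpgcheck(argv):
    """True if argv is a yum/dnf call that turns off GPG signature checks."""
    if not argv or argv[0].rsplit("/", 1)[-1] not in PACKAGE_MANAGERS:
        return False
    return any(a == "--nogpgcheck" or SETOPT_DISABLE.match(a) for a in argv[1:])

def find_nogpgcheck(text):  # -> [(line_no, command), ...] for RUN commands skipping GPG checks
    return [(no, " ".join(argv)) for no, instr in logical_lines(text)
            if instr[:4].upper() == "RUN " for argv in run_commands(instr) if disables_gpgcheck(argv)]
```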

Remediation

Docker

Rule Details

| Field | Value |
|---|---|
| ID | IAC-0853 |
| Severity | MEDIUM |
| IaC Type | dockerfile |
| Frameworks | Docker |
| Checkov ID | CKV2_DOCKER_9 |

References