
Dockerfile RPM package manager is configured to skip package signature checks

Description

Employing the `--nosignature` option with the RPM Package Manager (`rpm`) in Dockerfiles presents a substantial security risk. This flag directs RPM to bypass package signature verification during installations.

Neglecting the package signature check opens the door for the potential installation of tampered or malicious packages. This can result in malicious software or vulnerable versions being incorporated into the container image, which could critically jeopardize the container's security and the overall integrity of the applications it houses.

Code Example

```dockerfile
- RUN rpm -i --nosignature somepackage.rpm
+ RUN rpm -i somepackage.rpm
```
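The following is an added example, not the rule's own checker or Checkov's implementation: a small POSIX shell function that scans a Dockerfile for `RUN` instructions invoking `rpm` with `--nosignature`, joining backslash-continued lines first so a flag on a continuation line is not missed. The sample Dockerfile it scans is constructed for the demo.

```shell
#!/bin/sh
# Added example: report RUN instructions that call rpm with --nosignature.
# Prints each offending (joined) instruction; returns 1 if any is found, 0 if none.
find_rpm_nosignature() {
    dockerfile="$1"
    # Join lines ending in a backslash with the next line, so that
    # "RUN ... && \\n    rpm -i --nosignature ..." is inspected as one instruction.
    sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$dockerfile" |
    # Keep only RUN instructions (Dockerfile keywords are case-insensitive).
    grep -iE '^[[:space:]]*RUN[[:space:]]' |
    # Match an rpm command (at the start or after a shell separator)
    # whose arguments contain --nosignature; "rpm" inside other words does not count.
    grep -E '(^|[[:space:];&|])rpm[[:space:]].*--nosignature' && return 1
    return 0
}

# Constructed sample Dockerfile (not from any real project) covering a plain
# violation, a compliant install, a violation hidden on a continuation line,
# and a string that merely mentions the flag.
sample=$(mktemp)
cat > "$sample" <<'EOF'
FROM registry.example/base:1
RUN rpm -i --nosignature somepackage.rpm
RUN rpm -i somepackage.rpm
RUN yum install -y somedep && \
    rpm -Uvh --nosignature \
    other.rpm
RUN echo "--nosignature is only a string here"
EOF

if find_rpm_nosignature "$sample"; then
    echo "no rpm --nosignature usage found"
else
    echo "rpm --nosignature usage found (see lines above)"
fi
```

Run it against a real Dockerfile by replacing `$sample` with the file path; a non-zero exit status makes it usable as a CI gate.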

Remediation

Docker

Rule Details

| Field | Value |
|---|---|
| ID | IAC-0854 |
| Severity | HIGH |
| IaC Type | dockerfile |
| Frameworks | Docker |
| Checkov ID | CKV2_DOCKER_10 |

References