
Dockerfile configuration disables strict SSL for NPM

Description

Setting the `npm_config_strict_ssl` environment variable to `false` in a Dockerfile is insecure. npm reads environment variables of the form `npm_config_<setting>` as configuration, so this instructs NPM (Node Package Manager) to skip SSL certificate verification whenever it talks to a registry or performs any other network operation.

Disabling strict SSL for NPM leaves the container and the applications it runs exposed to man-in-the-middle (MitM) attacks: an attacker positioned between the Node.js application and the NPM registry or other servers can intercept, modify, or eavesdrop on the traffic, which can result in injected code or leaked data.

Code Example

```dockerfile
- ENV npm_config_strict_ssl=false
+ ENV npm_config_strict_ssl=true
```

Remediation

Docker

Rule Details

Field        Value
ID           IAC-0856
Severity     HIGH
IaC Type     dockerfile
Frameworks   Docker
Checkov ID   CKV2_DOCKER_12

References