Dockerfile sets NPM configuration to disable strict SSL
Description
Configuring NPM with the command `npm config set strict-ssl false` in a Dockerfile is insecure. The command directs NPM (Node Package Manager) to skip SSL/TLS certificate verification for all of its connections to registries and other network endpoints.
With strict SSL disabled, NPM no longer verifies that the server it talks to is the one it expects, which heightens the risk of man-in-the-middle (MitM) attacks. An attacker positioned on the network path could intercept, alter, or eavesdrop on the communications between the Node.js build and the NPM registry or other servers. This can facilitate unintended code injection, data breaches, or the installation of malicious packages.
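The following is an added example (not Checkov's implementation of this rule) of how a Dockerfile linter can detect this misconfiguration. It goes slightly beyond the form named above: besides `npm config set strict-ssl false`, it also flags the per-command `--strict-ssl=false` flag and the `NPM_CONFIG_STRICT_SSL=false` environment variable, both of which npm honors; the sample Dockerfile is constructed, and JSON exec-form `RUN` is deliberately not handled.

```python
"""Flag Dockerfile instructions that disable npm's strict-ssl setting.
Added example; not the Checkov implementation of CKV2_DOCKER_13."""
import re

# Constructed patterns for the ways npm's certificate verification is turned off:
#   RUN npm config set strict-ssl false      (the form named in the rule)
#   RUN npm install --strict-ssl=false ...   (per-command flag)
#   ENV NPM_CONFIG_STRICT_SSL=false          (npm reads npm_config_* variables)
_RUN_PATTERNS = [
    re.compile(r"npm\s+config\s+set\s+strict-ssl[\s=]+false\b", re.I),
    re.compile(r"--strict-ssl[\s=]+false\b", re.I),
]
_ENV_PATTERN = re.compile(r"npm_config_strict_ssl\s*=?\s*[\"']?false\b", re.I)


def parse_instructions(dockerfile_text):
    """Yield (line_no, INSTRUCTION, args) with backslash continuations joined
    and comments/blank lines skipped; line_no is the first physical line."""
    buf, start = [], None
    for idx, raw in enumerate(dockerfile_text.splitlines(), start=1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if start is None:
            start = idx
        if line.endswith("\\"):
            buf.append(line[:-1])   # continuation: keep collecting
            continue
        buf.append(line)
        logical, first = " ".join(buf), start
        buf, start = [], None
        parts = logical.split(None, 1)
        yield first, parts[0].upper(), parts[1] if len(parts) > 1 else ""


def find_strict_ssl_disabled(dockerfile_text):
    """Return the first physical line number of each offending instruction."""
    hits = []
    for line_no, instr, args in parse_instructions(dockerfile_text):
        if instr == "RUN" and any(p.search(args) for p in _RUN_PATTERNS):
            hits.append(line_no)
        elif instr == "ENV" and _ENV_PATTERN.search(args):
            hits.append(line_no)
    return hits


# Constructed sample Dockerfile: lines 3 and 5 should be flagged, line 6 not.
SAMPLE = """FROM node:20-alpine
WORKDIR /app
RUN npm config set strict-ssl false \\
    && npm install
ENV NPM_CONFIG_STRICT_SSL=false
RUN npm config set strict-ssl true
"""
```

Running `find_strict_ssl_disabled(SAMPLE)` returns `[3, 5]`, i.e. the line numbers to report in a scan finding.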
Code Example
```dockerfile
- RUN npm config set strict-ssl false
+ RUN npm config set strict-ssl true
```
Remediation
Docker
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0857 |
| Severity | HIGH |
| IaC Type | dockerfile |
| Frameworks | Docker |
| Checkov ID | CKV2_DOCKER_13 |