Dockerfile configures GIT to disable SSL verification
Description
Setting the `GIT_SSL_NO_VERIFY` environment variable to `true` in a Dockerfile is insecure. It instructs Git to skip SSL/TLS certificate verification on every HTTPS connection it makes, whether cloning repositories or otherwise interacting with remote servers. Because `ENV` values persist into the built image, the weakened setting applies to every container started from that image, not only to the build step that needed it.
With certificate verification disabled, the Docker container and the operations it performs are exposed to man-in-the-middle (MitM) attacks: an attacker positioned on the network path can intercept, modify, or eavesdrop on the traffic between the Git client and the remote server. This can lead to cloning a malicious repository, altered code, or the leak of sensitive information.
Code Example
```dockerfile
- ENV GIT_SSL_NO_VERIFY=true
+ ENV GIT_SSL_NO_VERIFY=false
```
Remediation
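The following is an added example, not code from the original page or from Checkov, showing how a scanner can find the offending instruction in a Dockerfile. It handles both `ENV` syntaxes and backslash line continuations, and it goes beyond the literal `true` shown above to the other spellings Git's boolean parser accepts (`yes`, `on`, non-zero integers); the sample Dockerfile is constructed.

```python
import re
# Git reads GIT_SSL_NO_VERIFY like a config boolean: "true"/"yes"/"on" or a
# non-zero integer disables verification; anything else leaves it enabled.
def git_truthy(value):
    v = value.strip().strip('"\'').lower()
    return v in ("true", "yes", "on") or (v.isdigit() and int(v) != 0)

def logical_lines(dockerfile_text):
    """Join backslash-continued lines; drop comments and blank lines."""
    out, buf = [], ""
    for raw in dockerfile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    if buf:
        out.append(buf.strip())
    return out

def env_assignments(line):
    """Return (key, value) pairs from an ENV instruction in either syntax."""
    m = re.match(r"(?i)env\s+(.+)", line)
    if not m:
        return []
    body = m.group(1).strip()
    if "=" not in body.split()[0]:              # legacy form: ENV KEY value
        key, _, value = body.partition(" ")
        return [(key, value.strip())]
    return re.findall(r'(\S+?)=("[^"]*"|\S*)', body)  # ENV K1=v1 K2="v 2"

def find_git_ssl_no_verify(dockerfile_text):
    """Return ENV instructions that set GIT_SSL_NO_VERIFY to a true value."""
    return [line for line in logical_lines(dockerfile_text)
            if any(k == "GIT_SSL_NO_VERIFY" and git_truthy(v)
                   for k, v in env_assignments(line))]

# Constructed sample Dockerfile: three offending ENV lines, one compliant.
SAMPLE = """\
FROM alpine:3.19
ENV GIT_SSL_NO_VERIFY=true
ENV GIT_SSL_NO_VERIFY 1
ENV APP_ENV=prod \\
    GIT_SSL_NO_VERIFY=false
ENV GIT_SSL_NO_VERIFY="yes"
"""
```

Running `find_git_ssl_no_verify(SAMPLE)` returns the three offending instructions; the continued `ENV` that sets the variable to `false` is left alone.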
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0858 |
| Severity | HIGH |
| IaC Type | dockerfile |
| Frameworks | Docker |
| Checkov ID | CKV2_DOCKER_14 |