
DNF usage of packages with untrusted or missing GPG signatures allowed

Description

This policy detects whether the Ansible `dnf` module is used to install packages with GPG signature verification turned off (`disable_gpg_check: true`). GPG signatures provide assurance that a package has not been tampered with and originates from a trusted source; with the check disabled, dnf will install any RPM the repository or URL serves, including a substituted or modified one.

Code Example

The following task is the pattern this policy flags: signature verification is explicitly disabled.

```yaml
- name: Example
  ansible.builtin.dnf:
    name: nginx
    state: latest
    disable_gpg_check: true   # flagged: GPG signature verification is turned off
```

Remediation

Ansible

  • Module: dnf
  • Attribute: disable_gpg_check

To mitigate this risk, ensure that the `disable_gpg_check` attribute in your dnf tasks is either set to `false` or omitted (it defaults to `false`). This ensures that GPG signature checks are performed, preventing the installation of potentially compromised or untrusted packages. If the check was disabled because a repository's signing key was not yet trusted on the host, the correct fix is to import the vendor key first (for example with the `ansible.builtin.rpm_key` module) rather than to bypass verification; note also that the dnf-level check only verifies signatures against keys the host already trusts, so the key import itself must come from a trusted source.

Secure Code Example:
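As an added example (not the page's own code and not Checkov's implementation of CKV2_ANSIBLE_4), the following Python script applies the rule's logic to a constructed playbook: a dnf task fails when `disable_gpg_check` resolves to a true value, and passes when the attribute is `false` or omitted. The playbook is embedded as already-parsed Python data (the structure `yaml.safe_load` would return) so the script runs without PyYAML; the compliant tasks in it show the secure form. The set of module names and of true-valued strings, and the descent into `block`/`rescue`/`always` sections, are assumptions made for this example.

```python
"""Added example: flag Ansible dnf tasks that disable GPG signature checks.

Illustrative code only; not the page's example and not Checkov's checker.
The playbook below is constructed inline as parsed Python data.
"""

# Assumption: names under which the dnf module may appear in a task.
DNF_MODULE_NAMES = {"dnf", "ansible.builtin.dnf", "ansible.legacy.dnf"}

# Assumption: values treated as boolean true after lower-casing strings.
TRUE_VALUES = {True, "true", "yes", "on", "1"}


def _module_args(raw):
    """Normalise module arguments to a dict; free-form 'k=v k=v' strings are split."""
    if isinstance(raw, dict):
        return raw
    if isinstance(raw, str):
        return dict(part.split("=", 1) for part in raw.split() if "=" in part)
    return {}


def gpg_check_disabled(task):
    """Return True if the task calls dnf with disable_gpg_check set to a true value."""
    for name in DNF_MODULE_NAMES:
        if name in task:
            value = _module_args(task[name]).get("disable_gpg_check", False)
            if isinstance(value, str):
                value = value.strip().lower()
            return isinstance(value, (bool, int, str)) and value in TRUE_VALUES
    return False  # not a dnf task


def iter_tasks(items):
    """Yield leaf tasks, descending into block/rescue/always sections."""
    for item in items or []:
        nested = False
        for section in ("block", "rescue", "always"):
            if section in item:
                nested = True
                yield from iter_tasks(item[section])
        if not nested:
            yield item


def find_violations(playbook):
    """Return (play name, task name) pairs for every task that fails the rule."""
    violations = []
    for play in playbook:
        for section in ("pre_tasks", "tasks", "post_tasks", "handlers"):
            for task in iter_tasks(play.get(section)):
                if gpg_check_disabled(task):
                    violations.append((play.get("name", "<unnamed play>"),
                                       task.get("name", "<unnamed task>")))
    return violations


# Constructed sample playbook: two flagged tasks, three compliant ones, and one
# flagged task hidden inside a block.
SAMPLE_PLAYBOOK = [
    {
        "name": "web",
        "hosts": "all",
        "tasks": [
            {"name": "Flagged: signature check disabled",
             "ansible.builtin.dnf": {"name": "nginx", "state": "latest",
                                     "disable_gpg_check": True}},
            {"name": "Flagged: free-form args, yes is true",
             "dnf": "name=nginx state=present disable_gpg_check=yes"},
            {"name": "Compliant: attribute omitted (defaults to false)",
             "ansible.builtin.dnf": {"name": "nginx", "state": "latest"}},
            {"name": "Compliant: explicitly false",
             "ansible.builtin.dnf": {"name": "nginx", "state": "latest",
                                     "disable_gpg_check": False}},
            {"name": "Compliant: string false",
             "ansible.builtin.dnf": {"name": "nginx", "disable_gpg_check": "false"}},
            {"name": "Install group",
             "block": [
                 {"name": "Flagged: nested in block",
                  "ansible.builtin.dnf": {"name": "httpd", "disable_gpg_check": "true"}},
             ]},
        ],
    }
]

if __name__ == "__main__":
    import sys
    found = find_violations(SAMPLE_PLAYBOOK)
    for play, task in found:
        print(f"FAIL {play}: {task}: dnf task disables GPG signature verification")
    sys.exit(1 if found else 0)
```

Run as a script it exits non-zero when any dnf task disables the check, which is the shape a pre-commit or CI gate would take; in practice the playbook would come from `yaml.safe_load` over the real file rather than the embedded sample.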

Rule Details

| Field      | Value          |
|------------|----------------|
| ID         | IAC-0051       |
| Severity   | MEDIUM         |
| IaC Type   | Ansible        |
| Frameworks | Ansible        |
| Checkov ID | CKV2_ANSIBLE_4 |

References