fix(checks): Only One Entrypoint false negative #8364

Open
2 tasks done
simar7 opened this issue Feb 7, 2025 · 0 comments · May be fixed by #8366

Comments

@simar7
Member

simar7 commented Feb 7, 2025

Discussed in #8362

Originally posted by ArtemkaKun February 6, 2025

IDs

AVD-DS-0007

Description

I think the "Only One Entrypoint" check throws a false misconfiguration error. I have only one ENTRYPOINT in my Dockerfile. The only second ENTRYPOINT I can think of is the ENTRYPOINT from the base image, which I believe must be committed in the check.

Reproduction Steps

Scan the following Dockerfile with trivy `0.59.1`:

```dockerfile
FROM aquasec/trivy:0.59.1

RUN addgroup -S scannergroup && adduser -S scanneruser -G scannergroup

USER scanneruser

HEALTHCHECK --timeout=1s --retries=1 CMD trivy --version || exit 1

# NOTE: `--db-repository` is needed because sometimes GHCR hits the rate limit, and AWS will be used instead.
ENTRYPOINT ["trivy", "image", "--db-repository", "ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db", "--format", "table", "--exit-code", "1", "--ignore-unfixed", "--pkg-types", "os,library", "--severity", "CRITICAL,HIGH,MEDIUM,LOW", "--image-config-scanners", "misconfig,secret", "--scanners", "vuln,secret,misconfig"]
```

Target

Container Image

Scanner

Misconfiguration

Target OS

No response

Debug Output

See https://github.com/Articola-Tools/dockerfile-security-scanner/actions/runs/13185687866/job/36807092534?pr=11

Version

0.59.1

Checklist
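To make the expected behaviour of AVD-DS-0007 concrete, here is an added stand-alone illustration (not Trivy's own check code) that counts ENTRYPOINT instructions per build stage in Dockerfile text, so a base image's inherited ENTRYPOINT is never counted; it is run on the Dockerfile from this issue and on a constructed two-ENTRYPOINT counter-example.

```python
import re

# Dockerfile from the issue (one ENTRYPOINT, so the check must not fire).
ISSUE_DOCKERFILE = """\
FROM aquasec/trivy:0.59.1
RUN addgroup -S scannergroup && adduser -S scanneruser -G scannergroup
USER scanneruser
HEALTHCHECK --timeout=1s --retries=1 CMD trivy --version || exit 1
# NOTE: `--db-repository` is needed because sometimes GHCR hits the rate limit.
ENTRYPOINT ["trivy", "image", "--format", "table", "--scanners", "vuln,secret,misconfig"]
"""

# Constructed counter-example: the final stage really declares ENTRYPOINT twice,
# the second one spread over a backslash-continued line.
TWO_ENTRYPOINTS = """\
FROM alpine:3.20 AS build
ENTRYPOINT ["/bin/sh"]
FROM alpine:3.20
ENTRYPOINT ["/first"]
ENTRYPOINT ["/second", \\
            "--flag"]
"""

def logical_lines(text):
    """Yield instructions with continuations joined; comments and blanks dropped."""
    buf = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:  # dangling continuation at end of file
        yield " ".join(buf)

def entrypoints_per_stage(text):
    """Return [(stage_name, entrypoint_count)] in Dockerfile order.
    Each FROM opens a new stage, so only ENTRYPOINTs written in this file count;
    whatever the base image's config carries is not an instruction here."""
    stages = []
    for line in logical_lines(text):
        inst, _, rest = line.partition(" ")
        if inst.upper() == "FROM":
            m = re.search(r"\bAS\s+(\S+)", rest, re.IGNORECASE)
            stages.append([m.group(1) if m else rest.split()[0], 0])
        elif inst.upper() == "ENTRYPOINT" and stages:
            stages[-1][1] += 1
    return [tuple(s) for s in stages]

def violations(text):
    """Names of stages with more than one ENTRYPOINT (what the check should flag)."""
    return [name for name, n in entrypoints_per_stage(text) if n > 1]
```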

@simar7 simar7 added this to the v0.60.0 milestone Feb 7, 2025
@nikpivkin nikpivkin linked a pull request Feb 7, 2025 that will close this issue