Docker Curl No Checksum
Description
Detects when curl commands in Dockerfiles download files without verifying checksums or signatures. This represents a security risk since downloaded content could be tampered with during transit, potentially introducing malicious code into container images.
Weakness:
355 - Insufficient data authenticity validation - Checksum verification
Category: Data Manipulation
Detection Strategy
• Scans Dockerfile content for lines containing curl commands
• For each curl command, checks if it spans multiple lines by looking for backslash line continuations
• Verifies if the curl command includes checksum verification using commands like sha256sum, sha1sum, or md5sum
• Reports a vulnerability if a curl download is found without an associated checksum verification
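As an added illustration of the detection strategy above (not the rule's own implementation), a small Python scanner that joins backslash continuations and reports RUN instructions that invoke curl without one of the named checksum tools; the sample Dockerfiles and the `<EXPECTED_SHA256>` placeholder are constructed for this example.

```python
import re

# Constructed sample Dockerfiles (not from the original page), used as input.
VULNERABLE_DOCKERFILE = """FROM debian:latest
# Downloads and executes a script without verification
RUN curl -O https://example.com/install.sh && bash install.sh
"""

SECURE_DOCKERFILE = """FROM debian:buster
RUN apt-get update && \\
    apt-get install -y curl ca-certificates
RUN curl -fsSLo install.sh https://example.com/install.sh && \\
    echo "<EXPECTED_SHA256>  install.sh" | sha256sum -c - && \\
    bash install.sh
"""

# curl counts as a command only at the start of a shell command segment, so
# "apt-get install curl" is not reported. The verification tools are the ones
# the rule description names.
CURL_CMD = re.compile(r"(?:^\s*RUN\s+|&&\s*|\|\|\s*|;\s*|\|\s*|\$\(\s*)curl\b")
CHECKSUM_TOOLS = re.compile(r"\b(sha256sum|sha1sum|md5sum)\b")


def logical_lines(dockerfile):
    """Yield (first_line_number, instruction) pairs, joining backslash continuations."""
    buf, start = [], 0
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        yield start, " ".join(buf)
        buf = []
    if buf:  # trailing continuation with no final line
        yield start, " ".join(buf)


def find_unverified_curl(dockerfile):
    """Return line numbers of RUN instructions that run curl without a checksum step."""
    findings = []
    for n, inst in logical_lines(dockerfile):
        if inst[:3].upper() != "RUN":  # comments and other instructions are skipped
            continue
        if CURL_CMD.search(inst) and not CHECKSUM_TOOLS.search(inst):
            findings.append(n)
    return findings
```

Running `find_unverified_curl` over the two samples reports line 3 of the vulnerable file and nothing for the secure one.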
Vulnerable code example
FROM debian:latest
# ❌ Vulnerable: Downloads and executes script without verification
RUN curl -O https://example.com/install.sh && bash install.sh
✅ Secure code example
FROM debian:buster@sha256:fb45fd4e25abe55a656ca69a7bef70e62099b8bb42a279a5e0ea4ae1ab410e0d
# Install required verification tools
RUN apt-get update && \
apt-get install -y curl gnupg ca-certificates
# Download script and its signature, verify before execution
RUN curl -O https://example.com/install.sh && \...