Docker Wget No Checksum
Description
Detects wget commands in Dockerfiles that download files without verifying checksums or signatures. This creates a security risk as downloaded files could be tampered with during transit, potentially introducing malicious code into the container image.
Detection Strategy
• Identifies wget commands used in Dockerfile instructions
• Checks if the wget command or subsequent lines include checksum verification (e.g. sha256sum, md5sum)
• Handles multi-line wget commands that use backslash (\) line continuations
• Reports a vulnerability if a wget download lacks corresponding integrity checks
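A small detector that follows the four steps above, written as an added example for this page rather than code from the actual rule engine. It joins backslash-continued RUN instructions into one command, flags wget only when it is invoked as a command (so "apt-get install wget" is not reported), and treats a checksum tool in the same instruction or in the RUN instruction that follows as the integrity check. The sample Dockerfiles and the "<placeholder-sha256>" digests are constructed for the demo; the shell form of RUN is handled, the JSON exec form is not.

```python
import re

# Constructed sample Dockerfiles for the demo (not taken from the original page;
# the sha256 values are placeholders, not real digests).
VULNERABLE_DOCKERFILE = """FROM debian:latest
RUN apt-get update && apt-get install -y wget
# Downloads and executes a script with no integrity check
RUN wget https://example.com/setup.sh && bash setup.sh
"""

SECURE_DOCKERFILE = """FROM debian:bullseye-slim
RUN apt-get update && apt-get install -y wget ca-certificates
RUN wget -O /tmp/setup.sh https://example.com/setup.sh && \\
    echo "<placeholder-sha256>  /tmp/setup.sh" | sha256sum -c - && \\
    bash /tmp/setup.sh
# Verification in the next RUN instruction also counts as a check
RUN wget -O /tmp/tool.tgz https://example.com/tool.tgz
RUN echo "<placeholder-sha256>  /tmp/tool.tgz" | sha256sum -c - && tar -xzf /tmp/tool.tgz -C /opt
"""

# wget invoked as a command (start of the RUN, or after &&, ||, ; or |),
# not merely mentioned as an argument such as "apt-get install wget".
WGET_COMMAND = re.compile(r"(?:^|&&|\|\||;|\|)\s*wget\b")
# Tools whose presence is taken as evidence of an integrity check.
CHECKSUM_TOOL = re.compile(r"\b(?:sha(?:1|224|256|384|512)sum|md5sum|gpg|gpgv)\b")


def run_instructions(dockerfile):
    """Return [(line_number, command)] for each shell-form RUN instruction,
    joining backslash line continuations into a single command string."""
    lines = dockerfile.splitlines()
    result = []
    i = 0
    while i < len(lines):
        stripped = lines[i].strip()
        if stripped[:4].upper() == "RUN ":
            start = i + 1  # 1-based line number where the instruction begins
            parts = [stripped[4:].strip()]
            # A trailing backslash means the command continues on the next line
            while parts[-1].endswith("\\") and i + 1 < len(lines):
                parts[-1] = parts[-1][:-1].rstrip()
                i += 1
                parts.append(lines[i].strip())
            result.append((start, " ".join(parts)))
        i += 1
    return result


def find_unverified_wget(dockerfile):
    """Return the 1-based line numbers of RUN instructions that invoke wget
    without a checksum tool in the same instruction or the one that follows."""
    instructions = run_instructions(dockerfile)
    findings = []
    for idx, (lineno, cmd) in enumerate(instructions):
        if not WGET_COMMAND.search(cmd):
            continue
        verified = bool(CHECKSUM_TOOL.search(cmd))
        if not verified and idx + 1 < len(instructions):
            verified = bool(CHECKSUM_TOOL.search(instructions[idx + 1][1]))
        if not verified:
            findings.append(lineno)
    return findings


if __name__ == "__main__":
    print("vulnerable:", find_unverified_wget(VULNERABLE_DOCKERFILE))  # [4]
    print("secure:", find_unverified_wget(SECURE_DOCKERFILE))          # []
```

Matching on the presence of a checksum tool is deliberately permissive: it reports the clear-cut case (a download with no verification anywhere near it) while avoiding false positives on the common patterns shown in the secure example. A stricter rule would also require the verified file name to match the downloaded one.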
Vulnerable code example
FROM debian:latest
RUN apt-get update && apt-get install -y wget
# ❌ Vulnerable: Downloading and executing script without checksum verification
RUN wget https://example.com/setup.sh && bash setup.sh
✅ Secure code example
FROM debian:bullseye-slim@sha256:a165446a88794db4fec31e35e9441433f9552ae048fb1e17a3872029a210f5c8
# Install required packages with versions pinned
RUN apt-get update && \
apt-get install -y wget=1.21-1+deb11u1 ca-certificates=20210119 && \
rm -rf /var/lib/apt/lists/*
# Download script and verify checksum before execution...