
Database

Description

Docker dependencies (the base images pulled by FROM and the artifacts downloaded during the build) are referenced by mutable tags rather than pinned to an exact digest. The build therefore cannot verify the integrity of what it pulls, and a malicious actor who can publish to the upstream registry or release channel can replace those components with malicious ones without leaving a trace in the build definition.

Impact

Override dependencies or components with malicious content.

Recommendation

Reference base images by their immutable digest (image@sha256:...) instead of a tag, and verify every artifact the build downloads against a known hash or a specific git commit, so that the build fails if the upstream content changes.
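The check below is an added example, not code from the original page: a POSIX shell script that fails a build when any FROM line in a Dockerfile is not pinned to an @sha256 digest, skipping references to earlier build stages and to scratch, plus a helper that verifies a downloaded artifact against a known SHA-256. The sample Dockerfile, image names and the digest value in it are constructed placeholders for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): fail the build if any FROM image
# is referenced by a mutable tag instead of an immutable @sha256 digest, and
# verify downloaded artifacts against a known hash. Image names and digests
# below are constructed placeholders.

# Print each FROM reference that is not digest-pinned; return 1 if any, else 0.
# References to earlier build stages ("FROM builder") and to "scratch" are skipped.
check_dockerfile_pins() {
  file="$1"
  stages="scratch "
  rc=0
  # Normalize: drop comments and leading whitespace, collapse runs of whitespace.
  normalized=$(sed -E 's/#.*$//; s/^[[:space:]]+//; s/[[:space:]]+/ /g' "$file")
  while IFS= read -r line; do
    case "$line" in
      [Ff][Rr][Oo][Mm]\ *) ;;
      *) continue ;;
    esac
    rest=${line#* }
    # Skip instruction flags such as --platform=linux/amd64
    while [ "${rest#--}" != "$rest" ]; do
      case "$rest" in *" "*) rest=${rest#* } ;; *) rest="" ;; esac
    done
    set -- $rest
    ref=$1
    [ -n "$ref" ] || continue
    # "FROM <ref> AS <name>" defines a stage that later FROM lines may reference
    if [ "$#" -ge 3 ]; then
      case "$2" in [Aa][Ss]) stages="$stages$3 " ;; esac
    fi
    case " $stages" in *" $ref "*) continue ;; esac
    # A pinned reference ends in @sha256:<64 hex digits>
    if ! printf '%s\n' "$ref" | grep -Eq '@sha256:[0-9a-f]{64}$'; then
      printf 'unpinned: %s\n' "$ref"
      rc=1
    fi
  done <<EOF
$normalized
EOF
  return $rc
}

# Compare a file's SHA-256 against a known-good value; return 0 on match.
verify_artifact_sha256() {
  file="$1"; expected="$2"
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | cut -d' ' -f1)
  else
    actual=$(shasum -a 256 "$file" | cut -d' ' -f1)   # macOS fallback
  fi
  [ "$actual" = "$expected" ]
}

# Constructed sample: one unpinned base image, one pinned, two stage references.
SAMPLE_DIGEST=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
write_sample_dockerfile() {
  cat > "$1" <<EOF
# constructed sample Dockerfile, not a real project
FROM --platform=linux/amd64 golang:1.22-alpine AS builder
RUN go build -o /app ./...
FROM alpine:3.19@sha256:$SAMPLE_DIGEST AS runtime
COPY --from=builder /app /app
FROM builder AS test
FROM scratch
EOF
}

# Demo: the unpinned golang image is reported, the pinned alpine image is not.
tmp=$(mktemp)
write_sample_dockerfile "$tmp"
if check_dockerfile_pins "$tmp"; then
  echo "all FROM images are digest-pinned"
else
  echo "build should fail: unpinned base image(s) listed above"
fi
rm -f "$tmp"
```

Run it as a step before docker build in CI; a non-zero exit from check_dockerfile_pins blocks the build until the offending FROM line carries a digest. Note that a digest pins content, not trust: the first digest you record still has to come from a release you have verified.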

Threat

Anonymous attacker from the Internet with write access to the provider's releases.

Expected Remediation Time

⏱️ 15 minutes.