Merge pull request #7031 from Checkmarx/AST-40561

fix(dockerfile): remove user root and add platform
Checkmarx · Apr 30, 2024 · a871623 · a871623
2 parents 2ffb991 + 85873d2
commit a871623
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 5 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM cgr.dev/chainguard/go@sha256:a06a462f22445088e8bbb4478dedf83228af0db9003cd4f4cde5981694bc3d3d as build_env
+FROM --platform=linux/amd64 cgr.dev/chainguard/go@sha256:4d51574ef33b4edc57a22da062fe335a500eda30a1f1315cb39b4977bf2aef5f as build_env
 
 # Copy the source from the current directory to the Working Directory inside the container
 WORKDIR /app
@@ -31,12 +31,10 @@ USER nonroot
 # Runtime image
 # Ignore no User Cmd since KICS container is stopped afer scan
 # kics-scan ignore-line
-FROM cgr.dev/chainguard/git@sha256:f20defbb71126cae9e76cb95d24399df877b4fe62476525c0e67b05c0206b51d
+FROM --platform=linux/amd64 cgr.dev/chainguard/git@sha256:de87d065b0efb4332080a55ccf45015891fce6aa9ee6101730779850d4634a56
 
 ENV TERM xterm-256color
 
-USER root
-
 # Copy built binary to the runtime container
 # Vulnerability fixed in latest version of KICS remove when gh actions version is updated
 # kics-scan ignore-line

diff --git a/assets/queries/dockerfile/using_platform_with_from/metadata.json b/assets/queries/dockerfile/using_platform_with_from/metadata.json
@@ -3,10 +3,11 @@
   "queryName": "Using Platform Flag with FROM Command",
   "severity": "LOW",
   "category": "Best Practices",
-  "descriptionText": "Don't use '--platform' flag with FROM",
+  "descriptionText": "'FROM' instruction should use the flag '--platform'",
   "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#from",
   "platform": "Dockerfile",
   "descriptionID": "5bd0baab",
+  "cloudProvider": "common",
   "cwe": "695",
   "oldSeverity": "INFO"
 }