
Merge pull request #284 from LedgerHQ/fix-ci

Ledger Wiz (CSPM & secret detection) / Wiz IaC Scanner completed Oct 7, 2024 in 5s

Wiz IaC Scanner

IaC Misconfigurations Detected: 2

0 Critical, 0 High, 2 Medium, 0 Low, 0 Informational


Annotations

Check warning on line 22 in .github/workflows/Dockerfile


@ledger-wiz-cspm-secret-detection ledger-wiz-cspm-secret-detection / Wiz IaC Scanner

COPY '--from' Without FROM Alias Defined Previously

Rule ID: 3cc68033-2ce9-4f64-9949-a0d36aeff197
Severity: Medium
Resource: FROM={{ghcr.io/ledgerhq/speculos:latest}}.{{COPY --from=0 /usr/local/bin/ /usr/local/bin/}}

A COPY instruction using the '--from' flag should reference a FROM alias defined earlier in the Dockerfile.

Raw output:
Expected: COPY '--from' should reference a previously defined FROM alias
Found: COPY '--from' does not reference a previously defined FROM alias

Check warning on line 10 in .github/workflows/Dockerfile



Run Using apt

Rule ID: 853ed0e2-f329-4e58-95bb-9094a29691a7
Severity: Medium
Resource: FROM={{ghcr.io/ledgerhq/speculos:latest}}.{{RUN apt install -y bsdmainutils build-essential cmake pkg-config ccache git libboost-dev libboost-filesystem-dev libboost-system-dev libboost-test-dev libevent-dev libminiupnpc-dev libnatpmp-dev libqt5gui5 libqt5core5a libqt5dbus5 libsqlite3-dev libtool libzmq3-dev pkg-config python3 qttools5-dev qttools5-dev-tools qtwayland5 systemtap-sdt-dev}}

Linux distributions discourage using apt as an unattended tool because its command-line interface may change between versions. Prefer the more stable apt-get and apt-cache in scripts and Dockerfiles.

Raw output:
Expected: RUN instructions should not use the 'apt' program
Found: RUN instruction is invoking the 'apt' program