# Dockerfile Security Rules

16 detection rules for Dockerfile

- Total rules: 16
- CRITICAL: 1
- HIGH: 2
- MEDIUM: 4
- LOW: 8
- ERROR: 1

## Frameworks

- docker
- nodejs

## Rules by CWE

### (CWE-other)

- **Docker Build Optimization and Best Practices** [LOW]: Detects build optimization issues such as relative WORKDIR paths.
- **Docker Compose Obsolete Version Field** [LOW]: Detects Docker Compose files that still use the obsolete top-level `version` field.
- **Docker File Operations Best Practices** [LOW]: Detects ADD used where COPY would do, and COPY instructions that pull in the entire build context.
- **Invalid Port Number in EXPOSE** [ERROR]: Detects invalid port numbers in EXPOSE instructions (valid range: 0-65535).
- **Multiple ENTRYPOINT Instructions** [MEDIUM]: Detects multiple ENTRYPOINT instructions; only the last one takes effect, so the earlier ones are dead configuration.

### Use of Unmaintained Third Party Components (CWE-1104)

- **Docker Base Image Security** [MEDIUM]: Detects base images that use the `latest` tag or carry no tag at all, so the base image can change silently between builds.
- **Use npm ci for Reproducible Builds** [LOW]: Detects Dockerfiles that run `npm install` instead of `npm ci` for production builds; `npm ci` installs exactly what the lockfile specifies.
- **Dockerfile Uses Outdated Node.js Version** [MEDIUM]: Detects Dockerfiles using outdated or end-of-life Node.js versions.
- **Node.js Version Mismatch Between Configuration Files** [MEDIUM]: Detects inconsistent Node.js versions across project configuration files. When `.nvmrc` specifies one Node.js version but the Dockerfile uses a different one, the environments drift:
  - "Works on my machine" bugs (code works locally but fails in production)
  - Security inconsistencies (development may run a patched version while production runs a vulnerable one)
  - Dependency incompatibilities (npm packages may behave differently)
  - Debugging difficulties (production issues are hard to reproduce locally)

  This rule detects mismatches between:
  - `.nvmrc` and Dockerfile
  - `.nvmrc` and `package.json` engines
  - `.tool-versions` and Dockerfile

  NOTE: Detection is handled by `internal/frameworks/nodejs/detector.go`. The recommended version comes from the `docker-image-outdated` finding, which uses the Docker image API for real-time version data.

### Dependency on Vulnerable Third-Party Component (CWE-1395)

- **Docker apt-get Missing Cache Cleanup** [LOW]: Detects apt-get commands without cache cleanup in the same RUN layer (a cleanup in a later RUN does not remove the cache already committed to the earlier layer).
- **Docker apt-get Missing --no-install-recommends** [LOW]: Detects apt-get install commands without the --no-install-recommends flag.
- **Docker apt-get Missing -y Flag** [LOW]: Detects apt-get install commands without the -y flag required for non-interactive builds.

### Execution with Unnecessary Privileges (CWE-250)

- **Container runs as root** [HIGH]: Detects CMD or ENTRYPOINT without a preceding USER instruction. The main process then runs as root inside the container, so any compromise of the application starts with root privileges.
- **Docker User and File Permissions** [HIGH]: Detects an explicit root user (`USER root`) and overly permissive `chmod 777` permissions.

### Protection Mechanism Failure (CWE-693)

- **Missing Healthcheck Configuration** [LOW]: Detects Dockerfiles without a HEALTHCHECK instruction for container monitoring.

### Hardcoded Credentials (CWE-798)

- **Docker Secrets and Security Best Practices** [CRITICAL]: Detects hardcoded secrets in ENV/ARG and piping curl/wget output to a shell. ENV and ARG values are recorded in the image layers and visible via `docker history`, and `curl ... | sh` executes unverified remote content at build time.
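As an added example, not the project's own code, here is a small Python linter that implements the rules above that can be decided from the Dockerfile text alone, run over two constructed Dockerfiles: one that trips fourteen of the rules and a hardened one that passes them all. The rule identifiers (`runs-as-root`, `curl-pipe-shell`, ...), both sample files, the `example.invalid` URL and the pinned `node:20.11.1-bookworm-slim` tag are assumptions made for illustration; the outdated-version and `.nvmrc` mismatch rules need data from outside the Dockerfile and are not implemented.

```python
"""Toy linter for the Dockerfile rules above that can be decided from the file text alone.
Added example, not the project's detector; rule ids and sample Dockerfiles are constructed."""
import re

SECRET_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_KEY", re.I)
RUN_PATTERNS = [  # (rule-id, regex that marks a violation inside a RUN instruction)
    ("curl-pipe-shell", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("npm-install-not-ci", re.compile(r"\bnpm install\b")),
    ("chmod-777", re.compile(r"\bchmod\s+(-R\s+)?777\b")),
]
APT_YES = re.compile(r"\s(-[a-zA-Z]*y[a-zA-Z]*|--yes|--assume-yes)(?=\s|$)")
APT_CLEANUP = re.compile(r"rm -rf /var/lib/apt/lists|apt-get clean")


def parse(dockerfile):
    """Return [(lineno, INSTRUCTION, args)]; comments dropped, backslash continuations joined."""
    out, buf, start = [], [], None
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = n if start is None else start
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        inst, _, args = " ".join(buf).partition(" ")
        out.append((start, inst.upper(), args.strip()))
        buf, start = [], None
    return out


def lint(dockerfile):
    """Return sorted (lineno, rule-id) findings; lineno 0 means the whole file."""
    findings, user_set, entrypoints, healthcheck = [], False, [], False
    for n, inst, args in parse(dockerfile):
        if inst == "FROM":
            image = args.split()[0]
            if "@sha256:" not in image and (":" not in image or image.endswith(":latest")):
                findings.append((n, "base-image-untagged-or-latest"))
        elif inst in ("ENV", "ARG"):  # KEY=VALUE pairs, or legacy 'ENV KEY VALUE'
            pairs = re.findall(r"(\w+)=(\S+)", args) or re.findall(r"^(\w+)\s+(.+)$", args)
            findings += [(n, "hardcoded-secret") for k, _ in pairs if SECRET_NAME.search(k)]
        elif inst == "RUN":
            findings += [(n, rule) for rule, rx in RUN_PATTERNS if rx.search(args)]
            if "apt-get install" in args:  # cleanup must sit in this same layer to shrink it
                apt_ok = {"apt-get-missing-y": APT_YES.search(args),
                          "apt-get-missing-no-install-recommends": "--no-install-recommends" in args,
                          "apt-get-missing-cache-cleanup": APT_CLEANUP.search(args)}
                findings += [(n, rule) for rule, ok in apt_ok.items() if not ok]
        elif inst == "WORKDIR" and not args.startswith(("/", "$")):
            findings.append((n, "relative-workdir"))
        elif inst == "ADD":
            findings.append((n, "add-instead-of-copy"))
        elif inst == "COPY" and [a for a in args.split() if not a.startswith("--")][:1] == ["."]:
            findings.append((n, "copy-entire-context"))
        elif inst == "USER":  # a later 'USER root' undoes an earlier privilege drop
            user_set = args.split(":")[0] not in ("root", "0")
            findings += [] if user_set else [(n, "explicit-root-user")]
        elif inst == "EXPOSE":  # accepts '8080', '8000-8010/tcp'; leaves $VARS alone
            ports = [p for spec in args.split() for p in spec.split("/")[0].split("-")]
            findings += [(n, "invalid-expose-port") for p in ports
                         if not p.startswith("$") and (not p.isdigit() or int(p) > 65535)]
        elif inst in ("CMD", "ENTRYPOINT"):
            entrypoints += [n] if inst == "ENTRYPOINT" else []
            findings += [] if user_set else [(n, "runs-as-root")]
        elif inst == "HEALTHCHECK":
            healthcheck = True
    if len(entrypoints) > 1:
        findings.append((entrypoints[-1], "multiple-entrypoint"))
    if not healthcheck:
        findings.append((0, "missing-healthcheck"))
    return sorted(findings)


BAD_DOCKERFILE = r"""FROM node:latest
ARG NPM_TOKEN=npm_abc123secretvalue
ENV API_KEY=sk-live-0123456789
WORKDIR app
RUN apt-get update && apt-get install curl
RUN curl -sSL https://example.invalid/install.sh | sh
COPY . .
RUN chmod -R 777 /app
RUN npm install
ENTRYPOINT ["node", "server.js"]
ENTRYPOINT ["npm", "start"]
EXPOSE 70000
"""

GOOD_DOCKERFILE = r"""FROM node:20.11.1-bookworm-slim
WORKDIR /app
RUN apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates \
    && rm -rf /var/lib/apt/lists/*
COPY package.json package-lock.json ./
RUN --mount=type=secret,id=npm_token NPM_TOKEN=$(cat /run/secrets/npm_token) npm ci --omit=dev
COPY src/ ./src/
USER node
EXPOSE 3000
HEALTHCHECK CMD node -e "require('http').get('http://localhost:3000/health',r=>process.exit(r.statusCode===200?0:1))"
ENTRYPOINT ["node", "src/server.js"]
"""
```

`lint(BAD_DOCKERFILE)` returns 16 findings (two `hardcoded-secret`, two `runs-as-root`, three apt-get findings on the same RUN line, plus `multiple-entrypoint` on the second ENTRYPOINT and `missing-healthcheck` at line 0), while `lint(GOOD_DOCKERFILE)` returns an empty list. The hardened file shows the corresponding fixes: a pinned tag, absolute WORKDIR, `-y --no-install-recommends` with the list cleanup in the same RUN, a BuildKit `RUN --mount=type=secret` so the npm token never lands in a layer, `npm ci` against the lockfile, `USER node` before the single ENTRYPOINT, and a HEALTHCHECK. Two caveats: the `runs-as-root` check is positional, so a `USER root` after a `USER node` re-arms it, and the secret check is a name heuristic on ENV/ARG only; a value passed with `--build-arg` to a bare `ARG NAME` still appears in `docker history` even though this toy linter does not flag it.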