Skip to content

trigger#6

Open
holdenmcg wants to merge 24 commits into
developfrom
circleci-project-setup
Open

trigger#6
holdenmcg wants to merge 24 commits into
developfrom
circleci-project-setup

Conversation

@holdenmcg

@holdenmcg holdenmcg commented May 17, 2022

Copy link
Copy Markdown
Owner

No description provided.

@semgrep-app

semgrep-app Bot commented Aug 8, 2022

Copy link
Copy Markdown

Semgrep found 1 drivermanager-hardcoded-secret finding:

  • src/main/java/org/owasp/benchmark/helpers/HibernateUtil.java: L74

A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).

⚪️ This finding does not block your pull request.
🙈 From java.lang.security.sql.drivermanager-hardcoded-secret.drivermanager-hardcoded-secret.

@semgrep-app

semgrep-app Bot commented Sep 9, 2022

Copy link
Copy Markdown

Semgrep found 7 avoid-latest-version findings:

Images should be tagged with an explicit version to produce deterministic container images. The 'latest' tag may change the base container without warning.

⚪️ This finding does not block your pull request.
🙈 From dockerfile.best-practice.avoid-latest-version.avoid-latest-version.

Semgrep found 4 missing-image-version findings:

  • 1Dockerfile: L3, L9
  • 2Dockerfile: L3, L9

Images should be tagged with an explicit version to produce deterministic container images.

⚪️ This finding does not block your pull request.
🙈 From dockerfile.best-practice.missing-image-version.missing-image-version.

@semgrep-app

semgrep-app Bot commented Nov 15, 2022

Copy link
Copy Markdown

Semgrep found 6 dockerfile-should-pin-to-hash findings:

Images referenced from a Dockerfile FROM should always be pinned to an
exact SHA-256 hash. This gives us confidence that builds are repeatable
and changes to base images are always obvious in CI. This is essentially
Docker's equivalent of a "lockfile".

To fix, run docker pull $IMG:$TAG, then change FROM $IMG:$TAG to
FROM $IMG:$TAG@sha256[...] based on the current SHA-256 hash.

Created by dockerfile-should-pin-to-hash.

@semgrep-app

semgrep-app Bot commented Nov 15, 2022

Copy link
Copy Markdown

Semgrep found 18 dockerfile-should-pin-to-hash findings:

Images referenced from a Dockerfile FROM should always be pinned to an
exact SHA-256 hash. This gives us confidence that builds are repeatable
and changes to base images are always obvious in CI. This is essentially
Docker's equivalent of a "lockfile".

To fix, run docker pull $IMG:$TAG, then change FROM $IMG:$TAG to
FROM $IMG:$TAG@sha256[...] based on the current SHA-256 hash.

Created by dockerfile-should-pin-to-hash.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@holdenmcg