Check Certificate Validation Curl

Description

The --insecure option (short form -k) tells curl to skip verification of the server's TLS certificate. This carries the risk of connecting to a server that is not who it claims to be, potentially exposing sensitive information or making the build vulnerable to man-in-the-middle attacks. This policy checks whether certificate validation is disabled in the Dockerfile by passing the --insecure option to the curl command.

Risks

The --allow-unauthenticated flag in a Dockerfile poses significant security risks for the following reasons:

  • Package Integrity: When this flag is used, it bypasses the validation of package signatures, which ensures that the software you’re installing hasn’t been tampered with. Without signature verification, you’re at risk of installing:
    • Malicious packages: Hackers could inject compromised software into your system, which could lead to data breaches or unauthorized access.
    • Corrupted or modified packages: If a package has been altered, you may install software that contains bugs or vulnerabilities.
  • Susceptibility to Supply Chain Attacks: Disabling signature checks opens the door for supply chain attacks. An attacker could compromise a package repository and replace legitimate packages with malicious versions. Without cryptographic validation, your system wouldn’t detect this change.
  • Undetected Vulnerabilities: Since signature validation is an important step in ensuring the authenticity and integrity of the software, skipping it could allow vulnerabilities to slip into your environment unnoticed. This could potentially expose your application to exploits based on known vulnerabilities.
  • Trust Issues: Without signature verification, you lose the ability to trust the source of the software you’re installing, which undermines the security of your Docker image. This could have long-term impacts, especially if the image is shared or used across multiple environments.

Kyverno policy

Refer to the Nirmata curated policies - check-certificate-validation-curl.

Resource example

Below is an example of a Dockerfile enforcing this policy.

FROM alpine:latest

RUN apk --no-cache add curl

RUN curl -LO https://github.com/glasskube/glasskube/releases/download/v0.0.1/glasskube_v0.0.1_amd64.deb

ENTRYPOINT ["curl"]
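As an added illustration (not the Nirmata Kyverno policy itself, whose exact matching rules are not reproduced here), the following Python checker applies the same rule to Dockerfile text: it walks every RUN instruction, joins backslash continuations, splits shell chains at &&, ||, ; and |, handles exec-form RUN ["curl", ...], and flags any curl invocation carrying --insecure or a bundled -k. The two Dockerfiles inside it are constructed samples with placeholder URLs.

```python
import json
import os
import shlex

# Constructed sample Dockerfiles (placeholder URLs, not real releases).
COMPLIANT = """\
FROM alpine:latest
RUN apk --no-cache add curl
RUN curl -LO https://example.invalid/pkg.deb
ENTRYPOINT ["curl"]
"""
NONCOMPLIANT = """\
FROM alpine:latest
RUN apk --no-cache add curl && \\
    curl --insecure -LO https://example.invalid/pkg.deb
RUN curl -sSLk https://example.invalid/health
"""

SEPARATORS = {"&&", "||", ";", "|"}

def run_instructions(dockerfile):
    """Yield (line_no, body) per RUN instruction, joining '\\' continuations."""
    lines = dockerfile.splitlines()
    i = 0
    while i < len(lines):
        start, raw = i + 1, lines[i]
        while raw.rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            raw = raw.rstrip()[:-1] + " " + lines[i]
        i += 1
        if raw.strip().upper().startswith("RUN "):
            yield start, raw.strip()[4:].strip()

def split_commands(body):
    """Return argv lists: exec form is JSON, shell form is split at separators."""
    if body.startswith("["):
        return [json.loads(body)]
    cmds, cur = [], []
    for tok in shlex.split(body) + ["&&"]:
        if tok in SEPARATORS:
            if cur: cmds.append(cur)
            cur = []
        else:
            cur.append(tok)
    return cmds

def is_insecure_flag(arg):
    """--insecure, or -k bundled with other short options (e.g. -sSLk)."""
    return arg == "--insecure" or (arg.startswith("-") and not arg.startswith("--") and "k" in arg[1:])

def find_insecure_curl(dockerfile):
    """Return [(line_no, argv)] for each curl call that disables TLS verification."""
    return [(ln, argv) for ln, body in run_instructions(dockerfile)
            for argv in split_commands(body)
            if argv and os.path.basename(argv[0]) == "curl"
            and any(is_insecure_flag(a) for a in argv[1:])]
```

The heuristic is string-based and will not see a flag hidden behind a shell variable or alias; a curl invoked that way needs review by other means.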