Complete dockerfile toolkit with generation and validation capabilities
74
92%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Risky
Do not use without reviewing
You are given the following Dockerfile for a payment processing service:
FROM node:18
WORKDIR /app
ENV NODE_ENV=production
ENV API_KEY=sk_live_abcdef1234567890
ENV DATABASE_URL=postgres://admin:P@ssw0rd!@db.internal:5432/payments
COPY package*.json ./
RUN npm ci --only=production
COPY . .
EXPOSE 3000
EXPOSE 22
CMD ["node", "server.js"]Perform Stage 2 (Security Scan) on this Dockerfile using Checkov-equivalent analysis.
Identify all security findings, classify each by severity (Critical / High / Medium / Low), and provide a recommended fix or alternative for each finding. Do not modify the Dockerfile.
ENV API_KEY and ENV DATABASE_URL as hardcoded secrets, classify them as Critical severity, and explain they will persist in all image layers--mount=type=secret in a RUN instruction or runtime environment injection as the correct alternative to ENV for secretsEXPOSE 22 as a security risk (SSH port exposure) and recommend removing it unless SSH access is explicitly requiredENV API_KEY and ENV DATABASE_URL as hardcoded secrets, classifies them as Critical severity, and explains they will persist in all image layers--mount=type=secret in a RUN instruction or runtime environment injection as the correct alternative to ENV for secretsEXPOSE 22 as a security risk (SSH port exposure) and recommends removing it unless SSH access is explicitly required