
Commit 69d2025

Add information about docker security as it is not obvious
1 parent 857e768 commit 69d2025

File tree: 1 file changed, +13 -0 lines changed


README.md

Lines changed: 13 additions & 0 deletions
@@ -129,6 +129,17 @@ docker pull ghcr.io/antonbabenko/pre-commit-terraform:$TAG
129129

130130
All available tags [here](https://github.com/antonbabenko/pre-commit-terraform/pkgs/container/pre-commit-terraform/versions).
131131

132+
> [!WARNING]
133+
> Pre-built Docker images contain the latest versions of tools available at the time of their build and remain unchanged afterward. Tags should be immutable whenever possible, and it is highly recommended to pin them using hash sums for security and reproducibility.
134+
>
135+
> This means that most Docker images will include known CVEs, and the longer an image exists, the more CVEs it may accumulate. This applies even to the latest `vX.Y.Z` tags.
136+
>
137+
> To address this, you can use the `nightly` tag, which rebuilds nightly with the latest versions of all dependencies and `pre-commit-terraform` hooks. However, using mutable tags introduces different security conserns.
138+
>
139+
> Note: Currently, we DO NOT test third-party tools or their dependencies for security vulnerabilities, corruption, or injection (including obfuscated content). If you have ideas for introducing image scans or other security improvements, please open an issue or submit a PR. Some ideas are already tracked in [#835](https://github.com/antonbabenko/pre-commit-terraform/issues/835).
140+
>
141+
> From a security perspective, the best approach is to manage the Docker image yourself and update its dependencies as needed. This allows you to remove unnecessary dependencies, reducing the number of potential CVEs and improving overall security.
142+
132143
**Build from scratch**:
133144

134145
> [!IMPORTANT]
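Review bot: Line 137 has a typo, `conserns` should be `concerns`. More substantively, line 133 tells readers to "pin them using hash sums" but the only pull shown on the page is tag-based (`docker pull ghcr.io/antonbabenko/pre-commit-terraform:$TAG`), so there is no concrete pinning form to copy; suggest adding the digest reference next to it, e.g. `docker pull ghcr.io/antonbabenko/pre-commit-terraform@sha256:<digest>`, and mentioning that the digest of an already pulled image can be read with `docker inspect --format '{{index .RepoDigests 0}}' ghcr.io/antonbabenko/pre-commit-terraform:$TAG`. The sentence "Tags should be immutable whenever possible" also reads as if the user controls tag immutability; registry tags are mutable by design, so rephrase to say that only a digest reference is immutable and that `vX.Y.Z` tags are kept stable by project convention alone. Finally, line 137 says mutable tags "introduce different security concerns" without naming them; one clause (a nightly rebuild can silently pick up a newly broken or compromised upstream release, and two runs against the same tag are not reproducible) would make the trade-off against the CVE accumulation described in line 135 explicit.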
@@ -1182,6 +1193,8 @@ Example:
11821193

11831194
## Docker Usage
11841195

1196+
1197+
11851198
### File Permissions
11861199

11871200
A mismatch between the Docker container's user and the local repository file ownership can cause permission issues in the repository where `pre-commit` is run. The container runs as the `root` user by default, and uses a `tools/entrypoint.sh` script to assume a user ID and group ID if specified by the environment variable `USERID`.
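Review bot: Lines 1196 and 1197 add two empty lines directly under the `## Docker Usage` heading with no content, which looks like leftover whitespace rather than an intended change; either drop them or, if a pointer from this section to the new security warning near line 132 was meant to go here, add that sentence instead of the blank lines.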
