Skip to content

SonarQube Docker Security Issues - Solutions Guide

This document explains how to address common SonarQube security hotspots in Dockerfiles and provides the specific fixes implemented in our project.

Common SonarQube Docker Security Issues

1. Write Permissions on Copied Resources (docker:S6504)

Issue: Files copied into containers should not have write permissions to prevent tampering.

Solution: Use --chmod=444 for read-only files and --chmod=755 only for executable files.

# ❌ Bad: Default permissions may allow writing
COPY package*.json ./

# ✅ Good: Explicit read-only permissions
COPY --chown=appuser:appuser --chmod=444 package*.json ./

2. Missing --ignore-scripts Flag (docker:S6505)

Issue: npm install without --ignore-scripts can execute malicious scripts from dependencies.

Solution: Always use --ignore-scripts flag with npm commands.

# ❌ Bad: Can execute arbitrary scripts
RUN npm install

# ✅ Good: Prevents script execution
RUN npm ci --legacy-peer-deps --ignore-scripts

3. Copying Recursively Adds Sensitive Data (docker:S6470)

Issue: Using COPY . . can inadvertently copy sensitive files like .env, .git, secrets, etc.

Solution: Copy only necessary files explicitly or use .dockerignore.

# ❌ Bad: Copies everything including sensitive files
COPY . .

# ✅ Good: Copy only necessary files
COPY --chown=appuser:appuser --chmod=444 src/ ./src/
COPY --chown=appuser:appuser --chmod=444 public/ ./public/
COPY --chown=appuser:appuser --chmod=444 index.html ./
COPY --chown=appuser:appuser --chmod=444 vite.config.ts ./

4. Running as Root User (docker:S6471)

Issue: Running containers as root increases security risk if compromised.

Solution: Create and use non-root users, configure nginx to run as non-root.

# ❌ Bad: Running as root
FROM nginx:alpine
CMD ["nginx", "-g", "daemon off;"]

# ✅ Good: Running as non-root user
FROM nginx:alpine
RUN adduser -D -u 1001 appuser
USER nginx
CMD ["nginx", "-g", "daemon off;"]

5. Clear-text Protocols (docker:S5332)

Issue: Using HTTP for health checks or communications is less secure than HTTPS.

Solution: Use HTTPS when possible, with HTTP as fallback.

# ❌ Bad: Only HTTP
HEALTHCHECK CMD wget --spider http://localhost:80/ || exit 1

# ✅ Good: HTTPS with HTTP fallback
HEALTHCHECK CMD wget --no-verbose --tries=1 --spider --no-check-certificate https://localhost:80/ || \
    wget --no-verbose --tries=1 --spider http://localhost:80/ || exit 1

Implementation in Our Project

tracker-frontend/Dockerfile

Key security improvements implemented:

  1. Read-only file permissions: All copied files use --chmod=444
  2. Selective file copying: Only necessary source files are copied
  3. Non-root execution: Nginx runs as the nginx user
  4. Secure npm install: Uses --ignore-scripts flag
  5. Enhanced healthcheck: Tries HTTPS first, falls back to HTTP

tracker-admin/Dockerfile

Key security improvements implemented:

  1. Read-only file permissions: All copied files use --chmod=444
  2. Selective file copying: Only necessary source files are copied
  3. Non-root execution: Nginx runs as the nginx user
  4. Secure npm install: Uses --ignore-scripts flag
  5. Proper script permissions: Entrypoint script has minimal required permissions (755)
  6. Enhanced healthcheck: Tries HTTPS first, falls back to HTTP

Best Practices Summary

File Permissions

  • Use --chmod=444 for read-only files (source code, configs)
  • Use --chmod=755 only for executable files (scripts, binaries)
  • Use --chmod=644 for files that need to be modified at runtime

User Management

  • Always create and use non-root users
  • Use specific UIDs (e.g., 1001) for consistency
  • Ensure proper ownership with --chown=user:group

Dependency Management

  • Always use --ignore-scripts with npm commands
  • Use npm ci instead of npm install for reproducible builds
  • Pin dependency versions in package-lock.json

File Copying

  • Never use COPY . . in production Dockerfiles
  • Explicitly copy only required files and directories
  • Use .dockerignore to exclude sensitive files
  • Consider multi-stage builds to minimize final image size

Network Security

  • Use HTTPS when possible
  • Implement proper health checks with fallbacks
  • Avoid exposing unnecessary ports
  • Use secure protocols for inter-service communication

Verification

To verify these fixes resolve SonarQube issues:

  1. Build the containers:
docker compose build tracker-frontend tracker-admin
  1. Run SonarQube analysis:
# Run your SonarQube scanner
sonar-scanner
  1. Check for remaining issues:
  2. Log into SonarQube dashboard
  3. Navigate to Security Hotspots
  4. Verify Docker-related issues are resolved

Additional Security Considerations

Runtime Security

  • Use read-only root filesystem when possible
  • Drop unnecessary capabilities
  • Use security profiles (AppArmor, SELinux)
  • Implement proper logging and monitoring

Image Security

  • Use minimal base images (alpine, distroless)
  • Regularly update base images
  • Scan images for vulnerabilities
  • Sign images for integrity verification

Secrets Management

  • Never embed secrets in images
  • Use external secret management systems
  • Mount secrets at runtime
  • Rotate secrets regularly

Troubleshooting

Common Issues After Implementing Fixes

  1. Permission denied errors:
  2. Check file ownership and permissions
  3. Ensure nginx user has access to required directories

  4. Verify entrypoint scripts are executable

  5. Build failures:

  6. Check if all required files are explicitly copied
  7. Verify npm scripts work with --ignore-scripts

  8. Ensure all dependencies are properly declared

  9. Runtime errors:

  10. Check nginx configuration for user directive
  11. Verify all required directories exist with proper permissions
  12. Test health checks manually

Testing the Fixes

# Test build process
docker build -t test-frontend -f tracker-frontend/Dockerfile .
docker build -t test-admin -f tracker-admin/Dockerfile .

# Test runtime
docker run -d --name test-frontend-container test-frontend
docker run -d --name test-admin-container test-admin

# Check processes are running as non-root
docker exec test-frontend-container ps aux
docker exec test-admin-container ps aux

# Cleanup
docker stop test-frontend-container test-admin-container
docker rm test-frontend-container test-admin-container

This comprehensive approach addresses all major SonarQube Docker security concerns while maintaining functionality and performance.