Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Docker static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your DOCKER code

Security Hotspot15

Tags

Allowing shell scripts execution during package installation is security-sensitive

Security Hotspot

MajorSonarSource default severity
click to learn more

When installing dependencies, package managers like npm will automatically execute shell scripts distributed along with the source code. Post-install scripts, for example, are a common way to execute malicious code at install time whenever a package is compromised.

Ask Yourself Whether

The execution of dependency installation scripts is required for the application to function correctly.

There is a risk if you answered no to the question.

Recommended Secure Coding Practices

Execution of third-party scripts should be disabled if not strictly necessary for dependencies to work correctly. Doing this will reduce the attack surface and block a well-known supply chain attack vector.

Sensitive Code Example

# Sensitive
RUN npm install

# Sensitive
RUN yarn install

Compliant Solution

RUN npm install --ignore-scripts

RUN yarn install --ignore-scripts

See

MITRE, CWE-506 - Embedded Malicious Code
MITRE, CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
ESLint blog - Postmortem for Malicious Packages Published on July 12th, 2018

Available In:

SonarLint

Catch issues on the fly,
in your IDE

SonarCloud

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

SonarQube

Analyze code in your
on-premise CI