diff --git a/IaC_scan_output.json b/IaC_scan_output.json
new file mode 100644
index 000000000..ce0da6f4b
--- /dev/null
+++ b/IaC_scan_output.json
@@ -0,0 +1,46694 @@ +[ + { + "check_type": "dockerfile", + "results": { + "passed_checks": [ + { + "check_id": "CKV_DOCKER_11", + "bc_check_id": "BC_DKR_GENERAL_9", + "check_name": "Ensure From Alias are unique for multistage builds.", + "check_result": { + "result": "PASSED", + "results_configuration": null + }, + "code_block": [ + [ + 1, + "FROM ruby:3.0.0-alpine AS build-env\n" + ], + [ + 2, + "ARG RAILS_ROOT=/station\n" + ], + [ + 3, + "ARG BUILD_PACKAGES=\"build-base curl-dev git bash\"\n" + ], + [ + 4, + "ARG DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"\n" + ], + [ + 5, + "ARG RUBY_PACKAGES=\"tzdata\"\n" + ], + [ + 6, + "ENV RAILS_ENV=production\n" + ], + [ + 7, + "ENV NODE_ENV=production\n" + ], + [ + 8, + "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n" + ], + [ + 9, + "\n" + ], + [ + 10, + "WORKDIR $RAILS_ROOT\n" + ], + [ + 11, + "\n" + ], + [ + 12, + "# Install build packages\n" + ], + [ + 13, + "RUN apk update \\\n" + ], + [ + 14, + " && apk upgrade \\\n" + ], + [ + 15, + " && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n" + ], + [ + 16, + "\n" + ], + [ + 17, + "COPY lib/nexmo_developer/Gemfile* package.json yarn.lock $RAILS_ROOT/\n" + ], + [ + 18, + "\n" + ], + [ + 19, + "# Upgrade Bundler to version 2\n" + ], + [ + 20, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 21, + " && gem update --system \\\n" + ], + [ + 22, + " && gem install bundler\n" + ], + [ + 23, + "\n" + ], + [ + 24, + "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n" + ], + [ + 25, + " # Remove unneeded files (cached *.gem, *.o, *.c)\n" + ], + [ + 26, + " && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n" + ], + [ + 27, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n" + ], + [ + 28, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n" + ], + [ + 29, + "\n" + ], + [ + 30, + "# Install node dependencies\n" + ], + [ + 31, + "RUN yarn 
install --frozen-lockfile\n" + ], + [ + 32, + "\n" + ], + [ + 33, + "# Copy the app in to /station and compile assets\n" + ], + [ + 34, + "COPY lib/nexmo_developer/ $RAILS_ROOT/\n" + ], + [ + 35, + "\n" + ], + [ + 36, + "RUN bundle exec rake assets:precompile\n" + ], + [ + 37, + "\n" + ], + [ + 38, + "## Remove folders not needed in resulting image\n" + ], + [ + 39, + "RUN rm -rf node_modules tmp/cache vendor/assets spec\n" + ], + [ + 40, + "\n" + ], + [ + 41, + "################ Build step done ###############\n" + ], + [ + 42, + "FROM ruby:3.0.0-alpine\n" + ], + [ + 43, + "ARG RAILS_ROOT=/station\n" + ], + [ + 44, + "\n" + ], + [ + 45, + "ENV RACK_ENV production\n" + ], + [ + 46, + "ENV RAILS_ENV production\n" + ], + [ + 47, + "ENV RAILS_SERVE_STATIC_FILES true\n" + ], + [ + 48, + "ENV RAILS_LOG_TO_STDOUT true\n" + ], + [ + 49, + "ENV DISABLE_SSL 1\n" + ], + [ + 50, + "ENV DOCS_BASE_PATH /docs\n" + ], + [ + 51, + "ENV OAS_PATH /docs/_open_api/api_specs/definitions\n" + ], + [ + 52, + "\n" + ], + [ + 53, + "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n" + ], + [ + 54, + "WORKDIR $RAILS_ROOT\n" + ], + [ + 55, + "\n" + ], + [ + 56, + "# Install packges needed at runtime\n" + ], + [ + 57, + "RUN apk update \\\n" + ], + [ + 58, + " && apk upgrade \\\n" + ], + [ + 59, + " && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n" + ], + [ + 60, + "\n" + ], + [ + 61, + "# Upgrade Bundler to version 2\n" + ], + [ + 62, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 63, + " && gem update --system \\\n" + ], + [ + 64, + " && gem install bundler\n" + ], + [ + 65, + "\n" + ], + [ + 66, + "# Copy app with prebuilt assets\n" + ], + [ + 67, + "COPY --from=build-env $RAILS_ROOT $RAILS_ROOT\n" + ], + [ + 68, + "\n" + ], + [ + 69, + "# Run the app\n" + ], + [ + 70, + "EXPOSE 3000\n" + ], + [ + 71, + "CMD [\"./bin/rails\", \"server\", \"-b\", \"0.0.0.0\"]\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": 
"/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 1, + 71 + ], + "resource": "/Dockerfile.", + "evaluations": null, + "check_class": "checkov.dockerfile.checks.AliasIsUnique", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-from-alias-is-unique-for-multistage-builds", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV_DOCKER_7", + "bc_check_id": "BC_DKR_7", + "check_name": "Ensure the base image uses a non latest version tag", + "check_result": { + "result": "PASSED", + "results_configuration": [ + { + "instruction": "FROM", + "startline": 41, + "endline": 41, + "content": "FROM ruby:3.0.0-alpine\n", + "value": "ruby:3.0.0-alpine" + } + ] + }, + "code_block": [ + [ + 42, + "FROM ruby:3.0.0-alpine\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 42, + 42 + ], + "resource": "/Dockerfile.FROM", + "evaluations": null, + "check_class": "checkov.dockerfile.checks.ReferenceLatestTag", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag", + "details": 
[], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV_DOCKER_1", + "bc_check_id": "BC_DKR_1", + "check_name": "Ensure port 22 is not exposed", + "check_result": { + "result": "PASSED", + "results_configuration": null + }, + "code_block": [ + [ + 1, + "FROM ruby:3.0.0-alpine AS build-env\n" + ], + [ + 2, + "ARG RAILS_ROOT=/station\n" + ], + [ + 3, + "ARG BUILD_PACKAGES=\"build-base curl-dev git bash\"\n" + ], + [ + 4, + "ARG DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"\n" + ], + [ + 5, + "ARG RUBY_PACKAGES=\"tzdata\"\n" + ], + [ + 6, + "ENV RAILS_ENV=production\n" + ], + [ + 7, + "ENV NODE_ENV=production\n" + ], + [ + 8, + "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n" + ], + [ + 9, + "\n" + ], + [ + 10, + "WORKDIR $RAILS_ROOT\n" + ], + [ + 11, + "\n" + ], + [ + 12, + "# Install build packages\n" + ], + [ + 13, + "RUN apk update \\\n" + ], + [ + 14, + " && apk upgrade \\\n" + ], + [ + 15, + " && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n" + ], + [ + 16, + "\n" + ], + [ + 17, + "COPY lib/nexmo_developer/Gemfile* package.json yarn.lock $RAILS_ROOT/\n" + ], + [ + 18, + "\n" + ], + [ + 19, + "# Upgrade Bundler to version 2\n" + ], + [ + 20, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 21, + " && gem update --system \\\n" + ], + [ + 22, + " && gem install bundler\n" + ], + [ + 23, + "\n" + ], + [ + 24, + "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n" + ], + [ + 25, + " # Remove unneeded files (cached *.gem, *.o, *.c)\n" + ], + [ + 26, + " && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n" + ], + [ + 27, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n" + ], + [ + 28, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n" + ], + [ + 29, + "\n" + ], + [ + 30, + "# Install node dependencies\n" + ], + [ + 31, + "RUN yarn install --frozen-lockfile\n" + ], + [ + 32, + "\n" + ], 
+ [ + 33, + "# Copy the app in to /station and compile assets\n" + ], + [ + 34, + "COPY lib/nexmo_developer/ $RAILS_ROOT/\n" + ], + [ + 35, + "\n" + ], + [ + 36, + "RUN bundle exec rake assets:precompile\n" + ], + [ + 37, + "\n" + ], + [ + 38, + "## Remove folders not needed in resulting image\n" + ], + [ + 39, + "RUN rm -rf node_modules tmp/cache vendor/assets spec\n" + ], + [ + 40, + "\n" + ], + [ + 41, + "################ Build step done ###############\n" + ], + [ + 42, + "FROM ruby:3.0.0-alpine\n" + ], + [ + 43, + "ARG RAILS_ROOT=/station\n" + ], + [ + 44, + "\n" + ], + [ + 45, + "ENV RACK_ENV production\n" + ], + [ + 46, + "ENV RAILS_ENV production\n" + ], + [ + 47, + "ENV RAILS_SERVE_STATIC_FILES true\n" + ], + [ + 48, + "ENV RAILS_LOG_TO_STDOUT true\n" + ], + [ + 49, + "ENV DISABLE_SSL 1\n" + ], + [ + 50, + "ENV DOCS_BASE_PATH /docs\n" + ], + [ + 51, + "ENV OAS_PATH /docs/_open_api/api_specs/definitions\n" + ], + [ + 52, + "\n" + ], + [ + 53, + "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n" + ], + [ + 54, + "WORKDIR $RAILS_ROOT\n" + ], + [ + 55, + "\n" + ], + [ + 56, + "# Install packges needed at runtime\n" + ], + [ + 57, + "RUN apk update \\\n" + ], + [ + 58, + " && apk upgrade \\\n" + ], + [ + 59, + " && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n" + ], + [ + 60, + "\n" + ], + [ + 61, + "# Upgrade Bundler to version 2\n" + ], + [ + 62, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 63, + " && gem update --system \\\n" + ], + [ + 64, + " && gem install bundler\n" + ], + [ + 65, + "\n" + ], + [ + 66, + "# Copy app with prebuilt assets\n" + ], + [ + 67, + "COPY --from=build-env $RAILS_ROOT $RAILS_ROOT\n" + ], + [ + 68, + "\n" + ], + [ + 69, + "# Run the app\n" + ], + [ + 70, + "EXPOSE 3000\n" + ], + [ + 71, + "CMD [\"./bin/rails\", \"server\", \"-b\", \"0.0.0.0\"]\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + 
"file_line_range": [ + 1, + 71 + ], + "resource": "/Dockerfile.", + "evaluations": null, + "check_class": "checkov.dockerfile.checks.ExposePort22", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-port-22-is-not-exposed", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV_DOCKER_9", + "bc_check_id": "BC_DKR_NETWORKING_1", + "check_name": "Ensure that APT isn't used", + "check_result": { + "result": "PASSED", + "results_configuration": null + }, + "code_block": [ + [ + 1, + "FROM ruby:3.0.0-alpine AS build-env\n" + ], + [ + 2, + "ARG RAILS_ROOT=/station\n" + ], + [ + 3, + "ARG BUILD_PACKAGES=\"build-base curl-dev git bash\"\n" + ], + [ + 4, + "ARG DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"\n" + ], + [ + 5, + "ARG RUBY_PACKAGES=\"tzdata\"\n" + ], + [ + 6, + "ENV RAILS_ENV=production\n" + ], + [ + 7, + "ENV NODE_ENV=production\n" + ], + [ + 8, + "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n" + ], + [ + 9, + "\n" + ], + [ + 10, + "WORKDIR $RAILS_ROOT\n" + ], + [ + 11, + "\n" + ], + [ + 12, + "# Install build packages\n" + ], + [ + 13, + "RUN apk update \\\n" + ], + [ + 14, + " && apk upgrade \\\n" + ], + [ + 15, + " && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n" + ], + [ + 16, + "\n" + ], + [ + 17, + "COPY lib/nexmo_developer/Gemfile* package.json yarn.lock $RAILS_ROOT/\n" + ], + [ + 18, + "\n" + ], + [ + 19, + "# Upgrade Bundler to version 2\n" + ], + [ + 20, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 21, + " && gem update --system \\\n" + ], + [ 
+ 22, + " && gem install bundler\n" + ], + [ + 23, + "\n" + ], + [ + 24, + "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n" + ], + [ + 25, + " # Remove unneeded files (cached *.gem, *.o, *.c)\n" + ], + [ + 26, + " && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n" + ], + [ + 27, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n" + ], + [ + 28, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n" + ], + [ + 29, + "\n" + ], + [ + 30, + "# Install node dependencies\n" + ], + [ + 31, + "RUN yarn install --frozen-lockfile\n" + ], + [ + 32, + "\n" + ], + [ + 33, + "# Copy the app in to /station and compile assets\n" + ], + [ + 34, + "COPY lib/nexmo_developer/ $RAILS_ROOT/\n" + ], + [ + 35, + "\n" + ], + [ + 36, + "RUN bundle exec rake assets:precompile\n" + ], + [ + 37, + "\n" + ], + [ + 38, + "## Remove folders not needed in resulting image\n" + ], + [ + 39, + "RUN rm -rf node_modules tmp/cache vendor/assets spec\n" + ], + [ + 40, + "\n" + ], + [ + 41, + "################ Build step done ###############\n" + ], + [ + 42, + "FROM ruby:3.0.0-alpine\n" + ], + [ + 43, + "ARG RAILS_ROOT=/station\n" + ], + [ + 44, + "\n" + ], + [ + 45, + "ENV RACK_ENV production\n" + ], + [ + 46, + "ENV RAILS_ENV production\n" + ], + [ + 47, + "ENV RAILS_SERVE_STATIC_FILES true\n" + ], + [ + 48, + "ENV RAILS_LOG_TO_STDOUT true\n" + ], + [ + 49, + "ENV DISABLE_SSL 1\n" + ], + [ + 50, + "ENV DOCS_BASE_PATH /docs\n" + ], + [ + 51, + "ENV OAS_PATH /docs/_open_api/api_specs/definitions\n" + ], + [ + 52, + "\n" + ], + [ + 53, + "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n" + ], + [ + 54, + "WORKDIR $RAILS_ROOT\n" + ], + [ + 55, + "\n" + ], + [ + 56, + "# Install packges needed at runtime\n" + ], + [ + 57, + "RUN apk update \\\n" + ], + [ + 58, + " && apk upgrade \\\n" + ], + [ + 59, + " && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n" + ], + [ + 60, + "\n" + ], + [ + 61, + 
"# Upgrade Bundler to version 2\n" + ], + [ + 62, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 63, + " && gem update --system \\\n" + ], + [ + 64, + " && gem install bundler\n" + ], + [ + 65, + "\n" + ], + [ + 66, + "# Copy app with prebuilt assets\n" + ], + [ + 67, + "COPY --from=build-env $RAILS_ROOT $RAILS_ROOT\n" + ], + [ + 68, + "\n" + ], + [ + 69, + "# Run the app\n" + ], + [ + 70, + "EXPOSE 3000\n" + ], + [ + 71, + "CMD [\"./bin/rails\", \"server\", \"-b\", \"0.0.0.0\"]\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 1, + 71 + ], + "resource": "/Dockerfile.", + "evaluations": null, + "check_class": "checkov.dockerfile.checks.RunUsingAPT", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apt-is-not-used", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV_DOCKER_5", + "bc_check_id": "BC_DKR_4", + "check_name": "Ensure update instructions are not use alone in the Dockerfile", + "check_result": { + "result": "PASSED", + "results_configuration": null + }, + "code_block": [ + [ + 1, + "FROM ruby:3.0.0-alpine AS build-env\n" + ], + [ + 2, + "ARG RAILS_ROOT=/station\n" + ], + [ + 3, + "ARG BUILD_PACKAGES=\"build-base curl-dev git bash\"\n" + ], + [ + 4, + "ARG DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"\n" + ], + [ + 5, + "ARG RUBY_PACKAGES=\"tzdata\"\n" + ], + [ + 6, + "ENV RAILS_ENV=production\n" + ], + [ + 7, + "ENV NODE_ENV=production\n" + ], + [ + 8, + "ENV 
BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n" + ], + [ + 9, + "\n" + ], + [ + 10, + "WORKDIR $RAILS_ROOT\n" + ], + [ + 11, + "\n" + ], + [ + 12, + "# Install build packages\n" + ], + [ + 13, + "RUN apk update \\\n" + ], + [ + 14, + " && apk upgrade \\\n" + ], + [ + 15, + " && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n" + ], + [ + 16, + "\n" + ], + [ + 17, + "COPY lib/nexmo_developer/Gemfile* package.json yarn.lock $RAILS_ROOT/\n" + ], + [ + 18, + "\n" + ], + [ + 19, + "# Upgrade Bundler to version 2\n" + ], + [ + 20, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 21, + " && gem update --system \\\n" + ], + [ + 22, + " && gem install bundler\n" + ], + [ + 23, + "\n" + ], + [ + 24, + "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n" + ], + [ + 25, + " # Remove unneeded files (cached *.gem, *.o, *.c)\n" + ], + [ + 26, + " && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n" + ], + [ + 27, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n" + ], + [ + 28, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n" + ], + [ + 29, + "\n" + ], + [ + 30, + "# Install node dependencies\n" + ], + [ + 31, + "RUN yarn install --frozen-lockfile\n" + ], + [ + 32, + "\n" + ], + [ + 33, + "# Copy the app in to /station and compile assets\n" + ], + [ + 34, + "COPY lib/nexmo_developer/ $RAILS_ROOT/\n" + ], + [ + 35, + "\n" + ], + [ + 36, + "RUN bundle exec rake assets:precompile\n" + ], + [ + 37, + "\n" + ], + [ + 38, + "## Remove folders not needed in resulting image\n" + ], + [ + 39, + "RUN rm -rf node_modules tmp/cache vendor/assets spec\n" + ], + [ + 40, + "\n" + ], + [ + 41, + "################ Build step done ###############\n" + ], + [ + 42, + "FROM ruby:3.0.0-alpine\n" + ], + [ + 43, + "ARG RAILS_ROOT=/station\n" + ], + [ + 44, + "\n" + ], + [ + 45, + "ENV RACK_ENV production\n" + ], + [ + 46, + "ENV RAILS_ENV production\n" + ], + [ + 47, + "ENV 
RAILS_SERVE_STATIC_FILES true\n" + ], + [ + 48, + "ENV RAILS_LOG_TO_STDOUT true\n" + ], + [ + 49, + "ENV DISABLE_SSL 1\n" + ], + [ + 50, + "ENV DOCS_BASE_PATH /docs\n" + ], + [ + 51, + "ENV OAS_PATH /docs/_open_api/api_specs/definitions\n" + ], + [ + 52, + "\n" + ], + [ + 53, + "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n" + ], + [ + 54, + "WORKDIR $RAILS_ROOT\n" + ], + [ + 55, + "\n" + ], + [ + 56, + "# Install packges needed at runtime\n" + ], + [ + 57, + "RUN apk update \\\n" + ], + [ + 58, + " && apk upgrade \\\n" + ], + [ + 59, + " && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n" + ], + [ + 60, + "\n" + ], + [ + 61, + "# Upgrade Bundler to version 2\n" + ], + [ + 62, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 63, + " && gem update --system \\\n" + ], + [ + 64, + " && gem install bundler\n" + ], + [ + 65, + "\n" + ], + [ + 66, + "# Copy app with prebuilt assets\n" + ], + [ + 67, + "COPY --from=build-env $RAILS_ROOT $RAILS_ROOT\n" + ], + [ + 68, + "\n" + ], + [ + 69, + "# Run the app\n" + ], + [ + 70, + "EXPOSE 3000\n" + ], + [ + 71, + "CMD [\"./bin/rails\", \"server\", \"-b\", \"0.0.0.0\"]\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 1, + 71 + ], + "resource": "/Dockerfile.", + "evaluations": null, + "check_class": "checkov.dockerfile.checks.UpdateNotAlone", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-update-instructions-are-not-used-alone-in-the-dockerfile", + "details": [], + "check_len": null, + 
"definition_context_file_path": null + }, + { + "check_id": "CKV_DOCKER_10", + "bc_check_id": "BC_DKR_GENERAL_10", + "check_name": "Ensure that WORKDIR values are absolute paths", + "check_result": { + "result": "PASSED", + "results_configuration": null + }, + "code_block": [ + [ + 1, + "FROM ruby:3.0.0-alpine AS build-env\n" + ], + [ + 2, + "ARG RAILS_ROOT=/station\n" + ], + [ + 3, + "ARG BUILD_PACKAGES=\"build-base curl-dev git bash\"\n" + ], + [ + 4, + "ARG DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"\n" + ], + [ + 5, + "ARG RUBY_PACKAGES=\"tzdata\"\n" + ], + [ + 6, + "ENV RAILS_ENV=production\n" + ], + [ + 7, + "ENV NODE_ENV=production\n" + ], + [ + 8, + "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n" + ], + [ + 9, + "\n" + ], + [ + 10, + "WORKDIR $RAILS_ROOT\n" + ], + [ + 11, + "\n" + ], + [ + 12, + "# Install build packages\n" + ], + [ + 13, + "RUN apk update \\\n" + ], + [ + 14, + " && apk upgrade \\\n" + ], + [ + 15, + " && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n" + ], + [ + 16, + "\n" + ], + [ + 17, + "COPY lib/nexmo_developer/Gemfile* package.json yarn.lock $RAILS_ROOT/\n" + ], + [ + 18, + "\n" + ], + [ + 19, + "# Upgrade Bundler to version 2\n" + ], + [ + 20, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 21, + " && gem update --system \\\n" + ], + [ + 22, + " && gem install bundler\n" + ], + [ + 23, + "\n" + ], + [ + 24, + "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n" + ], + [ + 25, + " # Remove unneeded files (cached *.gem, *.o, *.c)\n" + ], + [ + 26, + " && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n" + ], + [ + 27, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n" + ], + [ + 28, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n" + ], + [ + 29, + "\n" + ], + [ + 30, + "# Install node dependencies\n" + ], + [ + 31, + "RUN yarn install --frozen-lockfile\n" + ], + [ + 32, + "\n" + ], + 
[ + 33, + "# Copy the app in to /station and compile assets\n" + ], + [ + 34, + "COPY lib/nexmo_developer/ $RAILS_ROOT/\n" + ], + [ + 35, + "\n" + ], + [ + 36, + "RUN bundle exec rake assets:precompile\n" + ], + [ + 37, + "\n" + ], + [ + 38, + "## Remove folders not needed in resulting image\n" + ], + [ + 39, + "RUN rm -rf node_modules tmp/cache vendor/assets spec\n" + ], + [ + 40, + "\n" + ], + [ + 41, + "################ Build step done ###############\n" + ], + [ + 42, + "FROM ruby:3.0.0-alpine\n" + ], + [ + 43, + "ARG RAILS_ROOT=/station\n" + ], + [ + 44, + "\n" + ], + [ + 45, + "ENV RACK_ENV production\n" + ], + [ + 46, + "ENV RAILS_ENV production\n" + ], + [ + 47, + "ENV RAILS_SERVE_STATIC_FILES true\n" + ], + [ + 48, + "ENV RAILS_LOG_TO_STDOUT true\n" + ], + [ + 49, + "ENV DISABLE_SSL 1\n" + ], + [ + 50, + "ENV DOCS_BASE_PATH /docs\n" + ], + [ + 51, + "ENV OAS_PATH /docs/_open_api/api_specs/definitions\n" + ], + [ + 52, + "\n" + ], + [ + 53, + "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n" + ], + [ + 54, + "WORKDIR $RAILS_ROOT\n" + ], + [ + 55, + "\n" + ], + [ + 56, + "# Install packges needed at runtime\n" + ], + [ + 57, + "RUN apk update \\\n" + ], + [ + 58, + " && apk upgrade \\\n" + ], + [ + 59, + " && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n" + ], + [ + 60, + "\n" + ], + [ + 61, + "# Upgrade Bundler to version 2\n" + ], + [ + 62, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 63, + " && gem update --system \\\n" + ], + [ + 64, + " && gem install bundler\n" + ], + [ + 65, + "\n" + ], + [ + 66, + "# Copy app with prebuilt assets\n" + ], + [ + 67, + "COPY --from=build-env $RAILS_ROOT $RAILS_ROOT\n" + ], + [ + 68, + "\n" + ], + [ + 69, + "# Run the app\n" + ], + [ + 70, + "EXPOSE 3000\n" + ], + [ + 71, + "CMD [\"./bin/rails\", \"server\", \"-b\", \"0.0.0.0\"]\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + 
"file_line_range": [ + 1, + 71 + ], + "resource": "/Dockerfile.", + "evaluations": null, + "check_class": "checkov.dockerfile.checks.WorkdirIsAbsolute", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-workdir-values-are-absolute-paths", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_14", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG RAILS_ROOT=/station\n", + "value": "RAILS_ROOT=/station", + "__startline__": 1, + "__endline__": 1 + }, + "label_": "resource: ARG", + "id_": "ARG", + "source_": "Dockerfile", + "content": "ARG RAILS_ROOT=/station\n", + "value": "RAILS_ROOT=/station", + "__startline__": 1, + "__endline__": 1, + "resource_type": "ARG", + "hash": "9a8bce05b48f25071056ccc6a9956360d30c42f97e87324da61589e4aa4d864a" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 2, + "ARG RAILS_ROOT=/station\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 2, + 2 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + 
"resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-git-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_14", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG BUILD_PACKAGES=\"build-base curl-dev git bash\"\n", + "value": "BUILD_PACKAGES=\"build-base curl-dev git bash\"", + "__startline__": 2, + "__endline__": 2 + }, + "label_": "resource: ARG", + "id_": "ARG", + "source_": "Dockerfile", + "content": "ARG BUILD_PACKAGES=\"build-base curl-dev git bash\"\n", + "value": "BUILD_PACKAGES=\"build-base curl-dev git bash\"", + "__startline__": 2, + "__endline__": 2, + "resource_type": "ARG", + "hash": "4ab2138a146b2c82060e52756cd453b376cb475c77fc5d83cdb201d537423447" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 3, + "ARG BUILD_PACKAGES=\"build-base curl-dev git bash\"\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 3, + 3 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + 
"vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-git-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_14", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"\n", + "value": "DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"", + "__startline__": 3, + "__endline__": 3 + }, + "label_": "resource: ARG", + "id_": "ARG", + "source_": "Dockerfile", + "content": "ARG DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"\n", + "value": "DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"", + "__startline__": 3, + "__endline__": 3, + "resource_type": "ARG", + "hash": "0edd4b8868f846f42245db52cf35ce5c3a6c06de40041bc75c0bb58a28d0361a" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 4, + "ARG DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 4, + 4 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + 
"vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-git-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_14", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG RUBY_PACKAGES=\"tzdata\"\n", + "value": "RUBY_PACKAGES=\"tzdata\"", + "__startline__": 4, + "__endline__": 4 + }, + "label_": "resource: ARG", + "id_": "ARG", + "source_": "Dockerfile", + "content": "ARG RUBY_PACKAGES=\"tzdata\"\n", + "value": "RUBY_PACKAGES=\"tzdata\"", + "__startline__": 4, + "__endline__": 4, + "resource_type": "ARG", + "hash": "7e96ae6a00e4c6c54d6b911bea3197a7ead8b5c6df3dcfff6e271c43f322f245" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 5, + "ARG RUBY_PACKAGES=\"tzdata\"\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 5, + 5 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-git-ssl", + "details": [], + "check_len": null, + 
"definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_14", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG RAILS_ROOT=/station\n", + "value": "RAILS_ROOT=/station", + "__startline__": 42, + "__endline__": 42 + }, + "label_": "resource: ARG", + "id_": "ARG", + "source_": "Dockerfile", + "content": "ARG RAILS_ROOT=/station\n", + "value": "RAILS_ROOT=/station", + "__startline__": 42, + "__endline__": 42, + "resource_type": "ARG", + "hash": "d787efe43cfac4ba2849851575c40457142426552ec9e584440b59a42ec9ebda" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 43, + "ARG RAILS_ROOT=/station\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 43, + 43 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-git-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_14", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value", + "check_result": { + "result": 
"PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV RAILS_ENV=production\n", + "value": "RAILS_ENV=production", + "__startline__": 5, + "__endline__": 5 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV RAILS_ENV=production\n", + "value": "RAILS_ENV=production", + "__startline__": 5, + "__endline__": 5, + "resource_type": "ENV", + "hash": "bd752afa8731912b24bac39ef5e654d0ebf1de6e19e644049b5480957c83433d" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 6, + "ENV RAILS_ENV=production\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 6, + 6 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-git-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_14", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV NODE_ENV=production\n", + "value": "NODE_ENV=production", + "__startline__": 6, + "__endline__": 6 + }, + "label_": "resource: ENV", + "id_": "ENV", 
+ "source_": "Dockerfile", + "content": "ENV NODE_ENV=production\n", + "value": "NODE_ENV=production", + "__startline__": 6, + "__endline__": 6, + "resource_type": "ENV", + "hash": "dbfca1e06b6008cfe53bd2841b39b0ca1906186c0026bc72e7de35ffdd3f7cda" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 7, + "ENV NODE_ENV=production\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 7, + 7 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-git-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_14", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n", + "value": "BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"", + "__startline__": 7, + "__endline__": 7 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n", + "value": "BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"", + "__startline__": 7, + "__endline__": 7, + "resource_type": "ENV", + "hash": 
"ff76e42903cf375790801965a9c123f2b5b74b5122f86fc8bdd3dff415a71f0f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 8, + "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 8, + 8 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-git-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_14", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV RACK_ENV production\n", + "value": "RACK_ENV production", + "__startline__": 44, + "__endline__": 44 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV RACK_ENV production\n", + "value": "RACK_ENV production", + "__startline__": 44, + "__endline__": 44, + "resource_type": "ENV", + "hash": "a46ae3552b5b73b33ac855f9a6bafe9c7e4a854f71b285213cf66598f1a7eae3" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 45, + "ENV RACK_ENV production\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + 
"repo_file_path": "/Dockerfile", + "file_line_range": [ + 45, + 45 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-git-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_14", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV RAILS_ENV production\n", + "value": "RAILS_ENV production", + "__startline__": 45, + "__endline__": 45 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV RAILS_ENV production\n", + "value": "RAILS_ENV production", + "__startline__": 45, + "__endline__": 45, + "resource_type": "ENV", + "hash": "494af4e8355c9a44c6a766d331c0fff6f1398b7cb378897a00d3bb503451a6b3" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 46, + "ENV RAILS_ENV production\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 46, + 46 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + 
"caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-git-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_14", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV RAILS_SERVE_STATIC_FILES true\n", + "value": "RAILS_SERVE_STATIC_FILES true", + "__startline__": 46, + "__endline__": 46 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV RAILS_SERVE_STATIC_FILES true\n", + "value": "RAILS_SERVE_STATIC_FILES true", + "__startline__": 46, + "__endline__": 46, + "resource_type": "ENV", + "hash": "eeed7f827024ea4ee4fd45eaaf674ee8e71d8e4a2855a191a85d7408d376c97f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 47, + "ENV RAILS_SERVE_STATIC_FILES true\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 47, + 47 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + 
"guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-git-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_14", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV RAILS_LOG_TO_STDOUT true\n", + "value": "RAILS_LOG_TO_STDOUT true", + "__startline__": 47, + "__endline__": 47 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV RAILS_LOG_TO_STDOUT true\n", + "value": "RAILS_LOG_TO_STDOUT true", + "__startline__": 47, + "__endline__": 47, + "resource_type": "ENV", + "hash": "fa5bc28a133c7cb5bf6d4a52ad8e96fb213926793c69468861c0620bbaf01f15" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 48, + "ENV RAILS_LOG_TO_STDOUT true\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 48, + 48 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-git-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_14", + 
"bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV DISABLE_SSL 1\n", + "value": "DISABLE_SSL 1", + "__startline__": 48, + "__endline__": 48 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV DISABLE_SSL 1\n", + "value": "DISABLE_SSL 1", + "__startline__": 48, + "__endline__": 48, + "resource_type": "ENV", + "hash": "6ba48ecb0bbff764de5d73f4a5d087db42a7cdff6d20e553b72dba69af95269c" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 49, + "ENV DISABLE_SSL 1\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 49, + 49 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-git-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_14", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + 
"config_": { + "content": "ENV DOCS_BASE_PATH /docs\n", + "value": "DOCS_BASE_PATH /docs", + "__startline__": 49, + "__endline__": 49 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV DOCS_BASE_PATH /docs\n", + "value": "DOCS_BASE_PATH /docs", + "__startline__": 49, + "__endline__": 49, + "resource_type": "ENV", + "hash": "404fa1812e34402f66880edbdb2caf32bd3bfab0cff590bbe2edd4a5e2fe14d7" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 50, + "ENV DOCS_BASE_PATH /docs\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 50, + 50 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-git-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_14", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV OAS_PATH /docs/_open_api/api_specs/definitions\n", + "value": "OAS_PATH /docs/_open_api/api_specs/definitions", + "__startline__": 50, + "__endline__": 50 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV 
OAS_PATH /docs/_open_api/api_specs/definitions\n", + "value": "OAS_PATH /docs/_open_api/api_specs/definitions", + "__startline__": 50, + "__endline__": 50, + "resource_type": "ENV", + "hash": "d701cb4847294aa52abac54d31dccfc6f85d596d6483c9c811a0634d558d9696" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 51, + "ENV OAS_PATH /docs/_open_api/api_specs/definitions\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 51, + 51 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-git-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_14", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n", + "value": "BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"", + "__startline__": 52, + "__endline__": 52 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n", + "value": "BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"", + "__startline__": 52, + "__endline__": 52, + 
"resource_type": "ENV", + "hash": "0e165363bd5f092b264eaa846334559d5acf95c549917029bcb08312d131e4e4" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 53, + "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 53, + 53 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-git-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_14", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache 
$BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14, + "resource_type": "RUN", + "hash": "880c76b1f477866c9850c100e5417e1a1857c91b199a4f77dbb4303b468300b5" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 13, + "RUN apk update \\\n" + ], + [ + 14, + " && apk upgrade \\\n" + ], + [ + 15, + " && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 13, + 15 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-git-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_14", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && 
gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21, + "resource_type": "RUN", + "hash": "9237c8f5d216f0ff64b16cfb865cfa531456c016f6db01feaec953e8ac03ac17" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 20, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 21, + " && gem update --system \\\n" + ], + [ + 22, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 20, + 22 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-git-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_14", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": 
"bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27, + "resource_type": "RUN", + "hash": "5a4609a43d32ddabe804835d0d348df151cbb478f834262d4d13ac7040dbc2ae" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 24, + "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n" + ], + [ + 25, + " # Remove unneeded files (cached *.gem, *.o, *.c)\n" + ], + [ + 26, + " && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n" + ], + [ + 27, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n" + ], + [ + 28, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 24, + 28 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + 
"severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-git-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_14", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30, + "resource_type": "RUN", + "hash": "8f17ae1b1dc2c2452797648c349103e57727d303d88a40043be13895f817452f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 31, + "RUN yarn install --frozen-lockfile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 31, + 31 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-git-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_14", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35, + "resource_type": "RUN", + "hash": "51b7a91c7800a4c1c748ed7084c49280d63d87c496772f241ca81c831c73fec1" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 36, + "RUN bundle exec rake assets:precompile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 36, + 36 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-git-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + 
{ + "check_id": "CKV2_DOCKER_14", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38, + "resource_type": "RUN", + "hash": "c62011ed0135c91dea50853c1ceb2cb2bbbd147d09508dff311f993f36cbea0b" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 39, + "RUN rm -rf node_modules tmp/cache vendor/assets spec\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 39, + 39 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-git-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_14", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for git by setting 
the environment variable 'GIT_SSL_NO_VERIFY' to any value", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58, + "resource_type": "RUN", + "hash": "851d51e8e715fbf3f5bfb4e0a58953ec795b48fd776402b440ded80573716c67" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 57, + "RUN apk update \\\n" + ], + [ + 58, + " && apk upgrade \\\n" + ], + [ + 59, + " && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 57, + 59 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-git-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_14", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63, + "resource_type": "RUN", + "hash": "27805e3e735841989d06cc56023d3cb2693119e701bd8155bc80c1c75dabc729" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 62, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 63, + " && gem update --system \\\n" + ], + [ + 64, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 62, + 64 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + 
"vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-git-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_6", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG RAILS_ROOT=/station\n", + "value": "RAILS_ROOT=/station", + "__startline__": 1, + "__endline__": 1 + }, + "label_": "resource: ARG", + "id_": "ARG", + "source_": "Dockerfile", + "content": "ARG RAILS_ROOT=/station\n", + "value": "RAILS_ROOT=/station", + "__startline__": 1, + "__endline__": 1, + "resource_type": "ARG", + "hash": "9a8bce05b48f25071056ccc6a9956360d30c42f97e87324da61589e4aa4d864a" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 2, + "ARG RAILS_ROOT=/station\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 2, + 2 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-node-tls-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": 
"CKV2_DOCKER_6", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG BUILD_PACKAGES=\"build-base curl-dev git bash\"\n", + "value": "BUILD_PACKAGES=\"build-base curl-dev git bash\"", + "__startline__": 2, + "__endline__": 2 + }, + "label_": "resource: ARG", + "id_": "ARG", + "source_": "Dockerfile", + "content": "ARG BUILD_PACKAGES=\"build-base curl-dev git bash\"\n", + "value": "BUILD_PACKAGES=\"build-base curl-dev git bash\"", + "__startline__": 2, + "__endline__": 2, + "resource_type": "ARG", + "hash": "4ab2138a146b2c82060e52756cd453b376cb475c77fc5d83cdb201d537423447" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 3, + "ARG BUILD_PACKAGES=\"build-base curl-dev git bash\"\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 3, + 3 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-node-tls-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_6", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet 
variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"\n", + "value": "DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"", + "__startline__": 3, + "__endline__": 3 + }, + "label_": "resource: ARG", + "id_": "ARG", + "source_": "Dockerfile", + "content": "ARG DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"\n", + "value": "DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"", + "__startline__": 3, + "__endline__": 3, + "resource_type": "ARG", + "hash": "0edd4b8868f846f42245db52cf35ce5c3a6c06de40041bc75c0bb58a28d0361a" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 4, + "ARG DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 4, + 4 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-node-tls-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_6", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable", 
+ "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG RUBY_PACKAGES=\"tzdata\"\n", + "value": "RUBY_PACKAGES=\"tzdata\"", + "__startline__": 4, + "__endline__": 4 + }, + "label_": "resource: ARG", + "id_": "ARG", + "source_": "Dockerfile", + "content": "ARG RUBY_PACKAGES=\"tzdata\"\n", + "value": "RUBY_PACKAGES=\"tzdata\"", + "__startline__": 4, + "__endline__": 4, + "resource_type": "ARG", + "hash": "7e96ae6a00e4c6c54d6b911bea3197a7ead8b5c6df3dcfff6e271c43f322f245" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 5, + "ARG RUBY_PACKAGES=\"tzdata\"\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 5, + 5 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-node-tls-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_6", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG RAILS_ROOT=/station\n", + "value": "RAILS_ROOT=/station", + "__startline__": 42, + "__endline__": 42 + }, + 
"label_": "resource: ARG", + "id_": "ARG", + "source_": "Dockerfile", + "content": "ARG RAILS_ROOT=/station\n", + "value": "RAILS_ROOT=/station", + "__startline__": 42, + "__endline__": 42, + "resource_type": "ARG", + "hash": "d787efe43cfac4ba2849851575c40457142426552ec9e584440b59a42ec9ebda" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 43, + "ARG RAILS_ROOT=/station\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 43, + 43 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-node-tls-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_6", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV RAILS_ENV=production\n", + "value": "RAILS_ENV=production", + "__startline__": 5, + "__endline__": 5 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV RAILS_ENV=production\n", + "value": "RAILS_ENV=production", + "__startline__": 5, + "__endline__": 5, + "resource_type": "ENV", + "hash": "bd752afa8731912b24bac39ef5e654d0ebf1de6e19e644049b5480957c83433d" + }, 
+ "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 6, + "ENV RAILS_ENV=production\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 6, + 6 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-node-tls-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_6", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV NODE_ENV=production\n", + "value": "NODE_ENV=production", + "__startline__": 6, + "__endline__": 6 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV NODE_ENV=production\n", + "value": "NODE_ENV=production", + "__startline__": 6, + "__endline__": 6, + "resource_type": "ENV", + "hash": "dbfca1e06b6008cfe53bd2841b39b0ca1906186c0026bc72e7de35ffdd3f7cda" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 7, + "ENV NODE_ENV=production\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 7, + 7 + ], + "resource": "/Dockerfile.ENV", + 
"evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-node-tls-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_6", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n", + "value": "BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"", + "__startline__": 7, + "__endline__": 7 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n", + "value": "BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"", + "__startline__": 7, + "__endline__": 7, + "resource_type": "ENV", + "hash": "ff76e42903cf375790801965a9c123f2b5b74b5122f86fc8bdd3dff415a71f0f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 8, + "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 8, + 8 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": 
null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-node-tls-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_6", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV RACK_ENV production\n", + "value": "RACK_ENV production", + "__startline__": 44, + "__endline__": 44 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV RACK_ENV production\n", + "value": "RACK_ENV production", + "__startline__": 44, + "__endline__": 44, + "resource_type": "ENV", + "hash": "a46ae3552b5b73b33ac855f9a6bafe9c7e4a854f71b285213cf66598f1a7eae3" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 45, + "ENV RACK_ENV production\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 45, + 45 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-node-tls-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_6", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV RAILS_ENV production\n", + "value": "RAILS_ENV production", + "__startline__": 45, + "__endline__": 45 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV RAILS_ENV production\n", + "value": "RAILS_ENV production", + "__startline__": 45, + "__endline__": 45, + "resource_type": "ENV", + "hash": "494af4e8355c9a44c6a766d331c0fff6f1398b7cb378897a00d3bb503451a6b3" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 46, + "ENV RAILS_ENV production\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 46, + 46 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-node-tls-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_6", + "bc_check_id": null, + "check_name": 
"Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV RAILS_SERVE_STATIC_FILES true\n", + "value": "RAILS_SERVE_STATIC_FILES true", + "__startline__": 46, + "__endline__": 46 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV RAILS_SERVE_STATIC_FILES true\n", + "value": "RAILS_SERVE_STATIC_FILES true", + "__startline__": 46, + "__endline__": 46, + "resource_type": "ENV", + "hash": "eeed7f827024ea4ee4fd45eaaf674ee8e71d8e4a2855a191a85d7408d376c97f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 47, + "ENV RAILS_SERVE_STATIC_FILES true\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 47, + 47 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-node-tls-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_6", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": 
"/Dockerfile", + "config_": { + "content": "ENV RAILS_LOG_TO_STDOUT true\n", + "value": "RAILS_LOG_TO_STDOUT true", + "__startline__": 47, + "__endline__": 47 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV RAILS_LOG_TO_STDOUT true\n", + "value": "RAILS_LOG_TO_STDOUT true", + "__startline__": 47, + "__endline__": 47, + "resource_type": "ENV", + "hash": "fa5bc28a133c7cb5bf6d4a52ad8e96fb213926793c69468861c0620bbaf01f15" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 48, + "ENV RAILS_LOG_TO_STDOUT true\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 48, + 48 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-node-tls-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_6", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV DISABLE_SSL 1\n", + "value": "DISABLE_SSL 1", + "__startline__": 48, + "__endline__": 48 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV DISABLE_SSL 1\n", + "value": "DISABLE_SSL 
1", + "__startline__": 48, + "__endline__": 48, + "resource_type": "ENV", + "hash": "6ba48ecb0bbff764de5d73f4a5d087db42a7cdff6d20e553b72dba69af95269c" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 49, + "ENV DISABLE_SSL 1\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 49, + 49 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-node-tls-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_6", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV DOCS_BASE_PATH /docs\n", + "value": "DOCS_BASE_PATH /docs", + "__startline__": 49, + "__endline__": 49 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV DOCS_BASE_PATH /docs\n", + "value": "DOCS_BASE_PATH /docs", + "__startline__": 49, + "__endline__": 49, + "resource_type": "ENV", + "hash": "404fa1812e34402f66880edbdb2caf32bd3bfab0cff590bbe2edd4a5e2fe14d7" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 50, + "ENV DOCS_BASE_PATH /docs\n" + ] + ], + "file_path": "/Dockerfile", + 
"file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 50, + 50 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-node-tls-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_6", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV OAS_PATH /docs/_open_api/api_specs/definitions\n", + "value": "OAS_PATH /docs/_open_api/api_specs/definitions", + "__startline__": 50, + "__endline__": 50 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV OAS_PATH /docs/_open_api/api_specs/definitions\n", + "value": "OAS_PATH /docs/_open_api/api_specs/definitions", + "__startline__": 50, + "__endline__": 50, + "resource_type": "ENV", + "hash": "d701cb4847294aa52abac54d31dccfc6f85d596d6483c9c811a0634d558d9696" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 51, + "ENV OAS_PATH /docs/_open_api/api_specs/definitions\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 51, + 51 + ], + "resource": "/Dockerfile.ENV", + 
"evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-node-tls-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_6", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n", + "value": "BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"", + "__startline__": 52, + "__endline__": 52 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n", + "value": "BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"", + "__startline__": 52, + "__endline__": 52, + "resource_type": "ENV", + "hash": "0e165363bd5f092b264eaa846334559d5acf95c549917029bcb08312d131e4e4" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 53, + "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 53, + 53 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + 
"caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-node-tls-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_6", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14, + "resource_type": "RUN", + "hash": "880c76b1f477866c9850c100e5417e1a1857c91b199a4f77dbb4303b468300b5" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 13, + "RUN apk update \\\n" + ], + [ + 14, + " && apk upgrade \\\n" + ], + [ + 15, + " && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 13, + 15 + ], + "resource": 
"/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-node-tls-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_6", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21, + "resource_type": "RUN", + "hash": "9237c8f5d216f0ff64b16cfb865cfa531456c016f6db01feaec953e8ac03ac17" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 20, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 21, + " && gem update --system \\\n" + ], + [ + 22, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": 
"/Dockerfile", + "file_line_range": [ + 20, + 22 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-node-tls-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_6", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find 
vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27, + "resource_type": "RUN", + "hash": "5a4609a43d32ddabe804835d0d348df151cbb478f834262d4d13ac7040dbc2ae" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 24, + "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n" + ], + [ + 25, + " # Remove unneeded files (cached *.gem, *.o, *.c)\n" + ], + [ + 26, + " && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n" + ], + [ + 27, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n" + ], + [ + 28, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 24, + 28 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-node-tls-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_6", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable", + "check_result": { + 
"result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30, + "resource_type": "RUN", + "hash": "8f17ae1b1dc2c2452797648c349103e57727d303d88a40043be13895f817452f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 31, + "RUN yarn install --frozen-lockfile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 31, + 31 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-node-tls-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_6", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + 
"__startline__": 35, + "__endline__": 35 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35, + "resource_type": "RUN", + "hash": "51b7a91c7800a4c1c748ed7084c49280d63d87c496772f241ca81c831c73fec1" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 36, + "RUN bundle exec rake assets:precompile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 36, + 36 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-node-tls-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_6", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + 
"value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38, + "resource_type": "RUN", + "hash": "c62011ed0135c91dea50853c1ceb2cb2bbbd147d09508dff311f993f36cbea0b" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 39, + "RUN rm -rf node_modules tmp/cache vendor/assets spec\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 39, + 39 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-node-tls-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_6", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata 
postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58, + "resource_type": "RUN", + "hash": "851d51e8e715fbf3f5bfb4e0a58953ec795b48fd776402b440ded80573716c67" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 57, + "RUN apk update \\\n" + ], + [ + 58, + " && apk upgrade \\\n" + ], + [ + 59, + " && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 57, + 59 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-node-tls-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_6", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63 + }, + 
"label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63, + "resource_type": "RUN", + "hash": "27805e3e735841989d06cc56023d3cb2693119e701bd8155bc80c1c75dabc729" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 62, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 63, + " && gem update --system \\\n" + ], + [ + 64, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 62, + 64 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-node-tls-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_12", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG RAILS_ROOT=/station\n", + "value": "RAILS_ROOT=/station", + "__startline__": 1, + "__endline__": 1 + }, + "label_": "resource: ARG", + "id_": "ARG", + "source_": 
"Dockerfile", + "content": "ARG RAILS_ROOT=/station\n", + "value": "RAILS_ROOT=/station", + "__startline__": 1, + "__endline__": 1, + "resource_type": "ARG", + "hash": "9a8bce05b48f25071056ccc6a9956360d30c42f97e87324da61589e4aa4d864a" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 2, + "ARG RAILS_ROOT=/station\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 2, + 2 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_12", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG BUILD_PACKAGES=\"build-base curl-dev git bash\"\n", + "value": "BUILD_PACKAGES=\"build-base curl-dev git bash\"", + "__startline__": 2, + "__endline__": 2 + }, + "label_": "resource: ARG", + "id_": "ARG", + "source_": "Dockerfile", + "content": "ARG BUILD_PACKAGES=\"build-base curl-dev git bash\"\n", + "value": "BUILD_PACKAGES=\"build-base curl-dev git bash\"", + "__startline__": 2, + "__endline__": 2, + "resource_type": "ARG", + "hash": 
"4ab2138a146b2c82060e52756cd453b376cb475c77fc5d83cdb201d537423447" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 3, + "ARG BUILD_PACKAGES=\"build-base curl-dev git bash\"\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 3, + 3 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_12", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"\n", + "value": "DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"", + "__startline__": 3, + "__endline__": 3 + }, + "label_": "resource: ARG", + "id_": "ARG", + "source_": "Dockerfile", + "content": "ARG DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"\n", + "value": "DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"", + "__startline__": 3, + "__endline__": 3, + "resource_type": "ARG", + "hash": 
"0edd4b8868f846f42245db52cf35ce5c3a6c06de40041bc75c0bb58a28d0361a" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 4, + "ARG DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 4, + 4 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_12", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG RUBY_PACKAGES=\"tzdata\"\n", + "value": "RUBY_PACKAGES=\"tzdata\"", + "__startline__": 4, + "__endline__": 4 + }, + "label_": "resource: ARG", + "id_": "ARG", + "source_": "Dockerfile", + "content": "ARG RUBY_PACKAGES=\"tzdata\"\n", + "value": "RUBY_PACKAGES=\"tzdata\"", + "__startline__": 4, + "__endline__": 4, + "resource_type": "ARG", + "hash": "7e96ae6a00e4c6c54d6b911bea3197a7ead8b5c6df3dcfff6e271c43f322f245" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 5, + "ARG RUBY_PACKAGES=\"tzdata\"\n" + ] + ], + "file_path": "/Dockerfile", + 
"file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 5, + 5 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_12", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG RAILS_ROOT=/station\n", + "value": "RAILS_ROOT=/station", + "__startline__": 42, + "__endline__": 42 + }, + "label_": "resource: ARG", + "id_": "ARG", + "source_": "Dockerfile", + "content": "ARG RAILS_ROOT=/station\n", + "value": "RAILS_ROOT=/station", + "__startline__": 42, + "__endline__": 42, + "resource_type": "ARG", + "hash": "d787efe43cfac4ba2849851575c40457142426552ec9e584440b59a42ec9ebda" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 43, + "ARG RAILS_ROOT=/station\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 43, + 43 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + 
"caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_12", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV RAILS_ENV=production\n", + "value": "RAILS_ENV=production", + "__startline__": 5, + "__endline__": 5 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV RAILS_ENV=production\n", + "value": "RAILS_ENV=production", + "__startline__": 5, + "__endline__": 5, + "resource_type": "ENV", + "hash": "bd752afa8731912b24bac39ef5e654d0ebf1de6e19e644049b5480957c83433d" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 6, + "ENV RAILS_ENV=production\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 6, + 6 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_12", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV NODE_ENV=production\n", + "value": "NODE_ENV=production", + "__startline__": 6, + "__endline__": 6 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV NODE_ENV=production\n", + "value": "NODE_ENV=production", + "__startline__": 6, + "__endline__": 6, + "resource_type": "ENV", + "hash": "dbfca1e06b6008cfe53bd2841b39b0ca1906186c0026bc72e7de35ffdd3f7cda" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 7, + "ENV NODE_ENV=production\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 7, + 7 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_12", + "bc_check_id": null, + "check_name": "Ensure 
that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n", + "value": "BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"", + "__startline__": 7, + "__endline__": 7 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n", + "value": "BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"", + "__startline__": 7, + "__endline__": 7, + "resource_type": "ENV", + "hash": "ff76e42903cf375790801965a9c123f2b5b74b5122f86fc8bdd3dff415a71f0f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 8, + "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 8, + 8 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_12", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + 
"block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV RACK_ENV production\n", + "value": "RACK_ENV production", + "__startline__": 44, + "__endline__": 44 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV RACK_ENV production\n", + "value": "RACK_ENV production", + "__startline__": 44, + "__endline__": 44, + "resource_type": "ENV", + "hash": "a46ae3552b5b73b33ac855f9a6bafe9c7e4a854f71b285213cf66598f1a7eae3" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 45, + "ENV RACK_ENV production\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 45, + 45 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_12", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV RAILS_ENV production\n", + "value": "RAILS_ENV production", + "__startline__": 45, + "__endline__": 45 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV 
RAILS_ENV production\n", + "value": "RAILS_ENV production", + "__startline__": 45, + "__endline__": 45, + "resource_type": "ENV", + "hash": "494af4e8355c9a44c6a766d331c0fff6f1398b7cb378897a00d3bb503451a6b3" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 46, + "ENV RAILS_ENV production\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 46, + 46 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_12", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV RAILS_SERVE_STATIC_FILES true\n", + "value": "RAILS_SERVE_STATIC_FILES true", + "__startline__": 46, + "__endline__": 46 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV RAILS_SERVE_STATIC_FILES true\n", + "value": "RAILS_SERVE_STATIC_FILES true", + "__startline__": 46, + "__endline__": 46, + "resource_type": "ENV", + "hash": "eeed7f827024ea4ee4fd45eaaf674ee8e71d8e4a2855a191a85d7408d376c97f" + }, + "evaluated_keys": [ + "value" + ] + }, + 
"code_block": [ + [ + 47, + "ENV RAILS_SERVE_STATIC_FILES true\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 47, + 47 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_12", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV RAILS_LOG_TO_STDOUT true\n", + "value": "RAILS_LOG_TO_STDOUT true", + "__startline__": 47, + "__endline__": 47 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV RAILS_LOG_TO_STDOUT true\n", + "value": "RAILS_LOG_TO_STDOUT true", + "__startline__": 47, + "__endline__": 47, + "resource_type": "ENV", + "hash": "fa5bc28a133c7cb5bf6d4a52ad8e96fb213926793c69468861c0620bbaf01f15" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 48, + "ENV RAILS_LOG_TO_STDOUT true\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 48, + 48 + ], + "resource": "/Dockerfile.ENV", + 
"evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_12", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV DISABLE_SSL 1\n", + "value": "DISABLE_SSL 1", + "__startline__": 48, + "__endline__": 48 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV DISABLE_SSL 1\n", + "value": "DISABLE_SSL 1", + "__startline__": 48, + "__endline__": 48, + "resource_type": "ENV", + "hash": "6ba48ecb0bbff764de5d73f4a5d087db42a7cdff6d20e553b72dba69af95269c" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 49, + "ENV DISABLE_SSL 1\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 49, + 49 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + 
"short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_12", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV DOCS_BASE_PATH /docs\n", + "value": "DOCS_BASE_PATH /docs", + "__startline__": 49, + "__endline__": 49 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV DOCS_BASE_PATH /docs\n", + "value": "DOCS_BASE_PATH /docs", + "__startline__": 49, + "__endline__": 49, + "resource_type": "ENV", + "hash": "404fa1812e34402f66880edbdb2caf32bd3bfab0cff590bbe2edd4a5e2fe14d7" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 50, + "ENV DOCS_BASE_PATH /docs\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 50, + 50 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl", + "details": [], + "check_len": null, + 
"definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_12", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV OAS_PATH /docs/_open_api/api_specs/definitions\n", + "value": "OAS_PATH /docs/_open_api/api_specs/definitions", + "__startline__": 50, + "__endline__": 50 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV OAS_PATH /docs/_open_api/api_specs/definitions\n", + "value": "OAS_PATH /docs/_open_api/api_specs/definitions", + "__startline__": 50, + "__endline__": 50, + "resource_type": "ENV", + "hash": "d701cb4847294aa52abac54d31dccfc6f85d596d6483c9c811a0634d558d9696" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 51, + "ENV OAS_PATH /docs/_open_api/api_specs/definitions\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 51, + 51 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_12", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't 
disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n", + "value": "BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"", + "__startline__": 52, + "__endline__": 52 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n", + "value": "BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"", + "__startline__": 52, + "__endline__": 52, + "resource_type": "ENV", + "hash": "0e165363bd5f092b264eaa846334559d5acf95c549917029bcb08312d131e4e4" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 53, + "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 53, + 53 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_12", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + 
"file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14, + "resource_type": "RUN", + "hash": "880c76b1f477866c9850c100e5417e1a1857c91b199a4f77dbb4303b468300b5" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 13, + "RUN apk update \\\n" + ], + [ + 14, + " && apk upgrade \\\n" + ], + [ + 15, + " && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 13, + 15 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_12", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't 
disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21, + "resource_type": "RUN", + "hash": "9237c8f5d216f0ff64b16cfb865cfa531456c016f6db01feaec953e8ac03ac17" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 20, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 21, + " && gem update --system \\\n" + ], + [ + 22, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 20, + 22 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_12", + "bc_check_id": 
null, + "check_name": "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27, + "resource_type": "RUN", + "hash": "5a4609a43d32ddabe804835d0d348df151cbb478f834262d4d13ac7040dbc2ae" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 24, + "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n" + ], + [ + 25, + " # Remove unneeded files (cached *.gem, *.o, *.c)\n" + ], + [ + 26, + " && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n" + ], + [ + 
27, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n" + ], + [ + 28, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 24, + 28 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_12", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30, + "resource_type": "RUN", + "hash": "8f17ae1b1dc2c2452797648c349103e57727d303d88a40043be13895f817452f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 31, + "RUN yarn install --frozen-lockfile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": 
"/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 31, + 31 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_12", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35, + "resource_type": "RUN", + "hash": "51b7a91c7800a4c1c748ed7084c49280d63d87c496772f241ca81c831c73fec1" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 36, + "RUN bundle exec rake assets:precompile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 36, + 36 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": 
"checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_12", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38, + "resource_type": "RUN", + "hash": "c62011ed0135c91dea50853c1ceb2cb2bbbd147d09508dff311f993f36cbea0b" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 39, + "RUN rm -rf node_modules tmp/cache vendor/assets spec\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 39, + 39 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + 
"caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_12", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58, + "resource_type": "RUN", + "hash": "851d51e8e715fbf3f5bfb4e0a58953ec795b48fd776402b440ded80573716c67" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 57, + "RUN apk update \\\n" + ], + [ + 58, + " && apk upgrade \\\n" + ], + [ + 59, + " && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + 
"file_line_range": [ + 57, + 59 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_12", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63, + "resource_type": "RUN", + "hash": "27805e3e735841989d06cc56023d3cb2693119e701bd8155bc80c1c75dabc729" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 62, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 63, + " && gem update --system \\\n" + ], + [ + 64, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": 
"/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 62, + 64 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_16", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG RAILS_ROOT=/station\n", + "value": "RAILS_ROOT=/station", + "__startline__": 1, + "__endline__": 1 + }, + "label_": "resource: ARG", + "id_": "ARG", + "source_": "Dockerfile", + "content": "ARG RAILS_ROOT=/station\n", + "value": "RAILS_ROOT=/station", + "__startline__": 1, + "__endline__": 1, + "resource_type": "ARG", + "hash": "9a8bce05b48f25071056ccc6a9956360d30c42f97e87324da61589e4aa4d864a" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 2, + "ARG RAILS_ROOT=/station\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 2, + 2 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, 
+ "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-trusted-host", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_16", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG BUILD_PACKAGES=\"build-base curl-dev git bash\"\n", + "value": "BUILD_PACKAGES=\"build-base curl-dev git bash\"", + "__startline__": 2, + "__endline__": 2 + }, + "label_": "resource: ARG", + "id_": "ARG", + "source_": "Dockerfile", + "content": "ARG BUILD_PACKAGES=\"build-base curl-dev git bash\"\n", + "value": "BUILD_PACKAGES=\"build-base curl-dev git bash\"", + "__startline__": 2, + "__endline__": 2, + "resource_type": "ARG", + "hash": "4ab2138a146b2c82060e52756cd453b376cb475c77fc5d83cdb201d537423447" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 3, + "ARG BUILD_PACKAGES=\"build-base curl-dev git bash\"\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 3, + 3 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + 
"short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-trusted-host", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_16", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"\n", + "value": "DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"", + "__startline__": 3, + "__endline__": 3 + }, + "label_": "resource: ARG", + "id_": "ARG", + "source_": "Dockerfile", + "content": "ARG DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"\n", + "value": "DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"", + "__startline__": 3, + "__endline__": 3, + "resource_type": "ARG", + "hash": "0edd4b8868f846f42245db52cf35ce5c3a6c06de40041bc75c0bb58a28d0361a" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 4, + "ARG DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 4, + 4 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + 
"short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-trusted-host", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_16", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG RUBY_PACKAGES=\"tzdata\"\n", + "value": "RUBY_PACKAGES=\"tzdata\"", + "__startline__": 4, + "__endline__": 4 + }, + "label_": "resource: ARG", + "id_": "ARG", + "source_": "Dockerfile", + "content": "ARG RUBY_PACKAGES=\"tzdata\"\n", + "value": "RUBY_PACKAGES=\"tzdata\"", + "__startline__": 4, + "__endline__": 4, + "resource_type": "ARG", + "hash": "7e96ae6a00e4c6c54d6b911bea3197a7ead8b5c6df3dcfff6e271c43f322f245" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 5, + "ARG RUBY_PACKAGES=\"tzdata\"\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 5, + 5 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-trusted-host", + "details": [], + "check_len": null, + 
"definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_16", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG RAILS_ROOT=/station\n", + "value": "RAILS_ROOT=/station", + "__startline__": 42, + "__endline__": 42 + }, + "label_": "resource: ARG", + "id_": "ARG", + "source_": "Dockerfile", + "content": "ARG RAILS_ROOT=/station\n", + "value": "RAILS_ROOT=/station", + "__startline__": 42, + "__endline__": 42, + "resource_type": "ARG", + "hash": "d787efe43cfac4ba2849851575c40457142426552ec9e584440b59a42ec9ebda" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 43, + "ARG RAILS_ROOT=/station\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 43, + 43 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-trusted-host", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_16", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable", + "check_result": { + "result": "PASSED", + "entity": { + 
"block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV RAILS_ENV=production\n", + "value": "RAILS_ENV=production", + "__startline__": 5, + "__endline__": 5 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV RAILS_ENV=production\n", + "value": "RAILS_ENV=production", + "__startline__": 5, + "__endline__": 5, + "resource_type": "ENV", + "hash": "bd752afa8731912b24bac39ef5e654d0ebf1de6e19e644049b5480957c83433d" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 6, + "ENV RAILS_ENV=production\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 6, + 6 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-trusted-host", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_16", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV NODE_ENV=production\n", + "value": "NODE_ENV=production", + "__startline__": 6, + "__endline__": 6 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + 
"content": "ENV NODE_ENV=production\n", + "value": "NODE_ENV=production", + "__startline__": 6, + "__endline__": 6, + "resource_type": "ENV", + "hash": "dbfca1e06b6008cfe53bd2841b39b0ca1906186c0026bc72e7de35ffdd3f7cda" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 7, + "ENV NODE_ENV=production\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 7, + 7 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-trusted-host", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_16", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n", + "value": "BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"", + "__startline__": 7, + "__endline__": 7 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n", + "value": "BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"", + "__startline__": 7, + "__endline__": 7, + "resource_type": "ENV", + "hash": 
"ff76e42903cf375790801965a9c123f2b5b74b5122f86fc8bdd3dff415a71f0f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 8, + "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 8, + 8 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-trusted-host", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_16", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV RACK_ENV production\n", + "value": "RACK_ENV production", + "__startline__": 44, + "__endline__": 44 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV RACK_ENV production\n", + "value": "RACK_ENV production", + "__startline__": 44, + "__endline__": 44, + "resource_type": "ENV", + "hash": "a46ae3552b5b73b33ac855f9a6bafe9c7e4a854f71b285213cf66598f1a7eae3" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 45, + "ENV RACK_ENV production\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + 
"repo_file_path": "/Dockerfile", + "file_line_range": [ + 45, + 45 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-trusted-host", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_16", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV RAILS_ENV production\n", + "value": "RAILS_ENV production", + "__startline__": 45, + "__endline__": 45 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV RAILS_ENV production\n", + "value": "RAILS_ENV production", + "__startline__": 45, + "__endline__": 45, + "resource_type": "ENV", + "hash": "494af4e8355c9a44c6a766d331c0fff6f1398b7cb378897a00d3bb503451a6b3" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 46, + "ENV RAILS_ENV production\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 46, + 46 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + 
"caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-trusted-host", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_16", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV RAILS_SERVE_STATIC_FILES true\n", + "value": "RAILS_SERVE_STATIC_FILES true", + "__startline__": 46, + "__endline__": 46 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV RAILS_SERVE_STATIC_FILES true\n", + "value": "RAILS_SERVE_STATIC_FILES true", + "__startline__": 46, + "__endline__": 46, + "resource_type": "ENV", + "hash": "eeed7f827024ea4ee4fd45eaaf674ee8e71d8e4a2855a191a85d7408d376c97f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 47, + "ENV RAILS_SERVE_STATIC_FILES true\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 47, + 47 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + 
"guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-trusted-host", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_16", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV RAILS_LOG_TO_STDOUT true\n", + "value": "RAILS_LOG_TO_STDOUT true", + "__startline__": 47, + "__endline__": 47 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV RAILS_LOG_TO_STDOUT true\n", + "value": "RAILS_LOG_TO_STDOUT true", + "__startline__": 47, + "__endline__": 47, + "resource_type": "ENV", + "hash": "fa5bc28a133c7cb5bf6d4a52ad8e96fb213926793c69468861c0620bbaf01f15" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 48, + "ENV RAILS_LOG_TO_STDOUT true\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 48, + 48 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-trusted-host", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_16", + 
"bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV DISABLE_SSL 1\n", + "value": "DISABLE_SSL 1", + "__startline__": 48, + "__endline__": 48 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV DISABLE_SSL 1\n", + "value": "DISABLE_SSL 1", + "__startline__": 48, + "__endline__": 48, + "resource_type": "ENV", + "hash": "6ba48ecb0bbff764de5d73f4a5d087db42a7cdff6d20e553b72dba69af95269c" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 49, + "ENV DISABLE_SSL 1\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 49, + 49 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-trusted-host", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_16", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV 
DOCS_BASE_PATH /docs\n", + "value": "DOCS_BASE_PATH /docs", + "__startline__": 49, + "__endline__": 49 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV DOCS_BASE_PATH /docs\n", + "value": "DOCS_BASE_PATH /docs", + "__startline__": 49, + "__endline__": 49, + "resource_type": "ENV", + "hash": "404fa1812e34402f66880edbdb2caf32bd3bfab0cff590bbe2edd4a5e2fe14d7" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 50, + "ENV DOCS_BASE_PATH /docs\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 50, + 50 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-trusted-host", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_16", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV OAS_PATH /docs/_open_api/api_specs/definitions\n", + "value": "OAS_PATH /docs/_open_api/api_specs/definitions", + "__startline__": 50, + "__endline__": 50 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV OAS_PATH 
/docs/_open_api/api_specs/definitions\n", + "value": "OAS_PATH /docs/_open_api/api_specs/definitions", + "__startline__": 50, + "__endline__": 50, + "resource_type": "ENV", + "hash": "d701cb4847294aa52abac54d31dccfc6f85d596d6483c9c811a0634d558d9696" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 51, + "ENV OAS_PATH /docs/_open_api/api_specs/definitions\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 51, + 51 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-trusted-host", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_16", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n", + "value": "BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"", + "__startline__": 52, + "__endline__": 52 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n", + "value": "BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"", + "__startline__": 52, + "__endline__": 52, + "resource_type": "ENV", + "hash": 
"0e165363bd5f092b264eaa846334559d5acf95c549917029bcb08312d131e4e4" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 53, + "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 53, + 53 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-trusted-host", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_16", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + 
"__startline__": 12, + "__endline__": 14, + "resource_type": "RUN", + "hash": "880c76b1f477866c9850c100e5417e1a1857c91b199a4f77dbb4303b468300b5" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 13, + "RUN apk update \\\n" + ], + [ + 14, + " && apk upgrade \\\n" + ], + [ + 15, + " && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 13, + 15 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-trusted-host", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_16", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + 
"value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21, + "resource_type": "RUN", + "hash": "9237c8f5d216f0ff64b16cfb865cfa531456c016f6db01feaec953e8ac03ac17" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 20, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 21, + " && gem update --system \\\n" + ], + [ + 22, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 20, + 22 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-trusted-host", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_16", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 
--path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27, + "resource_type": "RUN", + "hash": "5a4609a43d32ddabe804835d0d348df151cbb478f834262d4d13ac7040dbc2ae" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 24, + "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n" + ], + [ + 25, + " # Remove unneeded files (cached *.gem, *.o, *.c)\n" + ], + [ + 26, + " && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n" + ], + [ + 27, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n" + ], + [ + 28, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 24, + 28 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + 
"description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-trusted-host", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_16", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30, + "resource_type": "RUN", + "hash": "8f17ae1b1dc2c2452797648c349103e57727d303d88a40043be13895f817452f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 31, + "RUN yarn install --frozen-lockfile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 31, + 31 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-trusted-host", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_16", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35, + "resource_type": "RUN", + "hash": "51b7a91c7800a4c1c748ed7084c49280d63d87c496772f241ca81c831c73fec1" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 36, + "RUN bundle exec rake assets:precompile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 36, + 36 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-trusted-host", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { 
+ "check_id": "CKV2_DOCKER_16", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38, + "resource_type": "RUN", + "hash": "c62011ed0135c91dea50853c1ceb2cb2bbbd147d09508dff311f993f36cbea0b" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 39, + "RUN rm -rf node_modules tmp/cache vendor/assets spec\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 39, + 39 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-trusted-host", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_16", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with pip via the 
'PIP_TRUSTED_HOST' environment variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58, + "resource_type": "RUN", + "hash": "851d51e8e715fbf3f5bfb4e0a58953ec795b48fd776402b440ded80573716c67" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 57, + "RUN apk update \\\n" + ], + [ + 58, + " && apk upgrade \\\n" + ], + [ + 59, + " && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 57, + 59 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-trusted-host", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_16", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63, + "resource_type": "RUN", + "hash": "27805e3e735841989d06cc56023d3cb2693119e701bd8155bc80c1c75dabc729" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 62, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 63, + " && gem update --system \\\n" + ], + [ + 64, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 62, + 64 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + 
"vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-trusted-host", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_5", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG RAILS_ROOT=/station\n", + "value": "RAILS_ROOT=/station", + "__startline__": 1, + "__endline__": 1 + }, + "label_": "resource: ARG", + "id_": "ARG", + "source_": "Dockerfile", + "content": "ARG RAILS_ROOT=/station\n", + "value": "RAILS_ROOT=/station", + "__startline__": 1, + "__endline__": 1, + "resource_type": "ARG", + "hash": "9a8bce05b48f25071056ccc6a9956360d30c42f97e87324da61589e4aa4d864a" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 2, + "ARG RAILS_ROOT=/station\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 2, + 2 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-PYTHONHTTPSVERIFY-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + 
"check_id": "CKV2_DOCKER_5", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG BUILD_PACKAGES=\"build-base curl-dev git bash\"\n", + "value": "BUILD_PACKAGES=\"build-base curl-dev git bash\"", + "__startline__": 2, + "__endline__": 2 + }, + "label_": "resource: ARG", + "id_": "ARG", + "source_": "Dockerfile", + "content": "ARG BUILD_PACKAGES=\"build-base curl-dev git bash\"\n", + "value": "BUILD_PACKAGES=\"build-base curl-dev git bash\"", + "__startline__": 2, + "__endline__": 2, + "resource_type": "ARG", + "hash": "4ab2138a146b2c82060e52756cd453b376cb475c77fc5d83cdb201d537423447" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 3, + "ARG BUILD_PACKAGES=\"build-base curl-dev git bash\"\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 3, + 3 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-PYTHONHTTPSVERIFY-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_5", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet 
variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"\n", + "value": "DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"", + "__startline__": 3, + "__endline__": 3 + }, + "label_": "resource: ARG", + "id_": "ARG", + "source_": "Dockerfile", + "content": "ARG DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"\n", + "value": "DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"", + "__startline__": 3, + "__endline__": 3, + "resource_type": "ARG", + "hash": "0edd4b8868f846f42245db52cf35ce5c3a6c06de40041bc75c0bb58a28d0361a" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 4, + "ARG DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 4, + 4 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-PYTHONHTTPSVERIFY-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_5", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable", + 
"check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG RUBY_PACKAGES=\"tzdata\"\n", + "value": "RUBY_PACKAGES=\"tzdata\"", + "__startline__": 4, + "__endline__": 4 + }, + "label_": "resource: ARG", + "id_": "ARG", + "source_": "Dockerfile", + "content": "ARG RUBY_PACKAGES=\"tzdata\"\n", + "value": "RUBY_PACKAGES=\"tzdata\"", + "__startline__": 4, + "__endline__": 4, + "resource_type": "ARG", + "hash": "7e96ae6a00e4c6c54d6b911bea3197a7ead8b5c6df3dcfff6e271c43f322f245" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 5, + "ARG RUBY_PACKAGES=\"tzdata\"\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 5, + 5 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-PYTHONHTTPSVERIFY-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_5", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ARG", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ARG RAILS_ROOT=/station\n", + "value": "RAILS_ROOT=/station", + "__startline__": 42, + "__endline__": 42 + }, + 
"label_": "resource: ARG", + "id_": "ARG", + "source_": "Dockerfile", + "content": "ARG RAILS_ROOT=/station\n", + "value": "RAILS_ROOT=/station", + "__startline__": 42, + "__endline__": 42, + "resource_type": "ARG", + "hash": "d787efe43cfac4ba2849851575c40457142426552ec9e584440b59a42ec9ebda" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 43, + "ARG RAILS_ROOT=/station\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 43, + 43 + ], + "resource": "/Dockerfile.ARG", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-PYTHONHTTPSVERIFY-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_5", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV RAILS_ENV=production\n", + "value": "RAILS_ENV=production", + "__startline__": 5, + "__endline__": 5 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV RAILS_ENV=production\n", + "value": "RAILS_ENV=production", + "__startline__": 5, + "__endline__": 5, + "resource_type": "ENV", + "hash": "bd752afa8731912b24bac39ef5e654d0ebf1de6e19e644049b5480957c83433d" + }, + 
"evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 6, + "ENV RAILS_ENV=production\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 6, + 6 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-PYTHONHTTPSVERIFY-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_5", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV NODE_ENV=production\n", + "value": "NODE_ENV=production", + "__startline__": 6, + "__endline__": 6 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV NODE_ENV=production\n", + "value": "NODE_ENV=production", + "__startline__": 6, + "__endline__": 6, + "resource_type": "ENV", + "hash": "dbfca1e06b6008cfe53bd2841b39b0ca1906186c0026bc72e7de35ffdd3f7cda" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 7, + "ENV NODE_ENV=production\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 7, + 7 + ], + "resource": "/Dockerfile.ENV", + 
"evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-PYTHONHTTPSVERIFY-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_5", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n", + "value": "BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"", + "__startline__": 7, + "__endline__": 7 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n", + "value": "BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"", + "__startline__": 7, + "__endline__": 7, + "resource_type": "ENV", + "hash": "ff76e42903cf375790801965a9c123f2b5b74b5122f86fc8bdd3dff415a71f0f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 8, + "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 8, + 8 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": 
null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-PYTHONHTTPSVERIFY-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_5", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV RACK_ENV production\n", + "value": "RACK_ENV production", + "__startline__": 44, + "__endline__": 44 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV RACK_ENV production\n", + "value": "RACK_ENV production", + "__startline__": 44, + "__endline__": 44, + "resource_type": "ENV", + "hash": "a46ae3552b5b73b33ac855f9a6bafe9c7e4a854f71b285213cf66598f1a7eae3" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 45, + "ENV RACK_ENV production\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 45, + 45 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-PYTHONHTTPSVERIFY-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_5", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV RAILS_ENV production\n", + "value": "RAILS_ENV production", + "__startline__": 45, + "__endline__": 45 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV RAILS_ENV production\n", + "value": "RAILS_ENV production", + "__startline__": 45, + "__endline__": 45, + "resource_type": "ENV", + "hash": "494af4e8355c9a44c6a766d331c0fff6f1398b7cb378897a00d3bb503451a6b3" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 46, + "ENV RAILS_ENV production\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 46, + 46 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-PYTHONHTTPSVERIFY-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_5", + "bc_check_id": null, + 
"check_name": "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV RAILS_SERVE_STATIC_FILES true\n", + "value": "RAILS_SERVE_STATIC_FILES true", + "__startline__": 46, + "__endline__": 46 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV RAILS_SERVE_STATIC_FILES true\n", + "value": "RAILS_SERVE_STATIC_FILES true", + "__startline__": 46, + "__endline__": 46, + "resource_type": "ENV", + "hash": "eeed7f827024ea4ee4fd45eaaf674ee8e71d8e4a2855a191a85d7408d376c97f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 47, + "ENV RAILS_SERVE_STATIC_FILES true\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 47, + 47 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-PYTHONHTTPSVERIFY-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_5", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": 
"/Dockerfile", + "config_": { + "content": "ENV RAILS_LOG_TO_STDOUT true\n", + "value": "RAILS_LOG_TO_STDOUT true", + "__startline__": 47, + "__endline__": 47 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV RAILS_LOG_TO_STDOUT true\n", + "value": "RAILS_LOG_TO_STDOUT true", + "__startline__": 47, + "__endline__": 47, + "resource_type": "ENV", + "hash": "fa5bc28a133c7cb5bf6d4a52ad8e96fb213926793c69468861c0620bbaf01f15" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 48, + "ENV RAILS_LOG_TO_STDOUT true\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 48, + 48 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-PYTHONHTTPSVERIFY-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_5", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV DISABLE_SSL 1\n", + "value": "DISABLE_SSL 1", + "__startline__": 48, + "__endline__": 48 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV DISABLE_SSL 1\n", + "value": "DISABLE_SSL 
1", + "__startline__": 48, + "__endline__": 48, + "resource_type": "ENV", + "hash": "6ba48ecb0bbff764de5d73f4a5d087db42a7cdff6d20e553b72dba69af95269c" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 49, + "ENV DISABLE_SSL 1\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 49, + 49 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-PYTHONHTTPSVERIFY-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_5", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV DOCS_BASE_PATH /docs\n", + "value": "DOCS_BASE_PATH /docs", + "__startline__": 49, + "__endline__": 49 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV DOCS_BASE_PATH /docs\n", + "value": "DOCS_BASE_PATH /docs", + "__startline__": 49, + "__endline__": 49, + "resource_type": "ENV", + "hash": "404fa1812e34402f66880edbdb2caf32bd3bfab0cff590bbe2edd4a5e2fe14d7" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 50, + "ENV DOCS_BASE_PATH /docs\n" + ] + ], + "file_path": "/Dockerfile", + 
"file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 50, + 50 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-PYTHONHTTPSVERIFY-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_5", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV OAS_PATH /docs/_open_api/api_specs/definitions\n", + "value": "OAS_PATH /docs/_open_api/api_specs/definitions", + "__startline__": 50, + "__endline__": 50 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV OAS_PATH /docs/_open_api/api_specs/definitions\n", + "value": "OAS_PATH /docs/_open_api/api_specs/definitions", + "__startline__": 50, + "__endline__": 50, + "resource_type": "ENV", + "hash": "d701cb4847294aa52abac54d31dccfc6f85d596d6483c9c811a0634d558d9696" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 51, + "ENV OAS_PATH /docs/_open_api/api_specs/definitions\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 51, + 51 + ], + "resource": "/Dockerfile.ENV", + 
"evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-PYTHONHTTPSVERIFY-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_5", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "ENV", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n", + "value": "BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"", + "__startline__": 52, + "__endline__": 52 + }, + "label_": "resource: ENV", + "id_": "ENV", + "source_": "Dockerfile", + "content": "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n", + "value": "BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"", + "__startline__": 52, + "__endline__": 52, + "resource_type": "ENV", + "hash": "0e165363bd5f092b264eaa846334559d5acf95c549917029bcb08312d131e4e4" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 53, + "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 53, + 53 + ], + "resource": "/Dockerfile.ENV", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + 
"caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-PYTHONHTTPSVERIFY-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_5", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14, + "resource_type": "RUN", + "hash": "880c76b1f477866c9850c100e5417e1a1857c91b199a4f77dbb4303b468300b5" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 13, + "RUN apk update \\\n" + ], + [ + 14, + " && apk upgrade \\\n" + ], + [ + 15, + " && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 13, + 15 + ], + "resource": 
"/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-PYTHONHTTPSVERIFY-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_5", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21, + "resource_type": "RUN", + "hash": "9237c8f5d216f0ff64b16cfb865cfa531456c016f6db01feaec953e8ac03ac17" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 20, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 21, + " && gem update --system \\\n" + ], + [ + 22, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": 
"/Dockerfile", + "file_line_range": [ + 20, + 22 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-PYTHONHTTPSVERIFY-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_5", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find 
vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27, + "resource_type": "RUN", + "hash": "5a4609a43d32ddabe804835d0d348df151cbb478f834262d4d13ac7040dbc2ae" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 24, + "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n" + ], + [ + 25, + " # Remove unneeded files (cached *.gem, *.o, *.c)\n" + ], + [ + 26, + " && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n" + ], + [ + 27, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n" + ], + [ + 28, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 24, + 28 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-PYTHONHTTPSVERIFY-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_5", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable", + "check_result": { + 
"result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30, + "resource_type": "RUN", + "hash": "8f17ae1b1dc2c2452797648c349103e57727d303d88a40043be13895f817452f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 31, + "RUN yarn install --frozen-lockfile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 31, + 31 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-PYTHONHTTPSVERIFY-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_5", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + 
"__startline__": 35, + "__endline__": 35 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35, + "resource_type": "RUN", + "hash": "51b7a91c7800a4c1c748ed7084c49280d63d87c496772f241ca81c831c73fec1" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 36, + "RUN bundle exec rake assets:precompile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 36, + 36 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-PYTHONHTTPSVERIFY-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_5", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + 
"value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38, + "resource_type": "RUN", + "hash": "c62011ed0135c91dea50853c1ceb2cb2bbbd147d09508dff311f993f36cbea0b" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 39, + "RUN rm -rf node_modules tmp/cache vendor/assets spec\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 39, + 39 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-PYTHONHTTPSVERIFY-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_5", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata 
postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58, + "resource_type": "RUN", + "hash": "851d51e8e715fbf3f5bfb4e0a58953ec795b48fd776402b440ded80573716c67" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 57, + "RUN apk update \\\n" + ], + [ + 58, + " && apk upgrade \\\n" + ], + [ + 59, + " && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 57, + 59 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-PYTHONHTTPSVERIFY-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_5", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63 + }, + 
"label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63, + "resource_type": "RUN", + "hash": "27805e3e735841989d06cc56023d3cb2693119e701bd8155bc80c1c75dabc729" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 62, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 63, + " && gem update --system \\\n" + ], + [ + 64, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 62, + 64 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-PYTHONHTTPSVERIFY-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_17", + "bc_check_id": null, + "check_name": "Ensure that 'chpasswd' is not used to set or remove passwords", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES 
$DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14, + "resource_type": "RUN", + "hash": "880c76b1f477866c9850c100e5417e1a1857c91b199a4f77dbb4303b468300b5" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 13, + "RUN apk update \\\n" + ], + [ + 14, + " && apk upgrade \\\n" + ], + [ + 15, + " && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 13, + 15 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/bc-docker-2-17", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_17", + "bc_check_id": null, + "check_name": "Ensure that 'chpasswd' is not used to set or remove passwords", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install 
bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21, + "resource_type": "RUN", + "hash": "9237c8f5d216f0ff64b16cfb865cfa531456c016f6db01feaec953e8ac03ac17" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 20, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 21, + " && gem update --system \\\n" + ], + [ + 22, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 20, + 22 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/bc-docker-2-17", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_17", + "bc_check_id": null, + "check_name": "Ensure that 'chpasswd' is not used to set or remove passwords", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 
--path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27, + "resource_type": "RUN", + "hash": "5a4609a43d32ddabe804835d0d348df151cbb478f834262d4d13ac7040dbc2ae" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 24, + "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n" + ], + [ + 25, + " # Remove unneeded files (cached *.gem, *.o, *.c)\n" + ], + [ + 26, + " && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n" + ], + [ + 27, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n" + ], + [ + 28, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 24, + 28 + ], + "resource": "/Dockerfile.RUN", + "evaluations": 
null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/bc-docker-2-17", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_17", + "bc_check_id": null, + "check_name": "Ensure that 'chpasswd' is not used to set or remove passwords", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30, + "resource_type": "RUN", + "hash": "8f17ae1b1dc2c2452797648c349103e57727d303d88a40043be13895f817452f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 31, + "RUN yarn install --frozen-lockfile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 31, + 31 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + 
"short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/bc-docker-2-17", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_17", + "bc_check_id": null, + "check_name": "Ensure that 'chpasswd' is not used to set or remove passwords", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35, + "resource_type": "RUN", + "hash": "51b7a91c7800a4c1c748ed7084c49280d63d87c496772f241ca81c831c73fec1" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 36, + "RUN bundle exec rake assets:precompile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 36, + 36 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/bc-docker-2-17", + "details": [], + "check_len": null, + 
"definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_17", + "bc_check_id": null, + "check_name": "Ensure that 'chpasswd' is not used to set or remove passwords", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38, + "resource_type": "RUN", + "hash": "c62011ed0135c91dea50853c1ceb2cb2bbbd147d09508dff311f993f36cbea0b" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 39, + "RUN rm -rf node_modules tmp/cache vendor/assets spec\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 39, + 39 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/bc-docker-2-17", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_17", + "bc_check_id": null, + "check_name": "Ensure that 'chpasswd' is not used to set or remove passwords", + "check_result": { + "result": 
"PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58, + "resource_type": "RUN", + "hash": "851d51e8e715fbf3f5bfb4e0a58953ec795b48fd776402b440ded80573716c67" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 57, + "RUN apk update \\\n" + ], + [ + 58, + " && apk upgrade \\\n" + ], + [ + 59, + " && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 57, + 59 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/bc-docker-2-17", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + 
"check_id": "CKV2_DOCKER_17", + "bc_check_id": null, + "check_name": "Ensure that 'chpasswd' is not used to set or remove passwords", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63, + "resource_type": "RUN", + "hash": "27805e3e735841989d06cc56023d3cb2693119e701bd8155bc80c1c75dabc729" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 62, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 63, + " && gem update --system \\\n" + ], + [ + 64, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 62, + 64 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/bc-docker-2-17", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + 
"check_id": "CKV2_DOCKER_11", + "bc_check_id": null, + "check_name": "Ensure that the '--force-yes' option is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14, + "resource_type": "RUN", + "hash": "880c76b1f477866c9850c100e5417e1a1857c91b199a4f77dbb4303b468300b5" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 13, + "RUN apk update \\\n" + ], + [ + 14, + " && apk upgrade \\\n" + ], + [ + 15, + " && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 13, + 15 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + 
"connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apt-force", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_11", + "bc_check_id": null, + "check_name": "Ensure that the '--force-yes' option is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21, + "resource_type": "RUN", + "hash": "9237c8f5d216f0ff64b16cfb865cfa531456c016f6db01feaec953e8ac03ac17" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 20, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 21, + " && gem update --system \\\n" + ], + [ + 22, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 20, + 22 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, 
+ "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apt-force", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_11", + "bc_check_id": null, + "check_name": "Ensure that the '--force-yes' option is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find 
vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27, + "resource_type": "RUN", + "hash": "5a4609a43d32ddabe804835d0d348df151cbb478f834262d4d13ac7040dbc2ae" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 24, + "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n" + ], + [ + 25, + " # Remove unneeded files (cached *.gem, *.o, *.c)\n" + ], + [ + 26, + " && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n" + ], + [ + 27, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n" + ], + [ + 28, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 24, + 28 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apt-force", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_11", + "bc_check_id": null, + "check_name": "Ensure that the '--force-yes' option is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN yarn install --frozen-lockfile\n", + "value": 
"yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30, + "resource_type": "RUN", + "hash": "8f17ae1b1dc2c2452797648c349103e57727d303d88a40043be13895f817452f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 31, + "RUN yarn install --frozen-lockfile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 31, + 31 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apt-force", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_11", + "bc_check_id": null, + "check_name": "Ensure that the '--force-yes' option is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + 
"content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35, + "resource_type": "RUN", + "hash": "51b7a91c7800a4c1c748ed7084c49280d63d87c496772f241ca81c831c73fec1" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 36, + "RUN bundle exec rake assets:precompile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 36, + 36 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apt-force", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_11", + "bc_check_id": null, + "check_name": "Ensure that the '--force-yes' option is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets 
spec", + "__startline__": 38, + "__endline__": 38, + "resource_type": "RUN", + "hash": "c62011ed0135c91dea50853c1ceb2cb2bbbd147d09508dff311f993f36cbea0b" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 39, + "RUN rm -rf node_modules tmp/cache vendor/assets spec\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 39, + 39 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apt-force", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_11", + "bc_check_id": null, + "check_name": "Ensure that the '--force-yes' option is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update 
--no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58, + "resource_type": "RUN", + "hash": "851d51e8e715fbf3f5bfb4e0a58953ec795b48fd776402b440ded80573716c67" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 57, + "RUN apk update \\\n" + ], + [ + 58, + " && apk upgrade \\\n" + ], + [ + 59, + " && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 57, + 59 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apt-force", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_11", + "bc_check_id": null, + "check_name": "Ensure that the '--force-yes' option is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem 
update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63, + "resource_type": "RUN", + "hash": "27805e3e735841989d06cc56023d3cb2693119e701bd8155bc80c1c75dabc729" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 62, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 63, + " && gem update --system \\\n" + ], + [ + 64, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 62, + 64 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apt-force", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_7", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing signatures are not used by apk via the '--allow-untrusted' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES 
$DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14, + "resource_type": "RUN", + "hash": "880c76b1f477866c9850c100e5417e1a1857c91b199a4f77dbb4303b468300b5" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 13, + "RUN apk update \\\n" + ], + [ + 14, + " && apk upgrade \\\n" + ], + [ + 15, + " && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 13, + 15 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apk-trusted", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_7", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing signatures are not used by apk via the '--allow-untrusted' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": 
"RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21, + "resource_type": "RUN", + "hash": "9237c8f5d216f0ff64b16cfb865cfa531456c016f6db01feaec953e8ac03ac17" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 20, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 21, + " && gem update --system \\\n" + ], + [ + 22, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 20, + 22 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apk-trusted", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_7", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing signatures are not used by apk via the '--allow-untrusted' option", + 
"check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27, + "resource_type": "RUN", + "hash": "5a4609a43d32ddabe804835d0d348df151cbb478f834262d4d13ac7040dbc2ae" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 24, + "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n" + ], + [ + 25, + " # Remove unneeded files (cached *.gem, *.o, *.c)\n" + ], + [ + 26, + " && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n" + ], + [ + 27, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n" + ], + [ + 28, + " && find vendor/bundle/ruby/3.0.0/gems/ -name 
\"*.o\" -delete\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 24, + 28 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apk-trusted", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_7", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing signatures are not used by apk via the '--allow-untrusted' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30, + "resource_type": "RUN", + "hash": "8f17ae1b1dc2c2452797648c349103e57727d303d88a40043be13895f817452f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 31, + "RUN yarn install --frozen-lockfile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 31, + 31 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + 
"check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apk-trusted", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_7", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing signatures are not used by apk via the '--allow-untrusted' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35, + "resource_type": "RUN", + "hash": "51b7a91c7800a4c1c748ed7084c49280d63d87c496772f241ca81c831c73fec1" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 36, + "RUN bundle exec rake assets:precompile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 36, + 36 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, 
+ "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apk-trusted", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_7", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing signatures are not used by apk via the '--allow-untrusted' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38, + "resource_type": "RUN", + "hash": "c62011ed0135c91dea50853c1ceb2cb2bbbd147d09508dff311f993f36cbea0b" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 39, + "RUN rm -rf node_modules tmp/cache vendor/assets spec\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 39, + 39 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": 
null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apk-trusted", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_7", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing signatures are not used by apk via the '--allow-untrusted' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58, + "resource_type": "RUN", + "hash": "851d51e8e715fbf3f5bfb4e0a58953ec795b48fd776402b440ded80573716c67" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 57, + "RUN apk update \\\n" + ], + [ + 58, + " && apk upgrade \\\n" + ], + [ + 59, + " && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 57, + 59 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + 
"caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apk-trusted", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_7", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing signatures are not used by apk via the '--allow-untrusted' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63, + "resource_type": "RUN", + "hash": "27805e3e735841989d06cc56023d3cb2693119e701bd8155bc80c1c75dabc729" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 62, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 63, + " && gem update --system \\\n" + ], + [ + 64, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 62, + 64 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + 
"fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apk-trusted", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_1", + "bc_check_id": null, + "check_name": "Ensure that sudo isn't used", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14, + "resource_type": "RUN", + "hash": "880c76b1f477866c9850c100e5417e1a1857c91b199a4f77dbb4303b468300b5" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 13, + "RUN apk update \\\n" + ], + [ + 14, + " && apk upgrade \\\n" + ], + [ + 15, + " && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 13, + 15 + ], + "resource": 
"/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-dont-use-sudo", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_1", + "bc_check_id": null, + "check_name": "Ensure that sudo isn't used", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21, + "resource_type": "RUN", + "hash": "9237c8f5d216f0ff64b16cfb865cfa531456c016f6db01feaec953e8ac03ac17" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 20, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 21, + " && gem update --system \\\n" + ], + [ + 22, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 20, + 22 + ], + "resource": "/Dockerfile.RUN", + 
"evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-dont-use-sudo", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_1", + "bc_check_id": null, + "check_name": "Ensure that sudo isn't used", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf 
vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27, + "resource_type": "RUN", + "hash": "5a4609a43d32ddabe804835d0d348df151cbb478f834262d4d13ac7040dbc2ae" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 24, + "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n" + ], + [ + 25, + " # Remove unneeded files (cached *.gem, *.o, *.c)\n" + ], + [ + 26, + " && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n" + ], + [ + 27, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n" + ], + [ + 28, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 24, + 28 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-dont-use-sudo", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_1", + "bc_check_id": null, + "check_name": "Ensure that sudo isn't used", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + 
"__startline__": 30, + "__endline__": 30 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30, + "resource_type": "RUN", + "hash": "8f17ae1b1dc2c2452797648c349103e57727d303d88a40043be13895f817452f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 31, + "RUN yarn install --frozen-lockfile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 31, + 31 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-dont-use-sudo", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_1", + "bc_check_id": null, + "check_name": "Ensure that sudo isn't used", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35, + "resource_type": "RUN", + "hash": 
"51b7a91c7800a4c1c748ed7084c49280d63d87c496772f241ca81c831c73fec1" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 36, + "RUN bundle exec rake assets:precompile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 36, + 36 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-dont-use-sudo", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_1", + "bc_check_id": null, + "check_name": "Ensure that sudo isn't used", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38, + "resource_type": "RUN", + "hash": "c62011ed0135c91dea50853c1ceb2cb2bbbd147d09508dff311f993f36cbea0b" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 39, + "RUN rm -rf node_modules tmp/cache vendor/assets spec\n" + ] + ], + "file_path": "/Dockerfile", + 
"file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 39, + 39 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-dont-use-sudo", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_1", + "bc_check_id": null, + "check_name": "Ensure that sudo isn't used", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58, + "resource_type": "RUN", + "hash": "851d51e8e715fbf3f5bfb4e0a58953ec795b48fd776402b440ded80573716c67" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 57, + "RUN apk update \\\n" + ], + [ + 58, + " && apk upgrade \\\n" + ], 
+ [ + 59, + " && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 57, + 59 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-dont-use-sudo", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_1", + "bc_check_id": null, + "check_name": "Ensure that sudo isn't used", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63, + "resource_type": "RUN", + "hash": "27805e3e735841989d06cc56023d3cb2693119e701bd8155bc80c1c75dabc729" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 62, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 
63, + " && gem update --system \\\n" + ], + [ + 64, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 62, + 64 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-dont-use-sudo", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_8", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing signatures are not used by apt-get via the '--allow-unauthenticated' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14, + "resource_type": "RUN", + "hash": 
"880c76b1f477866c9850c100e5417e1a1857c91b199a4f77dbb4303b468300b5" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 13, + "RUN apk update \\\n" + ], + [ + 14, + " && apk upgrade \\\n" + ], + [ + 15, + " && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 13, + 15 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apt-authenticated", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_8", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing signatures are not used by apt-get via the '--allow-unauthenticated' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && 
gem install bundler", + "__startline__": 19, + "__endline__": 21, + "resource_type": "RUN", + "hash": "9237c8f5d216f0ff64b16cfb865cfa531456c016f6db01feaec953e8ac03ac17" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 20, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 21, + " && gem update --system \\\n" + ], + [ + 22, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 20, + 22 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apt-authenticated", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_8", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing signatures are not used by apt-get via the '--allow-unauthenticated' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf 
vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27, + "resource_type": "RUN", + "hash": "5a4609a43d32ddabe804835d0d348df151cbb478f834262d4d13ac7040dbc2ae" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 24, + "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n" + ], + [ + 25, + " # Remove unneeded files (cached *.gem, *.o, *.c)\n" + ], + [ + 26, + " && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n" + ], + [ + 27, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n" + ], + [ + 28, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 24, + 28 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + 
"short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apt-authenticated", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_8", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing signatures are not used by apt-get via the '--allow-unauthenticated' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30, + "resource_type": "RUN", + "hash": "8f17ae1b1dc2c2452797648c349103e57727d303d88a40043be13895f817452f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 31, + "RUN yarn install --frozen-lockfile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 31, + 31 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apt-authenticated", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_8", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing signatures are not used by apt-get via the '--allow-unauthenticated' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35, + "resource_type": "RUN", + "hash": "51b7a91c7800a4c1c748ed7084c49280d63d87c496772f241ca81c831c73fec1" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 36, + "RUN bundle exec rake assets:precompile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 36, + 36 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apt-authenticated", + "details": [], + "check_len": null, + 
"definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_8", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing signatures are not used by apt-get via the '--allow-unauthenticated' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38, + "resource_type": "RUN", + "hash": "c62011ed0135c91dea50853c1ceb2cb2bbbd147d09508dff311f993f36cbea0b" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 39, + "RUN rm -rf node_modules tmp/cache vendor/assets spec\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 39, + 39 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apt-authenticated", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_8", + "bc_check_id": null, + "check_name": "Ensure that packages 
with untrusted or missing signatures are not used by apt-get via the '--allow-unauthenticated' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58, + "resource_type": "RUN", + "hash": "851d51e8e715fbf3f5bfb4e0a58953ec795b48fd776402b440ded80573716c67" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 57, + "RUN apk update \\\n" + ], + [ + 58, + " && apk upgrade \\\n" + ], + [ + 59, + " && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 57, + 59 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apt-authenticated", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_8", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing signatures are not used by apt-get via the '--allow-unauthenticated' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63, + "resource_type": "RUN", + "hash": "27805e3e735841989d06cc56023d3cb2693119e701bd8155bc80c1c75dabc729" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 62, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 63, + " && gem update --system \\\n" + ], + [ + 64, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 62, + 64 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": 
null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-apt-authenticated", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_13", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm or yarn by setting the option strict-ssl to false", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14, + "resource_type": "RUN", + "hash": "880c76b1f477866c9850c100e5417e1a1857c91b199a4f77dbb4303b468300b5" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 13, + "RUN apk update \\\n" + ], + [ + 14, + " && apk upgrade \\\n" + ], + [ + 15, + " && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 13, + 15 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + 
"caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl2", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_13", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm or yarn by setting the option strict-ssl to false", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21, + "resource_type": "RUN", + "hash": "9237c8f5d216f0ff64b16cfb865cfa531456c016f6db01feaec953e8ac03ac17" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 20, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 21, + " && gem update --system \\\n" + ], + [ + 22, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 20, + 22 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": 
"checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl2", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_13", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm or yarn by setting the option strict-ssl to false", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 
--path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27, + "resource_type": "RUN", + "hash": "5a4609a43d32ddabe804835d0d348df151cbb478f834262d4d13ac7040dbc2ae" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 24, + "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n" + ], + [ + 25, + " # Remove unneeded files (cached *.gem, *.o, *.c)\n" + ], + [ + 26, + " && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n" + ], + [ + 27, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n" + ], + [ + 28, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 24, + 28 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl2", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_13", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm or yarn by setting the option strict-ssl to false", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { 
+ "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30, + "resource_type": "RUN", + "hash": "8f17ae1b1dc2c2452797648c349103e57727d303d88a40043be13895f817452f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 31, + "RUN yarn install --frozen-lockfile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 31, + 31 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl2", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_13", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm or yarn by setting the option strict-ssl to false", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN 
bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35, + "resource_type": "RUN", + "hash": "51b7a91c7800a4c1c748ed7084c49280d63d87c496772f241ca81c831c73fec1" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 36, + "RUN bundle exec rake assets:precompile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 36, + 36 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl2", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_13", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm or yarn by setting the option strict-ssl to false", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38, + "resource_type": "RUN", + "hash": 
"c62011ed0135c91dea50853c1ceb2cb2bbbd147d09508dff311f993f36cbea0b" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 39, + "RUN rm -rf node_modules tmp/cache vendor/assets spec\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 39, + 39 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl2", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_13", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm or yarn by setting the option strict-ssl to false", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata 
postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58, + "resource_type": "RUN", + "hash": "851d51e8e715fbf3f5bfb4e0a58953ec795b48fd776402b440ded80573716c67" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 57, + "RUN apk update \\\n" + ], + [ + 58, + " && apk upgrade \\\n" + ], + [ + 59, + " && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 57, + 59 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl2", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_13", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled for npm or yarn by setting the option strict-ssl to false", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && 
gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63, + "resource_type": "RUN", + "hash": "27805e3e735841989d06cc56023d3cb2693119e701bd8155bc80c1c75dabc729" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 62, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 63, + " && gem update --system \\\n" + ], + [ + 64, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 62, + 64 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-npm-strict-ssl2", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_3", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with wget", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": 
"Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14, + "resource_type": "RUN", + "hash": "880c76b1f477866c9850c100e5417e1a1857c91b199a4f77dbb4303b468300b5" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 13, + "RUN apk update \\\n" + ], + [ + 14, + " && apk upgrade \\\n" + ], + [ + 15, + " && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 13, + 15 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-wget-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_3", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with wget", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + 
"__endline__": 21 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21, + "resource_type": "RUN", + "hash": "9237c8f5d216f0ff64b16cfb865cfa531456c016f6db01feaec953e8ac03ac17" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 20, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 21, + " && gem update --system \\\n" + ], + [ + 22, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 20, + 22 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-wget-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_3", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with wget", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" 
-delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27, + "resource_type": "RUN", + "hash": "5a4609a43d32ddabe804835d0d348df151cbb478f834262d4d13ac7040dbc2ae" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 24, + "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n" + ], + [ + 25, + " # Remove unneeded files (cached *.gem, *.o, *.c)\n" + ], + [ + 26, + " && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n" + ], + [ + 27, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n" + ], + [ + 28, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 24, + 28 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + 
"caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-wget-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_3", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with wget", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30, + "resource_type": "RUN", + "hash": "8f17ae1b1dc2c2452797648c349103e57727d303d88a40043be13895f817452f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 31, + "RUN yarn install --frozen-lockfile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 31, + 31 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-wget-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_3", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with wget", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35, + "resource_type": "RUN", + "hash": "51b7a91c7800a4c1c748ed7084c49280d63d87c496772f241ca81c831c73fec1" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 36, + "RUN bundle exec rake assets:precompile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 36, + 36 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-wget-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_3", + "bc_check_id": null, + 
"check_name": "Ensure that certificate validation isn't disabled with wget", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38, + "resource_type": "RUN", + "hash": "c62011ed0135c91dea50853c1ceb2cb2bbbd147d09508dff311f993f36cbea0b" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 39, + "RUN rm -rf node_modules tmp/cache vendor/assets spec\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 39, + 39 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-wget-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_3", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with wget", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": 
"/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58, + "resource_type": "RUN", + "hash": "851d51e8e715fbf3f5bfb4e0a58953ec795b48fd776402b440ded80573716c67" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 57, + "RUN apk update \\\n" + ], + [ + 58, + " && apk upgrade \\\n" + ], + [ + 59, + " && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 57, + 59 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-wget-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_3", + "bc_check_id": null, + "check_name": "Ensure that 
certificate validation isn't disabled with wget", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63, + "resource_type": "RUN", + "hash": "27805e3e735841989d06cc56023d3cb2693119e701bd8155bc80c1c75dabc729" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 62, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 63, + " && gem update --system \\\n" + ], + [ + 64, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 62, + 64 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-wget-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_15", + "bc_check_id": null, + "check_name": 
"Ensure that the yum and dnf package managers are not configured to disable SSL certificate validation via the 'sslverify' configuration option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14, + "resource_type": "RUN", + "hash": "880c76b1f477866c9850c100e5417e1a1857c91b199a4f77dbb4303b468300b5" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 13, + "RUN apk update \\\n" + ], + [ + 14, + " && apk upgrade \\\n" + ], + [ + 15, + " && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 13, + 15 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-yum-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_15", + "bc_check_id": null, + "check_name": "Ensure that the yum and dnf package managers are not configured to disable SSL certificate validation via the 'sslverify' configuration option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21, + "resource_type": "RUN", + "hash": "9237c8f5d216f0ff64b16cfb865cfa531456c016f6db01feaec953e8ac03ac17" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 20, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 21, + " && gem update --system \\\n" + ], + [ + 22, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 20, + 22 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + 
"short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-yum-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_15", + "bc_check_id": null, + "check_name": "Ensure that the yum and dnf package managers are not configured to disable SSL certificate validation via the 'sslverify' configuration option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27, + "resource_type": "RUN", + 
"hash": "5a4609a43d32ddabe804835d0d348df151cbb478f834262d4d13ac7040dbc2ae" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 24, + "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n" + ], + [ + 25, + " # Remove unneeded files (cached *.gem, *.o, *.c)\n" + ], + [ + 26, + " && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n" + ], + [ + 27, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n" + ], + [ + 28, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 24, + 28 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-yum-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_15", + "bc_check_id": null, + "check_name": "Ensure that the yum and dnf package managers are not configured to disable SSL certificate validation via the 'sslverify' configuration option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN 
yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30, + "resource_type": "RUN", + "hash": "8f17ae1b1dc2c2452797648c349103e57727d303d88a40043be13895f817452f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 31, + "RUN yarn install --frozen-lockfile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 31, + 31 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-yum-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_15", + "bc_check_id": null, + "check_name": "Ensure that the yum and dnf package managers are not configured to disable SSL certificate validation via the 'sslverify' configuration option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35, + "resource_type": "RUN", + "hash": 
"51b7a91c7800a4c1c748ed7084c49280d63d87c496772f241ca81c831c73fec1" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 36, + "RUN bundle exec rake assets:precompile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 36, + 36 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-yum-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_15", + "bc_check_id": null, + "check_name": "Ensure that the yum and dnf package managers are not configured to disable SSL certificate validation via the 'sslverify' configuration option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38, + "resource_type": "RUN", + "hash": "c62011ed0135c91dea50853c1ceb2cb2bbbd147d09508dff311f993f36cbea0b" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 39, 
+ "RUN rm -rf node_modules tmp/cache vendor/assets spec\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 39, + 39 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-yum-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_15", + "bc_check_id": null, + "check_name": "Ensure that the yum and dnf package managers are not configured to disable SSL certificate validation via the 'sslverify' configuration option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58, + "resource_type": "RUN", + "hash": 
"851d51e8e715fbf3f5bfb4e0a58953ec795b48fd776402b440ded80573716c67" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 57, + "RUN apk update \\\n" + ], + [ + 58, + " && apk upgrade \\\n" + ], + [ + 59, + " && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 57, + 59 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-yum-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_15", + "bc_check_id": null, + "check_name": "Ensure that the yum and dnf package managers are not configured to disable SSL certificate validation via the 'sslverify' configuration option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem 
update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63, + "resource_type": "RUN", + "hash": "27805e3e735841989d06cc56023d3cb2693119e701bd8155bc80c1c75dabc729" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 62, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 63, + " && gem update --system \\\n" + ], + [ + 64, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 62, + 64 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-yum-ssl", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_9", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing GPG signatures are not used by dnf, tdnf, or yum via the '--nogpgcheck' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk 
upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14, + "resource_type": "RUN", + "hash": "880c76b1f477866c9850c100e5417e1a1857c91b199a4f77dbb4303b468300b5" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 13, + "RUN apk update \\\n" + ], + [ + 14, + " && apk upgrade \\\n" + ], + [ + 15, + " && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 13, + 15 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-yum-signed", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_9", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing GPG signatures are not used by dnf, tdnf, or yum via the '--nogpgcheck' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + 
"__startline__": 19, + "__endline__": 21 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21, + "resource_type": "RUN", + "hash": "9237c8f5d216f0ff64b16cfb865cfa531456c016f6db01feaec953e8ac03ac17" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 20, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 21, + " && gem update --system \\\n" + ], + [ + 22, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 20, + 22 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-yum-signed", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_9", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing GPG signatures are not used by dnf, tdnf, or yum via the '--nogpgcheck' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf 
vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27, + "resource_type": "RUN", + "hash": "5a4609a43d32ddabe804835d0d348df151cbb478f834262d4d13ac7040dbc2ae" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 24, + "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n" + ], + [ + 25, + " # Remove unneeded files (cached *.gem, *.o, *.c)\n" + ], + [ + 26, + " && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n" + ], + [ + 27, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n" + ], + [ + 28, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 24, + 28 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": 
"checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-yum-signed", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_9", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing GPG signatures are not used by dnf, tdnf, or yum via the '--nogpgcheck' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30, + "resource_type": "RUN", + "hash": "8f17ae1b1dc2c2452797648c349103e57727d303d88a40043be13895f817452f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 31, + "RUN yarn install --frozen-lockfile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 31, + 31 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, 
+ "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-yum-signed", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_9", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing GPG signatures are not used by dnf, tdnf, or yum via the '--nogpgcheck' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35, + "resource_type": "RUN", + "hash": "51b7a91c7800a4c1c748ed7084c49280d63d87c496772f241ca81c831c73fec1" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 36, + "RUN bundle exec rake assets:precompile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 36, + 36 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-yum-signed", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_9", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing GPG signatures are not used by dnf, tdnf, or yum via the '--nogpgcheck' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38, + "resource_type": "RUN", + "hash": "c62011ed0135c91dea50853c1ceb2cb2bbbd147d09508dff311f993f36cbea0b" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 39, + "RUN rm -rf node_modules tmp/cache vendor/assets spec\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 39, + 39 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-yum-signed", + 
"details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_9", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing GPG signatures are not used by dnf, tdnf, or yum via the '--nogpgcheck' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58, + "resource_type": "RUN", + "hash": "851d51e8e715fbf3f5bfb4e0a58953ec795b48fd776402b440ded80573716c67" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 57, + "RUN apk update \\\n" + ], + [ + 58, + " && apk upgrade \\\n" + ], + [ + 59, + " && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 57, + 59 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": 
null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-yum-signed", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_9", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing GPG signatures are not used by dnf, tdnf, or yum via the '--nogpgcheck' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63, + "resource_type": "RUN", + "hash": "27805e3e735841989d06cc56023d3cb2693119e701bd8155bc80c1c75dabc729" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 62, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 63, + " && gem update --system \\\n" + ], + [ + 64, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 62, + 64 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + 
"severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-yum-signed", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_4", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the pip '--trusted-host' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14, + "resource_type": "RUN", + "hash": "880c76b1f477866c9850c100e5417e1a1857c91b199a4f77dbb4303b468300b5" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 13, + "RUN apk update \\\n" + ], + [ + 14, + " && apk upgrade \\\n" + ], + [ + 15, + " && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 13, + 15 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": 
"checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_4", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the pip '--trusted-host' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21, + "resource_type": "RUN", + "hash": "9237c8f5d216f0ff64b16cfb865cfa531456c016f6db01feaec953e8ac03ac17" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 20, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 21, + " && gem update --system \\\n" + ], + [ + 22, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 20, + 22 + ], + "resource": "/Dockerfile.RUN", + 
"evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_4", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the pip '--trusted-host' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 
--path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27, + "resource_type": "RUN", + "hash": "5a4609a43d32ddabe804835d0d348df151cbb478f834262d4d13ac7040dbc2ae" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 24, + "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n" + ], + [ + 25, + " # Remove unneeded files (cached *.gem, *.o, *.c)\n" + ], + [ + 26, + " && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n" + ], + [ + 27, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n" + ], + [ + 28, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 24, + 28 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_4", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the pip '--trusted-host' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN yarn 
install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30, + "resource_type": "RUN", + "hash": "8f17ae1b1dc2c2452797648c349103e57727d303d88a40043be13895f817452f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 31, + "RUN yarn install --frozen-lockfile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 31, + 31 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_4", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the pip '--trusted-host' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle exec rake assets:precompile\n", + "value": 
"bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35, + "resource_type": "RUN", + "hash": "51b7a91c7800a4c1c748ed7084c49280d63d87c496772f241ca81c831c73fec1" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 36, + "RUN bundle exec rake assets:precompile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 36, + 36 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_4", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the pip '--trusted-host' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38, + "resource_type": "RUN", + "hash": "c62011ed0135c91dea50853c1ceb2cb2bbbd147d09508dff311f993f36cbea0b" + }, + 
"evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 39, + "RUN rm -rf node_modules tmp/cache vendor/assets spec\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 39, + 39 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_4", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the pip '--trusted-host' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58, + "resource_type": 
"RUN", + "hash": "851d51e8e715fbf3f5bfb4e0a58953ec795b48fd776402b440ded80573716c67" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 57, + "RUN apk update \\\n" + ], + [ + 58, + " && apk upgrade \\\n" + ], + [ + 59, + " && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 57, + 59 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_4", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with the pip '--trusted-host' option", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install 
bundler", + "__startline__": 61, + "__endline__": 63, + "resource_type": "RUN", + "hash": "27805e3e735841989d06cc56023d3cb2693119e701bd8155bc80c1c75dabc729" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 62, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 63, + " && gem update --system \\\n" + ], + [ + 64, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 62, + 64 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-pip-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_10", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing signatures are not used by rpm via the '--nodigest', '--nosignature', '--noverify', or '--nofiledigest' options", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && 
apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14, + "resource_type": "RUN", + "hash": "880c76b1f477866c9850c100e5417e1a1857c91b199a4f77dbb4303b468300b5" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 13, + "RUN apk update \\\n" + ], + [ + 14, + " && apk upgrade \\\n" + ], + [ + 15, + " && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 13, + 15 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-rpm-signed", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_10", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing signatures are not used by rpm via the '--nodigest', '--nosignature', '--noverify', or '--nofiledigest' options", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && 
gem install bundler", + "__startline__": 19, + "__endline__": 21 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21, + "resource_type": "RUN", + "hash": "9237c8f5d216f0ff64b16cfb865cfa531456c016f6db01feaec953e8ac03ac17" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 20, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 21, + " && gem update --system \\\n" + ], + [ + 22, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 20, + 22 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-rpm-signed", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_10", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing signatures are not used by rpm via the '--nodigest', '--nosignature', '--noverify', or '--nofiledigest' options", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle install --without development:test:assets -j4 
--retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27, + "resource_type": "RUN", + "hash": "5a4609a43d32ddabe804835d0d348df151cbb478f834262d4d13ac7040dbc2ae" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 24, + "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n" + ], + [ + 25, + " # Remove unneeded files (cached *.gem, *.o, *.c)\n" + ], + [ + 26, + " && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n" + ], + [ + 27, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n" + ], + [ + 28, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 24, + 28 + ], + "resource": "/Dockerfile.RUN", + 
"evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-rpm-signed", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_10", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing signatures are not used by rpm via the '--nodigest', '--nosignature', '--noverify', or '--nofiledigest' options", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30, + "resource_type": "RUN", + "hash": "8f17ae1b1dc2c2452797648c349103e57727d303d88a40043be13895f817452f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 31, + "RUN yarn install --frozen-lockfile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 31, + 31 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": 
null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-rpm-signed", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_10", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing signatures are not used by rpm via the '--nodigest', '--nosignature', '--noverify', or '--nofiledigest' options", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35, + "resource_type": "RUN", + "hash": "51b7a91c7800a4c1c748ed7084c49280d63d87c496772f241ca81c831c73fec1" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 36, + "RUN bundle exec rake assets:precompile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 36, + 36 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": 
null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-rpm-signed", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_10", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing signatures are not used by rpm via the '--nodigest', '--nosignature', '--noverify', or '--nofiledigest' options", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38, + "resource_type": "RUN", + "hash": "c62011ed0135c91dea50853c1ceb2cb2bbbd147d09508dff311f993f36cbea0b" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 39, + "RUN rm -rf node_modules tmp/cache vendor/assets spec\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 39, + 39 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-rpm-signed", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_10", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing signatures are not used by rpm via the '--nodigest', '--nosignature', '--noverify', or '--nofiledigest' options", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58, + "resource_type": "RUN", + "hash": "851d51e8e715fbf3f5bfb4e0a58953ec795b48fd776402b440ded80573716c67" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 57, + "RUN apk update \\\n" + ], + [ + 58, + " && apk upgrade \\\n" + ], + [ + 59, + " && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 57, + 59 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + 
"caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-rpm-signed", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_10", + "bc_check_id": null, + "check_name": "Ensure that packages with untrusted or missing signatures are not used by rpm via the '--nodigest', '--nosignature', '--noverify', or '--nofiledigest' options", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63, + "resource_type": "RUN", + "hash": "27805e3e735841989d06cc56023d3cb2693119e701bd8155bc80c1c75dabc729" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 62, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 63, + " && gem update --system \\\n" + ], + [ + 64, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 62, + 64 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + 
"check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-rpm-signed", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_2", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with curl", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n", + "value": "apk update && apk upgrade && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES", + "__startline__": 12, + "__endline__": 14, + "resource_type": "RUN", + "hash": "880c76b1f477866c9850c100e5417e1a1857c91b199a4f77dbb4303b468300b5" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 13, + "RUN apk update \\\n" + ], + [ + 14, + " && apk upgrade \\\n" + ], + [ + 15, + " && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + 
"repo_file_path": "/Dockerfile", + "file_line_range": [ + 13, + 15 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-curl-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_2", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with curl", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 19, + "__endline__": 21, + "resource_type": "RUN", + "hash": "9237c8f5d216f0ff64b16cfb865cfa531456c016f6db01feaec953e8ac03ac17" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 20, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 21, + " && gem update --system \\\n" + ], + [ + 22, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": 
"/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 20, + 22 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-curl-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_2", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with curl", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n && find 
vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n", + "value": "bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete", + "__startline__": 23, + "__endline__": 27, + "resource_type": "RUN", + "hash": "5a4609a43d32ddabe804835d0d348df151cbb478f834262d4d13ac7040dbc2ae" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 24, + "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n" + ], + [ + 25, + " # Remove unneeded files (cached *.gem, *.o, *.c)\n" + ], + [ + 26, + " && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n" + ], + [ + 27, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n" + ], + [ + 28, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 24, + 28 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-curl-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_2", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with curl", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": 
"RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN yarn install --frozen-lockfile\n", + "value": "yarn install --frozen-lockfile", + "__startline__": 30, + "__endline__": 30, + "resource_type": "RUN", + "hash": "8f17ae1b1dc2c2452797648c349103e57727d303d88a40043be13895f817452f" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 31, + "RUN yarn install --frozen-lockfile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 31, + 31 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-curl-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_2", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with curl", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": 
"Dockerfile", + "content": "RUN bundle exec rake assets:precompile\n", + "value": "bundle exec rake assets:precompile", + "__startline__": 35, + "__endline__": 35, + "resource_type": "RUN", + "hash": "51b7a91c7800a4c1c748ed7084c49280d63d87c496772f241ca81c831c73fec1" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 36, + "RUN bundle exec rake assets:precompile\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 36, + 36 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-curl-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_2", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with curl", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN rm -rf node_modules tmp/cache vendor/assets spec\n", + "value": "rm -rf node_modules tmp/cache vendor/assets spec", + "__startline__": 38, + "__endline__": 38, + "resource_type": "RUN", + "hash": 
"c62011ed0135c91dea50853c1ceb2cb2bbbd147d09508dff311f993f36cbea0b" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 39, + "RUN rm -rf node_modules tmp/cache vendor/assets spec\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 39, + 39 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-curl-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_2", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with curl", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 56, + "__endline__": 58 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN apk update \\\n && apk upgrade \\\n && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n", + "value": "apk update && apk upgrade && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info", + "__startline__": 
56, + "__endline__": 58, + "resource_type": "RUN", + "hash": "851d51e8e715fbf3f5bfb4e0a58953ec795b48fd776402b440ded80573716c67" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 57, + "RUN apk update \\\n" + ], + [ + 58, + " && apk upgrade \\\n" + ], + [ + 59, + " && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 57, + 59 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-curl-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV2_DOCKER_2", + "bc_check_id": null, + "check_name": "Ensure that certificate validation isn't disabled with curl", + "check_result": { + "result": "PASSED", + "entity": { + "block_name_": "RUN", + "block_type_": "resource", + "file_path_": "/Dockerfile", + "config_": { + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && gem install bundler", + "__startline__": 61, + "__endline__": 63 + }, + "label_": "resource: RUN", + "id_": "RUN", + "source_": "Dockerfile", + "content": "RUN bundle config --global frozen 1 \\\n && gem update --system \\\n && gem install bundler\n", + "value": "bundle config --global frozen 1 && gem update --system && 
gem install bundler", + "__startline__": 61, + "__endline__": 63, + "resource_type": "RUN", + "hash": "27805e3e735841989d06cc56023d3cb2693119e701bd8155bc80c1c75dabc729" + }, + "evaluated_keys": [ + "value" + ] + }, + "code_block": [ + [ + 62, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 63, + " && gem update --system \\\n" + ], + [ + 64, + " && gem install bundler\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 62, + 64 + ], + "resource": "/Dockerfile.RUN", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-curl-secure", + "details": [], + "check_len": null, + "definition_context_file_path": null + } + ], + "failed_checks": [ + { + "check_id": "CKV_DOCKER_2", + "bc_check_id": "BC_DKR_2", + "check_name": "Ensure that HEALTHCHECK instructions have been added to container images", + "check_result": { + "result": "FAILED", + "results_configuration": null + }, + "code_block": [ + [ + 1, + "FROM ruby:3.0.0-alpine AS build-env\n" + ], + [ + 2, + "ARG RAILS_ROOT=/station\n" + ], + [ + 3, + "ARG BUILD_PACKAGES=\"build-base curl-dev git bash\"\n" + ], + [ + 4, + "ARG DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"\n" + ], + [ + 5, + "ARG RUBY_PACKAGES=\"tzdata\"\n" + ], + [ + 6, + "ENV RAILS_ENV=production\n" + ], + [ + 7, + "ENV NODE_ENV=production\n" + ], + [ + 8, + "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n" + ], + [ + 9, + "\n" + ], + [ + 
10, + "WORKDIR $RAILS_ROOT\n" + ], + [ + 11, + "\n" + ], + [ + 12, + "# Install build packages\n" + ], + [ + 13, + "RUN apk update \\\n" + ], + [ + 14, + " && apk upgrade \\\n" + ], + [ + 15, + " && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n" + ], + [ + 16, + "\n" + ], + [ + 17, + "COPY lib/nexmo_developer/Gemfile* package.json yarn.lock $RAILS_ROOT/\n" + ], + [ + 18, + "\n" + ], + [ + 19, + "# Upgrade Bundler to version 2\n" + ], + [ + 20, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 21, + " && gem update --system \\\n" + ], + [ + 22, + " && gem install bundler\n" + ], + [ + 23, + "\n" + ], + [ + 24, + "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n" + ], + [ + 25, + " # Remove unneeded files (cached *.gem, *.o, *.c)\n" + ], + [ + 26, + " && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n" + ], + [ + 27, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n" + ], + [ + 28, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n" + ], + [ + 29, + "\n" + ], + [ + 30, + "# Install node dependencies\n" + ], + [ + 31, + "RUN yarn install --frozen-lockfile\n" + ], + [ + 32, + "\n" + ], + [ + 33, + "# Copy the app in to /station and compile assets\n" + ], + [ + 34, + "COPY lib/nexmo_developer/ $RAILS_ROOT/\n" + ], + [ + 35, + "\n" + ], + [ + 36, + "RUN bundle exec rake assets:precompile\n" + ], + [ + 37, + "\n" + ], + [ + 38, + "## Remove folders not needed in resulting image\n" + ], + [ + 39, + "RUN rm -rf node_modules tmp/cache vendor/assets spec\n" + ], + [ + 40, + "\n" + ], + [ + 41, + "################ Build step done ###############\n" + ], + [ + 42, + "FROM ruby:3.0.0-alpine\n" + ], + [ + 43, + "ARG RAILS_ROOT=/station\n" + ], + [ + 44, + "\n" + ], + [ + 45, + "ENV RACK_ENV production\n" + ], + [ + 46, + "ENV RAILS_ENV production\n" + ], + [ + 47, + "ENV RAILS_SERVE_STATIC_FILES true\n" + ], + [ + 48, + "ENV RAILS_LOG_TO_STDOUT true\n" + ], + [ + 
49, + "ENV DISABLE_SSL 1\n" + ], + [ + 50, + "ENV DOCS_BASE_PATH /docs\n" + ], + [ + 51, + "ENV OAS_PATH /docs/_open_api/api_specs/definitions\n" + ], + [ + 52, + "\n" + ], + [ + 53, + "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n" + ], + [ + 54, + "WORKDIR $RAILS_ROOT\n" + ], + [ + 55, + "\n" + ], + [ + 56, + "# Install packges needed at runtime\n" + ], + [ + 57, + "RUN apk update \\\n" + ], + [ + 58, + " && apk upgrade \\\n" + ], + [ + 59, + " && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n" + ], + [ + 60, + "\n" + ], + [ + 61, + "# Upgrade Bundler to version 2\n" + ], + [ + 62, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 63, + " && gem update --system \\\n" + ], + [ + 64, + " && gem install bundler\n" + ], + [ + 65, + "\n" + ], + [ + 66, + "# Copy app with prebuilt assets\n" + ], + [ + 67, + "COPY --from=build-env $RAILS_ROOT $RAILS_ROOT\n" + ], + [ + 68, + "\n" + ], + [ + 69, + "# Run the app\n" + ], + [ + 70, + "EXPOSE 3000\n" + ], + [ + 71, + "CMD [\"./bin/rails\", \"server\", \"-b\", \"0.0.0.0\"]\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 1, + 71 + ], + "resource": "/Dockerfile.", + "evaluations": null, + "check_class": "checkov.dockerfile.checks.HealthcheckExists", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV_DOCKER_3", + 
"bc_check_id": "BC_DKR_3", + "check_name": "Ensure that a user for the container has been created", + "check_result": { + "result": "FAILED", + "results_configuration": null + }, + "code_block": [ + [ + 1, + "FROM ruby:3.0.0-alpine AS build-env\n" + ], + [ + 2, + "ARG RAILS_ROOT=/station\n" + ], + [ + 3, + "ARG BUILD_PACKAGES=\"build-base curl-dev git bash\"\n" + ], + [ + 4, + "ARG DEV_PACKAGES=\"postgresql-dev yaml-dev zlib-dev nodejs yarn shared-mime-info\"\n" + ], + [ + 5, + "ARG RUBY_PACKAGES=\"tzdata\"\n" + ], + [ + 6, + "ENV RAILS_ENV=production\n" + ], + [ + 7, + "ENV NODE_ENV=production\n" + ], + [ + 8, + "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n" + ], + [ + 9, + "\n" + ], + [ + 10, + "WORKDIR $RAILS_ROOT\n" + ], + [ + 11, + "\n" + ], + [ + 12, + "# Install build packages\n" + ], + [ + 13, + "RUN apk update \\\n" + ], + [ + 14, + " && apk upgrade \\\n" + ], + [ + 15, + " && apk add --update --no-cache $BUILD_PACKAGES $DEV_PACKAGES $RUBY_PACKAGES\n" + ], + [ + 16, + "\n" + ], + [ + 17, + "COPY lib/nexmo_developer/Gemfile* package.json yarn.lock $RAILS_ROOT/\n" + ], + [ + 18, + "\n" + ], + [ + 19, + "# Upgrade Bundler to version 2\n" + ], + [ + 20, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 21, + " && gem update --system \\\n" + ], + [ + 22, + " && gem install bundler\n" + ], + [ + 23, + "\n" + ], + [ + 24, + "RUN bundle install --without development:test:assets -j4 --retry 3 --path=vendor/bundle \\\n" + ], + [ + 25, + " # Remove unneeded files (cached *.gem, *.o, *.c)\n" + ], + [ + 26, + " && rm -rf vendor/bundle/ruby/3.0.0/cache/*.gem \\\n" + ], + [ + 27, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.c\" -delete \\\n" + ], + [ + 28, + " && find vendor/bundle/ruby/3.0.0/gems/ -name \"*.o\" -delete\n" + ], + [ + 29, + "\n" + ], + [ + 30, + "# Install node dependencies\n" + ], + [ + 31, + "RUN yarn install --frozen-lockfile\n" + ], + [ + 32, + "\n" + ], + [ + 33, + "# Copy the app in to /station and compile assets\n" + ], + [ + 34, + 
"COPY lib/nexmo_developer/ $RAILS_ROOT/\n" + ], + [ + 35, + "\n" + ], + [ + 36, + "RUN bundle exec rake assets:precompile\n" + ], + [ + 37, + "\n" + ], + [ + 38, + "## Remove folders not needed in resulting image\n" + ], + [ + 39, + "RUN rm -rf node_modules tmp/cache vendor/assets spec\n" + ], + [ + 40, + "\n" + ], + [ + 41, + "################ Build step done ###############\n" + ], + [ + 42, + "FROM ruby:3.0.0-alpine\n" + ], + [ + 43, + "ARG RAILS_ROOT=/station\n" + ], + [ + 44, + "\n" + ], + [ + 45, + "ENV RACK_ENV production\n" + ], + [ + 46, + "ENV RAILS_ENV production\n" + ], + [ + 47, + "ENV RAILS_SERVE_STATIC_FILES true\n" + ], + [ + 48, + "ENV RAILS_LOG_TO_STDOUT true\n" + ], + [ + 49, + "ENV DISABLE_SSL 1\n" + ], + [ + 50, + "ENV DOCS_BASE_PATH /docs\n" + ], + [ + 51, + "ENV OAS_PATH /docs/_open_api/api_specs/definitions\n" + ], + [ + 52, + "\n" + ], + [ + 53, + "ENV BUNDLE_APP_CONFIG=\"$RAILS_ROOT/.bundle\"\n" + ], + [ + 54, + "WORKDIR $RAILS_ROOT\n" + ], + [ + 55, + "\n" + ], + [ + 56, + "# Install packges needed at runtime\n" + ], + [ + 57, + "RUN apk update \\\n" + ], + [ + 58, + " && apk upgrade \\\n" + ], + [ + 59, + " && apk add --update --no-cache tzdata postgresql-client nodejs bash shared-mime-info\n" + ], + [ + 60, + "\n" + ], + [ + 61, + "# Upgrade Bundler to version 2\n" + ], + [ + 62, + "RUN bundle config --global frozen 1 \\\n" + ], + [ + 63, + " && gem update --system \\\n" + ], + [ + 64, + " && gem install bundler\n" + ], + [ + 65, + "\n" + ], + [ + 66, + "# Copy app with prebuilt assets\n" + ], + [ + 67, + "COPY --from=build-env $RAILS_ROOT $RAILS_ROOT\n" + ], + [ + 68, + "\n" + ], + [ + 69, + "# Run the app\n" + ], + [ + 70, + "EXPOSE 3000\n" + ], + [ + 71, + "CMD [\"./bin/rails\", \"server\", \"-b\", \"0.0.0.0\"]\n" + ] + ], + "file_path": "/Dockerfile", + "file_abs_path": "/tmp/ws-scm/station/Dockerfile", + "repo_file_path": "/Dockerfile", + "file_line_range": [ + 1, + 71 + ], + "resource": "/Dockerfile.", + "evaluations": null, + 
"check_class": "checkov.dockerfile.checks.UserExists", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created", + "details": [], + "check_len": null, + "definition_context_file_path": null + } + ], + "skipped_checks": [], + "parsing_errors": [] + }, + "summary": { + "passed": 222, + "failed": 2, + "skipped": 0, + "parsing_errors": 0, + "resource_count": 1, + "checkov_version": "3.2.174" + }, + "url": "Add an api key '--bc-api-key ' to see more detailed insights via https://bridgecrew.cloud" + }, + { + "check_type": "secrets", + "results": { + "passed_checks": [], + "failed_checks": [ + { + "check_id": "CKV_SECRET_6", + "bc_check_id": "BC_GIT_6", + "check_name": "Base64 High Entropy String", + "check_result": { + "result": "FAILED" + }, + "code_block": [ + [ + 14, + " secret_key_base: 002ec3**********\n" + ] + ], + "file_path": "/lib/nexmo_developer/config/secrets.yml", + "file_abs_path": "/tmp/ws-scm/station/lib/nexmo_developer/config/secrets.yml", + "repo_file_path": "/lib/nexmo_developer/config/secrets.yml", + "file_line_range": [ + 14, + 15 + ], + "resource": "54c4f0f2feadc662e53da9c1dbff450f851cf3c7", + "evaluations": null, + "check_class": "", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/git-secrets-6", + "details": [], + "check_len": null, + "definition_context_file_path": null, + "validation_status": "Unavailable", + "added_commit_hash": "", + "removed_commit_hash": "", + "added_by": "", + "removed_date": "", + "added_date": "" + }, + { + "check_id": "CKV_SECRET_6", + "bc_check_id": "BC_GIT_6", + "check_name": "Base64 High Entropy String", + "check_result": { + "result": "FAILED" + }, + "code_block": [ + [ + 17, + " secret_key_base: 0a7339**********\n" + ] + ], + "file_path": "/lib/nexmo_developer/config/secrets.yml", + "file_abs_path": "/tmp/ws-scm/station/lib/nexmo_developer/config/secrets.yml", + "repo_file_path": "/lib/nexmo_developer/config/secrets.yml", + "file_line_range": [ + 17, + 18 + ], + "resource": "95223ce10b5e30e3018e9ad0de81856c7a15f5de", + "evaluations": null, + "check_class": "", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/git-secrets-6", + "details": [], + "check_len": null, + "definition_context_file_path": null, + "validation_status": "Unavailable", + "added_commit_hash": "", + "removed_commit_hash": "", + "added_by": "", + "removed_date": "", + "added_date": "" + } + ], + "skipped_checks": [], + "parsing_errors": [] + }, + "summary": { + "passed": 0, + "failed": 2, + "skipped": 0, + "parsing_errors": 0, + "resource_count": 2, + "checkov_version": "3.2.174" + }, + "url": "Add an api key '--bc-api-key ' to see more detailed insights via https://bridgecrew.cloud" + }, + { + "check_type": "github_actions", + "results": { + 
"passed_checks": [ + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-18.04", + "services": { + "db": { + "env": { + "POSTGRES_USER": "postgres", + "POSTGRES_DB": "nexmo_developer_test", + "POSTGRES_HOST_AUTH_METHOD": "trust", + "__startline__": 13, + "__endline__": 16 + }, + "image": "postgres:11", + "ports": [ + "5432:5432" + ], + "options": "--health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5", + "__startline__": 12, + "__endline__": 24 + }, + "__startline__": 11, + "__endline__": 24 + }, + "steps": [ + { + "uses": "actions/checkout@v2", + "with": { + "submodules": "recursive", + "__startline__": 27, + "__endline__": 28 + }, + "__startline__": 25, + "__endline__": 28 + }, + { + "uses": "actions/setup-node@v1", + "with": { + "node-version": "12.x", + "__startline__": 30, + "__endline__": 31 + }, + "__startline__": 28, + "__endline__": 31 + }, + { + "name": "Find yarn cache location", + "id": "yarn-cache", + "run": "echo \"::set-output name=dir::$(yarn cache dir)\"", + "__startline__": 31, + "__endline__": 34 + }, + { + "name": "JS package cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.yarn-cache.outputs.dir }}", + "key": "${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}", + "restore-keys": "${{ runner.os }}-yarn-\n", + "__startline__": 37, + "__endline__": 41 + }, + "__startline__": 34, + "__endline__": 41 + }, + { + "name": "Install packages", + "run": "yarn install --pure-lockfile\n", + "__startline__": 41, + "__endline__": 44 + }, + { + "name": "Set up Ruby 3.0.0", + "uses": "ruby/setup-ruby@v1", + "with": { + "ruby-version": "3.0.0", + "__startline__": 47, + "__endline__": 48 + }, + "__startline__": 44, + "__endline__": 48 + }, + { + "name": "Ruby gem cache", + "uses": "actions/cache@v2", + "with": { + "path": 
"${{ github.workspace }}/vendor/bundle", + "key": "${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}", + "restore-keys": "${{ runner.os }}-gems-\n", + "__startline__": 51, + "__endline__": 55 + }, + "__startline__": 48, + "__endline__": 55 + }, + { + "name": "Install postgres headers", + "run": "sudo apt-get -yqq install libpq-dev", + "__startline__": 55, + "__endline__": 57 + }, + { + "name": "Bundle Setup", + "run": "gem update --system 3.1.4 -N\ngem install --no-document bundler\nbundle config path ${{ github.workspace }}/vendor/bundle\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 57, + "__endline__": 63 + }, + { + "name": "Bundle Install", + "env": { + "POSTGRES_USERNAME": "postgres", + "__startline__": 65, + "__endline__": 66 + }, + "run": "bundle install --jobs 4 --retry 3 --deployment\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 63, + "__endline__": 70 + }, + { + "name": "Precompile assets", + "env": { + "DOCS_BASE_PATH": "./spec/fixtures", + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "production", + "__startline__": 72, + "__endline__": 77 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 70, + "__endline__": 80 + }, + { + "name": "Fetch NDP", + "uses": "actions/checkout@master", + "with": { + "ref": "main", + "repository": "nexmo/nexmo-developer", + "token": "${{ secrets.GITHUB_TOKEN }}", + "path": "ndp", + "submodules": true, + "__startline__": 83, + "__endline__": 88 + }, + "__startline__": 80, + "__endline__": 88 + }, + { + "name": "Fetch VDP", + "uses": "actions/checkout@master", + "with": { + "ref": "master", + "repository": "VonageGarage/VDP", + "token": "${{ secrets.GITHUB_TOKEN }}", + "path": "vdp", + "submodules": true, + "__startline__": 91, + "__endline__": 96 + }, + "__startline__": 88, + "__endline__": 96 + }, + { + "name": "Precompile assets ENV=test", + "env": { + 
"RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "test", + "__startline__": 98, + "__endline__": 102 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 96, + "__endline__": 104 + }, + { + "name": "Run Platform Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "./spec/fixtures", + "BLOG_PATH": "./spec/fixtures/_blog", + "OAS_PATH": "./spec/fixtures/api_specs/definitions", + "FORCE_COLOR": true, + "__startline__": 106, + "__endline__": 111 + }, + "run": "bundle exec rails db:create\nbundle exec rails db:migrate\nbundle exec rake spec\nbundle exec rubocop\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 104, + "__endline__": 117 + }, + { + "name": "Run NDP Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "${{ github.workspace }}/ndp", + "OAS_PATH": "${{ github.workspace }}/ndp/_open_api/api_specs/definitions", + "FORCE_COLOR": true, + "__startline__": 119, + "__endline__": 123 + }, + "run": "bundle exec rake ci:verify_pages\nbundle exec rake ci:verify_navigation\nbundle exec rake ci:verify_oas_reference\nRAILS_ENV=test bundle exec rake ci:verify_error_urls_resolve\nbundle exec rake ci:check_word_blocklist\nbundle exec rake ci:check_ruby_version\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 117, + "__endline__": 131 + }, + { + "name": "Run VDP Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "${{ github.workspace }}/vdp", + "OAS_PATH": "${{ github.workspace }}/vdp/_open_api/definitions", + "FORCE_COLOR": true, + "__startline__": 133, + "__endline__": 137 + }, + "run": "bundle exec rake ci:verify_pages\nbundle exec rake ci:verify_navigation\nbundle exec rake ci:verify_oas_reference\nbundle exec rake ci:check_word_blocklist\nbundle exec rake ci:check_ruby_version\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 131, + 
"__endline__": 144 + }, + { + "name": "Run Javascript Tests", + "run": "yarn test\n", + "__startline__": 144, + "__endline__": 147 + }, + { + "name": "Spell checker", + "env": { + "FORCE_COLOR": true, + "__startline__": 149, + "__endline__": 150 + }, + "run": "./node_modules/.bin/mdspell -r -n -a --en-us '_documentation/en/**/*.md' '_partials/*.md' '_partials/**/*.md' '_modals/**/*.md' '_tutorials/**/*.md'\n", + "__startline__": 147, + "__endline__": 152 + } + ], + "__startline__": 9, + "__endline__": 152 + } + }, + "code_block": [ + [ + 9, + " runs-on: ubuntu-18.04\n" + ], + [ + 10, + " services:\n" + ], + [ + 11, + " db:\n" + ], + [ + 12, + " env:\n" + ], + [ + 13, + " POSTGRES_USER: postgres\n" + ], + [ + 14, + " POSTGRES_DB: nexmo_developer_test\n" + ], + [ + 15, + " POSTGRES_HOST_AUTH_METHOD: trust\n" + ], + [ + 16, + " image: postgres:11\n" + ], + [ + 17, + " ports: ['5432:5432']\n" + ], + [ + 18, + " options: >-\n" + ], + [ + 19, + " --health-cmd pg_isready\n" + ], + [ + 20, + " --health-interval 10s\n" + ], + [ + 21, + " --health-timeout 5s\n" + ], + [ + 22, + " --health-retries 5\n" + ], + [ + 23, + "\n" + ], + [ + 24, + " steps:\n" + ], + [ + 25, + " - uses: actions/checkout@v2\n" + ], + [ + 26, + " with:\n" + ], + [ + 27, + " submodules: recursive\n" + ], + [ + 28, + " - uses: actions/setup-node@v1\n" + ], + [ + 29, + " with:\n" + ], + [ + 30, + " node-version: '12.x'\n" + ], + [ + 31, + " - name: Find yarn cache location\n" + ], + [ + 32, + " id: yarn-cache\n" + ], + [ + 33, + " run: echo \"::set-output name=dir::$(yarn cache dir)\"\n" + ], + [ + 34, + " - name: JS package cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ], + [ + 36, + " with:\n" + ], + [ + 37, + " path: ${{ steps.yarn-cache.outputs.dir }}\n" + ], + [ + 38, + " key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}\n" + ], + [ + 39, + " restore-keys: |\n" + ], + [ + 40, + " ${{ runner.os }}-yarn-\n" + ], + [ + 41, + " - name: Install packages\n" + ], + [ + 42, + " run: |\n" 
+ ], + [ + 43, + " yarn install --pure-lockfile\n" + ], + [ + 44, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 45, + " uses: ruby/setup-ruby@v1\n" + ], + [ + 46, + " with:\n" + ], + [ + 47, + " ruby-version: 3.0.0\n" + ], + [ + 48, + " - name: Ruby gem cache\n" + ], + [ + 49, + " uses: actions/cache@v2\n" + ], + [ + 50, + " with:\n" + ], + [ + 51, + " path: ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 52, + " key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}\n" + ], + [ + 53, + " restore-keys: |\n" + ], + [ + 54, + " ${{ runner.os }}-gems-\n" + ], + [ + 55, + " - name: Install postgres headers\n" + ], + [ + 56, + " run: sudo apt-get -yqq install libpq-dev\n" + ], + [ + 57, + " - name: Bundle Setup\n" + ], + [ + 58, + " run: |\n" + ], + [ + 59, + " gem update --system 3.1.4 -N\n" + ], + [ + 60, + " gem install --no-document bundler\n" + ], + [ + 61, + " bundle config path ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 62, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 63, + " - name: Bundle Install\n" + ], + [ + 64, + " env:\n" + ], + [ + 65, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 66, + " run: |\n" + ], + [ + 67, + " bundle install --jobs 4 --retry 3 --deployment\n" + ], + [ + 68, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 69, + "\n" + ], + [ + 70, + " - name: Precompile assets\n" + ], + [ + 71, + " env:\n" + ], + [ + 72, + " DOCS_BASE_PATH: ./spec/fixtures\n" + ], + [ + 73, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 74, + " DISABLE_SSL: 1\n" + ], + [ + 75, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 76, + " RAILS_ENV: production\n" + ], + [ + 77, + " run: bundle exec rails assets:precompile\n" + ], + [ + 78, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 79, + "\n" + ], + [ + 80, + " - name: Fetch NDP\n" + ], + [ + 81, + " uses: actions/checkout@master\n" + ], + [ + 82, + " with:\n" + ], + [ + 83, + " ref: main\n" + ], + [ + 84, + " repository: nexmo/nexmo-developer\n" + ], + [ + 85, + " token: 
${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 86, + " path: ndp\n" + ], + [ + 87, + " submodules: true\n" + ], + [ + 88, + " - name: Fetch VDP\n" + ], + [ + 89, + " uses: actions/checkout@master\n" + ], + [ + 90, + " with:\n" + ], + [ + 91, + " ref: master\n" + ], + [ + 92, + " repository: VonageGarage/VDP\n" + ], + [ + 93, + " token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 94, + " path: vdp\n" + ], + [ + 95, + " submodules: true\n" + ], + [ + 96, + " - name: Precompile assets ENV=test\n" + ], + [ + 97, + " env:\n" + ], + [ + 98, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 99, + " DISABLE_SSL: 1\n" + ], + [ + 100, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 101, + " RAILS_ENV: test\n" + ], + [ + 102, + " run: bundle exec rails assets:precompile\n" + ], + [ + 103, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 104, + " - name: Run Platform Tests\n" + ], + [ + 105, + " env:\n" + ], + [ + 106, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 107, + " DOCS_BASE_PATH: ./spec/fixtures\n" + ], + [ + 108, + " BLOG_PATH: ./spec/fixtures/_blog\n" + ], + [ + 109, + " OAS_PATH: ./spec/fixtures/api_specs/definitions\n" + ], + [ + 110, + " FORCE_COLOR: true\n" + ], + [ + 111, + " run: |\n" + ], + [ + 112, + " bundle exec rails db:create\n" + ], + [ + 113, + " bundle exec rails db:migrate\n" + ], + [ + 114, + " bundle exec rake spec\n" + ], + [ + 115, + " bundle exec rubocop\n" + ], + [ + 116, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 117, + " - name: Run NDP Tests\n" + ], + [ + 118, + " env:\n" + ], + [ + 119, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 120, + " DOCS_BASE_PATH: ${{ github.workspace }}/ndp\n" + ], + [ + 121, + " OAS_PATH: ${{ github.workspace }}/ndp/_open_api/api_specs/definitions\n" + ], + [ + 122, + " FORCE_COLOR: true\n" + ], + [ + 123, + " run: |\n" + ], + [ + 124, + " bundle exec rake ci:verify_pages\n" + ], + [ + 125, + " bundle exec rake ci:verify_navigation\n" + ], + [ + 126, + " bundle exec rake ci:verify_oas_reference\n" + ], + 
[ + 127, + " RAILS_ENV=test bundle exec rake ci:verify_error_urls_resolve\n" + ], + [ + 128, + " bundle exec rake ci:check_word_blocklist\n" + ], + [ + 129, + " bundle exec rake ci:check_ruby_version\n" + ], + [ + 130, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 131, + " - name: Run VDP Tests\n" + ], + [ + 132, + " env:\n" + ], + [ + 133, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 134, + " DOCS_BASE_PATH: ${{ github.workspace }}/vdp\n" + ], + [ + 135, + " OAS_PATH: ${{ github.workspace }}/vdp/_open_api/definitions\n" + ], + [ + 136, + " FORCE_COLOR: true\n" + ], + [ + 137, + " run: |\n" + ], + [ + 138, + " bundle exec rake ci:verify_pages\n" + ], + [ + 139, + " bundle exec rake ci:verify_navigation\n" + ], + [ + 140, + " bundle exec rake ci:verify_oas_reference\n" + ], + [ + 141, + " bundle exec rake ci:check_word_blocklist\n" + ], + [ + 142, + " bundle exec rake ci:check_ruby_version\n" + ], + [ + 143, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 144, + " - name: Run Javascript Tests\n" + ], + [ + 145, + " run: |\n" + ], + [ + 146, + " yarn test\n" + ], + [ + 147, + " - name: Spell checker\n" + ], + [ + 148, + " env:\n" + ], + [ + 149, + " FORCE_COLOR: true\n" + ], + [ + 150, + " run: |\n" + ], + [ + 151, + " ./node_modules/.bin/mdspell -r -n -a --en-us '_documentation/en/**/*.md' '_partials/*.md' '_partials/**/*.md' '_modals/**/*.md' '_tutorials/**/*.md'\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 9, + 153 + ], + "resource": "jobs(build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + 
"short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_5", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sign execution in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "build": { + "runs-on": "ubuntu-18.04", + "services": { + "db": { + "env": { + "POSTGRES_USER": "postgres", + "POSTGRES_DB": "nexmo_developer_test", + "POSTGRES_HOST_AUTH_METHOD": "trust", + "__startline__": 13, + "__endline__": 16 + }, + "image": "postgres:11", + "ports": [ + "5432:5432" + ], + "options": "--health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5", + "__startline__": 12, + "__endline__": 24 + }, + "__startline__": 11, + "__endline__": 24 + }, + "steps": [ + { + "uses": "actions/checkout@v2", + "with": { + "submodules": "recursive", + "__startline__": 27, + "__endline__": 28 + }, + "__startline__": 25, + "__endline__": 28 + }, + { + "uses": "actions/setup-node@v1", + "with": { + "node-version": "12.x", + "__startline__": 30, + "__endline__": 31 + }, + "__startline__": 28, + "__endline__": 31 + }, + { + "name": "Find yarn cache location", + "id": "yarn-cache", + "run": "echo \"::set-output name=dir::$(yarn cache dir)\"", + "__startline__": 31, + "__endline__": 34 + }, + { + "name": "JS package cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.yarn-cache.outputs.dir }}", + "key": "${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}", + "restore-keys": "${{ runner.os }}-yarn-\n", + "__startline__": 37, + "__endline__": 41 + }, + "__startline__": 34, + "__endline__": 41 + }, + { + "name": "Install packages", + "run": "yarn install --pure-lockfile\n", + "__startline__": 41, + "__endline__": 44 + 
}, + { + "name": "Set up Ruby 3.0.0", + "uses": "ruby/setup-ruby@v1", + "with": { + "ruby-version": "3.0.0", + "__startline__": 47, + "__endline__": 48 + }, + "__startline__": 44, + "__endline__": 48 + }, + { + "name": "Ruby gem cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ github.workspace }}/vendor/bundle", + "key": "${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}", + "restore-keys": "${{ runner.os }}-gems-\n", + "__startline__": 51, + "__endline__": 55 + }, + "__startline__": 48, + "__endline__": 55 + }, + { + "name": "Install postgres headers", + "run": "sudo apt-get -yqq install libpq-dev", + "__startline__": 55, + "__endline__": 57 + }, + { + "name": "Bundle Setup", + "run": "gem update --system 3.1.4 -N\ngem install --no-document bundler\nbundle config path ${{ github.workspace }}/vendor/bundle\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 57, + "__endline__": 63 + }, + { + "name": "Bundle Install", + "env": { + "POSTGRES_USERNAME": "postgres", + "__startline__": 65, + "__endline__": 66 + }, + "run": "bundle install --jobs 4 --retry 3 --deployment\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 63, + "__endline__": 70 + }, + { + "name": "Precompile assets", + "env": { + "DOCS_BASE_PATH": "./spec/fixtures", + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "production", + "__startline__": 72, + "__endline__": 77 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 70, + "__endline__": 80 + }, + { + "name": "Fetch NDP", + "uses": "actions/checkout@master", + "with": { + "ref": "main", + "repository": "nexmo/nexmo-developer", + "token": "${{ secrets.GITHUB_TOKEN }}", + "path": "ndp", + "submodules": true, + "__startline__": 83, + "__endline__": 88 + }, + "__startline__": 80, + "__endline__": 88 + }, + { + "name": "Fetch VDP", + "uses": "actions/checkout@master", + "with": { 
+ "ref": "master", + "repository": "VonageGarage/VDP", + "token": "${{ secrets.GITHUB_TOKEN }}", + "path": "vdp", + "submodules": true, + "__startline__": 91, + "__endline__": 96 + }, + "__startline__": 88, + "__endline__": 96 + }, + { + "name": "Precompile assets ENV=test", + "env": { + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "test", + "__startline__": 98, + "__endline__": 102 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 96, + "__endline__": 104 + }, + { + "name": "Run Platform Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "./spec/fixtures", + "BLOG_PATH": "./spec/fixtures/_blog", + "OAS_PATH": "./spec/fixtures/api_specs/definitions", + "FORCE_COLOR": true, + "__startline__": 106, + "__endline__": 111 + }, + "run": "bundle exec rails db:create\nbundle exec rails db:migrate\nbundle exec rake spec\nbundle exec rubocop\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 104, + "__endline__": 117 + }, + { + "name": "Run NDP Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "${{ github.workspace }}/ndp", + "OAS_PATH": "${{ github.workspace }}/ndp/_open_api/api_specs/definitions", + "FORCE_COLOR": true, + "__startline__": 119, + "__endline__": 123 + }, + "run": "bundle exec rake ci:verify_pages\nbundle exec rake ci:verify_navigation\nbundle exec rake ci:verify_oas_reference\nRAILS_ENV=test bundle exec rake ci:verify_error_urls_resolve\nbundle exec rake ci:check_word_blocklist\nbundle exec rake ci:check_ruby_version\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 117, + "__endline__": 131 + }, + { + "name": "Run VDP Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "${{ github.workspace }}/vdp", + "OAS_PATH": "${{ github.workspace }}/vdp/_open_api/definitions", + "FORCE_COLOR": true, + "__startline__": 133, + "__endline__": 137 
+ }, + "run": "bundle exec rake ci:verify_pages\nbundle exec rake ci:verify_navigation\nbundle exec rake ci:verify_oas_reference\nbundle exec rake ci:check_word_blocklist\nbundle exec rake ci:check_ruby_version\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 131, + "__endline__": 144 + }, + { + "name": "Run Javascript Tests", + "run": "yarn test\n", + "__startline__": 144, + "__endline__": 147 + }, + { + "name": "Spell checker", + "env": { + "FORCE_COLOR": true, + "__startline__": 149, + "__endline__": 150 + }, + "run": "./node_modules/.bin/mdspell -r -n -a --en-us '_documentation/en/**/*.md' '_partials/*.md' '_partials/**/*.md' '_modals/**/*.md' '_tutorials/**/*.md'\n", + "__startline__": 147, + "__endline__": 152 + } + ], + "__startline__": 9, + "__endline__": 152 + }, + "__startline__": 8, + "__endline__": 152 + } + }, + "code_block": [ + [ + 8, + " build:\n" + ], + [ + 9, + " runs-on: ubuntu-18.04\n" + ], + [ + 10, + " services:\n" + ], + [ + 11, + " db:\n" + ], + [ + 12, + " env:\n" + ], + [ + 13, + " POSTGRES_USER: postgres\n" + ], + [ + 14, + " POSTGRES_DB: nexmo_developer_test\n" + ], + [ + 15, + " POSTGRES_HOST_AUTH_METHOD: trust\n" + ], + [ + 16, + " image: postgres:11\n" + ], + [ + 17, + " ports: ['5432:5432']\n" + ], + [ + 18, + " options: >-\n" + ], + [ + 19, + " --health-cmd pg_isready\n" + ], + [ + 20, + " --health-interval 10s\n" + ], + [ + 21, + " --health-timeout 5s\n" + ], + [ + 22, + " --health-retries 5\n" + ], + [ + 23, + "\n" + ], + [ + 24, + " steps:\n" + ], + [ + 25, + " - uses: actions/checkout@v2\n" + ], + [ + 26, + " with:\n" + ], + [ + 27, + " submodules: recursive\n" + ], + [ + 28, + " - uses: actions/setup-node@v1\n" + ], + [ + 29, + " with:\n" + ], + [ + 30, + " node-version: '12.x'\n" + ], + [ + 31, + " - name: Find yarn cache location\n" + ], + [ + 32, + " id: yarn-cache\n" + ], + [ + 33, + " run: echo \"::set-output name=dir::$(yarn cache dir)\"\n" + ], + [ + 34, + " - name: JS package cache\n" + ], + [ + 
35, + " uses: actions/cache@v2\n" + ], + [ + 36, + " with:\n" + ], + [ + 37, + " path: ${{ steps.yarn-cache.outputs.dir }}\n" + ], + [ + 38, + " key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}\n" + ], + [ + 39, + " restore-keys: |\n" + ], + [ + 40, + " ${{ runner.os }}-yarn-\n" + ], + [ + 41, + " - name: Install packages\n" + ], + [ + 42, + " run: |\n" + ], + [ + 43, + " yarn install --pure-lockfile\n" + ], + [ + 44, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 45, + " uses: ruby/setup-ruby@v1\n" + ], + [ + 46, + " with:\n" + ], + [ + 47, + " ruby-version: 3.0.0\n" + ], + [ + 48, + " - name: Ruby gem cache\n" + ], + [ + 49, + " uses: actions/cache@v2\n" + ], + [ + 50, + " with:\n" + ], + [ + 51, + " path: ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 52, + " key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}\n" + ], + [ + 53, + " restore-keys: |\n" + ], + [ + 54, + " ${{ runner.os }}-gems-\n" + ], + [ + 55, + " - name: Install postgres headers\n" + ], + [ + 56, + " run: sudo apt-get -yqq install libpq-dev\n" + ], + [ + 57, + " - name: Bundle Setup\n" + ], + [ + 58, + " run: |\n" + ], + [ + 59, + " gem update --system 3.1.4 -N\n" + ], + [ + 60, + " gem install --no-document bundler\n" + ], + [ + 61, + " bundle config path ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 62, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 63, + " - name: Bundle Install\n" + ], + [ + 64, + " env:\n" + ], + [ + 65, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 66, + " run: |\n" + ], + [ + 67, + " bundle install --jobs 4 --retry 3 --deployment\n" + ], + [ + 68, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 69, + "\n" + ], + [ + 70, + " - name: Precompile assets\n" + ], + [ + 71, + " env:\n" + ], + [ + 72, + " DOCS_BASE_PATH: ./spec/fixtures\n" + ], + [ + 73, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 74, + " DISABLE_SSL: 1\n" + ], + [ + 75, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 76, + " RAILS_ENV: production\n" + ], + [ + 77, 
+ " run: bundle exec rails assets:precompile\n" + ], + [ + 78, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 79, + "\n" + ], + [ + 80, + " - name: Fetch NDP\n" + ], + [ + 81, + " uses: actions/checkout@master\n" + ], + [ + 82, + " with:\n" + ], + [ + 83, + " ref: main\n" + ], + [ + 84, + " repository: nexmo/nexmo-developer\n" + ], + [ + 85, + " token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 86, + " path: ndp\n" + ], + [ + 87, + " submodules: true\n" + ], + [ + 88, + " - name: Fetch VDP\n" + ], + [ + 89, + " uses: actions/checkout@master\n" + ], + [ + 90, + " with:\n" + ], + [ + 91, + " ref: master\n" + ], + [ + 92, + " repository: VonageGarage/VDP\n" + ], + [ + 93, + " token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 94, + " path: vdp\n" + ], + [ + 95, + " submodules: true\n" + ], + [ + 96, + " - name: Precompile assets ENV=test\n" + ], + [ + 97, + " env:\n" + ], + [ + 98, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 99, + " DISABLE_SSL: 1\n" + ], + [ + 100, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 101, + " RAILS_ENV: test\n" + ], + [ + 102, + " run: bundle exec rails assets:precompile\n" + ], + [ + 103, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 104, + " - name: Run Platform Tests\n" + ], + [ + 105, + " env:\n" + ], + [ + 106, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 107, + " DOCS_BASE_PATH: ./spec/fixtures\n" + ], + [ + 108, + " BLOG_PATH: ./spec/fixtures/_blog\n" + ], + [ + 109, + " OAS_PATH: ./spec/fixtures/api_specs/definitions\n" + ], + [ + 110, + " FORCE_COLOR: true\n" + ], + [ + 111, + " run: |\n" + ], + [ + 112, + " bundle exec rails db:create\n" + ], + [ + 113, + " bundle exec rails db:migrate\n" + ], + [ + 114, + " bundle exec rake spec\n" + ], + [ + 115, + " bundle exec rubocop\n" + ], + [ + 116, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 117, + " - name: Run NDP Tests\n" + ], + [ + 118, + " env:\n" + ], + [ + 119, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 120, + " DOCS_BASE_PATH: ${{ 
github.workspace }}/ndp\n" + ], + [ + 121, + " OAS_PATH: ${{ github.workspace }}/ndp/_open_api/api_specs/definitions\n" + ], + [ + 122, + " FORCE_COLOR: true\n" + ], + [ + 123, + " run: |\n" + ], + [ + 124, + " bundle exec rake ci:verify_pages\n" + ], + [ + 125, + " bundle exec rake ci:verify_navigation\n" + ], + [ + 126, + " bundle exec rake ci:verify_oas_reference\n" + ], + [ + 127, + " RAILS_ENV=test bundle exec rake ci:verify_error_urls_resolve\n" + ], + [ + 128, + " bundle exec rake ci:check_word_blocklist\n" + ], + [ + 129, + " bundle exec rake ci:check_ruby_version\n" + ], + [ + 130, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 131, + " - name: Run VDP Tests\n" + ], + [ + 132, + " env:\n" + ], + [ + 133, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 134, + " DOCS_BASE_PATH: ${{ github.workspace }}/vdp\n" + ], + [ + 135, + " OAS_PATH: ${{ github.workspace }}/vdp/_open_api/definitions\n" + ], + [ + 136, + " FORCE_COLOR: true\n" + ], + [ + 137, + " run: |\n" + ], + [ + 138, + " bundle exec rake ci:verify_pages\n" + ], + [ + 139, + " bundle exec rake ci:verify_navigation\n" + ], + [ + 140, + " bundle exec rake ci:verify_oas_reference\n" + ], + [ + 141, + " bundle exec rake ci:check_word_blocklist\n" + ], + [ + 142, + " bundle exec rake ci:check_ruby_version\n" + ], + [ + 143, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 144, + " - name: Run Javascript Tests\n" + ], + [ + 145, + " run: |\n" + ], + [ + 146, + " yarn test\n" + ], + [ + 147, + " - name: Spell checker\n" + ], + [ + 148, + " env:\n" + ], + [ + 149, + " FORCE_COLOR: true\n" + ], + [ + 150, + " run: |\n" + ], + [ + 151, + " ./node_modules/.bin/mdspell -r -n -a --en-us '_documentation/en/**/*.md' '_partials/*.md' '_partials/**/*.md' '_modals/**/*.md' '_tutorials/**/*.md'\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 8, + 153 + 
], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignArtifacts", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_6", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sbom attestation in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "build": { + "runs-on": "ubuntu-18.04", + "services": { + "db": { + "env": { + "POSTGRES_USER": "postgres", + "POSTGRES_DB": "nexmo_developer_test", + "POSTGRES_HOST_AUTH_METHOD": "trust", + "__startline__": 13, + "__endline__": 16 + }, + "image": "postgres:11", + "ports": [ + "5432:5432" + ], + "options": "--health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5", + "__startline__": 12, + "__endline__": 24 + }, + "__startline__": 11, + "__endline__": 24 + }, + "steps": [ + { + "uses": "actions/checkout@v2", + "with": { + "submodules": "recursive", + "__startline__": 27, + "__endline__": 28 + }, + "__startline__": 25, + "__endline__": 28 + }, + { + "uses": "actions/setup-node@v1", + "with": { + "node-version": "12.x", + "__startline__": 30, + "__endline__": 31 + }, + "__startline__": 28, + "__endline__": 31 + }, + { + "name": "Find yarn cache location", + "id": "yarn-cache", + "run": "echo \"::set-output name=dir::$(yarn cache dir)\"", + "__startline__": 31, + "__endline__": 34 + }, + { + "name": "JS package cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ 
steps.yarn-cache.outputs.dir }}", + "key": "${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}", + "restore-keys": "${{ runner.os }}-yarn-\n", + "__startline__": 37, + "__endline__": 41 + }, + "__startline__": 34, + "__endline__": 41 + }, + { + "name": "Install packages", + "run": "yarn install --pure-lockfile\n", + "__startline__": 41, + "__endline__": 44 + }, + { + "name": "Set up Ruby 3.0.0", + "uses": "ruby/setup-ruby@v1", + "with": { + "ruby-version": "3.0.0", + "__startline__": 47, + "__endline__": 48 + }, + "__startline__": 44, + "__endline__": 48 + }, + { + "name": "Ruby gem cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ github.workspace }}/vendor/bundle", + "key": "${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}", + "restore-keys": "${{ runner.os }}-gems-\n", + "__startline__": 51, + "__endline__": 55 + }, + "__startline__": 48, + "__endline__": 55 + }, + { + "name": "Install postgres headers", + "run": "sudo apt-get -yqq install libpq-dev", + "__startline__": 55, + "__endline__": 57 + }, + { + "name": "Bundle Setup", + "run": "gem update --system 3.1.4 -N\ngem install --no-document bundler\nbundle config path ${{ github.workspace }}/vendor/bundle\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 57, + "__endline__": 63 + }, + { + "name": "Bundle Install", + "env": { + "POSTGRES_USERNAME": "postgres", + "__startline__": 65, + "__endline__": 66 + }, + "run": "bundle install --jobs 4 --retry 3 --deployment\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 63, + "__endline__": 70 + }, + { + "name": "Precompile assets", + "env": { + "DOCS_BASE_PATH": "./spec/fixtures", + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "production", + "__startline__": 72, + "__endline__": 77 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 70, + "__endline__": 80 + }, + { + "name": "Fetch 
NDP", + "uses": "actions/checkout@master", + "with": { + "ref": "main", + "repository": "nexmo/nexmo-developer", + "token": "${{ secrets.GITHUB_TOKEN }}", + "path": "ndp", + "submodules": true, + "__startline__": 83, + "__endline__": 88 + }, + "__startline__": 80, + "__endline__": 88 + }, + { + "name": "Fetch VDP", + "uses": "actions/checkout@master", + "with": { + "ref": "master", + "repository": "VonageGarage/VDP", + "token": "${{ secrets.GITHUB_TOKEN }}", + "path": "vdp", + "submodules": true, + "__startline__": 91, + "__endline__": 96 + }, + "__startline__": 88, + "__endline__": 96 + }, + { + "name": "Precompile assets ENV=test", + "env": { + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "test", + "__startline__": 98, + "__endline__": 102 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 96, + "__endline__": 104 + }, + { + "name": "Run Platform Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "./spec/fixtures", + "BLOG_PATH": "./spec/fixtures/_blog", + "OAS_PATH": "./spec/fixtures/api_specs/definitions", + "FORCE_COLOR": true, + "__startline__": 106, + "__endline__": 111 + }, + "run": "bundle exec rails db:create\nbundle exec rails db:migrate\nbundle exec rake spec\nbundle exec rubocop\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 104, + "__endline__": 117 + }, + { + "name": "Run NDP Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "${{ github.workspace }}/ndp", + "OAS_PATH": "${{ github.workspace }}/ndp/_open_api/api_specs/definitions", + "FORCE_COLOR": true, + "__startline__": 119, + "__endline__": 123 + }, + "run": "bundle exec rake ci:verify_pages\nbundle exec rake ci:verify_navigation\nbundle exec rake ci:verify_oas_reference\nRAILS_ENV=test bundle exec rake ci:verify_error_urls_resolve\nbundle exec rake ci:check_word_blocklist\nbundle exec rake 
ci:check_ruby_version\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 117, + "__endline__": 131 + }, + { + "name": "Run VDP Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "${{ github.workspace }}/vdp", + "OAS_PATH": "${{ github.workspace }}/vdp/_open_api/definitions", + "FORCE_COLOR": true, + "__startline__": 133, + "__endline__": 137 + }, + "run": "bundle exec rake ci:verify_pages\nbundle exec rake ci:verify_navigation\nbundle exec rake ci:verify_oas_reference\nbundle exec rake ci:check_word_blocklist\nbundle exec rake ci:check_ruby_version\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 131, + "__endline__": 144 + }, + { + "name": "Run Javascript Tests", + "run": "yarn test\n", + "__startline__": 144, + "__endline__": 147 + }, + { + "name": "Spell checker", + "env": { + "FORCE_COLOR": true, + "__startline__": 149, + "__endline__": 150 + }, + "run": "./node_modules/.bin/mdspell -r -n -a --en-us '_documentation/en/**/*.md' '_partials/*.md' '_partials/**/*.md' '_modals/**/*.md' '_tutorials/**/*.md'\n", + "__startline__": 147, + "__endline__": 152 + } + ], + "__startline__": 9, + "__endline__": 152 + }, + "__startline__": 8, + "__endline__": 152 + } + }, + "code_block": [ + [ + 8, + " build:\n" + ], + [ + 9, + " runs-on: ubuntu-18.04\n" + ], + [ + 10, + " services:\n" + ], + [ + 11, + " db:\n" + ], + [ + 12, + " env:\n" + ], + [ + 13, + " POSTGRES_USER: postgres\n" + ], + [ + 14, + " POSTGRES_DB: nexmo_developer_test\n" + ], + [ + 15, + " POSTGRES_HOST_AUTH_METHOD: trust\n" + ], + [ + 16, + " image: postgres:11\n" + ], + [ + 17, + " ports: ['5432:5432']\n" + ], + [ + 18, + " options: >-\n" + ], + [ + 19, + " --health-cmd pg_isready\n" + ], + [ + 20, + " --health-interval 10s\n" + ], + [ + 21, + " --health-timeout 5s\n" + ], + [ + 22, + " --health-retries 5\n" + ], + [ + 23, + "\n" + ], + [ + 24, + " steps:\n" + ], + [ + 25, + " - uses: actions/checkout@v2\n" + ], + [ + 26, + " with:\n" + ], + [ 
+ 27, + " submodules: recursive\n" + ], + [ + 28, + " - uses: actions/setup-node@v1\n" + ], + [ + 29, + " with:\n" + ], + [ + 30, + " node-version: '12.x'\n" + ], + [ + 31, + " - name: Find yarn cache location\n" + ], + [ + 32, + " id: yarn-cache\n" + ], + [ + 33, + " run: echo \"::set-output name=dir::$(yarn cache dir)\"\n" + ], + [ + 34, + " - name: JS package cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ], + [ + 36, + " with:\n" + ], + [ + 37, + " path: ${{ steps.yarn-cache.outputs.dir }}\n" + ], + [ + 38, + " key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}\n" + ], + [ + 39, + " restore-keys: |\n" + ], + [ + 40, + " ${{ runner.os }}-yarn-\n" + ], + [ + 41, + " - name: Install packages\n" + ], + [ + 42, + " run: |\n" + ], + [ + 43, + " yarn install --pure-lockfile\n" + ], + [ + 44, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 45, + " uses: ruby/setup-ruby@v1\n" + ], + [ + 46, + " with:\n" + ], + [ + 47, + " ruby-version: 3.0.0\n" + ], + [ + 48, + " - name: Ruby gem cache\n" + ], + [ + 49, + " uses: actions/cache@v2\n" + ], + [ + 50, + " with:\n" + ], + [ + 51, + " path: ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 52, + " key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}\n" + ], + [ + 53, + " restore-keys: |\n" + ], + [ + 54, + " ${{ runner.os }}-gems-\n" + ], + [ + 55, + " - name: Install postgres headers\n" + ], + [ + 56, + " run: sudo apt-get -yqq install libpq-dev\n" + ], + [ + 57, + " - name: Bundle Setup\n" + ], + [ + 58, + " run: |\n" + ], + [ + 59, + " gem update --system 3.1.4 -N\n" + ], + [ + 60, + " gem install --no-document bundler\n" + ], + [ + 61, + " bundle config path ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 62, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 63, + " - name: Bundle Install\n" + ], + [ + 64, + " env:\n" + ], + [ + 65, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 66, + " run: |\n" + ], + [ + 67, + " bundle install --jobs 4 --retry 3 --deployment\n" + ], + [ + 68, + " 
working-directory: ./lib/nexmo_developer\n" + ], + [ + 69, + "\n" + ], + [ + 70, + " - name: Precompile assets\n" + ], + [ + 71, + " env:\n" + ], + [ + 72, + " DOCS_BASE_PATH: ./spec/fixtures\n" + ], + [ + 73, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 74, + " DISABLE_SSL: 1\n" + ], + [ + 75, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 76, + " RAILS_ENV: production\n" + ], + [ + 77, + " run: bundle exec rails assets:precompile\n" + ], + [ + 78, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 79, + "\n" + ], + [ + 80, + " - name: Fetch NDP\n" + ], + [ + 81, + " uses: actions/checkout@master\n" + ], + [ + 82, + " with:\n" + ], + [ + 83, + " ref: main\n" + ], + [ + 84, + " repository: nexmo/nexmo-developer\n" + ], + [ + 85, + " token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 86, + " path: ndp\n" + ], + [ + 87, + " submodules: true\n" + ], + [ + 88, + " - name: Fetch VDP\n" + ], + [ + 89, + " uses: actions/checkout@master\n" + ], + [ + 90, + " with:\n" + ], + [ + 91, + " ref: master\n" + ], + [ + 92, + " repository: VonageGarage/VDP\n" + ], + [ + 93, + " token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 94, + " path: vdp\n" + ], + [ + 95, + " submodules: true\n" + ], + [ + 96, + " - name: Precompile assets ENV=test\n" + ], + [ + 97, + " env:\n" + ], + [ + 98, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 99, + " DISABLE_SSL: 1\n" + ], + [ + 100, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 101, + " RAILS_ENV: test\n" + ], + [ + 102, + " run: bundle exec rails assets:precompile\n" + ], + [ + 103, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 104, + " - name: Run Platform Tests\n" + ], + [ + 105, + " env:\n" + ], + [ + 106, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 107, + " DOCS_BASE_PATH: ./spec/fixtures\n" + ], + [ + 108, + " BLOG_PATH: ./spec/fixtures/_blog\n" + ], + [ + 109, + " OAS_PATH: ./spec/fixtures/api_specs/definitions\n" + ], + [ + 110, + " FORCE_COLOR: true\n" + ], + [ + 111, + " run: |\n" + ], + [ + 112, + " bundle exec rails 
db:create\n" + ], + [ + 113, + " bundle exec rails db:migrate\n" + ], + [ + 114, + " bundle exec rake spec\n" + ], + [ + 115, + " bundle exec rubocop\n" + ], + [ + 116, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 117, + " - name: Run NDP Tests\n" + ], + [ + 118, + " env:\n" + ], + [ + 119, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 120, + " DOCS_BASE_PATH: ${{ github.workspace }}/ndp\n" + ], + [ + 121, + " OAS_PATH: ${{ github.workspace }}/ndp/_open_api/api_specs/definitions\n" + ], + [ + 122, + " FORCE_COLOR: true\n" + ], + [ + 123, + " run: |\n" + ], + [ + 124, + " bundle exec rake ci:verify_pages\n" + ], + [ + 125, + " bundle exec rake ci:verify_navigation\n" + ], + [ + 126, + " bundle exec rake ci:verify_oas_reference\n" + ], + [ + 127, + " RAILS_ENV=test bundle exec rake ci:verify_error_urls_resolve\n" + ], + [ + 128, + " bundle exec rake ci:check_word_blocklist\n" + ], + [ + 129, + " bundle exec rake ci:check_ruby_version\n" + ], + [ + 130, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 131, + " - name: Run VDP Tests\n" + ], + [ + 132, + " env:\n" + ], + [ + 133, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 134, + " DOCS_BASE_PATH: ${{ github.workspace }}/vdp\n" + ], + [ + 135, + " OAS_PATH: ${{ github.workspace }}/vdp/_open_api/definitions\n" + ], + [ + 136, + " FORCE_COLOR: true\n" + ], + [ + 137, + " run: |\n" + ], + [ + 138, + " bundle exec rake ci:verify_pages\n" + ], + [ + 139, + " bundle exec rake ci:verify_navigation\n" + ], + [ + 140, + " bundle exec rake ci:verify_oas_reference\n" + ], + [ + 141, + " bundle exec rake ci:check_word_blocklist\n" + ], + [ + 142, + " bundle exec rake ci:check_ruby_version\n" + ], + [ + 143, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 144, + " - name: Run Javascript Tests\n" + ], + [ + 145, + " run: |\n" + ], + [ + 146, + " yarn test\n" + ], + [ + 147, + " - name: Spell checker\n" + ], + [ + 148, + " env:\n" + ], + [ + 149, + " FORCE_COLOR: true\n" + ], + [ + 150, + " run: 
|\n" + ], + [ + 151, + " ./node_modules/.bin/mdspell -r -n -a --en-us '_documentation/en/**/*.md' '_partials/*.md' '_partials/**/*.md' '_modals/**/*.md' '_tutorials/**/*.md'\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 8, + 153 + ], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignSBOM", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-18.04", + "services": { + "db": { + "env": { + "POSTGRES_USER": "postgres", + "POSTGRES_DB": "nexmo_developer_test", + "POSTGRES_HOST_AUTH_METHOD": "trust", + "__startline__": 13, + "__endline__": 16 + }, + "image": "postgres:11", + "ports": [ + "5432:5432" + ], + "options": "--health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5", + "__startline__": 12, + "__endline__": 24 + }, + "__startline__": 11, + "__endline__": 24 + }, + "steps": [ + { + "uses": "actions/checkout@v2", + "with": { + "submodules": "recursive", + "__startline__": 27, + "__endline__": 28 + }, + "__startline__": 25, + "__endline__": 28 + }, + { + "uses": "actions/setup-node@v1", + "with": { + "node-version": "12.x", + "__startline__": 30, + "__endline__": 31 + }, 
+ "__startline__": 28, + "__endline__": 31 + }, + { + "name": "Find yarn cache location", + "id": "yarn-cache", + "run": "echo \"::set-output name=dir::$(yarn cache dir)\"", + "__startline__": 31, + "__endline__": 34 + }, + { + "name": "JS package cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.yarn-cache.outputs.dir }}", + "key": "${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}", + "restore-keys": "${{ runner.os }}-yarn-\n", + "__startline__": 37, + "__endline__": 41 + }, + "__startline__": 34, + "__endline__": 41 + }, + { + "name": "Install packages", + "run": "yarn install --pure-lockfile\n", + "__startline__": 41, + "__endline__": 44 + }, + { + "name": "Set up Ruby 3.0.0", + "uses": "ruby/setup-ruby@v1", + "with": { + "ruby-version": "3.0.0", + "__startline__": 47, + "__endline__": 48 + }, + "__startline__": 44, + "__endline__": 48 + }, + { + "name": "Ruby gem cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ github.workspace }}/vendor/bundle", + "key": "${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}", + "restore-keys": "${{ runner.os }}-gems-\n", + "__startline__": 51, + "__endline__": 55 + }, + "__startline__": 48, + "__endline__": 55 + }, + { + "name": "Install postgres headers", + "run": "sudo apt-get -yqq install libpq-dev", + "__startline__": 55, + "__endline__": 57 + }, + { + "name": "Bundle Setup", + "run": "gem update --system 3.1.4 -N\ngem install --no-document bundler\nbundle config path ${{ github.workspace }}/vendor/bundle\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 57, + "__endline__": 63 + }, + { + "name": "Bundle Install", + "env": { + "POSTGRES_USERNAME": "postgres", + "__startline__": 65, + "__endline__": 66 + }, + "run": "bundle install --jobs 4 --retry 3 --deployment\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 63, + "__endline__": 70 + }, + { + "name": "Precompile assets", + "env": { + "DOCS_BASE_PATH": "./spec/fixtures", + 
"RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "production", + "__startline__": 72, + "__endline__": 77 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 70, + "__endline__": 80 + }, + { + "name": "Fetch NDP", + "uses": "actions/checkout@master", + "with": { + "ref": "main", + "repository": "nexmo/nexmo-developer", + "token": "${{ secrets.GITHUB_TOKEN }}", + "path": "ndp", + "submodules": true, + "__startline__": 83, + "__endline__": 88 + }, + "__startline__": 80, + "__endline__": 88 + }, + { + "name": "Fetch VDP", + "uses": "actions/checkout@master", + "with": { + "ref": "master", + "repository": "VonageGarage/VDP", + "token": "${{ secrets.GITHUB_TOKEN }}", + "path": "vdp", + "submodules": true, + "__startline__": 91, + "__endline__": 96 + }, + "__startline__": 88, + "__endline__": 96 + }, + { + "name": "Precompile assets ENV=test", + "env": { + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "test", + "__startline__": 98, + "__endline__": 102 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 96, + "__endline__": 104 + }, + { + "name": "Run Platform Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "./spec/fixtures", + "BLOG_PATH": "./spec/fixtures/_blog", + "OAS_PATH": "./spec/fixtures/api_specs/definitions", + "FORCE_COLOR": true, + "__startline__": 106, + "__endline__": 111 + }, + "run": "bundle exec rails db:create\nbundle exec rails db:migrate\nbundle exec rake spec\nbundle exec rubocop\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 104, + "__endline__": 117 + }, + { + "name": "Run NDP Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "${{ github.workspace }}/ndp", + "OAS_PATH": "${{ github.workspace }}/ndp/_open_api/api_specs/definitions", + "FORCE_COLOR": 
true, + "__startline__": 119, + "__endline__": 123 + }, + "run": "bundle exec rake ci:verify_pages\nbundle exec rake ci:verify_navigation\nbundle exec rake ci:verify_oas_reference\nRAILS_ENV=test bundle exec rake ci:verify_error_urls_resolve\nbundle exec rake ci:check_word_blocklist\nbundle exec rake ci:check_ruby_version\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 117, + "__endline__": 131 + }, + { + "name": "Run VDP Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "${{ github.workspace }}/vdp", + "OAS_PATH": "${{ github.workspace }}/vdp/_open_api/definitions", + "FORCE_COLOR": true, + "__startline__": 133, + "__endline__": 137 + }, + "run": "bundle exec rake ci:verify_pages\nbundle exec rake ci:verify_navigation\nbundle exec rake ci:verify_oas_reference\nbundle exec rake ci:check_word_blocklist\nbundle exec rake ci:check_ruby_version\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 131, + "__endline__": 144 + }, + { + "name": "Run Javascript Tests", + "run": "yarn test\n", + "__startline__": 144, + "__endline__": 147 + }, + { + "name": "Spell checker", + "env": { + "FORCE_COLOR": true, + "__startline__": 149, + "__endline__": 150 + }, + "run": "./node_modules/.bin/mdspell -r -n -a --en-us '_documentation/en/**/*.md' '_partials/*.md' '_partials/**/*.md' '_modals/**/*.md' '_tutorials/**/*.md'\n", + "__startline__": 147, + "__endline__": 152 + } + ], + "__startline__": 9, + "__endline__": 152 + } + }, + "code_block": [ + [ + 9, + " runs-on: ubuntu-18.04\n" + ], + [ + 10, + " services:\n" + ], + [ + 11, + " db:\n" + ], + [ + 12, + " env:\n" + ], + [ + 13, + " POSTGRES_USER: postgres\n" + ], + [ + 14, + " POSTGRES_DB: nexmo_developer_test\n" + ], + [ + 15, + " POSTGRES_HOST_AUTH_METHOD: trust\n" + ], + [ + 16, + " image: postgres:11\n" + ], + [ + 17, + " ports: ['5432:5432']\n" + ], + [ + 18, + " options: >-\n" + ], + [ + 19, + " --health-cmd pg_isready\n" + ], + [ + 20, + " --health-interval 
10s\n" + ], + [ + 21, + " --health-timeout 5s\n" + ], + [ + 22, + " --health-retries 5\n" + ], + [ + 23, + "\n" + ], + [ + 24, + " steps:\n" + ], + [ + 25, + " - uses: actions/checkout@v2\n" + ], + [ + 26, + " with:\n" + ], + [ + 27, + " submodules: recursive\n" + ], + [ + 28, + " - uses: actions/setup-node@v1\n" + ], + [ + 29, + " with:\n" + ], + [ + 30, + " node-version: '12.x'\n" + ], + [ + 31, + " - name: Find yarn cache location\n" + ], + [ + 32, + " id: yarn-cache\n" + ], + [ + 33, + " run: echo \"::set-output name=dir::$(yarn cache dir)\"\n" + ], + [ + 34, + " - name: JS package cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ], + [ + 36, + " with:\n" + ], + [ + 37, + " path: ${{ steps.yarn-cache.outputs.dir }}\n" + ], + [ + 38, + " key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}\n" + ], + [ + 39, + " restore-keys: |\n" + ], + [ + 40, + " ${{ runner.os }}-yarn-\n" + ], + [ + 41, + " - name: Install packages\n" + ], + [ + 42, + " run: |\n" + ], + [ + 43, + " yarn install --pure-lockfile\n" + ], + [ + 44, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 45, + " uses: ruby/setup-ruby@v1\n" + ], + [ + 46, + " with:\n" + ], + [ + 47, + " ruby-version: 3.0.0\n" + ], + [ + 48, + " - name: Ruby gem cache\n" + ], + [ + 49, + " uses: actions/cache@v2\n" + ], + [ + 50, + " with:\n" + ], + [ + 51, + " path: ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 52, + " key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}\n" + ], + [ + 53, + " restore-keys: |\n" + ], + [ + 54, + " ${{ runner.os }}-gems-\n" + ], + [ + 55, + " - name: Install postgres headers\n" + ], + [ + 56, + " run: sudo apt-get -yqq install libpq-dev\n" + ], + [ + 57, + " - name: Bundle Setup\n" + ], + [ + 58, + " run: |\n" + ], + [ + 59, + " gem update --system 3.1.4 -N\n" + ], + [ + 60, + " gem install --no-document bundler\n" + ], + [ + 61, + " bundle config path ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 62, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 
63, + " - name: Bundle Install\n" + ], + [ + 64, + " env:\n" + ], + [ + 65, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 66, + " run: |\n" + ], + [ + 67, + " bundle install --jobs 4 --retry 3 --deployment\n" + ], + [ + 68, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 69, + "\n" + ], + [ + 70, + " - name: Precompile assets\n" + ], + [ + 71, + " env:\n" + ], + [ + 72, + " DOCS_BASE_PATH: ./spec/fixtures\n" + ], + [ + 73, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 74, + " DISABLE_SSL: 1\n" + ], + [ + 75, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 76, + " RAILS_ENV: production\n" + ], + [ + 77, + " run: bundle exec rails assets:precompile\n" + ], + [ + 78, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 79, + "\n" + ], + [ + 80, + " - name: Fetch NDP\n" + ], + [ + 81, + " uses: actions/checkout@master\n" + ], + [ + 82, + " with:\n" + ], + [ + 83, + " ref: main\n" + ], + [ + 84, + " repository: nexmo/nexmo-developer\n" + ], + [ + 85, + " token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 86, + " path: ndp\n" + ], + [ + 87, + " submodules: true\n" + ], + [ + 88, + " - name: Fetch VDP\n" + ], + [ + 89, + " uses: actions/checkout@master\n" + ], + [ + 90, + " with:\n" + ], + [ + 91, + " ref: master\n" + ], + [ + 92, + " repository: VonageGarage/VDP\n" + ], + [ + 93, + " token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 94, + " path: vdp\n" + ], + [ + 95, + " submodules: true\n" + ], + [ + 96, + " - name: Precompile assets ENV=test\n" + ], + [ + 97, + " env:\n" + ], + [ + 98, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 99, + " DISABLE_SSL: 1\n" + ], + [ + 100, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 101, + " RAILS_ENV: test\n" + ], + [ + 102, + " run: bundle exec rails assets:precompile\n" + ], + [ + 103, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 104, + " - name: Run Platform Tests\n" + ], + [ + 105, + " env:\n" + ], + [ + 106, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 107, + " DOCS_BASE_PATH: ./spec/fixtures\n" + ], + [ + 108, 
+ " BLOG_PATH: ./spec/fixtures/_blog\n" + ], + [ + 109, + " OAS_PATH: ./spec/fixtures/api_specs/definitions\n" + ], + [ + 110, + " FORCE_COLOR: true\n" + ], + [ + 111, + " run: |\n" + ], + [ + 112, + " bundle exec rails db:create\n" + ], + [ + 113, + " bundle exec rails db:migrate\n" + ], + [ + 114, + " bundle exec rake spec\n" + ], + [ + 115, + " bundle exec rubocop\n" + ], + [ + 116, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 117, + " - name: Run NDP Tests\n" + ], + [ + 118, + " env:\n" + ], + [ + 119, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 120, + " DOCS_BASE_PATH: ${{ github.workspace }}/ndp\n" + ], + [ + 121, + " OAS_PATH: ${{ github.workspace }}/ndp/_open_api/api_specs/definitions\n" + ], + [ + 122, + " FORCE_COLOR: true\n" + ], + [ + 123, + " run: |\n" + ], + [ + 124, + " bundle exec rake ci:verify_pages\n" + ], + [ + 125, + " bundle exec rake ci:verify_navigation\n" + ], + [ + 126, + " bundle exec rake ci:verify_oas_reference\n" + ], + [ + 127, + " RAILS_ENV=test bundle exec rake ci:verify_error_urls_resolve\n" + ], + [ + 128, + " bundle exec rake ci:check_word_blocklist\n" + ], + [ + 129, + " bundle exec rake ci:check_ruby_version\n" + ], + [ + 130, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 131, + " - name: Run VDP Tests\n" + ], + [ + 132, + " env:\n" + ], + [ + 133, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 134, + " DOCS_BASE_PATH: ${{ github.workspace }}/vdp\n" + ], + [ + 135, + " OAS_PATH: ${{ github.workspace }}/vdp/_open_api/definitions\n" + ], + [ + 136, + " FORCE_COLOR: true\n" + ], + [ + 137, + " run: |\n" + ], + [ + 138, + " bundle exec rake ci:verify_pages\n" + ], + [ + 139, + " bundle exec rake ci:verify_navigation\n" + ], + [ + 140, + " bundle exec rake ci:verify_oas_reference\n" + ], + [ + 141, + " bundle exec rake ci:check_word_blocklist\n" + ], + [ + 142, + " bundle exec rake ci:check_ruby_version\n" + ], + [ + 143, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 144, + " - name: Run 
Javascript Tests\n" + ], + [ + 145, + " run: |\n" + ], + [ + 146, + " yarn test\n" + ], + [ + 147, + " - name: Spell checker\n" + ], + [ + 148, + " env:\n" + ], + [ + 149, + " FORCE_COLOR: true\n" + ], + [ + 150, + " run: |\n" + ], + [ + 151, + " ./node_modules/.bin/mdspell -r -n -a --en-us '_documentation/en/**/*.md' '_partials/*.md' '_partials/**/*.md' '_modals/**/*.md' '_tutorials/**/*.md'\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 9, + 153 + ], + "resource": "jobs(build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-18.04", + "services": { + "db": { + "env": { + "POSTGRES_USER": "postgres", + "POSTGRES_DB": "nexmo_developer_test", + "POSTGRES_HOST_AUTH_METHOD": "trust", + "__startline__": 13, + "__endline__": 16 + }, + "image": "postgres:11", + "ports": [ + "5432:5432" + ], + "options": "--health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5", + "__startline__": 12, + "__endline__": 24 + }, + "__startline__": 11, + "__endline__": 24 + }, + "steps": [ + { + "uses": "actions/checkout@v2", + 
"with": { + "submodules": "recursive", + "__startline__": 27, + "__endline__": 28 + }, + "__startline__": 25, + "__endline__": 28 + }, + { + "uses": "actions/setup-node@v1", + "with": { + "node-version": "12.x", + "__startline__": 30, + "__endline__": 31 + }, + "__startline__": 28, + "__endline__": 31 + }, + { + "name": "Find yarn cache location", + "id": "yarn-cache", + "run": "echo \"::set-output name=dir::$(yarn cache dir)\"", + "__startline__": 31, + "__endline__": 34 + }, + { + "name": "JS package cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.yarn-cache.outputs.dir }}", + "key": "${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}", + "restore-keys": "${{ runner.os }}-yarn-\n", + "__startline__": 37, + "__endline__": 41 + }, + "__startline__": 34, + "__endline__": 41 + }, + { + "name": "Install packages", + "run": "yarn install --pure-lockfile\n", + "__startline__": 41, + "__endline__": 44 + }, + { + "name": "Set up Ruby 3.0.0", + "uses": "ruby/setup-ruby@v1", + "with": { + "ruby-version": "3.0.0", + "__startline__": 47, + "__endline__": 48 + }, + "__startline__": 44, + "__endline__": 48 + }, + { + "name": "Ruby gem cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ github.workspace }}/vendor/bundle", + "key": "${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}", + "restore-keys": "${{ runner.os }}-gems-\n", + "__startline__": 51, + "__endline__": 55 + }, + "__startline__": 48, + "__endline__": 55 + }, + { + "name": "Install postgres headers", + "run": "sudo apt-get -yqq install libpq-dev", + "__startline__": 55, + "__endline__": 57 + }, + { + "name": "Bundle Setup", + "run": "gem update --system 3.1.4 -N\ngem install --no-document bundler\nbundle config path ${{ github.workspace }}/vendor/bundle\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 57, + "__endline__": 63 + }, + { + "name": "Bundle Install", + "env": { + "POSTGRES_USERNAME": "postgres", + "__startline__": 65, + "__endline__": 
66 + }, + "run": "bundle install --jobs 4 --retry 3 --deployment\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 63, + "__endline__": 70 + }, + { + "name": "Precompile assets", + "env": { + "DOCS_BASE_PATH": "./spec/fixtures", + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "production", + "__startline__": 72, + "__endline__": 77 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 70, + "__endline__": 80 + }, + { + "name": "Fetch NDP", + "uses": "actions/checkout@master", + "with": { + "ref": "main", + "repository": "nexmo/nexmo-developer", + "token": "${{ secrets.GITHUB_TOKEN }}", + "path": "ndp", + "submodules": true, + "__startline__": 83, + "__endline__": 88 + }, + "__startline__": 80, + "__endline__": 88 + }, + { + "name": "Fetch VDP", + "uses": "actions/checkout@master", + "with": { + "ref": "master", + "repository": "VonageGarage/VDP", + "token": "${{ secrets.GITHUB_TOKEN }}", + "path": "vdp", + "submodules": true, + "__startline__": 91, + "__endline__": 96 + }, + "__startline__": 88, + "__endline__": 96 + }, + { + "name": "Precompile assets ENV=test", + "env": { + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "test", + "__startline__": 98, + "__endline__": 102 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 96, + "__endline__": 104 + }, + { + "name": "Run Platform Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "./spec/fixtures", + "BLOG_PATH": "./spec/fixtures/_blog", + "OAS_PATH": "./spec/fixtures/api_specs/definitions", + "FORCE_COLOR": true, + "__startline__": 106, + "__endline__": 111 + }, + "run": "bundle exec rails db:create\nbundle exec rails db:migrate\nbundle exec rake spec\nbundle exec rubocop\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 
104, + "__endline__": 117 + }, + { + "name": "Run NDP Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "${{ github.workspace }}/ndp", + "OAS_PATH": "${{ github.workspace }}/ndp/_open_api/api_specs/definitions", + "FORCE_COLOR": true, + "__startline__": 119, + "__endline__": 123 + }, + "run": "bundle exec rake ci:verify_pages\nbundle exec rake ci:verify_navigation\nbundle exec rake ci:verify_oas_reference\nRAILS_ENV=test bundle exec rake ci:verify_error_urls_resolve\nbundle exec rake ci:check_word_blocklist\nbundle exec rake ci:check_ruby_version\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 117, + "__endline__": 131 + }, + { + "name": "Run VDP Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "${{ github.workspace }}/vdp", + "OAS_PATH": "${{ github.workspace }}/vdp/_open_api/definitions", + "FORCE_COLOR": true, + "__startline__": 133, + "__endline__": 137 + }, + "run": "bundle exec rake ci:verify_pages\nbundle exec rake ci:verify_navigation\nbundle exec rake ci:verify_oas_reference\nbundle exec rake ci:check_word_blocklist\nbundle exec rake ci:check_ruby_version\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 131, + "__endline__": 144 + }, + { + "name": "Run Javascript Tests", + "run": "yarn test\n", + "__startline__": 144, + "__endline__": 147 + }, + { + "name": "Spell checker", + "env": { + "FORCE_COLOR": true, + "__startline__": 149, + "__endline__": 150 + }, + "run": "./node_modules/.bin/mdspell -r -n -a --en-us '_documentation/en/**/*.md' '_partials/*.md' '_partials/**/*.md' '_modals/**/*.md' '_tutorials/**/*.md'\n", + "__startline__": 147, + "__endline__": 152 + } + ], + "__startline__": 9, + "__endline__": 152 + } + }, + "code_block": [ + [ + 9, + " runs-on: ubuntu-18.04\n" + ], + [ + 10, + " services:\n" + ], + [ + 11, + " db:\n" + ], + [ + 12, + " env:\n" + ], + [ + 13, + " POSTGRES_USER: postgres\n" + ], + [ + 14, + " POSTGRES_DB: nexmo_developer_test\n" + ], 
+ [ + 15, + " POSTGRES_HOST_AUTH_METHOD: trust\n" + ], + [ + 16, + " image: postgres:11\n" + ], + [ + 17, + " ports: ['5432:5432']\n" + ], + [ + 18, + " options: >-\n" + ], + [ + 19, + " --health-cmd pg_isready\n" + ], + [ + 20, + " --health-interval 10s\n" + ], + [ + 21, + " --health-timeout 5s\n" + ], + [ + 22, + " --health-retries 5\n" + ], + [ + 23, + "\n" + ], + [ + 24, + " steps:\n" + ], + [ + 25, + " - uses: actions/checkout@v2\n" + ], + [ + 26, + " with:\n" + ], + [ + 27, + " submodules: recursive\n" + ], + [ + 28, + " - uses: actions/setup-node@v1\n" + ], + [ + 29, + " with:\n" + ], + [ + 30, + " node-version: '12.x'\n" + ], + [ + 31, + " - name: Find yarn cache location\n" + ], + [ + 32, + " id: yarn-cache\n" + ], + [ + 33, + " run: echo \"::set-output name=dir::$(yarn cache dir)\"\n" + ], + [ + 34, + " - name: JS package cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ], + [ + 36, + " with:\n" + ], + [ + 37, + " path: ${{ steps.yarn-cache.outputs.dir }}\n" + ], + [ + 38, + " key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}\n" + ], + [ + 39, + " restore-keys: |\n" + ], + [ + 40, + " ${{ runner.os }}-yarn-\n" + ], + [ + 41, + " - name: Install packages\n" + ], + [ + 42, + " run: |\n" + ], + [ + 43, + " yarn install --pure-lockfile\n" + ], + [ + 44, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 45, + " uses: ruby/setup-ruby@v1\n" + ], + [ + 46, + " with:\n" + ], + [ + 47, + " ruby-version: 3.0.0\n" + ], + [ + 48, + " - name: Ruby gem cache\n" + ], + [ + 49, + " uses: actions/cache@v2\n" + ], + [ + 50, + " with:\n" + ], + [ + 51, + " path: ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 52, + " key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}\n" + ], + [ + 53, + " restore-keys: |\n" + ], + [ + 54, + " ${{ runner.os }}-gems-\n" + ], + [ + 55, + " - name: Install postgres headers\n" + ], + [ + 56, + " run: sudo apt-get -yqq install libpq-dev\n" + ], + [ + 57, + " - name: Bundle Setup\n" + ], + [ + 58, + " run: |\n" + ], + [ + 
59, + " gem update --system 3.1.4 -N\n" + ], + [ + 60, + " gem install --no-document bundler\n" + ], + [ + 61, + " bundle config path ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 62, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 63, + " - name: Bundle Install\n" + ], + [ + 64, + " env:\n" + ], + [ + 65, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 66, + " run: |\n" + ], + [ + 67, + " bundle install --jobs 4 --retry 3 --deployment\n" + ], + [ + 68, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 69, + "\n" + ], + [ + 70, + " - name: Precompile assets\n" + ], + [ + 71, + " env:\n" + ], + [ + 72, + " DOCS_BASE_PATH: ./spec/fixtures\n" + ], + [ + 73, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 74, + " DISABLE_SSL: 1\n" + ], + [ + 75, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 76, + " RAILS_ENV: production\n" + ], + [ + 77, + " run: bundle exec rails assets:precompile\n" + ], + [ + 78, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 79, + "\n" + ], + [ + 80, + " - name: Fetch NDP\n" + ], + [ + 81, + " uses: actions/checkout@master\n" + ], + [ + 82, + " with:\n" + ], + [ + 83, + " ref: main\n" + ], + [ + 84, + " repository: nexmo/nexmo-developer\n" + ], + [ + 85, + " token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 86, + " path: ndp\n" + ], + [ + 87, + " submodules: true\n" + ], + [ + 88, + " - name: Fetch VDP\n" + ], + [ + 89, + " uses: actions/checkout@master\n" + ], + [ + 90, + " with:\n" + ], + [ + 91, + " ref: master\n" + ], + [ + 92, + " repository: VonageGarage/VDP\n" + ], + [ + 93, + " token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 94, + " path: vdp\n" + ], + [ + 95, + " submodules: true\n" + ], + [ + 96, + " - name: Precompile assets ENV=test\n" + ], + [ + 97, + " env:\n" + ], + [ + 98, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 99, + " DISABLE_SSL: 1\n" + ], + [ + 100, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 101, + " RAILS_ENV: test\n" + ], + [ + 102, + " run: bundle exec rails assets:precompile\n" + ], + [ + 
103, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 104, + " - name: Run Platform Tests\n" + ], + [ + 105, + " env:\n" + ], + [ + 106, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 107, + " DOCS_BASE_PATH: ./spec/fixtures\n" + ], + [ + 108, + " BLOG_PATH: ./spec/fixtures/_blog\n" + ], + [ + 109, + " OAS_PATH: ./spec/fixtures/api_specs/definitions\n" + ], + [ + 110, + " FORCE_COLOR: true\n" + ], + [ + 111, + " run: |\n" + ], + [ + 112, + " bundle exec rails db:create\n" + ], + [ + 113, + " bundle exec rails db:migrate\n" + ], + [ + 114, + " bundle exec rake spec\n" + ], + [ + 115, + " bundle exec rubocop\n" + ], + [ + 116, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 117, + " - name: Run NDP Tests\n" + ], + [ + 118, + " env:\n" + ], + [ + 119, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 120, + " DOCS_BASE_PATH: ${{ github.workspace }}/ndp\n" + ], + [ + 121, + " OAS_PATH: ${{ github.workspace }}/ndp/_open_api/api_specs/definitions\n" + ], + [ + 122, + " FORCE_COLOR: true\n" + ], + [ + 123, + " run: |\n" + ], + [ + 124, + " bundle exec rake ci:verify_pages\n" + ], + [ + 125, + " bundle exec rake ci:verify_navigation\n" + ], + [ + 126, + " bundle exec rake ci:verify_oas_reference\n" + ], + [ + 127, + " RAILS_ENV=test bundle exec rake ci:verify_error_urls_resolve\n" + ], + [ + 128, + " bundle exec rake ci:check_word_blocklist\n" + ], + [ + 129, + " bundle exec rake ci:check_ruby_version\n" + ], + [ + 130, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 131, + " - name: Run VDP Tests\n" + ], + [ + 132, + " env:\n" + ], + [ + 133, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 134, + " DOCS_BASE_PATH: ${{ github.workspace }}/vdp\n" + ], + [ + 135, + " OAS_PATH: ${{ github.workspace }}/vdp/_open_api/definitions\n" + ], + [ + 136, + " FORCE_COLOR: true\n" + ], + [ + 137, + " run: |\n" + ], + [ + 138, + " bundle exec rake ci:verify_pages\n" + ], + [ + 139, + " bundle exec rake ci:verify_navigation\n" + ], + [ + 140, + " bundle exec rake 
ci:verify_oas_reference\n" + ], + [ + 141, + " bundle exec rake ci:check_word_blocklist\n" + ], + [ + 142, + " bundle exec rake ci:check_ruby_version\n" + ], + [ + 143, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 144, + " - name: Run Javascript Tests\n" + ], + [ + 145, + " run: |\n" + ], + [ + 146, + " yarn test\n" + ], + [ + 147, + " - name: Spell checker\n" + ], + [ + 148, + " env:\n" + ], + [ + 149, + " FORCE_COLOR: true\n" + ], + [ + 150, + " run: |\n" + ], + [ + 151, + " ./node_modules/.bin/mdspell -r -n -a --en-us '_documentation/en/**/*.md' '_partials/*.md' '_partials/**/*.md' '_modals/**/*.md' '_tutorials/**/*.md'\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 9, + 153 + ], + "resource": "jobs(build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-18.04", + "services": { + "db": { + "env": { + "POSTGRES_USER": "postgres", + "POSTGRES_DB": "nexmo_developer_test", + "POSTGRES_HOST_AUTH_METHOD": "trust", + "__startline__": 13, + "__endline__": 16 + }, + "image": "postgres:11", + "ports": [ + "5432:5432" + ], + "options": "--health-cmd 
pg_isready --health-interval 10s --health-timeout 5s --health-retries 5", + "__startline__": 12, + "__endline__": 24 + }, + "__startline__": 11, + "__endline__": 24 + }, + "steps": [ + { + "uses": "actions/checkout@v2", + "with": { + "submodules": "recursive", + "__startline__": 27, + "__endline__": 28 + }, + "__startline__": 25, + "__endline__": 28 + }, + { + "uses": "actions/setup-node@v1", + "with": { + "node-version": "12.x", + "__startline__": 30, + "__endline__": 31 + }, + "__startline__": 28, + "__endline__": 31 + }, + { + "name": "Find yarn cache location", + "id": "yarn-cache", + "run": "echo \"::set-output name=dir::$(yarn cache dir)\"", + "__startline__": 31, + "__endline__": 34 + }, + { + "name": "JS package cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.yarn-cache.outputs.dir }}", + "key": "${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}", + "restore-keys": "${{ runner.os }}-yarn-\n", + "__startline__": 37, + "__endline__": 41 + }, + "__startline__": 34, + "__endline__": 41 + }, + { + "name": "Install packages", + "run": "yarn install --pure-lockfile\n", + "__startline__": 41, + "__endline__": 44 + }, + { + "name": "Set up Ruby 3.0.0", + "uses": "ruby/setup-ruby@v1", + "with": { + "ruby-version": "3.0.0", + "__startline__": 47, + "__endline__": 48 + }, + "__startline__": 44, + "__endline__": 48 + }, + { + "name": "Ruby gem cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ github.workspace }}/vendor/bundle", + "key": "${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}", + "restore-keys": "${{ runner.os }}-gems-\n", + "__startline__": 51, + "__endline__": 55 + }, + "__startline__": 48, + "__endline__": 55 + }, + { + "name": "Install postgres headers", + "run": "sudo apt-get -yqq install libpq-dev", + "__startline__": 55, + "__endline__": 57 + }, + { + "name": "Bundle Setup", + "run": "gem update --system 3.1.4 -N\ngem install --no-document bundler\nbundle config path ${{ github.workspace 
}}/vendor/bundle\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 57, + "__endline__": 63 + }, + { + "name": "Bundle Install", + "env": { + "POSTGRES_USERNAME": "postgres", + "__startline__": 65, + "__endline__": 66 + }, + "run": "bundle install --jobs 4 --retry 3 --deployment\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 63, + "__endline__": 70 + }, + { + "name": "Precompile assets", + "env": { + "DOCS_BASE_PATH": "./spec/fixtures", + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "production", + "__startline__": 72, + "__endline__": 77 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 70, + "__endline__": 80 + }, + { + "name": "Fetch NDP", + "uses": "actions/checkout@master", + "with": { + "ref": "main", + "repository": "nexmo/nexmo-developer", + "token": "${{ secrets.GITHUB_TOKEN }}", + "path": "ndp", + "submodules": true, + "__startline__": 83, + "__endline__": 88 + }, + "__startline__": 80, + "__endline__": 88 + }, + { + "name": "Fetch VDP", + "uses": "actions/checkout@master", + "with": { + "ref": "master", + "repository": "VonageGarage/VDP", + "token": "${{ secrets.GITHUB_TOKEN }}", + "path": "vdp", + "submodules": true, + "__startline__": 91, + "__endline__": 96 + }, + "__startline__": 88, + "__endline__": 96 + }, + { + "name": "Precompile assets ENV=test", + "env": { + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "test", + "__startline__": 98, + "__endline__": 102 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 96, + "__endline__": 104 + }, + { + "name": "Run Platform Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "./spec/fixtures", + "BLOG_PATH": "./spec/fixtures/_blog", + "OAS_PATH": "./spec/fixtures/api_specs/definitions", + "FORCE_COLOR": true, + 
"__startline__": 106, + "__endline__": 111 + }, + "run": "bundle exec rails db:create\nbundle exec rails db:migrate\nbundle exec rake spec\nbundle exec rubocop\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 104, + "__endline__": 117 + }, + { + "name": "Run NDP Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "${{ github.workspace }}/ndp", + "OAS_PATH": "${{ github.workspace }}/ndp/_open_api/api_specs/definitions", + "FORCE_COLOR": true, + "__startline__": 119, + "__endline__": 123 + }, + "run": "bundle exec rake ci:verify_pages\nbundle exec rake ci:verify_navigation\nbundle exec rake ci:verify_oas_reference\nRAILS_ENV=test bundle exec rake ci:verify_error_urls_resolve\nbundle exec rake ci:check_word_blocklist\nbundle exec rake ci:check_ruby_version\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 117, + "__endline__": 131 + }, + { + "name": "Run VDP Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "${{ github.workspace }}/vdp", + "OAS_PATH": "${{ github.workspace }}/vdp/_open_api/definitions", + "FORCE_COLOR": true, + "__startline__": 133, + "__endline__": 137 + }, + "run": "bundle exec rake ci:verify_pages\nbundle exec rake ci:verify_navigation\nbundle exec rake ci:verify_oas_reference\nbundle exec rake ci:check_word_blocklist\nbundle exec rake ci:check_ruby_version\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 131, + "__endline__": 144 + }, + { + "name": "Run Javascript Tests", + "run": "yarn test\n", + "__startline__": 144, + "__endline__": 147 + }, + { + "name": "Spell checker", + "env": { + "FORCE_COLOR": true, + "__startline__": 149, + "__endline__": 150 + }, + "run": "./node_modules/.bin/mdspell -r -n -a --en-us '_documentation/en/**/*.md' '_partials/*.md' '_partials/**/*.md' '_modals/**/*.md' '_tutorials/**/*.md'\n", + "__startline__": 147, + "__endline__": 152 + } + ], + "__startline__": 9, + "__endline__": 152 + } + }, + "code_block": [ 
+ [ + 9, + " runs-on: ubuntu-18.04\n" + ], + [ + 10, + " services:\n" + ], + [ + 11, + " db:\n" + ], + [ + 12, + " env:\n" + ], + [ + 13, + " POSTGRES_USER: postgres\n" + ], + [ + 14, + " POSTGRES_DB: nexmo_developer_test\n" + ], + [ + 15, + " POSTGRES_HOST_AUTH_METHOD: trust\n" + ], + [ + 16, + " image: postgres:11\n" + ], + [ + 17, + " ports: ['5432:5432']\n" + ], + [ + 18, + " options: >-\n" + ], + [ + 19, + " --health-cmd pg_isready\n" + ], + [ + 20, + " --health-interval 10s\n" + ], + [ + 21, + " --health-timeout 5s\n" + ], + [ + 22, + " --health-retries 5\n" + ], + [ + 23, + "\n" + ], + [ + 24, + " steps:\n" + ], + [ + 25, + " - uses: actions/checkout@v2\n" + ], + [ + 26, + " with:\n" + ], + [ + 27, + " submodules: recursive\n" + ], + [ + 28, + " - uses: actions/setup-node@v1\n" + ], + [ + 29, + " with:\n" + ], + [ + 30, + " node-version: '12.x'\n" + ], + [ + 31, + " - name: Find yarn cache location\n" + ], + [ + 32, + " id: yarn-cache\n" + ], + [ + 33, + " run: echo \"::set-output name=dir::$(yarn cache dir)\"\n" + ], + [ + 34, + " - name: JS package cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ], + [ + 36, + " with:\n" + ], + [ + 37, + " path: ${{ steps.yarn-cache.outputs.dir }}\n" + ], + [ + 38, + " key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}\n" + ], + [ + 39, + " restore-keys: |\n" + ], + [ + 40, + " ${{ runner.os }}-yarn-\n" + ], + [ + 41, + " - name: Install packages\n" + ], + [ + 42, + " run: |\n" + ], + [ + 43, + " yarn install --pure-lockfile\n" + ], + [ + 44, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 45, + " uses: ruby/setup-ruby@v1\n" + ], + [ + 46, + " with:\n" + ], + [ + 47, + " ruby-version: 3.0.0\n" + ], + [ + 48, + " - name: Ruby gem cache\n" + ], + [ + 49, + " uses: actions/cache@v2\n" + ], + [ + 50, + " with:\n" + ], + [ + 51, + " path: ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 52, + " key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}\n" + ], + [ + 53, + " restore-keys: |\n" + ], + [ + 54, 
+ " ${{ runner.os }}-gems-\n" + ], + [ + 55, + " - name: Install postgres headers\n" + ], + [ + 56, + " run: sudo apt-get -yqq install libpq-dev\n" + ], + [ + 57, + " - name: Bundle Setup\n" + ], + [ + 58, + " run: |\n" + ], + [ + 59, + " gem update --system 3.1.4 -N\n" + ], + [ + 60, + " gem install --no-document bundler\n" + ], + [ + 61, + " bundle config path ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 62, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 63, + " - name: Bundle Install\n" + ], + [ + 64, + " env:\n" + ], + [ + 65, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 66, + " run: |\n" + ], + [ + 67, + " bundle install --jobs 4 --retry 3 --deployment\n" + ], + [ + 68, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 69, + "\n" + ], + [ + 70, + " - name: Precompile assets\n" + ], + [ + 71, + " env:\n" + ], + [ + 72, + " DOCS_BASE_PATH: ./spec/fixtures\n" + ], + [ + 73, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 74, + " DISABLE_SSL: 1\n" + ], + [ + 75, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 76, + " RAILS_ENV: production\n" + ], + [ + 77, + " run: bundle exec rails assets:precompile\n" + ], + [ + 78, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 79, + "\n" + ], + [ + 80, + " - name: Fetch NDP\n" + ], + [ + 81, + " uses: actions/checkout@master\n" + ], + [ + 82, + " with:\n" + ], + [ + 83, + " ref: main\n" + ], + [ + 84, + " repository: nexmo/nexmo-developer\n" + ], + [ + 85, + " token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 86, + " path: ndp\n" + ], + [ + 87, + " submodules: true\n" + ], + [ + 88, + " - name: Fetch VDP\n" + ], + [ + 89, + " uses: actions/checkout@master\n" + ], + [ + 90, + " with:\n" + ], + [ + 91, + " ref: master\n" + ], + [ + 92, + " repository: VonageGarage/VDP\n" + ], + [ + 93, + " token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 94, + " path: vdp\n" + ], + [ + 95, + " submodules: true\n" + ], + [ + 96, + " - name: Precompile assets ENV=test\n" + ], + [ + 97, + " env:\n" + ], + [ + 98, + " 
RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 99, + " DISABLE_SSL: 1\n" + ], + [ + 100, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 101, + " RAILS_ENV: test\n" + ], + [ + 102, + " run: bundle exec rails assets:precompile\n" + ], + [ + 103, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 104, + " - name: Run Platform Tests\n" + ], + [ + 105, + " env:\n" + ], + [ + 106, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 107, + " DOCS_BASE_PATH: ./spec/fixtures\n" + ], + [ + 108, + " BLOG_PATH: ./spec/fixtures/_blog\n" + ], + [ + 109, + " OAS_PATH: ./spec/fixtures/api_specs/definitions\n" + ], + [ + 110, + " FORCE_COLOR: true\n" + ], + [ + 111, + " run: |\n" + ], + [ + 112, + " bundle exec rails db:create\n" + ], + [ + 113, + " bundle exec rails db:migrate\n" + ], + [ + 114, + " bundle exec rake spec\n" + ], + [ + 115, + " bundle exec rubocop\n" + ], + [ + 116, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 117, + " - name: Run NDP Tests\n" + ], + [ + 118, + " env:\n" + ], + [ + 119, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 120, + " DOCS_BASE_PATH: ${{ github.workspace }}/ndp\n" + ], + [ + 121, + " OAS_PATH: ${{ github.workspace }}/ndp/_open_api/api_specs/definitions\n" + ], + [ + 122, + " FORCE_COLOR: true\n" + ], + [ + 123, + " run: |\n" + ], + [ + 124, + " bundle exec rake ci:verify_pages\n" + ], + [ + 125, + " bundle exec rake ci:verify_navigation\n" + ], + [ + 126, + " bundle exec rake ci:verify_oas_reference\n" + ], + [ + 127, + " RAILS_ENV=test bundle exec rake ci:verify_error_urls_resolve\n" + ], + [ + 128, + " bundle exec rake ci:check_word_blocklist\n" + ], + [ + 129, + " bundle exec rake ci:check_ruby_version\n" + ], + [ + 130, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 131, + " - name: Run VDP Tests\n" + ], + [ + 132, + " env:\n" + ], + [ + 133, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 134, + " DOCS_BASE_PATH: ${{ github.workspace }}/vdp\n" + ], + [ + 135, + " OAS_PATH: ${{ github.workspace 
}}/vdp/_open_api/definitions\n" + ], + [ + 136, + " FORCE_COLOR: true\n" + ], + [ + 137, + " run: |\n" + ], + [ + 138, + " bundle exec rake ci:verify_pages\n" + ], + [ + 139, + " bundle exec rake ci:verify_navigation\n" + ], + [ + 140, + " bundle exec rake ci:verify_oas_reference\n" + ], + [ + 141, + " bundle exec rake ci:check_word_blocklist\n" + ], + [ + 142, + " bundle exec rake ci:check_ruby_version\n" + ], + [ + 143, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 144, + " - name: Run Javascript Tests\n" + ], + [ + 145, + " run: |\n" + ], + [ + 146, + " yarn test\n" + ], + [ + 147, + " - name: Spell checker\n" + ], + [ + 148, + " env:\n" + ], + [ + 149, + " FORCE_COLOR: true\n" + ], + [ + 150, + " run: |\n" + ], + [ + 151, + " ./node_modules/.bin/mdspell -r -n -a --en-us '_documentation/en/**/*.md' '_partials/*.md' '_partials/**/*.md' '_modals/**/*.md' '_tutorials/**/*.md'\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 9, + 153 + ], + "resource": "jobs(build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_7", + "bc_check_id": null, + "check_name": "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. 
GitHub Actions workflow_dispatch inputs MUST be empty. ", + "check_result": { + "result": "PASSED", + "results_configuration": { + "push": { + "__startline__": 3, + "__endline__": 3 + }, + "pull_request": { + "types": [ + "opened", + "synchronize" + ], + "__startline__": 5, + "__endline__": 7 + }, + "__startline__": 3, + "__endline__": 7 + } + }, + "code_block": [ + [ + 3, + " push: {}\n" + ], + [ + 4, + " pull_request:\n" + ], + [ + 5, + " types: [opened, synchronize]\n" + ], + [ + 6, + "\n" + ], + [ + 7, + "jobs:\n" + ], + [ + 8, + " build:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 3, + 8 + ], + "resource": "on(CI)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.EmptyWorkflowDispatch", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/checkout@v2", + "with": { + "submodules": "recursive", + "__startline__": 27, + "__endline__": 28 + }, + "__startline__": 25, + "__endline__": 28 + } + }, + "code_block": [ + [ + 25, + " - uses: actions/checkout@v2\n" + ], + [ + 26, + " with:\n" + ], + [ + 27, + " submodules: recursive\n" + ], + [ + 28, + " - uses: actions/setup-node@v1\n" + ], + [ + 29, + 
" with:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 25, + 29 + ], + "resource": "jobs(build).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/setup-node@v1", + "with": { + "node-version": "12.x", + "__startline__": 30, + "__endline__": 31 + }, + "__startline__": 28, + "__endline__": 31 + } + }, + "code_block": [ + [ + 28, + " - uses: actions/setup-node@v1\n" + ], + [ + 29, + " with:\n" + ], + [ + 30, + " node-version: '12.x'\n" + ], + [ + 31, + " - name: Find yarn cache location\n" + ], + [ + 32, + " id: yarn-cache\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 28, + 32 + ], + "resource": "jobs(build).steps[2]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, 
+ "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Find yarn cache location", + "id": "yarn-cache", + "run": "echo \"::set-output name=dir::$(yarn cache dir)\"", + "__startline__": 31, + "__endline__": 34 + } + }, + "code_block": [ + [ + 31, + " - name: Find yarn cache location\n" + ], + [ + 32, + " id: yarn-cache\n" + ], + [ + 33, + " run: echo \"::set-output name=dir::$(yarn cache dir)\"\n" + ], + [ + 34, + " - name: JS package cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 31, + 35 + ], + "resource": "jobs(build).steps[3](Find yarn cache location)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_1", + 
"bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "JS package cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.yarn-cache.outputs.dir }}", + "key": "${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}", + "restore-keys": "${{ runner.os }}-yarn-\n", + "__startline__": 37, + "__endline__": 41 + }, + "__startline__": 34, + "__endline__": 41 + } + }, + "code_block": [ + [ + 34, + " - name: JS package cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ], + [ + 36, + " with:\n" + ], + [ + 37, + " path: ${{ steps.yarn-cache.outputs.dir }}\n" + ], + [ + 38, + " key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}\n" + ], + [ + 39, + " restore-keys: |\n" + ], + [ + 40, + " ${{ runner.os }}-yarn-\n" + ], + [ + 41, + " - name: Install packages\n" + ], + [ + 42, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 34, + 42 + ], + "resource": "jobs(build).steps[4](JS package cache)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment 
variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install packages", + "run": "yarn install --pure-lockfile\n", + "__startline__": 41, + "__endline__": 44 + } + }, + "code_block": [ + [ + 41, + " - name: Install packages\n" + ], + [ + 42, + " run: |\n" + ], + [ + 43, + " yarn install --pure-lockfile\n" + ], + [ + 44, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 45, + " uses: ruby/setup-ruby@v1\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 41, + 45 + ], + "resource": "jobs(build).steps[5](Install packages)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Set up Ruby 3.0.0", + "uses": "ruby/setup-ruby@v1", + "with": { + "ruby-version": "3.0.0", + "__startline__": 47, + "__endline__": 48 + }, + "__startline__": 44, + "__endline__": 48 + } + }, + "code_block": [ + [ + 44, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 45, + " uses: ruby/setup-ruby@v1\n" + ], + [ + 46, + " with:\n" + ], + [ + 47, + " ruby-version: 3.0.0\n" + ], + [ + 48, + " - name: Ruby gem cache\n" + ], + [ + 49, + 
" uses: actions/cache@v2\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 44, + 49 + ], + "resource": "jobs(build).steps[6](Set up Ruby 3.0.0)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Ruby gem cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ github.workspace }}/vendor/bundle", + "key": "${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}", + "restore-keys": "${{ runner.os }}-gems-\n", + "__startline__": 51, + "__endline__": 55 + }, + "__startline__": 48, + "__endline__": 55 + } + }, + "code_block": [ + [ + 48, + " - name: Ruby gem cache\n" + ], + [ + 49, + " uses: actions/cache@v2\n" + ], + [ + 50, + " with:\n" + ], + [ + 51, + " path: ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 52, + " key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}\n" + ], + [ + 53, + " restore-keys: |\n" + ], + [ + 54, + " ${{ runner.os }}-gems-\n" + ], + [ + 55, + " - name: Install postgres headers\n" + ], + [ + 56, + " run: sudo apt-get -yqq install libpq-dev\n" + ] + ], + "file_path": 
"/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 48, + 56 + ], + "resource": "jobs(build).steps[7](Ruby gem cache)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install postgres headers", + "run": "sudo apt-get -yqq install libpq-dev", + "__startline__": 55, + "__endline__": 57 + } + }, + "code_block": [ + [ + 55, + " - name: Install postgres headers\n" + ], + [ + 56, + " run: sudo apt-get -yqq install libpq-dev\n" + ], + [ + 57, + " - name: Bundle Setup\n" + ], + [ + 58, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 55, + 58 + ], + "resource": "jobs(build).steps[8](Install postgres headers)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + 
"benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Bundle Setup", + "run": "gem update --system 3.1.4 -N\ngem install --no-document bundler\nbundle config path ${{ github.workspace }}/vendor/bundle\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 57, + "__endline__": 63 + } + }, + "code_block": [ + [ + 57, + " - name: Bundle Setup\n" + ], + [ + 58, + " run: |\n" + ], + [ + 59, + " gem update --system 3.1.4 -N\n" + ], + [ + 60, + " gem install --no-document bundler\n" + ], + [ + 61, + " bundle config path ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 62, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 63, + " - name: Bundle Install\n" + ], + [ + 64, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 57, + 64 + ], + "resource": "jobs(build).steps[9](Bundle Setup)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + 
"definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Bundle Install", + "env": { + "POSTGRES_USERNAME": "postgres", + "__startline__": 65, + "__endline__": 66 + }, + "run": "bundle install --jobs 4 --retry 3 --deployment\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 63, + "__endline__": 70 + } + }, + "code_block": [ + [ + 63, + " - name: Bundle Install\n" + ], + [ + 64, + " env:\n" + ], + [ + 65, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 66, + " run: |\n" + ], + [ + 67, + " bundle install --jobs 4 --retry 3 --deployment\n" + ], + [ + 68, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 69, + "\n" + ], + [ + 70, + " - name: Precompile assets\n" + ], + [ + 71, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 63, + 71 + ], + "resource": "jobs(build).steps[10](Bundle Install)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + 
"check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Precompile assets", + "env": { + "DOCS_BASE_PATH": "./spec/fixtures", + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "production", + "__startline__": 72, + "__endline__": 77 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 70, + "__endline__": 80 + } + }, + "code_block": [ + [ + 70, + " - name: Precompile assets\n" + ], + [ + 71, + " env:\n" + ], + [ + 72, + " DOCS_BASE_PATH: ./spec/fixtures\n" + ], + [ + 73, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 74, + " DISABLE_SSL: 1\n" + ], + [ + 75, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 76, + " RAILS_ENV: production\n" + ], + [ + 77, + " run: bundle exec rails assets:precompile\n" + ], + [ + 78, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 79, + "\n" + ], + [ + 80, + " - name: Fetch NDP\n" + ], + [ + 81, + " uses: actions/checkout@master\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 70, + 81 + ], + "resource": "jobs(build).steps[11](Precompile assets)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" 
+ }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Fetch NDP", + "uses": "actions/checkout@master", + "with": { + "ref": "main", + "repository": "nexmo/nexmo-developer", + "token": "${{ secrets.GITHUB_TOKEN }}", + "path": "ndp", + "submodules": true, + "__startline__": 83, + "__endline__": 88 + }, + "__startline__": 80, + "__endline__": 88 + } + }, + "code_block": [ + [ + 80, + " - name: Fetch NDP\n" + ], + [ + 81, + " uses: actions/checkout@master\n" + ], + [ + 82, + " with:\n" + ], + [ + 83, + " ref: main\n" + ], + [ + 84, + " repository: nexmo/nexmo-developer\n" + ], + [ + 85, + " token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 86, + " path: ndp\n" + ], + [ + 87, + " submodules: true\n" + ], + [ + 88, + " - name: Fetch VDP\n" + ], + [ + 89, + " uses: actions/checkout@master\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 80, + 89 + ], + "resource": "jobs(build).steps[12](Fetch NDP)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on 
environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Fetch VDP", + "uses": "actions/checkout@master", + "with": { + "ref": "master", + "repository": "VonageGarage/VDP", + "token": "${{ secrets.GITHUB_TOKEN }}", + "path": "vdp", + "submodules": true, + "__startline__": 91, + "__endline__": 96 + }, + "__startline__": 88, + "__endline__": 96 + } + }, + "code_block": [ + [ + 88, + " - name: Fetch VDP\n" + ], + [ + 89, + " uses: actions/checkout@master\n" + ], + [ + 90, + " with:\n" + ], + [ + 91, + " ref: master\n" + ], + [ + 92, + " repository: VonageGarage/VDP\n" + ], + [ + 93, + " token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 94, + " path: vdp\n" + ], + [ + 95, + " submodules: true\n" + ], + [ + 96, + " - name: Precompile assets ENV=test\n" + ], + [ + 97, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 88, + 97 + ], + "resource": "jobs(build).steps[13](Fetch VDP)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Precompile assets ENV=test", + "env": { + 
"RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "test", + "__startline__": 98, + "__endline__": 102 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 96, + "__endline__": 104 + } + }, + "code_block": [ + [ + 96, + " - name: Precompile assets ENV=test\n" + ], + [ + 97, + " env:\n" + ], + [ + 98, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 99, + " DISABLE_SSL: 1\n" + ], + [ + 100, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 101, + " RAILS_ENV: test\n" + ], + [ + 102, + " run: bundle exec rails assets:precompile\n" + ], + [ + 103, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 104, + " - name: Run Platform Tests\n" + ], + [ + 105, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 96, + 105 + ], + "resource": "jobs(build).steps[14](Precompile assets ENV=test)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run Platform Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": 
"./spec/fixtures", + "BLOG_PATH": "./spec/fixtures/_blog", + "OAS_PATH": "./spec/fixtures/api_specs/definitions", + "FORCE_COLOR": true, + "__startline__": 106, + "__endline__": 111 + }, + "run": "bundle exec rails db:create\nbundle exec rails db:migrate\nbundle exec rake spec\nbundle exec rubocop\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 104, + "__endline__": 117 + } + }, + "code_block": [ + [ + 104, + " - name: Run Platform Tests\n" + ], + [ + 105, + " env:\n" + ], + [ + 106, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 107, + " DOCS_BASE_PATH: ./spec/fixtures\n" + ], + [ + 108, + " BLOG_PATH: ./spec/fixtures/_blog\n" + ], + [ + 109, + " OAS_PATH: ./spec/fixtures/api_specs/definitions\n" + ], + [ + 110, + " FORCE_COLOR: true\n" + ], + [ + 111, + " run: |\n" + ], + [ + 112, + " bundle exec rails db:create\n" + ], + [ + 113, + " bundle exec rails db:migrate\n" + ], + [ + 114, + " bundle exec rake spec\n" + ], + [ + 115, + " bundle exec rubocop\n" + ], + [ + 116, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 117, + " - name: Run NDP Tests\n" + ], + [ + 118, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 104, + 118 + ], + "resource": "jobs(build).steps[15](Run Platform Tests)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], 
+ "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run NDP Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "${{ github.workspace }}/ndp", + "OAS_PATH": "${{ github.workspace }}/ndp/_open_api/api_specs/definitions", + "FORCE_COLOR": true, + "__startline__": 119, + "__endline__": 123 + }, + "run": "bundle exec rake ci:verify_pages\nbundle exec rake ci:verify_navigation\nbundle exec rake ci:verify_oas_reference\nRAILS_ENV=test bundle exec rake ci:verify_error_urls_resolve\nbundle exec rake ci:check_word_blocklist\nbundle exec rake ci:check_ruby_version\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 117, + "__endline__": 131 + } + }, + "code_block": [ + [ + 117, + " - name: Run NDP Tests\n" + ], + [ + 118, + " env:\n" + ], + [ + 119, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 120, + " DOCS_BASE_PATH: ${{ github.workspace }}/ndp\n" + ], + [ + 121, + " OAS_PATH: ${{ github.workspace }}/ndp/_open_api/api_specs/definitions\n" + ], + [ + 122, + " FORCE_COLOR: true\n" + ], + [ + 123, + " run: |\n" + ], + [ + 124, + " bundle exec rake ci:verify_pages\n" + ], + [ + 125, + " bundle exec rake ci:verify_navigation\n" + ], + [ + 126, + " bundle exec rake ci:verify_oas_reference\n" + ], + [ + 127, + " RAILS_ENV=test bundle exec rake ci:verify_error_urls_resolve\n" + ], + [ + 128, + " bundle exec rake ci:check_word_blocklist\n" + ], + [ + 129, + " bundle exec rake ci:check_ruby_version\n" + ], + [ + 130, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 131, + " - name: Run VDP Tests\n" + ], + [ + 132, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 117, + 132 + 
], + "resource": "jobs(build).steps[16](Run NDP Tests)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run VDP Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "${{ github.workspace }}/vdp", + "OAS_PATH": "${{ github.workspace }}/vdp/_open_api/definitions", + "FORCE_COLOR": true, + "__startline__": 133, + "__endline__": 137 + }, + "run": "bundle exec rake ci:verify_pages\nbundle exec rake ci:verify_navigation\nbundle exec rake ci:verify_oas_reference\nbundle exec rake ci:check_word_blocklist\nbundle exec rake ci:check_ruby_version\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 131, + "__endline__": 144 + } + }, + "code_block": [ + [ + 131, + " - name: Run VDP Tests\n" + ], + [ + 132, + " env:\n" + ], + [ + 133, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 134, + " DOCS_BASE_PATH: ${{ github.workspace }}/vdp\n" + ], + [ + 135, + " OAS_PATH: ${{ github.workspace }}/vdp/_open_api/definitions\n" + ], + [ + 136, + " FORCE_COLOR: true\n" + ], + [ + 137, + " run: |\n" + ], + [ + 138, + " bundle exec rake ci:verify_pages\n" + ], + [ + 139, + " bundle exec rake ci:verify_navigation\n" + ], + [ + 140, + " bundle exec rake 
ci:verify_oas_reference\n" + ], + [ + 141, + " bundle exec rake ci:check_word_blocklist\n" + ], + [ + 142, + " bundle exec rake ci:check_ruby_version\n" + ], + [ + 143, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 144, + " - name: Run Javascript Tests\n" + ], + [ + 145, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 131, + 145 + ], + "resource": "jobs(build).steps[17](Run VDP Tests)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run Javascript Tests", + "run": "yarn test\n", + "__startline__": 144, + "__endline__": 147 + } + }, + "code_block": [ + [ + 144, + " - name: Run Javascript Tests\n" + ], + [ + 145, + " run: |\n" + ], + [ + 146, + " yarn test\n" + ], + [ + 147, + " - name: Spell checker\n" + ], + [ + 148, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 144, + 148 + ], + "resource": "jobs(build).steps[18](Run Javascript Tests)", + 
"evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Spell checker", + "env": { + "FORCE_COLOR": true, + "__startline__": 149, + "__endline__": 150 + }, + "run": "./node_modules/.bin/mdspell -r -n -a --en-us '_documentation/en/**/*.md' '_partials/*.md' '_partials/**/*.md' '_modals/**/*.md' '_tutorials/**/*.md'\n", + "__startline__": 147, + "__endline__": 152 + } + }, + "code_block": [ + [ + 147, + " - name: Spell checker\n" + ], + [ + 148, + " env:\n" + ], + [ + 149, + " FORCE_COLOR: true\n" + ], + [ + 150, + " run: |\n" + ], + [ + 151, + " ./node_modules/.bin/mdspell -r -n -a --en-us '_documentation/en/**/*.md' '_partials/*.md' '_partials/**/*.md' '_modals/**/*.md' '_tutorials/**/*.md'\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 147, + 153 + ], + "resource": "jobs(build).steps[19](Spell checker)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + 
"resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/checkout@v2", + "with": { + "submodules": "recursive", + "__startline__": 27, + "__endline__": 28 + }, + "__startline__": 25, + "__endline__": 28 + } + }, + "code_block": [ + [ + 25, + " - uses: actions/checkout@v2\n" + ], + [ + 26, + " with:\n" + ], + [ + 27, + " submodules: recursive\n" + ], + [ + 28, + " - uses: actions/setup-node@v1\n" + ], + [ + 29, + " with:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 25, + 29 + ], + "resource": "jobs(build).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + 
"result": "PASSED", + "results_configuration": { + "uses": "actions/setup-node@v1", + "with": { + "node-version": "12.x", + "__startline__": 30, + "__endline__": 31 + }, + "__startline__": 28, + "__endline__": 31 + } + }, + "code_block": [ + [ + 28, + " - uses: actions/setup-node@v1\n" + ], + [ + 29, + " with:\n" + ], + [ + 30, + " node-version: '12.x'\n" + ], + [ + 31, + " - name: Find yarn cache location\n" + ], + [ + 32, + " id: yarn-cache\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 28, + 32 + ], + "resource": "jobs(build).steps[2]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Find yarn cache location", + "id": "yarn-cache", + "run": "echo \"::set-output name=dir::$(yarn cache dir)\"", + "__startline__": 31, + "__endline__": 34 + } + }, + "code_block": [ + [ + 31, + " - name: Find yarn cache location\n" + ], + [ + 32, + " id: yarn-cache\n" + ], + [ + 33, + " run: echo \"::set-output name=dir::$(yarn cache dir)\"\n" + ], + [ + 34, + " - name: JS package cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ] + ], + "file_path": 
"/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 31, + 35 + ], + "resource": "jobs(build).steps[3](Find yarn cache location)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "JS package cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.yarn-cache.outputs.dir }}", + "key": "${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}", + "restore-keys": "${{ runner.os }}-yarn-\n", + "__startline__": 37, + "__endline__": 41 + }, + "__startline__": 34, + "__endline__": 41 + } + }, + "code_block": [ + [ + 34, + " - name: JS package cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ], + [ + 36, + " with:\n" + ], + [ + 37, + " path: ${{ steps.yarn-cache.outputs.dir }}\n" + ], + [ + 38, + " key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}\n" + ], + [ + 39, + " restore-keys: |\n" + ], + [ + 40, + " ${{ runner.os }}-yarn-\n" + ], + [ + 41, + " - name: Install packages\n" + ], + [ + 42, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + 
"file_line_range": [ + 34, + 42 + ], + "resource": "jobs(build).steps[4](JS package cache)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install packages", + "run": "yarn install --pure-lockfile\n", + "__startline__": 41, + "__endline__": 44 + } + }, + "code_block": [ + [ + 41, + " - name: Install packages\n" + ], + [ + 42, + " run: |\n" + ], + [ + 43, + " yarn install --pure-lockfile\n" + ], + [ + 44, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 45, + " uses: ruby/setup-ruby@v1\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 41, + 45 + ], + "resource": "jobs(build).steps[5](Install packages)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + 
"definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Set up Ruby 3.0.0", + "uses": "ruby/setup-ruby@v1", + "with": { + "ruby-version": "3.0.0", + "__startline__": 47, + "__endline__": 48 + }, + "__startline__": 44, + "__endline__": 48 + } + }, + "code_block": [ + [ + 44, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 45, + " uses: ruby/setup-ruby@v1\n" + ], + [ + 46, + " with:\n" + ], + [ + 47, + " ruby-version: 3.0.0\n" + ], + [ + 48, + " - name: Ruby gem cache\n" + ], + [ + 49, + " uses: actions/cache@v2\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 44, + 49 + ], + "resource": "jobs(build).steps[6](Set up Ruby 3.0.0)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Ruby gem cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ github.workspace }}/vendor/bundle", + 
"key": "${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}", + "restore-keys": "${{ runner.os }}-gems-\n", + "__startline__": 51, + "__endline__": 55 + }, + "__startline__": 48, + "__endline__": 55 + } + }, + "code_block": [ + [ + 48, + " - name: Ruby gem cache\n" + ], + [ + 49, + " uses: actions/cache@v2\n" + ], + [ + 50, + " with:\n" + ], + [ + 51, + " path: ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 52, + " key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}\n" + ], + [ + 53, + " restore-keys: |\n" + ], + [ + 54, + " ${{ runner.os }}-gems-\n" + ], + [ + 55, + " - name: Install postgres headers\n" + ], + [ + 56, + " run: sudo apt-get -yqq install libpq-dev\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 48, + 56 + ], + "resource": "jobs(build).steps[7](Ruby gem cache)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install postgres headers", + "run": "sudo apt-get -yqq install libpq-dev", + "__startline__": 55, + "__endline__": 57 + } + }, + "code_block": [ + [ + 55, + " - name: Install postgres headers\n" + ], + [ + 56, + " run: 
sudo apt-get -yqq install libpq-dev\n" + ], + [ + 57, + " - name: Bundle Setup\n" + ], + [ + 58, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 55, + 58 + ], + "resource": "jobs(build).steps[8](Install postgres headers)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Bundle Setup", + "run": "gem update --system 3.1.4 -N\ngem install --no-document bundler\nbundle config path ${{ github.workspace }}/vendor/bundle\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 57, + "__endline__": 63 + } + }, + "code_block": [ + [ + 57, + " - name: Bundle Setup\n" + ], + [ + 58, + " run: |\n" + ], + [ + 59, + " gem update --system 3.1.4 -N\n" + ], + [ + 60, + " gem install --no-document bundler\n" + ], + [ + 61, + " bundle config path ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 62, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 63, + " - name: Bundle Install\n" + ], + [ + 64, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": 
"/.github/workflows/ci.yml", + "file_line_range": [ + 57, + 64 + ], + "resource": "jobs(build).steps[9](Bundle Setup)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Bundle Install", + "env": { + "POSTGRES_USERNAME": "postgres", + "__startline__": 65, + "__endline__": 66 + }, + "run": "bundle install --jobs 4 --retry 3 --deployment\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 63, + "__endline__": 70 + } + }, + "code_block": [ + [ + 63, + " - name: Bundle Install\n" + ], + [ + 64, + " env:\n" + ], + [ + 65, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 66, + " run: |\n" + ], + [ + 67, + " bundle install --jobs 4 --retry 3 --deployment\n" + ], + [ + 68, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 69, + "\n" + ], + [ + 70, + " - name: Precompile assets\n" + ], + [ + 71, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 63, + 71 + ], + "resource": "jobs(build).steps[10](Bundle Install)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + 
"entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Precompile assets", + "env": { + "DOCS_BASE_PATH": "./spec/fixtures", + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "production", + "__startline__": 72, + "__endline__": 77 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 70, + "__endline__": 80 + } + }, + "code_block": [ + [ + 70, + " - name: Precompile assets\n" + ], + [ + 71, + " env:\n" + ], + [ + 72, + " DOCS_BASE_PATH: ./spec/fixtures\n" + ], + [ + 73, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 74, + " DISABLE_SSL: 1\n" + ], + [ + 75, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 76, + " RAILS_ENV: production\n" + ], + [ + 77, + " run: bundle exec rails assets:precompile\n" + ], + [ + 78, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 79, + "\n" + ], + [ + 80, + " - name: Fetch NDP\n" + ], + [ + 81, + " uses: actions/checkout@master\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 70, + 81 + ], + "resource": "jobs(build).steps[11](Precompile assets)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + 
"fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Fetch NDP", + "uses": "actions/checkout@master", + "with": { + "ref": "main", + "repository": "nexmo/nexmo-developer", + "token": "${{ secrets.GITHUB_TOKEN }}", + "path": "ndp", + "submodules": true, + "__startline__": 83, + "__endline__": 88 + }, + "__startline__": 80, + "__endline__": 88 + } + }, + "code_block": [ + [ + 80, + " - name: Fetch NDP\n" + ], + [ + 81, + " uses: actions/checkout@master\n" + ], + [ + 82, + " with:\n" + ], + [ + 83, + " ref: main\n" + ], + [ + 84, + " repository: nexmo/nexmo-developer\n" + ], + [ + 85, + " token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 86, + " path: ndp\n" + ], + [ + 87, + " submodules: true\n" + ], + [ + 88, + " - name: Fetch VDP\n" + ], + [ + 89, + " uses: actions/checkout@master\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 80, + 89 + ], + "resource": "jobs(build).steps[12](Fetch NDP)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, 
+ "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Fetch VDP", + "uses": "actions/checkout@master", + "with": { + "ref": "master", + "repository": "VonageGarage/VDP", + "token": "${{ secrets.GITHUB_TOKEN }}", + "path": "vdp", + "submodules": true, + "__startline__": 91, + "__endline__": 96 + }, + "__startline__": 88, + "__endline__": 96 + } + }, + "code_block": [ + [ + 88, + " - name: Fetch VDP\n" + ], + [ + 89, + " uses: actions/checkout@master\n" + ], + [ + 90, + " with:\n" + ], + [ + 91, + " ref: master\n" + ], + [ + 92, + " repository: VonageGarage/VDP\n" + ], + [ + 93, + " token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 94, + " path: vdp\n" + ], + [ + 95, + " submodules: true\n" + ], + [ + 96, + " - name: Precompile assets ENV=test\n" + ], + [ + 97, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 88, + 97 + ], + "resource": "jobs(build).steps[13](Fetch VDP)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + 
"definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Precompile assets ENV=test", + "env": { + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "test", + "__startline__": 98, + "__endline__": 102 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 96, + "__endline__": 104 + } + }, + "code_block": [ + [ + 96, + " - name: Precompile assets ENV=test\n" + ], + [ + 97, + " env:\n" + ], + [ + 98, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 99, + " DISABLE_SSL: 1\n" + ], + [ + 100, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 101, + " RAILS_ENV: test\n" + ], + [ + 102, + " run: bundle exec rails assets:precompile\n" + ], + [ + 103, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 104, + " - name: Run Platform Tests\n" + ], + [ + 105, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 96, + 105 + ], + "resource": "jobs(build).steps[14](Precompile assets ENV=test)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + 
] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run Platform Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "./spec/fixtures", + "BLOG_PATH": "./spec/fixtures/_blog", + "OAS_PATH": "./spec/fixtures/api_specs/definitions", + "FORCE_COLOR": true, + "__startline__": 106, + "__endline__": 111 + }, + "run": "bundle exec rails db:create\nbundle exec rails db:migrate\nbundle exec rake spec\nbundle exec rubocop\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 104, + "__endline__": 117 + } + }, + "code_block": [ + [ + 104, + " - name: Run Platform Tests\n" + ], + [ + 105, + " env:\n" + ], + [ + 106, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 107, + " DOCS_BASE_PATH: ./spec/fixtures\n" + ], + [ + 108, + " BLOG_PATH: ./spec/fixtures/_blog\n" + ], + [ + 109, + " OAS_PATH: ./spec/fixtures/api_specs/definitions\n" + ], + [ + 110, + " FORCE_COLOR: true\n" + ], + [ + 111, + " run: |\n" + ], + [ + 112, + " bundle exec rails db:create\n" + ], + [ + 113, + " bundle exec rails db:migrate\n" + ], + [ + 114, + " bundle exec rake spec\n" + ], + [ + 115, + " bundle exec rubocop\n" + ], + [ + 116, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 117, + " - name: Run NDP Tests\n" + ], + [ + 118, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 104, + 118 + ], + "resource": "jobs(build).steps[15](Run Platform Tests)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, 
+ "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run NDP Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "${{ github.workspace }}/ndp", + "OAS_PATH": "${{ github.workspace }}/ndp/_open_api/api_specs/definitions", + "FORCE_COLOR": true, + "__startline__": 119, + "__endline__": 123 + }, + "run": "bundle exec rake ci:verify_pages\nbundle exec rake ci:verify_navigation\nbundle exec rake ci:verify_oas_reference\nRAILS_ENV=test bundle exec rake ci:verify_error_urls_resolve\nbundle exec rake ci:check_word_blocklist\nbundle exec rake ci:check_ruby_version\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 117, + "__endline__": 131 + } + }, + "code_block": [ + [ + 117, + " - name: Run NDP Tests\n" + ], + [ + 118, + " env:\n" + ], + [ + 119, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 120, + " DOCS_BASE_PATH: ${{ github.workspace }}/ndp\n" + ], + [ + 121, + " OAS_PATH: ${{ github.workspace }}/ndp/_open_api/api_specs/definitions\n" + ], + [ + 122, + " FORCE_COLOR: true\n" + ], + [ + 123, + " run: |\n" + ], + [ + 124, + " bundle exec rake ci:verify_pages\n" + ], + [ + 125, + " bundle exec rake ci:verify_navigation\n" + ], + [ + 126, + " bundle exec rake ci:verify_oas_reference\n" + ], + [ + 127, + " RAILS_ENV=test bundle exec rake ci:verify_error_urls_resolve\n" + ], + [ + 128, + " bundle exec rake ci:check_word_blocklist\n" + ], + [ + 129, + " bundle exec rake ci:check_ruby_version\n" + ], + [ + 130, + " working-directory: 
./lib/nexmo_developer\n" + ], + [ + 131, + " - name: Run VDP Tests\n" + ], + [ + 132, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 117, + 132 + ], + "resource": "jobs(build).steps[16](Run NDP Tests)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run VDP Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "${{ github.workspace }}/vdp", + "OAS_PATH": "${{ github.workspace }}/vdp/_open_api/definitions", + "FORCE_COLOR": true, + "__startline__": 133, + "__endline__": 137 + }, + "run": "bundle exec rake ci:verify_pages\nbundle exec rake ci:verify_navigation\nbundle exec rake ci:verify_oas_reference\nbundle exec rake ci:check_word_blocklist\nbundle exec rake ci:check_ruby_version\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 131, + "__endline__": 144 + } + }, + "code_block": [ + [ + 131, + " - name: Run VDP Tests\n" + ], + [ + 132, + " env:\n" + ], + [ + 133, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 134, + " DOCS_BASE_PATH: ${{ github.workspace }}/vdp\n" + ], + [ + 135, + " OAS_PATH: ${{ 
github.workspace }}/vdp/_open_api/definitions\n" + ], + [ + 136, + " FORCE_COLOR: true\n" + ], + [ + 137, + " run: |\n" + ], + [ + 138, + " bundle exec rake ci:verify_pages\n" + ], + [ + 139, + " bundle exec rake ci:verify_navigation\n" + ], + [ + 140, + " bundle exec rake ci:verify_oas_reference\n" + ], + [ + 141, + " bundle exec rake ci:check_word_blocklist\n" + ], + [ + 142, + " bundle exec rake ci:check_ruby_version\n" + ], + [ + 143, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 144, + " - name: Run Javascript Tests\n" + ], + [ + 145, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 131, + 145 + ], + "resource": "jobs(build).steps[17](Run VDP Tests)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run Javascript Tests", + "run": "yarn test\n", + "__startline__": 144, + "__endline__": 147 + } + }, + "code_block": [ + [ + 144, + " - name: Run Javascript Tests\n" + ], + [ + 145, + " run: |\n" + ], + [ + 146, + " yarn test\n" + ], + [ + 147, + " - name: Spell checker\n" + ], + [ + 148, + " env:\n" + ] + ], + "file_path": 
"/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 144, + 148 + ], + "resource": "jobs(build).steps[18](Run Javascript Tests)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Spell checker", + "env": { + "FORCE_COLOR": true, + "__startline__": 149, + "__endline__": 150 + }, + "run": "./node_modules/.bin/mdspell -r -n -a --en-us '_documentation/en/**/*.md' '_partials/*.md' '_partials/**/*.md' '_modals/**/*.md' '_tutorials/**/*.md'\n", + "__startline__": 147, + "__endline__": 152 + } + }, + "code_block": [ + [ + 147, + " - name: Spell checker\n" + ], + [ + 148, + " env:\n" + ], + [ + 149, + " FORCE_COLOR: true\n" + ], + [ + 150, + " run: |\n" + ], + [ + 151, + " ./node_modules/.bin/mdspell -r -n -a --en-us '_documentation/en/**/*.md' '_partials/*.md' '_partials/**/*.md' '_modals/**/*.md' '_tutorials/**/*.md'\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 147, + 153 + ], + "resource": "jobs(build).steps[19](Spell checker)", + "evaluations": null, 
+ "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/checkout@v2", + "with": { + "submodules": "recursive", + "__startline__": 27, + "__endline__": 28 + }, + "__startline__": 25, + "__endline__": 28 + } + }, + "code_block": [ + [ + 25, + " - uses: actions/checkout@v2\n" + ], + [ + 26, + " with:\n" + ], + [ + 27, + " submodules: recursive\n" + ], + [ + 28, + " - uses: actions/setup-node@v1\n" + ], + [ + 29, + " with:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 25, + 29 + ], + "resource": "jobs(build).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + 
], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/setup-node@v1", + "with": { + "node-version": "12.x", + "__startline__": 30, + "__endline__": 31 + }, + "__startline__": 28, + "__endline__": 31 + } + }, + "code_block": [ + [ + 28, + " - uses: actions/setup-node@v1\n" + ], + [ + 29, + " with:\n" + ], + [ + 30, + " node-version: '12.x'\n" + ], + [ + 31, + " - name: Find yarn cache location\n" + ], + [ + 32, + " id: yarn-cache\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 28, + 32 + ], + "resource": "jobs(build).steps[2]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Find yarn cache location", + "id": "yarn-cache", + "run": "echo \"::set-output name=dir::$(yarn cache dir)\"", + "__startline__": 31, + "__endline__": 34 + } + }, + "code_block": [ + [ + 31, + " - name: Find yarn cache location\n" + ], + [ + 32, + " id: 
yarn-cache\n" + ], + [ + 33, + " run: echo \"::set-output name=dir::$(yarn cache dir)\"\n" + ], + [ + 34, + " - name: JS package cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 31, + 35 + ], + "resource": "jobs(build).steps[3](Find yarn cache location)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "JS package cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.yarn-cache.outputs.dir }}", + "key": "${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}", + "restore-keys": "${{ runner.os }}-yarn-\n", + "__startline__": 37, + "__endline__": 41 + }, + "__startline__": 34, + "__endline__": 41 + } + }, + "code_block": [ + [ + 34, + " - name: JS package cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ], + [ + 36, + " with:\n" + ], + [ + 37, + " path: ${{ steps.yarn-cache.outputs.dir }}\n" + ], + [ + 38, + " key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}\n" + ], + [ + 39, + " restore-keys: |\n" + ], + [ + 40, + " ${{ runner.os }}-yarn-\n" + ], + [ + 41, + " - name: 
Install packages\n" + ], + [ + 42, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 34, + 42 + ], + "resource": "jobs(build).steps[4](JS package cache)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install packages", + "run": "yarn install --pure-lockfile\n", + "__startline__": 41, + "__endline__": 44 + } + }, + "code_block": [ + [ + 41, + " - name: Install packages\n" + ], + [ + 42, + " run: |\n" + ], + [ + 43, + " yarn install --pure-lockfile\n" + ], + [ + 44, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 45, + " uses: ruby/setup-ruby@v1\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 41, + 45 + ], + "resource": "jobs(build).steps[5](Install packages)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + 
"severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Set up Ruby 3.0.0", + "uses": "ruby/setup-ruby@v1", + "with": { + "ruby-version": "3.0.0", + "__startline__": 47, + "__endline__": 48 + }, + "__startline__": 44, + "__endline__": 48 + } + }, + "code_block": [ + [ + 44, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 45, + " uses: ruby/setup-ruby@v1\n" + ], + [ + 46, + " with:\n" + ], + [ + 47, + " ruby-version: 3.0.0\n" + ], + [ + 48, + " - name: Ruby gem cache\n" + ], + [ + 49, + " uses: actions/cache@v2\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 44, + 49 + ], + "resource": "jobs(build).steps[6](Set up Ruby 3.0.0)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + 
"check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Ruby gem cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ github.workspace }}/vendor/bundle", + "key": "${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}", + "restore-keys": "${{ runner.os }}-gems-\n", + "__startline__": 51, + "__endline__": 55 + }, + "__startline__": 48, + "__endline__": 55 + } + }, + "code_block": [ + [ + 48, + " - name: Ruby gem cache\n" + ], + [ + 49, + " uses: actions/cache@v2\n" + ], + [ + 50, + " with:\n" + ], + [ + 51, + " path: ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 52, + " key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}\n" + ], + [ + 53, + " restore-keys: |\n" + ], + [ + 54, + " ${{ runner.os }}-gems-\n" + ], + [ + 55, + " - name: Install postgres headers\n" + ], + [ + 56, + " run: sudo apt-get -yqq install libpq-dev\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 48, + 56 + ], + "resource": "jobs(build).steps[7](Ruby gem cache)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + 
"result": "PASSED", + "results_configuration": { + "name": "Install postgres headers", + "run": "sudo apt-get -yqq install libpq-dev", + "__startline__": 55, + "__endline__": 57 + } + }, + "code_block": [ + [ + 55, + " - name: Install postgres headers\n" + ], + [ + 56, + " run: sudo apt-get -yqq install libpq-dev\n" + ], + [ + 57, + " - name: Bundle Setup\n" + ], + [ + 58, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 55, + 58 + ], + "resource": "jobs(build).steps[8](Install postgres headers)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Bundle Setup", + "run": "gem update --system 3.1.4 -N\ngem install --no-document bundler\nbundle config path ${{ github.workspace }}/vendor/bundle\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 57, + "__endline__": 63 + } + }, + "code_block": [ + [ + 57, + " - name: Bundle Setup\n" + ], + [ + 58, + " run: |\n" + ], + [ + 59, + " gem update --system 3.1.4 -N\n" + ], + [ + 60, + " gem install --no-document bundler\n" + ], + [ + 61, + " bundle config path ${{ github.workspace 
}}/vendor/bundle\n" + ], + [ + 62, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 63, + " - name: Bundle Install\n" + ], + [ + 64, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 57, + 64 + ], + "resource": "jobs(build).steps[9](Bundle Setup)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Bundle Install", + "env": { + "POSTGRES_USERNAME": "postgres", + "__startline__": 65, + "__endline__": 66 + }, + "run": "bundle install --jobs 4 --retry 3 --deployment\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 63, + "__endline__": 70 + } + }, + "code_block": [ + [ + 63, + " - name: Bundle Install\n" + ], + [ + 64, + " env:\n" + ], + [ + 65, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 66, + " run: |\n" + ], + [ + 67, + " bundle install --jobs 4 --retry 3 --deployment\n" + ], + [ + 68, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 69, + "\n" + ], + [ + 70, + " - name: Precompile assets\n" + ], + [ + 71, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": 
"/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 63, + 71 + ], + "resource": "jobs(build).steps[10](Bundle Install)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Precompile assets", + "env": { + "DOCS_BASE_PATH": "./spec/fixtures", + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "production", + "__startline__": 72, + "__endline__": 77 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 70, + "__endline__": 80 + } + }, + "code_block": [ + [ + 70, + " - name: Precompile assets\n" + ], + [ + 71, + " env:\n" + ], + [ + 72, + " DOCS_BASE_PATH: ./spec/fixtures\n" + ], + [ + 73, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 74, + " DISABLE_SSL: 1\n" + ], + [ + 75, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 76, + " RAILS_ENV: production\n" + ], + [ + 77, + " run: bundle exec rails assets:precompile\n" + ], + [ + 78, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 79, + "\n" + ], + [ + 80, + " - name: Fetch NDP\n" + ], + [ + 81, + " uses: actions/checkout@master\n" + ] + ], + "file_path": 
"/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 70, + 81 + ], + "resource": "jobs(build).steps[11](Precompile assets)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Fetch NDP", + "uses": "actions/checkout@master", + "with": { + "ref": "main", + "repository": "nexmo/nexmo-developer", + "token": "${{ secrets.GITHUB_TOKEN }}", + "path": "ndp", + "submodules": true, + "__startline__": 83, + "__endline__": 88 + }, + "__startline__": 80, + "__endline__": 88 + } + }, + "code_block": [ + [ + 80, + " - name: Fetch NDP\n" + ], + [ + 81, + " uses: actions/checkout@master\n" + ], + [ + 82, + " with:\n" + ], + [ + 83, + " ref: main\n" + ], + [ + 84, + " repository: nexmo/nexmo-developer\n" + ], + [ + 85, + " token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 86, + " path: ndp\n" + ], + [ + 87, + " submodules: true\n" + ], + [ + 88, + " - name: Fetch VDP\n" + ], + [ + 89, + " uses: actions/checkout@master\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + 
"file_line_range": [ + 80, + 89 + ], + "resource": "jobs(build).steps[12](Fetch NDP)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Fetch VDP", + "uses": "actions/checkout@master", + "with": { + "ref": "master", + "repository": "VonageGarage/VDP", + "token": "${{ secrets.GITHUB_TOKEN }}", + "path": "vdp", + "submodules": true, + "__startline__": 91, + "__endline__": 96 + }, + "__startline__": 88, + "__endline__": 96 + } + }, + "code_block": [ + [ + 88, + " - name: Fetch VDP\n" + ], + [ + 89, + " uses: actions/checkout@master\n" + ], + [ + 90, + " with:\n" + ], + [ + 91, + " ref: master\n" + ], + [ + 92, + " repository: VonageGarage/VDP\n" + ], + [ + 93, + " token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 94, + " path: vdp\n" + ], + [ + 95, + " submodules: true\n" + ], + [ + 96, + " - name: Precompile assets ENV=test\n" + ], + [ + 97, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 88, + 97 + ], + "resource": "jobs(build).steps[13](Fetch VDP)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + 
"fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Precompile assets ENV=test", + "env": { + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "test", + "__startline__": 98, + "__endline__": 102 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 96, + "__endline__": 104 + } + }, + "code_block": [ + [ + 96, + " - name: Precompile assets ENV=test\n" + ], + [ + 97, + " env:\n" + ], + [ + 98, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 99, + " DISABLE_SSL: 1\n" + ], + [ + 100, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 101, + " RAILS_ENV: test\n" + ], + [ + 102, + " run: bundle exec rails assets:precompile\n" + ], + [ + 103, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 104, + " - name: Run Platform Tests\n" + ], + [ + 105, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 96, + 105 + ], + "resource": "jobs(build).steps[14](Precompile assets ENV=test)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": 
null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run Platform Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "./spec/fixtures", + "BLOG_PATH": "./spec/fixtures/_blog", + "OAS_PATH": "./spec/fixtures/api_specs/definitions", + "FORCE_COLOR": true, + "__startline__": 106, + "__endline__": 111 + }, + "run": "bundle exec rails db:create\nbundle exec rails db:migrate\nbundle exec rake spec\nbundle exec rubocop\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 104, + "__endline__": 117 + } + }, + "code_block": [ + [ + 104, + " - name: Run Platform Tests\n" + ], + [ + 105, + " env:\n" + ], + [ + 106, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 107, + " DOCS_BASE_PATH: ./spec/fixtures\n" + ], + [ + 108, + " BLOG_PATH: ./spec/fixtures/_blog\n" + ], + [ + 109, + " OAS_PATH: ./spec/fixtures/api_specs/definitions\n" + ], + [ + 110, + " FORCE_COLOR: true\n" + ], + [ + 111, + " run: |\n" + ], + [ + 112, + " bundle exec rails db:create\n" + ], + [ + 113, + " bundle exec rails db:migrate\n" + ], + [ + 114, + " bundle exec rake spec\n" + ], + [ + 115, + " bundle exec rubocop\n" + ], + [ + 116, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 117, + " - name: Run NDP Tests\n" + ], + [ + 118, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": 
"/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 104, + 118 + ], + "resource": "jobs(build).steps[15](Run Platform Tests)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run NDP Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "${{ github.workspace }}/ndp", + "OAS_PATH": "${{ github.workspace }}/ndp/_open_api/api_specs/definitions", + "FORCE_COLOR": true, + "__startline__": 119, + "__endline__": 123 + }, + "run": "bundle exec rake ci:verify_pages\nbundle exec rake ci:verify_navigation\nbundle exec rake ci:verify_oas_reference\nRAILS_ENV=test bundle exec rake ci:verify_error_urls_resolve\nbundle exec rake ci:check_word_blocklist\nbundle exec rake ci:check_ruby_version\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 117, + "__endline__": 131 + } + }, + "code_block": [ + [ + 117, + " - name: Run NDP Tests\n" + ], + [ + 118, + " env:\n" + ], + [ + 119, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 120, + " DOCS_BASE_PATH: ${{ github.workspace }}/ndp\n" + ], + [ + 121, + " OAS_PATH: ${{ github.workspace }}/ndp/_open_api/api_specs/definitions\n" + ], + [ + 122, + " FORCE_COLOR: 
true\n" + ], + [ + 123, + " run: |\n" + ], + [ + 124, + " bundle exec rake ci:verify_pages\n" + ], + [ + 125, + " bundle exec rake ci:verify_navigation\n" + ], + [ + 126, + " bundle exec rake ci:verify_oas_reference\n" + ], + [ + 127, + " RAILS_ENV=test bundle exec rake ci:verify_error_urls_resolve\n" + ], + [ + 128, + " bundle exec rake ci:check_word_blocklist\n" + ], + [ + 129, + " bundle exec rake ci:check_ruby_version\n" + ], + [ + 130, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 131, + " - name: Run VDP Tests\n" + ], + [ + 132, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 117, + 132 + ], + "resource": "jobs(build).steps[16](Run NDP Tests)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run VDP Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "${{ github.workspace }}/vdp", + "OAS_PATH": "${{ github.workspace }}/vdp/_open_api/definitions", + "FORCE_COLOR": true, + "__startline__": 133, + "__endline__": 137 + }, + "run": "bundle exec rake ci:verify_pages\nbundle exec rake 
ci:verify_navigation\nbundle exec rake ci:verify_oas_reference\nbundle exec rake ci:check_word_blocklist\nbundle exec rake ci:check_ruby_version\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 131, + "__endline__": 144 + } + }, + "code_block": [ + [ + 131, + " - name: Run VDP Tests\n" + ], + [ + 132, + " env:\n" + ], + [ + 133, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 134, + " DOCS_BASE_PATH: ${{ github.workspace }}/vdp\n" + ], + [ + 135, + " OAS_PATH: ${{ github.workspace }}/vdp/_open_api/definitions\n" + ], + [ + 136, + " FORCE_COLOR: true\n" + ], + [ + 137, + " run: |\n" + ], + [ + 138, + " bundle exec rake ci:verify_pages\n" + ], + [ + 139, + " bundle exec rake ci:verify_navigation\n" + ], + [ + 140, + " bundle exec rake ci:verify_oas_reference\n" + ], + [ + 141, + " bundle exec rake ci:check_word_blocklist\n" + ], + [ + 142, + " bundle exec rake ci:check_ruby_version\n" + ], + [ + 143, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 144, + " - name: Run Javascript Tests\n" + ], + [ + 145, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 131, + 145 + ], + "resource": "jobs(build).steps[17](Run VDP Tests)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, 
+ "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run Javascript Tests", + "run": "yarn test\n", + "__startline__": 144, + "__endline__": 147 + } + }, + "code_block": [ + [ + 144, + " - name: Run Javascript Tests\n" + ], + [ + 145, + " run: |\n" + ], + [ + 146, + " yarn test\n" + ], + [ + 147, + " - name: Spell checker\n" + ], + [ + 148, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 144, + 148 + ], + "resource": "jobs(build).steps[18](Run Javascript Tests)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Spell checker", + "env": { + "FORCE_COLOR": true, + "__startline__": 149, + "__endline__": 150 + }, + "run": "./node_modules/.bin/mdspell -r -n -a --en-us '_documentation/en/**/*.md' '_partials/*.md' '_partials/**/*.md' '_modals/**/*.md' '_tutorials/**/*.md'\n", + "__startline__": 147, + "__endline__": 152 + } + }, + "code_block": [ + [ + 147, + " - name: Spell checker\n" + ], + [ + 148, + " env:\n" + ], + [ + 149, + " FORCE_COLOR: 
true\n" + ], + [ + 150, + " run: |\n" + ], + [ + 151, + " ./node_modules/.bin/mdspell -r -n -a --en-us '_documentation/en/**/*.md' '_partials/*.md' '_partials/**/*.md' '_modals/**/*.md' '_tutorials/**/*.md'\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 147, + 153 + ], + "resource": "jobs(build).steps[19](Spell checker)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/checkout@v2", + "with": { + "submodules": "recursive", + "__startline__": 27, + "__endline__": 28 + }, + "__startline__": 25, + "__endline__": 28 + } + }, + "code_block": [ + [ + 25, + " - uses: actions/checkout@v2\n" + ], + [ + 26, + " with:\n" + ], + [ + 27, + " submodules: recursive\n" + ], + [ + 28, + " - uses: actions/setup-node@v1\n" + ], + [ + 29, + " with:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 25, + 29 + ], + "resource": "jobs(build).steps[1]", + "evaluations": null, + "check_class": 
"checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/setup-node@v1", + "with": { + "node-version": "12.x", + "__startline__": 30, + "__endline__": 31 + }, + "__startline__": 28, + "__endline__": 31 + } + }, + "code_block": [ + [ + 28, + " - uses: actions/setup-node@v1\n" + ], + [ + 29, + " with:\n" + ], + [ + 30, + " node-version: '12.x'\n" + ], + [ + 31, + " - name: Find yarn cache location\n" + ], + [ + 32, + " id: yarn-cache\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 28, + 32 + ], + "resource": "jobs(build).steps[2]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + 
"build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Find yarn cache location", + "id": "yarn-cache", + "run": "echo \"::set-output name=dir::$(yarn cache dir)\"", + "__startline__": 31, + "__endline__": 34 + } + }, + "code_block": [ + [ + 31, + " - name: Find yarn cache location\n" + ], + [ + 32, + " id: yarn-cache\n" + ], + [ + 33, + " run: echo \"::set-output name=dir::$(yarn cache dir)\"\n" + ], + [ + 34, + " - name: JS package cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 31, + 35 + ], + "resource": "jobs(build).steps[3](Find yarn cache location)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "JS package cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.yarn-cache.outputs.dir }}", + "key": "${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}", + "restore-keys": "${{ runner.os }}-yarn-\n", + "__startline__": 
37, + "__endline__": 41 + }, + "__startline__": 34, + "__endline__": 41 + } + }, + "code_block": [ + [ + 34, + " - name: JS package cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ], + [ + 36, + " with:\n" + ], + [ + 37, + " path: ${{ steps.yarn-cache.outputs.dir }}\n" + ], + [ + 38, + " key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}\n" + ], + [ + 39, + " restore-keys: |\n" + ], + [ + 40, + " ${{ runner.os }}-yarn-\n" + ], + [ + 41, + " - name: Install packages\n" + ], + [ + 42, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 34, + 42 + ], + "resource": "jobs(build).steps[4](JS package cache)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install packages", + "run": "yarn install --pure-lockfile\n", + "__startline__": 41, + "__endline__": 44 + } + }, + "code_block": [ + [ + 41, + " - name: Install packages\n" + ], + [ + 42, + " run: |\n" + ], + [ + 43, + " yarn install --pure-lockfile\n" + ], + [ + 44, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 45, + " uses: ruby/setup-ruby@v1\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", 
+ "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 41, + 45 + ], + "resource": "jobs(build).steps[5](Install packages)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Set up Ruby 3.0.0", + "uses": "ruby/setup-ruby@v1", + "with": { + "ruby-version": "3.0.0", + "__startline__": 47, + "__endline__": 48 + }, + "__startline__": 44, + "__endline__": 48 + } + }, + "code_block": [ + [ + 44, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 45, + " uses: ruby/setup-ruby@v1\n" + ], + [ + 46, + " with:\n" + ], + [ + 47, + " ruby-version: 3.0.0\n" + ], + [ + 48, + " - name: Ruby gem cache\n" + ], + [ + 49, + " uses: actions/cache@v2\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 44, + 49 + ], + "resource": "jobs(build).steps[6](Set up Ruby 3.0.0)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + 
"severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Ruby gem cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ github.workspace }}/vendor/bundle", + "key": "${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}", + "restore-keys": "${{ runner.os }}-gems-\n", + "__startline__": 51, + "__endline__": 55 + }, + "__startline__": 48, + "__endline__": 55 + } + }, + "code_block": [ + [ + 48, + " - name: Ruby gem cache\n" + ], + [ + 49, + " uses: actions/cache@v2\n" + ], + [ + 50, + " with:\n" + ], + [ + 51, + " path: ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 52, + " key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}\n" + ], + [ + 53, + " restore-keys: |\n" + ], + [ + 54, + " ${{ runner.os }}-gems-\n" + ], + [ + 55, + " - name: Install postgres headers\n" + ], + [ + 56, + " run: sudo apt-get -yqq install libpq-dev\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 48, + 56 + ], + "resource": "jobs(build).steps[7](Ruby gem cache)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": 
null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install postgres headers", + "run": "sudo apt-get -yqq install libpq-dev", + "__startline__": 55, + "__endline__": 57 + } + }, + "code_block": [ + [ + 55, + " - name: Install postgres headers\n" + ], + [ + 56, + " run: sudo apt-get -yqq install libpq-dev\n" + ], + [ + 57, + " - name: Bundle Setup\n" + ], + [ + 58, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 55, + 58 + ], + "resource": "jobs(build).steps[8](Install postgres headers)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Bundle Setup", + "run": "gem update --system 3.1.4 -N\ngem install --no-document bundler\nbundle config path ${{ 
github.workspace }}/vendor/bundle\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 57, + "__endline__": 63 + } + }, + "code_block": [ + [ + 57, + " - name: Bundle Setup\n" + ], + [ + 58, + " run: |\n" + ], + [ + 59, + " gem update --system 3.1.4 -N\n" + ], + [ + 60, + " gem install --no-document bundler\n" + ], + [ + 61, + " bundle config path ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 62, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 63, + " - name: Bundle Install\n" + ], + [ + 64, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 57, + 64 + ], + "resource": "jobs(build).steps[9](Bundle Setup)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Bundle Install", + "env": { + "POSTGRES_USERNAME": "postgres", + "__startline__": 65, + "__endline__": 66 + }, + "run": "bundle install --jobs 4 --retry 3 --deployment\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 63, + "__endline__": 70 + } + }, + "code_block": [ + [ + 63, + " - name: Bundle Install\n" + ], + [ + 64, + " env:\n" + ], + [ + 65, + " 
POSTGRES_USERNAME: postgres\n" + ], + [ + 66, + " run: |\n" + ], + [ + 67, + " bundle install --jobs 4 --retry 3 --deployment\n" + ], + [ + 68, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 69, + "\n" + ], + [ + 70, + " - name: Precompile assets\n" + ], + [ + 71, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 63, + 71 + ], + "resource": "jobs(build).steps[10](Bundle Install)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Precompile assets", + "env": { + "DOCS_BASE_PATH": "./spec/fixtures", + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "production", + "__startline__": 72, + "__endline__": 77 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 70, + "__endline__": 80 + } + }, + "code_block": [ + [ + 70, + " - name: Precompile assets\n" + ], + [ + 71, + " env:\n" + ], + [ + 72, + " DOCS_BASE_PATH: ./spec/fixtures\n" + ], + [ + 73, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 74, + " DISABLE_SSL: 1\n" + ], + [ + 75, + " 
RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 76, + " RAILS_ENV: production\n" + ], + [ + 77, + " run: bundle exec rails assets:precompile\n" + ], + [ + 78, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 79, + "\n" + ], + [ + 80, + " - name: Fetch NDP\n" + ], + [ + 81, + " uses: actions/checkout@master\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 70, + 81 + ], + "resource": "jobs(build).steps[11](Precompile assets)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Fetch NDP", + "uses": "actions/checkout@master", + "with": { + "ref": "main", + "repository": "nexmo/nexmo-developer", + "token": "${{ secrets.GITHUB_TOKEN }}", + "path": "ndp", + "submodules": true, + "__startline__": 83, + "__endline__": 88 + }, + "__startline__": 80, + "__endline__": 88 + } + }, + "code_block": [ + [ + 80, + " - name: Fetch NDP\n" + ], + [ + 81, + " uses: actions/checkout@master\n" + ], + [ + 82, + " with:\n" + ], + [ + 83, + " ref: main\n" + ], + [ + 84, + " repository: nexmo/nexmo-developer\n" + ], + [ + 85, + " token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 86, + " path: 
ndp\n" + ], + [ + 87, + " submodules: true\n" + ], + [ + 88, + " - name: Fetch VDP\n" + ], + [ + 89, + " uses: actions/checkout@master\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 80, + 89 + ], + "resource": "jobs(build).steps[12](Fetch NDP)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Fetch VDP", + "uses": "actions/checkout@master", + "with": { + "ref": "master", + "repository": "VonageGarage/VDP", + "token": "${{ secrets.GITHUB_TOKEN }}", + "path": "vdp", + "submodules": true, + "__startline__": 91, + "__endline__": 96 + }, + "__startline__": 88, + "__endline__": 96 + } + }, + "code_block": [ + [ + 88, + " - name: Fetch VDP\n" + ], + [ + 89, + " uses: actions/checkout@master\n" + ], + [ + 90, + " with:\n" + ], + [ + 91, + " ref: master\n" + ], + [ + 92, + " repository: VonageGarage/VDP\n" + ], + [ + 93, + " token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 94, + " path: vdp\n" + ], + [ + 95, + " submodules: true\n" + ], + [ + 96, + " - name: Precompile assets ENV=test\n" + ], + [ + 97, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + 
"file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 88, + 97 + ], + "resource": "jobs(build).steps[13](Fetch VDP)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Precompile assets ENV=test", + "env": { + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "test", + "__startline__": 98, + "__endline__": 102 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 96, + "__endline__": 104 + } + }, + "code_block": [ + [ + 96, + " - name: Precompile assets ENV=test\n" + ], + [ + 97, + " env:\n" + ], + [ + 98, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 99, + " DISABLE_SSL: 1\n" + ], + [ + 100, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 101, + " RAILS_ENV: test\n" + ], + [ + 102, + " run: bundle exec rails assets:precompile\n" + ], + [ + 103, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 104, + " - name: Run Platform Tests\n" + ], + [ + 105, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": 
"/.github/workflows/ci.yml", + "file_line_range": [ + 96, + 105 + ], + "resource": "jobs(build).steps[14](Precompile assets ENV=test)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run Platform Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "./spec/fixtures", + "BLOG_PATH": "./spec/fixtures/_blog", + "OAS_PATH": "./spec/fixtures/api_specs/definitions", + "FORCE_COLOR": true, + "__startline__": 106, + "__endline__": 111 + }, + "run": "bundle exec rails db:create\nbundle exec rails db:migrate\nbundle exec rake spec\nbundle exec rubocop\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 104, + "__endline__": 117 + } + }, + "code_block": [ + [ + 104, + " - name: Run Platform Tests\n" + ], + [ + 105, + " env:\n" + ], + [ + 106, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 107, + " DOCS_BASE_PATH: ./spec/fixtures\n" + ], + [ + 108, + " BLOG_PATH: ./spec/fixtures/_blog\n" + ], + [ + 109, + " OAS_PATH: ./spec/fixtures/api_specs/definitions\n" + ], + [ + 110, + " FORCE_COLOR: true\n" + ], + [ + 111, + " run: |\n" + ], + [ + 112, + " bundle exec rails db:create\n" + ], + [ + 113, + " bundle exec rails db:migrate\n" + ], + [ + 114, + " bundle exec rake spec\n" + ], + [ + 
115, + " bundle exec rubocop\n" + ], + [ + 116, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 117, + " - name: Run NDP Tests\n" + ], + [ + 118, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 104, + 118 + ], + "resource": "jobs(build).steps[15](Run Platform Tests)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run NDP Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "${{ github.workspace }}/ndp", + "OAS_PATH": "${{ github.workspace }}/ndp/_open_api/api_specs/definitions", + "FORCE_COLOR": true, + "__startline__": 119, + "__endline__": 123 + }, + "run": "bundle exec rake ci:verify_pages\nbundle exec rake ci:verify_navigation\nbundle exec rake ci:verify_oas_reference\nRAILS_ENV=test bundle exec rake ci:verify_error_urls_resolve\nbundle exec rake ci:check_word_blocklist\nbundle exec rake ci:check_ruby_version\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 117, + "__endline__": 131 + } + }, + "code_block": [ + [ + 117, + " - name: Run NDP Tests\n" + ], + [ + 118, + " env:\n" + ], + [ + 119, + " 
POSTGRES_USERNAME: postgres\n" + ], + [ + 120, + " DOCS_BASE_PATH: ${{ github.workspace }}/ndp\n" + ], + [ + 121, + " OAS_PATH: ${{ github.workspace }}/ndp/_open_api/api_specs/definitions\n" + ], + [ + 122, + " FORCE_COLOR: true\n" + ], + [ + 123, + " run: |\n" + ], + [ + 124, + " bundle exec rake ci:verify_pages\n" + ], + [ + 125, + " bundle exec rake ci:verify_navigation\n" + ], + [ + 126, + " bundle exec rake ci:verify_oas_reference\n" + ], + [ + 127, + " RAILS_ENV=test bundle exec rake ci:verify_error_urls_resolve\n" + ], + [ + 128, + " bundle exec rake ci:check_word_blocklist\n" + ], + [ + 129, + " bundle exec rake ci:check_ruby_version\n" + ], + [ + 130, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 131, + " - name: Run VDP Tests\n" + ], + [ + 132, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 117, + 132 + ], + "resource": "jobs(build).steps[16](Run NDP Tests)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run VDP Tests", + "env": { + "POSTGRES_USERNAME": "postgres", + "DOCS_BASE_PATH": "${{ github.workspace }}/vdp", + "OAS_PATH": 
"${{ github.workspace }}/vdp/_open_api/definitions", + "FORCE_COLOR": true, + "__startline__": 133, + "__endline__": 137 + }, + "run": "bundle exec rake ci:verify_pages\nbundle exec rake ci:verify_navigation\nbundle exec rake ci:verify_oas_reference\nbundle exec rake ci:check_word_blocklist\nbundle exec rake ci:check_ruby_version\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 131, + "__endline__": 144 + } + }, + "code_block": [ + [ + 131, + " - name: Run VDP Tests\n" + ], + [ + 132, + " env:\n" + ], + [ + 133, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 134, + " DOCS_BASE_PATH: ${{ github.workspace }}/vdp\n" + ], + [ + 135, + " OAS_PATH: ${{ github.workspace }}/vdp/_open_api/definitions\n" + ], + [ + 136, + " FORCE_COLOR: true\n" + ], + [ + 137, + " run: |\n" + ], + [ + 138, + " bundle exec rake ci:verify_pages\n" + ], + [ + 139, + " bundle exec rake ci:verify_navigation\n" + ], + [ + 140, + " bundle exec rake ci:verify_oas_reference\n" + ], + [ + 141, + " bundle exec rake ci:check_word_blocklist\n" + ], + [ + 142, + " bundle exec rake ci:check_ruby_version\n" + ], + [ + 143, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 144, + " - name: Run Javascript Tests\n" + ], + [ + 145, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 131, + 145 + ], + "resource": "jobs(build).steps[17](Run VDP Tests)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + 
"definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run Javascript Tests", + "run": "yarn test\n", + "__startline__": 144, + "__endline__": 147 + } + }, + "code_block": [ + [ + 144, + " - name: Run Javascript Tests\n" + ], + [ + 145, + " run: |\n" + ], + [ + 146, + " yarn test\n" + ], + [ + 147, + " - name: Spell checker\n" + ], + [ + 148, + " env:\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 144, + 148 + ], + "resource": "jobs(build).steps[18](Run Javascript Tests)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Spell checker", + "env": { + "FORCE_COLOR": true, + "__startline__": 149, + "__endline__": 150 + }, + "run": "./node_modules/.bin/mdspell -r -n -a --en-us '_documentation/en/**/*.md' '_partials/*.md' '_partials/**/*.md' '_modals/**/*.md' '_tutorials/**/*.md'\n", + 
"__startline__": 147, + "__endline__": 152 + } + }, + "code_block": [ + [ + 147, + " - name: Spell checker\n" + ], + [ + 148, + " env:\n" + ], + [ + 149, + " FORCE_COLOR: true\n" + ], + [ + 150, + " run: |\n" + ], + [ + 151, + " ./node_modules/.bin/mdspell -r -n -a --en-us '_documentation/en/**/*.md' '_partials/*.md' '_partials/**/*.md' '_modals/**/*.md' '_tutorials/**/*.md'\n" + ] + ], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 147, + 153 + ], + "resource": "jobs(build).steps[19](Spell checker)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "uses": "actions/checkout@master", + "__startline__": 8, + "__endline__": 9 + }, + { + "run": "mkdir -p ./tmp/artifacts", + "__startline__": 9, + "__endline__": 10 + }, + { + "name": "Lighthouse Audit", + "uses": "fabianrbz/github-action-lighthouse-heroku@master", + "with": { + "urls": "/,/concepts/overview,/api/verify", + "outputDirectory": "./tmp/artifacts", + "__startline__": 13, + "__endline__": 15 + }, + "env": { + "GITHUB_TOKEN": "${{ 
secrets.GITHUB_TOKEN }}", + "HEROKU_AUTH_TOKEN": "${{ secrets.HEROKU_AUTH_TOKEN }}", + "__startline__": 16, + "__endline__": 18 + }, + "__startline__": 10, + "__endline__": 18 + }, + { + "name": "Upload artifacts", + "uses": "actions/upload-artifact@master", + "with": { + "name": "Lighthouse reports", + "path": "./tmp/artifacts", + "__startline__": 21, + "__endline__": 23 + }, + "__startline__": 18, + "__endline__": 23 + } + ], + "__startline__": 6, + "__endline__": 23 + } + }, + "code_block": [ + [ + 6, + " runs-on: ubuntu-latest\n" + ], + [ + 7, + " steps:\n" + ], + [ + 8, + " - uses: actions/checkout@master\n" + ], + [ + 9, + " - run: mkdir -p ./tmp/artifacts\n" + ], + [ + 10, + " - name: Lighthouse Audit\n" + ], + [ + 11, + " uses: fabianrbz/github-action-lighthouse-heroku@master\n" + ], + [ + 12, + " with:\n" + ], + [ + 13, + " urls: '/,/concepts/overview,/api/verify'\n" + ], + [ + 14, + " outputDirectory: ./tmp/artifacts\n" + ], + [ + 15, + " env:\n" + ], + [ + 16, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 17, + " HEROKU_AUTH_TOKEN: ${{ secrets.HEROKU_AUTH_TOKEN }}\n" + ], + [ + 18, + " - name: Upload artifacts\n" + ], + [ + 19, + " uses: actions/upload-artifact@master\n" + ], + [ + 20, + " with:\n" + ], + [ + 21, + " name: Lighthouse reports\n" + ], + [ + 22, + " path: ./tmp/artifacts\n" + ] + ], + "file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status-lighthouse.yml", + "repo_file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_line_range": [ + 6, + 24 + ], + "resource": "jobs(lighthouse-audit)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + 
"short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "lighthouse-audit" + ], + "workflow_name": "Lighthouse Audit" + }, + { + "check_id": "CKV_GHA_5", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sign execution in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "lighthouse-audit": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "uses": "actions/checkout@master", + "__startline__": 8, + "__endline__": 9 + }, + { + "run": "mkdir -p ./tmp/artifacts", + "__startline__": 9, + "__endline__": 10 + }, + { + "name": "Lighthouse Audit", + "uses": "fabianrbz/github-action-lighthouse-heroku@master", + "with": { + "urls": "/,/concepts/overview,/api/verify", + "outputDirectory": "./tmp/artifacts", + "__startline__": 13, + "__endline__": 15 + }, + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_AUTH_TOKEN": "${{ secrets.HEROKU_AUTH_TOKEN }}", + "__startline__": 16, + "__endline__": 18 + }, + "__startline__": 10, + "__endline__": 18 + }, + { + "name": "Upload artifacts", + "uses": "actions/upload-artifact@master", + "with": { + "name": "Lighthouse reports", + "path": "./tmp/artifacts", + "__startline__": 21, + "__endline__": 23 + }, + "__startline__": 18, + "__endline__": 23 + } + ], + "__startline__": 6, + "__endline__": 23 + }, + "__startline__": 5, + "__endline__": 23 + } + }, + "code_block": [ + [ + 5, + " lighthouse-audit:\n" + ], + [ + 6, + " runs-on: ubuntu-latest\n" + ], + [ + 7, + " steps:\n" + ], + [ + 8, + " - uses: actions/checkout@master\n" + ], + [ + 9, + " - run: mkdir -p ./tmp/artifacts\n" + ], + [ + 10, + " - name: Lighthouse Audit\n" + ], + [ + 11, + " uses: fabianrbz/github-action-lighthouse-heroku@master\n" + ], + [ + 12, + " with:\n" + ], + [ + 13, + " urls: 
'/,/concepts/overview,/api/verify'\n" + ], + [ + 14, + " outputDirectory: ./tmp/artifacts\n" + ], + [ + 15, + " env:\n" + ], + [ + 16, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 17, + " HEROKU_AUTH_TOKEN: ${{ secrets.HEROKU_AUTH_TOKEN }}\n" + ], + [ + 18, + " - name: Upload artifacts\n" + ], + [ + 19, + " uses: actions/upload-artifact@master\n" + ], + [ + 20, + " with:\n" + ], + [ + 21, + " name: Lighthouse reports\n" + ], + [ + 22, + " path: ./tmp/artifacts\n" + ] + ], + "file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status-lighthouse.yml", + "repo_file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_line_range": [ + 5, + 24 + ], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignArtifacts", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "lighthouse-audit" + ], + "workflow_name": "Lighthouse Audit" + }, + { + "check_id": "CKV_GHA_6", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sbom attestation in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "lighthouse-audit": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "uses": "actions/checkout@master", + "__startline__": 8, + "__endline__": 9 + }, + { + "run": "mkdir -p ./tmp/artifacts", + "__startline__": 9, + "__endline__": 10 + }, + { + "name": "Lighthouse Audit", + "uses": "fabianrbz/github-action-lighthouse-heroku@master", + "with": { + "urls": 
"/,/concepts/overview,/api/verify", + "outputDirectory": "./tmp/artifacts", + "__startline__": 13, + "__endline__": 15 + }, + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_AUTH_TOKEN": "${{ secrets.HEROKU_AUTH_TOKEN }}", + "__startline__": 16, + "__endline__": 18 + }, + "__startline__": 10, + "__endline__": 18 + }, + { + "name": "Upload artifacts", + "uses": "actions/upload-artifact@master", + "with": { + "name": "Lighthouse reports", + "path": "./tmp/artifacts", + "__startline__": 21, + "__endline__": 23 + }, + "__startline__": 18, + "__endline__": 23 + } + ], + "__startline__": 6, + "__endline__": 23 + }, + "__startline__": 5, + "__endline__": 23 + } + }, + "code_block": [ + [ + 5, + " lighthouse-audit:\n" + ], + [ + 6, + " runs-on: ubuntu-latest\n" + ], + [ + 7, + " steps:\n" + ], + [ + 8, + " - uses: actions/checkout@master\n" + ], + [ + 9, + " - run: mkdir -p ./tmp/artifacts\n" + ], + [ + 10, + " - name: Lighthouse Audit\n" + ], + [ + 11, + " uses: fabianrbz/github-action-lighthouse-heroku@master\n" + ], + [ + 12, + " with:\n" + ], + [ + 13, + " urls: '/,/concepts/overview,/api/verify'\n" + ], + [ + 14, + " outputDirectory: ./tmp/artifacts\n" + ], + [ + 15, + " env:\n" + ], + [ + 16, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 17, + " HEROKU_AUTH_TOKEN: ${{ secrets.HEROKU_AUTH_TOKEN }}\n" + ], + [ + 18, + " - name: Upload artifacts\n" + ], + [ + 19, + " uses: actions/upload-artifact@master\n" + ], + [ + 20, + " with:\n" + ], + [ + 21, + " name: Lighthouse reports\n" + ], + [ + 22, + " path: ./tmp/artifacts\n" + ] + ], + "file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status-lighthouse.yml", + "repo_file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_line_range": [ + 5, + 24 + ], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignSBOM", + "fixed_definition": 
null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "lighthouse-audit" + ], + "workflow_name": "Lighthouse Audit" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "uses": "actions/checkout@master", + "__startline__": 8, + "__endline__": 9 + }, + { + "run": "mkdir -p ./tmp/artifacts", + "__startline__": 9, + "__endline__": 10 + }, + { + "name": "Lighthouse Audit", + "uses": "fabianrbz/github-action-lighthouse-heroku@master", + "with": { + "urls": "/,/concepts/overview,/api/verify", + "outputDirectory": "./tmp/artifacts", + "__startline__": 13, + "__endline__": 15 + }, + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_AUTH_TOKEN": "${{ secrets.HEROKU_AUTH_TOKEN }}", + "__startline__": 16, + "__endline__": 18 + }, + "__startline__": 10, + "__endline__": 18 + }, + { + "name": "Upload artifacts", + "uses": "actions/upload-artifact@master", + "with": { + "name": "Lighthouse reports", + "path": "./tmp/artifacts", + "__startline__": 21, + "__endline__": 23 + }, + "__startline__": 18, + "__endline__": 23 + } + ], + "__startline__": 6, + "__endline__": 23 + } + }, + "code_block": [ + [ + 6, + " runs-on: ubuntu-latest\n" + ], + [ + 7, + " steps:\n" + ], + [ + 8, + " - uses: actions/checkout@master\n" + ], + [ + 9, + " - run: mkdir -p ./tmp/artifacts\n" + ], + [ + 10, + " - name: Lighthouse Audit\n" + ], + [ + 11, + " uses: fabianrbz/github-action-lighthouse-heroku@master\n" + ], + [ + 12, + " 
with:\n" + ], + [ + 13, + " urls: '/,/concepts/overview,/api/verify'\n" + ], + [ + 14, + " outputDirectory: ./tmp/artifacts\n" + ], + [ + 15, + " env:\n" + ], + [ + 16, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 17, + " HEROKU_AUTH_TOKEN: ${{ secrets.HEROKU_AUTH_TOKEN }}\n" + ], + [ + 18, + " - name: Upload artifacts\n" + ], + [ + 19, + " uses: actions/upload-artifact@master\n" + ], + [ + 20, + " with:\n" + ], + [ + 21, + " name: Lighthouse reports\n" + ], + [ + 22, + " path: ./tmp/artifacts\n" + ] + ], + "file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status-lighthouse.yml", + "repo_file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_line_range": [ + 6, + 24 + ], + "resource": "jobs(lighthouse-audit)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "lighthouse-audit" + ], + "workflow_name": "Lighthouse Audit" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "uses": "actions/checkout@master", + "__startline__": 8, + "__endline__": 9 + }, + { + "run": "mkdir -p ./tmp/artifacts", + "__startline__": 9, + "__endline__": 10 + }, + { + "name": "Lighthouse Audit", + "uses": "fabianrbz/github-action-lighthouse-heroku@master", + "with": { + "urls": 
"/,/concepts/overview,/api/verify", + "outputDirectory": "./tmp/artifacts", + "__startline__": 13, + "__endline__": 15 + }, + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_AUTH_TOKEN": "${{ secrets.HEROKU_AUTH_TOKEN }}", + "__startline__": 16, + "__endline__": 18 + }, + "__startline__": 10, + "__endline__": 18 + }, + { + "name": "Upload artifacts", + "uses": "actions/upload-artifact@master", + "with": { + "name": "Lighthouse reports", + "path": "./tmp/artifacts", + "__startline__": 21, + "__endline__": 23 + }, + "__startline__": 18, + "__endline__": 23 + } + ], + "__startline__": 6, + "__endline__": 23 + } + }, + "code_block": [ + [ + 6, + " runs-on: ubuntu-latest\n" + ], + [ + 7, + " steps:\n" + ], + [ + 8, + " - uses: actions/checkout@master\n" + ], + [ + 9, + " - run: mkdir -p ./tmp/artifacts\n" + ], + [ + 10, + " - name: Lighthouse Audit\n" + ], + [ + 11, + " uses: fabianrbz/github-action-lighthouse-heroku@master\n" + ], + [ + 12, + " with:\n" + ], + [ + 13, + " urls: '/,/concepts/overview,/api/verify'\n" + ], + [ + 14, + " outputDirectory: ./tmp/artifacts\n" + ], + [ + 15, + " env:\n" + ], + [ + 16, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 17, + " HEROKU_AUTH_TOKEN: ${{ secrets.HEROKU_AUTH_TOKEN }}\n" + ], + [ + 18, + " - name: Upload artifacts\n" + ], + [ + 19, + " uses: actions/upload-artifact@master\n" + ], + [ + 20, + " with:\n" + ], + [ + 21, + " name: Lighthouse reports\n" + ], + [ + 22, + " path: ./tmp/artifacts\n" + ] + ], + "file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status-lighthouse.yml", + "repo_file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_line_range": [ + 6, + 24 + ], + "resource": "jobs(lighthouse-audit)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + 
"caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "lighthouse-audit" + ], + "workflow_name": "Lighthouse Audit" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "uses": "actions/checkout@master", + "__startline__": 8, + "__endline__": 9 + }, + { + "run": "mkdir -p ./tmp/artifacts", + "__startline__": 9, + "__endline__": 10 + }, + { + "name": "Lighthouse Audit", + "uses": "fabianrbz/github-action-lighthouse-heroku@master", + "with": { + "urls": "/,/concepts/overview,/api/verify", + "outputDirectory": "./tmp/artifacts", + "__startline__": 13, + "__endline__": 15 + }, + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_AUTH_TOKEN": "${{ secrets.HEROKU_AUTH_TOKEN }}", + "__startline__": 16, + "__endline__": 18 + }, + "__startline__": 10, + "__endline__": 18 + }, + { + "name": "Upload artifacts", + "uses": "actions/upload-artifact@master", + "with": { + "name": "Lighthouse reports", + "path": "./tmp/artifacts", + "__startline__": 21, + "__endline__": 23 + }, + "__startline__": 18, + "__endline__": 23 + } + ], + "__startline__": 6, + "__endline__": 23 + } + }, + "code_block": [ + [ + 6, + " runs-on: ubuntu-latest\n" + ], + [ + 7, + " steps:\n" + ], + [ + 8, + " - uses: actions/checkout@master\n" + ], + [ + 9, + " - run: mkdir -p ./tmp/artifacts\n" + ], + [ + 10, + " - name: Lighthouse Audit\n" + ], + [ + 11, + " uses: fabianrbz/github-action-lighthouse-heroku@master\n" + ], + [ + 12, + " with:\n" + ], + [ + 13, + " urls: 
'/,/concepts/overview,/api/verify'\n" + ], + [ + 14, + " outputDirectory: ./tmp/artifacts\n" + ], + [ + 15, + " env:\n" + ], + [ + 16, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 17, + " HEROKU_AUTH_TOKEN: ${{ secrets.HEROKU_AUTH_TOKEN }}\n" + ], + [ + 18, + " - name: Upload artifacts\n" + ], + [ + 19, + " uses: actions/upload-artifact@master\n" + ], + [ + 20, + " with:\n" + ], + [ + 21, + " name: Lighthouse reports\n" + ], + [ + 22, + " path: ./tmp/artifacts\n" + ] + ], + "file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status-lighthouse.yml", + "repo_file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_line_range": [ + 6, + 24 + ], + "resource": "jobs(lighthouse-audit)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "lighthouse-audit" + ], + "workflow_name": "Lighthouse Audit" + }, + { + "check_id": "CKV_GHA_7", + "bc_check_id": null, + "check_name": "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. 
", + "check_result": { + "result": "PASSED", + "results_configuration": "workflow_dispatch" + }, + "code_block": [], + "file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status-lighthouse.yml", + "repo_file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_line_range": [ + 0, + 1 + ], + "resource": "on(Lighthouse Audit)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.EmptyWorkflowDispatch", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "" + ], + "workflow_name": "Lighthouse Audit" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/checkout@master", + "__startline__": 8, + "__endline__": 9 + } + }, + "code_block": [ + [ + 8, + " - uses: actions/checkout@master\n" + ], + [ + 9, + " - run: mkdir -p ./tmp/artifacts\n" + ], + [ + 10, + " - name: Lighthouse Audit\n" + ] + ], + "file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status-lighthouse.yml", + "repo_file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_line_range": [ + 8, + 10 + ], + "resource": "jobs(lighthouse-audit).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + 
"caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "lighthouse-audit" + ], + "workflow_name": "Lighthouse Audit" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "run": "mkdir -p ./tmp/artifacts", + "__startline__": 9, + "__endline__": 10 + } + }, + "code_block": [ + [ + 9, + " - run: mkdir -p ./tmp/artifacts\n" + ], + [ + 10, + " - name: Lighthouse Audit\n" + ], + [ + 11, + " uses: fabianrbz/github-action-lighthouse-heroku@master\n" + ] + ], + "file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status-lighthouse.yml", + "repo_file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_line_range": [ + 9, + 11 + ], + "resource": "jobs(lighthouse-audit).steps[2]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "lighthouse-audit" + ], + "workflow_name": "Lighthouse Audit" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": 
"Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Lighthouse Audit", + "uses": "fabianrbz/github-action-lighthouse-heroku@master", + "with": { + "urls": "/,/concepts/overview,/api/verify", + "outputDirectory": "./tmp/artifacts", + "__startline__": 13, + "__endline__": 15 + }, + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_AUTH_TOKEN": "${{ secrets.HEROKU_AUTH_TOKEN }}", + "__startline__": 16, + "__endline__": 18 + }, + "__startline__": 10, + "__endline__": 18 + } + }, + "code_block": [ + [ + 10, + " - name: Lighthouse Audit\n" + ], + [ + 11, + " uses: fabianrbz/github-action-lighthouse-heroku@master\n" + ], + [ + 12, + " with:\n" + ], + [ + 13, + " urls: '/,/concepts/overview,/api/verify'\n" + ], + [ + 14, + " outputDirectory: ./tmp/artifacts\n" + ], + [ + 15, + " env:\n" + ], + [ + 16, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 17, + " HEROKU_AUTH_TOKEN: ${{ secrets.HEROKU_AUTH_TOKEN }}\n" + ], + [ + 18, + " - name: Upload artifacts\n" + ], + [ + 19, + " uses: actions/upload-artifact@master\n" + ] + ], + "file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status-lighthouse.yml", + "repo_file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_line_range": [ + 10, + 19 + ], + "resource": "jobs(lighthouse-audit).steps[3](Lighthouse Audit)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + 
"definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "lighthouse-audit" + ], + "workflow_name": "Lighthouse Audit" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Upload artifacts", + "uses": "actions/upload-artifact@master", + "with": { + "name": "Lighthouse reports", + "path": "./tmp/artifacts", + "__startline__": 21, + "__endline__": 23 + }, + "__startline__": 18, + "__endline__": 23 + } + }, + "code_block": [ + [ + 18, + " - name: Upload artifacts\n" + ], + [ + 19, + " uses: actions/upload-artifact@master\n" + ], + [ + 20, + " with:\n" + ], + [ + 21, + " name: Lighthouse reports\n" + ], + [ + 22, + " path: ./tmp/artifacts\n" + ] + ], + "file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status-lighthouse.yml", + "repo_file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_line_range": [ + 18, + 24 + ], + "resource": "jobs(lighthouse-audit).steps[4](Upload artifacts)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "lighthouse-audit" + ], + "workflow_name": "Lighthouse Audit" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + 
"results_configuration": { + "uses": "actions/checkout@master", + "__startline__": 8, + "__endline__": 9 + } + }, + "code_block": [ + [ + 8, + " - uses: actions/checkout@master\n" + ], + [ + 9, + " - run: mkdir -p ./tmp/artifacts\n" + ], + [ + 10, + " - name: Lighthouse Audit\n" + ] + ], + "file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status-lighthouse.yml", + "repo_file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_line_range": [ + 8, + 10 + ], + "resource": "jobs(lighthouse-audit).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "lighthouse-audit" + ], + "workflow_name": "Lighthouse Audit" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "run": "mkdir -p ./tmp/artifacts", + "__startline__": 9, + "__endline__": 10 + } + }, + "code_block": [ + [ + 9, + " - run: mkdir -p ./tmp/artifacts\n" + ], + [ + 10, + " - name: Lighthouse Audit\n" + ], + [ + 11, + " uses: fabianrbz/github-action-lighthouse-heroku@master\n" + ] + ], + "file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status-lighthouse.yml", + "repo_file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_line_range": [ + 9, + 11 + ], + "resource": 
"jobs(lighthouse-audit).steps[2]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "lighthouse-audit" + ], + "workflow_name": "Lighthouse Audit" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Lighthouse Audit", + "uses": "fabianrbz/github-action-lighthouse-heroku@master", + "with": { + "urls": "/,/concepts/overview,/api/verify", + "outputDirectory": "./tmp/artifacts", + "__startline__": 13, + "__endline__": 15 + }, + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_AUTH_TOKEN": "${{ secrets.HEROKU_AUTH_TOKEN }}", + "__startline__": 16, + "__endline__": 18 + }, + "__startline__": 10, + "__endline__": 18 + } + }, + "code_block": [ + [ + 10, + " - name: Lighthouse Audit\n" + ], + [ + 11, + " uses: fabianrbz/github-action-lighthouse-heroku@master\n" + ], + [ + 12, + " with:\n" + ], + [ + 13, + " urls: '/,/concepts/overview,/api/verify'\n" + ], + [ + 14, + " outputDirectory: ./tmp/artifacts\n" + ], + [ + 15, + " env:\n" + ], + [ + 16, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 17, + " HEROKU_AUTH_TOKEN: ${{ secrets.HEROKU_AUTH_TOKEN }}\n" + ], + [ + 18, + " - name: Upload artifacts\n" + ], + [ + 19, + " uses: actions/upload-artifact@master\n" + ] + ], + "file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_abs_path": 
"/tmp/ws-scm/station/.github/workflows/deployment_status-lighthouse.yml", + "repo_file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_line_range": [ + 10, + 19 + ], + "resource": "jobs(lighthouse-audit).steps[3](Lighthouse Audit)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "lighthouse-audit" + ], + "workflow_name": "Lighthouse Audit" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Upload artifacts", + "uses": "actions/upload-artifact@master", + "with": { + "name": "Lighthouse reports", + "path": "./tmp/artifacts", + "__startline__": 21, + "__endline__": 23 + }, + "__startline__": 18, + "__endline__": 23 + } + }, + "code_block": [ + [ + 18, + " - name: Upload artifacts\n" + ], + [ + 19, + " uses: actions/upload-artifact@master\n" + ], + [ + 20, + " with:\n" + ], + [ + 21, + " name: Lighthouse reports\n" + ], + [ + 22, + " path: ./tmp/artifacts\n" + ] + ], + "file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status-lighthouse.yml", + "repo_file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_line_range": [ + 18, + 24 + ], + "resource": "jobs(lighthouse-audit).steps[4](Upload artifacts)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + 
"fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "lighthouse-audit" + ], + "workflow_name": "Lighthouse Audit" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/checkout@master", + "__startline__": 8, + "__endline__": 9 + } + }, + "code_block": [ + [ + 8, + " - uses: actions/checkout@master\n" + ], + [ + 9, + " - run: mkdir -p ./tmp/artifacts\n" + ], + [ + 10, + " - name: Lighthouse Audit\n" + ] + ], + "file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status-lighthouse.yml", + "repo_file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_line_range": [ + 8, + 10 + ], + "resource": "jobs(lighthouse-audit).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "lighthouse-audit" + ], + "workflow_name": "Lighthouse Audit" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": 
"Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "run": "mkdir -p ./tmp/artifacts", + "__startline__": 9, + "__endline__": 10 + } + }, + "code_block": [ + [ + 9, + " - run: mkdir -p ./tmp/artifacts\n" + ], + [ + 10, + " - name: Lighthouse Audit\n" + ], + [ + 11, + " uses: fabianrbz/github-action-lighthouse-heroku@master\n" + ] + ], + "file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status-lighthouse.yml", + "repo_file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_line_range": [ + 9, + 11 + ], + "resource": "jobs(lighthouse-audit).steps[2]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "lighthouse-audit" + ], + "workflow_name": "Lighthouse Audit" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Lighthouse Audit", + "uses": "fabianrbz/github-action-lighthouse-heroku@master", + "with": { + "urls": "/,/concepts/overview,/api/verify", + "outputDirectory": "./tmp/artifacts", + "__startline__": 13, + "__endline__": 15 + }, + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_AUTH_TOKEN": "${{ secrets.HEROKU_AUTH_TOKEN }}", + "__startline__": 16, + "__endline__": 18 + }, + "__startline__": 10, + 
"__endline__": 18 + } + }, + "code_block": [ + [ + 10, + " - name: Lighthouse Audit\n" + ], + [ + 11, + " uses: fabianrbz/github-action-lighthouse-heroku@master\n" + ], + [ + 12, + " with:\n" + ], + [ + 13, + " urls: '/,/concepts/overview,/api/verify'\n" + ], + [ + 14, + " outputDirectory: ./tmp/artifacts\n" + ], + [ + 15, + " env:\n" + ], + [ + 16, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 17, + " HEROKU_AUTH_TOKEN: ${{ secrets.HEROKU_AUTH_TOKEN }}\n" + ], + [ + 18, + " - name: Upload artifacts\n" + ], + [ + 19, + " uses: actions/upload-artifact@master\n" + ] + ], + "file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status-lighthouse.yml", + "repo_file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_line_range": [ + 10, + 19 + ], + "resource": "jobs(lighthouse-audit).steps[3](Lighthouse Audit)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "lighthouse-audit" + ], + "workflow_name": "Lighthouse Audit" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Upload artifacts", + "uses": "actions/upload-artifact@master", + "with": { + "name": "Lighthouse reports", + "path": "./tmp/artifacts", + "__startline__": 21, + "__endline__": 23 + }, + "__startline__": 18, + "__endline__": 23 + } + }, + 
"code_block": [ + [ + 18, + " - name: Upload artifacts\n" + ], + [ + 19, + " uses: actions/upload-artifact@master\n" + ], + [ + 20, + " with:\n" + ], + [ + 21, + " name: Lighthouse reports\n" + ], + [ + 22, + " path: ./tmp/artifacts\n" + ] + ], + "file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status-lighthouse.yml", + "repo_file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_line_range": [ + 18, + 24 + ], + "resource": "jobs(lighthouse-audit).steps[4](Upload artifacts)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "lighthouse-audit" + ], + "workflow_name": "Lighthouse Audit" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/checkout@master", + "__startline__": 8, + "__endline__": 9 + } + }, + "code_block": [ + [ + 8, + " - uses: actions/checkout@master\n" + ], + [ + 9, + " - run: mkdir -p ./tmp/artifacts\n" + ], + [ + 10, + " - name: Lighthouse Audit\n" + ] + ], + "file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status-lighthouse.yml", + "repo_file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_line_range": [ + 8, + 10 + ], + "resource": "jobs(lighthouse-audit).steps[1]", + "evaluations": null, + 
"check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "lighthouse-audit" + ], + "workflow_name": "Lighthouse Audit" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "run": "mkdir -p ./tmp/artifacts", + "__startline__": 9, + "__endline__": 10 + } + }, + "code_block": [ + [ + 9, + " - run: mkdir -p ./tmp/artifacts\n" + ], + [ + 10, + " - name: Lighthouse Audit\n" + ], + [ + 11, + " uses: fabianrbz/github-action-lighthouse-heroku@master\n" + ] + ], + "file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status-lighthouse.yml", + "repo_file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_line_range": [ + 9, + 11 + ], + "resource": "jobs(lighthouse-audit).steps[2]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "lighthouse-audit" + ], + "workflow_name": "Lighthouse Audit" 
+ }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Lighthouse Audit", + "uses": "fabianrbz/github-action-lighthouse-heroku@master", + "with": { + "urls": "/,/concepts/overview,/api/verify", + "outputDirectory": "./tmp/artifacts", + "__startline__": 13, + "__endline__": 15 + }, + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_AUTH_TOKEN": "${{ secrets.HEROKU_AUTH_TOKEN }}", + "__startline__": 16, + "__endline__": 18 + }, + "__startline__": 10, + "__endline__": 18 + } + }, + "code_block": [ + [ + 10, + " - name: Lighthouse Audit\n" + ], + [ + 11, + " uses: fabianrbz/github-action-lighthouse-heroku@master\n" + ], + [ + 12, + " with:\n" + ], + [ + 13, + " urls: '/,/concepts/overview,/api/verify'\n" + ], + [ + 14, + " outputDirectory: ./tmp/artifacts\n" + ], + [ + 15, + " env:\n" + ], + [ + 16, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 17, + " HEROKU_AUTH_TOKEN: ${{ secrets.HEROKU_AUTH_TOKEN }}\n" + ], + [ + 18, + " - name: Upload artifacts\n" + ], + [ + 19, + " uses: actions/upload-artifact@master\n" + ] + ], + "file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status-lighthouse.yml", + "repo_file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_line_range": [ + 10, + 19 + ], + "resource": "jobs(lighthouse-audit).steps[3](Lighthouse Audit)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": 
[], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "lighthouse-audit" + ], + "workflow_name": "Lighthouse Audit" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Upload artifacts", + "uses": "actions/upload-artifact@master", + "with": { + "name": "Lighthouse reports", + "path": "./tmp/artifacts", + "__startline__": 21, + "__endline__": 23 + }, + "__startline__": 18, + "__endline__": 23 + } + }, + "code_block": [ + [ + 18, + " - name: Upload artifacts\n" + ], + [ + 19, + " uses: actions/upload-artifact@master\n" + ], + [ + 20, + " with:\n" + ], + [ + 21, + " name: Lighthouse reports\n" + ], + [ + 22, + " path: ./tmp/artifacts\n" + ] + ], + "file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status-lighthouse.yml", + "repo_file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_line_range": [ + 18, + 24 + ], + "resource": "jobs(lighthouse-audit).steps[4](Upload artifacts)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "lighthouse-audit" + ], + "workflow_name": "Lighthouse Audit" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + 
"results_configuration": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "name": "append-heroku-logs", + "uses": "mheap/github-action-heroku-logs@master", + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_AUTH_TOKEN": "${{ secrets.HEROKU_AUTH_TOKEN }}", + "__startline__": 12, + "__endline__": 14 + }, + "__startline__": 9, + "__endline__": 14 + } + ], + "__startline__": 7, + "__endline__": 14 + } + }, + "code_block": [ + [ + 7, + " runs-on: ubuntu-latest\n" + ], + [ + 8, + " steps:\n" + ], + [ + 9, + " - name: append-heroku-logs\n" + ], + [ + 10, + " uses: mheap/github-action-heroku-logs@master\n" + ], + [ + 11, + " env:\n" + ], + [ + 12, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 13, + " HEROKU_AUTH_TOKEN: ${{ secrets.HEROKU_AUTH_TOKEN }}\n" + ] + ], + "file_path": "/.github/workflows/deployment_status.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status.yml", + "repo_file_path": "/.github/workflows/deployment_status.yml", + "file_line_range": [ + 7, + 15 + ], + "resource": "jobs(append-heroku-logs)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "deployment_status" + ] + ], + "job": [ + "append-heroku-logs" + ], + "workflow_name": "Append Heroku logs" + }, + { + "check_id": "CKV_GHA_5", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sign execution in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "append-heroku-logs": { + "runs-on": 
"ubuntu-latest", + "steps": [ + { + "name": "append-heroku-logs", + "uses": "mheap/github-action-heroku-logs@master", + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_AUTH_TOKEN": "${{ secrets.HEROKU_AUTH_TOKEN }}", + "__startline__": 12, + "__endline__": 14 + }, + "__startline__": 9, + "__endline__": 14 + } + ], + "__startline__": 7, + "__endline__": 14 + }, + "__startline__": 6, + "__endline__": 14 + } + }, + "code_block": [ + [ + 6, + " append-heroku-logs:\n" + ], + [ + 7, + " runs-on: ubuntu-latest\n" + ], + [ + 8, + " steps:\n" + ], + [ + 9, + " - name: append-heroku-logs\n" + ], + [ + 10, + " uses: mheap/github-action-heroku-logs@master\n" + ], + [ + 11, + " env:\n" + ], + [ + 12, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 13, + " HEROKU_AUTH_TOKEN: ${{ secrets.HEROKU_AUTH_TOKEN }}\n" + ] + ], + "file_path": "/.github/workflows/deployment_status.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status.yml", + "repo_file_path": "/.github/workflows/deployment_status.yml", + "file_line_range": [ + 6, + 15 + ], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignArtifacts", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "deployment_status" + ] + ], + "job": [ + "append-heroku-logs" + ], + "workflow_name": "Append Heroku logs" + }, + { + "check_id": "CKV_GHA_6", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sbom attestation in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + 
"append-heroku-logs": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "name": "append-heroku-logs", + "uses": "mheap/github-action-heroku-logs@master", + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_AUTH_TOKEN": "${{ secrets.HEROKU_AUTH_TOKEN }}", + "__startline__": 12, + "__endline__": 14 + }, + "__startline__": 9, + "__endline__": 14 + } + ], + "__startline__": 7, + "__endline__": 14 + }, + "__startline__": 6, + "__endline__": 14 + } + }, + "code_block": [ + [ + 6, + " append-heroku-logs:\n" + ], + [ + 7, + " runs-on: ubuntu-latest\n" + ], + [ + 8, + " steps:\n" + ], + [ + 9, + " - name: append-heroku-logs\n" + ], + [ + 10, + " uses: mheap/github-action-heroku-logs@master\n" + ], + [ + 11, + " env:\n" + ], + [ + 12, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 13, + " HEROKU_AUTH_TOKEN: ${{ secrets.HEROKU_AUTH_TOKEN }}\n" + ] + ], + "file_path": "/.github/workflows/deployment_status.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status.yml", + "repo_file_path": "/.github/workflows/deployment_status.yml", + "file_line_range": [ + 6, + 15 + ], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignSBOM", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "deployment_status" + ] + ], + "job": [ + "append-heroku-logs" + ], + "workflow_name": "Append Heroku logs" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": 
"ubuntu-latest", + "steps": [ + { + "name": "append-heroku-logs", + "uses": "mheap/github-action-heroku-logs@master", + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_AUTH_TOKEN": "${{ secrets.HEROKU_AUTH_TOKEN }}", + "__startline__": 12, + "__endline__": 14 + }, + "__startline__": 9, + "__endline__": 14 + } + ], + "__startline__": 7, + "__endline__": 14 + } + }, + "code_block": [ + [ + 7, + " runs-on: ubuntu-latest\n" + ], + [ + 8, + " steps:\n" + ], + [ + 9, + " - name: append-heroku-logs\n" + ], + [ + 10, + " uses: mheap/github-action-heroku-logs@master\n" + ], + [ + 11, + " env:\n" + ], + [ + 12, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 13, + " HEROKU_AUTH_TOKEN: ${{ secrets.HEROKU_AUTH_TOKEN }}\n" + ] + ], + "file_path": "/.github/workflows/deployment_status.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status.yml", + "repo_file_path": "/.github/workflows/deployment_status.yml", + "file_line_range": [ + 7, + 15 + ], + "resource": "jobs(append-heroku-logs)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "deployment_status" + ] + ], + "job": [ + "append-heroku-logs" + ], + "workflow_name": "Append Heroku logs" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "name": "append-heroku-logs", + "uses": 
"mheap/github-action-heroku-logs@master", + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_AUTH_TOKEN": "${{ secrets.HEROKU_AUTH_TOKEN }}", + "__startline__": 12, + "__endline__": 14 + }, + "__startline__": 9, + "__endline__": 14 + } + ], + "__startline__": 7, + "__endline__": 14 + } + }, + "code_block": [ + [ + 7, + " runs-on: ubuntu-latest\n" + ], + [ + 8, + " steps:\n" + ], + [ + 9, + " - name: append-heroku-logs\n" + ], + [ + 10, + " uses: mheap/github-action-heroku-logs@master\n" + ], + [ + 11, + " env:\n" + ], + [ + 12, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 13, + " HEROKU_AUTH_TOKEN: ${{ secrets.HEROKU_AUTH_TOKEN }}\n" + ] + ], + "file_path": "/.github/workflows/deployment_status.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status.yml", + "repo_file_path": "/.github/workflows/deployment_status.yml", + "file_line_range": [ + 7, + 15 + ], + "resource": "jobs(append-heroku-logs)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "deployment_status" + ] + ], + "job": [ + "append-heroku-logs" + ], + "workflow_name": "Append Heroku logs" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "name": "append-heroku-logs", + "uses": "mheap/github-action-heroku-logs@master", + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + 
"HEROKU_AUTH_TOKEN": "${{ secrets.HEROKU_AUTH_TOKEN }}", + "__startline__": 12, + "__endline__": 14 + }, + "__startline__": 9, + "__endline__": 14 + } + ], + "__startline__": 7, + "__endline__": 14 + } + }, + "code_block": [ + [ + 7, + " runs-on: ubuntu-latest\n" + ], + [ + 8, + " steps:\n" + ], + [ + 9, + " - name: append-heroku-logs\n" + ], + [ + 10, + " uses: mheap/github-action-heroku-logs@master\n" + ], + [ + 11, + " env:\n" + ], + [ + 12, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 13, + " HEROKU_AUTH_TOKEN: ${{ secrets.HEROKU_AUTH_TOKEN }}\n" + ] + ], + "file_path": "/.github/workflows/deployment_status.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status.yml", + "repo_file_path": "/.github/workflows/deployment_status.yml", + "file_line_range": [ + 7, + 15 + ], + "resource": "jobs(append-heroku-logs)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "deployment_status" + ] + ], + "job": [ + "append-heroku-logs" + ], + "workflow_name": "Append Heroku logs" + }, + { + "check_id": "CKV_GHA_7", + "bc_check_id": null, + "check_name": "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. 
", + "check_result": { + "result": "PASSED", + "results_configuration": { + "deployment_status": { + "types": [ + "failure" + ], + "__startline__": 4, + "__endline__": 5 + }, + "__startline__": 3, + "__endline__": 5 + } + }, + "code_block": [ + [ + 3, + " deployment_status:\n" + ], + [ + 4, + " types: [failure]\n" + ], + [ + 5, + "jobs:\n" + ], + [ + 6, + " append-heroku-logs:\n" + ] + ], + "file_path": "/.github/workflows/deployment_status.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status.yml", + "repo_file_path": "/.github/workflows/deployment_status.yml", + "file_line_range": [ + 3, + 6 + ], + "resource": "on(Append Heroku logs)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.EmptyWorkflowDispatch", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "deployment_status" + ] + ], + "job": [ + "" + ], + "workflow_name": "Append Heroku logs" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "append-heroku-logs", + "uses": "mheap/github-action-heroku-logs@master", + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_AUTH_TOKEN": "${{ secrets.HEROKU_AUTH_TOKEN }}", + "__startline__": 12, + "__endline__": 14 + }, + "__startline__": 9, + "__endline__": 14 + } + }, + "code_block": [ + [ + 9, + " - name: append-heroku-logs\n" + ], + [ + 10, + " uses: mheap/github-action-heroku-logs@master\n" + ], + [ + 11, + " env:\n" + ], + [ + 12, + 
" GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 13, + " HEROKU_AUTH_TOKEN: ${{ secrets.HEROKU_AUTH_TOKEN }}\n" + ] + ], + "file_path": "/.github/workflows/deployment_status.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status.yml", + "repo_file_path": "/.github/workflows/deployment_status.yml", + "file_line_range": [ + 9, + 15 + ], + "resource": "jobs(append-heroku-logs).steps[1](append-heroku-logs)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "deployment_status" + ] + ], + "job": [ + "append-heroku-logs" + ], + "workflow_name": "Append Heroku logs" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "append-heroku-logs", + "uses": "mheap/github-action-heroku-logs@master", + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_AUTH_TOKEN": "${{ secrets.HEROKU_AUTH_TOKEN }}", + "__startline__": 12, + "__endline__": 14 + }, + "__startline__": 9, + "__endline__": 14 + } + }, + "code_block": [ + [ + 9, + " - name: append-heroku-logs\n" + ], + [ + 10, + " uses: mheap/github-action-heroku-logs@master\n" + ], + [ + 11, + " env:\n" + ], + [ + 12, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 13, + " HEROKU_AUTH_TOKEN: ${{ secrets.HEROKU_AUTH_TOKEN }}\n" + ] + ], + "file_path": "/.github/workflows/deployment_status.yml", + "file_abs_path": 
"/tmp/ws-scm/station/.github/workflows/deployment_status.yml", + "repo_file_path": "/.github/workflows/deployment_status.yml", + "file_line_range": [ + 9, + 15 + ], + "resource": "jobs(append-heroku-logs).steps[1](append-heroku-logs)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "deployment_status" + ] + ], + "job": [ + "append-heroku-logs" + ], + "workflow_name": "Append Heroku logs" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "append-heroku-logs", + "uses": "mheap/github-action-heroku-logs@master", + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_AUTH_TOKEN": "${{ secrets.HEROKU_AUTH_TOKEN }}", + "__startline__": 12, + "__endline__": 14 + }, + "__startline__": 9, + "__endline__": 14 + } + }, + "code_block": [ + [ + 9, + " - name: append-heroku-logs\n" + ], + [ + 10, + " uses: mheap/github-action-heroku-logs@master\n" + ], + [ + 11, + " env:\n" + ], + [ + 12, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 13, + " HEROKU_AUTH_TOKEN: ${{ secrets.HEROKU_AUTH_TOKEN }}\n" + ] + ], + "file_path": "/.github/workflows/deployment_status.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status.yml", + "repo_file_path": "/.github/workflows/deployment_status.yml", + "file_line_range": [ + 9, + 15 + ], + "resource": 
"jobs(append-heroku-logs).steps[1](append-heroku-logs)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "deployment_status" + ] + ], + "job": [ + "append-heroku-logs" + ], + "workflow_name": "Append Heroku logs" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "append-heroku-logs", + "uses": "mheap/github-action-heroku-logs@master", + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_AUTH_TOKEN": "${{ secrets.HEROKU_AUTH_TOKEN }}", + "__startline__": 12, + "__endline__": 14 + }, + "__startline__": 9, + "__endline__": 14 + } + }, + "code_block": [ + [ + 9, + " - name: append-heroku-logs\n" + ], + [ + 10, + " uses: mheap/github-action-heroku-logs@master\n" + ], + [ + 11, + " env:\n" + ], + [ + 12, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 13, + " HEROKU_AUTH_TOKEN: ${{ secrets.HEROKU_AUTH_TOKEN }}\n" + ] + ], + "file_path": "/.github/workflows/deployment_status.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status.yml", + "repo_file_path": "/.github/workflows/deployment_status.yml", + "file_line_range": [ + 9, + 15 + ], + "resource": "jobs(append-heroku-logs).steps[1](append-heroku-logs)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + 
"caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "deployment_status" + ] + ], + "job": [ + "append-heroku-logs" + ], + "workflow_name": "Append Heroku logs" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "name": "Checkout", + "uses": "actions/checkout@master", + "__startline__": 13, + "__endline__": 15 + }, + { + "name": "Prepare", + "id": "prep", + "run": "DOCKER_IMAGE=nexmodev/station\nVERSION=edge\nif [[ $GITHUB_REF == refs/tags/* ]]; then\n VERSION=${GITHUB_REF#refs/tags/}\nelif [[ $GITHUB_REF == refs/heads/* ]]; then\n VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')\nelif [[ $GITHUB_REF == refs/pull/* ]]; then\n VERSION=pr-${{ github.event.number }}\nfi\nTAGS=\"${DOCKER_IMAGE}:${VERSION}\"\nif [ \"${{ github.event_name }}\" = \"push\" ]; then\n TAGS=\"$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}\"\nfi\necho ::set-output name=version::${VERSION}\necho ::set-output name=tags::${TAGS}\necho ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')\n", + "__startline__": 16, + "__endline__": 35 + }, + { + "name": "Set up Docker Buildx", + "uses": "docker/setup-buildx-action@v1", + "__startline__": 36, + "__endline__": 38 + }, + { + "name": "Login to DockerHub", + "uses": "docker/login-action@v1", + "with": { + "username": "${{ secrets.DOCKER_USERNAME }}", + "password": "${{ secrets.DOCKER_PASSWORD }}", + "__startline__": 42, + "__endline__": 44 + }, + "__startline__": 39, + "__endline__": 44 + }, + { + "name": "Publish to 
Registry", + "uses": "docker/build-push-action@v2", + "with": { + "context": ".", + "push": true, + "no-cache": true, + "tags": "${{ steps.prep.outputs.tags }}", + "labels": "org.opencontainers.image.source=${{ github.event.repository.html_url }}\norg.opencontainers.image.created=${{ steps.prep.outputs.created }}\norg.opencontainers.image.revision=${{ github.sha }}\n", + "__startline__": 47, + "__endline__": 55 + }, + "__startline__": 44, + "__endline__": 55 + } + ], + "__startline__": 10, + "__endline__": 55 + } + }, + "code_block": [ + [ + 10, + " runs-on: ubuntu-latest\n" + ], + [ + 11, + " steps:\n" + ], + [ + 12, + " -\n" + ], + [ + 13, + " name: Checkout\n" + ], + [ + 14, + " uses: actions/checkout@master\n" + ], + [ + 15, + " -\n" + ], + [ + 16, + " name: Prepare\n" + ], + [ + 17, + " id: prep\n" + ], + [ + 18, + " run: |\n" + ], + [ + 19, + " DOCKER_IMAGE=nexmodev/station\n" + ], + [ + 20, + " VERSION=edge\n" + ], + [ + 21, + " if [[ $GITHUB_REF == refs/tags/* ]]; then\n" + ], + [ + 22, + " VERSION=${GITHUB_REF#refs/tags/}\n" + ], + [ + 23, + " elif [[ $GITHUB_REF == refs/heads/* ]]; then\n" + ], + [ + 24, + " VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')\n" + ], + [ + 25, + " elif [[ $GITHUB_REF == refs/pull/* ]]; then\n" + ], + [ + 26, + " VERSION=pr-${{ github.event.number }}\n" + ], + [ + 27, + " fi\n" + ], + [ + 28, + " TAGS=\"${DOCKER_IMAGE}:${VERSION}\"\n" + ], + [ + 29, + " if [ \"${{ github.event_name }}\" = \"push\" ]; then\n" + ], + [ + 30, + " TAGS=\"$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}\"\n" + ], + [ + 31, + " fi\n" + ], + [ + 32, + " echo ::set-output name=version::${VERSION}\n" + ], + [ + 33, + " echo ::set-output name=tags::${TAGS}\n" + ], + [ + 34, + " echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')\n" + ], + [ + 35, + " -\n" + ], + [ + 36, + " name: Set up Docker Buildx\n" + ], + [ + 37, + " uses: docker/setup-buildx-action@v1\n" + ], + [ + 38, + " -\n" + ], + [ + 39, + " name: Login to DockerHub\n" + 
], + [ + 40, + " uses: docker/login-action@v1\n" + ], + [ + 41, + " with:\n" + ], + [ + 42, + " username: ${{ secrets.DOCKER_USERNAME }}\n" + ], + [ + 43, + " password: ${{ secrets.DOCKER_PASSWORD }}\n" + ], + [ + 44, + " - name: Publish to Registry\n" + ], + [ + 45, + " uses: docker/build-push-action@v2\n" + ], + [ + 46, + " with:\n" + ], + [ + 47, + " context: .\n" + ], + [ + 48, + " push: true\n" + ], + [ + 49, + " no-cache: true\n" + ], + [ + 50, + " tags: ${{ steps.prep.outputs.tags }}\n" + ], + [ + 51, + " labels: |\n" + ], + [ + 52, + " org.opencontainers.image.source=${{ github.event.repository.html_url }}\n" + ], + [ + 53, + " org.opencontainers.image.created=${{ steps.prep.outputs.created }}\n" + ], + [ + 54, + " org.opencontainers.image.revision=${{ github.sha }}\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 10, + 56 + ], + "resource": "jobs(build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_5", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sign execution in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "build": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "name": "Checkout", + "uses": 
"actions/checkout@master", + "__startline__": 13, + "__endline__": 15 + }, + { + "name": "Prepare", + "id": "prep", + "run": "DOCKER_IMAGE=nexmodev/station\nVERSION=edge\nif [[ $GITHUB_REF == refs/tags/* ]]; then\n VERSION=${GITHUB_REF#refs/tags/}\nelif [[ $GITHUB_REF == refs/heads/* ]]; then\n VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')\nelif [[ $GITHUB_REF == refs/pull/* ]]; then\n VERSION=pr-${{ github.event.number }}\nfi\nTAGS=\"${DOCKER_IMAGE}:${VERSION}\"\nif [ \"${{ github.event_name }}\" = \"push\" ]; then\n TAGS=\"$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}\"\nfi\necho ::set-output name=version::${VERSION}\necho ::set-output name=tags::${TAGS}\necho ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')\n", + "__startline__": 16, + "__endline__": 35 + }, + { + "name": "Set up Docker Buildx", + "uses": "docker/setup-buildx-action@v1", + "__startline__": 36, + "__endline__": 38 + }, + { + "name": "Login to DockerHub", + "uses": "docker/login-action@v1", + "with": { + "username": "${{ secrets.DOCKER_USERNAME }}", + "password": "${{ secrets.DOCKER_PASSWORD }}", + "__startline__": 42, + "__endline__": 44 + }, + "__startline__": 39, + "__endline__": 44 + }, + { + "name": "Publish to Registry", + "uses": "docker/build-push-action@v2", + "with": { + "context": ".", + "push": true, + "no-cache": true, + "tags": "${{ steps.prep.outputs.tags }}", + "labels": "org.opencontainers.image.source=${{ github.event.repository.html_url }}\norg.opencontainers.image.created=${{ steps.prep.outputs.created }}\norg.opencontainers.image.revision=${{ github.sha }}\n", + "__startline__": 47, + "__endline__": 55 + }, + "__startline__": 44, + "__endline__": 55 + } + ], + "__startline__": 10, + "__endline__": 55 + }, + "__startline__": 9, + "__endline__": 55 + } + }, + "code_block": [ + [ + 9, + " build:\n" + ], + [ + 10, + " runs-on: ubuntu-latest\n" + ], + [ + 11, + " steps:\n" + ], + [ + 12, + " -\n" + ], + [ + 13, + " name: Checkout\n" + ], + [ + 14, + " uses: 
actions/checkout@master\n" + ], + [ + 15, + " -\n" + ], + [ + 16, + " name: Prepare\n" + ], + [ + 17, + " id: prep\n" + ], + [ + 18, + " run: |\n" + ], + [ + 19, + " DOCKER_IMAGE=nexmodev/station\n" + ], + [ + 20, + " VERSION=edge\n" + ], + [ + 21, + " if [[ $GITHUB_REF == refs/tags/* ]]; then\n" + ], + [ + 22, + " VERSION=${GITHUB_REF#refs/tags/}\n" + ], + [ + 23, + " elif [[ $GITHUB_REF == refs/heads/* ]]; then\n" + ], + [ + 24, + " VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')\n" + ], + [ + 25, + " elif [[ $GITHUB_REF == refs/pull/* ]]; then\n" + ], + [ + 26, + " VERSION=pr-${{ github.event.number }}\n" + ], + [ + 27, + " fi\n" + ], + [ + 28, + " TAGS=\"${DOCKER_IMAGE}:${VERSION}\"\n" + ], + [ + 29, + " if [ \"${{ github.event_name }}\" = \"push\" ]; then\n" + ], + [ + 30, + " TAGS=\"$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}\"\n" + ], + [ + 31, + " fi\n" + ], + [ + 32, + " echo ::set-output name=version::${VERSION}\n" + ], + [ + 33, + " echo ::set-output name=tags::${TAGS}\n" + ], + [ + 34, + " echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')\n" + ], + [ + 35, + " -\n" + ], + [ + 36, + " name: Set up Docker Buildx\n" + ], + [ + 37, + " uses: docker/setup-buildx-action@v1\n" + ], + [ + 38, + " -\n" + ], + [ + 39, + " name: Login to DockerHub\n" + ], + [ + 40, + " uses: docker/login-action@v1\n" + ], + [ + 41, + " with:\n" + ], + [ + 42, + " username: ${{ secrets.DOCKER_USERNAME }}\n" + ], + [ + 43, + " password: ${{ secrets.DOCKER_PASSWORD }}\n" + ], + [ + 44, + " - name: Publish to Registry\n" + ], + [ + 45, + " uses: docker/build-push-action@v2\n" + ], + [ + 46, + " with:\n" + ], + [ + 47, + " context: .\n" + ], + [ + 48, + " push: true\n" + ], + [ + 49, + " no-cache: true\n" + ], + [ + 50, + " tags: ${{ steps.prep.outputs.tags }}\n" + ], + [ + 51, + " labels: |\n" + ], + [ + 52, + " org.opencontainers.image.source=${{ github.event.repository.html_url }}\n" + ], + [ + 53, + " org.opencontainers.image.created=${{ 
steps.prep.outputs.created }}\n" + ], + [ + 54, + " org.opencontainers.image.revision=${{ github.sha }}\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 9, + 56 + ], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignArtifacts", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_6", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sbom attestation in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "build": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "name": "Checkout", + "uses": "actions/checkout@master", + "__startline__": 13, + "__endline__": 15 + }, + { + "name": "Prepare", + "id": "prep", + "run": "DOCKER_IMAGE=nexmodev/station\nVERSION=edge\nif [[ $GITHUB_REF == refs/tags/* ]]; then\n VERSION=${GITHUB_REF#refs/tags/}\nelif [[ $GITHUB_REF == refs/heads/* ]]; then\n VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')\nelif [[ $GITHUB_REF == refs/pull/* ]]; then\n VERSION=pr-${{ github.event.number }}\nfi\nTAGS=\"${DOCKER_IMAGE}:${VERSION}\"\nif [ \"${{ github.event_name }}\" = \"push\" ]; then\n TAGS=\"$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}\"\nfi\necho ::set-output name=version::${VERSION}\necho ::set-output name=tags::${TAGS}\necho ::set-output 
name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')\n", + "__startline__": 16, + "__endline__": 35 + }, + { + "name": "Set up Docker Buildx", + "uses": "docker/setup-buildx-action@v1", + "__startline__": 36, + "__endline__": 38 + }, + { + "name": "Login to DockerHub", + "uses": "docker/login-action@v1", + "with": { + "username": "${{ secrets.DOCKER_USERNAME }}", + "password": "${{ secrets.DOCKER_PASSWORD }}", + "__startline__": 42, + "__endline__": 44 + }, + "__startline__": 39, + "__endline__": 44 + }, + { + "name": "Publish to Registry", + "uses": "docker/build-push-action@v2", + "with": { + "context": ".", + "push": true, + "no-cache": true, + "tags": "${{ steps.prep.outputs.tags }}", + "labels": "org.opencontainers.image.source=${{ github.event.repository.html_url }}\norg.opencontainers.image.created=${{ steps.prep.outputs.created }}\norg.opencontainers.image.revision=${{ github.sha }}\n", + "__startline__": 47, + "__endline__": 55 + }, + "__startline__": 44, + "__endline__": 55 + } + ], + "__startline__": 10, + "__endline__": 55 + }, + "__startline__": 9, + "__endline__": 55 + } + }, + "code_block": [ + [ + 9, + " build:\n" + ], + [ + 10, + " runs-on: ubuntu-latest\n" + ], + [ + 11, + " steps:\n" + ], + [ + 12, + " -\n" + ], + [ + 13, + " name: Checkout\n" + ], + [ + 14, + " uses: actions/checkout@master\n" + ], + [ + 15, + " -\n" + ], + [ + 16, + " name: Prepare\n" + ], + [ + 17, + " id: prep\n" + ], + [ + 18, + " run: |\n" + ], + [ + 19, + " DOCKER_IMAGE=nexmodev/station\n" + ], + [ + 20, + " VERSION=edge\n" + ], + [ + 21, + " if [[ $GITHUB_REF == refs/tags/* ]]; then\n" + ], + [ + 22, + " VERSION=${GITHUB_REF#refs/tags/}\n" + ], + [ + 23, + " elif [[ $GITHUB_REF == refs/heads/* ]]; then\n" + ], + [ + 24, + " VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')\n" + ], + [ + 25, + " elif [[ $GITHUB_REF == refs/pull/* ]]; then\n" + ], + [ + 26, + " VERSION=pr-${{ github.event.number }}\n" + ], + [ + 27, + " fi\n" + ], + [ + 28, + " 
TAGS=\"${DOCKER_IMAGE}:${VERSION}\"\n" + ], + [ + 29, + " if [ \"${{ github.event_name }}\" = \"push\" ]; then\n" + ], + [ + 30, + " TAGS=\"$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}\"\n" + ], + [ + 31, + " fi\n" + ], + [ + 32, + " echo ::set-output name=version::${VERSION}\n" + ], + [ + 33, + " echo ::set-output name=tags::${TAGS}\n" + ], + [ + 34, + " echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')\n" + ], + [ + 35, + " -\n" + ], + [ + 36, + " name: Set up Docker Buildx\n" + ], + [ + 37, + " uses: docker/setup-buildx-action@v1\n" + ], + [ + 38, + " -\n" + ], + [ + 39, + " name: Login to DockerHub\n" + ], + [ + 40, + " uses: docker/login-action@v1\n" + ], + [ + 41, + " with:\n" + ], + [ + 42, + " username: ${{ secrets.DOCKER_USERNAME }}\n" + ], + [ + 43, + " password: ${{ secrets.DOCKER_PASSWORD }}\n" + ], + [ + 44, + " - name: Publish to Registry\n" + ], + [ + 45, + " uses: docker/build-push-action@v2\n" + ], + [ + 46, + " with:\n" + ], + [ + 47, + " context: .\n" + ], + [ + 48, + " push: true\n" + ], + [ + 49, + " no-cache: true\n" + ], + [ + 50, + " tags: ${{ steps.prep.outputs.tags }}\n" + ], + [ + 51, + " labels: |\n" + ], + [ + 52, + " org.opencontainers.image.source=${{ github.event.repository.html_url }}\n" + ], + [ + 53, + " org.opencontainers.image.created=${{ steps.prep.outputs.created }}\n" + ], + [ + 54, + " org.opencontainers.image.revision=${{ github.sha }}\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 9, + 56 + ], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignSBOM", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + 
"short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "name": "Checkout", + "uses": "actions/checkout@master", + "__startline__": 13, + "__endline__": 15 + }, + { + "name": "Prepare", + "id": "prep", + "run": "DOCKER_IMAGE=nexmodev/station\nVERSION=edge\nif [[ $GITHUB_REF == refs/tags/* ]]; then\n VERSION=${GITHUB_REF#refs/tags/}\nelif [[ $GITHUB_REF == refs/heads/* ]]; then\n VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')\nelif [[ $GITHUB_REF == refs/pull/* ]]; then\n VERSION=pr-${{ github.event.number }}\nfi\nTAGS=\"${DOCKER_IMAGE}:${VERSION}\"\nif [ \"${{ github.event_name }}\" = \"push\" ]; then\n TAGS=\"$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}\"\nfi\necho ::set-output name=version::${VERSION}\necho ::set-output name=tags::${TAGS}\necho ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')\n", + "__startline__": 16, + "__endline__": 35 + }, + { + "name": "Set up Docker Buildx", + "uses": "docker/setup-buildx-action@v1", + "__startline__": 36, + "__endline__": 38 + }, + { + "name": "Login to DockerHub", + "uses": "docker/login-action@v1", + "with": { + "username": "${{ secrets.DOCKER_USERNAME }}", + "password": "${{ secrets.DOCKER_PASSWORD }}", + "__startline__": 42, + "__endline__": 44 + }, + "__startline__": 39, + "__endline__": 44 + }, + { + "name": "Publish to Registry", + "uses": "docker/build-push-action@v2", + "with": { + "context": ".", + "push": true, + "no-cache": true, + "tags": "${{ steps.prep.outputs.tags }}", + "labels": "org.opencontainers.image.source=${{ 
github.event.repository.html_url }}\norg.opencontainers.image.created=${{ steps.prep.outputs.created }}\norg.opencontainers.image.revision=${{ github.sha }}\n", + "__startline__": 47, + "__endline__": 55 + }, + "__startline__": 44, + "__endline__": 55 + } + ], + "__startline__": 10, + "__endline__": 55 + } + }, + "code_block": [ + [ + 10, + " runs-on: ubuntu-latest\n" + ], + [ + 11, + " steps:\n" + ], + [ + 12, + " -\n" + ], + [ + 13, + " name: Checkout\n" + ], + [ + 14, + " uses: actions/checkout@master\n" + ], + [ + 15, + " -\n" + ], + [ + 16, + " name: Prepare\n" + ], + [ + 17, + " id: prep\n" + ], + [ + 18, + " run: |\n" + ], + [ + 19, + " DOCKER_IMAGE=nexmodev/station\n" + ], + [ + 20, + " VERSION=edge\n" + ], + [ + 21, + " if [[ $GITHUB_REF == refs/tags/* ]]; then\n" + ], + [ + 22, + " VERSION=${GITHUB_REF#refs/tags/}\n" + ], + [ + 23, + " elif [[ $GITHUB_REF == refs/heads/* ]]; then\n" + ], + [ + 24, + " VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')\n" + ], + [ + 25, + " elif [[ $GITHUB_REF == refs/pull/* ]]; then\n" + ], + [ + 26, + " VERSION=pr-${{ github.event.number }}\n" + ], + [ + 27, + " fi\n" + ], + [ + 28, + " TAGS=\"${DOCKER_IMAGE}:${VERSION}\"\n" + ], + [ + 29, + " if [ \"${{ github.event_name }}\" = \"push\" ]; then\n" + ], + [ + 30, + " TAGS=\"$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}\"\n" + ], + [ + 31, + " fi\n" + ], + [ + 32, + " echo ::set-output name=version::${VERSION}\n" + ], + [ + 33, + " echo ::set-output name=tags::${TAGS}\n" + ], + [ + 34, + " echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')\n" + ], + [ + 35, + " -\n" + ], + [ + 36, + " name: Set up Docker Buildx\n" + ], + [ + 37, + " uses: docker/setup-buildx-action@v1\n" + ], + [ + 38, + " -\n" + ], + [ + 39, + " name: Login to DockerHub\n" + ], + [ + 40, + " uses: docker/login-action@v1\n" + ], + [ + 41, + " with:\n" + ], + [ + 42, + " username: ${{ secrets.DOCKER_USERNAME }}\n" + ], + [ + 43, + " password: ${{ secrets.DOCKER_PASSWORD }}\n" + ], + [ 
+ 44, + " - name: Publish to Registry\n" + ], + [ + 45, + " uses: docker/build-push-action@v2\n" + ], + [ + 46, + " with:\n" + ], + [ + 47, + " context: .\n" + ], + [ + 48, + " push: true\n" + ], + [ + 49, + " no-cache: true\n" + ], + [ + 50, + " tags: ${{ steps.prep.outputs.tags }}\n" + ], + [ + 51, + " labels: |\n" + ], + [ + 52, + " org.opencontainers.image.source=${{ github.event.repository.html_url }}\n" + ], + [ + 53, + " org.opencontainers.image.created=${{ steps.prep.outputs.created }}\n" + ], + [ + 54, + " org.opencontainers.image.revision=${{ github.sha }}\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 10, + 56 + ], + "resource": "jobs(build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "name": "Checkout", + "uses": "actions/checkout@master", + "__startline__": 13, + "__endline__": 15 + }, + { + "name": "Prepare", + "id": "prep", + "run": "DOCKER_IMAGE=nexmodev/station\nVERSION=edge\nif [[ $GITHUB_REF == refs/tags/* ]]; then\n 
VERSION=${GITHUB_REF#refs/tags/}\nelif [[ $GITHUB_REF == refs/heads/* ]]; then\n VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')\nelif [[ $GITHUB_REF == refs/pull/* ]]; then\n VERSION=pr-${{ github.event.number }}\nfi\nTAGS=\"${DOCKER_IMAGE}:${VERSION}\"\nif [ \"${{ github.event_name }}\" = \"push\" ]; then\n TAGS=\"$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}\"\nfi\necho ::set-output name=version::${VERSION}\necho ::set-output name=tags::${TAGS}\necho ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')\n", + "__startline__": 16, + "__endline__": 35 + }, + { + "name": "Set up Docker Buildx", + "uses": "docker/setup-buildx-action@v1", + "__startline__": 36, + "__endline__": 38 + }, + { + "name": "Login to DockerHub", + "uses": "docker/login-action@v1", + "with": { + "username": "${{ secrets.DOCKER_USERNAME }}", + "password": "${{ secrets.DOCKER_PASSWORD }}", + "__startline__": 42, + "__endline__": 44 + }, + "__startline__": 39, + "__endline__": 44 + }, + { + "name": "Publish to Registry", + "uses": "docker/build-push-action@v2", + "with": { + "context": ".", + "push": true, + "no-cache": true, + "tags": "${{ steps.prep.outputs.tags }}", + "labels": "org.opencontainers.image.source=${{ github.event.repository.html_url }}\norg.opencontainers.image.created=${{ steps.prep.outputs.created }}\norg.opencontainers.image.revision=${{ github.sha }}\n", + "__startline__": 47, + "__endline__": 55 + }, + "__startline__": 44, + "__endline__": 55 + } + ], + "__startline__": 10, + "__endline__": 55 + } + }, + "code_block": [ + [ + 10, + " runs-on: ubuntu-latest\n" + ], + [ + 11, + " steps:\n" + ], + [ + 12, + " -\n" + ], + [ + 13, + " name: Checkout\n" + ], + [ + 14, + " uses: actions/checkout@master\n" + ], + [ + 15, + " -\n" + ], + [ + 16, + " name: Prepare\n" + ], + [ + 17, + " id: prep\n" + ], + [ + 18, + " run: |\n" + ], + [ + 19, + " DOCKER_IMAGE=nexmodev/station\n" + ], + [ + 20, + " VERSION=edge\n" + ], + [ + 21, + " if [[ $GITHUB_REF == refs/tags/* ]]; 
then\n" + ], + [ + 22, + " VERSION=${GITHUB_REF#refs/tags/}\n" + ], + [ + 23, + " elif [[ $GITHUB_REF == refs/heads/* ]]; then\n" + ], + [ + 24, + " VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')\n" + ], + [ + 25, + " elif [[ $GITHUB_REF == refs/pull/* ]]; then\n" + ], + [ + 26, + " VERSION=pr-${{ github.event.number }}\n" + ], + [ + 27, + " fi\n" + ], + [ + 28, + " TAGS=\"${DOCKER_IMAGE}:${VERSION}\"\n" + ], + [ + 29, + " if [ \"${{ github.event_name }}\" = \"push\" ]; then\n" + ], + [ + 30, + " TAGS=\"$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}\"\n" + ], + [ + 31, + " fi\n" + ], + [ + 32, + " echo ::set-output name=version::${VERSION}\n" + ], + [ + 33, + " echo ::set-output name=tags::${TAGS}\n" + ], + [ + 34, + " echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')\n" + ], + [ + 35, + " -\n" + ], + [ + 36, + " name: Set up Docker Buildx\n" + ], + [ + 37, + " uses: docker/setup-buildx-action@v1\n" + ], + [ + 38, + " -\n" + ], + [ + 39, + " name: Login to DockerHub\n" + ], + [ + 40, + " uses: docker/login-action@v1\n" + ], + [ + 41, + " with:\n" + ], + [ + 42, + " username: ${{ secrets.DOCKER_USERNAME }}\n" + ], + [ + 43, + " password: ${{ secrets.DOCKER_PASSWORD }}\n" + ], + [ + 44, + " - name: Publish to Registry\n" + ], + [ + 45, + " uses: docker/build-push-action@v2\n" + ], + [ + 46, + " with:\n" + ], + [ + 47, + " context: .\n" + ], + [ + 48, + " push: true\n" + ], + [ + 49, + " no-cache: true\n" + ], + [ + 50, + " tags: ${{ steps.prep.outputs.tags }}\n" + ], + [ + 51, + " labels: |\n" + ], + [ + 52, + " org.opencontainers.image.source=${{ github.event.repository.html_url }}\n" + ], + [ + 53, + " org.opencontainers.image.created=${{ steps.prep.outputs.created }}\n" + ], + [ + 54, + " org.opencontainers.image.revision=${{ github.sha }}\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": 
"/.github/workflows/publish-docker.yml", + "file_line_range": [ + 10, + 56 + ], + "resource": "jobs(build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "name": "Checkout", + "uses": "actions/checkout@master", + "__startline__": 13, + "__endline__": 15 + }, + { + "name": "Prepare", + "id": "prep", + "run": "DOCKER_IMAGE=nexmodev/station\nVERSION=edge\nif [[ $GITHUB_REF == refs/tags/* ]]; then\n VERSION=${GITHUB_REF#refs/tags/}\nelif [[ $GITHUB_REF == refs/heads/* ]]; then\n VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')\nelif [[ $GITHUB_REF == refs/pull/* ]]; then\n VERSION=pr-${{ github.event.number }}\nfi\nTAGS=\"${DOCKER_IMAGE}:${VERSION}\"\nif [ \"${{ github.event_name }}\" = \"push\" ]; then\n TAGS=\"$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}\"\nfi\necho ::set-output name=version::${VERSION}\necho ::set-output name=tags::${TAGS}\necho ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')\n", + "__startline__": 16, + "__endline__": 35 + }, + { + "name": "Set up Docker Buildx", + "uses": "docker/setup-buildx-action@v1", + "__startline__": 36, + "__endline__": 38 + }, + { + "name": "Login to DockerHub", + "uses": "docker/login-action@v1", + "with": { + 
"username": "${{ secrets.DOCKER_USERNAME }}", + "password": "${{ secrets.DOCKER_PASSWORD }}", + "__startline__": 42, + "__endline__": 44 + }, + "__startline__": 39, + "__endline__": 44 + }, + { + "name": "Publish to Registry", + "uses": "docker/build-push-action@v2", + "with": { + "context": ".", + "push": true, + "no-cache": true, + "tags": "${{ steps.prep.outputs.tags }}", + "labels": "org.opencontainers.image.source=${{ github.event.repository.html_url }}\norg.opencontainers.image.created=${{ steps.prep.outputs.created }}\norg.opencontainers.image.revision=${{ github.sha }}\n", + "__startline__": 47, + "__endline__": 55 + }, + "__startline__": 44, + "__endline__": 55 + } + ], + "__startline__": 10, + "__endline__": 55 + } + }, + "code_block": [ + [ + 10, + " runs-on: ubuntu-latest\n" + ], + [ + 11, + " steps:\n" + ], + [ + 12, + " -\n" + ], + [ + 13, + " name: Checkout\n" + ], + [ + 14, + " uses: actions/checkout@master\n" + ], + [ + 15, + " -\n" + ], + [ + 16, + " name: Prepare\n" + ], + [ + 17, + " id: prep\n" + ], + [ + 18, + " run: |\n" + ], + [ + 19, + " DOCKER_IMAGE=nexmodev/station\n" + ], + [ + 20, + " VERSION=edge\n" + ], + [ + 21, + " if [[ $GITHUB_REF == refs/tags/* ]]; then\n" + ], + [ + 22, + " VERSION=${GITHUB_REF#refs/tags/}\n" + ], + [ + 23, + " elif [[ $GITHUB_REF == refs/heads/* ]]; then\n" + ], + [ + 24, + " VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')\n" + ], + [ + 25, + " elif [[ $GITHUB_REF == refs/pull/* ]]; then\n" + ], + [ + 26, + " VERSION=pr-${{ github.event.number }}\n" + ], + [ + 27, + " fi\n" + ], + [ + 28, + " TAGS=\"${DOCKER_IMAGE}:${VERSION}\"\n" + ], + [ + 29, + " if [ \"${{ github.event_name }}\" = \"push\" ]; then\n" + ], + [ + 30, + " TAGS=\"$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}\"\n" + ], + [ + 31, + " fi\n" + ], + [ + 32, + " echo ::set-output name=version::${VERSION}\n" + ], + [ + 33, + " echo ::set-output name=tags::${TAGS}\n" + ], + [ + 34, + " echo ::set-output name=created::$(date -u 
+'%Y-%m-%dT%H:%M:%SZ')\n" + ], + [ + 35, + " -\n" + ], + [ + 36, + " name: Set up Docker Buildx\n" + ], + [ + 37, + " uses: docker/setup-buildx-action@v1\n" + ], + [ + 38, + " -\n" + ], + [ + 39, + " name: Login to DockerHub\n" + ], + [ + 40, + " uses: docker/login-action@v1\n" + ], + [ + 41, + " with:\n" + ], + [ + 42, + " username: ${{ secrets.DOCKER_USERNAME }}\n" + ], + [ + 43, + " password: ${{ secrets.DOCKER_PASSWORD }}\n" + ], + [ + 44, + " - name: Publish to Registry\n" + ], + [ + 45, + " uses: docker/build-push-action@v2\n" + ], + [ + 46, + " with:\n" + ], + [ + 47, + " context: .\n" + ], + [ + 48, + " push: true\n" + ], + [ + 49, + " no-cache: true\n" + ], + [ + 50, + " tags: ${{ steps.prep.outputs.tags }}\n" + ], + [ + 51, + " labels: |\n" + ], + [ + 52, + " org.opencontainers.image.source=${{ github.event.repository.html_url }}\n" + ], + [ + 53, + " org.opencontainers.image.created=${{ steps.prep.outputs.created }}\n" + ], + [ + 54, + " org.opencontainers.image.revision=${{ github.sha }}\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 10, + 56 + ], + "resource": "jobs(build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_7", + "bc_check_id": null, + "check_name": "The build output 
cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. ", + "check_result": { + "result": "PASSED", + "results_configuration": { + "push": { + "branches": [ + "master" + ], + "tags": [ + "*" + ], + "__startline__": 4, + "__endline__": 8 + }, + "__startline__": 3, + "__endline__": 8 + } + }, + "code_block": [ + [ + 3, + " push:\n" + ], + [ + 4, + " branches:\n" + ], + [ + 5, + " - master\n" + ], + [ + 6, + " tags:\n" + ], + [ + 7, + " - \"*\"\n" + ], + [ + 8, + "jobs:\n" + ], + [ + 9, + " build:\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 3, + 9 + ], + "resource": "on(Publish Docker)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.EmptyWorkflowDispatch", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Checkout", + "uses": "actions/checkout@master", + "__startline__": 13, + "__endline__": 15 + } + }, + "code_block": [ + [ + 13, + " name: Checkout\n" + ], + [ + 14, + " uses: actions/checkout@master\n" + ], + [ + 15, + " -\n" + ], + [ + 16, + " name: Prepare\n" + ] + 
], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 13, + 16 + ], + "resource": "jobs(build).steps[1](Checkout)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Prepare", + "id": "prep", + "run": "DOCKER_IMAGE=nexmodev/station\nVERSION=edge\nif [[ $GITHUB_REF == refs/tags/* ]]; then\n VERSION=${GITHUB_REF#refs/tags/}\nelif [[ $GITHUB_REF == refs/heads/* ]]; then\n VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')\nelif [[ $GITHUB_REF == refs/pull/* ]]; then\n VERSION=pr-${{ github.event.number }}\nfi\nTAGS=\"${DOCKER_IMAGE}:${VERSION}\"\nif [ \"${{ github.event_name }}\" = \"push\" ]; then\n TAGS=\"$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}\"\nfi\necho ::set-output name=version::${VERSION}\necho ::set-output name=tags::${TAGS}\necho ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')\n", + "__startline__": 16, + "__endline__": 35 + } + }, + "code_block": [ + [ + 16, + " name: Prepare\n" + ], + [ + 17, + " id: prep\n" + ], + [ + 18, + " run: |\n" + ], + [ + 19, + " 
DOCKER_IMAGE=nexmodev/station\n" + ], + [ + 20, + " VERSION=edge\n" + ], + [ + 21, + " if [[ $GITHUB_REF == refs/tags/* ]]; then\n" + ], + [ + 22, + " VERSION=${GITHUB_REF#refs/tags/}\n" + ], + [ + 23, + " elif [[ $GITHUB_REF == refs/heads/* ]]; then\n" + ], + [ + 24, + " VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')\n" + ], + [ + 25, + " elif [[ $GITHUB_REF == refs/pull/* ]]; then\n" + ], + [ + 26, + " VERSION=pr-${{ github.event.number }}\n" + ], + [ + 27, + " fi\n" + ], + [ + 28, + " TAGS=\"${DOCKER_IMAGE}:${VERSION}\"\n" + ], + [ + 29, + " if [ \"${{ github.event_name }}\" = \"push\" ]; then\n" + ], + [ + 30, + " TAGS=\"$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}\"\n" + ], + [ + 31, + " fi\n" + ], + [ + 32, + " echo ::set-output name=version::${VERSION}\n" + ], + [ + 33, + " echo ::set-output name=tags::${TAGS}\n" + ], + [ + 34, + " echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')\n" + ], + [ + 35, + " -\n" + ], + [ + 36, + " name: Set up Docker Buildx\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 16, + 36 + ], + "resource": "jobs(build).steps[2](Prepare)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure 
ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Set up Docker Buildx", + "uses": "docker/setup-buildx-action@v1", + "__startline__": 36, + "__endline__": 38 + } + }, + "code_block": [ + [ + 36, + " name: Set up Docker Buildx\n" + ], + [ + 37, + " uses: docker/setup-buildx-action@v1\n" + ], + [ + 38, + " -\n" + ], + [ + 39, + " name: Login to DockerHub\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 36, + 39 + ], + "resource": "jobs(build).steps[3](Set up Docker Buildx)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Login to DockerHub", + "uses": "docker/login-action@v1", + "with": { + "username": "${{ secrets.DOCKER_USERNAME }}", + "password": "${{ secrets.DOCKER_PASSWORD }}", + "__startline__": 42, + "__endline__": 44 + }, + "__startline__": 39, + "__endline__": 44 + } + }, + "code_block": [ + [ + 39, + " name: Login to DockerHub\n" + ], + [ + 40, + " uses: docker/login-action@v1\n" + 
], + [ + 41, + " with:\n" + ], + [ + 42, + " username: ${{ secrets.DOCKER_USERNAME }}\n" + ], + [ + 43, + " password: ${{ secrets.DOCKER_PASSWORD }}\n" + ], + [ + 44, + " - name: Publish to Registry\n" + ], + [ + 45, + " uses: docker/build-push-action@v2\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 39, + 45 + ], + "resource": "jobs(build).steps[4](Login to DockerHub)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Publish to Registry", + "uses": "docker/build-push-action@v2", + "with": { + "context": ".", + "push": true, + "no-cache": true, + "tags": "${{ steps.prep.outputs.tags }}", + "labels": "org.opencontainers.image.source=${{ github.event.repository.html_url }}\norg.opencontainers.image.created=${{ steps.prep.outputs.created }}\norg.opencontainers.image.revision=${{ github.sha }}\n", + "__startline__": 47, + "__endline__": 55 + }, + "__startline__": 44, + "__endline__": 55 + } + }, + "code_block": [ + [ + 44, + " - name: Publish to Registry\n" + ], + [ + 45, + " uses: 
docker/build-push-action@v2\n" + ], + [ + 46, + " with:\n" + ], + [ + 47, + " context: .\n" + ], + [ + 48, + " push: true\n" + ], + [ + 49, + " no-cache: true\n" + ], + [ + 50, + " tags: ${{ steps.prep.outputs.tags }}\n" + ], + [ + 51, + " labels: |\n" + ], + [ + 52, + " org.opencontainers.image.source=${{ github.event.repository.html_url }}\n" + ], + [ + 53, + " org.opencontainers.image.created=${{ steps.prep.outputs.created }}\n" + ], + [ + 54, + " org.opencontainers.image.revision=${{ github.sha }}\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 44, + 56 + ], + "resource": "jobs(build).steps[5](Publish to Registry)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Checkout", + "uses": "actions/checkout@master", + "__startline__": 13, + "__endline__": 15 + } + }, + "code_block": [ + [ + 13, + " name: Checkout\n" + ], + [ + 14, + " uses: actions/checkout@master\n" + ], + [ + 15, + " -\n" + ], + [ + 16, + " name: Prepare\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": 
"/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 13, + 16 + ], + "resource": "jobs(build).steps[1](Checkout)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Prepare", + "id": "prep", + "run": "DOCKER_IMAGE=nexmodev/station\nVERSION=edge\nif [[ $GITHUB_REF == refs/tags/* ]]; then\n VERSION=${GITHUB_REF#refs/tags/}\nelif [[ $GITHUB_REF == refs/heads/* ]]; then\n VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')\nelif [[ $GITHUB_REF == refs/pull/* ]]; then\n VERSION=pr-${{ github.event.number }}\nfi\nTAGS=\"${DOCKER_IMAGE}:${VERSION}\"\nif [ \"${{ github.event_name }}\" = \"push\" ]; then\n TAGS=\"$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}\"\nfi\necho ::set-output name=version::${VERSION}\necho ::set-output name=tags::${TAGS}\necho ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')\n", + "__startline__": 16, + "__endline__": 35 + } + }, + "code_block": [ + [ + 16, + " name: Prepare\n" + ], + [ + 17, + " id: prep\n" + ], + [ + 18, + " run: |\n" + ], + [ + 19, + " DOCKER_IMAGE=nexmodev/station\n" + ], + [ + 20, + " VERSION=edge\n" + ], + [ + 21, + " if [[ $GITHUB_REF == refs/tags/* ]]; then\n" + ], + [ 
+ 22, + " VERSION=${GITHUB_REF#refs/tags/}\n" + ], + [ + 23, + " elif [[ $GITHUB_REF == refs/heads/* ]]; then\n" + ], + [ + 24, + " VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')\n" + ], + [ + 25, + " elif [[ $GITHUB_REF == refs/pull/* ]]; then\n" + ], + [ + 26, + " VERSION=pr-${{ github.event.number }}\n" + ], + [ + 27, + " fi\n" + ], + [ + 28, + " TAGS=\"${DOCKER_IMAGE}:${VERSION}\"\n" + ], + [ + 29, + " if [ \"${{ github.event_name }}\" = \"push\" ]; then\n" + ], + [ + 30, + " TAGS=\"$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}\"\n" + ], + [ + 31, + " fi\n" + ], + [ + 32, + " echo ::set-output name=version::${VERSION}\n" + ], + [ + 33, + " echo ::set-output name=tags::${TAGS}\n" + ], + [ + 34, + " echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')\n" + ], + [ + 35, + " -\n" + ], + [ + 36, + " name: Set up Docker Buildx\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 16, + 36 + ], + "resource": "jobs(build).steps[2](Prepare)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Set up Docker Buildx", + 
"uses": "docker/setup-buildx-action@v1", + "__startline__": 36, + "__endline__": 38 + } + }, + "code_block": [ + [ + 36, + " name: Set up Docker Buildx\n" + ], + [ + 37, + " uses: docker/setup-buildx-action@v1\n" + ], + [ + 38, + " -\n" + ], + [ + 39, + " name: Login to DockerHub\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 36, + 39 + ], + "resource": "jobs(build).steps[3](Set up Docker Buildx)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Login to DockerHub", + "uses": "docker/login-action@v1", + "with": { + "username": "${{ secrets.DOCKER_USERNAME }}", + "password": "${{ secrets.DOCKER_PASSWORD }}", + "__startline__": 42, + "__endline__": 44 + }, + "__startline__": 39, + "__endline__": 44 + } + }, + "code_block": [ + [ + 39, + " name: Login to DockerHub\n" + ], + [ + 40, + " uses: docker/login-action@v1\n" + ], + [ + 41, + " with:\n" + ], + [ + 42, + " username: ${{ secrets.DOCKER_USERNAME }}\n" + ], + [ + 43, + " password: ${{ secrets.DOCKER_PASSWORD }}\n" + ], + [ + 44, + " - name: Publish to Registry\n" + ], + [ + 45, + " 
uses: docker/build-push-action@v2\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 39, + 45 + ], + "resource": "jobs(build).steps[4](Login to DockerHub)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Publish to Registry", + "uses": "docker/build-push-action@v2", + "with": { + "context": ".", + "push": true, + "no-cache": true, + "tags": "${{ steps.prep.outputs.tags }}", + "labels": "org.opencontainers.image.source=${{ github.event.repository.html_url }}\norg.opencontainers.image.created=${{ steps.prep.outputs.created }}\norg.opencontainers.image.revision=${{ github.sha }}\n", + "__startline__": 47, + "__endline__": 55 + }, + "__startline__": 44, + "__endline__": 55 + } + }, + "code_block": [ + [ + 44, + " - name: Publish to Registry\n" + ], + [ + 45, + " uses: docker/build-push-action@v2\n" + ], + [ + 46, + " with:\n" + ], + [ + 47, + " context: .\n" + ], + [ + 48, + " push: true\n" + ], + [ + 49, + " no-cache: true\n" + ], + [ + 50, + " tags: ${{ steps.prep.outputs.tags }}\n" + ], + [ + 51, + " labels: |\n" + ], + [ + 52, + " 
org.opencontainers.image.source=${{ github.event.repository.html_url }}\n" + ], + [ + 53, + " org.opencontainers.image.created=${{ steps.prep.outputs.created }}\n" + ], + [ + 54, + " org.opencontainers.image.revision=${{ github.sha }}\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 44, + 56 + ], + "resource": "jobs(build).steps[5](Publish to Registry)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Checkout", + "uses": "actions/checkout@master", + "__startline__": 13, + "__endline__": 15 + } + }, + "code_block": [ + [ + 13, + " name: Checkout\n" + ], + [ + 14, + " uses: actions/checkout@master\n" + ], + [ + 15, + " -\n" + ], + [ + 16, + " name: Prepare\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 13, + 16 + ], + "resource": "jobs(build).steps[1](Checkout)", + "evaluations": null, + "check_class": 
"checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Prepare", + "id": "prep", + "run": "DOCKER_IMAGE=nexmodev/station\nVERSION=edge\nif [[ $GITHUB_REF == refs/tags/* ]]; then\n VERSION=${GITHUB_REF#refs/tags/}\nelif [[ $GITHUB_REF == refs/heads/* ]]; then\n VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')\nelif [[ $GITHUB_REF == refs/pull/* ]]; then\n VERSION=pr-${{ github.event.number }}\nfi\nTAGS=\"${DOCKER_IMAGE}:${VERSION}\"\nif [ \"${{ github.event_name }}\" = \"push\" ]; then\n TAGS=\"$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}\"\nfi\necho ::set-output name=version::${VERSION}\necho ::set-output name=tags::${TAGS}\necho ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')\n", + "__startline__": 16, + "__endline__": 35 + } + }, + "code_block": [ + [ + 16, + " name: Prepare\n" + ], + [ + 17, + " id: prep\n" + ], + [ + 18, + " run: |\n" + ], + [ + 19, + " DOCKER_IMAGE=nexmodev/station\n" + ], + [ + 20, + " VERSION=edge\n" + ], + [ + 21, + " if [[ $GITHUB_REF == refs/tags/* ]]; then\n" + ], + [ + 22, + " VERSION=${GITHUB_REF#refs/tags/}\n" + ], + [ + 23, + " elif [[ $GITHUB_REF == refs/heads/* ]]; then\n" + ], + [ + 24, + " VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')\n" + ], + [ + 25, + " elif [[ 
$GITHUB_REF == refs/pull/* ]]; then\n" + ], + [ + 26, + " VERSION=pr-${{ github.event.number }}\n" + ], + [ + 27, + " fi\n" + ], + [ + 28, + " TAGS=\"${DOCKER_IMAGE}:${VERSION}\"\n" + ], + [ + 29, + " if [ \"${{ github.event_name }}\" = \"push\" ]; then\n" + ], + [ + 30, + " TAGS=\"$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}\"\n" + ], + [ + 31, + " fi\n" + ], + [ + 32, + " echo ::set-output name=version::${VERSION}\n" + ], + [ + 33, + " echo ::set-output name=tags::${TAGS}\n" + ], + [ + 34, + " echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')\n" + ], + [ + 35, + " -\n" + ], + [ + 36, + " name: Set up Docker Buildx\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 16, + 36 + ], + "resource": "jobs(build).steps[2](Prepare)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Set up Docker Buildx", + "uses": "docker/setup-buildx-action@v1", + "__startline__": 36, + "__endline__": 38 + } + }, + "code_block": [ + [ + 36, + " name: Set up Docker Buildx\n" + ], + [ + 37, + " uses: docker/setup-buildx-action@v1\n" + ], 
+ [ + 38, + " -\n" + ], + [ + 39, + " name: Login to DockerHub\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 36, + 39 + ], + "resource": "jobs(build).steps[3](Set up Docker Buildx)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Login to DockerHub", + "uses": "docker/login-action@v1", + "with": { + "username": "${{ secrets.DOCKER_USERNAME }}", + "password": "${{ secrets.DOCKER_PASSWORD }}", + "__startline__": 42, + "__endline__": 44 + }, + "__startline__": 39, + "__endline__": 44 + } + }, + "code_block": [ + [ + 39, + " name: Login to DockerHub\n" + ], + [ + 40, + " uses: docker/login-action@v1\n" + ], + [ + 41, + " with:\n" + ], + [ + 42, + " username: ${{ secrets.DOCKER_USERNAME }}\n" + ], + [ + 43, + " password: ${{ secrets.DOCKER_PASSWORD }}\n" + ], + [ + 44, + " - name: Publish to Registry\n" + ], + [ + 45, + " uses: docker/build-push-action@v2\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": 
"/.github/workflows/publish-docker.yml", + "file_line_range": [ + 39, + 45 + ], + "resource": "jobs(build).steps[4](Login to DockerHub)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Publish to Registry", + "uses": "docker/build-push-action@v2", + "with": { + "context": ".", + "push": true, + "no-cache": true, + "tags": "${{ steps.prep.outputs.tags }}", + "labels": "org.opencontainers.image.source=${{ github.event.repository.html_url }}\norg.opencontainers.image.created=${{ steps.prep.outputs.created }}\norg.opencontainers.image.revision=${{ github.sha }}\n", + "__startline__": 47, + "__endline__": 55 + }, + "__startline__": 44, + "__endline__": 55 + } + }, + "code_block": [ + [ + 44, + " - name: Publish to Registry\n" + ], + [ + 45, + " uses: docker/build-push-action@v2\n" + ], + [ + 46, + " with:\n" + ], + [ + 47, + " context: .\n" + ], + [ + 48, + " push: true\n" + ], + [ + 49, + " no-cache: true\n" + ], + [ + 50, + " tags: ${{ steps.prep.outputs.tags }}\n" + ], + [ + 51, + " labels: |\n" + ], + [ + 52, + " org.opencontainers.image.source=${{ github.event.repository.html_url }}\n" + ], + [ + 53, + " org.opencontainers.image.created=${{ steps.prep.outputs.created }}\n" + ], + [ + 54, + " 
org.opencontainers.image.revision=${{ github.sha }}\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 44, + 56 + ], + "resource": "jobs(build).steps[5](Publish to Registry)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Checkout", + "uses": "actions/checkout@master", + "__startline__": 13, + "__endline__": 15 + } + }, + "code_block": [ + [ + 13, + " name: Checkout\n" + ], + [ + 14, + " uses: actions/checkout@master\n" + ], + [ + 15, + " -\n" + ], + [ + 16, + " name: Prepare\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 13, + 16 + ], + "resource": "jobs(build).steps[1](Checkout)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + 
"benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Prepare", + "id": "prep", + "run": "DOCKER_IMAGE=nexmodev/station\nVERSION=edge\nif [[ $GITHUB_REF == refs/tags/* ]]; then\n VERSION=${GITHUB_REF#refs/tags/}\nelif [[ $GITHUB_REF == refs/heads/* ]]; then\n VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')\nelif [[ $GITHUB_REF == refs/pull/* ]]; then\n VERSION=pr-${{ github.event.number }}\nfi\nTAGS=\"${DOCKER_IMAGE}:${VERSION}\"\nif [ \"${{ github.event_name }}\" = \"push\" ]; then\n TAGS=\"$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}\"\nfi\necho ::set-output name=version::${VERSION}\necho ::set-output name=tags::${TAGS}\necho ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')\n", + "__startline__": 16, + "__endline__": 35 + } + }, + "code_block": [ + [ + 16, + " name: Prepare\n" + ], + [ + 17, + " id: prep\n" + ], + [ + 18, + " run: |\n" + ], + [ + 19, + " DOCKER_IMAGE=nexmodev/station\n" + ], + [ + 20, + " VERSION=edge\n" + ], + [ + 21, + " if [[ $GITHUB_REF == refs/tags/* ]]; then\n" + ], + [ + 22, + " VERSION=${GITHUB_REF#refs/tags/}\n" + ], + [ + 23, + " elif [[ $GITHUB_REF == refs/heads/* ]]; then\n" + ], + [ + 24, + " VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')\n" + ], + [ + 25, + " elif [[ $GITHUB_REF == refs/pull/* ]]; then\n" + ], + [ + 26, + " VERSION=pr-${{ github.event.number }}\n" + ], + [ + 27, + " fi\n" + ], + [ + 28, + " TAGS=\"${DOCKER_IMAGE}:${VERSION}\"\n" + ], + [ + 29, + " if [ \"${{ github.event_name }}\" = \"push\" ]; then\n" + ], + [ + 
30, + " TAGS=\"$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}\"\n" + ], + [ + 31, + " fi\n" + ], + [ + 32, + " echo ::set-output name=version::${VERSION}\n" + ], + [ + 33, + " echo ::set-output name=tags::${TAGS}\n" + ], + [ + 34, + " echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')\n" + ], + [ + 35, + " -\n" + ], + [ + 36, + " name: Set up Docker Buildx\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 16, + 36 + ], + "resource": "jobs(build).steps[2](Prepare)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Set up Docker Buildx", + "uses": "docker/setup-buildx-action@v1", + "__startline__": 36, + "__endline__": 38 + } + }, + "code_block": [ + [ + 36, + " name: Set up Docker Buildx\n" + ], + [ + 37, + " uses: docker/setup-buildx-action@v1\n" + ], + [ + 38, + " -\n" + ], + [ + 39, + " name: Login to DockerHub\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + 
"file_line_range": [ + 36, + 39 + ], + "resource": "jobs(build).steps[3](Set up Docker Buildx)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Login to DockerHub", + "uses": "docker/login-action@v1", + "with": { + "username": "${{ secrets.DOCKER_USERNAME }}", + "password": "${{ secrets.DOCKER_PASSWORD }}", + "__startline__": 42, + "__endline__": 44 + }, + "__startline__": 39, + "__endline__": 44 + } + }, + "code_block": [ + [ + 39, + " name: Login to DockerHub\n" + ], + [ + 40, + " uses: docker/login-action@v1\n" + ], + [ + 41, + " with:\n" + ], + [ + 42, + " username: ${{ secrets.DOCKER_USERNAME }}\n" + ], + [ + 43, + " password: ${{ secrets.DOCKER_PASSWORD }}\n" + ], + [ + 44, + " - name: Publish to Registry\n" + ], + [ + 45, + " uses: docker/build-push-action@v2\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 39, + 45 + ], + "resource": "jobs(build).steps[4](Login to DockerHub)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + 
"caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Publish to Registry", + "uses": "docker/build-push-action@v2", + "with": { + "context": ".", + "push": true, + "no-cache": true, + "tags": "${{ steps.prep.outputs.tags }}", + "labels": "org.opencontainers.image.source=${{ github.event.repository.html_url }}\norg.opencontainers.image.created=${{ steps.prep.outputs.created }}\norg.opencontainers.image.revision=${{ github.sha }}\n", + "__startline__": 47, + "__endline__": 55 + }, + "__startline__": 44, + "__endline__": 55 + } + }, + "code_block": [ + [ + 44, + " - name: Publish to Registry\n" + ], + [ + 45, + " uses: docker/build-push-action@v2\n" + ], + [ + 46, + " with:\n" + ], + [ + 47, + " context: .\n" + ], + [ + 48, + " push: true\n" + ], + [ + 49, + " no-cache: true\n" + ], + [ + 50, + " tags: ${{ steps.prep.outputs.tags }}\n" + ], + [ + 51, + " labels: |\n" + ], + [ + 52, + " org.opencontainers.image.source=${{ github.event.repository.html_url }}\n" + ], + [ + 53, + " org.opencontainers.image.created=${{ steps.prep.outputs.created }}\n" + ], + [ + 54, + " org.opencontainers.image.revision=${{ github.sha }}\n" + ] + ], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 44, + 56 + ], + "resource": 
"jobs(build).steps[5](Publish to Registry)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "name": "Create Review App", + "uses": "mheap/github-action-pr-heroku-review-app@v1", + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_PIPELINE_ID": "${{ secrets.HEROKU_PIPELINE_ID }}", + "HEROKU_API_TOKEN": "${{ secrets.HEROKU_API_TOKEN }}", + "__startline__": 12, + "__endline__": 15 + }, + "__startline__": 9, + "__endline__": 15 + } + ], + "__startline__": 7, + "__endline__": 15 + } + }, + "code_block": [ + [ + 7, + " runs-on: ubuntu-latest\n" + ], + [ + 8, + " steps:\n" + ], + [ + 9, + " - name: Create Review App\n" + ], + [ + 10, + " uses: mheap/github-action-pr-heroku-review-app@v1\n" + ], + [ + 11, + " env:\n" + ], + [ + 12, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 13, + " HEROKU_PIPELINE_ID: ${{ secrets.HEROKU_PIPELINE_ID }}\n" + ], + [ + 14, + " HEROKU_API_TOKEN: ${{ secrets.HEROKU_API_TOKEN }}\n" + ] + ], + "file_path": "/.github/workflows/pull_request-review.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/pull_request-review.yml", + "repo_file_path": 
"/.github/workflows/pull_request-review.yml", + "file_line_range": [ + 7, + 16 + ], + "resource": "jobs(create-review-app)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request_target" + ] + ], + "job": [ + "create-review-app" + ], + "workflow_name": "Review App" + }, + { + "check_id": "CKV_GHA_5", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sign execution in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "create-review-app": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "name": "Create Review App", + "uses": "mheap/github-action-pr-heroku-review-app@v1", + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_PIPELINE_ID": "${{ secrets.HEROKU_PIPELINE_ID }}", + "HEROKU_API_TOKEN": "${{ secrets.HEROKU_API_TOKEN }}", + "__startline__": 12, + "__endline__": 15 + }, + "__startline__": 9, + "__endline__": 15 + } + ], + "__startline__": 7, + "__endline__": 15 + }, + "__startline__": 6, + "__endline__": 15 + } + }, + "code_block": [ + [ + 6, + " create-review-app:\n" + ], + [ + 7, + " runs-on: ubuntu-latest\n" + ], + [ + 8, + " steps:\n" + ], + [ + 9, + " - name: Create Review App\n" + ], + [ + 10, + " uses: mheap/github-action-pr-heroku-review-app@v1\n" + ], + [ + 11, + " env:\n" + ], + [ + 12, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 13, + " HEROKU_PIPELINE_ID: ${{ secrets.HEROKU_PIPELINE_ID }}\n" + ], + [ + 14, + " HEROKU_API_TOKEN: ${{ 
secrets.HEROKU_API_TOKEN }}\n" + ] + ], + "file_path": "/.github/workflows/pull_request-review.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/pull_request-review.yml", + "repo_file_path": "/.github/workflows/pull_request-review.yml", + "file_line_range": [ + 6, + 16 + ], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignArtifacts", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request_target" + ] + ], + "job": [ + "create-review-app" + ], + "workflow_name": "Review App" + }, + { + "check_id": "CKV_GHA_6", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sbom attestation in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "create-review-app": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "name": "Create Review App", + "uses": "mheap/github-action-pr-heroku-review-app@v1", + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_PIPELINE_ID": "${{ secrets.HEROKU_PIPELINE_ID }}", + "HEROKU_API_TOKEN": "${{ secrets.HEROKU_API_TOKEN }}", + "__startline__": 12, + "__endline__": 15 + }, + "__startline__": 9, + "__endline__": 15 + } + ], + "__startline__": 7, + "__endline__": 15 + }, + "__startline__": 6, + "__endline__": 15 + } + }, + "code_block": [ + [ + 6, + " create-review-app:\n" + ], + [ + 7, + " runs-on: ubuntu-latest\n" + ], + [ + 8, + " steps:\n" + ], + [ + 9, + " - name: Create Review App\n" + ], + [ + 10, + " uses: mheap/github-action-pr-heroku-review-app@v1\n" + ], + [ + 11, + " env:\n" + ], + [ + 12, + " 
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 13, + " HEROKU_PIPELINE_ID: ${{ secrets.HEROKU_PIPELINE_ID }}\n" + ], + [ + 14, + " HEROKU_API_TOKEN: ${{ secrets.HEROKU_API_TOKEN }}\n" + ] + ], + "file_path": "/.github/workflows/pull_request-review.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/pull_request-review.yml", + "repo_file_path": "/.github/workflows/pull_request-review.yml", + "file_line_range": [ + 6, + 16 + ], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignSBOM", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request_target" + ] + ], + "job": [ + "create-review-app" + ], + "workflow_name": "Review App" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "name": "Create Review App", + "uses": "mheap/github-action-pr-heroku-review-app@v1", + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_PIPELINE_ID": "${{ secrets.HEROKU_PIPELINE_ID }}", + "HEROKU_API_TOKEN": "${{ secrets.HEROKU_API_TOKEN }}", + "__startline__": 12, + "__endline__": 15 + }, + "__startline__": 9, + "__endline__": 15 + } + ], + "__startline__": 7, + "__endline__": 15 + } + }, + "code_block": [ + [ + 7, + " runs-on: ubuntu-latest\n" + ], + [ + 8, + " steps:\n" + ], + [ + 9, + " - name: Create Review App\n" + ], + [ + 10, + " uses: mheap/github-action-pr-heroku-review-app@v1\n" + ], + [ + 11, + " env:\n" + ], + [ + 12, 
+ " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 13, + " HEROKU_PIPELINE_ID: ${{ secrets.HEROKU_PIPELINE_ID }}\n" + ], + [ + 14, + " HEROKU_API_TOKEN: ${{ secrets.HEROKU_API_TOKEN }}\n" + ] + ], + "file_path": "/.github/workflows/pull_request-review.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/pull_request-review.yml", + "repo_file_path": "/.github/workflows/pull_request-review.yml", + "file_line_range": [ + 7, + 16 + ], + "resource": "jobs(create-review-app)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request_target" + ] + ], + "job": [ + "create-review-app" + ], + "workflow_name": "Review App" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "name": "Create Review App", + "uses": "mheap/github-action-pr-heroku-review-app@v1", + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_PIPELINE_ID": "${{ secrets.HEROKU_PIPELINE_ID }}", + "HEROKU_API_TOKEN": "${{ secrets.HEROKU_API_TOKEN }}", + "__startline__": 12, + "__endline__": 15 + }, + "__startline__": 9, + "__endline__": 15 + } + ], + "__startline__": 7, + "__endline__": 15 + } + }, + "code_block": [ + [ + 7, + " runs-on: ubuntu-latest\n" + ], + [ + 8, + " steps:\n" + ], + [ + 9, + " - name: Create Review App\n" + ], + [ + 10, + " uses: 
mheap/github-action-pr-heroku-review-app@v1\n" + ], + [ + 11, + " env:\n" + ], + [ + 12, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 13, + " HEROKU_PIPELINE_ID: ${{ secrets.HEROKU_PIPELINE_ID }}\n" + ], + [ + 14, + " HEROKU_API_TOKEN: ${{ secrets.HEROKU_API_TOKEN }}\n" + ] + ], + "file_path": "/.github/workflows/pull_request-review.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/pull_request-review.yml", + "repo_file_path": "/.github/workflows/pull_request-review.yml", + "file_line_range": [ + 7, + 16 + ], + "resource": "jobs(create-review-app)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request_target" + ] + ], + "job": [ + "create-review-app" + ], + "workflow_name": "Review App" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "name": "Create Review App", + "uses": "mheap/github-action-pr-heroku-review-app@v1", + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_PIPELINE_ID": "${{ secrets.HEROKU_PIPELINE_ID }}", + "HEROKU_API_TOKEN": "${{ secrets.HEROKU_API_TOKEN }}", + "__startline__": 12, + "__endline__": 15 + }, + "__startline__": 9, + "__endline__": 15 + } + ], + "__startline__": 7, + "__endline__": 15 + } + }, + "code_block": [ + [ + 7, + " runs-on: ubuntu-latest\n" + ], + [ + 8, + " steps:\n" + ], + [ + 9, + " - name: Create Review App\n" + 
], + [ + 10, + " uses: mheap/github-action-pr-heroku-review-app@v1\n" + ], + [ + 11, + " env:\n" + ], + [ + 12, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 13, + " HEROKU_PIPELINE_ID: ${{ secrets.HEROKU_PIPELINE_ID }}\n" + ], + [ + 14, + " HEROKU_API_TOKEN: ${{ secrets.HEROKU_API_TOKEN }}\n" + ] + ], + "file_path": "/.github/workflows/pull_request-review.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/pull_request-review.yml", + "repo_file_path": "/.github/workflows/pull_request-review.yml", + "file_line_range": [ + 7, + 16 + ], + "resource": "jobs(create-review-app)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request_target" + ] + ], + "job": [ + "create-review-app" + ], + "workflow_name": "Review App" + }, + { + "check_id": "CKV_GHA_7", + "bc_check_id": null, + "check_name": "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. 
", + "check_result": { + "result": "PASSED", + "results_configuration": { + "pull_request_target": { + "types": [ + "opened", + "reopened", + "synchronize", + "labeled", + "closed" + ], + "__startline__": 4, + "__endline__": 5 + }, + "__startline__": 3, + "__endline__": 5 + } + }, + "code_block": [ + [ + 3, + " pull_request_target:\n" + ], + [ + 4, + " types: [opened, reopened, synchronize, labeled, closed]\n" + ], + [ + 5, + "jobs:\n" + ], + [ + 6, + " create-review-app:\n" + ] + ], + "file_path": "/.github/workflows/pull_request-review.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/pull_request-review.yml", + "repo_file_path": "/.github/workflows/pull_request-review.yml", + "file_line_range": [ + 3, + 6 + ], + "resource": "on(Review App)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.EmptyWorkflowDispatch", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request_target" + ] + ], + "job": [ + "" + ], + "workflow_name": "Review App" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Create Review App", + "uses": "mheap/github-action-pr-heroku-review-app@v1", + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_PIPELINE_ID": "${{ secrets.HEROKU_PIPELINE_ID }}", + "HEROKU_API_TOKEN": "${{ secrets.HEROKU_API_TOKEN }}", + "__startline__": 12, + "__endline__": 15 + }, + "__startline__": 9, + "__endline__": 15 + } + }, + "code_block": [ + 
[ + 9, + " - name: Create Review App\n" + ], + [ + 10, + " uses: mheap/github-action-pr-heroku-review-app@v1\n" + ], + [ + 11, + " env:\n" + ], + [ + 12, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 13, + " HEROKU_PIPELINE_ID: ${{ secrets.HEROKU_PIPELINE_ID }}\n" + ], + [ + 14, + " HEROKU_API_TOKEN: ${{ secrets.HEROKU_API_TOKEN }}\n" + ] + ], + "file_path": "/.github/workflows/pull_request-review.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/pull_request-review.yml", + "repo_file_path": "/.github/workflows/pull_request-review.yml", + "file_line_range": [ + 9, + 16 + ], + "resource": "jobs(create-review-app).steps[1](Create Review App)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request_target" + ] + ], + "job": [ + "create-review-app" + ], + "workflow_name": "Review App" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Create Review App", + "uses": "mheap/github-action-pr-heroku-review-app@v1", + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_PIPELINE_ID": "${{ secrets.HEROKU_PIPELINE_ID }}", + "HEROKU_API_TOKEN": "${{ secrets.HEROKU_API_TOKEN }}", + "__startline__": 12, + "__endline__": 15 + }, + "__startline__": 9, + "__endline__": 15 + } + }, + "code_block": [ + [ + 9, + " - name: Create Review App\n" + ], + [ + 10, + " uses: 
mheap/github-action-pr-heroku-review-app@v1\n" + ], + [ + 11, + " env:\n" + ], + [ + 12, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 13, + " HEROKU_PIPELINE_ID: ${{ secrets.HEROKU_PIPELINE_ID }}\n" + ], + [ + 14, + " HEROKU_API_TOKEN: ${{ secrets.HEROKU_API_TOKEN }}\n" + ] + ], + "file_path": "/.github/workflows/pull_request-review.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/pull_request-review.yml", + "repo_file_path": "/.github/workflows/pull_request-review.yml", + "file_line_range": [ + 9, + 16 + ], + "resource": "jobs(create-review-app).steps[1](Create Review App)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request_target" + ] + ], + "job": [ + "create-review-app" + ], + "workflow_name": "Review App" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Create Review App", + "uses": "mheap/github-action-pr-heroku-review-app@v1", + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_PIPELINE_ID": "${{ secrets.HEROKU_PIPELINE_ID }}", + "HEROKU_API_TOKEN": "${{ secrets.HEROKU_API_TOKEN }}", + "__startline__": 12, + "__endline__": 15 + }, + "__startline__": 9, + "__endline__": 15 + } + }, + "code_block": [ + [ + 9, + " - name: Create Review App\n" + ], + [ + 10, + " uses: mheap/github-action-pr-heroku-review-app@v1\n" + ], + [ + 11, + " env:\n" + ], + [ + 12, + " 
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 13, + " HEROKU_PIPELINE_ID: ${{ secrets.HEROKU_PIPELINE_ID }}\n" + ], + [ + 14, + " HEROKU_API_TOKEN: ${{ secrets.HEROKU_API_TOKEN }}\n" + ] + ], + "file_path": "/.github/workflows/pull_request-review.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/pull_request-review.yml", + "repo_file_path": "/.github/workflows/pull_request-review.yml", + "file_line_range": [ + 9, + 16 + ], + "resource": "jobs(create-review-app).steps[1](Create Review App)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request_target" + ] + ], + "job": [ + "create-review-app" + ], + "workflow_name": "Review App" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Create Review App", + "uses": "mheap/github-action-pr-heroku-review-app@v1", + "env": { + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "HEROKU_PIPELINE_ID": "${{ secrets.HEROKU_PIPELINE_ID }}", + "HEROKU_API_TOKEN": "${{ secrets.HEROKU_API_TOKEN }}", + "__startline__": 12, + "__endline__": 15 + }, + "__startline__": 9, + "__endline__": 15 + } + }, + "code_block": [ + [ + 9, + " - name: Create Review App\n" + ], + [ + 10, + " uses: mheap/github-action-pr-heroku-review-app@v1\n" + ], + [ + 11, + " env:\n" + ], + [ + 12, + " GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 13, + " HEROKU_PIPELINE_ID: ${{ secrets.HEROKU_PIPELINE_ID }}\n" 
+ ], + [ + 14, + " HEROKU_API_TOKEN: ${{ secrets.HEROKU_API_TOKEN }}\n" + ] + ], + "file_path": "/.github/workflows/pull_request-review.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/pull_request-review.yml", + "repo_file_path": "/.github/workflows/pull_request-review.yml", + "file_line_range": [ + 9, + 16 + ], + "resource": "jobs(create-review-app).steps[1](Create Review App)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request_target" + ] + ], + "job": [ + "create-review-app" + ], + "workflow_name": "Review App" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-18.04", + "steps": [ + { + "uses": "actions/checkout@v2", + "__startline__": 12, + "__endline__": 14 + }, + { + "uses": "actions/setup-node@v1", + "with": { + "node-version": "12.x", + "__startline__": 16, + "__endline__": 17 + }, + "__startline__": 14, + "__endline__": 17 + }, + { + "name": "Find yarn cache location", + "id": "yarn-cache", + "run": "echo \"::set-output name=dir::$(yarn cache dir)\"", + "__startline__": 17, + "__endline__": 20 + }, + { + "name": "JS package cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.yarn-cache.outputs.dir }}", + "key": "${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}", + "restore-keys": "${{ runner.os }}-yarn-\n", + "__startline__": 23, + 
"__endline__": 27 + }, + "__startline__": 20, + "__endline__": 27 + }, + { + "name": "Install packages", + "run": "yarn install --pure-lockfile\n", + "__startline__": 27, + "__endline__": 30 + }, + { + "name": "Set up Ruby 3.0.0", + "uses": "ruby/setup-ruby@v1", + "with": { + "ruby-version": "3.0.0", + "__startline__": 33, + "__endline__": 34 + }, + "__startline__": 30, + "__endline__": 34 + }, + { + "name": "Ruby gem cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ github.workspace }}/vendor/bundle", + "key": "${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}", + "restore-keys": "${{ runner.os }}-gems-\n", + "__startline__": 37, + "__endline__": 41 + }, + "__startline__": 34, + "__endline__": 41 + }, + { + "name": "Install postgres headers", + "run": "sudo apt-get -yqq install libpq-dev", + "__startline__": 41, + "__endline__": 43 + }, + { + "name": "Bundle Setup", + "run": "gem update --system 3.1.4 -N\ngem install --no-document bundler\nbundle config path ${{ github.workspace }}/vendor/bundle\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 43, + "__endline__": 49 + }, + { + "name": "Bundle Install", + "env": { + "POSTGRES_USERNAME": "postgres", + "__startline__": 51, + "__endline__": 52 + }, + "run": "bundle install --jobs 4 --retry 3\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 49, + "__endline__": 56 + }, + { + "name": "Precompile assets", + "env": { + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "production", + "__startline__": 58, + "__endline__": 62 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 56, + "__endline__": 65 + }, + { + "name": "Set Credentials", + "run": "mkdir -p $HOME/.gem\ntouch $HOME/.gem/credentials\nchmod 0600 $HOME/.gem/credentials\nprintf -- \"---\\n:github: Bearer ${GITHUB_TOKEN}\\n:rubygems_api_key: ${RUBYGEMS_API_KEY}\\n\" > 
$HOME/.gem/credentials\n", + "env": { + "GITHUB_TOKEN": "${{secrets.GITHUB_TOKEN}}", + "RUBYGEMS_API_KEY": "${{secrets.RUBYGEMS_API_KEY}}", + "__startline__": 72, + "__endline__": 75 + }, + "__startline__": 65, + "__endline__": 75 + }, + { + "name": "Publish to GitHub Packages", + "run": "export OWNER=$( echo ${{ github.repository }} | cut -d \"/\" -f 1 )\ngem build station.gemspec\ngem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem\ngem push *.gem\n", + "__startline__": 75, + "__endline__": 81 + } + ], + "__startline__": 9, + "__endline__": 81 + } + }, + "code_block": [ + [ + 9, + " runs-on: ubuntu-18.04\n" + ], + [ + 10, + "\n" + ], + [ + 11, + " steps:\n" + ], + [ + 12, + " - uses: actions/checkout@v2\n" + ], + [ + 13, + "\n" + ], + [ + 14, + " - uses: actions/setup-node@v1\n" + ], + [ + 15, + " with:\n" + ], + [ + 16, + " node-version: \"12.x\"\n" + ], + [ + 17, + " - name: Find yarn cache location\n" + ], + [ + 18, + " id: yarn-cache\n" + ], + [ + 19, + " run: echo \"::set-output name=dir::$(yarn cache dir)\"\n" + ], + [ + 20, + " - name: JS package cache\n" + ], + [ + 21, + " uses: actions/cache@v2\n" + ], + [ + 22, + " with:\n" + ], + [ + 23, + " path: ${{ steps.yarn-cache.outputs.dir }}\n" + ], + [ + 24, + " key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}\n" + ], + [ + 25, + " restore-keys: |\n" + ], + [ + 26, + " ${{ runner.os }}-yarn-\n" + ], + [ + 27, + " - name: Install packages\n" + ], + [ + 28, + " run: |\n" + ], + [ + 29, + " yarn install --pure-lockfile\n" + ], + [ + 30, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 31, + " uses: ruby/setup-ruby@v1\n" + ], + [ + 32, + " with:\n" + ], + [ + 33, + " ruby-version: 3.0.0\n" + ], + [ + 34, + " - name: Ruby gem cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ], + [ + 36, + " with:\n" + ], + [ + 37, + " path: ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 38, + " key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}\n" + ], + [ + 39, + " 
restore-keys: |\n" + ], + [ + 40, + " ${{ runner.os }}-gems-\n" + ], + [ + 41, + " - name: Install postgres headers\n" + ], + [ + 42, + " run: sudo apt-get -yqq install libpq-dev\n" + ], + [ + 43, + " - name: Bundle Setup\n" + ], + [ + 44, + " run: |\n" + ], + [ + 45, + " gem update --system 3.1.4 -N\n" + ], + [ + 46, + " gem install --no-document bundler\n" + ], + [ + 47, + " bundle config path ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 48, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 49, + " - name: Bundle Install\n" + ], + [ + 50, + " env:\n" + ], + [ + 51, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 52, + " run: |\n" + ], + [ + 53, + " bundle install --jobs 4 --retry 3\n" + ], + [ + 54, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 55, + "\n" + ], + [ + 56, + " - name: Precompile assets\n" + ], + [ + 57, + " env:\n" + ], + [ + 58, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 59, + " DISABLE_SSL: 1\n" + ], + [ + 60, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 61, + " RAILS_ENV: production\n" + ], + [ + 62, + " run: bundle exec rails assets:precompile\n" + ], + [ + 63, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 64, + "\n" + ], + [ + 65, + " - name: Set Credentials\n" + ], + [ + 66, + " run: |\n" + ], + [ + 67, + " mkdir -p $HOME/.gem\n" + ], + [ + 68, + " touch $HOME/.gem/credentials\n" + ], + [ + 69, + " chmod 0600 $HOME/.gem/credentials\n" + ], + [ + 70, + " printf -- \"---\\n:github: Bearer ${GITHUB_TOKEN}\\n:rubygems_api_key: ${RUBYGEMS_API_KEY}\\n\" > $HOME/.gem/credentials\n" + ], + [ + 71, + " env:\n" + ], + [ + 72, + " GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}\n" + ], + [ + 73, + " RUBYGEMS_API_KEY: ${{secrets.RUBYGEMS_API_KEY}}\n" + ], + [ + 74, + "\n" + ], + [ + 75, + " - name: Publish to GitHub Packages\n" + ], + [ + 76, + " run: |\n" + ], + [ + 77, + " export OWNER=$( echo ${{ github.repository }} | cut -d \"/\" -f 1 )\n" + ], + [ + 78, + " gem build station.gemspec\n" + ], + [ + 79, + " gem push --KEY 
github --host https://rubygems.pkg.github.com/${OWNER} *.gem\n" + ], + [ + 80, + " gem push *.gem\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 9, + 82 + ], + "resource": "jobs(build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_5", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sign execution in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "build": { + "runs-on": "ubuntu-18.04", + "steps": [ + { + "uses": "actions/checkout@v2", + "__startline__": 12, + "__endline__": 14 + }, + { + "uses": "actions/setup-node@v1", + "with": { + "node-version": "12.x", + "__startline__": 16, + "__endline__": 17 + }, + "__startline__": 14, + "__endline__": 17 + }, + { + "name": "Find yarn cache location", + "id": "yarn-cache", + "run": "echo \"::set-output name=dir::$(yarn cache dir)\"", + "__startline__": 17, + "__endline__": 20 + }, + { + "name": "JS package cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.yarn-cache.outputs.dir }}", + "key": "${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}", + "restore-keys": "${{ runner.os }}-yarn-\n", + "__startline__": 23, + "__endline__": 27 + }, + "__startline__": 20, + 
"__endline__": 27 + }, + { + "name": "Install packages", + "run": "yarn install --pure-lockfile\n", + "__startline__": 27, + "__endline__": 30 + }, + { + "name": "Set up Ruby 3.0.0", + "uses": "ruby/setup-ruby@v1", + "with": { + "ruby-version": "3.0.0", + "__startline__": 33, + "__endline__": 34 + }, + "__startline__": 30, + "__endline__": 34 + }, + { + "name": "Ruby gem cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ github.workspace }}/vendor/bundle", + "key": "${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}", + "restore-keys": "${{ runner.os }}-gems-\n", + "__startline__": 37, + "__endline__": 41 + }, + "__startline__": 34, + "__endline__": 41 + }, + { + "name": "Install postgres headers", + "run": "sudo apt-get -yqq install libpq-dev", + "__startline__": 41, + "__endline__": 43 + }, + { + "name": "Bundle Setup", + "run": "gem update --system 3.1.4 -N\ngem install --no-document bundler\nbundle config path ${{ github.workspace }}/vendor/bundle\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 43, + "__endline__": 49 + }, + { + "name": "Bundle Install", + "env": { + "POSTGRES_USERNAME": "postgres", + "__startline__": 51, + "__endline__": 52 + }, + "run": "bundle install --jobs 4 --retry 3\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 49, + "__endline__": 56 + }, + { + "name": "Precompile assets", + "env": { + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "production", + "__startline__": 58, + "__endline__": 62 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 56, + "__endline__": 65 + }, + { + "name": "Set Credentials", + "run": "mkdir -p $HOME/.gem\ntouch $HOME/.gem/credentials\nchmod 0600 $HOME/.gem/credentials\nprintf -- \"---\\n:github: Bearer ${GITHUB_TOKEN}\\n:rubygems_api_key: ${RUBYGEMS_API_KEY}\\n\" > $HOME/.gem/credentials\n", + "env": { + "GITHUB_TOKEN": 
"${{secrets.GITHUB_TOKEN}}", + "RUBYGEMS_API_KEY": "${{secrets.RUBYGEMS_API_KEY}}", + "__startline__": 72, + "__endline__": 75 + }, + "__startline__": 65, + "__endline__": 75 + }, + { + "name": "Publish to GitHub Packages", + "run": "export OWNER=$( echo ${{ github.repository }} | cut -d \"/\" -f 1 )\ngem build station.gemspec\ngem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem\ngem push *.gem\n", + "__startline__": 75, + "__endline__": 81 + } + ], + "__startline__": 9, + "__endline__": 81 + }, + "__startline__": 8, + "__endline__": 81 + } + }, + "code_block": [ + [ + 8, + " build:\n" + ], + [ + 9, + " runs-on: ubuntu-18.04\n" + ], + [ + 10, + "\n" + ], + [ + 11, + " steps:\n" + ], + [ + 12, + " - uses: actions/checkout@v2\n" + ], + [ + 13, + "\n" + ], + [ + 14, + " - uses: actions/setup-node@v1\n" + ], + [ + 15, + " with:\n" + ], + [ + 16, + " node-version: \"12.x\"\n" + ], + [ + 17, + " - name: Find yarn cache location\n" + ], + [ + 18, + " id: yarn-cache\n" + ], + [ + 19, + " run: echo \"::set-output name=dir::$(yarn cache dir)\"\n" + ], + [ + 20, + " - name: JS package cache\n" + ], + [ + 21, + " uses: actions/cache@v2\n" + ], + [ + 22, + " with:\n" + ], + [ + 23, + " path: ${{ steps.yarn-cache.outputs.dir }}\n" + ], + [ + 24, + " key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}\n" + ], + [ + 25, + " restore-keys: |\n" + ], + [ + 26, + " ${{ runner.os }}-yarn-\n" + ], + [ + 27, + " - name: Install packages\n" + ], + [ + 28, + " run: |\n" + ], + [ + 29, + " yarn install --pure-lockfile\n" + ], + [ + 30, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 31, + " uses: ruby/setup-ruby@v1\n" + ], + [ + 32, + " with:\n" + ], + [ + 33, + " ruby-version: 3.0.0\n" + ], + [ + 34, + " - name: Ruby gem cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ], + [ + 36, + " with:\n" + ], + [ + 37, + " path: ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 38, + " key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}\n" + ], + [ + 
39, + " restore-keys: |\n" + ], + [ + 40, + " ${{ runner.os }}-gems-\n" + ], + [ + 41, + " - name: Install postgres headers\n" + ], + [ + 42, + " run: sudo apt-get -yqq install libpq-dev\n" + ], + [ + 43, + " - name: Bundle Setup\n" + ], + [ + 44, + " run: |\n" + ], + [ + 45, + " gem update --system 3.1.4 -N\n" + ], + [ + 46, + " gem install --no-document bundler\n" + ], + [ + 47, + " bundle config path ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 48, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 49, + " - name: Bundle Install\n" + ], + [ + 50, + " env:\n" + ], + [ + 51, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 52, + " run: |\n" + ], + [ + 53, + " bundle install --jobs 4 --retry 3\n" + ], + [ + 54, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 55, + "\n" + ], + [ + 56, + " - name: Precompile assets\n" + ], + [ + 57, + " env:\n" + ], + [ + 58, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 59, + " DISABLE_SSL: 1\n" + ], + [ + 60, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 61, + " RAILS_ENV: production\n" + ], + [ + 62, + " run: bundle exec rails assets:precompile\n" + ], + [ + 63, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 64, + "\n" + ], + [ + 65, + " - name: Set Credentials\n" + ], + [ + 66, + " run: |\n" + ], + [ + 67, + " mkdir -p $HOME/.gem\n" + ], + [ + 68, + " touch $HOME/.gem/credentials\n" + ], + [ + 69, + " chmod 0600 $HOME/.gem/credentials\n" + ], + [ + 70, + " printf -- \"---\\n:github: Bearer ${GITHUB_TOKEN}\\n:rubygems_api_key: ${RUBYGEMS_API_KEY}\\n\" > $HOME/.gem/credentials\n" + ], + [ + 71, + " env:\n" + ], + [ + 72, + " GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}\n" + ], + [ + 73, + " RUBYGEMS_API_KEY: ${{secrets.RUBYGEMS_API_KEY}}\n" + ], + [ + 74, + "\n" + ], + [ + 75, + " - name: Publish to GitHub Packages\n" + ], + [ + 76, + " run: |\n" + ], + [ + 77, + " export OWNER=$( echo ${{ github.repository }} | cut -d \"/\" -f 1 )\n" + ], + [ + 78, + " gem build station.gemspec\n" + ], + [ + 79, + " gem 
push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem\n" + ], + [ + 80, + " gem push *.gem\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 8, + 82 + ], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignArtifacts", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_6", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sbom attestation in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "build": { + "runs-on": "ubuntu-18.04", + "steps": [ + { + "uses": "actions/checkout@v2", + "__startline__": 12, + "__endline__": 14 + }, + { + "uses": "actions/setup-node@v1", + "with": { + "node-version": "12.x", + "__startline__": 16, + "__endline__": 17 + }, + "__startline__": 14, + "__endline__": 17 + }, + { + "name": "Find yarn cache location", + "id": "yarn-cache", + "run": "echo \"::set-output name=dir::$(yarn cache dir)\"", + "__startline__": 17, + "__endline__": 20 + }, + { + "name": "JS package cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.yarn-cache.outputs.dir }}", + "key": "${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}", + "restore-keys": "${{ runner.os }}-yarn-\n", + "__startline__": 23, + "__endline__": 27 + }, + "__startline__": 20, + 
"__endline__": 27 + }, + { + "name": "Install packages", + "run": "yarn install --pure-lockfile\n", + "__startline__": 27, + "__endline__": 30 + }, + { + "name": "Set up Ruby 3.0.0", + "uses": "ruby/setup-ruby@v1", + "with": { + "ruby-version": "3.0.0", + "__startline__": 33, + "__endline__": 34 + }, + "__startline__": 30, + "__endline__": 34 + }, + { + "name": "Ruby gem cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ github.workspace }}/vendor/bundle", + "key": "${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}", + "restore-keys": "${{ runner.os }}-gems-\n", + "__startline__": 37, + "__endline__": 41 + }, + "__startline__": 34, + "__endline__": 41 + }, + { + "name": "Install postgres headers", + "run": "sudo apt-get -yqq install libpq-dev", + "__startline__": 41, + "__endline__": 43 + }, + { + "name": "Bundle Setup", + "run": "gem update --system 3.1.4 -N\ngem install --no-document bundler\nbundle config path ${{ github.workspace }}/vendor/bundle\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 43, + "__endline__": 49 + }, + { + "name": "Bundle Install", + "env": { + "POSTGRES_USERNAME": "postgres", + "__startline__": 51, + "__endline__": 52 + }, + "run": "bundle install --jobs 4 --retry 3\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 49, + "__endline__": 56 + }, + { + "name": "Precompile assets", + "env": { + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "production", + "__startline__": 58, + "__endline__": 62 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 56, + "__endline__": 65 + }, + { + "name": "Set Credentials", + "run": "mkdir -p $HOME/.gem\ntouch $HOME/.gem/credentials\nchmod 0600 $HOME/.gem/credentials\nprintf -- \"---\\n:github: Bearer ${GITHUB_TOKEN}\\n:rubygems_api_key: ${RUBYGEMS_API_KEY}\\n\" > $HOME/.gem/credentials\n", + "env": { + "GITHUB_TOKEN": 
"${{secrets.GITHUB_TOKEN}}", + "RUBYGEMS_API_KEY": "${{secrets.RUBYGEMS_API_KEY}}", + "__startline__": 72, + "__endline__": 75 + }, + "__startline__": 65, + "__endline__": 75 + }, + { + "name": "Publish to GitHub Packages", + "run": "export OWNER=$( echo ${{ github.repository }} | cut -d \"/\" -f 1 )\ngem build station.gemspec\ngem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem\ngem push *.gem\n", + "__startline__": 75, + "__endline__": 81 + } + ], + "__startline__": 9, + "__endline__": 81 + }, + "__startline__": 8, + "__endline__": 81 + } + }, + "code_block": [ + [ + 8, + " build:\n" + ], + [ + 9, + " runs-on: ubuntu-18.04\n" + ], + [ + 10, + "\n" + ], + [ + 11, + " steps:\n" + ], + [ + 12, + " - uses: actions/checkout@v2\n" + ], + [ + 13, + "\n" + ], + [ + 14, + " - uses: actions/setup-node@v1\n" + ], + [ + 15, + " with:\n" + ], + [ + 16, + " node-version: \"12.x\"\n" + ], + [ + 17, + " - name: Find yarn cache location\n" + ], + [ + 18, + " id: yarn-cache\n" + ], + [ + 19, + " run: echo \"::set-output name=dir::$(yarn cache dir)\"\n" + ], + [ + 20, + " - name: JS package cache\n" + ], + [ + 21, + " uses: actions/cache@v2\n" + ], + [ + 22, + " with:\n" + ], + [ + 23, + " path: ${{ steps.yarn-cache.outputs.dir }}\n" + ], + [ + 24, + " key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}\n" + ], + [ + 25, + " restore-keys: |\n" + ], + [ + 26, + " ${{ runner.os }}-yarn-\n" + ], + [ + 27, + " - name: Install packages\n" + ], + [ + 28, + " run: |\n" + ], + [ + 29, + " yarn install --pure-lockfile\n" + ], + [ + 30, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 31, + " uses: ruby/setup-ruby@v1\n" + ], + [ + 32, + " with:\n" + ], + [ + 33, + " ruby-version: 3.0.0\n" + ], + [ + 34, + " - name: Ruby gem cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ], + [ + 36, + " with:\n" + ], + [ + 37, + " path: ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 38, + " key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}\n" + ], + [ + 
39, + " restore-keys: |\n" + ], + [ + 40, + " ${{ runner.os }}-gems-\n" + ], + [ + 41, + " - name: Install postgres headers\n" + ], + [ + 42, + " run: sudo apt-get -yqq install libpq-dev\n" + ], + [ + 43, + " - name: Bundle Setup\n" + ], + [ + 44, + " run: |\n" + ], + [ + 45, + " gem update --system 3.1.4 -N\n" + ], + [ + 46, + " gem install --no-document bundler\n" + ], + [ + 47, + " bundle config path ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 48, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 49, + " - name: Bundle Install\n" + ], + [ + 50, + " env:\n" + ], + [ + 51, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 52, + " run: |\n" + ], + [ + 53, + " bundle install --jobs 4 --retry 3\n" + ], + [ + 54, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 55, + "\n" + ], + [ + 56, + " - name: Precompile assets\n" + ], + [ + 57, + " env:\n" + ], + [ + 58, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 59, + " DISABLE_SSL: 1\n" + ], + [ + 60, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 61, + " RAILS_ENV: production\n" + ], + [ + 62, + " run: bundle exec rails assets:precompile\n" + ], + [ + 63, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 64, + "\n" + ], + [ + 65, + " - name: Set Credentials\n" + ], + [ + 66, + " run: |\n" + ], + [ + 67, + " mkdir -p $HOME/.gem\n" + ], + [ + 68, + " touch $HOME/.gem/credentials\n" + ], + [ + 69, + " chmod 0600 $HOME/.gem/credentials\n" + ], + [ + 70, + " printf -- \"---\\n:github: Bearer ${GITHUB_TOKEN}\\n:rubygems_api_key: ${RUBYGEMS_API_KEY}\\n\" > $HOME/.gem/credentials\n" + ], + [ + 71, + " env:\n" + ], + [ + 72, + " GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}\n" + ], + [ + 73, + " RUBYGEMS_API_KEY: ${{secrets.RUBYGEMS_API_KEY}}\n" + ], + [ + 74, + "\n" + ], + [ + 75, + " - name: Publish to GitHub Packages\n" + ], + [ + 76, + " run: |\n" + ], + [ + 77, + " export OWNER=$( echo ${{ github.repository }} | cut -d \"/\" -f 1 )\n" + ], + [ + 78, + " gem build station.gemspec\n" + ], + [ + 79, + " gem 
push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem\n" + ], + [ + 80, + " gem push *.gem\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 8, + 82 + ], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignSBOM", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-18.04", + "steps": [ + { + "uses": "actions/checkout@v2", + "__startline__": 12, + "__endline__": 14 + }, + { + "uses": "actions/setup-node@v1", + "with": { + "node-version": "12.x", + "__startline__": 16, + "__endline__": 17 + }, + "__startline__": 14, + "__endline__": 17 + }, + { + "name": "Find yarn cache location", + "id": "yarn-cache", + "run": "echo \"::set-output name=dir::$(yarn cache dir)\"", + "__startline__": 17, + "__endline__": 20 + }, + { + "name": "JS package cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.yarn-cache.outputs.dir }}", + "key": "${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}", + "restore-keys": "${{ runner.os }}-yarn-\n", + "__startline__": 23, + "__endline__": 27 + }, + "__startline__": 20, + "__endline__": 27 + }, + { + "name": "Install packages", + "run": 
"yarn install --pure-lockfile\n", + "__startline__": 27, + "__endline__": 30 + }, + { + "name": "Set up Ruby 3.0.0", + "uses": "ruby/setup-ruby@v1", + "with": { + "ruby-version": "3.0.0", + "__startline__": 33, + "__endline__": 34 + }, + "__startline__": 30, + "__endline__": 34 + }, + { + "name": "Ruby gem cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ github.workspace }}/vendor/bundle", + "key": "${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}", + "restore-keys": "${{ runner.os }}-gems-\n", + "__startline__": 37, + "__endline__": 41 + }, + "__startline__": 34, + "__endline__": 41 + }, + { + "name": "Install postgres headers", + "run": "sudo apt-get -yqq install libpq-dev", + "__startline__": 41, + "__endline__": 43 + }, + { + "name": "Bundle Setup", + "run": "gem update --system 3.1.4 -N\ngem install --no-document bundler\nbundle config path ${{ github.workspace }}/vendor/bundle\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 43, + "__endline__": 49 + }, + { + "name": "Bundle Install", + "env": { + "POSTGRES_USERNAME": "postgres", + "__startline__": 51, + "__endline__": 52 + }, + "run": "bundle install --jobs 4 --retry 3\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 49, + "__endline__": 56 + }, + { + "name": "Precompile assets", + "env": { + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "production", + "__startline__": 58, + "__endline__": 62 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 56, + "__endline__": 65 + }, + { + "name": "Set Credentials", + "run": "mkdir -p $HOME/.gem\ntouch $HOME/.gem/credentials\nchmod 0600 $HOME/.gem/credentials\nprintf -- \"---\\n:github: Bearer ${GITHUB_TOKEN}\\n:rubygems_api_key: ${RUBYGEMS_API_KEY}\\n\" > $HOME/.gem/credentials\n", + "env": { + "GITHUB_TOKEN": "${{secrets.GITHUB_TOKEN}}", + "RUBYGEMS_API_KEY": 
"${{secrets.RUBYGEMS_API_KEY}}", + "__startline__": 72, + "__endline__": 75 + }, + "__startline__": 65, + "__endline__": 75 + }, + { + "name": "Publish to GitHub Packages", + "run": "export OWNER=$( echo ${{ github.repository }} | cut -d \"/\" -f 1 )\ngem build station.gemspec\ngem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem\ngem push *.gem\n", + "__startline__": 75, + "__endline__": 81 + } + ], + "__startline__": 9, + "__endline__": 81 + } + }, + "code_block": [ + [ + 9, + " runs-on: ubuntu-18.04\n" + ], + [ + 10, + "\n" + ], + [ + 11, + " steps:\n" + ], + [ + 12, + " - uses: actions/checkout@v2\n" + ], + [ + 13, + "\n" + ], + [ + 14, + " - uses: actions/setup-node@v1\n" + ], + [ + 15, + " with:\n" + ], + [ + 16, + " node-version: \"12.x\"\n" + ], + [ + 17, + " - name: Find yarn cache location\n" + ], + [ + 18, + " id: yarn-cache\n" + ], + [ + 19, + " run: echo \"::set-output name=dir::$(yarn cache dir)\"\n" + ], + [ + 20, + " - name: JS package cache\n" + ], + [ + 21, + " uses: actions/cache@v2\n" + ], + [ + 22, + " with:\n" + ], + [ + 23, + " path: ${{ steps.yarn-cache.outputs.dir }}\n" + ], + [ + 24, + " key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}\n" + ], + [ + 25, + " restore-keys: |\n" + ], + [ + 26, + " ${{ runner.os }}-yarn-\n" + ], + [ + 27, + " - name: Install packages\n" + ], + [ + 28, + " run: |\n" + ], + [ + 29, + " yarn install --pure-lockfile\n" + ], + [ + 30, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 31, + " uses: ruby/setup-ruby@v1\n" + ], + [ + 32, + " with:\n" + ], + [ + 33, + " ruby-version: 3.0.0\n" + ], + [ + 34, + " - name: Ruby gem cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ], + [ + 36, + " with:\n" + ], + [ + 37, + " path: ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 38, + " key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}\n" + ], + [ + 39, + " restore-keys: |\n" + ], + [ + 40, + " ${{ runner.os }}-gems-\n" + ], + [ + 41, + " - name: Install postgres headers\n" 
+ ], + [ + 42, + " run: sudo apt-get -yqq install libpq-dev\n" + ], + [ + 43, + " - name: Bundle Setup\n" + ], + [ + 44, + " run: |\n" + ], + [ + 45, + " gem update --system 3.1.4 -N\n" + ], + [ + 46, + " gem install --no-document bundler\n" + ], + [ + 47, + " bundle config path ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 48, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 49, + " - name: Bundle Install\n" + ], + [ + 50, + " env:\n" + ], + [ + 51, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 52, + " run: |\n" + ], + [ + 53, + " bundle install --jobs 4 --retry 3\n" + ], + [ + 54, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 55, + "\n" + ], + [ + 56, + " - name: Precompile assets\n" + ], + [ + 57, + " env:\n" + ], + [ + 58, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 59, + " DISABLE_SSL: 1\n" + ], + [ + 60, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 61, + " RAILS_ENV: production\n" + ], + [ + 62, + " run: bundle exec rails assets:precompile\n" + ], + [ + 63, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 64, + "\n" + ], + [ + 65, + " - name: Set Credentials\n" + ], + [ + 66, + " run: |\n" + ], + [ + 67, + " mkdir -p $HOME/.gem\n" + ], + [ + 68, + " touch $HOME/.gem/credentials\n" + ], + [ + 69, + " chmod 0600 $HOME/.gem/credentials\n" + ], + [ + 70, + " printf -- \"---\\n:github: Bearer ${GITHUB_TOKEN}\\n:rubygems_api_key: ${RUBYGEMS_API_KEY}\\n\" > $HOME/.gem/credentials\n" + ], + [ + 71, + " env:\n" + ], + [ + 72, + " GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}\n" + ], + [ + 73, + " RUBYGEMS_API_KEY: ${{secrets.RUBYGEMS_API_KEY}}\n" + ], + [ + 74, + "\n" + ], + [ + 75, + " - name: Publish to GitHub Packages\n" + ], + [ + 76, + " run: |\n" + ], + [ + 77, + " export OWNER=$( echo ${{ github.repository }} | cut -d \"/\" -f 1 )\n" + ], + [ + 78, + " gem build station.gemspec\n" + ], + [ + 79, + " gem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem\n" + ], + [ + 80, + " gem push *.gem\n" + ] + ], + 
"file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 9, + 82 + ], + "resource": "jobs(build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-18.04", + "steps": [ + { + "uses": "actions/checkout@v2", + "__startline__": 12, + "__endline__": 14 + }, + { + "uses": "actions/setup-node@v1", + "with": { + "node-version": "12.x", + "__startline__": 16, + "__endline__": 17 + }, + "__startline__": 14, + "__endline__": 17 + }, + { + "name": "Find yarn cache location", + "id": "yarn-cache", + "run": "echo \"::set-output name=dir::$(yarn cache dir)\"", + "__startline__": 17, + "__endline__": 20 + }, + { + "name": "JS package cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.yarn-cache.outputs.dir }}", + "key": "${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}", + "restore-keys": "${{ runner.os }}-yarn-\n", + "__startline__": 23, + "__endline__": 27 + }, + "__startline__": 20, + "__endline__": 27 + }, + { + "name": "Install packages", + "run": "yarn install --pure-lockfile\n", + "__startline__": 27, + "__endline__": 30 + }, + { + 
"name": "Set up Ruby 3.0.0", + "uses": "ruby/setup-ruby@v1", + "with": { + "ruby-version": "3.0.0", + "__startline__": 33, + "__endline__": 34 + }, + "__startline__": 30, + "__endline__": 34 + }, + { + "name": "Ruby gem cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ github.workspace }}/vendor/bundle", + "key": "${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}", + "restore-keys": "${{ runner.os }}-gems-\n", + "__startline__": 37, + "__endline__": 41 + }, + "__startline__": 34, + "__endline__": 41 + }, + { + "name": "Install postgres headers", + "run": "sudo apt-get -yqq install libpq-dev", + "__startline__": 41, + "__endline__": 43 + }, + { + "name": "Bundle Setup", + "run": "gem update --system 3.1.4 -N\ngem install --no-document bundler\nbundle config path ${{ github.workspace }}/vendor/bundle\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 43, + "__endline__": 49 + }, + { + "name": "Bundle Install", + "env": { + "POSTGRES_USERNAME": "postgres", + "__startline__": 51, + "__endline__": 52 + }, + "run": "bundle install --jobs 4 --retry 3\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 49, + "__endline__": 56 + }, + { + "name": "Precompile assets", + "env": { + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "production", + "__startline__": 58, + "__endline__": 62 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 56, + "__endline__": 65 + }, + { + "name": "Set Credentials", + "run": "mkdir -p $HOME/.gem\ntouch $HOME/.gem/credentials\nchmod 0600 $HOME/.gem/credentials\nprintf -- \"---\\n:github: Bearer ${GITHUB_TOKEN}\\n:rubygems_api_key: ${RUBYGEMS_API_KEY}\\n\" > $HOME/.gem/credentials\n", + "env": { + "GITHUB_TOKEN": "${{secrets.GITHUB_TOKEN}}", + "RUBYGEMS_API_KEY": "${{secrets.RUBYGEMS_API_KEY}}", + "__startline__": 72, + "__endline__": 75 + }, + "__startline__": 65, + 
"__endline__": 75 + }, + { + "name": "Publish to GitHub Packages", + "run": "export OWNER=$( echo ${{ github.repository }} | cut -d \"/\" -f 1 )\ngem build station.gemspec\ngem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem\ngem push *.gem\n", + "__startline__": 75, + "__endline__": 81 + } + ], + "__startline__": 9, + "__endline__": 81 + } + }, + "code_block": [ + [ + 9, + " runs-on: ubuntu-18.04\n" + ], + [ + 10, + "\n" + ], + [ + 11, + " steps:\n" + ], + [ + 12, + " - uses: actions/checkout@v2\n" + ], + [ + 13, + "\n" + ], + [ + 14, + " - uses: actions/setup-node@v1\n" + ], + [ + 15, + " with:\n" + ], + [ + 16, + " node-version: \"12.x\"\n" + ], + [ + 17, + " - name: Find yarn cache location\n" + ], + [ + 18, + " id: yarn-cache\n" + ], + [ + 19, + " run: echo \"::set-output name=dir::$(yarn cache dir)\"\n" + ], + [ + 20, + " - name: JS package cache\n" + ], + [ + 21, + " uses: actions/cache@v2\n" + ], + [ + 22, + " with:\n" + ], + [ + 23, + " path: ${{ steps.yarn-cache.outputs.dir }}\n" + ], + [ + 24, + " key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}\n" + ], + [ + 25, + " restore-keys: |\n" + ], + [ + 26, + " ${{ runner.os }}-yarn-\n" + ], + [ + 27, + " - name: Install packages\n" + ], + [ + 28, + " run: |\n" + ], + [ + 29, + " yarn install --pure-lockfile\n" + ], + [ + 30, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 31, + " uses: ruby/setup-ruby@v1\n" + ], + [ + 32, + " with:\n" + ], + [ + 33, + " ruby-version: 3.0.0\n" + ], + [ + 34, + " - name: Ruby gem cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ], + [ + 36, + " with:\n" + ], + [ + 37, + " path: ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 38, + " key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}\n" + ], + [ + 39, + " restore-keys: |\n" + ], + [ + 40, + " ${{ runner.os }}-gems-\n" + ], + [ + 41, + " - name: Install postgres headers\n" + ], + [ + 42, + " run: sudo apt-get -yqq install libpq-dev\n" + ], + [ + 43, + " - name: Bundle Setup\n" 
+ ], + [ + 44, + " run: |\n" + ], + [ + 45, + " gem update --system 3.1.4 -N\n" + ], + [ + 46, + " gem install --no-document bundler\n" + ], + [ + 47, + " bundle config path ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 48, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 49, + " - name: Bundle Install\n" + ], + [ + 50, + " env:\n" + ], + [ + 51, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 52, + " run: |\n" + ], + [ + 53, + " bundle install --jobs 4 --retry 3\n" + ], + [ + 54, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 55, + "\n" + ], + [ + 56, + " - name: Precompile assets\n" + ], + [ + 57, + " env:\n" + ], + [ + 58, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 59, + " DISABLE_SSL: 1\n" + ], + [ + 60, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 61, + " RAILS_ENV: production\n" + ], + [ + 62, + " run: bundle exec rails assets:precompile\n" + ], + [ + 63, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 64, + "\n" + ], + [ + 65, + " - name: Set Credentials\n" + ], + [ + 66, + " run: |\n" + ], + [ + 67, + " mkdir -p $HOME/.gem\n" + ], + [ + 68, + " touch $HOME/.gem/credentials\n" + ], + [ + 69, + " chmod 0600 $HOME/.gem/credentials\n" + ], + [ + 70, + " printf -- \"---\\n:github: Bearer ${GITHUB_TOKEN}\\n:rubygems_api_key: ${RUBYGEMS_API_KEY}\\n\" > $HOME/.gem/credentials\n" + ], + [ + 71, + " env:\n" + ], + [ + 72, + " GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}\n" + ], + [ + 73, + " RUBYGEMS_API_KEY: ${{secrets.RUBYGEMS_API_KEY}}\n" + ], + [ + 74, + "\n" + ], + [ + 75, + " - name: Publish to GitHub Packages\n" + ], + [ + 76, + " run: |\n" + ], + [ + 77, + " export OWNER=$( echo ${{ github.repository }} | cut -d \"/\" -f 1 )\n" + ], + [ + 78, + " gem build station.gemspec\n" + ], + [ + 79, + " gem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem\n" + ], + [ + 80, + " gem push *.gem\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": 
"/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 9, + 82 + ], + "resource": "jobs(build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-18.04", + "steps": [ + { + "uses": "actions/checkout@v2", + "__startline__": 12, + "__endline__": 14 + }, + { + "uses": "actions/setup-node@v1", + "with": { + "node-version": "12.x", + "__startline__": 16, + "__endline__": 17 + }, + "__startline__": 14, + "__endline__": 17 + }, + { + "name": "Find yarn cache location", + "id": "yarn-cache", + "run": "echo \"::set-output name=dir::$(yarn cache dir)\"", + "__startline__": 17, + "__endline__": 20 + }, + { + "name": "JS package cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.yarn-cache.outputs.dir }}", + "key": "${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}", + "restore-keys": "${{ runner.os }}-yarn-\n", + "__startline__": 23, + "__endline__": 27 + }, + "__startline__": 20, + "__endline__": 27 + }, + { + "name": "Install packages", + "run": "yarn install --pure-lockfile\n", + "__startline__": 27, + "__endline__": 30 + }, + { + "name": "Set up Ruby 3.0.0", + "uses": "ruby/setup-ruby@v1", + "with": { + "ruby-version": 
"3.0.0", + "__startline__": 33, + "__endline__": 34 + }, + "__startline__": 30, + "__endline__": 34 + }, + { + "name": "Ruby gem cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ github.workspace }}/vendor/bundle", + "key": "${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}", + "restore-keys": "${{ runner.os }}-gems-\n", + "__startline__": 37, + "__endline__": 41 + }, + "__startline__": 34, + "__endline__": 41 + }, + { + "name": "Install postgres headers", + "run": "sudo apt-get -yqq install libpq-dev", + "__startline__": 41, + "__endline__": 43 + }, + { + "name": "Bundle Setup", + "run": "gem update --system 3.1.4 -N\ngem install --no-document bundler\nbundle config path ${{ github.workspace }}/vendor/bundle\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 43, + "__endline__": 49 + }, + { + "name": "Bundle Install", + "env": { + "POSTGRES_USERNAME": "postgres", + "__startline__": 51, + "__endline__": 52 + }, + "run": "bundle install --jobs 4 --retry 3\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 49, + "__endline__": 56 + }, + { + "name": "Precompile assets", + "env": { + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "production", + "__startline__": 58, + "__endline__": 62 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 56, + "__endline__": 65 + }, + { + "name": "Set Credentials", + "run": "mkdir -p $HOME/.gem\ntouch $HOME/.gem/credentials\nchmod 0600 $HOME/.gem/credentials\nprintf -- \"---\\n:github: Bearer ${GITHUB_TOKEN}\\n:rubygems_api_key: ${RUBYGEMS_API_KEY}\\n\" > $HOME/.gem/credentials\n", + "env": { + "GITHUB_TOKEN": "${{secrets.GITHUB_TOKEN}}", + "RUBYGEMS_API_KEY": "${{secrets.RUBYGEMS_API_KEY}}", + "__startline__": 72, + "__endline__": 75 + }, + "__startline__": 65, + "__endline__": 75 + }, + { + "name": "Publish to GitHub Packages", + "run": "export OWNER=$( echo 
${{ github.repository }} | cut -d \"/\" -f 1 )\ngem build station.gemspec\ngem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem\ngem push *.gem\n", + "__startline__": 75, + "__endline__": 81 + } + ], + "__startline__": 9, + "__endline__": 81 + } + }, + "code_block": [ + [ + 9, + " runs-on: ubuntu-18.04\n" + ], + [ + 10, + "\n" + ], + [ + 11, + " steps:\n" + ], + [ + 12, + " - uses: actions/checkout@v2\n" + ], + [ + 13, + "\n" + ], + [ + 14, + " - uses: actions/setup-node@v1\n" + ], + [ + 15, + " with:\n" + ], + [ + 16, + " node-version: \"12.x\"\n" + ], + [ + 17, + " - name: Find yarn cache location\n" + ], + [ + 18, + " id: yarn-cache\n" + ], + [ + 19, + " run: echo \"::set-output name=dir::$(yarn cache dir)\"\n" + ], + [ + 20, + " - name: JS package cache\n" + ], + [ + 21, + " uses: actions/cache@v2\n" + ], + [ + 22, + " with:\n" + ], + [ + 23, + " path: ${{ steps.yarn-cache.outputs.dir }}\n" + ], + [ + 24, + " key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}\n" + ], + [ + 25, + " restore-keys: |\n" + ], + [ + 26, + " ${{ runner.os }}-yarn-\n" + ], + [ + 27, + " - name: Install packages\n" + ], + [ + 28, + " run: |\n" + ], + [ + 29, + " yarn install --pure-lockfile\n" + ], + [ + 30, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 31, + " uses: ruby/setup-ruby@v1\n" + ], + [ + 32, + " with:\n" + ], + [ + 33, + " ruby-version: 3.0.0\n" + ], + [ + 34, + " - name: Ruby gem cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ], + [ + 36, + " with:\n" + ], + [ + 37, + " path: ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 38, + " key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}\n" + ], + [ + 39, + " restore-keys: |\n" + ], + [ + 40, + " ${{ runner.os }}-gems-\n" + ], + [ + 41, + " - name: Install postgres headers\n" + ], + [ + 42, + " run: sudo apt-get -yqq install libpq-dev\n" + ], + [ + 43, + " - name: Bundle Setup\n" + ], + [ + 44, + " run: |\n" + ], + [ + 45, + " gem update --system 3.1.4 -N\n" + ], + [ + 46, + " 
gem install --no-document bundler\n" + ], + [ + 47, + " bundle config path ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 48, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 49, + " - name: Bundle Install\n" + ], + [ + 50, + " env:\n" + ], + [ + 51, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 52, + " run: |\n" + ], + [ + 53, + " bundle install --jobs 4 --retry 3\n" + ], + [ + 54, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 55, + "\n" + ], + [ + 56, + " - name: Precompile assets\n" + ], + [ + 57, + " env:\n" + ], + [ + 58, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 59, + " DISABLE_SSL: 1\n" + ], + [ + 60, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 61, + " RAILS_ENV: production\n" + ], + [ + 62, + " run: bundle exec rails assets:precompile\n" + ], + [ + 63, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 64, + "\n" + ], + [ + 65, + " - name: Set Credentials\n" + ], + [ + 66, + " run: |\n" + ], + [ + 67, + " mkdir -p $HOME/.gem\n" + ], + [ + 68, + " touch $HOME/.gem/credentials\n" + ], + [ + 69, + " chmod 0600 $HOME/.gem/credentials\n" + ], + [ + 70, + " printf -- \"---\\n:github: Bearer ${GITHUB_TOKEN}\\n:rubygems_api_key: ${RUBYGEMS_API_KEY}\\n\" > $HOME/.gem/credentials\n" + ], + [ + 71, + " env:\n" + ], + [ + 72, + " GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}\n" + ], + [ + 73, + " RUBYGEMS_API_KEY: ${{secrets.RUBYGEMS_API_KEY}}\n" + ], + [ + 74, + "\n" + ], + [ + 75, + " - name: Publish to GitHub Packages\n" + ], + [ + 76, + " run: |\n" + ], + [ + 77, + " export OWNER=$( echo ${{ github.repository }} | cut -d \"/\" -f 1 )\n" + ], + [ + 78, + " gem build station.gemspec\n" + ], + [ + 79, + " gem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem\n" + ], + [ + 80, + " gem push *.gem\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 9, + 82 + ], 
+ "resource": "jobs(build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_7", + "bc_check_id": null, + "check_name": "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. ", + "check_result": { + "result": "PASSED", + "results_configuration": { + "push": { + "tags": [ + "v*" + ], + "__startline__": 5, + "__endline__": 7 + }, + "__startline__": 4, + "__endline__": 7 + } + }, + "code_block": [ + [ + 4, + " push:\n" + ], + [ + 5, + " tags:\n" + ], + [ + 6, + " - \"v*\"\n" + ], + [ + 7, + "jobs:\n" + ], + [ + 8, + " build:\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 4, + 8 + ], + "resource": "on(Publish Gem)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.EmptyWorkflowDispatch", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + 
"definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/checkout@v2", + "__startline__": 12, + "__endline__": 14 + } + }, + "code_block": [ + [ + 12, + " - uses: actions/checkout@v2\n" + ], + [ + 13, + "\n" + ], + [ + 14, + " - uses: actions/setup-node@v1\n" + ], + [ + 15, + " with:\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 12, + 15 + ], + "resource": "jobs(build).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/setup-node@v1", + "with": { + "node-version": "12.x", + "__startline__": 16, + "__endline__": 17 + }, + "__startline__": 14, + "__endline__": 17 + } + }, + "code_block": [ + [ + 14, + " - uses: actions/setup-node@v1\n" + ], + [ + 15, + " with:\n" + ], + [ + 16, + " 
node-version: \"12.x\"\n" + ], + [ + 17, + " - name: Find yarn cache location\n" + ], + [ + 18, + " id: yarn-cache\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 14, + 18 + ], + "resource": "jobs(build).steps[2]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Find yarn cache location", + "id": "yarn-cache", + "run": "echo \"::set-output name=dir::$(yarn cache dir)\"", + "__startline__": 17, + "__endline__": 20 + } + }, + "code_block": [ + [ + 17, + " - name: Find yarn cache location\n" + ], + [ + 18, + " id: yarn-cache\n" + ], + [ + 19, + " run: echo \"::set-output name=dir::$(yarn cache dir)\"\n" + ], + [ + 20, + " - name: JS package cache\n" + ], + [ + 21, + " uses: actions/cache@v2\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 17, + 21 + ], + "resource": "jobs(build).steps[3](Find yarn cache location)", + "evaluations": null, + "check_class": 
"checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "JS package cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.yarn-cache.outputs.dir }}", + "key": "${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}", + "restore-keys": "${{ runner.os }}-yarn-\n", + "__startline__": 23, + "__endline__": 27 + }, + "__startline__": 20, + "__endline__": 27 + } + }, + "code_block": [ + [ + 20, + " - name: JS package cache\n" + ], + [ + 21, + " uses: actions/cache@v2\n" + ], + [ + 22, + " with:\n" + ], + [ + 23, + " path: ${{ steps.yarn-cache.outputs.dir }}\n" + ], + [ + 24, + " key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}\n" + ], + [ + 25, + " restore-keys: |\n" + ], + [ + 26, + " ${{ runner.os }}-yarn-\n" + ], + [ + 27, + " - name: Install packages\n" + ], + [ + 28, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 20, + 28 + ], + "resource": "jobs(build).steps[4](JS package cache)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + 
"entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install packages", + "run": "yarn install --pure-lockfile\n", + "__startline__": 27, + "__endline__": 30 + } + }, + "code_block": [ + [ + 27, + " - name: Install packages\n" + ], + [ + 28, + " run: |\n" + ], + [ + 29, + " yarn install --pure-lockfile\n" + ], + [ + 30, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 31, + " uses: ruby/setup-ruby@v1\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 27, + 31 + ], + "resource": "jobs(build).steps[5](Install packages)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_1", 
+ "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Set up Ruby 3.0.0", + "uses": "ruby/setup-ruby@v1", + "with": { + "ruby-version": "3.0.0", + "__startline__": 33, + "__endline__": 34 + }, + "__startline__": 30, + "__endline__": 34 + } + }, + "code_block": [ + [ + 30, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 31, + " uses: ruby/setup-ruby@v1\n" + ], + [ + 32, + " with:\n" + ], + [ + 33, + " ruby-version: 3.0.0\n" + ], + [ + 34, + " - name: Ruby gem cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 30, + 35 + ], + "resource": "jobs(build).steps[6](Set up Ruby 3.0.0)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Ruby gem cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ github.workspace }}/vendor/bundle", + "key": "${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}", + "restore-keys": "${{ 
runner.os }}-gems-\n", + "__startline__": 37, + "__endline__": 41 + }, + "__startline__": 34, + "__endline__": 41 + } + }, + "code_block": [ + [ + 34, + " - name: Ruby gem cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ], + [ + 36, + " with:\n" + ], + [ + 37, + " path: ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 38, + " key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}\n" + ], + [ + 39, + " restore-keys: |\n" + ], + [ + 40, + " ${{ runner.os }}-gems-\n" + ], + [ + 41, + " - name: Install postgres headers\n" + ], + [ + 42, + " run: sudo apt-get -yqq install libpq-dev\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 34, + 42 + ], + "resource": "jobs(build).steps[7](Ruby gem cache)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install postgres headers", + "run": "sudo apt-get -yqq install libpq-dev", + "__startline__": 41, + "__endline__": 43 + } + }, + "code_block": [ + [ + 41, + " - name: Install postgres headers\n" + ], + [ + 42, + " run: sudo apt-get -yqq install libpq-dev\n" + ], + 
[ + 43, + " - name: Bundle Setup\n" + ], + [ + 44, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 41, + 44 + ], + "resource": "jobs(build).steps[8](Install postgres headers)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Bundle Setup", + "run": "gem update --system 3.1.4 -N\ngem install --no-document bundler\nbundle config path ${{ github.workspace }}/vendor/bundle\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 43, + "__endline__": 49 + } + }, + "code_block": [ + [ + 43, + " - name: Bundle Setup\n" + ], + [ + 44, + " run: |\n" + ], + [ + 45, + " gem update --system 3.1.4 -N\n" + ], + [ + 46, + " gem install --no-document bundler\n" + ], + [ + 47, + " bundle config path ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 48, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 49, + " - name: Bundle Install\n" + ], + [ + 50, + " env:\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + 
"repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 43, + 50 + ], + "resource": "jobs(build).steps[9](Bundle Setup)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Bundle Install", + "env": { + "POSTGRES_USERNAME": "postgres", + "__startline__": 51, + "__endline__": 52 + }, + "run": "bundle install --jobs 4 --retry 3\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 49, + "__endline__": 56 + } + }, + "code_block": [ + [ + 49, + " - name: Bundle Install\n" + ], + [ + 50, + " env:\n" + ], + [ + 51, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 52, + " run: |\n" + ], + [ + 53, + " bundle install --jobs 4 --retry 3\n" + ], + [ + 54, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 55, + "\n" + ], + [ + 56, + " - name: Precompile assets\n" + ], + [ + 57, + " env:\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 49, + 57 + ], + "resource": "jobs(build).steps[10](Bundle Install)", + "evaluations": null, + "check_class": 
"checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Precompile assets", + "env": { + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "production", + "__startline__": 58, + "__endline__": 62 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 56, + "__endline__": 65 + } + }, + "code_block": [ + [ + 56, + " - name: Precompile assets\n" + ], + [ + 57, + " env:\n" + ], + [ + 58, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 59, + " DISABLE_SSL: 1\n" + ], + [ + 60, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 61, + " RAILS_ENV: production\n" + ], + [ + 62, + " run: bundle exec rails assets:precompile\n" + ], + [ + 63, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 64, + "\n" + ], + [ + 65, + " - name: Set Credentials\n" + ], + [ + 66, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 56, + 66 + ], + "resource": "jobs(build).steps[11](Precompile assets)", + "evaluations": null, + "check_class": 
"checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Set Credentials", + "run": "mkdir -p $HOME/.gem\ntouch $HOME/.gem/credentials\nchmod 0600 $HOME/.gem/credentials\nprintf -- \"---\\n:github: Bearer ${GITHUB_TOKEN}\\n:rubygems_api_key: ${RUBYGEMS_API_KEY}\\n\" > $HOME/.gem/credentials\n", + "env": { + "GITHUB_TOKEN": "${{secrets.GITHUB_TOKEN}}", + "RUBYGEMS_API_KEY": "${{secrets.RUBYGEMS_API_KEY}}", + "__startline__": 72, + "__endline__": 75 + }, + "__startline__": 65, + "__endline__": 75 + } + }, + "code_block": [ + [ + 65, + " - name: Set Credentials\n" + ], + [ + 66, + " run: |\n" + ], + [ + 67, + " mkdir -p $HOME/.gem\n" + ], + [ + 68, + " touch $HOME/.gem/credentials\n" + ], + [ + 69, + " chmod 0600 $HOME/.gem/credentials\n" + ], + [ + 70, + " printf -- \"---\\n:github: Bearer ${GITHUB_TOKEN}\\n:rubygems_api_key: ${RUBYGEMS_API_KEY}\\n\" > $HOME/.gem/credentials\n" + ], + [ + 71, + " env:\n" + ], + [ + 72, + " GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}\n" + ], + [ + 73, + " RUBYGEMS_API_KEY: ${{secrets.RUBYGEMS_API_KEY}}\n" + ], + [ + 74, + "\n" + ], + [ + 75, + " - name: Publish to GitHub Packages\n" + ], + [ + 76, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": 
"/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 65, + 76 + ], + "resource": "jobs(build).steps[12](Set Credentials)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Publish to GitHub Packages", + "run": "export OWNER=$( echo ${{ github.repository }} | cut -d \"/\" -f 1 )\ngem build station.gemspec\ngem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem\ngem push *.gem\n", + "__startline__": 75, + "__endline__": 81 + } + }, + "code_block": [ + [ + 75, + " - name: Publish to GitHub Packages\n" + ], + [ + 76, + " run: |\n" + ], + [ + 77, + " export OWNER=$( echo ${{ github.repository }} | cut -d \"/\" -f 1 )\n" + ], + [ + 78, + " gem build station.gemspec\n" + ], + [ + 79, + " gem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem\n" + ], + [ + 80, + " gem push *.gem\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 75, + 82 + ], + "resource": "jobs(build).steps[13](Publish to GitHub Packages)", 
+ "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/checkout@v2", + "__startline__": 12, + "__endline__": 14 + } + }, + "code_block": [ + [ + 12, + " - uses: actions/checkout@v2\n" + ], + [ + 13, + "\n" + ], + [ + 14, + " - uses: actions/setup-node@v1\n" + ], + [ + 15, + " with:\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 12, + 15 + ], + "resource": "jobs(build).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + 
"check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/setup-node@v1", + "with": { + "node-version": "12.x", + "__startline__": 16, + "__endline__": 17 + }, + "__startline__": 14, + "__endline__": 17 + } + }, + "code_block": [ + [ + 14, + " - uses: actions/setup-node@v1\n" + ], + [ + 15, + " with:\n" + ], + [ + 16, + " node-version: \"12.x\"\n" + ], + [ + 17, + " - name: Find yarn cache location\n" + ], + [ + 18, + " id: yarn-cache\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 14, + 18 + ], + "resource": "jobs(build).steps[2]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Find yarn cache location", + "id": "yarn-cache", + "run": "echo \"::set-output name=dir::$(yarn cache dir)\"", + "__startline__": 17, + "__endline__": 20 + } + }, + "code_block": [ + [ + 17, + " - name: Find yarn cache location\n" + ], + [ + 18, + " id: yarn-cache\n" + ], + [ + 19, + " run: echo \"::set-output name=dir::$(yarn cache dir)\"\n" + ], + [ + 20, + " - name: JS package cache\n" + ], 
+ [ + 21, + " uses: actions/cache@v2\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 17, + 21 + ], + "resource": "jobs(build).steps[3](Find yarn cache location)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "JS package cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.yarn-cache.outputs.dir }}", + "key": "${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}", + "restore-keys": "${{ runner.os }}-yarn-\n", + "__startline__": 23, + "__endline__": 27 + }, + "__startline__": 20, + "__endline__": 27 + } + }, + "code_block": [ + [ + 20, + " - name: JS package cache\n" + ], + [ + 21, + " uses: actions/cache@v2\n" + ], + [ + 22, + " with:\n" + ], + [ + 23, + " path: ${{ steps.yarn-cache.outputs.dir }}\n" + ], + [ + 24, + " key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}\n" + ], + [ + 25, + " restore-keys: |\n" + ], + [ + 26, + " ${{ runner.os }}-yarn-\n" + ], + [ + 27, + " - name: Install packages\n" + ], + [ + 28, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": 
"/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 20, + 28 + ], + "resource": "jobs(build).steps[4](JS package cache)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install packages", + "run": "yarn install --pure-lockfile\n", + "__startline__": 27, + "__endline__": 30 + } + }, + "code_block": [ + [ + 27, + " - name: Install packages\n" + ], + [ + 28, + " run: |\n" + ], + [ + 29, + " yarn install --pure-lockfile\n" + ], + [ + 30, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 31, + " uses: ruby/setup-ruby@v1\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 27, + 31 + ], + "resource": "jobs(build).steps[5](Install packages)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + 
"vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Set up Ruby 3.0.0", + "uses": "ruby/setup-ruby@v1", + "with": { + "ruby-version": "3.0.0", + "__startline__": 33, + "__endline__": 34 + }, + "__startline__": 30, + "__endline__": 34 + } + }, + "code_block": [ + [ + 30, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 31, + " uses: ruby/setup-ruby@v1\n" + ], + [ + 32, + " with:\n" + ], + [ + 33, + " ruby-version: 3.0.0\n" + ], + [ + 34, + " - name: Ruby gem cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 30, + 35 + ], + "resource": "jobs(build).steps[6](Set up Ruby 3.0.0)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + 
"name": "Ruby gem cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ github.workspace }}/vendor/bundle", + "key": "${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}", + "restore-keys": "${{ runner.os }}-gems-\n", + "__startline__": 37, + "__endline__": 41 + }, + "__startline__": 34, + "__endline__": 41 + } + }, + "code_block": [ + [ + 34, + " - name: Ruby gem cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ], + [ + 36, + " with:\n" + ], + [ + 37, + " path: ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 38, + " key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}\n" + ], + [ + 39, + " restore-keys: |\n" + ], + [ + 40, + " ${{ runner.os }}-gems-\n" + ], + [ + 41, + " - name: Install postgres headers\n" + ], + [ + 42, + " run: sudo apt-get -yqq install libpq-dev\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 34, + 42 + ], + "resource": "jobs(build).steps[7](Ruby gem cache)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install postgres headers", + "run": "sudo apt-get -yqq install libpq-dev", + "__startline__": 
41, + "__endline__": 43 + } + }, + "code_block": [ + [ + 41, + " - name: Install postgres headers\n" + ], + [ + 42, + " run: sudo apt-get -yqq install libpq-dev\n" + ], + [ + 43, + " - name: Bundle Setup\n" + ], + [ + 44, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 41, + 44 + ], + "resource": "jobs(build).steps[8](Install postgres headers)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Bundle Setup", + "run": "gem update --system 3.1.4 -N\ngem install --no-document bundler\nbundle config path ${{ github.workspace }}/vendor/bundle\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 43, + "__endline__": 49 + } + }, + "code_block": [ + [ + 43, + " - name: Bundle Setup\n" + ], + [ + 44, + " run: |\n" + ], + [ + 45, + " gem update --system 3.1.4 -N\n" + ], + [ + 46, + " gem install --no-document bundler\n" + ], + [ + 47, + " bundle config path ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 48, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 49, + " - name: Bundle Install\n" + ], + [ + 50, + " env:\n" + ] + ], 
+ "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 43, + 50 + ], + "resource": "jobs(build).steps[9](Bundle Setup)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Bundle Install", + "env": { + "POSTGRES_USERNAME": "postgres", + "__startline__": 51, + "__endline__": 52 + }, + "run": "bundle install --jobs 4 --retry 3\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 49, + "__endline__": 56 + } + }, + "code_block": [ + [ + 49, + " - name: Bundle Install\n" + ], + [ + 50, + " env:\n" + ], + [ + 51, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 52, + " run: |\n" + ], + [ + 53, + " bundle install --jobs 4 --retry 3\n" + ], + [ + 54, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 55, + "\n" + ], + [ + 56, + " - name: Precompile assets\n" + ], + [ + 57, + " env:\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 49, + 57 + ], + "resource": "jobs(build).steps[10](Bundle Install)", + 
"evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Precompile assets", + "env": { + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "production", + "__startline__": 58, + "__endline__": 62 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 56, + "__endline__": 65 + } + }, + "code_block": [ + [ + 56, + " - name: Precompile assets\n" + ], + [ + 57, + " env:\n" + ], + [ + 58, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 59, + " DISABLE_SSL: 1\n" + ], + [ + 60, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 61, + " RAILS_ENV: production\n" + ], + [ + 62, + " run: bundle exec rails assets:precompile\n" + ], + [ + 63, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 64, + "\n" + ], + [ + 65, + " - name: Set Credentials\n" + ], + [ + 66, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 56, + 66 + ], + "resource": "jobs(build).steps[11](Precompile assets)", + "evaluations": null, + "check_class": 
"checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Set Credentials", + "run": "mkdir -p $HOME/.gem\ntouch $HOME/.gem/credentials\nchmod 0600 $HOME/.gem/credentials\nprintf -- \"---\\n:github: Bearer ${GITHUB_TOKEN}\\n:rubygems_api_key: ${RUBYGEMS_API_KEY}\\n\" > $HOME/.gem/credentials\n", + "env": { + "GITHUB_TOKEN": "${{secrets.GITHUB_TOKEN}}", + "RUBYGEMS_API_KEY": "${{secrets.RUBYGEMS_API_KEY}}", + "__startline__": 72, + "__endline__": 75 + }, + "__startline__": 65, + "__endline__": 75 + } + }, + "code_block": [ + [ + 65, + " - name: Set Credentials\n" + ], + [ + 66, + " run: |\n" + ], + [ + 67, + " mkdir -p $HOME/.gem\n" + ], + [ + 68, + " touch $HOME/.gem/credentials\n" + ], + [ + 69, + " chmod 0600 $HOME/.gem/credentials\n" + ], + [ + 70, + " printf -- \"---\\n:github: Bearer ${GITHUB_TOKEN}\\n:rubygems_api_key: ${RUBYGEMS_API_KEY}\\n\" > $HOME/.gem/credentials\n" + ], + [ + 71, + " env:\n" + ], + [ + 72, + " GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}\n" + ], + [ + 73, + " RUBYGEMS_API_KEY: ${{secrets.RUBYGEMS_API_KEY}}\n" + ], + [ + 74, + "\n" + ], + [ + 75, + " - name: Publish to GitHub Packages\n" + ], + [ + 76, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", 
+ "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 65, + 76 + ], + "resource": "jobs(build).steps[12](Set Credentials)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Publish to GitHub Packages", + "run": "export OWNER=$( echo ${{ github.repository }} | cut -d \"/\" -f 1 )\ngem build station.gemspec\ngem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem\ngem push *.gem\n", + "__startline__": 75, + "__endline__": 81 + } + }, + "code_block": [ + [ + 75, + " - name: Publish to GitHub Packages\n" + ], + [ + 76, + " run: |\n" + ], + [ + 77, + " export OWNER=$( echo ${{ github.repository }} | cut -d \"/\" -f 1 )\n" + ], + [ + 78, + " gem build station.gemspec\n" + ], + [ + 79, + " gem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem\n" + ], + [ + 80, + " gem push *.gem\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 75, + 82 + ], + "resource": "jobs(build).steps[13](Publish to GitHub Packages)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", 
+ "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/checkout@v2", + "__startline__": 12, + "__endline__": 14 + } + }, + "code_block": [ + [ + 12, + " - uses: actions/checkout@v2\n" + ], + [ + 13, + "\n" + ], + [ + 14, + " - uses: actions/setup-node@v1\n" + ], + [ + 15, + " with:\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 12, + 15 + ], + "resource": "jobs(build).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + 
"result": "PASSED", + "results_configuration": { + "uses": "actions/setup-node@v1", + "with": { + "node-version": "12.x", + "__startline__": 16, + "__endline__": 17 + }, + "__startline__": 14, + "__endline__": 17 + } + }, + "code_block": [ + [ + 14, + " - uses: actions/setup-node@v1\n" + ], + [ + 15, + " with:\n" + ], + [ + 16, + " node-version: \"12.x\"\n" + ], + [ + 17, + " - name: Find yarn cache location\n" + ], + [ + 18, + " id: yarn-cache\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 14, + 18 + ], + "resource": "jobs(build).steps[2]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Find yarn cache location", + "id": "yarn-cache", + "run": "echo \"::set-output name=dir::$(yarn cache dir)\"", + "__startline__": 17, + "__endline__": 20 + } + }, + "code_block": [ + [ + 17, + " - name: Find yarn cache location\n" + ], + [ + 18, + " id: yarn-cache\n" + ], + [ + 19, + " run: echo \"::set-output name=dir::$(yarn cache dir)\"\n" + ], + [ + 20, + " - name: JS package cache\n" + ], + [ + 21, + " uses: actions/cache@v2\n" + ] + ], + "file_path": 
"/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 17, + 21 + ], + "resource": "jobs(build).steps[3](Find yarn cache location)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "JS package cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.yarn-cache.outputs.dir }}", + "key": "${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}", + "restore-keys": "${{ runner.os }}-yarn-\n", + "__startline__": 23, + "__endline__": 27 + }, + "__startline__": 20, + "__endline__": 27 + } + }, + "code_block": [ + [ + 20, + " - name: JS package cache\n" + ], + [ + 21, + " uses: actions/cache@v2\n" + ], + [ + 22, + " with:\n" + ], + [ + 23, + " path: ${{ steps.yarn-cache.outputs.dir }}\n" + ], + [ + 24, + " key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}\n" + ], + [ + 25, + " restore-keys: |\n" + ], + [ + 26, + " ${{ runner.os }}-yarn-\n" + ], + [ + 27, + " - name: Install packages\n" + ], + [ + 28, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": 
"/.github/workflows/release.yml", + "file_line_range": [ + 20, + 28 + ], + "resource": "jobs(build).steps[4](JS package cache)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install packages", + "run": "yarn install --pure-lockfile\n", + "__startline__": 27, + "__endline__": 30 + } + }, + "code_block": [ + [ + 27, + " - name: Install packages\n" + ], + [ + 28, + " run: |\n" + ], + [ + 29, + " yarn install --pure-lockfile\n" + ], + [ + 30, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 31, + " uses: ruby/setup-ruby@v1\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 27, + 31 + ], + "resource": "jobs(build).steps[5](Install packages)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + 
"guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Set up Ruby 3.0.0", + "uses": "ruby/setup-ruby@v1", + "with": { + "ruby-version": "3.0.0", + "__startline__": 33, + "__endline__": 34 + }, + "__startline__": 30, + "__endline__": 34 + } + }, + "code_block": [ + [ + 30, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 31, + " uses: ruby/setup-ruby@v1\n" + ], + [ + 32, + " with:\n" + ], + [ + 33, + " ruby-version: 3.0.0\n" + ], + [ + 34, + " - name: Ruby gem cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 30, + 35 + ], + "resource": "jobs(build).steps[6](Set up Ruby 3.0.0)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Ruby gem cache", + 
"uses": "actions/cache@v2", + "with": { + "path": "${{ github.workspace }}/vendor/bundle", + "key": "${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}", + "restore-keys": "${{ runner.os }}-gems-\n", + "__startline__": 37, + "__endline__": 41 + }, + "__startline__": 34, + "__endline__": 41 + } + }, + "code_block": [ + [ + 34, + " - name: Ruby gem cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ], + [ + 36, + " with:\n" + ], + [ + 37, + " path: ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 38, + " key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}\n" + ], + [ + 39, + " restore-keys: |\n" + ], + [ + 40, + " ${{ runner.os }}-gems-\n" + ], + [ + 41, + " - name: Install postgres headers\n" + ], + [ + 42, + " run: sudo apt-get -yqq install libpq-dev\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 34, + 42 + ], + "resource": "jobs(build).steps[7](Ruby gem cache)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install postgres headers", + "run": "sudo apt-get -yqq install libpq-dev", + "__startline__": 41, + 
"__endline__": 43 + } + }, + "code_block": [ + [ + 41, + " - name: Install postgres headers\n" + ], + [ + 42, + " run: sudo apt-get -yqq install libpq-dev\n" + ], + [ + 43, + " - name: Bundle Setup\n" + ], + [ + 44, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 41, + 44 + ], + "resource": "jobs(build).steps[8](Install postgres headers)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Bundle Setup", + "run": "gem update --system 3.1.4 -N\ngem install --no-document bundler\nbundle config path ${{ github.workspace }}/vendor/bundle\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 43, + "__endline__": 49 + } + }, + "code_block": [ + [ + 43, + " - name: Bundle Setup\n" + ], + [ + 44, + " run: |\n" + ], + [ + 45, + " gem update --system 3.1.4 -N\n" + ], + [ + 46, + " gem install --no-document bundler\n" + ], + [ + 47, + " bundle config path ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 48, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 49, + " - name: Bundle Install\n" + ], + [ + 50, + " env:\n" + 
] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 43, + 50 + ], + "resource": "jobs(build).steps[9](Bundle Setup)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Bundle Install", + "env": { + "POSTGRES_USERNAME": "postgres", + "__startline__": 51, + "__endline__": 52 + }, + "run": "bundle install --jobs 4 --retry 3\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 49, + "__endline__": 56 + } + }, + "code_block": [ + [ + 49, + " - name: Bundle Install\n" + ], + [ + 50, + " env:\n" + ], + [ + 51, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 52, + " run: |\n" + ], + [ + 53, + " bundle install --jobs 4 --retry 3\n" + ], + [ + 54, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 55, + "\n" + ], + [ + 56, + " - name: Precompile assets\n" + ], + [ + 57, + " env:\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 49, + 57 + ], + "resource": 
"jobs(build).steps[10](Bundle Install)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Precompile assets", + "env": { + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "production", + "__startline__": 58, + "__endline__": 62 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 56, + "__endline__": 65 + } + }, + "code_block": [ + [ + 56, + " - name: Precompile assets\n" + ], + [ + 57, + " env:\n" + ], + [ + 58, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 59, + " DISABLE_SSL: 1\n" + ], + [ + 60, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 61, + " RAILS_ENV: production\n" + ], + [ + 62, + " run: bundle exec rails assets:precompile\n" + ], + [ + 63, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 64, + "\n" + ], + [ + 65, + " - name: Set Credentials\n" + ], + [ + 66, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 56, + 66 + ], + "resource": "jobs(build).steps[11](Precompile assets)", + "evaluations": null, + 
"check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Set Credentials", + "run": "mkdir -p $HOME/.gem\ntouch $HOME/.gem/credentials\nchmod 0600 $HOME/.gem/credentials\nprintf -- \"---\\n:github: Bearer ${GITHUB_TOKEN}\\n:rubygems_api_key: ${RUBYGEMS_API_KEY}\\n\" > $HOME/.gem/credentials\n", + "env": { + "GITHUB_TOKEN": "${{secrets.GITHUB_TOKEN}}", + "RUBYGEMS_API_KEY": "${{secrets.RUBYGEMS_API_KEY}}", + "__startline__": 72, + "__endline__": 75 + }, + "__startline__": 65, + "__endline__": 75 + } + }, + "code_block": [ + [ + 65, + " - name: Set Credentials\n" + ], + [ + 66, + " run: |\n" + ], + [ + 67, + " mkdir -p $HOME/.gem\n" + ], + [ + 68, + " touch $HOME/.gem/credentials\n" + ], + [ + 69, + " chmod 0600 $HOME/.gem/credentials\n" + ], + [ + 70, + " printf -- \"---\\n:github: Bearer ${GITHUB_TOKEN}\\n:rubygems_api_key: ${RUBYGEMS_API_KEY}\\n\" > $HOME/.gem/credentials\n" + ], + [ + 71, + " env:\n" + ], + [ + 72, + " GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}\n" + ], + [ + 73, + " RUBYGEMS_API_KEY: ${{secrets.RUBYGEMS_API_KEY}}\n" + ], + [ + 74, + "\n" + ], + [ + 75, + " - name: Publish to GitHub Packages\n" + ], + [ + 76, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": 
"/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 65, + 76 + ], + "resource": "jobs(build).steps[12](Set Credentials)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Publish to GitHub Packages", + "run": "export OWNER=$( echo ${{ github.repository }} | cut -d \"/\" -f 1 )\ngem build station.gemspec\ngem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem\ngem push *.gem\n", + "__startline__": 75, + "__endline__": 81 + } + }, + "code_block": [ + [ + 75, + " - name: Publish to GitHub Packages\n" + ], + [ + 76, + " run: |\n" + ], + [ + 77, + " export OWNER=$( echo ${{ github.repository }} | cut -d \"/\" -f 1 )\n" + ], + [ + 78, + " gem build station.gemspec\n" + ], + [ + 79, + " gem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem\n" + ], + [ + 80, + " gem push *.gem\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 75, + 82 + ], + "resource": "jobs(build).steps[13](Publish to GitHub Packages)", + "evaluations": null, + 
"check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/checkout@v2", + "__startline__": 12, + "__endline__": 14 + } + }, + "code_block": [ + [ + 12, + " - uses: actions/checkout@v2\n" + ], + [ + 13, + "\n" + ], + [ + 14, + " - uses: actions/setup-node@v1\n" + ], + [ + 15, + " with:\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 12, + 15 + ], + "resource": "jobs(build).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", 
+ "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/setup-node@v1", + "with": { + "node-version": "12.x", + "__startline__": 16, + "__endline__": 17 + }, + "__startline__": 14, + "__endline__": 17 + } + }, + "code_block": [ + [ + 14, + " - uses: actions/setup-node@v1\n" + ], + [ + 15, + " with:\n" + ], + [ + 16, + " node-version: \"12.x\"\n" + ], + [ + 17, + " - name: Find yarn cache location\n" + ], + [ + 18, + " id: yarn-cache\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 14, + 18 + ], + "resource": "jobs(build).steps[2]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Find yarn cache location", + "id": "yarn-cache", + "run": "echo \"::set-output name=dir::$(yarn cache dir)\"", + "__startline__": 17, + "__endline__": 20 + } + }, + "code_block": [ + [ + 17, + " - name: Find yarn cache location\n" + ], + [ + 18, + " id: yarn-cache\n" + ], + [ + 19, + " run: echo \"::set-output name=dir::$(yarn cache dir)\"\n" + ], + [ + 20, + " - name: JS package cache\n" + ], + [ + 21, + " uses: actions/cache@v2\n" + ] + ], + 
"file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 17, + 21 + ], + "resource": "jobs(build).steps[3](Find yarn cache location)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "JS package cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.yarn-cache.outputs.dir }}", + "key": "${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}", + "restore-keys": "${{ runner.os }}-yarn-\n", + "__startline__": 23, + "__endline__": 27 + }, + "__startline__": 20, + "__endline__": 27 + } + }, + "code_block": [ + [ + 20, + " - name: JS package cache\n" + ], + [ + 21, + " uses: actions/cache@v2\n" + ], + [ + 22, + " with:\n" + ], + [ + 23, + " path: ${{ steps.yarn-cache.outputs.dir }}\n" + ], + [ + 24, + " key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}\n" + ], + [ + 25, + " restore-keys: |\n" + ], + [ + 26, + " ${{ runner.os }}-yarn-\n" + ], + [ + 27, + " - name: Install packages\n" + ], + [ + 28, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": 
"/.github/workflows/release.yml", + "file_line_range": [ + 20, + 28 + ], + "resource": "jobs(build).steps[4](JS package cache)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install packages", + "run": "yarn install --pure-lockfile\n", + "__startline__": 27, + "__endline__": 30 + } + }, + "code_block": [ + [ + 27, + " - name: Install packages\n" + ], + [ + 28, + " run: |\n" + ], + [ + 29, + " yarn install --pure-lockfile\n" + ], + [ + 30, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 31, + " uses: ruby/setup-ruby@v1\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 27, + 31 + ], + "resource": "jobs(build).steps[5](Install packages)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + 
"details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Set up Ruby 3.0.0", + "uses": "ruby/setup-ruby@v1", + "with": { + "ruby-version": "3.0.0", + "__startline__": 33, + "__endline__": 34 + }, + "__startline__": 30, + "__endline__": 34 + } + }, + "code_block": [ + [ + 30, + " - name: Set up Ruby 3.0.0\n" + ], + [ + 31, + " uses: ruby/setup-ruby@v1\n" + ], + [ + 32, + " with:\n" + ], + [ + 33, + " ruby-version: 3.0.0\n" + ], + [ + 34, + " - name: Ruby gem cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 30, + 35 + ], + "resource": "jobs(build).steps[6](Set up Ruby 3.0.0)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Ruby gem cache", + "uses": "actions/cache@v2", + "with": { + "path": "${{ 
github.workspace }}/vendor/bundle", + "key": "${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}", + "restore-keys": "${{ runner.os }}-gems-\n", + "__startline__": 37, + "__endline__": 41 + }, + "__startline__": 34, + "__endline__": 41 + } + }, + "code_block": [ + [ + 34, + " - name: Ruby gem cache\n" + ], + [ + 35, + " uses: actions/cache@v2\n" + ], + [ + 36, + " with:\n" + ], + [ + 37, + " path: ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 38, + " key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}\n" + ], + [ + 39, + " restore-keys: |\n" + ], + [ + 40, + " ${{ runner.os }}-gems-\n" + ], + [ + 41, + " - name: Install postgres headers\n" + ], + [ + 42, + " run: sudo apt-get -yqq install libpq-dev\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 34, + 42 + ], + "resource": "jobs(build).steps[7](Ruby gem cache)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install postgres headers", + "run": "sudo apt-get -yqq install libpq-dev", + "__startline__": 41, + "__endline__": 43 + } + }, + "code_block": [ + [ + 41, + " - name: Install 
postgres headers\n" + ], + [ + 42, + " run: sudo apt-get -yqq install libpq-dev\n" + ], + [ + 43, + " - name: Bundle Setup\n" + ], + [ + 44, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 41, + 44 + ], + "resource": "jobs(build).steps[8](Install postgres headers)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Bundle Setup", + "run": "gem update --system 3.1.4 -N\ngem install --no-document bundler\nbundle config path ${{ github.workspace }}/vendor/bundle\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 43, + "__endline__": 49 + } + }, + "code_block": [ + [ + 43, + " - name: Bundle Setup\n" + ], + [ + 44, + " run: |\n" + ], + [ + 45, + " gem update --system 3.1.4 -N\n" + ], + [ + 46, + " gem install --no-document bundler\n" + ], + [ + 47, + " bundle config path ${{ github.workspace }}/vendor/bundle\n" + ], + [ + 48, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 49, + " - name: Bundle Install\n" + ], + [ + 50, + " env:\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": 
"/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 43, + 50 + ], + "resource": "jobs(build).steps[9](Bundle Setup)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Bundle Install", + "env": { + "POSTGRES_USERNAME": "postgres", + "__startline__": 51, + "__endline__": 52 + }, + "run": "bundle install --jobs 4 --retry 3\n", + "working-directory": "./lib/nexmo_developer", + "__startline__": 49, + "__endline__": 56 + } + }, + "code_block": [ + [ + 49, + " - name: Bundle Install\n" + ], + [ + 50, + " env:\n" + ], + [ + 51, + " POSTGRES_USERNAME: postgres\n" + ], + [ + 52, + " run: |\n" + ], + [ + 53, + " bundle install --jobs 4 --retry 3\n" + ], + [ + 54, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 55, + "\n" + ], + [ + 56, + " - name: Precompile assets\n" + ], + [ + 57, + " env:\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 49, + 57 + ], + "resource": "jobs(build).steps[10](Bundle Install)", + "evaluations": null, + "check_class": 
"checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Precompile assets", + "env": { + "RAILS_SERVE_STATIC_FILES": 1, + "DISABLE_SSL": 1, + "RAILS_LOG_TO_STDOUT": 1, + "RAILS_ENV": "production", + "__startline__": 58, + "__endline__": 62 + }, + "run": "bundle exec rails assets:precompile", + "working-directory": "./lib/nexmo_developer", + "__startline__": 56, + "__endline__": 65 + } + }, + "code_block": [ + [ + 56, + " - name: Precompile assets\n" + ], + [ + 57, + " env:\n" + ], + [ + 58, + " RAILS_SERVE_STATIC_FILES: 1\n" + ], + [ + 59, + " DISABLE_SSL: 1\n" + ], + [ + 60, + " RAILS_LOG_TO_STDOUT: 1\n" + ], + [ + 61, + " RAILS_ENV: production\n" + ], + [ + 62, + " run: bundle exec rails assets:precompile\n" + ], + [ + 63, + " working-directory: ./lib/nexmo_developer\n" + ], + [ + 64, + "\n" + ], + [ + 65, + " - name: Set Credentials\n" + ], + [ + 66, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 56, + 66 + ], + "resource": "jobs(build).steps[11](Precompile assets)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + 
"entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Set Credentials", + "run": "mkdir -p $HOME/.gem\ntouch $HOME/.gem/credentials\nchmod 0600 $HOME/.gem/credentials\nprintf -- \"---\\n:github: Bearer ${GITHUB_TOKEN}\\n:rubygems_api_key: ${RUBYGEMS_API_KEY}\\n\" > $HOME/.gem/credentials\n", + "env": { + "GITHUB_TOKEN": "${{secrets.GITHUB_TOKEN}}", + "RUBYGEMS_API_KEY": "${{secrets.RUBYGEMS_API_KEY}}", + "__startline__": 72, + "__endline__": 75 + }, + "__startline__": 65, + "__endline__": 75 + } + }, + "code_block": [ + [ + 65, + " - name: Set Credentials\n" + ], + [ + 66, + " run: |\n" + ], + [ + 67, + " mkdir -p $HOME/.gem\n" + ], + [ + 68, + " touch $HOME/.gem/credentials\n" + ], + [ + 69, + " chmod 0600 $HOME/.gem/credentials\n" + ], + [ + 70, + " printf -- \"---\\n:github: Bearer ${GITHUB_TOKEN}\\n:rubygems_api_key: ${RUBYGEMS_API_KEY}\\n\" > $HOME/.gem/credentials\n" + ], + [ + 71, + " env:\n" + ], + [ + 72, + " GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}\n" + ], + [ + 73, + " RUBYGEMS_API_KEY: ${{secrets.RUBYGEMS_API_KEY}}\n" + ], + [ + 74, + "\n" + ], + [ + 75, + " - name: Publish to GitHub Packages\n" + ], + [ + 76, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 65, + 76 + 
], + "resource": "jobs(build).steps[12](Set Credentials)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Publish to GitHub Packages", + "run": "export OWNER=$( echo ${{ github.repository }} | cut -d \"/\" -f 1 )\ngem build station.gemspec\ngem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem\ngem push *.gem\n", + "__startline__": 75, + "__endline__": 81 + } + }, + "code_block": [ + [ + 75, + " - name: Publish to GitHub Packages\n" + ], + [ + 76, + " run: |\n" + ], + [ + 77, + " export OWNER=$( echo ${{ github.repository }} | cut -d \"/\" -f 1 )\n" + ], + [ + 78, + " gem build station.gemspec\n" + ], + [ + 79, + " gem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem\n" + ], + [ + 80, + " gem push *.gem\n" + ] + ], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 75, + 82 + ], + "resource": "jobs(build).steps[13](Publish to GitHub Packages)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + 
"caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Publish Gem" + } + ], + "failed_checks": [ + { + "check_id": "CKV2_GHA_1", + "bc_check_id": null, + "check_name": "Ensure top-level permissions are not set to write-all", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "permissions" + ] + }, + "code_block": [], + "file_path": "/.github/workflows/ci.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/ci.yml", + "repo_file_path": "/.github/workflows/ci.yml", + "file_line_range": [ + 0, + 1 + ], + "resource": "on(CI)", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push" + ] + ], + "job": [ + "" + ], + "workflow_name": "CI" + }, + { + "check_id": "CKV2_GHA_1", + "bc_check_id": null, + "check_name": "Ensure top-level permissions are not set to write-all", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "permissions" + ] + }, + "code_block": [], + "file_path": "/.github/workflows/deployment_status-lighthouse.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status-lighthouse.yml", + "repo_file_path": 
"/.github/workflows/deployment_status-lighthouse.yml", + "file_line_range": [ + 0, + 1 + ], + "resource": "on(Lighthouse Audit)", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "" + ], + "workflow_name": "Lighthouse Audit" + }, + { + "check_id": "CKV2_GHA_1", + "bc_check_id": null, + "check_name": "Ensure top-level permissions are not set to write-all", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "permissions" + ] + }, + "code_block": [], + "file_path": "/.github/workflows/deployment_status.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/deployment_status.yml", + "repo_file_path": "/.github/workflows/deployment_status.yml", + "file_line_range": [ + 0, + 1 + ], + "resource": "on(Append Heroku logs)", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "deployment_status" + ] + ], + "job": [ + "" + ], + "workflow_name": "Append Heroku logs" + }, + { + "check_id": "CKV2_GHA_1", + "bc_check_id": null, + "check_name": "Ensure top-level permissions are not set to write-all", + 
"check_result": { + "result": "FAILED", + "evaluated_keys": [ + "permissions" + ] + }, + "code_block": [], + "file_path": "/.github/workflows/publish-docker.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/publish-docker.yml", + "repo_file_path": "/.github/workflows/publish-docker.yml", + "file_line_range": [ + 0, + 1 + ], + "resource": "on(Publish Docker)", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "" + ], + "workflow_name": "Publish Docker" + }, + { + "check_id": "CKV2_GHA_1", + "bc_check_id": null, + "check_name": "Ensure top-level permissions are not set to write-all", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "permissions" + ] + }, + "code_block": [], + "file_path": "/.github/workflows/pull_request-review.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/pull_request-review.yml", + "repo_file_path": "/.github/workflows/pull_request-review.yml", + "file_line_range": [ + 0, + 1 + ], + "resource": "on(Review App)", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": 
null, + "triggers": [ + [ + "pull_request_target" + ] + ], + "job": [ + "" + ], + "workflow_name": "Review App" + }, + { + "check_id": "CKV2_GHA_1", + "bc_check_id": null, + "check_name": "Ensure top-level permissions are not set to write-all", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "permissions" + ] + }, + "code_block": [], + "file_path": "/.github/workflows/release.yml", + "file_abs_path": "/tmp/ws-scm/station/.github/workflows/release.yml", + "repo_file_path": "/.github/workflows/release.yml", + "file_line_range": [ + 0, + 1 + ], + "resource": "on(Publish Gem)", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "push" + ] + ], + "job": [ + "" + ], + "workflow_name": "Publish Gem" + } + ], + "skipped_checks": [], + "parsing_errors": [] + }, + "summary": { + "passed": 214, + "failed": 6, + "skipped": 0, + "parsing_errors": 0, + "resource_count": 0, + "checkov_version": "3.2.174" + }, + "url": "Add an api key '--bc-api-key ' to see more detailed insights via https://bridgecrew.cloud" + }, + { + "check_type": "openapi", + "results": { + "passed_checks": [ + { + "check_id": "CKV_OPENAPI_20", + "bc_check_id": "BC_OPENAPI_20", + "check_name": "Ensure that API keys are not sent over cleartext", + "check_result": { + "result": "PASSED", + "results_configuration": {} + }, + "code_block": [], + "file_path": "/lib/nexmo_developer/spec/fixtures/open_api/petstore-multiple-response.yml", + "file_abs_path": 
"/tmp/ws-scm/station/lib/nexmo_developer/spec/fixtures/open_api/petstore-multiple-response.yml", + "repo_file_path": "/lib/nexmo_developer/spec/fixtures/open_api/petstore-multiple-response.yml", + "file_line_range": [ + 0, + 1 + ], + "resource": "paths", + "evaluations": null, + "check_class": "checkov.openapi.checks.resource.generic.ClearTextAPIKey", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/api-policies/openapi-policies/bc-openapi-20", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV_OPENAPI_21", + "bc_check_id": "BC_OPENAPI_21", + "check_name": "Ensure that arrays have a maximum number of items", + "check_result": { + "result": "PASSED", + "results_configuration": { + "openapi": "3.0.0", + "servers": [ + { + "url": "http://petstore.swagger.io/api", + "__startline__": 3, + "__endline__": 4 + } + ], + "info": { + "version": "1.0.0", + "title": "Swagger Petstore", + "description": "A sample API that uses a petstore as an example to demonstrate features in the swagger-2.0 specification", + "termsOfService": "http://swagger.io/terms/", + "contact": { + "name": "Swagger API Team", + "__startline__": 12, + "__endline__": 13 + }, + "license": { + "name": "MIT", + "__startline__": 14, + "__endline__": 15 + }, + "__startline__": 5, + "__endline__": 15 + }, + "paths": { + "/pets/{id}": { + "get": { + "description": "Returns a user based on a single ID, if the user does not have access to the pet", + "operationId": "findPetById", + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of pet to fetch", + "required": true, + "schema": { + "type": 
"integer", + "format": "int64", + "__startline__": 28, + "__endline__": 30 + }, + "__startline__": 23, + "__endline__": 30 + } + ], + "responses": { + "200": { + "description": "pet response", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/Pet", + "__startline__": 36, + "__endline__": 37 + }, + "__startline__": 35, + "__endline__": 37 + }, + "application/xml": { + "schema": { + "$ref": "#/components/schemas/Pet", + "__startline__": 39, + "__endline__": 40 + }, + "__startline__": 38, + "__endline__": 40 + }, + "text/xml": { + "schema": { + "$ref": "#/components/schemas/Pet", + "__startline__": 42, + "__endline__": 43 + }, + "__startline__": 41, + "__endline__": 43 + }, + "text/html": { + "schema": { + "$ref": "#/components/schemas/Pet", + "__startline__": 45, + "__endline__": 46 + }, + "__startline__": 44, + "__endline__": 46 + }, + "__startline__": 34, + "__endline__": 46 + }, + "__startline__": 32, + "__endline__": 46 + }, + "401": { + "$ref": "#/components/responses/UnauthorizedError", + "__startline__": 47, + "__endline__": 48 + }, + "__startline__": 31, + "__endline__": 48 + }, + "__startline__": 18, + "__endline__": 48 + }, + "__startline__": 17, + "__endline__": 48 + }, + "__startline__": 16, + "__endline__": 48 + }, + "components": { + "responses": { + "UnauthorizedError": { + "description": "Access token is missing or invalid", + "__startline__": 51, + "__endline__": 52 + }, + "__startline__": 50, + "__endline__": 52 + }, + "schemas": { + "Pet": { + "type": "object", + "allOf": [ + { + "$ref": "#/components/schemas/NewPet", + "__startline__": 56, + "__endline__": 57 + }, + { + "required": [ + "id" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64", + "__startline__": 61, + "__endline__": 63 + }, + "__startline__": 60, + "__endline__": 63 + }, + "__startline__": 57, + "__endline__": 63 + } + ], + "__startline__": 54, + "__endline__": 63 + }, + "NewPet": { + "type": "object", + "required": [ + 
"name" + ], + "properties": { + "name": { + "type": "string", + "__startline__": 69, + "__endline__": 70 + }, + "tag": { + "type": "string", + "__startline__": 71, + "__endline__": 72 + }, + "__startline__": 68, + "__endline__": 72 + }, + "__startline__": 64, + "__endline__": 72 + }, + "ErrorModel": { + "type": "object", + "required": [ + "code", + "message" + ], + "properties": { + "code": { + "type": "integer", + "format": "int32", + "__startline__": 79, + "__endline__": 81 + }, + "message": { + "type": "string", + "__startline__": 82, + "__endline__": 83 + }, + "__startline__": 78, + "__endline__": 83 + }, + "__startline__": 73, + "__endline__": 83 + }, + "__startline__": 53, + "__endline__": 83 + }, + "__startline__": 49, + "__endline__": 83 + }, + "__startline__": 1, + "__endline__": 83 + } + }, + "code_block": [ + [ + 1, + "openapi: 3.0.0\n" + ], + [ + 2, + "servers:\n" + ], + [ + 3, + " - url: 'http://petstore.swagger.io/api'\n" + ], + [ + 4, + "info:\n" + ], + [ + 5, + " version: 1.0.0\n" + ], + [ + 6, + " title: Swagger Petstore\n" + ], + [ + 7, + " description: >-\n" + ], + [ + 8, + " A sample API that uses a petstore as an example to demonstrate features in\n" + ], + [ + 9, + " the swagger-2.0 specification\n" + ], + [ + 10, + " termsOfService: 'http://swagger.io/terms/'\n" + ], + [ + 11, + " contact:\n" + ], + [ + 12, + " name: Swagger API Team\n" + ], + [ + 13, + " license:\n" + ], + [ + 14, + " name: MIT\n" + ], + [ + 15, + "paths:\n" + ], + [ + 16, + " '/pets/{id}':\n" + ], + [ + 17, + " get:\n" + ], + [ + 18, + " description: >-\n" + ], + [ + 19, + " Returns a user based on a single ID, if the user does not have access to\n" + ], + [ + 20, + " the pet\n" + ], + [ + 21, + " operationId: findPetById\n" + ], + [ + 22, + " parameters:\n" + ], + [ + 23, + " - name: id\n" + ], + [ + 24, + " in: path\n" + ], + [ + 25, + " description: ID of pet to fetch\n" + ], + [ + 26, + " required: true\n" + ], + [ + 27, + " schema:\n" + ], + [ + 28, + " type: 
integer\n" + ], + [ + 29, + " format: int64\n" + ], + [ + 30, + " responses:\n" + ], + [ + 31, + " '200':\n" + ], + [ + 32, + " description: pet response\n" + ], + [ + 33, + " content:\n" + ], + [ + 34, + " application/json:\n" + ], + [ + 35, + " schema:\n" + ], + [ + 36, + " $ref: '#/components/schemas/Pet'\n" + ], + [ + 37, + " application/xml:\n" + ], + [ + 38, + " schema:\n" + ], + [ + 39, + " $ref: '#/components/schemas/Pet'\n" + ], + [ + 40, + " text/xml:\n" + ], + [ + 41, + " schema:\n" + ], + [ + 42, + " $ref: '#/components/schemas/Pet'\n" + ], + [ + 43, + " text/html:\n" + ], + [ + 44, + " schema:\n" + ], + [ + 45, + " $ref: '#/components/schemas/Pet'\n" + ], + [ + 46, + " '401':\n" + ], + [ + 47, + " $ref: '#/components/responses/UnauthorizedError'\n" + ], + [ + 48, + "components:\n" + ], + [ + 49, + " responses:\n" + ], + [ + 50, + " UnauthorizedError:\n" + ], + [ + 51, + " description: Access token is missing or invalid\n" + ], + [ + 52, + " schemas:\n" + ], + [ + 53, + " Pet:\n" + ], + [ + 54, + " type: object\n" + ], + [ + 55, + " allOf:\n" + ], + [ + 56, + " - $ref: '#/components/schemas/NewPet'\n" + ], + [ + 57, + " - required:\n" + ], + [ + 58, + " - id\n" + ], + [ + 59, + " properties:\n" + ], + [ + 60, + " id:\n" + ], + [ + 61, + " type: integer\n" + ], + [ + 62, + " format: int64\n" + ], + [ + 63, + " NewPet:\n" + ], + [ + 64, + " type: object\n" + ], + [ + 65, + " required:\n" + ], + [ + 66, + " - name\n" + ], + [ + 67, + " properties:\n" + ], + [ + 68, + " name:\n" + ], + [ + 69, + " type: string\n" + ], + [ + 70, + " tag:\n" + ], + [ + 71, + " type: string\n" + ], + [ + 72, + " ErrorModel:\n" + ], + [ + 73, + " type: object\n" + ], + [ + 74, + " required:\n" + ], + [ + 75, + " - code\n" + ], + [ + 76, + " - message\n" + ], + [ + 77, + " properties:\n" + ], + [ + 78, + " code:\n" + ], + [ + 79, + " type: integer\n" + ], + [ + 80, + " format: int32\n" + ], + [ + 81, + " message:\n" + ], + [ + 82, + " type: string\n" + ] + ], + "file_path": 
"/lib/nexmo_developer/spec/fixtures/open_api/petstore-multiple-response.yml", + "file_abs_path": "/tmp/ws-scm/station/lib/nexmo_developer/spec/fixtures/open_api/petstore-multiple-response.yml", + "repo_file_path": "/lib/nexmo_developer/spec/fixtures/open_api/petstore-multiple-response.yml", + "file_line_range": [ + 1, + 84 + ], + "resource": "paths", + "evaluations": null, + "check_class": "checkov.openapi.checks.resource.generic.NoMaximumNumberItems", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/api-policies/openapi-policies/bc-openapi-21", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV_OPENAPI_3", + "bc_check_id": "BC_OPENAPI_3", + "check_name": "Ensure that security schemes don't allow cleartext credentials over unencrypted channel - version 3.x.y files", + "check_result": { + "result": "PASSED", + "results_configuration": { + "openapi": "3.0.0", + "servers": [ + { + "url": "http://petstore.swagger.io/api", + "__startline__": 3, + "__endline__": 4 + } + ], + "info": { + "version": "1.0.0", + "title": "Swagger Petstore", + "description": "A sample API that uses a petstore as an example to demonstrate features in the swagger-2.0 specification", + "termsOfService": "http://swagger.io/terms/", + "contact": { + "name": "Swagger API Team", + "__startline__": 12, + "__endline__": 13 + }, + "license": { + "name": "MIT", + "__startline__": 14, + "__endline__": 15 + }, + "__startline__": 5, + "__endline__": 15 + }, + "paths": { + "/pets/{id}": { + "get": { + "description": "Returns a user based on a single ID, if the user does not have access to the pet", + 
"operationId": "findPetById", + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of pet to fetch", + "required": true, + "schema": { + "type": "integer", + "format": "int64", + "__startline__": 28, + "__endline__": 30 + }, + "__startline__": 23, + "__endline__": 30 + } + ], + "responses": { + "200": { + "description": "pet response", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/Pet", + "__startline__": 36, + "__endline__": 37 + }, + "__startline__": 35, + "__endline__": 37 + }, + "application/xml": { + "schema": { + "$ref": "#/components/schemas/Pet", + "__startline__": 39, + "__endline__": 40 + }, + "__startline__": 38, + "__endline__": 40 + }, + "text/xml": { + "schema": { + "$ref": "#/components/schemas/Pet", + "__startline__": 42, + "__endline__": 43 + }, + "__startline__": 41, + "__endline__": 43 + }, + "text/html": { + "schema": { + "$ref": "#/components/schemas/Pet", + "__startline__": 45, + "__endline__": 46 + }, + "__startline__": 44, + "__endline__": 46 + }, + "__startline__": 34, + "__endline__": 46 + }, + "__startline__": 32, + "__endline__": 46 + }, + "401": { + "$ref": "#/components/responses/UnauthorizedError", + "__startline__": 47, + "__endline__": 48 + }, + "__startline__": 31, + "__endline__": 48 + }, + "__startline__": 18, + "__endline__": 48 + }, + "__startline__": 17, + "__endline__": 48 + }, + "__startline__": 16, + "__endline__": 48 + }, + "components": { + "responses": { + "UnauthorizedError": { + "description": "Access token is missing or invalid", + "__startline__": 51, + "__endline__": 52 + }, + "__startline__": 50, + "__endline__": 52 + }, + "schemas": { + "Pet": { + "type": "object", + "allOf": [ + { + "$ref": "#/components/schemas/NewPet", + "__startline__": 56, + "__endline__": 57 + }, + { + "required": [ + "id" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64", + "__startline__": 61, + "__endline__": 63 + }, + "__startline__": 60, + 
"__endline__": 63 + }, + "__startline__": 57, + "__endline__": 63 + } + ], + "__startline__": 54, + "__endline__": 63 + }, + "NewPet": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string", + "__startline__": 69, + "__endline__": 70 + }, + "tag": { + "type": "string", + "__startline__": 71, + "__endline__": 72 + }, + "__startline__": 68, + "__endline__": 72 + }, + "__startline__": 64, + "__endline__": 72 + }, + "ErrorModel": { + "type": "object", + "required": [ + "code", + "message" + ], + "properties": { + "code": { + "type": "integer", + "format": "int32", + "__startline__": 79, + "__endline__": 81 + }, + "message": { + "type": "string", + "__startline__": 82, + "__endline__": 83 + }, + "__startline__": 78, + "__endline__": 83 + }, + "__startline__": 73, + "__endline__": 83 + }, + "__startline__": 53, + "__endline__": 83 + }, + "__startline__": 49, + "__endline__": 83 + }, + "__startline__": 1, + "__endline__": 83 + } + }, + "code_block": [ + [ + 1, + "openapi: 3.0.0\n" + ], + [ + 2, + "servers:\n" + ], + [ + 3, + " - url: 'http://petstore.swagger.io/api'\n" + ], + [ + 4, + "info:\n" + ], + [ + 5, + " version: 1.0.0\n" + ], + [ + 6, + " title: Swagger Petstore\n" + ], + [ + 7, + " description: >-\n" + ], + [ + 8, + " A sample API that uses a petstore as an example to demonstrate features in\n" + ], + [ + 9, + " the swagger-2.0 specification\n" + ], + [ + 10, + " termsOfService: 'http://swagger.io/terms/'\n" + ], + [ + 11, + " contact:\n" + ], + [ + 12, + " name: Swagger API Team\n" + ], + [ + 13, + " license:\n" + ], + [ + 14, + " name: MIT\n" + ], + [ + 15, + "paths:\n" + ], + [ + 16, + " '/pets/{id}':\n" + ], + [ + 17, + " get:\n" + ], + [ + 18, + " description: >-\n" + ], + [ + 19, + " Returns a user based on a single ID, if the user does not have access to\n" + ], + [ + 20, + " the pet\n" + ], + [ + 21, + " operationId: findPetById\n" + ], + [ + 22, + " parameters:\n" + ], + [ + 23, + " - name: id\n" + ], + [ + 
24, + " in: path\n" + ], + [ + 25, + " description: ID of pet to fetch\n" + ], + [ + 26, + " required: true\n" + ], + [ + 27, + " schema:\n" + ], + [ + 28, + " type: integer\n" + ], + [ + 29, + " format: int64\n" + ], + [ + 30, + " responses:\n" + ], + [ + 31, + " '200':\n" + ], + [ + 32, + " description: pet response\n" + ], + [ + 33, + " content:\n" + ], + [ + 34, + " application/json:\n" + ], + [ + 35, + " schema:\n" + ], + [ + 36, + " $ref: '#/components/schemas/Pet'\n" + ], + [ + 37, + " application/xml:\n" + ], + [ + 38, + " schema:\n" + ], + [ + 39, + " $ref: '#/components/schemas/Pet'\n" + ], + [ + 40, + " text/xml:\n" + ], + [ + 41, + " schema:\n" + ], + [ + 42, + " $ref: '#/components/schemas/Pet'\n" + ], + [ + 43, + " text/html:\n" + ], + [ + 44, + " schema:\n" + ], + [ + 45, + " $ref: '#/components/schemas/Pet'\n" + ], + [ + 46, + " '401':\n" + ], + [ + 47, + " $ref: '#/components/responses/UnauthorizedError'\n" + ], + [ + 48, + "components:\n" + ], + [ + 49, + " responses:\n" + ], + [ + 50, + " UnauthorizedError:\n" + ], + [ + 51, + " description: Access token is missing or invalid\n" + ], + [ + 52, + " schemas:\n" + ], + [ + 53, + " Pet:\n" + ], + [ + 54, + " type: object\n" + ], + [ + 55, + " allOf:\n" + ], + [ + 56, + " - $ref: '#/components/schemas/NewPet'\n" + ], + [ + 57, + " - required:\n" + ], + [ + 58, + " - id\n" + ], + [ + 59, + " properties:\n" + ], + [ + 60, + " id:\n" + ], + [ + 61, + " type: integer\n" + ], + [ + 62, + " format: int64\n" + ], + [ + 63, + " NewPet:\n" + ], + [ + 64, + " type: object\n" + ], + [ + 65, + " required:\n" + ], + [ + 66, + " - name\n" + ], + [ + 67, + " properties:\n" + ], + [ + 68, + " name:\n" + ], + [ + 69, + " type: string\n" + ], + [ + 70, + " tag:\n" + ], + [ + 71, + " type: string\n" + ], + [ + 72, + " ErrorModel:\n" + ], + [ + 73, + " type: object\n" + ], + [ + 74, + " required:\n" + ], + [ + 75, + " - code\n" + ], + [ + 76, + " - message\n" + ], + [ + 77, + " properties:\n" + ], + [ + 78, + " code:\n" 
+ ], + [ + 79, + " type: integer\n" + ], + [ + 80, + " format: int32\n" + ], + [ + 81, + " message:\n" + ], + [ + 82, + " type: string\n" + ] + ], + "file_path": "/lib/nexmo_developer/spec/fixtures/open_api/petstore-multiple-response.yml", + "file_abs_path": "/tmp/ws-scm/station/lib/nexmo_developer/spec/fixtures/open_api/petstore-multiple-response.yml", + "repo_file_path": "/lib/nexmo_developer/spec/fixtures/open_api/petstore-multiple-response.yml", + "file_line_range": [ + 1, + 84 + ], + "resource": "components", + "evaluations": null, + "check_class": "checkov.openapi.checks.resource.v3.CleartextOverUnencryptedChannel", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/api-policies/openapi-policies/ensure-that-security-schemes-dont-allow-cleartext-credentials-over-unencrypted-channel", + "details": [], + "check_len": null, + "definition_context_file_path": null + } + ], + "failed_checks": [ + { + "check_id": "CKV_OPENAPI_4", + "bc_check_id": "BC_OPENAPI_4", + "check_name": "Ensure that the global security field has rules defined", + "check_result": { + "result": "FAILED", + "results_configuration": { + "openapi": "3.0.0", + "servers": [ + { + "url": "http://petstore.swagger.io/api", + "__startline__": 3, + "__endline__": 4 + } + ], + "info": { + "version": "1.0.0", + "title": "Swagger Petstore", + "description": "A sample API that uses a petstore as an example to demonstrate features in the swagger-2.0 specification", + "termsOfService": "http://swagger.io/terms/", + "contact": { + "name": "Swagger API Team", + "__startline__": 12, + "__endline__": 13 + }, + "license": { + "name": "MIT", + "__startline__": 14, + 
"__endline__": 15 + }, + "__startline__": 5, + "__endline__": 15 + }, + "paths": { + "/pets/{id}": { + "get": { + "description": "Returns a user based on a single ID, if the user does not have access to the pet", + "operationId": "findPetById", + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of pet to fetch", + "required": true, + "schema": { + "type": "integer", + "format": "int64", + "__startline__": 28, + "__endline__": 30 + }, + "__startline__": 23, + "__endline__": 30 + } + ], + "responses": { + "200": { + "description": "pet response", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/Pet", + "__startline__": 36, + "__endline__": 37 + }, + "__startline__": 35, + "__endline__": 37 + }, + "application/xml": { + "schema": { + "$ref": "#/components/schemas/Pet", + "__startline__": 39, + "__endline__": 40 + }, + "__startline__": 38, + "__endline__": 40 + }, + "text/xml": { + "schema": { + "$ref": "#/components/schemas/Pet", + "__startline__": 42, + "__endline__": 43 + }, + "__startline__": 41, + "__endline__": 43 + }, + "text/html": { + "schema": { + "$ref": "#/components/schemas/Pet", + "__startline__": 45, + "__endline__": 46 + }, + "__startline__": 44, + "__endline__": 46 + }, + "__startline__": 34, + "__endline__": 46 + }, + "__startline__": 32, + "__endline__": 46 + }, + "401": { + "$ref": "#/components/responses/UnauthorizedError", + "__startline__": 47, + "__endline__": 48 + }, + "__startline__": 31, + "__endline__": 48 + }, + "__startline__": 18, + "__endline__": 48 + }, + "__startline__": 17, + "__endline__": 48 + }, + "__startline__": 16, + "__endline__": 48 + }, + "components": { + "responses": { + "UnauthorizedError": { + "description": "Access token is missing or invalid", + "__startline__": 51, + "__endline__": 52 + }, + "__startline__": 50, + "__endline__": 52 + }, + "schemas": { + "Pet": { + "type": "object", + "allOf": [ + { + "$ref": "#/components/schemas/NewPet", + "__startline__": 
56, + "__endline__": 57 + }, + { + "required": [ + "id" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64", + "__startline__": 61, + "__endline__": 63 + }, + "__startline__": 60, + "__endline__": 63 + }, + "__startline__": 57, + "__endline__": 63 + } + ], + "__startline__": 54, + "__endline__": 63 + }, + "NewPet": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string", + "__startline__": 69, + "__endline__": 70 + }, + "tag": { + "type": "string", + "__startline__": 71, + "__endline__": 72 + }, + "__startline__": 68, + "__endline__": 72 + }, + "__startline__": 64, + "__endline__": 72 + }, + "ErrorModel": { + "type": "object", + "required": [ + "code", + "message" + ], + "properties": { + "code": { + "type": "integer", + "format": "int32", + "__startline__": 79, + "__endline__": 81 + }, + "message": { + "type": "string", + "__startline__": 82, + "__endline__": 83 + }, + "__startline__": 78, + "__endline__": 83 + }, + "__startline__": 73, + "__endline__": 83 + }, + "__startline__": 53, + "__endline__": 83 + }, + "__startline__": 49, + "__endline__": 83 + }, + "__startline__": 1, + "__endline__": 83 + } + }, + "code_block": [ + [ + 1, + "openapi: 3.0.0\n" + ], + [ + 2, + "servers:\n" + ], + [ + 3, + " - url: 'http://petstore.swagger.io/api'\n" + ], + [ + 4, + "info:\n" + ], + [ + 5, + " version: 1.0.0\n" + ], + [ + 6, + " title: Swagger Petstore\n" + ], + [ + 7, + " description: >-\n" + ], + [ + 8, + " A sample API that uses a petstore as an example to demonstrate features in\n" + ], + [ + 9, + " the swagger-2.0 specification\n" + ], + [ + 10, + " termsOfService: 'http://swagger.io/terms/'\n" + ], + [ + 11, + " contact:\n" + ], + [ + 12, + " name: Swagger API Team\n" + ], + [ + 13, + " license:\n" + ], + [ + 14, + " name: MIT\n" + ], + [ + 15, + "paths:\n" + ], + [ + 16, + " '/pets/{id}':\n" + ], + [ + 17, + " get:\n" + ], + [ + 18, + " description: >-\n" + ], + [ + 19, + " Returns a user based on a 
single ID, if the user does not have access to\n" + ], + [ + 20, + " the pet\n" + ], + [ + 21, + " operationId: findPetById\n" + ], + [ + 22, + " parameters:\n" + ], + [ + 23, + " - name: id\n" + ], + [ + 24, + " in: path\n" + ], + [ + 25, + " description: ID of pet to fetch\n" + ], + [ + 26, + " required: true\n" + ], + [ + 27, + " schema:\n" + ], + [ + 28, + " type: integer\n" + ], + [ + 29, + " format: int64\n" + ], + [ + 30, + " responses:\n" + ], + [ + 31, + " '200':\n" + ], + [ + 32, + " description: pet response\n" + ], + [ + 33, + " content:\n" + ], + [ + 34, + " application/json:\n" + ], + [ + 35, + " schema:\n" + ], + [ + 36, + " $ref: '#/components/schemas/Pet'\n" + ], + [ + 37, + " application/xml:\n" + ], + [ + 38, + " schema:\n" + ], + [ + 39, + " $ref: '#/components/schemas/Pet'\n" + ], + [ + 40, + " text/xml:\n" + ], + [ + 41, + " schema:\n" + ], + [ + 42, + " $ref: '#/components/schemas/Pet'\n" + ], + [ + 43, + " text/html:\n" + ], + [ + 44, + " schema:\n" + ], + [ + 45, + " $ref: '#/components/schemas/Pet'\n" + ], + [ + 46, + " '401':\n" + ], + [ + 47, + " $ref: '#/components/responses/UnauthorizedError'\n" + ], + [ + 48, + "components:\n" + ], + [ + 49, + " responses:\n" + ], + [ + 50, + " UnauthorizedError:\n" + ], + [ + 51, + " description: Access token is missing or invalid\n" + ], + [ + 52, + " schemas:\n" + ], + [ + 53, + " Pet:\n" + ], + [ + 54, + " type: object\n" + ], + [ + 55, + " allOf:\n" + ], + [ + 56, + " - $ref: '#/components/schemas/NewPet'\n" + ], + [ + 57, + " - required:\n" + ], + [ + 58, + " - id\n" + ], + [ + 59, + " properties:\n" + ], + [ + 60, + " id:\n" + ], + [ + 61, + " type: integer\n" + ], + [ + 62, + " format: int64\n" + ], + [ + 63, + " NewPet:\n" + ], + [ + 64, + " type: object\n" + ], + [ + 65, + " required:\n" + ], + [ + 66, + " - name\n" + ], + [ + 67, + " properties:\n" + ], + [ + 68, + " name:\n" + ], + [ + 69, + " type: string\n" + ], + [ + 70, + " tag:\n" + ], + [ + 71, + " type: string\n" + ], + [ + 72, + " 
ErrorModel:\n" + ], + [ + 73, + " type: object\n" + ], + [ + 74, + " required:\n" + ], + [ + 75, + " - code\n" + ], + [ + 76, + " - message\n" + ], + [ + 77, + " properties:\n" + ], + [ + 78, + " code:\n" + ], + [ + 79, + " type: integer\n" + ], + [ + 80, + " format: int32\n" + ], + [ + 81, + " message:\n" + ], + [ + 82, + " type: string\n" + ] + ], + "file_path": "/lib/nexmo_developer/spec/fixtures/open_api/petstore-multiple-response.yml", + "file_abs_path": "/tmp/ws-scm/station/lib/nexmo_developer/spec/fixtures/open_api/petstore-multiple-response.yml", + "repo_file_path": "/lib/nexmo_developer/spec/fixtures/open_api/petstore-multiple-response.yml", + "file_line_range": [ + 1, + 84 + ], + "resource": "security", + "evaluations": null, + "check_class": "checkov.openapi.checks.resource.generic.GlobalSecurityFieldIsEmpty", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/api-policies/openapi-policies/ensure-that-the-global-security-field-has-rules-defined", + "details": [], + "check_len": null, + "definition_context_file_path": null + }, + { + "check_id": "CKV_OPENAPI_5", + "bc_check_id": "BC_OPENAPI_5", + "check_name": "Ensure that security operations is not empty.", + "check_result": { + "result": "FAILED", + "results_configuration": { + "openapi": "3.0.0", + "servers": [ + { + "url": "http://petstore.swagger.io/api", + "__startline__": 3, + "__endline__": 4 + } + ], + "info": { + "version": "1.0.0", + "title": "Swagger Petstore", + "description": "A sample API that uses a petstore as an example to demonstrate features in the swagger-2.0 specification", + "termsOfService": "http://swagger.io/terms/", + "contact": { + 
"name": "Swagger API Team", + "__startline__": 12, + "__endline__": 13 + }, + "license": { + "name": "MIT", + "__startline__": 14, + "__endline__": 15 + }, + "__startline__": 5, + "__endline__": 15 + }, + "paths": { + "/pets/{id}": { + "get": { + "description": "Returns a user based on a single ID, if the user does not have access to the pet", + "operationId": "findPetById", + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of pet to fetch", + "required": true, + "schema": { + "type": "integer", + "format": "int64", + "__startline__": 28, + "__endline__": 30 + }, + "__startline__": 23, + "__endline__": 30 + } + ], + "responses": { + "200": { + "description": "pet response", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/Pet", + "__startline__": 36, + "__endline__": 37 + }, + "__startline__": 35, + "__endline__": 37 + }, + "application/xml": { + "schema": { + "$ref": "#/components/schemas/Pet", + "__startline__": 39, + "__endline__": 40 + }, + "__startline__": 38, + "__endline__": 40 + }, + "text/xml": { + "schema": { + "$ref": "#/components/schemas/Pet", + "__startline__": 42, + "__endline__": 43 + }, + "__startline__": 41, + "__endline__": 43 + }, + "text/html": { + "schema": { + "$ref": "#/components/schemas/Pet", + "__startline__": 45, + "__endline__": 46 + }, + "__startline__": 44, + "__endline__": 46 + }, + "__startline__": 34, + "__endline__": 46 + }, + "__startline__": 32, + "__endline__": 46 + }, + "401": { + "$ref": "#/components/responses/UnauthorizedError", + "__startline__": 47, + "__endline__": 48 + }, + "__startline__": 31, + "__endline__": 48 + }, + "__startline__": 18, + "__endline__": 48 + }, + "__startline__": 17, + "__endline__": 48 + }, + "__startline__": 16, + "__endline__": 48 + }, + "components": { + "responses": { + "UnauthorizedError": { + "description": "Access token is missing or invalid", + "__startline__": 51, + "__endline__": 52 + }, + "__startline__": 50, + "__endline__": 
52 + }, + "schemas": { + "Pet": { + "type": "object", + "allOf": [ + { + "$ref": "#/components/schemas/NewPet", + "__startline__": 56, + "__endline__": 57 + }, + { + "required": [ + "id" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64", + "__startline__": 61, + "__endline__": 63 + }, + "__startline__": 60, + "__endline__": 63 + }, + "__startline__": 57, + "__endline__": 63 + } + ], + "__startline__": 54, + "__endline__": 63 + }, + "NewPet": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string", + "__startline__": 69, + "__endline__": 70 + }, + "tag": { + "type": "string", + "__startline__": 71, + "__endline__": 72 + }, + "__startline__": 68, + "__endline__": 72 + }, + "__startline__": 64, + "__endline__": 72 + }, + "ErrorModel": { + "type": "object", + "required": [ + "code", + "message" + ], + "properties": { + "code": { + "type": "integer", + "format": "int32", + "__startline__": 79, + "__endline__": 81 + }, + "message": { + "type": "string", + "__startline__": 82, + "__endline__": 83 + }, + "__startline__": 78, + "__endline__": 83 + }, + "__startline__": 73, + "__endline__": 83 + }, + "__startline__": 53, + "__endline__": 83 + }, + "__startline__": 49, + "__endline__": 83 + }, + "__startline__": 1, + "__endline__": 83 + } + }, + "code_block": [ + [ + 1, + "openapi: 3.0.0\n" + ], + [ + 2, + "servers:\n" + ], + [ + 3, + " - url: 'http://petstore.swagger.io/api'\n" + ], + [ + 4, + "info:\n" + ], + [ + 5, + " version: 1.0.0\n" + ], + [ + 6, + " title: Swagger Petstore\n" + ], + [ + 7, + " description: >-\n" + ], + [ + 8, + " A sample API that uses a petstore as an example to demonstrate features in\n" + ], + [ + 9, + " the swagger-2.0 specification\n" + ], + [ + 10, + " termsOfService: 'http://swagger.io/terms/'\n" + ], + [ + 11, + " contact:\n" + ], + [ + 12, + " name: Swagger API Team\n" + ], + [ + 13, + " license:\n" + ], + [ + 14, + " name: MIT\n" + ], + [ + 15, + "paths:\n" + ], + [ + 16, + 
" '/pets/{id}':\n" + ], + [ + 17, + " get:\n" + ], + [ + 18, + " description: >-\n" + ], + [ + 19, + " Returns a user based on a single ID, if the user does not have access to\n" + ], + [ + 20, + " the pet\n" + ], + [ + 21, + " operationId: findPetById\n" + ], + [ + 22, + " parameters:\n" + ], + [ + 23, + " - name: id\n" + ], + [ + 24, + " in: path\n" + ], + [ + 25, + " description: ID of pet to fetch\n" + ], + [ + 26, + " required: true\n" + ], + [ + 27, + " schema:\n" + ], + [ + 28, + " type: integer\n" + ], + [ + 29, + " format: int64\n" + ], + [ + 30, + " responses:\n" + ], + [ + 31, + " '200':\n" + ], + [ + 32, + " description: pet response\n" + ], + [ + 33, + " content:\n" + ], + [ + 34, + " application/json:\n" + ], + [ + 35, + " schema:\n" + ], + [ + 36, + " $ref: '#/components/schemas/Pet'\n" + ], + [ + 37, + " application/xml:\n" + ], + [ + 38, + " schema:\n" + ], + [ + 39, + " $ref: '#/components/schemas/Pet'\n" + ], + [ + 40, + " text/xml:\n" + ], + [ + 41, + " schema:\n" + ], + [ + 42, + " $ref: '#/components/schemas/Pet'\n" + ], + [ + 43, + " text/html:\n" + ], + [ + 44, + " schema:\n" + ], + [ + 45, + " $ref: '#/components/schemas/Pet'\n" + ], + [ + 46, + " '401':\n" + ], + [ + 47, + " $ref: '#/components/responses/UnauthorizedError'\n" + ], + [ + 48, + "components:\n" + ], + [ + 49, + " responses:\n" + ], + [ + 50, + " UnauthorizedError:\n" + ], + [ + 51, + " description: Access token is missing or invalid\n" + ], + [ + 52, + " schemas:\n" + ], + [ + 53, + " Pet:\n" + ], + [ + 54, + " type: object\n" + ], + [ + 55, + " allOf:\n" + ], + [ + 56, + " - $ref: '#/components/schemas/NewPet'\n" + ], + [ + 57, + " - required:\n" + ], + [ + 58, + " - id\n" + ], + [ + 59, + " properties:\n" + ], + [ + 60, + " id:\n" + ], + [ + 61, + " type: integer\n" + ], + [ + 62, + " format: int64\n" + ], + [ + 63, + " NewPet:\n" + ], + [ + 64, + " type: object\n" + ], + [ + 65, + " required:\n" + ], + [ + 66, + " - name\n" + ], + [ + 67, + " properties:\n" + ], + [ + 68, 
+ " name:\n" + ], + [ + 69, + " type: string\n" + ], + [ + 70, + " tag:\n" + ], + [ + 71, + " type: string\n" + ], + [ + 72, + " ErrorModel:\n" + ], + [ + 73, + " type: object\n" + ], + [ + 74, + " required:\n" + ], + [ + 75, + " - code\n" + ], + [ + 76, + " - message\n" + ], + [ + 77, + " properties:\n" + ], + [ + 78, + " code:\n" + ], + [ + 79, + " type: integer\n" + ], + [ + 80, + " format: int32\n" + ], + [ + 81, + " message:\n" + ], + [ + 82, + " type: string\n" + ] + ], + "file_path": "/lib/nexmo_developer/spec/fixtures/open_api/petstore-multiple-response.yml", + "file_abs_path": "/tmp/ws-scm/station/lib/nexmo_developer/spec/fixtures/open_api/petstore-multiple-response.yml", + "repo_file_path": "/lib/nexmo_developer/spec/fixtures/open_api/petstore-multiple-response.yml", + "file_line_range": [ + 1, + 84 + ], + "resource": "security", + "evaluations": null, + "check_class": "checkov.openapi.checks.resource.generic.SecurityOperations", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/api-policies/openapi-policies/ensure-that-security-operations-is-not-empty", + "details": [], + "check_len": null, + "definition_context_file_path": null + } + ], + "skipped_checks": [], + "parsing_errors": [] + }, + "summary": { + "passed": 3, + "failed": 2, + "skipped": 0, + "parsing_errors": 0, + "resource_count": 0, + "checkov_version": "3.2.174" + }, + "url": "Add an api key '--bc-api-key ' to see more detailed insights via https://bridgecrew.cloud" + } +]