feat(analyzer): detect untrusted container image pull as SC7#224
Open
CharmingGroot wants to merge 1 commit into
Conversation
supply_chain (SC1-SC6) covers package dependencies but not the container-image supply chain. A skill pulling images with verification disabled (--disable-content-trust, DOCKER_CONTENT_TRUST=0, --insecure-registry) accepts tampered images but scored 9/SAFE (NVIDIA#223).

Add SC7_PATTERNS to the supply_chain analyzer (is_code_example filter) with pattern_defaults entries and 5 tests. --tls-verify=false is excluded since TM3's verify=False already covers it.

Signed-off-by: CharmingGroot <ohyes9711@gmail.com>
## Summary

The `supply_chain` analyzer (SC1–SC6) covers package dependencies (PyPI/npm) but has no detection for the container-image supply chain. A skill that pulls images with verification turned off — `--disable-content-trust`, `DOCKER_CONTENT_TRUST=0`, `--insecure-registry` — accepts tampered or unverified images yet scored 9/100 SAFE (#223). This adds SC7, the image-layer counterpart of SC1 (unpinned) / SC6 (typosquatting).

## Changes

- `static_patterns_supply_chain.py` gains `SC7_PATTERNS` (three image-trust bypass flags) and an SC7 pass filtered through the shared `is_code_example()` helper.
- `pattern_defaults.py` registers the SC7 explanation, category, message, and remediation alongside SC1–SC6.

## Before / After

A "fast image loader" skill that sets `DOCKER_CONTENT_TRUST=0` and pulls with `--disable-content-trust` / `--insecure-registry`:

- Before: 9/100 SAFE — only the unrelated `--tls-verify=false` line is caught (as a generic TM3 `verify=False`); the image-trust bypass is invisible.
- After: 57/100 HIGH, SC7 ×3 on the content-trust and insecure-registry lines.

With the LLM layer (Qwen3.6-35B-A3B-FP8 via vLLM) the same skill scores 78/HIGH (SDI-1: "disables Docker Content Trust, TLS verification …"), so `--no-llm` / air-gapped deployments were the exposed surface this closes.

## Design Decisions

- Analyzer: `supply_chain` (not new).
- `--tls-verify=false` excluded: TM3's `verify=False` pattern already catches it. SC7 targets only the image-specific bypasses TM3 cannot see (`--disable-content-trust`, `DOCKER_CONTENT_TRUST=0`, `--insecure-registry`) — avoids duplicate findings on the same line.
- `docker pull nginx:1.25` does not fire.

## Testing

5 new tests: detection of `--disable-content-trust`, `DOCKER_CONTENT_TRUST=0`, and `--insecure-registry`; a documentation-example exclusion (`is_code_example`); and a benign-pull negative. `make format` and `make lint` pass; `uv run pytest -m "not integration and not provider"` reports 1003 passed, 0 failed.

Closes #223
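To make the detection logic concrete, here is an added example (not the PR's diff or the project's code) of an SC7-style pass run over a constructed "fast image loader" skill. The three regexes, the `is_code_example()` stand-in (comment or block-quote lines count as documentation), the `Finding` shape and the sample script are all my own assumptions; the real `SC7_PATTERNS` and the shared helper may differ. It reproduces the three behaviours the PR's tests describe: each of the three flags fires, a documented example does not, a benign pull does not, and `--tls-verify=false` is deliberately left to TM3 so the same line does not get two findings.

```python
# Added illustration of an SC7-style pass; not the project's implementation.
import re
from dataclasses import dataclass

# Hypothetical regexes for the three image-trust bypasses named in the PR.
SC7_PATTERNS = [
    (re.compile(r"--disable-content-trust\b"),
     "pull/run with Docker Content Trust disabled: unsigned or tampered images are accepted"),
    (re.compile(r"\bDOCKER_CONTENT_TRUST\s*=\s*['\"]?0['\"]?(?![0-9])"),
     "DOCKER_CONTENT_TRUST=0 turns off signature verification for every later docker command"),
    (re.compile(r"--insecure-registry(?=[\s=]|$)"),
     "registry reached over plaintext/unverified TLS: images can be swapped in transit"),
]


@dataclass
class Finding:
    line_no: int
    rule: str
    message: str
    snippet: str


def is_code_example(line: str) -> bool:
    """Hypothetical stand-in for the shared helper: a commented-out or
    block-quoted line is documentation, not something the skill executes."""
    return line.lstrip().startswith(("#", "//", ">"))


def scan_sc7(text: str) -> list[Finding]:
    """Return one SC7 finding per (line, pattern) hit, skipping doc examples.

    --tls-verify=false is intentionally not matched: the PR leaves it to the
    existing TM3 verify=False pattern so one line does not yield two findings.
    """
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if is_code_example(line):
            continue
        for pattern, message in SC7_PATTERNS:
            if pattern.search(line):
                findings.append(Finding(line_no, "SC7", message, line.strip()))
    return findings


# Constructed sample modelled on the "fast image loader" skill the PR describes.
FAST_IMAGE_LOADER = """\
#!/usr/bin/env bash
export DOCKER_CONTENT_TRUST=0
docker pull --disable-content-trust registry.example.internal/app:latest
dockerd --insecure-registry registry.example.internal:5000 &
podman pull --tls-verify=false registry.example.internal/app:latest
# Example from the docs: docker pull --disable-content-trust alpine
docker pull nginx:1.25
"""

if __name__ == "__main__":
    for f in scan_sc7(FAST_IMAGE_LOADER):
        print(f"L{f.line_no} {f.rule}: {f.message}\n    {f.snippet}")
```

Run stand-alone, the script reports three SC7 findings (lines 2, 3 and 4 of the sample) and nothing for the `--tls-verify=false` line, the commented example, or the plain `docker pull nginx:1.25`. Note that the `DOCKER_CONTENT_TRUST` regex rejects `=1`, so a skill that explicitly enables content trust is not flagged.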