03 Found security vulnerabilities and fixes - TIC4302/2022-group1-E-Commerce-Portal GitHub Wiki

**Container scan: Dockle report**

Dockle identified the following potential vulnerabilities in our container image; the findings are listed in the report below.

The original Dockle scan report [image not reproduced]

The Dockle scan report after fixes [image not reproduced]

The report contains findings at both the FATAL and WARN levels.

**Fatal error**

```json
{
  "code": "CIS-DI-0010",
  "title": "Do not store credential in environment variables/files",
  "level": "FATAL",
  "alerts": [
    "Suspicious filename found: bookshop/settings.py (You can suppress it with \"-af settings.py\")"
  ]
}
```

**Fix:** This is a false positive. Dockle flagged `bookshop/settings.py` because the code contains keywords such as `key`; we have variables named `key`, so we have updated them.

**Warning error**

```json
{
  "code": "CIS-DI-0001",
  "title": "Create a user for the container",
  "level": "WARN",
  "alerts": [
    "Last user should not be root"
  ]
}
```

**Fix:** We have fixed this in the Dockerfile by adding a non-root user, as shown in the image below.

[image not reproduced: Dockerfile after adding a non-root user]
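As an added illustration (this is not the project's own Dockerfile), the snippet below shows the shape of the fix for CIS-DI-0001 in a Django image: dependencies are installed while still root, then a dedicated unprivileged account is created, the sources are copied owned by that account, and it becomes the last `USER` before `CMD`. The base image, the `/app` directory, the user name and UID, the port and the run command are assumptions chosen for the example, not values taken from the project.

```dockerfile
# Added example, not the project's Dockerfile.
# Assumptions: a Debian-based python:3.11-slim base image (provides useradd/groupadd),
# sources under /app, the Django app listening on port 8000.
FROM python:3.11-slim

WORKDIR /app

# Dependencies are installed while still root: pip needs write access to
# site-packages, which the unprivileged runtime user deliberately lacks.
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Create a system group and user with a fixed UID/GID, no home directory and a
# non-interactive shell. The fixed IDs keep file ownership reproducible.
RUN groupadd --system --gid 10001 app \
 && useradd --system --uid 10001 --gid app --no-create-home --shell /usr/sbin/nologin app

# Copy the application owned by the runtime user, so the process can read its
# own tree (and write to it where Django needs to) but nothing else.
COPY --chown=app:app . .

# Before the fix there was no USER instruction here, so the image's final user
# was root and Dockle reported CIS-DI-0001 ("Last user should not be root").
# After the fix, the unprivileged account is the last USER before CMD.
USER app

EXPOSE 8000
CMD ["python", "manage.py", "runserver", "0.0.0.0:8000"]
```

Dockle evaluates the user recorded in the final image configuration, so a `USER` instruction that is later followed by `USER root`, or one placed only in an intermediate build stage, does not clear the warning; the non-root `USER` must be the last one that applies to the runtime image.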