---
title: "Check Certificate Validation pip3"
diataxis: reference
applies_to:
  product: "kyverno"
audience: ["platform-engineer","devsecops"]
last_updated: 2026-03-25
url: https://docs.nirmata.io/docs/policy-sets/dockerfile_best_practices/check-certificate-validation-pip3/
---


### Description

In pip3, the `--trusted-host` flag marks a specific host as trusted, even if it is not included in the list of trusted hosts specified in the configuration files, so pip3 does not validate that host's certificate. It is typically used when packages are installed from custom repositories or when repositories are accessed over insecure connections. This policy checks whether certificate validation is disabled in a Dockerfile through the `--trusted-host` option when running the pip3 command.
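
The check described above, sketched in Python as an added example (not the Nirmata policy or any project code): it joins continued `RUN` lines and reports each `pip`/`pip3` call that passes `--trusted-host`. The sample Dockerfile and its host names are constructed, and matching plain `pip` as well as `pip3` goes beyond what the policy description states.

```python
import re

# Constructed sample Dockerfile (not from the page): one compliant install and
# two installs that disable certificate validation for a host.
SAMPLE = """\
FROM python
WORKDIR /app
# RUN pip3 install --trusted-host ignored.example numpy
RUN pip3 install numpy
RUN apt-get update && \\
    pip3 install --index-url http://pypi.internal.example/simple \\
      --trusted-host pypi.internal.example requests
RUN ["pip3", "install", "--trusted-host=mirror.example", "flask"]
CMD ["echo", "Installed successfully"]
"""

def run_instructions(dockerfile):
    """Yield (line_number, command) for each RUN, joining backslash continuations."""
    buf, start = "", 0
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines are dropped, even mid-continuation
        if not buf:
            start = n
        buf += line.rstrip("\\") + " "
        if line.endswith("\\"):
            continue
        keyword, _, rest = buf.strip().partition(" ")
        buf = ""
        if keyword.upper() == "RUN":
            yield start, rest.strip()

def find_trusted_host(dockerfile):
    """Return (line_number, host) for each pip/pip3 call that uses --trusted-host."""
    findings = []
    for lineno, cmd in run_instructions(dockerfile):
        if cmd.startswith("["):  # exec form: reduce the JSON array to plain words
            cmd = re.sub(r'[\[\]",]', " ", cmd)
        # Split chained shell commands so the flag is tied to the pip call itself.
        for part in re.split(r"&&|\|\||;", cmd):
            if re.search(r"\bpip3?\b", part):
                for host in re.findall(r"--trusted-host[=\s]+(\S+)", part):
                    findings.append((lineno, host))
    return findings

if __name__ == "__main__":
    for lineno, host in find_trusted_host(SAMPLE):
        print(f"line {lineno}: certificate validation disabled for {host}")
```

Each finding carries the line on which the `RUN` instruction starts, so a multi-line install is reported at its first line.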

### Kyverno policy

Refer to the Nirmata curated policies - [check-certificate-validation-pip3](https://github.com/nirmata/kyverno-policies/blob/main/dockerfile-best-practices/check-certificate-validation-pip3/check-certificate-validation-pip3.yaml).

### Resource example

Below is an example of a Dockerfile that complies with this policy.

```dockerfile
FROM python

WORKDIR /app

RUN pip3 install numpy

CMD ["echo", "Installed successfully"]
```

