Check Certificate Validation Curl

Description

The --insecure option tells curl to skip verification of the server's SSL/TLS certificate. Without that check, curl may connect to a server that is not who it claims to be, which can expose sensitive information or leave the connection open to a man-in-the-middle attack. This policy checks whether a Dockerfile disables certificate validation by passing the --insecure option to the curl command.

Kyverno policy

Refer to the Nirmata curated policies - check-certificate-validation-curl.

Resource example

Below is an example of a Dockerfile that complies with this policy: curl is invoked without the --insecure option, so certificate validation stays enabled.

FROM alpine:latest
RUN apk --no-cache add curl
RUN curl -LO https://github.com/glasskube/glasskube/releases/download/v0.0.1/glasskube_v0.0.1_amd64.deb
ENTRYPOINT ["curl"]
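To show what the check described above actually has to look at, here is an added Python example of the same detection logic. It is not the Kyverno policy itself and not code from Nirmata; it is a stand-alone illustration. It goes slightly beyond the text: it also flags curl's documented short alias -k (including when bundled with other short flags, as in -kLO) and handles both the shell form and the JSON exec form of RUN. The compliant Dockerfile from this page is embedded as the passing sample; the failing Dockerfile and its example.invalid URLs are constructed for the demonstration.

```python
"""Flag Dockerfile RUN instructions that run curl with certificate validation disabled."""
import json
import shlex
from typing import List

# Compliant sample: the Dockerfile shown on this page.
COMPLIANT_DOCKERFILE = """\
FROM alpine:latest
RUN apk --no-cache add curl
RUN curl -LO https://github.com/glasskube/glasskube/releases/download/v0.0.1/glasskube_v0.0.1_amd64.deb
ENTRYPOINT ["curl"]
"""

# Constructed non-compliant sample: one shell-form RUN with --insecure spread over a
# line continuation, and one exec-form RUN with the bundled short alias -kLO.
NONCOMPLIANT_DOCKERFILE = """\
FROM alpine:latest
RUN apk --no-cache add curl
RUN curl --insecure -LO https://example.invalid/pkg.deb \\
    && echo done
RUN ["curl", "-kLO", "https://example.invalid/other.deb"]
"""

# Tokens that end one shell command and start the next; curl's flags do not carry past them.
SHELL_SEPARATORS = {"&&", "||", "|", ";"}


def run_instructions(dockerfile: str) -> List[str]:
    """Return the argument text of every RUN instruction, joining backslash continuations."""
    logical_lines: List[str] = []
    buf = ""
    for raw in dockerfile.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # continuation: keep accumulating
            buf += line[:-1] + " "
            continue
        buf += line
        logical_lines.append(buf.strip())
        buf = ""
    if buf.strip():                      # unterminated continuation at EOF
        logical_lines.append(buf.strip())
    out = []
    for logical in logical_lines:
        parts = logical.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "RUN":
            out.append(parts[1])
    return out


def tokenize_run(args: str) -> List[str]:
    """Split RUN arguments into tokens: exec form is a JSON array, shell form uses shlex."""
    if args.lstrip().startswith("["):
        try:
            return [str(t) for t in json.loads(args)]
        except ValueError:
            pass                         # not valid JSON; fall back to shell parsing
    return shlex.split(args)


def disables_cert_check(tokens: List[str]) -> bool:
    """True if any curl command in the token list carries --insecure or the -k alias.

    Short flags may be bundled (e.g. -kLO), so every single-dash cluster after
    a curl token is inspected for the letter k.
    """
    in_curl = False
    for tok in tokens:
        if tok in SHELL_SEPARATORS:
            in_curl = False
            continue
        if tok == "curl" or tok.endswith("/curl"):
            in_curl = True
            continue
        if not in_curl:
            continue
        if tok == "--insecure":
            return True
        if tok.startswith("-") and not tok.startswith("--") and "k" in tok[1:]:
            return True
    return False


def find_violations(dockerfile: str) -> List[str]:
    """Return the RUN instructions in which curl is run with certificate validation disabled."""
    return [args for args in run_instructions(dockerfile)
            if disables_cert_check(tokenize_run(args))]


if __name__ == "__main__":
    for name, text in (("compliant", COMPLIANT_DOCKERFILE),
                       ("non-compliant", NONCOMPLIANT_DOCKERFILE)):
        hits = find_violations(text)
        print(f"{name}: {len(hits)} violation(s)")
        for args in hits:
            print("  RUN", args)
```

Running the script reports no violations for the page's Dockerfile and two for the constructed one. The separator handling matters in practice: a RUN line such as `curl -sS URL && echo --insecure` must not be flagged, because the offending token belongs to a different command, which is why the checker resets its state at each `&&`, `||`, `|` or `;`.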