






















Let’s say you are running a linter like
HTMLhint.
It has
27 dependencies, any of those could be malicious.
So, when you do npm install -g htmlhint, you are taking a
huge risk.
And this is not a
theoretical risk.
Even big companies like Amazon are falling for it.
A linter, for example, needs just read-only access to the all the files that you want to lint.
So, run it inside Docker to mitigate the risk.
Using Docker, you can enforce the following restrictions:
| |
This drastically reduces the attack surface of the code.
You can do this with pretty much any tool.
Consider golangci-lint, the famous meta-linter for Go language.
You can run it inside docker with the following command.
| |
Or you can do a read/write mount for a formatting tool to let it format/modify the files.
| |
I even recommend this technique for running tools on GitHub Actions and have started using this extensively in GitHub Actions Boilerplate Generator.
After
multiple
publications of
malicious packages
on npm, I have switched to using Docker for running npm as well.
| |
I open-sourced my sandbox that runs tools inside Docker-based sandbox.
I use it to run linters and similar tools.
| |
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。