To keep your machine secure, run third-party tools inside Docker
15 days ago
- #docker
- #security
- #linting
- Running a linter like HTMLHint pulls in 27 dependencies; a compromise of any one of them is a supply-chain attack on the developer's machine, so the risk is significant.
- Even large companies such as Amazon have been hit by supply-chain compromises of this kind.
- A linter needs only read-only access to the files in the current directory; it needs neither Internet access nor permission to modify files.
- Running the linter inside Docker enforces exactly those limits: no network access, no visibility of files outside the current directory, and a read-only view of the files it is given.
- This shrinks the attack surface a compromised dependency can reach, and it applies to any such tool, including golangci-lint for Go.
- Formatters, which must rewrite files, get a read/write mount of the current directory instead; the other restrictions still apply.
- The same approach is recommended for GitHub Actions and is what the GitHub Actions Boilerplate Generator uses.
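The restrictions in the list above, as an added shell example that is not code from the original post or from the GitHub Actions Boilerplate Generator. The helper names (`sandbox_args`, `sandbox`, `lint_html`, `lint_go`, `fmt_go`), the image names, and the hardening flags beyond the three the post names (`--read-only`, `--tmpfs`, `--cap-drop ALL`, `--security-opt no-new-privileges`, `--user`) are assumptions:

```bash
#!/usr/bin/env bash
# Added example, not from the original post: build and run a locked-down
# `docker run` for a linter (read-only mount) or a formatter (read/write mount).
# Image names and the tools inside them are assumptions; pin images by digest.
set -euo pipefail

# Print the docker arguments one per line so they can be inspected or tested
# without a Docker daemon (arguments must not contain newlines).
# MODE is "ro" (linter) or "rw" (formatter); the rest is image then tool args.
sandbox_args() {
  local mode="$1" image="$2"; shift 2
  case "$mode" in
    ro|rw) ;;
    *) echo "mode must be ro or rw, got '$mode'" >&2; return 1 ;;
  esac
  local -a args=(
    run --rm
    --network none                      # no Internet access, not even DNS
    --read-only                         # container root filesystem is immutable
    --tmpfs /tmp:rw,noexec,nosuid       # scratch space for caches and temp files
    --cap-drop ALL                      # drop every Linux capability
    --security-opt no-new-privileges    # setuid binaries cannot escalate
    --user "$(id -u):$(id -g)"          # run as the invoking user, not root
    -e HOME=/tmp                        # tools that write under $HOME hit tmpfs
    -v "$PWD:/work:$mode"               # only the current directory is visible
    -w /work
    "$image" "$@"
  )
  printf '%s\n' "${args[@]}"
}

# Run docker with those arguments. Tool arguments follow the image name.
sandbox() {
  local -a args
  mapfile -t args < <(sandbox_args "$@")
  docker "${args[@]}"
}

# Wrappers. Image names are assumptions; the image must already bundle the
# tool, because --network none stops it from being fetched at run time.
lint_html() { sandbox ro htmlhint/htmlhint "$@"; }                         # lint_html "**/*.html"
lint_go()   { sandbox ro golangci/golangci-lint golangci-lint run "$@"; }  # lint_go ./...
fmt_go()    { sandbox rw golangci/golangci-lint gofmt -l -w "$@"; }        # fmt_go .
```

Two consequences of `--network none` are worth planning for: the image has to be pulled (ideally by digest) before the run, and the tool cannot download anything, so module or package dependencies it needs must already be in the repository (for example vendored) or mounted read-only from a cache. The `noexec` tmpfs will break tools that unpack helper binaries into `/tmp`; drop that option only for those. In GitHub Actions the same `sandbox` call goes into a `run:` step after the checkout step.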