fix(image): disable AVD-DS-0007 for history scanning (#8366)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
2025-12-12 15:50:15 -08:00 · 2025-02-22 01:56:53 +06:00
parent a1c4bd746f
commit a3cd693a5e
2 changed files with 19 additions and 5 deletions
--- a/docs/docs/target/container_image.md
+++ b/docs/docs/target/container_image.md
@@ -154,7 +154,15 @@ See https://avd.aquasec.com/misconfig/ds026
 !!! tip
    You can see how each layer is created with `docker history`.

-The [AVD-DS-0016](https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0016/) check is disabled for this scan type, see [issue](https://github.com/aquasecurity/trivy/issues/7368) for details.
+#### Disabled checks
+
+The following checks are disabled for this scan type due to known issues. See the linked issues for more details.
+
+| Check ID | Reason | Issue |
+|----------|------------|--------|
+| [AVD-DS-0007](https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0007/) | This check detects multiple `ENTRYPOINT` instructions in a stage, but since image history analysis does not identify stages, this check is not relevant for this scan type. | [#8364](https://github.com/aquasecurity/trivy/issues/8364) |
+| [AVD-DS-0016](https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0016/) | This check detects multiple `CMD` instructions in a stage, but since image history analysis does not identify stages, this check is not relevant for this scan type. | [#7368](https://github.com/aquasecurity/trivy/issues/7368) |
+

 ### Secrets
 Trivy detects secrets on the configuration of container images.
--- a/pkg/fanal/analyzer/imgconf/dockerfile/dockerfile.go
+++ b/pkg/fanal/analyzer/imgconf/dockerfile/dockerfile.go
@@ -15,12 +15,17 @@ import (
 	"github.com/aquasecurity/trivy/pkg/iac/detection"
 	"github.com/aquasecurity/trivy/pkg/mapfs"
 	"github.com/aquasecurity/trivy/pkg/misconf"
+	"github.com/aquasecurity/trivy/pkg/version/doc"
 )

 var disabledChecks = []misconf.DisabledCheck{
+	{
+		ID: "DS007", Scanner: string(analyzer.TypeHistoryDockerfile),
+		Reason: "See " + doc.URL("docs/target/container_image", "disabled-checks"),
+	},
 	{
 		ID: "DS016", Scanner: string(analyzer.TypeHistoryDockerfile),
-		Reason: "See https://github.com/aquasecurity/trivy/issues/7368",
+		Reason: "See " + doc.URL("docs/target/container_image", "disabled-checks"),
 	},
 }

@@ -101,9 +106,10 @@ func imageConfigToDockerfile(cfg *v1.ConfigFile) []byte {
 			createdBy = buildHealthcheckInstruction(cfg.Config.Healthcheck)
 		default:
 			for _, prefix := range []string{"ARG", "ENV", "ENTRYPOINT"} {
-				strings.HasPrefix(h.CreatedBy, prefix)
-				createdBy = h.CreatedBy
-				break
+				if strings.HasPrefix(h.CreatedBy, prefix) {
+					createdBy = h.CreatedBy
+					break
+				}
 			}
 		}
 		dockerfile.WriteString(strings.TrimSpace(createdBy) + "\n")