generic.ci.security.use-frozen-lockfile.use-frozen-lockfile-pipenv

This rule has been deprecated.
Definition
---
# Semgrep rule: use-frozen-lockfile-pipenv (deprecated).
# The body is a never-matching placeholder: `patterns` is a conjunction, and
# the generic patterns `a()` and `b()` cannot both match the same span, so the
# rule never reports a finding — presumably intentional for a deprecated rule;
# confirm against the registry's deprecation convention.
rules:
  - id: use-frozen-lockfile-pipenv
    patterns:
      - pattern: a()
      - pattern: b()
    message: This rule has been deprecated.
    languages:
      - generic
    severity: INFO
    metadata:
      category: security
      # Quoted: the value contains ": " and would otherwise be read as a mapping.
      cwe:
        - "CWE-494: Download of Code Without Integrity Check"
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      technology:
        - dockerfile
        - javascript
        - typescript
      references:
        - https://semgrep.dev
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      # NOTE(review): "Cryptographic Issues" reads as a mismatch with CWE-494
      # (download of code without an integrity check); confirm the intended
      # class before relying on it for triage or reporting.
      vulnerability_class:
        - Cryptographic Issues
Examples
use-frozen-lockfile.generic
# Semgrep test fixture for the use-frozen-lockfile rule family.
# Annotation convention: a `# ruleid: <rule-id>` comment marks the next line as
# an expected finding for that rule; `# ok: <rule-id>` marks it as an expected
# non-finding. Keep each annotation directly above the line it describes —
# inserting anything between them changes what the test asserts.
#
# NOTE(review): only use-frozen-lockfile-yarn and use-frozen-lockfile-npm are
# annotated here; no line exercises the deprecated use-frozen-lockfile-pipenv
# rule shown on this page.
#
# Why it matters: an install without a frozen/immutable lockfile (or `npm ci`)
# lets the resolver pull versions that differ from the committed lockfile, so
# the image content is not tied to what was reviewed (CWE-494).
# Install dependencies separately to improve caching
COPY package.json yarn.lock /app/
WORKDIR /app
# ruleid: use-frozen-lockfile-yarn
RUN yarn install
# trailing space
# ruleid: use-frozen-lockfile-yarn
RUN yarn install
# ok: use-frozen-lockfile-yarn
RUN yarn install --prod --frozen-lockfile --prefer-offline --ignore-optional --no-progress
# ok: use-frozen-lockfile-yarn
RUN yarn install --production --frozen-lockfile
# ok: use-frozen-lockfile-npm
# i am a comment, just to explain.. npm install
RUN yarn install --frozen-lockfile
# Unannotated: `--immutable` is the Yarn 2+ spelling of a frozen lockfile and
# is presumably treated as compliant — confirm against the yarn rule's pattern.
RUN yarn install --immutable
# ruleid: use-frozen-lockfile-yarn
RUN yarn install some_package
# Unannotated: global installs of a named package are not lockfile-driven, so
# the yarn rule is presumably expected to stay silent on them.
RUN yarn install -g some_package
RUN yarn install --global some_package
RUN echo 'yarn installing foo'
RUN yarn install --frozen-lockfile
RUN yarn install --immutable
COPY . /app
RUN yarn build
WORKDIR /app
# ruleid: use-frozen-lockfile-yarn
RUN yarn install foo
RUN npm install foo
# ruleid: use-frozen-lockfile-npm
RUN npm install
# Unannotated: global installs and `npm ci` (which requires an exact lockfile
# match) are presumably expected non-findings for the npm rule.
RUN npm install -g some_package
RUN npm install --global some_package
RUN npm ci
COPY . /app
RUN yarn build
RUN echo 'npm installing foo'
# ok: use-frozen-lockfile-npm
RUN pnpm install