Let's say you are running a linter like HTMLhint. It has 27 dependencies, and any of those could be malicious. So, when you do `npm install -g htmlhint`, you are taking a huge risk.

And this is not a theoretical risk. Even big companies like Amazon are falling for it.
A linter, for example, needs only read-only access to the files that you want to lint:
- It does not need access to files outside the current directory
- It does not need Internet access
- It does not need to modify any files either, read-only access is sufficient
So, run it inside Docker to mitigate the risk.
Using Docker, you can enforce the following restrictions:
- No ability to send data over the Internet
- No access to any files outside the current directory
- Read-only access to files inside the current directory
This drastically reduces the attack surface of the code.
You can do this with pretty much any tool.
Consider golangci-lint, the well-known meta-linter for the Go language. You can run it inside Docker with the following command.
Or, for a formatting tool, use a read/write mount so it can format and modify the files.
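As an added example that is not part of the original post, here is a small POSIX shell wrapper that applies the three restrictions above (no network, nothing outside the current directory, read-only by default) and switches to a read/write mount only for formatters. The image names in the usage comments are assumptions: `golangci/golangci-lint` is the public image for the linter discussed above, and `my-htmlhint-image` is a hypothetical placeholder.

```shell
#!/bin/sh
# sandboxed_run <ro|rw> <image> [tool args...]
# Runs a tool inside a locked-down container rooted at the current directory.
# Set SANDBOX_DRY_RUN=1 to print the docker command line (one argument per
# line) instead of executing it, which is handy for reviewing the flags.
sandboxed_run() {
  mode="$1"; image="$2"; shift 2
  case "$mode" in
    ro) mount_opt=ro ;;   # linters: read-only view of the project
    rw) mount_opt=rw ;;   # formatters: allowed to modify the files
    *)  echo "sandboxed_run: mode must be 'ro' (linter) or 'rw' (formatter)" >&2
        return 2 ;;
  esac
  # --network none             : no Internet, so nothing can be exfiltrated
  # --read-only + --tmpfs /tmp : the container's own filesystem is immutable,
  #                              with scratch space the tool may need
  # --cap-drop ALL, no-new-privileges, --user: no extra privileges if the
  #                              tool or one of its dependencies is malicious
  # -v "$PWD:/work:$mount_opt" : only the current directory is visible
  set -- docker run --rm \
    --network none \
    --read-only --tmpfs /tmp \
    --cap-drop ALL --security-opt no-new-privileges \
    --user "$(id -u):$(id -g)" \
    -v "$PWD:/work:$mount_opt" -w /work \
    "$image" "$@"
  if [ "${SANDBOX_DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$@"
  else
    "$@"
  fi
}

# Usage (image names are assumptions, see above):
#   sandboxed_run ro golangci/golangci-lint golangci-lint run ./...
#   sandboxed_run ro my-htmlhint-image htmlhint .
#   sandboxed_run rw golangci/golangci-lint gofmt -w .
```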
I even recommend this technique for running tools on GitHub Actions and have started using this extensively in GitHub Actions Boilerplate Generator.