SQ41101

Detected container images that lack HEALTHCHECK instructions.

priority | CI/CD status | severity | effort | RL level | RL assessment
         | pass         | low      | medium | None     | None

About the issue

Containers typically run in one of two modes: as executables or as services. Either way, it is important to monitor the availability of the container and of the executables or services running inside it; this is also called checking the container's health. The Dockerfile is the sequence of instructions that defines how an image is built, and its HEALTHCHECK instruction is the place to define such periodic checks. Depending on how the container is used, it should be possible to verify that both the container environment and the applications inside it are still running and behaving as expected. Both need to be checked, because the executable or service can stop working while the container itself stays up. Without availability monitoring, a service outage can go unnoticed and have a significant business impact.

How to resolve the issue

  • Make use of the HEALTHCHECK instruction in your Dockerfile, and define a set of checks to verify at regular intervals that both the container and all business-critical services within the container are running.
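The following is an added example, not code from ReversingLabs or from this policy page: a constructed Dockerfile with a HEALTHCHECK instruction beside one without, plus a small POSIX shell check that reports the missing case the way this policy does. The image names, port 8080 and the /healthz endpoint are assumptions chosen for the sample.

```shell
#!/bin/sh
# Added example, not ReversingLabs' own code: a Dockerfile with a HEALTHCHECK
# beside one without, and a small check that flags the missing case.
# The image names, port 8080 and the /healthz endpoint are assumptions.

# Constructed sample: a web service probed every 30s. The probe gets 5s to
# answer, failures during the first 10s after start are not counted, and 3
# consecutive failures mark the container unhealthy. A non-zero exit status
# from the CMD is what tells the runtime the check failed.
GOOD_DOCKERFILE=$(cat <<'EOF'
FROM python:3.12-slim
COPY app /app
EXPOSE 8080
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
  CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8080/healthz', timeout=3)" || exit 1
CMD ["python", "/app/server.py"]
EOF
)

# Constructed sample: the same service with no check, which is what SQ41101
# reports. The container stays "running" even if server.py hangs.
BAD_DOCKERFILE=$(cat <<'EOF'
FROM python:3.12-slim
COPY app /app
CMD ["python", "/app/server.py"]
EOF
)

# Constructed sample: HEALTHCHECK NONE disables any check inherited from the
# base image, so the final image has no health check either.
DISABLED_DOCKERFILE=$(cat <<'EOF'
FROM myorg/base:1.0
HEALTHCHECK NONE
CMD ["/app/worker"]
EOF
)

# has_healthcheck DOCKERFILE_TEXT
# Prints "ok" and returns 0 when the image's final stage ends up with an
# effective HEALTHCHECK; prints "missing" and returns 1 otherwise.
# Rules applied: instruction names are case-insensitive; each FROM starts a
# new build stage and only the last stage becomes the image; when several
# HEALTHCHECK instructions appear, the last one wins; HEALTHCHECK NONE counts
# as no check.
has_healthcheck() {
    printf '%s\n' "$1" | awk '
        toupper($1) == "FROM"        { hc = ""; next }       # new stage: reset
        toupper($1) == "HEALTHCHECK" { hc = toupper($2) }    # last one wins
        END {
            if (hc == "" || hc == "NONE") { print "missing"; exit 1 }
            print "ok"; exit 0
        }'
}

# Walk the three samples; in a CI job you would pass "$(cat Dockerfile)" instead.
for sample in "$GOOD_DOCKERFILE" "$BAD_DOCKERFILE" "$DISABLED_DOCKERFILE"; do
    printf '%s -> ' "$(printf '%s\n' "$sample" | head -n 1)"
    has_healthcheck "$sample" || :
done
```

The check deliberately looks only at the last build stage, since in a multi-stage build a HEALTHCHECK in an intermediate stage never reaches the final image; the sample HEALTHCHECK uses the image's own interpreter for the probe so it does not depend on curl being present in a slim base image.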

Incidence statistics

ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.

For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.

The percentages are calculated from the total number of packages analyzed:

  • RubyGems: 174K
  • NuGet: 189K
  • PyPI: 403K
  • NPM: 2.1M