# Tests for DS021: an `apt-get install` in a RUN instruction must carry an
# assume-yes flag (-y, --yes, --assume-yes), otherwise the image build can
# stall waiting for interactive confirmation.
# File: rules/docker/policies/apt_get_missing_yes_flag_to_avoid_manual_input_test.rego
package builtin.dockerfile.DS021

# Shell-form install with no assume-yes flag: exactly one finding, and the
# message quotes the offending command verbatim.
test_denied {
	stages := [{
		"Commands": [
			{"Cmd": "from", "Value": ["node:12"]},
			{"Cmd": "run", "Value": ["apt-get install python=2.7"]},
		],
		"Name": "node:12",
	}]
	r := deny with input as {"Stages": stages}

	count(r) == 1
	r[_].msg == "'-y' flag is missed: 'apt-get install python=2.7'"
}

# Exec-form (JSON array) install with no assume-yes flag: the argv is joined
# with spaces in the finding message.
test_json_array_denied {
	stages := [{
		"Commands": [
			{"Cmd": "from", "Value": ["node:12"]},
			{"Cmd": "run", "Value": ["apt-get", "install", "apt-utils"]},
		],
		"Name": "node:12",
	}]
	r := deny with input as {"Stages": stages}

	count(r) == 1
	r[_].msg == "'-y' flag is missed: 'apt-get install apt-utils'"
}

# `-y` bundled into a short-flag cluster (-fmy) placed before the subcommand.
test_allowed {
	stages := [{
		"Commands": [
			{"Cmd": "from", "Value": ["node:12"]},
			{"Cmd": "run", "Value": ["apt-get -fmy install apt-utils"]},
		],
		"Name": "node:12",
	}]
	r := deny with input as {"Stages": stages}

	count(r) == 0
}

# Short-flag cluster containing `y` placed after the subcommand.
test_with_short_flags_behind_allowed {
	stages := [{
		"Commands": [
			{"Cmd": "from", "Value": ["node:12"]},
			{"Cmd": "run", "Value": ["apt-get install -fmy apt-utils"]},
		],
		"Name": "node:12",
	}]
	r := deny with input as {"Stages": stages}

	count(r) == 0
}

# Long-form `--assume-yes` placed after the subcommand.
test_with_long_flags_behind_allowed {
	stages := [{
		"Commands": [
			{"Cmd": "from", "Value": ["node:12"]},
			{"Cmd": "run", "Value": ["apt-get install --assume-yes apt-utils"]},
		],
		"Name": "node:12",
	}]
	r := deny with input as {"Stages": stages}

	count(r) == 0
}

# Exec form with the short-flag cluster as its own argv element.
test_json_array_short_flag_allowed {
	stages := [{
		"Commands": [
			{"Cmd": "from", "Value": ["node:12"]},
			{"Cmd": "run", "Value": ["apt-get", "-fmy", "install", "apt-utils"]},
		],
		"Name": "node:12",
	}]
	r := deny with input as {"Stages": stages}

	count(r) == 0
}

# Exec form with `--yes` (plus an unrelated `-q`) ahead of the subcommand.
test_json_array_long_flag_allowed {
	stages := [{
		"Commands": [
			{"Cmd": "from", "Value": ["node:12"]},
			{"Cmd": "run", "Value": ["apt-get", "--yes", "-q", "install", "apt-utils"]},
		],
		"Name": "node:12",
	}]
	r := deny with input as {"Stages": stages}

	count(r) == 0
}

# `&&`-chained RUN where only the install segment carries `-y`; the preceding
# `apt-get update` must not be reported.
test_chained_allowed {
	stages := [{
		"Commands": [
			{"Cmd": "from", "Value": ["node:12"]},
			{"Cmd": "run", "Value": ["apt-get update && apt-get -y install apt-utils"]},
		],
		"Name": "node:12",
	}]
	r := deny with input as {"Stages": stages}

	count(r) == 0
}

# `-y` given after the package list, inside a chained RUN that also cleans
# the apt cache afterwards.
test_flags_after_pkgs_allowed {
	stages := [{
		"Commands": [
			{"Cmd": "from", "Value": ["debian:11-slim"]},
			{"Cmd": "run", "Value": ["apt-get update && apt-get install tzdata postgresql-10 -y && rm -rf /var/lib/apt/lists/*"]},
		],
		"Name": "debian:11-slim",
	}]
	r := deny with input as {"Stages": stages}

	count(r) == 0
}