# METADATA
# title: "COPY '--from' referring to the current image"
# description: "COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself."
# scope: package
# schemas:
# - input: schema["dockerfile"]
# related_resources:
# - https://docs.docker.com/develop/develop-images/multistage-build/
# custom:
#   id: DS006
#   avd_id: AVD-DS-0006
#   severity: CRITICAL
#   short_code: no-self-referencing-copy-from
#   recommended_action: "Change the '--from' so that it will not refer to itself"
#   input:
#     selector:
#     - type: dockerfile
package builtin.dockerfile.DS006

import data.lib.docker

# get_alias_from_copy is the set of COPY instructions whose "--from=<ref>"
# flag names the alias of the very stage the instruction lives in.
# Each member carries the offending reference ("args") and the COPY
# command object ("cmd") so deny can point at the exact instruction.
get_alias_from_copy[output] {
	some stage, i, j
	copy_cmd := docker.stage_copies[stage][i]
	flag := copy_cmd.Flags[j]
	contains(flag, "--from=")

	# "--from=<ref>": everything after the first "=" is the stage reference
	flag_parts := split(flag, "=")
	from_ref := flag_parts[1]

	is_alias_current_from_alias(stage.Name, from_ref)

	output := {
		"args": from_ref,
		"cmd": copy_cmd,
	}
}

# is_alias_current_from_alias is true when current_alias equals the alias
# declared in the stage name (compared case-insensitively, as Docker does).
# It is undefined when the stage has no "AS <alias>" part or the names differ.
is_alias_current_from_alias(current_name, current_alias) {
	# stage names are expected to look like "myimage:tag as dep"
	name_parts := regex.split(`\s+as\s+`, lower(current_name))
	count(name_parts) == 2
	name_parts[1] == lower(current_alias)
}

# deny emits one result per self-referencing COPY --from; such a copy can
# never succeed because the stage being copied from is not yet built.
deny[res] {
	finding := get_alias_from_copy[_]
	msg := sprintf("'COPY --from' should not mention current alias '%s' since it is impossible to copy from itself", [finding.args])
	res := result.new(msg, finding.cmd)
}