package builtin.dockerfile.DS020

# Tests for DS020: a RUN instruction that drives zypper but never ends with a
# `zypper clean` (or `zypper cc`) is reported by `deny`.
#
# Every test builds a single-stage Dockerfile through the fixture helpers below,
# evaluates `deny` against it, and checks the number of findings and, for the
# denied cases, the exact message text. `deny` itself lives in the policy file.

# Single-stage Dockerfile input: FROM `image`, followed by `cmds`.
fixture_stage(image, cmds) = {"Stages": [{"Name": image, "Commands": array.concat(
	[{"Cmd": "from", "Value": [image]}],
	cmds,
)}]}

# RUN instruction carrying one shell string.
fixture_run(script) = {"Cmd": "run", "Value": [script]}

# HEALTHCHECK instruction present in some fixtures; it does not touch zypper and
# the tests expect it to have no influence on the verdict.
fixture_healthcheck = {"Cmd": "healthcheck", "Value": ["CMD", "curl --fail http://localhost:3000 || exit 1"]}

# A bare install with no clean at all is reported once.
test_denied {
	inp := fixture_stage("busybox:1.0", [
		fixture_run("zypper install"),
		fixture_healthcheck,
	])
	r := deny with input as inp

	count(r) == 1
	some finding
	r[finding].msg == "'zypper clean' is missed: 'zypper install'"
}

# `zypper patch` is treated like an install: no clean, one finding.
test_patch_denied {
	inp := fixture_stage("busybox:1.0", [
		fixture_run("zypper patch bash"),
		fixture_healthcheck,
	])
	r := deny with input as inp

	count(r) == 1
	some finding
	r[finding].msg == "'zypper clean' is missed: 'zypper patch bash'"
}

# A clean that runs before the package operation does not cover it.
test_wrong_order_of_commands_denied {
	inp := fixture_stage("alpine:3.5", [
		fixture_run("zypper cc && zypper remove bash"),
	])
	r := deny with input as inp

	count(r) == 1
	some finding
	r[finding].msg == "'zypper clean' is missed: 'zypper cc && zypper remove bash'"
}

# A clean in the middle of the chain leaves the later `zypper remove` uncovered;
# the message quotes the whole RUN string.
test_multiple_install_denied {
	inp := fixture_stage("alpine:3.5", [
		fixture_run("zypper install bash && zypper clean && zypper remove bash"),
	])
	r := deny with input as inp

	count(r) == 1
	some finding
	r[finding].msg == "'zypper clean' is missed: 'zypper install bash && zypper clean && zypper remove bash'"
}

# Ending the chain with `zypper cc` (the short form of clean) satisfies the check,
# so nothing is reported. The missing space before the final `&&` is part of the
# original fixture and is kept as-is.
test_multiple_install_allowed {
	inp := fixture_stage("alpine:3.5", [
		fixture_run("zypper install bash && zypper clean && zypper remove bash&& zypper cc"),
	])
	r := deny with input as inp

	count(r) == 0
}

# Install followed by clean is fine; later non-zypper RUN and CMD instructions
# are ignored by the check.
test_basic_allowed {
	inp := fixture_stage("alpine:3.5", [
		fixture_run("zypper install bash && zypper clean"),
		fixture_run("pip install --no-cache-dir -r /usr/src/app/requirements.txt"),
		{"Cmd": "cmd", "Value": ["python", "/usr/src/app/app.py"]},
	])
	r := deny with input as inp

	count(r) == 0
}