
     1  package builtin.dockerfile.DS020
     2  
     3  test_denied {
     4  	r := deny with input as {"Stages": [{"Name": "busybox:1.0", "Commands": [
     5  		{
     6  			"Cmd": "from",
     7  			"Value": ["busybox:1.0"],
     8  		},
     9  		{
    10  			"Cmd": "run",
    11  			"Value": ["zypper install"],
    12  		},
    13  		{
    14  			"Cmd": "healthcheck",
    15  			"Value": [
    16  				"CMD",
    17  				"curl --fail http://localhost:3000 || exit 1",
    18  			],
    19  		},
    20  	]}]}
    21  
    22  	count(r) == 1
    23  	r[_].msg == "'zypper clean' is missed: 'zypper install'"
    24  }
    25  
    26  test_patch_denied {
    27  	r := deny with input as {"Stages": [{"Name": "busybox:1.0", "Commands": [
    28  		{
    29  			"Cmd": "from",
    30  			"Value": ["busybox:1.0"],
    31  		},
    32  		{
    33  			"Cmd": "run",
    34  			"Value": ["zypper patch bash"],
    35  		},
    36  		{
    37  			"Cmd": "healthcheck",
    38  			"Value": [
    39  				"CMD",
    40  				"curl --fail http://localhost:3000 || exit 1",
    41  			],
    42  		},
    43  	]}]}
    44  
    45  	count(r) == 1
    46  	r[_].msg == "'zypper clean' is missed: 'zypper patch bash'"
    47  }
    48  
    49  test_wrong_order_of_commands_denied {
    50  	r := deny with input as {"Stages": [{"Name": "alpine:3.5", "Commands": [
    51  		{
    52  			"Cmd": "from",
    53  			"Value": ["alpine:3.5"],
    54  		},
    55  		{
    56  			"Cmd": "run",
    57  			"Value": ["zypper cc && zypper remove bash"],
    58  		},
    59  	]}]}
    60  
    61  	count(r) == 1
    62  	r[_].msg == "'zypper clean' is missed: 'zypper cc && zypper remove bash'"
    63  }
    64  
    65  test_multiple_install_denied {
    66  	r := deny with input as {"Stages": [{"Name": "alpine:3.5", "Commands": [
    67  		{
    68  			"Cmd": "from",
    69  			"Value": ["alpine:3.5"],
    70  		},
    71  		{
    72  			"Cmd": "run",
    73  			"Value": ["zypper install bash && zypper clean && zypper remove bash"],
    74  		},
    75  	]}]}
    76  
    77  	count(r) == 1
    78  	r[_].msg == "'zypper clean' is missed: 'zypper install bash && zypper clean && zypper remove bash'"
    79  }
    80  
    81  test_multiple_install_allowed {
    82  	r := deny with input as {"Stages": [{"Name": "alpine:3.5", "Commands": [
    83  		{
    84  			"Cmd": "from",
    85  			"Value": ["alpine:3.5"],
    86  		},
    87  		{
    88  			"Cmd": "run",
    89  			"Value": ["zypper install bash && zypper clean && zypper remove bash&& zypper cc"],
    90  		},
    91  	]}]}
    92  
    93  	count(r) == 0
    94  }
    95  
    96  test_basic_allowed {
    97  	r := deny with input as {"Stages": [{"Name": "alpine:3.5", "Commands": [
    98  		{
    99  			"Cmd": "from",
   100  			"Value": ["alpine:3.5"],
   101  		},
   102  		{
   103  			"Cmd": "run",
   104  			"Value": ["zypper install bash && zypper clean"],
   105  		},
   106  		{
   107  			"Cmd": "run",
   108  			"Value": ["pip install --no-cache-dir -r /usr/src/app/requirements.txt"],
   109  		},
   110  		{
   111  			"Cmd": "cmd",
   112  			"Value": [
   113  				"python",
   114  				"/usr/src/app/app.py",
   115  			],
   116  		},
   117  	]}]}
   118  
   119  	count(r) == 0
   120  }