# METADATA
# title: "Multiple CMD instructions listed"
# description: "There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect."
# scope: package
# schemas:
# - input: schema["dockerfile"]
# related_resources:
# - https://docs.docker.com/engine/reference/builder/#cmd
# custom:
#   id: DS016
#   avd_id: AVD-DS-0016
#   severity: HIGH
#   short_code: only-one-cmd
#   recommended_action: "Dockerfile should only have one CMD instruction. Remove all the other CMD instructions"
#   input:
#     selector:
#     - type: dockerfile
package builtin.dockerfile.DS016

import data.lib.docker

# DS016: a build stage declares CMD more than once.
#
# Docker honours only the last CMD in a stage; every earlier one is silently
# discarded (see the metadata description above). This matters for review
# because the command that actually runs in the image may not be the one a
# reader expects — a deliberately restricted CMD written earlier in the stage
# is overridden by a later one with no build-time warning.
#
# docker.stage_cmd (from data.lib.docker) appears to be keyed per stage, so a
# multi-stage build with one CMD in each stage is not flagged — only a stage
# that itself carries two or more. One result is produced per offending stage
# and is attached to the element at index 1 (presumably the second CMD seen in
# that stage); the remaining CMDs are not individually located.
#
# Note the message carries the total number of CMD instructions in the stage,
# not the number of surplus ones (two CMDs are reported as "2 duplicate").
deny[res] {
	stage_cmds := docker.stage_cmd[_]
	count(stage_cmds) > 1
	res := result.new(
		sprintf("There are %d duplicate CMD instructions", [count(stage_cmds)]),
		stage_cmds[1],
	)
}