
     1  # METADATA
     2  # title: "Multiple ENTRYPOINT instructions listed"
     3  # description: "There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect."
     4  # scope: package
     5  # schemas:
     6  # - input: schema["dockerfile"]
     7  # related_resources:
     8  # - https://docs.docker.com/engine/reference/builder/#entrypoint
     9  # custom:
    10  #   id: DS007
    11  #   avd_id: AVD-DS-0007
    12  #   severity: CRITICAL
    13  #   short_code: only-one-entrypoint
    14  #   recommended_action: "Remove unnecessary ENTRYPOINT instruction."
    15  #   input:
    16  #     selector:
    17  #     - type: dockerfile
    18  package builtin.dockerfile.DS007
    19  
    20  import data.lib.docker
    21  
    22  deny[res] {
    23  	entrypoints := docker.stage_entrypoints[stage]
    24  	count(entrypoints) > 1
    25  	msg := sprintf("There are %d duplicate ENTRYPOINT instructions", [count(entrypoints)])
    26  	res := result.new(msg, entrypoints[1])
    27  }