
     1  # METADATA
     2  # title: "'apt-get dist-upgrade' used"
     3  # description: "'apt-get dist-upgrade' performs a major-version upgrade, which does not make sense in a Dockerfile."
     4  # scope: package
     5  # schemas:
     6  # - input: schema["dockerfile"]
     7  # custom:
     8  #   id: DS024
     9  #   avd_id: AVD-DS-0024
    10  #   severity: HIGH
    11  #   short_code: no-dist-upgrade
    12  #   recommended_action: "Use a different image instead"
    13  #   input:
    14  #     selector:
    15  #     - type: dockerfile
    16  package builtin.dockerfile.DS024
    17  
    18  import data.lib.docker
    19  
    20  get_apt_get_dist_upgrade[run] {
    21  	run := docker.run[_]
    22  	regex.match(`apt-get .* dist-upgrade`, run.Value[0])
    23  }
    24  
    25  deny[res] {
    26  	cmd := get_apt_get_dist_upgrade[_]
    27  	msg := "'apt-get dist-upgrade' should not be used in Dockerfile"
    28  	res := result.new(msg, cmd)
    29  }