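# METADATA
# title: "'apt-get dist-upgrade' used"
# description: "'apt-get dist-upgrade' upgrades a major version so it doesn't make more sense in Dockerfile."
# scope: package
# schemas:
#   - input: schema["dockerfile"]
# custom:
#   id: DS024
#   avd_id: AVD-DS-0024
#   severity: HIGH
#   short_code: no-dist-upgrade
#   recommended_action: "Just use different image"
#   input:
#     selector:
#       - type: dockerfile
package builtin.dockerfile.DS024

import data.lib.docker

# Pattern for `dist-upgrade` given as an argument to `apt-get`, with any
# number of intervening options or chained commands:
#   apt-get dist-upgrade
#   apt-get -y dist-upgrade
#   apt-get update && apt-get dist-upgrade
# The previous pattern (`apt-get .* dist-upgrade`) required two literal
# spaces around the `.*`, so the most common spelling `apt-get dist-upgrade`
# was never reported.
apt_get_dist_upgrade_pattern := `apt-get\s+(\S+\s+)*dist-upgrade\b`

# Set of RUN instructions whose command line invokes `apt-get dist-upgrade`.
get_apt_get_dist_upgrade[run] {
	run := docker.run[_]
	# Join every argument so the whole command line is inspected. For a
	# shell-form RUN, Value is a single string and the join is a no-op; for
	# exec-form RUN (`RUN ["apt-get", "dist-upgrade"]`) the arguments are
	# joined with spaces, which the pattern above accepts.
	# NOTE(review): assumes lib.docker exposes run.Value as an array of
	# strings — confirm against data.lib.docker.
	regex.match(apt_get_dist_upgrade_pattern, concat(" ", run.Value))
}

# One finding per offending RUN instruction.
deny[res] {
	cmd := get_apt_get_dist_upgrade[_]
	msg := "'apt-get dist-upgrade' should not be used in Dockerfile"
	res := result.new(msg, cmd)
}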