package builtin.dockerfile.DS024

# Finding message this package's `deny` rule is expected to emit when a
# Dockerfile RUN instruction invokes `apt-get dist-upgrade`.
expected_msg := "'apt-get dist-upgrade' should not be used in Dockerfile"

# Builds the single-stage Dockerfile document shared by every test below:
# FROM debian, one RUN instruction carrying `run_cmd`, then a CMD that starts
# the app. Only the RUN line varies between cases, so it is the only parameter.
dockerfile_with_run(run_cmd) = doc {
	doc := {"Stages": [{
		"Name": "debian",
		"Commands": [
			{
				"Cmd": "from",
				"Value": ["debian"],
			},
			{
				"Cmd": "run",
				"Value": [run_cmd],
			},
			{
				"Cmd": "cmd",
				"Value": [
					"python",
					"/usr/src/app/app.py",
				],
			},
		],
	}]}
}

# A bare `apt-get dist-upgrade` chained after `apt-get update` yields exactly
# one finding with the expected message.
test_denied {
	doc := dockerfile_with_run("apt-get update && apt-get dist-upgrade")
	r := deny with input as doc

	count(r) == 1
	r[_].msg == expected_msg
}

# A short option placed between `apt-get` and the sub-command (`-q`) must not
# let `dist-upgrade` slip past the check.
test_shortflag_denied {
	doc := dockerfile_with_run("apt-get update && apt-get -q dist-upgrade")
	r := deny with input as doc

	count(r) == 1
	r[_].msg == expected_msg
}

# Same as the short-flag case, but with a long option (`--quiet`) in between.
test_longflag_denied {
	doc := dockerfile_with_run("apt-get update && apt-get --quiet dist-upgrade")
	r := deny with input as doc

	count(r) == 1
	r[_].msg == expected_msg
}

# A plain `apt-get upgrade` is the accepted form and must produce no findings.
test_allowed {
	doc := dockerfile_with_run("apt-get update && apt-get upgrade")
	r := deny with input as doc

	count(r) == 0
}