github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/docker/policies/run_command_cd_instead_of_workdir.rego

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/docker/policies/run_command_cd_instead_of_workdir.rego (about)

     1  # METADATA
     2  # title: "'RUN cd ...' to change directory"
     3  # description: "Use WORKDIR instead of proliferating instructions like 'RUN cd … && do-something', which are hard to read, troubleshoot, and maintain."
     4  # scope: package
     5  # schemas:
     6  # - input: schema["dockerfile"]
     7  # related_resources:
     8  # - https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir
     9  # custom:
    10  #   id: DS013
    11  #   avd_id: AVD-DS-0013
    12  #   severity: MEDIUM
    13  #   short_code: use-workdir-over-cd
    14  #   recommended_action: "Use WORKDIR to change directory"
    15  #   input:
    16  #     selector:
    17  #     - type: dockerfile
    18  package builtin.dockerfile.DS013
    19  
    20  import data.lib.docker
    21  
    22  get_cd[output] {
    23  	run := docker.run[_]
    24  	parts = regex.split(`\s*&&\s*`, run.Value[_])
    25  	startswith(parts[_], "cd ")
    26  	args := concat(" ", run.Value)
    27  	output := {
    28  		"args": args,
    29  		"cmd": run,
    30  	}
    31  }
    32  
    33  deny[res] {
    34  	output := get_cd[_]
    35  	msg := sprintf("RUN should not be used to change directory: '%s'. Use 'WORKDIR' statement instead.", [output.args])
    36  	res := result.new(msg, output.cmd)
    37  }