package builtin.dockerfile.DS013

# Tests for DS013: a RUN instruction must not be used to change the working
# directory; WORKDIR is the instruction for that. Each test builds a single
# "nginx" stage from a list of Dockerfile commands and checks what `deny`
# reports for it.

# FROM nginx — the first instruction of every fixture stage.
from_nginx := {"Cmd": "from", "Value": ["nginx"]}

# The CMD instruction shared by all fixtures. It contains a `cd`, so it also
# documents that the rule only concerns RUN, not CMD.
cmd_start_nginx := {
	"Cmd": "cmd",
	"Value": ["cd /usr/share/nginx/html && sed -e s/Docker/\"$AUTHOR\"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'"],
}

# nginx_stage wraps a command list into the single-stage input document the
# policy expects.
nginx_stage(commands) := {"Stages": [{"Name": "nginx", "Commands": commands}]}

# A bare `RUN cd …` must produce exactly one finding naming the offending
# RUN value.
test_basic_denied {
	doc := nginx_stage([
		from_nginx,
		{"Cmd": "run", "Value": ["cd /usr/share/nginx/html"]},
		cmd_start_nginx,
	])
	r := deny with input as doc

	count(r) == 1
	some i
	r[i].msg == "RUN should not be used to change directory: 'cd /usr/share/nginx/html'. Use 'WORKDIR' statement instead."
}

# A `cd` hidden behind `&&` inside a longer RUN command is still denied, and
# the message quotes the whole RUN value, not just the `cd` part.
test_chaining_denied {
	doc := nginx_stage([
		from_nginx,
		{"Cmd": "env", "Value": ["AUTHOR", "Docker"]},
		{"Cmd": "run", "Value": ["apt-get install vim && cd /usr/share/nginx/html"]},
		cmd_start_nginx,
	])
	r := deny with input as doc

	count(r) == 1
	some i
	r[i].msg == "RUN should not be used to change directory: 'apt-get install vim && cd /usr/share/nginx/html'. Use 'WORKDIR' statement instead."
}

# Using WORKDIR (plus COPY and a CMD that happens to contain `cd`) yields no
# findings.
test_basic_allowed {
	doc := nginx_stage([
		from_nginx,
		{"Cmd": "workdir", "Value": ["/usr/share/nginx/html"]},
		{"Cmd": "copy", "Value": ["Hello_docker.html", "/usr/share/nginx/html"]},
		cmd_start_nginx,
	])
	r := deny with input as doc

	count(r) == 0
}