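# Source: github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/docker/policies/run_using_wget_and_curl_test.rego
#
# Unit tests for Dockerfile check DS014. Each test evaluates the package's
# `deny` rule (defined outside this file) against a mocked parsed Dockerfile
# and pins the number of findings and, where one is expected, its message.
#
# NOTE(review): every fixture keeps wget and curl in one stage and in separate
# RUN instructions. Behaviour for both tools in a single RUN, or split across
# different stages, is not pinned here — confirm against the policy and add
# cases if that matters for your pipeline.
package builtin.dockerfile.DS014

# Shell-form RUN: one instruction calls wget, another calls curl, both in the
# same stage. Exactly one finding is expected.
test_basic_denied {
	findings := deny with input as {"Stages": [{"Name": "alpine:3.5", "Commands": [
		{"Cmd": "from", "Value": ["debian"]},
		{"Cmd": "run", "Value": ["wget http://google.com"]},
		{"Cmd": "run", "Value": ["curl http://bing.com"]},
	]}]}

	count(findings) == 1
	findings[_].msg == "Shouldn't use both curl and wget"
}

# Same as above, but the curl RUN arrives as separate tokens (JSON-array form)
# rather than one shell string. The check must still see the tool name.
test_json_array_denied {
	findings := deny with input as {"Stages": [{"Name": "alpine:3.5", "Commands": [
		{"Cmd": "from", "Value": ["baseImage"]},
		{"Cmd": "run", "Value": ["wget http://google.com"]},
		{"Cmd": "run", "Value": ["curl", "http://bing.com"]},
	]}]}

	count(findings) == 1
	findings[_].msg == "Shouldn't use both curl and wget"
}

# Only curl is used, in two stages: no finding.
# The second stage is a proper element of "Stages". The original fixture
# nested it as a stray "baseimage:1.0" key inside the first stage object, so
# it was presumably never evaluated as a stage and the multi-stage case was
# not actually covered.
test_basic_allowed {
	findings := deny with input as {"Stages": [
		{"Name": "alpine:3.5", "Commands": [
			{"Cmd": "from", "Value": ["debian"]},
			{"Cmd": "run", "Value": ["curl http://bing.com"]},
			{"Cmd": "run", "Value": ["curl http://google.com"]},
		]},
		{"Name": "baseimage:1.0", "Commands": [
			{"Cmd": "from", "Value": ["baseImage"]},
			{"Cmd": "run", "Value": ["curl", "http://bing.com"]},
		]},
	]}

	count(findings) == 0
}

# Only curl is used, with both RUN instructions in JSON-array form: no finding.
test_json_array_allowed {
	findings := deny with input as {"Stages": [{"Name": "alpine:3.5", "Commands": [
		{"Cmd": "from", "Value": ["debian"]},
		{"Cmd": "run", "Value": ["curl", "http://bing.com"]},
		{"Cmd": "run", "Value": ["curl", "http://google.com"]},
	]}]}

	count(findings) == 0
}

# curl is used and wget is only installed through the package manager.
# Pins that an install of wget does not count as a use of wget.
test_install_allowed {
	findings := deny with input as {"Stages": [{"Name": "alpine:3.5", "Commands": [
		{"Cmd": "from", "Value": ["debian"]},
		{"Cmd": "run", "Value": ["curl http://bing.com"]},
		{"Cmd": "run", "Value": ["apt-get update && apt-get install wget"]},
	]}]}

	count(findings) == 0
}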