github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/docker/policies/run_using_wget_and_curl_test.rego (about)

# Tests for the `deny` rule of package builtin.dockerfile.DS014.
# Each test overrides `input` with a Dockerfile-shaped document of the form
# {"Stages": [{"Name": ..., "Commands": [{"Cmd": ..., "Value": [...]}]}]}
# and checks how many results `deny` yields (and, for the denied cases, the message).
package builtin.dockerfile.DS014
     2  
     3  test_basic_denied {
     4  	r := deny with input as {"Stages": [{"Name": "alpine:3.5", "Commands": [
     5  		{
     6  			"Cmd": "from",
     7  			"Value": ["debian"],
     8  		},
     9  		{
    10  			"Cmd": "run",
    11  			"Value": ["wget http://google.com"],
    12  		},
    13  		{
    14  			"Cmd": "run",
    15  			"Value": ["curl http://bing.com"],
    16  		},
    17  	]}]}
    18  
    19  	count(r) == 1
    20  	r[_].msg == "Shouldn't use both curl and wget"
    21  }
    22  
    23  test_json_array_denied {
    24  	r := deny with input as {"Stages": [{"Name": "alpine:3.5", "Commands": [
    25  		{
    26  			"Cmd": "from",
    27  			"Value": ["baseImage"],
    28  		},
    29  		{
    30  			"Cmd": "run",
    31  			"Value": ["wget http://google.com"],
    32  		},
    33  		{
    34  			"Cmd": "run",
    35  			"Value": [
    36  				"curl",
    37  				"http://bing.com",
    38  			],
    39  		},
    40  	]}]}
    41  
    42  	count(r) == 1
    43  	r[_].msg == "Shouldn't use both curl and wget"
    44  }
    45  
    46  test_basic_allowed {
    47  	r := deny with input as {"Stages": [{
    48  		"Name": "alpine:3.5", "Commands": [
    49  			{
    50  				"Cmd": "from",
    51  				"Value": ["debian"],
    52  			},
    53  			{
    54  				"Cmd": "run",
    55  				"Value": ["curl http://bing.com"],
    56  			},
    57  			{
    58  				"Cmd": "run",
    59  				"Value": ["curl http://google.com"],
    60  			},
    61  		],
    62  		"baseimage:1.0": [
    63  			{
    64  				"Cmd": "from",
    65  				"Value": ["baseImage"],
    66  			},
    67  			{
    68  				"Cmd": "run",
    69  				"Value": [
    70  					"curl",
    71  					"http://bing.com",
    72  				],
    73  			},
    74  		],
    75  	}]}
    76  
    77  	count(r) == 0
    78  }
    79  
    80  test_json_array_allowed {
    81  	r := deny with input as {"Stages": [{"Name": "alpine:3.5", "Commands": [
    82  		{
    83  			"Cmd": "from",
    84  			"Value": ["debian"],
    85  		},
    86  		{
    87  			"Cmd": "run",
    88  			"Value": ["curl", "http://bing.com"],
    89  		},
    90  		{
    91  			"Cmd": "run",
    92  			"Value": [
    93  				"curl",
    94  				"http://google.com",
    95  			],
    96  		},
    97  	]}]}
    98  
    99  	count(r) == 0
   100  }
   101  
   102  test_install_allowed {
   103  	r := deny with input as {"Stages": [{"Name": "alpine:3.5", "Commands": [
   104  		{
   105  			"Cmd": "from",
   106  			"Value": ["debian"],
   107  		},
   108  		{
   109  			"Cmd": "run",
   110  			"Value": ["curl http://bing.com"],
   111  		},
   112  		{
   113  			"Cmd": "run",
   114  			"Value": ["apt-get update && apt-get install wget"],
   115  		},
   116  	]}]}
   117  
   118  	count(r) == 0
   119  }