# METADATA
# title: "'RUN <package-manager> update' instruction alone"
# description: "The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement."
# scope: package
# schemas:
# - input: schema["dockerfile"]
# related_resources:
# - https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
# custom:
#   id: DS017
#   avd_id: AVD-DS-0017
#   severity: HIGH
#   short_code: no-orphan-package-update
#   recommended_action: "Combine '<package-manager> update' and '<package-manager> install' instructions to single one"
#   input:
#     selector:
#     - type: dockerfile
package builtin.dockerfile.DS017

import data.lib.docker

# deny reports every RUN instruction that refreshes a package index
# ("<pm> update") without installing anything in the same RUN.  A lone
# update ends up as its own image layer, so a later "install" layer can be
# built from a cached, stale index (see the related_resources link above).
deny[res] {
	some i
	run := docker.run[i]

	# run.Value holds the RUN instruction's tokens; join them back into a
	# single shell string so the helpers below can scan it.
	cmd := concat(" ", run.Value)

	is_valid_update(cmd)
	not update_followed_by_install(cmd)

	res := result.new("The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.", run)
}

# is_valid_update holds when some "&&"-chained segment of command ends in
# the token "update" or "--update".  Only "&&" is recognised as a chain
# separator; segments joined with ";" or "||" are scanned as one segment,
# and an update carrying trailing flags (e.g. a final "-y") is not matched.
is_valid_update(command) {
	segments := regex.split(`\s*&&\s*`, command)

	some i
	tokens := split(segments[i], " ")
	last_token := tokens[count(tokens) - 1]

	# set membership: the final token must be one of the update spellings
	update_tokens := {"update", "--update"}
	update_tokens[last_token]
}

# update_followed_by_install holds when an install-like command appears
# after the first occurrence of "update" in command.  Both positions come
# from plain substring search on the joined string, not from token parsing.
update_followed_by_install(command) {
	install_cmds := {
		"upgrade",
		"install",
		"source-install",
		"reinstall",
		"groupinstall",
		"localinstall",
		"apk add",
	}

	# indexof yields -1 when the needle is absent
	update_pos := indexof(command, "update")
	update_pos >= 0

	some install_cmd
	install_cmds[install_cmd]
	install_pos := indexof(command, install_cmd)
	install_pos >= 0

	install_pos > update_pos
}