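# METADATA
# title: "All container images must start with the *.azurecr.io domain"
# description: "Containers should only use images from trusted registries."
# scope: package
# schemas:
#   - input: schema["kubernetes"]
# custom:
#   id: KSV032
#   avd_id: AVD-KSV-0032
#   severity: MEDIUM
#   short_code: use-azure-image-prefix
#   recommended_action: "Use images from trusted Azure registries."
#   input:
#     selector:
#       - type: kubernetes
package builtin.kubernetes.KSV032

import data.lib.kubernetes
import data.lib.utils

default failTrustedAzureRegistry = false

# Host suffix that identifies an Azure Container Registry.
# The leading dot matters: a bare "azurecr.io" suffix check would also accept
# look-alike hosts such as "notazurecr.io", which the title ("*.azurecr.io")
# does not intend.
trusted_azure_registry_suffix := ".azurecr.io"

# getContainersWithTrustedAzureRegistry returns the names of containers whose
# image reference carries an explicit registry host ending in ".azurecr.io".
# An image reference with no "/" (e.g. "nginx") has no registry component and
# is therefore never treated as trusted. A registry written with a port
# (e.g. "host.azurecr.io:5000") does not end in the suffix and is reported as
# untrusted by this rule.
getContainersWithTrustedAzureRegistry[name] {
	container := kubernetes.containers[_]
	image := container.image

	# split the reference into its "/"-separated components; the first
	# component is the registry host only when more than one is present
	image_parts := split(image, "/")

	# images with only one part do not specify a registry
	count(image_parts) > 1
	registry := image_parts[0]
	endswith(registry, trusted_azure_registry_suffix)
	name := container.name
}

# getContainersWithUntrustedAzureRegistry returns every container that is not
# listed by getContainersWithTrustedAzureRegistry, i.e. whose image does not
# come from a registry host ending in ".azurecr.io".
getContainersWithUntrustedAzureRegistry[container] {
	container := kubernetes.containers[_]
	not getContainersWithTrustedAzureRegistry[container.name]
}

# deny produces one result per container whose image registry is not an
# Azure Container Registry host.
deny[res] {
	container := getContainersWithUntrustedAzureRegistry[_]
	msg := kubernetes.format(sprintf("container %s of %s %s in %s namespace should restrict container image to your specific registry domain. For Azure any domain ending in 'azurecr.io'", [container.name, lower(kubernetes.kind), kubernetes.name, kubernetes.namespace]))
	res := result.new(msg, container)
}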