
     1  # METADATA
     2  # title: "All container images must start with an ECR domain"
     3  # description: "Container images from non-ECR registries should be forbidden."
     4  # scope: package
     5  # schemas:
     6  # - input: schema["kubernetes"]
     7  # custom:
     8  #   id: KSV035
     9  #   avd_id: AVD-KSV-0035
    10  #   severity: MEDIUM
    11  #   short_code: no-untrusted-ecr-domain
    12  #   recommended_action: "Container images should be pulled from Amazon Elastic Container Registry (ECR)"
    13  #   input:
    14  #     selector:
    15  #     - type: kubernetes
    16  package builtin.kubernetes.KSV035
    17  
    18  import data.lib.kubernetes
    19  import data.lib.utils
    20  
# NOTE(review): failTrustedECRRegistry is not referenced by any rule in this
# file; it appears to be a leftover from an earlier shape of the policy and is
# kept only so the package's existing exported names do not change.
default failTrustedECRRegistry = false
    22  
# list of trusted ECR registries
#
# Each entry is a host-name suffix: a registry is trusted when its host ends
# with one of these values, which covers the per-account ECR host form
# <account-id>.dkr.ecr.<region>.amazonaws.com. The list is static, so regions
# launched after it was written (for example ap-southeast-3) and the
# ecr-fips.<region> FIPS endpoints are treated as untrusted until added here.
trusted_ecr_registries = [
	"ecr.us-east-2.amazonaws.com",
	"ecr.us-east-1.amazonaws.com",
	"ecr.us-west-1.amazonaws.com",
	"ecr.us-west-2.amazonaws.com",
	"ecr.af-south-1.amazonaws.com",
	"ecr.ap-east-1.amazonaws.com",
	"ecr.ap-south-1.amazonaws.com",
	"ecr.ap-northeast-2.amazonaws.com",
	"ecr.ap-southeast-1.amazonaws.com",
	"ecr.ap-southeast-2.amazonaws.com",
	"ecr.ap-northeast-1.amazonaws.com",
	"ecr.ca-central-1.amazonaws.com",
	"ecr.cn-north-1.amazonaws.com.cn",
	"ecr.cn-northwest-1.amazonaws.com.cn",
	"ecr.eu-central-1.amazonaws.com",
	"ecr.eu-west-1.amazonaws.com",
	"ecr.eu-west-2.amazonaws.com",
	"ecr.eu-south-1.amazonaws.com",
	"ecr.eu-west-3.amazonaws.com",
	"ecr.eu-north-1.amazonaws.com",
	"ecr.me-south-1.amazonaws.com",
	"ecr.sa-east-1.amazonaws.com",
	"ecr.us-gov-east-1.amazonaws.com",
	"ecr.us-gov-west-1.amazonaws.com",
]
    50  
    51  # getContainersWithTrustedECRRegistry returns a list of containers
    52  # with image from a trusted ECR registry
    53  getContainersWithTrustedECRRegistry[name] {
    54  	container := kubernetes.containers[_]
    55  	image := container.image
    56  
    57  	# get image registry/repo parts
    58  	image_parts := split(image, "/")
    59  
    60  	# images with only one part do not specify a registry
    61  	count(image_parts) > 1
    62  	registry = image_parts[0]
    63  	trusted := trusted_ecr_registries[_]
    64  	endswith(registry, trusted)
    65  	name := container.name
    66  }
    67  
    68  # getContainersWithUntrustedECRRegistry returns a list of containers
    69  # with image from an untrusted ECR registry
    70  getContainersWithUntrustedECRRegistry[container] {
    71  	container := kubernetes.containers[_]
    72  	not getContainersWithTrustedECRRegistry[container.name]
    73  }
    74  
    75  deny[res] {
    76  	container := getContainersWithUntrustedECRRegistry[_]
    77  	msg := kubernetes.format(sprintf("Container '%s' of %s '%s' should restrict images to own ECR repository. See the full ECR list here: https://docs.aws.amazon.com/general/latest/gr/ecr.html", [container.name, kubernetes.kind, kubernetes.name]))
    78  	res := result.new(msg, container)
    79  }