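# METADATA
# title: "Container images from public registries used"
# description: "Container images must not start with an empty prefix or a defined public registry domain."
# scope: package
# schemas:
# - input: schema["kubernetes"]
# custom:
#   id: KSV034
#   avd_id: AVD-KSV-0034
#   severity: MEDIUM
#   short_code: no-public-registries
#   recommended_action: "Use images from private registries."
#   input:
#     selector:
#     - type: kubernetes
package builtin.kubernetes.KSV034

import data.lib.kubernetes
import data.lib.utils

default failPublicRegistry = false

# Registries treated as untrusted/public.
#
# Entries are compared against the registry HOST of the image reference
# (exact match, optional ":port" stripped), not as a bare string prefix.
# A prefix match would both miss "docker.io:443/app" and wrongly flag
# "docker.io.example.com/app".
#
# "index.docker.io" is the canonical hostname behind "docker.io"; it is
# listed so the alias cannot be used to sidestep the rule.
untrusted_public_registries = [
	"docker.io",
	"index.docker.io",
	"ghcr.io",
]

# image_registry returns the explicit registry component of an image
# reference, following the same rule the container runtime applies: the
# first path component is a registry only when it contains "." or ":" or
# is exactly "localhost". It is undefined when the reference has no
# explicit registry (e.g. "nginx", "library/nginx", "nginx.example"),
# in which case the runtime default (Docker Hub) applies.
image_registry(image) = registry {
	parts := split(image, "/")
	count(parts) > 1 # a single component is a repository name, never a registry
	registry := parts[0]
	is_registry_host(registry)
}

# is_registry_host holds when a path component would be parsed as a
# registry host by the runtime (domain with a dot, host:port, or localhost).
is_registry_host(part) {
	contains(part, ".")
}

is_registry_host(part) {
	contains(part, ":")
}

is_registry_host(part) {
	part == "localhost"
}

# registry_host strips an optional ":port" suffix from a registry component
# so it can be compared against untrusted_public_registries.
registry_host(registry) = host {
	host := split(registry, ":")[0]
}

# getContainersWithPublicRegistries returns the containers whose image
# explicitly names a registry host from untrusted_public_registries.
getContainersWithPublicRegistries[container] {
	container := kubernetes.containers[_]
	registry := image_registry(container.image)
	untrusted := untrusted_public_registries[_]
	registry_host(registry) == untrusted
}

# getContainersWithPublicRegistries returns the containers whose image has
# no explicit registry prefix and therefore resolves to the runtime default
# public registry (Docker Hub). "localhost:5000/app" or "registry:5000/app"
# carry an explicit registry and are not reported here.
getContainersWithPublicRegistries[container] {
	container := kubernetes.containers[_]
	not image_registry(container.image)
}

deny[res] {
	container := getContainersWithPublicRegistries[_]
	msg := kubernetes.format(sprintf("Container '%s' of %s '%s' should restrict container image to use private registries", [container.name, kubernetes.kind, kubernetes.name]))
	res := result.new(msg, container)
}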