From c94a49ac4a713380f07a58913c64cfde82824fae Mon Sep 17 00:00:00 2001 
From: Anusha Hegde Date: Thu, 30 May 2024 20:17:01 +0200 Subject: [PATCH 1/4] Update Dockerfile policies - add rememdiation docs - add analyzer binding - add missing policies --- .../check-apt-command-force-yes/README.md | 73 ++++++++++++++ .../check-apt-command-force-yes.yaml | 33 +++++++ .../test/bad-test/Dockerfile | 7 ++ .../test/bad-test/bad-payload-02.json | 47 ++++++++++ .../test/bad-test/bad-payload.json | 47 ++++++++++ .../test/chainsaw-test.yaml | 94 +++++++++++++++++++ .../test/good-test/Dockerfile | 7 ++ .../test/good-test/good-payload.json | 47 ++++++++++ .../check-unauthentication-install.yaml | 4 +- .../check-certificate-validation-curl.yaml | 4 +- .../README.md | 74 +++++++++++++++ ...ck-certificate-validation-git-env-var.yaml | 25 +++++ ...certificate-validation-nodejs-env-var.yaml | 4 +- .../check-certificate-validation-pip3.yaml | 4 +- ...certificate-validation-python-env-var.yaml | 4 +- .../check-certificate-validation-wget.yaml | 4 +- .../README.md | 0 ...check-ceritificate-validation-yum-dnf.yaml | 0 .../test/good-test/Dockerfile | 6 -- .../check-label-maintainer/README.md | 27 ++++++ .../check-label-maintainer.yaml | 27 ++++++ .../check-last-user/check-last-user.yaml | 4 +- .../check-missing-signature-options.yaml | 4 +- .../check-nogpgcheck/check-nogpgcheck.yaml | 4 +- .../check-npm-config-strict-ssl.yaml | 4 +- .../check-allow-untrusted-flag.yaml | 4 +- .../detect-multiple-instructions.yaml | 4 +- .../disallow-sudo-operations.yaml | 4 +- .../prefer-copy-over-add.yaml | 4 +- .../validate-base-image-tag.yaml | 4 +- .../validate-expose-port-22.yaml | 4 +- .../validate-healthcheck-instruction.yaml | 4 +- .../validate-user-instruction.yaml | 4 +- 33 files changed, 562 insertions(+), 24 deletions(-) create mode 100644 dockerfile-best-practices/check-apt-command-force-yes/README.md create mode 100644 dockerfile-best-practices/check-apt-command-force-yes/check-apt-command-force-yes.yaml create mode 100644 
dockerfile-best-practices/check-apt-command-force-yes/test/bad-test/Dockerfile create mode 100644 dockerfile-best-practices/check-apt-command-force-yes/test/bad-test/bad-payload-02.json create mode 100644 dockerfile-best-practices/check-apt-command-force-yes/test/bad-test/bad-payload.json create mode 100644 dockerfile-best-practices/check-apt-command-force-yes/test/chainsaw-test.yaml create mode 100644 dockerfile-best-practices/check-apt-command-force-yes/test/good-test/Dockerfile create mode 100644 dockerfile-best-practices/check-apt-command-force-yes/test/good-test/good-payload.json create mode 100644 dockerfile-best-practices/check-certificate-validation-git-env-var/README.md create mode 100644 dockerfile-best-practices/check-certificate-validation-git-env-var/check-certificate-validation-git-env-var.yaml delete mode 100644 dockerfile-best-practices/check-certificate-validation-yum-dnf/README.md delete mode 100644 dockerfile-best-practices/check-certificate-validation-yum-dnf/test/check-ceritificate-validation-yum-dnf.yaml delete mode 100644 dockerfile-best-practices/check-certificate-validation-yum-dnf/test/good-test/Dockerfile create mode 100644 dockerfile-best-practices/check-label-maintainer/README.md create mode 100644 dockerfile-best-practices/check-label-maintainer/check-label-maintainer.yaml diff --git a/dockerfile-best-practices/check-apt-command-force-yes/README.md b/dockerfile-best-practices/check-apt-command-force-yes/README.md new file mode 100644 index 00000000..41ea2e26 --- /dev/null +++ b/dockerfile-best-practices/check-apt-command-force-yes/README.md 
@@ -0,0 +1,73 @@ +Imagine you're setting up a Docker image for a web server using Ubuntu as the base image. You want to install the Apache web server and PHP to run your website. Here's a simplified Dockerfile without the `--force-yes` option: + +``` +FROM ubuntu:latest +RUN apt-get update && \ + apt-get install -y \ + apache2 \ + php +``` + +In this Dockerfile, we're updating the package index with apt-get update. We're then installing Apache (apache2) and PHP (php) using `apt-get install -y`, which automatically answers "yes" to any prompts. + +Now, let's say you encounter a situation where you want to install a package that requires additional confirmation or conflicts with existing packages. For instance, you decide to install a package called 'example-package' that requires manual confirmation: + +``` +FROM ubuntu:latest +RUN apt-get update && \ + apt-get install -y \ + apache2 \ + php \ + example-package +``` +Upon running the `docker build`, you might encounter a prompt asking for confirmation to install 'example-package'. This is where the `--force-yes` option comes into play. It allows you to bypass such prompts and force the installation without user confirmation. + +However, using `--force-yes` can lead to unforeseen consequences. For instance, 'example-package' might conflict with another package already installed on the system. Without proper validation, `--force-yes` could potentially downgrade or overwrite critical packages, resulting in system instability or unexpected behavior. + +This policy checks whether you're using the `--force-yes` option with the `apt-get` command. If you're using the option with `apt-get`, the policy will give you failing checks else passing checks. + +**In order to test this policy, use the following commands:** + +- Make sure you have `kyverno-json` installed on the machine +- Make sure you have [nctl `v3.4.0`](https://downloads.nirmata.io/nctl/downloads/) or above. + + +1. 
**Extract JSON equivalent of the dockerfile:** + ```bash + nctl scan dockerfile -r test/good-test/Dockerfile --show-json > payload.json + ``` + +2. **Test the Policy with Kyverno:** + ```bash + kyverno-json scan --payload payload.json --policy check-apt-command-force-yes.yaml + ``` + a. **Test Policy Against Valid Payload:** + ```bash + kyverno-json scan --policy check-apt-command-force-yes.yaml --payload test/good-test/good-payload.json + ``` + + This produces the output: + + ``` + Loading policies ... + Loading payload ... + Pre processing ... + Running ( evaluating 1 resource against 1 policy ) ... + - check-apt-command-force-yes / check-apt-command-force-yes / PASSED + Done + ``` + + b. **Test Policy Against Invalid Payload:** + ```bash + kyverno-json scan --policy check-at-command-force-yes.yaml --payload test/bad-test/bad-payload.json + ``` + + This produces the output: + ``` + Loading policies ... + Loading payload ... + Pre processing ... + Running ( evaluating 1 resource against 1 policy ) ... + - check-apt-command-force-yes / check-apt-command-force-yes / FAILED: refrain from using the '--force-yes' option with `apt-get` as it bypasses important package validation checks and can potentially compromise the stability and security of your system.: all[0].check.~.(Stages[].Commands[?Name=='RUN'].CmdLine[][])[0].((starts_with(@, 'apt-get ') || contains(@, ' apt-get ')) && contains(@, ' --force-yes')): Invalid value: true: Expected value: false + Done + ``` \ No newline at end of file diff --git a/dockerfile-best-practices/check-apt-command-force-yes/check-apt-command-force-yes.yaml b/dockerfile-best-practices/check-apt-command-force-yes/check-apt-command-force-yes.yaml new file mode 100644 index 00000000..0cd4e3d2 --- /dev/null +++ b/dockerfile-best-practices/check-apt-command-force-yes/check-apt-command-force-yes.yaml 
@@ -0,0 +1,33 @@ +apiVersion: json.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: check-apt-command-force-yes + annotations: + policies.kyverno.io/title: Check for overidding of safety checks in apt-get command + policies.kyverno.io/category: Dockerfile Best Practices + policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-apt-command-force-yes/" + policies.kyverno.io/description: >- + The --force-yes option in apt-get is used to override some safety checks + and prompts, allowing the installation or upgrade of packages even if + they require additional user confirmation or if they conflict with other + packages. This can potentially lead to system instability or unexpected + behavior, as it bypasses certain safeguards put in place to ensure the stability + and consistency of the system. +spec: + rules: + - name: check-apt-command-force-yes + match: + all: + - ($analyzer.resource.type): dockerfile + - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true + assert: + all: + - message: refrain from using the '--force-yes' option with `apt-get` as it bypasses important package validation checks and can potentially compromise the stability and security of your system. + check: + ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]): + ((starts_with(@, 'apt-get ') || contains(@, ' apt-get ')) && contains(@, ' --force-yes')): false + - message: refrain from using the '--force-yes' option with `apt` as it bypasses important package validation checks and can potentially compromise the stability and security of your system. + check: + ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]): + ((starts_with(@, 'apt ') || contains(@, ' apt ')) && contains(@, ' --force-yes')): false \ No newline at end of file 
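Review bot: The title annotation has a typo, `overidding`; it should read `policies.kyverno.io/title: Check for overriding of safety checks in apt-get command`. Both checks look for the substring `' --force-yes'` inside a single CmdLine string, which fits the shell-form payloads added in this commit (one string per RUN, `PrependShell: true`); if the analyzer emits exec-form `RUN [...]` as one token per CmdLine element, a bare `--force-yes` token would never carry the leading space and the instruction would pass, so this is worth confirming with an exec-form fixture before relying on the rule. Since apt deprecated `--force-yes` in favour of the split `--allow-downgrades`, `--allow-remove-essential` and `--allow-change-held-packages` options, consider whether this policy should also cover those successors (`--allow-unauthenticated` is already handled by check-unauthentication-install in this commit).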
diff --git a/dockerfile-best-practices/check-apt-command-force-yes/test/bad-test/Dockerfile b/dockerfile-best-practices/check-apt-command-force-yes/test/bad-test/Dockerfile new file mode 100644 index 00000000..43452693 --- /dev/null +++ b/dockerfile-best-practices/check-apt-command-force-yes/test/bad-test/Dockerfile @@ -0,0 +1,7 @@ +FROM ubuntu:latest + +RUN apt-get update && \ + apt-get install --force-yes \ + wget + +RUN echo "Hello world" \ No newline at end of file diff --git a/dockerfile-best-practices/check-apt-command-force-yes/test/bad-test/bad-payload-02.json b/dockerfile-best-practices/check-apt-command-force-yes/test/bad-test/bad-payload-02.json new file mode 100644 index 00000000..7174c914 --- /dev/null +++ b/dockerfile-best-practices/check-apt-command-force-yes/test/bad-test/bad-payload-02.json @@ -0,0 +1,47 @@ +{ + "MetaArgs": null, + "Stages": [ + { + "Name": "", + "BaseName": "ubuntu:latest", + "Platform": "", + "Comment": "", + "SourceCode": "FROM ubuntu:latest", + "Location": [ + { + "Start": { + "Line": 1, + "Character": 0 + }, + "End": { + "Line": 1, + "Character": 0 + } + } + ], + "From": { + "Image": "ubuntu:latest" + }, + "Commands": [ + { + "CmdLine": [ + "apt update && apt install --force-yes wget" + ], + "Files": null, + "FlagsUsed": [], + "Name": "RUN", + "PrependShell": true + }, + { + "CmdLine": [ + "echo \"Hello world\"" + ], + "Files": null, + "FlagsUsed": [], + "Name": "RUN", + "PrependShell": true + } + ] + } + ] +} \ No newline at end of file diff --git a/dockerfile-best-practices/check-apt-command-force-yes/test/bad-test/bad-payload.json b/dockerfile-best-practices/check-apt-command-force-yes/test/bad-test/bad-payload.json new file mode 100644 index 00000000..16bad3c3 --- /dev/null +++ b/dockerfile-best-practices/check-apt-command-force-yes/test/bad-test/bad-payload.json 
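Review bot: bad-payload-02.json carries an `apt update && apt install --force-yes wget` command, but the commit adds only the `apt-get` variant under test/bad-test/Dockerfile, so this payload cannot be regenerated with the `nctl scan dockerfile` step the README documents. Keeping a source Dockerfile next to it (for example a second file in test/bad-test with that RUN line) would keep the fixture reproducible when the analyzer's JSON shape changes.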
@@ -0,0 +1,47 @@ +{ + "MetaArgs": null, + "Stages": [ + { + "Name": "", + "BaseName": "ubuntu:latest", + "Platform": "", + "Comment": "", + "SourceCode": "FROM ubuntu:latest", + "Location": [ + { + "Start": { + "Line": 1, + "Character": 0 + }, + "End": { + "Line": 1, + "Character": 0 + } + } + ], + "From": { + "Image": "ubuntu:latest" + }, + "Commands": [ + { + "CmdLine": [ + "apt-get update && apt-get install --force-yes wget" + ], + "Files": null, + "FlagsUsed": [], + "Name": "RUN", + "PrependShell": true + }, + { + "CmdLine": [ + "echo \"Hello world\"" + ], + "Files": null, + "FlagsUsed": [], + "Name": "RUN", + "PrependShell": true + } + ] + } + ] +} \ No newline at end of file diff --git a/dockerfile-best-practices/check-apt-command-force-yes/test/chainsaw-test.yaml b/dockerfile-best-practices/check-apt-command-force-yes/test/chainsaw-test.yaml new file mode 100644 index 00000000..44d82ad3 --- /dev/null +++ b/dockerfile-best-practices/check-apt-command-force-yes/test/chainsaw-test.yaml 
@@ -0,0 +1,94 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: good-test +spec: + steps: + - name: kyverno-json + try: + - script: + content: | + set -e + kyverno-json scan --policy ../check-apt-command-force-yes.yaml --payload ./good-test/good-payload.json --output json + check: + ($error): ~ + (json_parse($stdout)): + - results: + - policy: + apiVersion: json.kyverno.io/v1alpha1 + kind: ValidatingPolicy + metadata: + name: check-apt-command-force-yes + rules: + - rule: + name: check-apt-command-force-yes + error: ~ + violations: ~ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: bad-test +spec: + steps: + - name: kyverno-json + try: + - script: + content: | + set -e + kyverno-json scan --policy ../check-apt-command-force-yes.yaml --payload ./bad-test/bad-payload.json --output json + check: + ($error): ~ + (json_parse($stdout)): + - results: + - policy: + apiVersion: json.kyverno.io/v1alpha1 + kind: ValidatingPolicy + metadata: + name: check-apt-command-force-yes + rules: + - rule: + name: check-apt-command-force-yes + error: ~ + violations: + - message: refrain from using the '--force-yes' option with `apt-get` as it bypasses important package validation checks and can potentially compromise the stability and security of your system. 
+ errors: + - type: FieldValueInvalid + value: true + detail: 'Expected value: false' +--- +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: bad-test-02 +spec: + steps: + - name: kyverno-json + try: + - script: + content: | + set -e + kyverno-json scan --policy ../check-apt-command-force-yes.yaml --payload ./bad-test/bad-payload-02.json --output json + check: + ($error): ~ + (json_parse($stdout)): + - results: + - policy: + apiVersion: json.kyverno.io/v1alpha1 + kind: ValidatingPolicy + metadata: + name: check-apt-command-force-yes + rules: + - rule: + name: check-apt-command-force-yes + error: ~ + violations: + - message: refrain from using the '--force-yes' option with `apt` as it bypasses important package validation checks and can potentially compromise the stability and security of your system. + errors: + - type: FieldValueInvalid + value: true + detail: 'Expected value: false' \ No newline at end of file diff --git a/dockerfile-best-practices/check-apt-command-force-yes/test/good-test/Dockerfile b/dockerfile-best-practices/check-apt-command-force-yes/test/good-test/Dockerfile new file mode 100644 index 00000000..a1c4df85 --- /dev/null +++ b/dockerfile-best-practices/check-apt-command-force-yes/test/good-test/Dockerfile @@ -0,0 +1,7 @@ +FROM ubuntu:latest + +RUN apt-get update && \ + apt-get install -y \ + wget + +RUN echo "Hello world" \ No newline at end of file diff --git a/dockerfile-best-practices/check-apt-command-force-yes/test/good-test/good-payload.json b/dockerfile-best-practices/check-apt-command-force-yes/test/good-test/good-payload.json new file mode 100644 index 00000000..bc05bd0d --- /dev/null +++ b/dockerfile-best-practices/check-apt-command-force-yes/test/good-test/good-payload.json 
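Review bot: There are two consecutive `---` separators between the bad-test and bad-test-02 documents, which leaves an empty YAML document in the middle of the file; depending on the loader that is either rejected or silently skipped, so drop one of them so the file holds exactly three Test documents. The three tests otherwise line up with the policy's two assertions (the `apt-get` message for bad-payload.json, the `apt` message for bad-payload-02.json).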
@@ -0,0 +1,47 @@ +{ + "MetaArgs": null, + "Stages": [ + { + "Name": "", + "BaseName": "ubuntu:latest", + "Platform": "", + "Comment": "", + "SourceCode": "FROM ubuntu:latest", + "Location": [ + { + "Start": { + "Line": 1, + "Character": 0 + }, + "End": { + "Line": 1, + "Character": 0 + } + } + ], + "From": { + "Image": "ubuntu:latest" + }, + "Commands": [ + { + "CmdLine": [ + "apt-get update && apt-get install -y wget" + ], + "Files": null, + "FlagsUsed": [], + "Name": "RUN", + "PrependShell": true + }, + { + "CmdLine": [ + "echo \"Hello world\"" + ], + "Files": null, + "FlagsUsed": [], + "Name": "RUN", + "PrependShell": true + } + ] + } + ] +} \ No newline at end of file diff --git a/dockerfile-best-practices/check-authentication/check-unauthentication-install.yaml b/dockerfile-best-practices/check-authentication/check-unauthentication-install.yaml index 957e59d2..02c0d474 100644 --- a/dockerfile-best-practices/check-authentication/check-unauthentication-install.yaml +++ b/dockerfile-best-practices/check-authentication/check-unauthentication-install.yaml @@ -6,13 +6,15 @@ metadata: policies.kyverno.io/title: Check for unauthenticated flag in Dockerfile policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-unauthentication/" policies.kyverno.io/description: >- This policy ensures that Dockerfile do not contain the '--allow-unauthenticated' flag. spec: rules: - name: detect-unauthenticated-flag match: - any: + all: + - ($analyzer.resource.type): dockerfile - (Stages[].Commands[?Name=='RUN'].CmdLine[] | length(@) > `0`): true assert: any: diff --git a/dockerfile-best-practices/check-certificate-validation-curl/check-certificate-validation-curl.yaml b/dockerfile-best-practices/check-certificate-validation-curl/check-certificate-validation-curl.yaml index 580a5c50..e7d4198d 100644 
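Review bot: The rewritten `match` now requires `($analyzer.resource.type): dockerfile` under `all`, so the rule never matches unless the `$analyzer` binding is supplied by the caller; the diff does not show where that binding comes from, and the chainsaw tests added in this commit invoke `kyverno-json scan` directly, so confirm the standalone CLI provides it, otherwise those tests and the README walkthroughs would report no match rather than PASSED/FAILED. The same change appears in check-certificate-validation-curl, -nodejs-env-var, -pip3, -python-env-var and -wget in this chunk. Separately, this file's context line still uses `CmdLine[]` where the sibling policies use `CmdLine[][]`; that is pre-existing, but worth aligning while the match block is being touched.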
--- a/dockerfile-best-practices/check-certificate-validation-curl/check-certificate-validation-curl.yaml +++ b/dockerfile-best-practices/check-certificate-validation-curl/check-certificate-validation-curl.yaml @@ -6,13 +6,15 @@ metadata: policies.kyverno.io/title: Check for certificate validation using curl in the Dockerfile policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-certificate-validation-curl/" policies.kyverno.io/description: >- This policy checks whether certificate validation is disabled in the Dockerfile using --insecure option when running the curl command spec: rules: - name: check-certificate-validation-curl match: - any: + all: + - ($analyzer.resource.type): dockerfile - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true assert: any: diff --git a/dockerfile-best-practices/check-certificate-validation-git-env-var/README.md b/dockerfile-best-practices/check-certificate-validation-git-env-var/README.md new file mode 100644 index 00000000..fa2ee667 --- /dev/null +++ b/dockerfile-best-practices/check-certificate-validation-git-env-var/README.md 
@@ -0,0 +1,74 @@ +To control SSL certificate validation in Git operations within a Docker container, you can use the `GIT_SSL_NO_VERIFY` environment variable. Setting this variable to true or 1 tells Git to bypass SSL certificate validation, which can be useful in certain situations, such as working with self-signed certificates or in a development environment. However, it's important to understand that disabling SSL certificate validation poses security risks and should be avoided in production environments. + +Here's how you can enable or disable SSL certificate validation in a Dockerfile by setting the `GIT_SSL_NO_VERIFY` environment variable: + +If you want to **disable SSL certificate validation** (not recommended for production), you can set `GIT_SSL_NO_VERIFY` to true in your Dockerfile: + +``` +FROM debian:bullseye + +RUN apt-get update && \ + apt-get install -y git + +ENV GIT_SSL_NO_VERIFY=true +``` + +**To ensure SSL certificate validation is enabled** (which is the default and recommended setting), you can explicitly set GIT_SSL_NO_VERIFY to false in your Dockerfile. This step is generally not necessary unless you have a specific reason to ensure that the environment variable is explicitly set, as Git will validate SSL certificates by default: + +``` +FROM debian:bullseye + +RUN apt-get update && \ + apt-get install -y git + +ENV GIT_SSL_NO_VERIFY=false +``` +This policy checks whether you're using the `GIT_SSL_NO_VERIFY` env variable in the Dockerfile whose value is set to either *false* or *0*. This will give you passing checks else for every other scenario, you'll get failing checks. Please note that be default, the certificate validation is enabled. + +**In order to test this policy, use the following commands:** + +- Make sure you have `kyverno-json` installed on the machine +- Make sure you have [nctl `v3.4.0`](https://downloads.nirmata.io/nctl/downloads/) or above. + + +1. 
**Extract JSON equivalent of the dockerfile:** + ```bash + nctl scan dockerfile -r test/good-test/Dockerfile --show-json > payload.json + ``` + +2. **Test the Policy with Kyverno:** + ```bash + kyverno-json scan --payload payload.json --policy check-certificate-validation-git-env-var.yaml + ``` + a. **Test Policy Against Valid Payload:** + ```bash + kyverno-json scan --policy check-certificate-validation-git-env-var.yaml --payload test/good-test/good-payload.json + ``` + + This produces the output: + + ``` + Loading policies ... + Loading payload ... + Pre processing ... + Running ( evaluating 1 resource against 1 policy ) ... + - check-certificate-validation-git-env-var / check-certificate-validation-git-env-var / PASSED + Done + ``` + + b. **Test Policy Against Invalid Payload:** + ```bash + kyverno-json scan --policy check-certificate-validation-git-env-var.yaml --payload test/bad-test/bad-payload.json + ``` + + This produces the output: + ``` + Loading policies ... + Loading payload ... + Pre processing ... + Running ( evaluating 1 resource against 1 policy ) ... + - check-certificate-validation-git-env-var / check-certificate-validation-git-env-var / FAILED + -> Ensure certificate validation is enabled by using `GIT_SSL_NO_VERIFY` env with value set to '0' or 'false' + -> any[0].check.(Stages[].Commands[].Env[?Key=='GIT_SSL_NO_VERIFY' && (Value=='0' || Value=='false')][] | length(@) > `0`): Invalid value: false: Expected value: true + Done + ``` \ No newline at end of file diff --git a/dockerfile-best-practices/check-certificate-validation-git-env-var/check-certificate-validation-git-env-var.yaml b/dockerfile-best-practices/check-certificate-validation-git-env-var/check-certificate-validation-git-env-var.yaml new file mode 100644 index 00000000..4ff6fced --- /dev/null +++ b/dockerfile-best-practices/check-certificate-validation-git-env-var/check-certificate-validation-git-env-var.yaml 
@@ -0,0 +1,25 @@ +apiVersion: json.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: check-certificate-validation-git-env-var + annotations: + policies.kyverno.io/title: Check for certificate validation in the Dockerfile using Node.js environment variable + policies.kyverno.io/category: Dockerfile Best Practices + policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-certificate-validation-git-env-var/" + policies.kyverno.io/description: >- + To control SSL certificate validation in Git operations within a Docker container, + you can use the GIT_SSL_NO_VERIFY environment variable. Setting this variable to true + or 1 tells Git to bypass SSL certificate validation. +spec: + rules: + - name: check-certificate-validation-git-env-var + match: + all: + - ($analyzer.resource.type): dockerfile + - (Stages[].Commands[?Name=='ENV'] | length(@) > `0`): true + assert: + any: + - message: Ensure certificate validation is enabled by using `GIT_SSL_NO_VERIFY` env with value set to '0' or 'false' + check: + (Stages[].Commands[].Env[?Key=='GIT_SSL_NO_VERIFY' && (Value=='1' || Value=='true')][] | length(@) > `0`): false \ No newline at end of file diff --git a/dockerfile-best-practices/check-certificate-validation-nodejs-env-var/check-certificate-validation-nodejs-env-var.yaml b/dockerfile-best-practices/check-certificate-validation-nodejs-env-var/check-certificate-validation-nodejs-env-var.yaml index 77f8fdaa..1f8fbf60 100644 --- a/dockerfile-best-practices/check-certificate-validation-nodejs-env-var/check-certificate-validation-nodejs-env-var.yaml +++ b/dockerfile-best-practices/check-certificate-validation-nodejs-env-var/check-certificate-validation-nodejs-env-var.yaml 
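Review bot: The check on the last line treats only `1`/`true` as disabling verification, and the README in this commit tells users that `GIT_SSL_NO_VERIFY=false` keeps validation on; as far as I recall, git(1) documents the variable as presence-based (setting it to any value, including an empty string, disables certificate verification), so `ENV GIT_SSL_NO_VERIFY=false` would pass this policy while actually turning verification off — please verify against the Git docs and, if so, replace the `Value=='1' || Value=='true'` filter with a bare `Key=='GIT_SSL_NO_VERIFY'` filter so that any setting of the variable fails the check, and reword the message accordingly. The message and the README's sample output describe a different check (`Value=='0' || Value=='false'` expected `true`) than the one shipped here, so one of them has to change to match the other. The title annotation was copied from the Node.js policy; it should read `policies.kyverno.io/title: Check for certificate validation in the Dockerfile using Git environment variable`. The diffstat lists no test fixtures or chainsaw test for this policy even though the README references test/good-test and test/bad-test payloads.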
@@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Check for certificate validation in the Dockerfile using Node.js environment variable policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-certificate-validation-nodejs-env-var/" policies.kyverno.io/description: >- NODE_TLS_REJECT_UNAUTHORIZED is an environment variable used in Node.js to control TLS certificate verification behavior. This policy checks whether @@ -15,7 +16,8 @@ spec: rules: - name: check-certificate-validation-nodejs-env-var match: - any: + all: + - ($analyzer.resource.type): dockerfile - (Stages[].Commands[?Name=='ENV'] | length(@) > `0`): true assert: any: diff --git a/dockerfile-best-practices/check-certificate-validation-pip3/check-certificate-validation-pip3.yaml b/dockerfile-best-practices/check-certificate-validation-pip3/check-certificate-validation-pip3.yaml index abcd9799..f156d4d0 100644 --- a/dockerfile-best-practices/check-certificate-validation-pip3/check-certificate-validation-pip3.yaml +++ b/dockerfile-best-practices/check-certificate-validation-pip3/check-certificate-validation-pip3.yaml @@ -6,13 +6,15 @@ metadata: policies.kyverno.io/title: Check for certificate validation using pip3 in the Dockerfile policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-certificate-validation-pip3/" policies.kyverno.io/description: >- This policy checks whether certificate validation is disabled in the Dockerfile using --trusted-host option when running the pip3 command spec: rules: - name: check-certificate-validation-pip3 match: - any: + all: + - ($analyzer.resource.type): dockerfile - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true assert: all: 
diff --git a/dockerfile-best-practices/check-certificate-validation-python-env-var/check-certificate-validation-python-env-var.yaml b/dockerfile-best-practices/check-certificate-validation-python-env-var/check-certificate-validation-python-env-var.yaml index 5e95fc9b..1f924d29 100644 --- a/dockerfile-best-practices/check-certificate-validation-python-env-var/check-certificate-validation-python-env-var.yaml +++ b/dockerfile-best-practices/check-certificate-validation-python-env-var/check-certificate-validation-python-env-var.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Check for certificate validation in the Dockerfile using Python environment variable policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-certificate-validation-python-env-var/" policies.kyverno.io/description: >- The PYTHONHTTPSVERIFY environment variable is used in Python to control certificate verification when making HTTPS requests. This policy checks @@ -15,7 +16,8 @@ spec: rules: - name: check-certificate-validation-python-env-var match: - any: + all: + - ($analyzer.resource.type): dockerfile - (Stages[].Commands[?Name=='ENV'] | length(@) > `0`): true assert: any: diff --git a/dockerfile-best-practices/check-certificate-validation-wget/check-certificate-validation-wget.yaml b/dockerfile-best-practices/check-certificate-validation-wget/check-certificate-validation-wget.yaml index 86e2debc..7061ad0a 100644 --- a/dockerfile-best-practices/check-certificate-validation-wget/check-certificate-validation-wget.yaml +++ b/dockerfile-best-practices/check-certificate-validation-wget/check-certificate-validation-wget.yaml 
@@ -6,13 +6,15 @@ metadata: policies.kyverno.io/title: Check for certificate validation using wget in the Dockerfile policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-certificate-validation-wget/" policies.kyverno.io/description: >- This policy checks whether certificate validation is disabled in the Dockerfile using --no-check-certificate option when running the wget command spec: rules: - name: check-certificate-validation-wget match: - any: + all: + - ($analyzer.resource.type): dockerfile - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true assert: any: diff --git a/dockerfile-best-practices/check-certificate-validation-yum-dnf/README.md b/dockerfile-best-practices/check-certificate-validation-yum-dnf/README.md deleted file mode 100644 index e69de29b..00000000 diff --git a/dockerfile-best-practices/check-certificate-validation-yum-dnf/test/check-ceritificate-validation-yum-dnf.yaml b/dockerfile-best-practices/check-certificate-validation-yum-dnf/test/check-ceritificate-validation-yum-dnf.yaml deleted file mode 100644 index e69de29b..00000000 diff --git a/dockerfile-best-practices/check-certificate-validation-yum-dnf/test/good-test/Dockerfile b/dockerfile-best-practices/check-certificate-validation-yum-dnf/test/good-test/Dockerfile deleted file mode 100644 index 54b8f5ea..00000000 --- a/dockerfile-best-practices/check-certificate-validation-yum-dnf/test/good-test/Dockerfile +++ /dev/null @@ -1,6 +0,0 @@ -FROM centos:latest - -RUN dnf -y update --setopt=sslverify=true && \ - dnf -y install wget\ - -CMD [ "echo", "Hello world" ] \ No newline at end of file diff --git a/dockerfile-best-practices/check-label-maintainer/README.md b/dockerfile-best-practices/check-label-maintainer/README.md new file mode 100644 index 00000000..2a424c99 --- /dev/null 
+++ b/dockerfile-best-practices/check-label-maintainer/README.md 
@@ -0,0 +1,27 @@ +The MAINTAINER instruction was historically used in Dockerfiles to specify the name and contact details of the person or team responsible for maintaining the Docker image. It was typically placed at the beginning of the Dockerfile. For example: + +``` +MAINTAINER John Doe +``` + +However, starting from Docker 19.03, the MAINTAINER instruction has been deprecated. Although it still functions, its use is discouraged in favor of the more flexible and powerful LABEL instruction. + +The LABEL instruction allows you to add metadata to an image, including details about the maintainer, version, description, and more. The LABEL instruction can be used to define multiple key-value pairs, making it versatile for annotating images with various metadata. For example: + +``` +LABEL maintainer="John Doe " +``` + +This line achieves the same purpose as the MAINTAINER instruction, but it leverages the more general-purpose LABEL instruction. This change aligns with Docker's efforts to standardize and enhance the Dockerfile syntax. + +Using LABEL for the maintainer information also makes it consistent with other metadata annotations that you might want to add to your Docker image, such as version numbers, descriptions, and licensing information. It provides a more structured and extensible approach to defining metadata for Docker images. + +This policy checks if the LABEL instruction has been used followed up by maintainer/author/owner. If you've not used the LABEL instruction, this policy will give you failing checks. + +**In order to test this Policy, you can use the following commands:** + + Run the `kyverno-json scan` command for the `good-payload.json` file that is present in the `test/good-test` directory. + ``` + kyverno-json scan --payload test/good-test/good-payload.json --policy check-label-maintainer.yaml + ``` + Since the Dockerfile contain the LABEL instruction followed by MAINTAINER, it'll give you passing checks. 
In order to test this policy for failing scenario, run the same command for `bad-payload.json` present in `test/bad-test` directory. \ No newline at end of file diff --git a/dockerfile-best-practices/check-label-maintainer/check-label-maintainer.yaml b/dockerfile-best-practices/check-label-maintainer/check-label-maintainer.yaml new file mode 100644 index 00000000..36be93b3 --- /dev/null +++ b/dockerfile-best-practices/check-label-maintainer/check-label-maintainer.yaml @@ -0,0 +1,27 @@ +apiVersion: json.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: check-label-maintainer + annotations: + policies.kyverno.io/title: Validating LABEL maintainer instruction in Dockerfile + policies.kyverno.io/category: Dockerfile Best Practices + policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-label-maintainer/" + policies.kyverno.io/description: >- + MAINTAINER instruction is deprecated for the Dockerfile. Instead, you can use the + LABEL instruction to provide the maintainer name in the Dockerfile. This policy checks + if LABEL instruction has been specified with maintainer name. +spec: + rules: + - assert: + all: + - check: + (Stages[].Commands[?Name=='MAINTAINER'][] | length(@) > `0`): false + message: MAINTAINER instruction is deprecated, use LABELS instruction to mention maintainer name + - check: + (Stages[].Commands[].Labels[?Key=='maintainer' || Key=='owner' || Key=='author'][] | length(@) > `0`): true + message: Use the LABELS instruction to set the MAINTAINER name + name: dockerfile-allow-label-maintainer-instruction + match: + all: + - ($analyzer.resource.type): dockerfile \ No newline at end of file diff --git a/dockerfile-best-practices/check-last-user/check-last-user.yaml b/dockerfile-best-practices/check-last-user/check-last-user.yaml index 77f6302f..e0e8efda 100644 --- a/dockerfile-best-practices/check-last-user/check-last-user.yaml 
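Review bot: Both `message` strings in the new rule refer to a `LABELS` instruction, which does not exist in Dockerfile syntax; the instruction is `LABEL`, so the remediation text will mislead users — change them to `use the LABEL instruction to record the maintainer name`. The second check only tests that a `maintainer`/`owner`/`author` key exists and is case-sensitive, so `LABEL maintainer=""` passes and `LABEL Maintainer=...` fails; if the parsed label entries carry a value field, compare it too, e.g. `Labels[?(Key=='maintainer' || Key=='owner' || Key=='author') && Value != '']`. The README added alongside this policy tells users to run `kyverno-json scan` without `--bindings`, which the `($analyzer.resource.type): dockerfile` match cannot satisfy, and the later patch in this series adds only `test/binding.yaml` for this policy (no chainsaw test or payloads), so the rule currently ships without an executable test.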
+++ b/dockerfile-best-practices/check-last-user/check-last-user.yaml @@ -6,13 +6,15 @@ metadata: policies.kyverno.io/title: Check last USER policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-last-user/" policies.kyverno.io/description: >- This policy validates that the last USER is not root. spec: rules: - name: check-last-user match: - any: + all: + - ($analyzer.resource.type): dockerfile - (Stages[].Commands[?Name=='USER'][] | length(@) > `0`): true assert: any: diff --git a/dockerfile-best-practices/check-missing-signature-options/check-missing-signature-options.yaml b/dockerfile-best-practices/check-missing-signature-options/check-missing-signature-options.yaml index 924de342..84eefba3 100644 --- a/dockerfile-best-practices/check-missing-signature-options/check-missing-signature-options.yaml +++ b/dockerfile-best-practices/check-missing-signature-options/check-missing-signature-options.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: check for missing signature options via rpm policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-missing-signature-options/" policies.kyverno.io/description: >- This policy ensures that packages with untrusted or missing signatures are not used by rpm via the ‘–nodigest’, ‘–nosignature’, ‘–noverify’, or @@ -14,7 +15,8 @@ spec: rules: - name: check-missing-signature-options match: - any: + all: + - ($analyzer.resource.type): dockerfile - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true assert: all: diff --git a/dockerfile-best-practices/check-nogpgcheck/check-nogpgcheck.yaml b/dockerfile-best-practices/check-nogpgcheck/check-nogpgcheck.yaml index 17e86e0e..490209c8 100644 
--- a/dockerfile-best-practices/check-nogpgcheck/check-nogpgcheck.yaml +++ b/dockerfile-best-practices/check-nogpgcheck/check-nogpgcheck.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Check for GPG signature when using yum/dnf/tdnf in the Dockerfile policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-nogpgcheck/" policies.kyverno.io/description: >- GPG signature checking is a security feature that verifies the authenticity and integrity of packages before they are @@ -17,7 +18,8 @@ spec: rules: - name: check-nogpgcheck match: - any: + all: + - ($analyzer.resource.type): dockerfile - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true assert: all: diff --git a/dockerfile-best-practices/check-npm-config-strict-ssl/check-npm-config-strict-ssl.yaml b/dockerfile-best-practices/check-npm-config-strict-ssl/check-npm-config-strict-ssl.yaml index 63badf49..f304d5b4 100644 --- a/dockerfile-best-practices/check-npm-config-strict-ssl/check-npm-config-strict-ssl.yaml +++ b/dockerfile-best-practices/check-npm-config-strict-ssl/check-npm-config-strict-ssl.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Check for certificate validation in the Dockerfile for npm using `NPM_CONFIG_STRICT_SSL` environemt variable policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-npm-config-strict-ssl/" policies.kyverno.io/description: >- The NPM_CONFIG_STRICT_SSL environment variable is used to control strict SSL certificate validation behavior in npm. This policy ensures that certificate 
@@ -15,7 +16,8 @@ spec: rules: - name: check-npm-config-strict-ssl match: - any: + all: + - ($analyzer.resource.type): dockerfile - (Stages[].Commands[?Name=='ENV'] | length(@) > `0`): true assert: any: diff --git a/dockerfile-best-practices/check-untrust-flag/check-allow-untrusted-flag.yaml b/dockerfile-best-practices/check-untrust-flag/check-allow-untrusted-flag.yaml index 4524b663..23a74b68 100644 --- a/dockerfile-best-practices/check-untrust-flag/check-allow-untrusted-flag.yaml +++ b/dockerfile-best-practices/check-untrust-flag/check-allow-untrusted-flag.yaml @@ -6,13 +6,15 @@ metadata: policies.kyverno.io/title: Check for untrusted flag in Dockerfile policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-untrust-flag/" policies.kyverno.io/description: >- This policy ensures that Dockerfile do not contain the '--allow-untrusted' flag. spec: rules: - name: detect-untrusted-flag match: - any: + all: + - ($analyzer.resource.type): dockerfile - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true assert: any: diff --git a/dockerfile-best-practices/detect-multiple-instructions/detect-multiple-instructions.yaml b/dockerfile-best-practices/detect-multiple-instructions/detect-multiple-instructions.yaml index 8256db78..18ef12a8 100644 --- a/dockerfile-best-practices/detect-multiple-instructions/detect-multiple-instructions.yaml +++ b/dockerfile-best-practices/detect-multiple-instructions/detect-multiple-instructions.yaml 
@@ -6,13 +6,15 @@ metadata: policies.kyverno.io/title: Detect Multiple Instructions in Single Line policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/detect-multiple-instructions/" policies.kyverno.io/description: >- This policy ensures that Dockerfile Container Image Should Be Built with Minimal Cached Layers spec: rules: - name: detect-multiple-instructions match: - any: + all: + - ($analyzer.resource.type): dockerfile - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true assert: all: diff --git a/dockerfile-best-practices/disallow-sudo-operations/disallow-sudo-operations.yaml b/dockerfile-best-practices/disallow-sudo-operations/disallow-sudo-operations.yaml index a508f627..4f8c374b 100644 --- a/dockerfile-best-practices/disallow-sudo-operations/disallow-sudo-operations.yaml +++ b/dockerfile-best-practices/disallow-sudo-operations/disallow-sudo-operations.yaml @@ -6,13 +6,15 @@ metadata: policies.kyverno.io/title: Check for sudo operation existence policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/disallow-sudo-operations/" policies.kyverno.io/description: >- Using sudo within a Dockerfile is not recommended to avoid privilege escalation. spec: rules: - name: detect-sudo-operations match: - any: + all: + - ($analyzer.resource.type): dockerfile - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true assert: any: diff --git a/dockerfile-best-practices/prefer-copy-over-add/prefer-copy-over-add.yaml b/dockerfile-best-practices/prefer-copy-over-add/prefer-copy-over-add.yaml index d54eb771..40329fa8 100644 --- a/dockerfile-best-practices/prefer-copy-over-add/prefer-copy-over-add.yaml 
+++ b/dockerfile-best-practices/prefer-copy-over-add/prefer-copy-over-add.yaml @@ -6,13 +6,15 @@ metadata: policies.kyverno.io/title: Prefer COPY over ADD in Dockerfile policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/prefer-copy-over-add/" policies.kyverno.io/description: >- This policy ensures that COPY instructions are used instead of ADD instructions in Dockerfiles. spec: rules: - name: prefer-copy-over-add match: - any: + all: + - ($analyzer.resource.type): dockerfile - (Stages[].Commands[] | length(@) > `0`): true assert: any: diff --git a/dockerfile-best-practices/validate-base-image-tag/validate-base-image-tag.yaml b/dockerfile-best-practices/validate-base-image-tag/validate-base-image-tag.yaml index b3c60eba..4c746a39 100644 --- a/dockerfile-best-practices/validate-base-image-tag/validate-base-image-tag.yaml +++ b/dockerfile-best-practices/validate-base-image-tag/validate-base-image-tag.yaml @@ -6,13 +6,15 @@ metadata: policies.kyverno.io/title: Validate base image tag policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/validate-base-image-tag/" policies.kyverno.io/description: >- This policy checks whether the base image tag is defined with a specific version or digest in the Dockerfile. spec: rules: - name: validate-base-image-tag match: - any: + all: + - ($analyzer.resource.type): dockerfile - (Stages[].From | length(@) > `0`): true assert: any: diff --git a/dockerfile-best-practices/validate-expose-port-22/validate-expose-port-22.yaml b/dockerfile-best-practices/validate-expose-port-22/validate-expose-port-22.yaml index 23b82ed3..393cd0cf 100644 --- a/dockerfile-best-practices/validate-expose-port-22/validate-expose-port-22.yaml 
+++ b/dockerfile-best-practices/validate-expose-port-22/validate-expose-port-22.yaml @@ -6,13 +6,15 @@ metadata: policies.kyverno.io/title: Validating Exposed Port 22 in Dockerfile policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/validate-expose-port-22/" policies.kyverno.io/description: >- This policy checks whether Dockerfiles exposes port 22. spec: rules: - name: prefer-copy-over-add match: - any: + all: + - ($analyzer.resource.type): dockerfile - (Stages[].Commands[?Name=='EXPOSE'][] | length(@) > `0`): true assert: any: diff --git a/dockerfile-best-practices/validate-healthcheck-instruction/validate-healthcheck-instruction.yaml b/dockerfile-best-practices/validate-healthcheck-instruction/validate-healthcheck-instruction.yaml index 4da628b6..5f8c42ac 100644 --- a/dockerfile-best-practices/validate-healthcheck-instruction/validate-healthcheck-instruction.yaml +++ b/dockerfile-best-practices/validate-healthcheck-instruction/validate-healthcheck-instruction.yaml @@ -6,13 +6,15 @@ metadata: policies.kyverno.io/title: Validate Healthcheck Instruction policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/validate-healthcheck-instruction/" policies.kyverno.io/description: >- This policy checks if the HEALTHCHECK instruction is defined in the Dockerfile. spec: rules: - name: validate-healthcheck-instruction match: - any: + all: + - ($analyzer.resource.type): dockerfile - (Stages[].Commands[] | length(@) > `0`): true assert: any: diff --git a/dockerfile-best-practices/validate-user-instruction/validate-user-instruction.yaml b/dockerfile-best-practices/validate-user-instruction/validate-user-instruction.yaml index 4354b502..8ed37b69 100644 
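Review bot: The rule in the port-22 policy is still named `prefer-copy-over-add` (visible as context directly above the changed `match`), so its findings are reported under the name of a different policy and cannot be told apart from the real COPY/ADD rule in scan output; rename it `- name: validate-expose-port-22`. This is pre-existing rather than introduced by the binding change, but the commit already edits the adjacent lines. The `assert` that inspects the EXPOSE ports lies outside the hunk.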
--- a/dockerfile-best-practices/validate-user-instruction/validate-user-instruction.yaml +++ b/dockerfile-best-practices/validate-user-instruction/validate-user-instruction.yaml @@ -6,13 +6,15 @@ metadata: policies.kyverno.io/title: Validate USER instruction in Dockerfile policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/validate-user-instruction/" policies.kyverno.io/description: >- This policy checks if the Dockerfile contains a USER instruction. If the USER instruction is not present, the policy fails. spec: rules: - name: validate-user-instruction match: - any: + all: + - ($analyzer.resource.type): dockerfile - (Stages[].Commands[] | length(@) > `0`): true assert: any: From 5e03dbc320bfb19e5efd1925c70de039aa730697 Mon Sep 17 00:00:00 2001 From: Anusha Hegde Date: Fri, 14 Jun 2024 20:42:32 +0200 Subject: [PATCH 2/4] Add bindings support Update kyverno-json to main --- .github/workflows/chainsaw-e2e.yaml | 2 +- .../check-apt-command-force-yes/test/binding.yaml | 3 +++ .../check-apt-command-force-yes/test/chainsaw-test.yaml | 6 +++--- 3 files changed, 7 insertions(+), 4 deletions(-) create mode 100644 dockerfile-best-practices/check-apt-command-force-yes/test/binding.yaml diff --git a/.github/workflows/chainsaw-e2e.yaml b/.github/workflows/chainsaw-e2e.yaml index f64208cf..0b9fa181 100644 --- a/.github/workflows/chainsaw-e2e.yaml +++ b/.github/workflows/chainsaw-e2e.yaml @@ -25,7 +25,7 @@ jobs: - name: Install kyverno-json uses: kyverno/action-install-kyverno-json@4ac28215fd015ff6aa5525afc67f119f9f758957 # v0.0.1 with: - release: v0.0.3-alpha.2 + release: main - name: Prepare environment run: | diff --git a/dockerfile-best-practices/check-apt-command-force-yes/test/binding.yaml b/dockerfile-best-practices/check-apt-command-force-yes/test/binding.yaml new file mode 100644 index 00000000..4a78623f --- /dev/null 
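Review bot: `release: main` makes the CI job install whatever is currently on the kyverno-json default branch, so the e2e results are no longer reproducible and an upstream regression or a malicious commit on that branch flows straight into this repository's checks, even though the install action itself remains SHA-pinned. If bindings support is not yet in a tagged release, keep `main` only with an explicit marker such as `# TODO: pin to the first tagged kyverno-json release with --bindings support` and return to a version tag as soon as one exists. The rest of the job definition is outside the hunk.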
+++ b/dockerfile-best-practices/check-apt-command-force-yes/test/binding.yaml @@ -0,0 +1,3 @@ +analyzer: + resource: + type: dockerfile \ No newline at end of file diff --git a/dockerfile-best-practices/check-apt-command-force-yes/test/chainsaw-test.yaml b/dockerfile-best-practices/check-apt-command-force-yes/test/chainsaw-test.yaml index 44d82ad3..0cb7c7e8 100644 --- a/dockerfile-best-practices/check-apt-command-force-yes/test/chainsaw-test.yaml +++ b/dockerfile-best-practices/check-apt-command-force-yes/test/chainsaw-test.yaml @@ -10,7 +10,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-apt-command-force-yes.yaml --payload ./good-test/good-payload.json --output json + kyverno-json scan --policy ../check-apt-command-force-yes.yaml --payload ./good-test/good-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): @@ -38,7 +38,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-apt-command-force-yes.yaml --payload ./bad-test/bad-payload.json --output json + kyverno-json scan --policy ../check-apt-command-force-yes.yaml --payload ./bad-test/bad-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): @@ -72,7 +72,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-apt-command-force-yes.yaml --payload ./bad-test/bad-payload-02.json --output json + kyverno-json scan --policy ../check-apt-command-force-yes.yaml --payload ./bad-test/bad-payload-02.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): From a81f914bc92c2d35561982757b402e46d2d145b8 Mon Sep 17 00:00:00 2001 
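Review bot: Every scan in these steps now passes `--bindings ./binding.yaml` with `type: dockerfile`, so the suite exercises the assertions but never the new `($analyzer.resource.type)` guard itself; a step that scans the bad payload with a binding of another type (or with no binding) and expects zero results would catch the guard being dropped, mis-spelled or behaving differently than assumed. The same three-line `binding.yaml` is then copied into every policy directory by the follow-up patch; one shared file under `dockerfile-best-practices/` referenced by relative path would avoid twenty identical copies drifting apart. The expected-result blocks of each step are outside the hunk.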
From: Anusha Hegde Date: Fri, 14 Jun 2024 21:01:09 +0200 Subject: [PATCH 3/4] Add binding for dockerfile policies --- .../check-authentication/test/binding.yaml | 3 +++ .../check-authentication/test/chainsaw-test.yaml | 4 ++-- .../test/binding.yaml | 3 +++ .../test/chainsaw-test.yaml | 4 ++-- .../test/binding.yaml | 3 +++ .../test/binding.yaml | 3 +++ .../test/chainsaw-test.yaml | 4 ++-- .../test/binding.yaml | 3 +++ .../test/chainsaw-test.yaml | 6 +++--- .../test/binding.yaml | 3 +++ .../test/chainsaw-test.yaml | 4 ++-- .../test/binding.yaml | 3 +++ .../test/chainsaw-test.yaml | 4 ++-- .../check-label-maintainer/test/binding.yaml | 3 +++ .../check-last-user/test/binding.yaml | 3 +++ .../test/binding.yaml | 3 +++ .../test/chainsaw-test.yaml | 10 +++++----- .../check-nogpgcheck/test/binding.yaml | 3 +++ .../check-nogpgcheck/test/chainsaw-test.yaml | 12 ++++++------ .../check-npm-config-strict-ssl/test/binding.yaml | 3 +++ .../test/chainsaw-test.yaml | 4 ++-- .../check-untrust-flag/test/binding.yaml | 3 +++ .../check-untrust-flag/test/chainsaw-test.yaml | 4 ++-- .../detect-multiple-instructions/test/binding.yaml | 3 +++ .../test/chainsaw-test.yaml | 4 ++-- .../disallow-sudo-operations/test/binding.yaml | 3 +++ .../disallow-sudo-operations/test/chainsaw-test.yaml | 4 ++-- .../prefer-copy-over-add/test/binding.yaml | 3 +++ .../prefer-copy-over-add/test/chainsaw-test.yaml | 4 ++-- .../validate-base-image-tag/test/binding.yaml | 3 +++ .../validate-expose-port-22/test/binding.yaml | 3 +++ .../test/binding.yaml | 3 +++ .../test/chainsaw-test.yaml | 4 ++-- .../validate-user-instruction/test/binding.yaml | 3 +++ .../test/chainsaw-test.yaml | 4 ++-- 35 files changed, 98 insertions(+), 38 deletions(-) create mode 100644 dockerfile-best-practices/check-authentication/test/binding.yaml create mode 100644 dockerfile-best-practices/check-certificate-validation-curl/test/binding.yaml create mode 100644 
dockerfile-best-practices/check-certificate-validation-git-env-var/test/binding.yaml create mode 100644 dockerfile-best-practices/check-certificate-validation-nodejs-env-var/test/binding.yaml create mode 100644 dockerfile-best-practices/check-certificate-validation-pip3/test/binding.yaml create mode 100644 dockerfile-best-practices/check-certificate-validation-python-env-var/test/binding.yaml create mode 100644 dockerfile-best-practices/check-certificate-validation-wget/test/binding.yaml create mode 100644 dockerfile-best-practices/check-label-maintainer/test/binding.yaml create mode 100644 dockerfile-best-practices/check-last-user/test/binding.yaml create mode 100644 dockerfile-best-practices/check-missing-signature-options/test/binding.yaml create mode 100644 dockerfile-best-practices/check-nogpgcheck/test/binding.yaml create mode 100644 dockerfile-best-practices/check-npm-config-strict-ssl/test/binding.yaml create mode 100644 dockerfile-best-practices/check-untrust-flag/test/binding.yaml create mode 100644 dockerfile-best-practices/detect-multiple-instructions/test/binding.yaml create mode 100644 dockerfile-best-practices/disallow-sudo-operations/test/binding.yaml create mode 100644 dockerfile-best-practices/prefer-copy-over-add/test/binding.yaml create mode 100644 dockerfile-best-practices/validate-base-image-tag/test/binding.yaml create mode 100644 dockerfile-best-practices/validate-expose-port-22/test/binding.yaml create mode 100644 dockerfile-best-practices/validate-healthcheck-instruction/test/binding.yaml create mode 100644 dockerfile-best-practices/validate-user-instruction/test/binding.yaml diff --git a/dockerfile-best-practices/check-authentication/test/binding.yaml b/dockerfile-best-practices/check-authentication/test/binding.yaml new file mode 100644 index 00000000..4a78623f --- /dev/null +++ b/dockerfile-best-practices/check-authentication/test/binding.yaml @@ -0,0 +1,3 @@ +analyzer: + resource: + type: dockerfile \ No newline at end of file 
diff --git a/dockerfile-best-practices/check-authentication/test/chainsaw-test.yaml b/dockerfile-best-practices/check-authentication/test/chainsaw-test.yaml index 9591542d..e4856d84 100644 --- a/dockerfile-best-practices/check-authentication/test/chainsaw-test.yaml +++ b/dockerfile-best-practices/check-authentication/test/chainsaw-test.yaml @@ -10,7 +10,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-unauthentication-install.yaml --payload ./good-test/good-payload.json --output json + kyverno-json scan --policy ../check-unauthentication-install.yaml --payload ./good-test/good-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): @@ -38,7 +38,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-unauthentication-install.yaml --payload ./bad-test/bad-payload.json --output json + kyverno-json scan --policy ../check-unauthentication-install.yaml --payload ./bad-test/bad-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): diff --git a/dockerfile-best-practices/check-certificate-validation-curl/test/binding.yaml b/dockerfile-best-practices/check-certificate-validation-curl/test/binding.yaml new file mode 100644 index 00000000..4a78623f --- /dev/null +++ b/dockerfile-best-practices/check-certificate-validation-curl/test/binding.yaml @@ -0,0 +1,3 @@ +analyzer: + resource: + type: dockerfile \ No newline at end of file diff --git a/dockerfile-best-practices/check-certificate-validation-curl/test/chainsaw-test.yaml b/dockerfile-best-practices/check-certificate-validation-curl/test/chainsaw-test.yaml index d68c3fe4..c9e0934f 100644 --- a/dockerfile-best-practices/check-certificate-validation-curl/test/chainsaw-test.yaml +++ b/dockerfile-best-practices/check-certificate-validation-curl/test/chainsaw-test.yaml 
@@ -10,7 +10,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-certificate-validation-curl.yaml --payload ./good-test/good-payload.json --output json + kyverno-json scan --policy ../check-certificate-validation-curl.yaml --payload ./good-test/good-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): @@ -38,7 +38,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-certificate-validation-curl.yaml --payload ./bad-test/bad-payload.json --output json + kyverno-json scan --policy ../check-certificate-validation-curl.yaml --payload ./bad-test/bad-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): diff --git a/dockerfile-best-practices/check-certificate-validation-git-env-var/test/binding.yaml b/dockerfile-best-practices/check-certificate-validation-git-env-var/test/binding.yaml new file mode 100644 index 00000000..4a78623f --- /dev/null +++ b/dockerfile-best-practices/check-certificate-validation-git-env-var/test/binding.yaml @@ -0,0 +1,3 @@ +analyzer: + resource: + type: dockerfile \ No newline at end of file diff --git a/dockerfile-best-practices/check-certificate-validation-nodejs-env-var/test/binding.yaml b/dockerfile-best-practices/check-certificate-validation-nodejs-env-var/test/binding.yaml new file mode 100644 index 00000000..4a78623f --- /dev/null +++ b/dockerfile-best-practices/check-certificate-validation-nodejs-env-var/test/binding.yaml @@ -0,0 +1,3 @@ +analyzer: + resource: + type: dockerfile \ No newline at end of file diff --git a/dockerfile-best-practices/check-certificate-validation-nodejs-env-var/test/chainsaw-test.yaml b/dockerfile-best-practices/check-certificate-validation-nodejs-env-var/test/chainsaw-test.yaml index 918e2f21..7e130f86 100644 --- a/dockerfile-best-practices/check-certificate-validation-nodejs-env-var/test/chainsaw-test.yaml 
+++ b/dockerfile-best-practices/check-certificate-validation-nodejs-env-var/test/chainsaw-test.yaml @@ -10,7 +10,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-certificate-validation-nodejs-env-var.yaml --payload ./good-test/good-payload.json --output json + kyverno-json scan --policy ../check-certificate-validation-nodejs-env-var.yaml --payload ./good-test/good-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): @@ -38,7 +38,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-certificate-validation-nodejs-env-var.yaml --payload ./bad-test/bad-payload.json --output json + kyverno-json scan --policy ../check-certificate-validation-nodejs-env-var.yaml --payload ./bad-test/bad-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): diff --git a/dockerfile-best-practices/check-certificate-validation-pip3/test/binding.yaml b/dockerfile-best-practices/check-certificate-validation-pip3/test/binding.yaml new file mode 100644 index 00000000..4a78623f --- /dev/null +++ b/dockerfile-best-practices/check-certificate-validation-pip3/test/binding.yaml @@ -0,0 +1,3 @@ +analyzer: + resource: + type: dockerfile \ No newline at end of file diff --git a/dockerfile-best-practices/check-certificate-validation-pip3/test/chainsaw-test.yaml b/dockerfile-best-practices/check-certificate-validation-pip3/test/chainsaw-test.yaml index b1f4c5ee..67019566 100644 --- a/dockerfile-best-practices/check-certificate-validation-pip3/test/chainsaw-test.yaml +++ b/dockerfile-best-practices/check-certificate-validation-pip3/test/chainsaw-test.yaml 
@@ -10,7 +10,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-certificate-validation-pip3.yaml --payload ./good-test/good-payload.json --output json + kyverno-json scan --policy ../check-certificate-validation-pip3.yaml --payload ./good-test/good-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): @@ -38,7 +38,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-certificate-validation-pip3.yaml --payload ./bad-test/bad-payload.json --output json + kyverno-json scan --policy ../check-certificate-validation-pip3.yaml --payload ./bad-test/bad-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): @@ -71,7 +71,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-certificate-validation-pip3.yaml --payload ./bad-test/bad-payload-02.json --output json + kyverno-json scan --policy ../check-certificate-validation-pip3.yaml --payload ./bad-test/bad-payload-02.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): diff --git a/dockerfile-best-practices/check-certificate-validation-python-env-var/test/binding.yaml b/dockerfile-best-practices/check-certificate-validation-python-env-var/test/binding.yaml new file mode 100644 index 00000000..4a78623f --- /dev/null +++ b/dockerfile-best-practices/check-certificate-validation-python-env-var/test/binding.yaml @@ -0,0 +1,3 @@ +analyzer: + resource: + type: dockerfile \ No newline at end of file diff --git a/dockerfile-best-practices/check-certificate-validation-python-env-var/test/chainsaw-test.yaml b/dockerfile-best-practices/check-certificate-validation-python-env-var/test/chainsaw-test.yaml index dc958913..a813a85c 100644 --- a/dockerfile-best-practices/check-certificate-validation-python-env-var/test/chainsaw-test.yaml +++ b/dockerfile-best-practices/check-certificate-validation-python-env-var/test/chainsaw-test.yaml 
@@ -10,7 +10,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-certificate-validation-python-env-var.yaml --payload ./good-test/good-payload.json --output json + kyverno-json scan --policy ../check-certificate-validation-python-env-var.yaml --payload ./good-test/good-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): @@ -38,7 +38,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-certificate-validation-python-env-var.yaml --payload ./bad-test/bad-payload.json --output json + kyverno-json scan --policy ../check-certificate-validation-python-env-var.yaml --payload ./bad-test/bad-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): diff --git a/dockerfile-best-practices/check-certificate-validation-wget/test/binding.yaml b/dockerfile-best-practices/check-certificate-validation-wget/test/binding.yaml new file mode 100644 index 00000000..4a78623f --- /dev/null +++ b/dockerfile-best-practices/check-certificate-validation-wget/test/binding.yaml @@ -0,0 +1,3 @@ +analyzer: + resource: + type: dockerfile \ No newline at end of file diff --git a/dockerfile-best-practices/check-certificate-validation-wget/test/chainsaw-test.yaml b/dockerfile-best-practices/check-certificate-validation-wget/test/chainsaw-test.yaml index 0104402d..d4802176 100644 --- a/dockerfile-best-practices/check-certificate-validation-wget/test/chainsaw-test.yaml +++ b/dockerfile-best-practices/check-certificate-validation-wget/test/chainsaw-test.yaml @@ -10,7 +10,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-certificate-validation-wget.yaml --payload ./good-test/good-payload.json --output json + kyverno-json scan --policy ../check-certificate-validation-wget.yaml --payload ./good-test/good-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): 
@@ -38,7 +38,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-certificate-validation-wget.yaml --payload ./bad-test/bad-payload.json --output json + kyverno-json scan --policy ../check-certificate-validation-wget.yaml --payload ./bad-test/bad-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): diff --git a/dockerfile-best-practices/check-label-maintainer/test/binding.yaml b/dockerfile-best-practices/check-label-maintainer/test/binding.yaml new file mode 100644 index 00000000..4a78623f --- /dev/null +++ b/dockerfile-best-practices/check-label-maintainer/test/binding.yaml @@ -0,0 +1,3 @@ +analyzer: + resource: + type: dockerfile \ No newline at end of file diff --git a/dockerfile-best-practices/check-last-user/test/binding.yaml b/dockerfile-best-practices/check-last-user/test/binding.yaml new file mode 100644 index 00000000..4a78623f --- /dev/null +++ b/dockerfile-best-practices/check-last-user/test/binding.yaml @@ -0,0 +1,3 @@ +analyzer: + resource: + type: dockerfile \ No newline at end of file diff --git a/dockerfile-best-practices/check-missing-signature-options/test/binding.yaml b/dockerfile-best-practices/check-missing-signature-options/test/binding.yaml new file mode 100644 index 00000000..4a78623f --- /dev/null +++ b/dockerfile-best-practices/check-missing-signature-options/test/binding.yaml @@ -0,0 +1,3 @@ +analyzer: + resource: + type: dockerfile \ No newline at end of file diff --git a/dockerfile-best-practices/check-missing-signature-options/test/chainsaw-test.yaml b/dockerfile-best-practices/check-missing-signature-options/test/chainsaw-test.yaml index bd667b6f..4ea66f15 100644 --- a/dockerfile-best-practices/check-missing-signature-options/test/chainsaw-test.yaml +++ b/dockerfile-best-practices/check-missing-signature-options/test/chainsaw-test.yaml 
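Review bot: binding.yaml files are added for check-label-maintainer and check-last-user here, but no corresponding `chainsaw-test.yaml` hunk for those two directories appears in this view, unlike every other policy in the series whose scan command gains `--bindings ./binding.yaml`. If their tests do not pass the binding and the policies match on `$analyzer.resource.type`, the rules would be silently skipped there and both the good and bad cases would report a pass. Please confirm those test files already reference `./binding.yaml` or are updated in the same commit.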
@@ -10,7 +10,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-missing-signature-options.yaml --payload ./good-test/good-payload.json --output json + kyverno-json scan --policy ../check-missing-signature-options.yaml --payload ./good-test/good-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): @@ -38,7 +38,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-missing-signature-options.yaml --payload ./bad-test/01-digest/bad-payload.json --output json + kyverno-json scan --policy ../check-missing-signature-options.yaml --payload ./bad-test/01-digest/bad-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): @@ -71,7 +71,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-missing-signature-options.yaml --payload ./bad-test/02-signature/bad-payload.json --output json + kyverno-json scan --policy ../check-missing-signature-options.yaml --payload ./bad-test/02-signature/bad-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): @@ -104,7 +104,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-missing-signature-options.yaml --payload ./bad-test/03-verify/bad-payload.json --output json + kyverno-json scan --policy ../check-missing-signature-options.yaml --payload ./bad-test/03-verify/bad-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): @@ -137,7 +137,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-missing-signature-options.yaml --payload ./bad-test/04-filedigest/bad-payload.json --output json + kyverno-json scan --policy ../check-missing-signature-options.yaml --payload ./bad-test/04-filedigest/bad-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): 
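Review bot: Every step in the missing-signature-options hunks combines `set -e` with a `check:` of `($error): ~`, so the bad-payload cases only work while `kyverno-json scan` exits 0 on a policy violation and reports the failure solely in its JSON output. That contract is not stated anywhere in the test, and a release that starts returning non-zero on failing rules would turn these steps into script errors rather than reported violations. A one-line comment above the command, `# kyverno-json exits 0 on violations; results are read from the JSON on stdout`, records the assumption for the next maintainer; if a non-zero exit is ever intended, the status should be captured separately instead of relying on `set -e`.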
diff --git a/dockerfile-best-practices/check-nogpgcheck/test/binding.yaml b/dockerfile-best-practices/check-nogpgcheck/test/binding.yaml new file mode 100644 index 00000000..4a78623f --- /dev/null +++ b/dockerfile-best-practices/check-nogpgcheck/test/binding.yaml @@ -0,0 +1,3 @@ +analyzer: + resource: + type: dockerfile \ No newline at end of file diff --git a/dockerfile-best-practices/check-nogpgcheck/test/chainsaw-test.yaml b/dockerfile-best-practices/check-nogpgcheck/test/chainsaw-test.yaml index fca4deb8..33031609 100644 --- a/dockerfile-best-practices/check-nogpgcheck/test/chainsaw-test.yaml +++ b/dockerfile-best-practices/check-nogpgcheck/test/chainsaw-test.yaml @@ -10,7 +10,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-nogpgcheck.yaml --payload ./good-test/01-yum/good-payload.json --output json + kyverno-json scan --policy ../check-nogpgcheck.yaml --payload ./good-test/01-yum/good-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): @@ -38,7 +38,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-nogpgcheck.yaml --payload ./good-test/02-dnf/good-payload.json --output json + kyverno-json scan --policy ../check-nogpgcheck.yaml --payload ./good-test/02-dnf/good-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): @@ -66,7 +66,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-nogpgcheck.yaml --payload ./good-test/03-tdnf/good-payload.json --output json + kyverno-json scan --policy ../check-nogpgcheck.yaml --payload ./good-test/03-tdnf/good-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): 
@@ -94,7 +94,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-nogpgcheck.yaml --payload ./bad-test/01-yum/bad-payload.json --output json + kyverno-json scan --policy ../check-nogpgcheck.yaml --payload ./bad-test/01-yum/bad-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): @@ -127,7 +127,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-nogpgcheck.yaml --payload ./bad-test/02-dnf/bad-payload.json --output json + kyverno-json scan --policy ../check-nogpgcheck.yaml --payload ./bad-test/02-dnf/bad-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): @@ -160,7 +160,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-nogpgcheck.yaml --payload ./bad-test/03-tdnf/bad-payload.json --output json + kyverno-json scan --policy ../check-nogpgcheck.yaml --payload ./bad-test/03-tdnf/bad-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): diff --git a/dockerfile-best-practices/check-npm-config-strict-ssl/test/binding.yaml b/dockerfile-best-practices/check-npm-config-strict-ssl/test/binding.yaml new file mode 100644 index 00000000..4a78623f --- /dev/null +++ b/dockerfile-best-practices/check-npm-config-strict-ssl/test/binding.yaml @@ -0,0 +1,3 @@ +analyzer: + resource: + type: dockerfile \ No newline at end of file diff --git a/dockerfile-best-practices/check-npm-config-strict-ssl/test/chainsaw-test.yaml b/dockerfile-best-practices/check-npm-config-strict-ssl/test/chainsaw-test.yaml index ecfa61b4..5db0d480 100644 --- a/dockerfile-best-practices/check-npm-config-strict-ssl/test/chainsaw-test.yaml +++ b/dockerfile-best-practices/check-npm-config-strict-ssl/test/chainsaw-test.yaml 
@@ -10,7 +10,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-npm-config-strict-ssl.yaml --payload ./good-test/good-payload.json --output json + kyverno-json scan --policy ../check-npm-config-strict-ssl.yaml --payload ./good-test/good-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): @@ -38,7 +38,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-npm-config-strict-ssl.yaml --payload ./bad-test/bad-payload.json --output json + kyverno-json scan --policy ../check-npm-config-strict-ssl.yaml --payload ./bad-test/bad-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): diff --git a/dockerfile-best-practices/check-untrust-flag/test/binding.yaml b/dockerfile-best-practices/check-untrust-flag/test/binding.yaml new file mode 100644 index 00000000..4a78623f --- /dev/null +++ b/dockerfile-best-practices/check-untrust-flag/test/binding.yaml @@ -0,0 +1,3 @@ +analyzer: + resource: + type: dockerfile \ No newline at end of file diff --git a/dockerfile-best-practices/check-untrust-flag/test/chainsaw-test.yaml b/dockerfile-best-practices/check-untrust-flag/test/chainsaw-test.yaml index 7639db86..2e405ff5 100644 --- a/dockerfile-best-practices/check-untrust-flag/test/chainsaw-test.yaml +++ b/dockerfile-best-practices/check-untrust-flag/test/chainsaw-test.yaml @@ -10,7 +10,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-allow-untrusted-flag.yaml --payload ./good-test/good-payload.json --output json + kyverno-json scan --policy ../check-allow-untrusted-flag.yaml --payload ./good-test/good-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): 
@@ -38,7 +38,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../check-allow-untrusted-flag.yaml --payload ./bad-test/bad-payload.json --output json + kyverno-json scan --policy ../check-allow-untrusted-flag.yaml --payload ./bad-test/bad-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): diff --git a/dockerfile-best-practices/detect-multiple-instructions/test/binding.yaml b/dockerfile-best-practices/detect-multiple-instructions/test/binding.yaml new file mode 100644 index 00000000..4a78623f --- /dev/null +++ b/dockerfile-best-practices/detect-multiple-instructions/test/binding.yaml @@ -0,0 +1,3 @@ +analyzer: + resource: + type: dockerfile \ No newline at end of file diff --git a/dockerfile-best-practices/detect-multiple-instructions/test/chainsaw-test.yaml b/dockerfile-best-practices/detect-multiple-instructions/test/chainsaw-test.yaml index 8f2dc4b2..82bb3da3 100644 --- a/dockerfile-best-practices/detect-multiple-instructions/test/chainsaw-test.yaml +++ b/dockerfile-best-practices/detect-multiple-instructions/test/chainsaw-test.yaml @@ -10,7 +10,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../detect-multiple-instructions.yaml --payload ./good-test/good-payload.json --output json + kyverno-json scan --policy ../detect-multiple-instructions.yaml --payload ./good-test/good-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): @@ -38,7 +38,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../detect-multiple-instructions.yaml --payload ./bad-test/bad-payload.json --output json + kyverno-json scan --policy ../detect-multiple-instructions.yaml --payload ./bad-test/bad-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): 
diff --git a/dockerfile-best-practices/disallow-sudo-operations/test/binding.yaml b/dockerfile-best-practices/disallow-sudo-operations/test/binding.yaml new file mode 100644 index 00000000..4a78623f --- /dev/null +++ b/dockerfile-best-practices/disallow-sudo-operations/test/binding.yaml @@ -0,0 +1,3 @@ +analyzer: + resource: + type: dockerfile \ No newline at end of file diff --git a/dockerfile-best-practices/disallow-sudo-operations/test/chainsaw-test.yaml b/dockerfile-best-practices/disallow-sudo-operations/test/chainsaw-test.yaml index 2e8c5134..c3688904 100644 --- a/dockerfile-best-practices/disallow-sudo-operations/test/chainsaw-test.yaml +++ b/dockerfile-best-practices/disallow-sudo-operations/test/chainsaw-test.yaml @@ -10,7 +10,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../disallow-sudo-operations.yaml --payload ./good-test/good-payload.json --output json + kyverno-json scan --policy ../disallow-sudo-operations.yaml --payload ./good-test/good-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): @@ -38,7 +38,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../disallow-sudo-operations.yaml --payload ./bad-test/bad-payload.json --output json + kyverno-json scan --policy ../disallow-sudo-operations.yaml --payload ./bad-test/bad-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): diff --git a/dockerfile-best-practices/prefer-copy-over-add/test/binding.yaml b/dockerfile-best-practices/prefer-copy-over-add/test/binding.yaml new file mode 100644 index 00000000..4a78623f --- /dev/null +++ b/dockerfile-best-practices/prefer-copy-over-add/test/binding.yaml @@ -0,0 +1,3 @@ +analyzer: + resource: + type: dockerfile \ No newline at end of file diff --git a/dockerfile-best-practices/prefer-copy-over-add/test/chainsaw-test.yaml b/dockerfile-best-practices/prefer-copy-over-add/test/chainsaw-test.yaml index f20b77c6..85ae7d8e 100644 
--- a/dockerfile-best-practices/prefer-copy-over-add/test/chainsaw-test.yaml +++ b/dockerfile-best-practices/prefer-copy-over-add/test/chainsaw-test.yaml @@ -10,7 +10,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../prefer-copy-over-add.yaml --payload ./good-test/good-payload.json --output json + kyverno-json scan --policy ../prefer-copy-over-add.yaml --payload ./good-test/good-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): @@ -38,7 +38,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../prefer-copy-over-add.yaml --payload ./bad-test/bad-payload.json --output json + kyverno-json scan --policy ../prefer-copy-over-add.yaml --payload ./bad-test/bad-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): diff --git a/dockerfile-best-practices/validate-base-image-tag/test/binding.yaml b/dockerfile-best-practices/validate-base-image-tag/test/binding.yaml new file mode 100644 index 00000000..4a78623f --- /dev/null +++ b/dockerfile-best-practices/validate-base-image-tag/test/binding.yaml @@ -0,0 +1,3 @@ +analyzer: + resource: + type: dockerfile \ No newline at end of file diff --git a/dockerfile-best-practices/validate-expose-port-22/test/binding.yaml b/dockerfile-best-practices/validate-expose-port-22/test/binding.yaml new file mode 100644 index 00000000..4a78623f --- /dev/null +++ b/dockerfile-best-practices/validate-expose-port-22/test/binding.yaml @@ -0,0 +1,3 @@ +analyzer: + resource: + type: dockerfile \ No newline at end of file diff --git a/dockerfile-best-practices/validate-healthcheck-instruction/test/binding.yaml b/dockerfile-best-practices/validate-healthcheck-instruction/test/binding.yaml new file mode 100644 index 00000000..4a78623f --- /dev/null +++ b/dockerfile-best-practices/validate-healthcheck-instruction/test/binding.yaml @@ -0,0 +1,3 @@ +analyzer: + resource: + type: dockerfile \ No newline at end of file 
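Review bot: The validate-base-image-tag and validate-expose-port-22 directories receive a `test/binding.yaml` in this span, but no `chainsaw-test.yaml` hunk adding `--bindings ./binding.yaml` is visible for either, whereas the neighbouring prefer-copy-over-add and validate-healthcheck tests are updated. If those two test files are not changed, the binding file is dead weight and any policy matching on `$analyzer.resource.type` would be skipped in their tests, making the bad-payload case pass for the wrong reason. Please confirm the corresponding scan commands reference `./binding.yaml`.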
diff --git a/dockerfile-best-practices/validate-healthcheck-instruction/test/chainsaw-test.yaml b/dockerfile-best-practices/validate-healthcheck-instruction/test/chainsaw-test.yaml index cc71c04f..0a8f076b 100644 --- a/dockerfile-best-practices/validate-healthcheck-instruction/test/chainsaw-test.yaml +++ b/dockerfile-best-practices/validate-healthcheck-instruction/test/chainsaw-test.yaml @@ -10,7 +10,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../validate-healthcheck-instruction.yaml --payload ./good-test/good-payload.json --output json + kyverno-json scan --policy ../validate-healthcheck-instruction.yaml --payload ./good-test/good-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): @@ -38,7 +38,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../validate-healthcheck-instruction.yaml --payload ./bad-test/bad-payload.json --output json + kyverno-json scan --policy ../validate-healthcheck-instruction.yaml --payload ./bad-test/bad-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): diff --git a/dockerfile-best-practices/validate-user-instruction/test/binding.yaml b/dockerfile-best-practices/validate-user-instruction/test/binding.yaml new file mode 100644 index 00000000..4a78623f --- /dev/null +++ b/dockerfile-best-practices/validate-user-instruction/test/binding.yaml @@ -0,0 +1,3 @@ +analyzer: + resource: + type: dockerfile \ No newline at end of file diff --git a/dockerfile-best-practices/validate-user-instruction/test/chainsaw-test.yaml b/dockerfile-best-practices/validate-user-instruction/test/chainsaw-test.yaml index 497572ec..e1b98a1f 100644 --- a/dockerfile-best-practices/validate-user-instruction/test/chainsaw-test.yaml +++ b/dockerfile-best-practices/validate-user-instruction/test/chainsaw-test.yaml 
@@ -10,7 +10,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../validate-user-instruction.yaml --payload ./good-test/good-payload.json --output json + kyverno-json scan --policy ../validate-user-instruction.yaml --payload ./good-test/good-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): @@ -38,7 +38,7 @@ spec: - script: content: | set -e - kyverno-json scan --policy ../validate-user-instruction.yaml --payload ./bad-test/bad-payload.json --output json + kyverno-json scan --policy ../validate-user-instruction.yaml --payload ./bad-test/bad-payload.json --output json --bindings ./binding.yaml check: ($error): ~ (json_parse($stdout)): From 85ea85b0f828119353bd380225e2810165b7fb80 Mon Sep 17 00:00:00 2001 From: Anusha Hegde Date: Sat, 15 Jun 2024 20:03:47 +0200 Subject: [PATCH 4/4] Change kyverno-json action version to main --- .github/workflows/chainsaw-e2e.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/chainsaw-e2e.yaml b/.github/workflows/chainsaw-e2e.yaml index 0b9fa181..df25e49c 100644 --- a/.github/workflows/chainsaw-e2e.yaml +++ b/.github/workflows/chainsaw-e2e.yaml @@ -63,7 +63,7 @@ jobs: - name: Install kyverno-json uses: kyverno/action-install-kyverno-json@4ac28215fd015ff6aa5525afc67f119f9f758957 # v0.0.1 with: - release: v0.0.3-alpha.2 + release: main - name: Prepare environment run: |