From 3123d0f49a13548a16e70f0804d16dffedb70068 Mon Sep 17 00:00:00 2001 From: Anushka Mittal Date: Wed, 29 May 2024 19:49:02 +0530 Subject: [PATCH 1/3] feat: create chart for best practices for Dockerfile 
Signed-off-by: Anushka Mittal
---
 charts/best-practices-dockerfile/Chart.yaml | 14 ++++++++
 .../pols/check-allow-untrusted-flag.yaml | 22 ++++++++++++
 .../check-certificate-validation-curl.yaml | 22 ++++++++++++
 ...certificate-validation-nodejs-env-var.yaml | 24 +++++++++++++
 .../check-certificate-validation-pip3.yaml | 27 ++++++++++++++
 ...certificate-validation-python-env-var.yaml | 25 +++++++++++++
 .../check-certificate-validation-wget.yaml | 22 ++++++++++++
 .../pols/check-last-user.yaml | 25 +++++++++++++
 .../pols/check-missing-signature-options.yaml | 36 +++++++++++++++++++
 .../pols/check-nogpgcheck.yaml | 35 ++++++++++++++++++
 .../pols/check-npm-config-strict-ssl.yaml | 24 +++++++++++++
 .../pols/check-unauthentication-install.yaml | 22 ++++++++++++
 .../pols/detect-multiple-instructions.yaml | 22 ++++++++++++
 .../pols/disallow-sudo-operations.yaml | 22 ++++++++++++
 .../pols/prefer-copy-over-add.yaml | 21 +++++++++++
 .../pols/validate-base-image-tag.yaml | 23 ++++++++++++
 .../pols/validate-expose-port-22.yaml | 23 ++++++++++++
 .../validate-healthcheck-instruction.yaml | 21 +++++++++++
 .../pols/validate-user-instruction.yaml | 21 +++++++++++
 .../templates/club-pols.yaml | 4 +++
 charts/best-practices-dockerfile/values.yaml | 0
 21 files changed, 455 insertions(+)
 create mode 100644 charts/best-practices-dockerfile/Chart.yaml
 create mode 100644 charts/best-practices-dockerfile/pols/check-allow-untrusted-flag.yaml
 create mode 100644 charts/best-practices-dockerfile/pols/check-certificate-validation-curl.yaml
 create mode 100644 charts/best-practices-dockerfile/pols/check-certificate-validation-nodejs-env-var.yaml
 create mode 100644 charts/best-practices-dockerfile/pols/check-certificate-validation-pip3.yaml
 create mode 100644 charts/best-practices-dockerfile/pols/check-certificate-validation-python-env-var.yaml
 create mode 100644 charts/best-practices-dockerfile/pols/check-certificate-validation-wget.yaml
 create mode 100644 
charts/best-practices-dockerfile/pols/check-last-user.yaml
 create mode 100644 charts/best-practices-dockerfile/pols/check-missing-signature-options.yaml
 create mode 100644 charts/best-practices-dockerfile/pols/check-nogpgcheck.yaml
 create mode 100644 charts/best-practices-dockerfile/pols/check-npm-config-strict-ssl.yaml
 create mode 100644 charts/best-practices-dockerfile/pols/check-unauthentication-install.yaml
 create mode 100644 charts/best-practices-dockerfile/pols/detect-multiple-instructions.yaml
 create mode 100644 charts/best-practices-dockerfile/pols/disallow-sudo-operations.yaml
 create mode 100644 charts/best-practices-dockerfile/pols/prefer-copy-over-add.yaml
 create mode 100644 charts/best-practices-dockerfile/pols/validate-base-image-tag.yaml
 create mode 100644 charts/best-practices-dockerfile/pols/validate-expose-port-22.yaml
 create mode 100644 charts/best-practices-dockerfile/pols/validate-healthcheck-instruction.yaml
 create mode 100644 charts/best-practices-dockerfile/pols/validate-user-instruction.yaml
 create mode 100644 charts/best-practices-dockerfile/templates/club-pols.yaml
 create mode 100644 charts/best-practices-dockerfile/values.yaml
diff --git a/charts/best-practices-dockerfile/Chart.yaml b/charts/best-practices-dockerfile/Chart.yaml
new file mode 100644
index 00000000..9364932c
--- /dev/null
+++ b/charts/best-practices-dockerfile/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: best-practices-dockerfile
+description: Best practices Dockerfile policy set
+type: application
+version: 0.1.0
+appVersion: 0.1.0
+keywords:
+ - kubernetes
+ - nirmata
+ - kyverno
+ - policy
+maintainers:
+ - name: Nirmata
+ url: https://nirmata.com/
diff --git a/charts/best-practices-dockerfile/pols/check-allow-untrusted-flag.yaml b/charts/best-practices-dockerfile/pols/check-allow-untrusted-flag.yaml
new file mode 100644
index 00000000..4524b663
--- /dev/null
+++ b/charts/best-practices-dockerfile/pols/check-allow-untrusted-flag.yaml
@@ -0,0 +1,22 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: detect-untrusted-flag
+ annotations:
+ policies.kyverno.io/title: Check for untrusted flag in Dockerfile
+ policies.kyverno.io/category: Dockerfile Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy ensures that Dockerfile do not contain the '--allow-untrusted' flag.
+spec:
+ rules:
+ - name: detect-untrusted-flag
+ match:
+ any:
+ - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true
+ assert:
+ any:
+ - message: Dockerfile contains the '--allow-untrusted' which is not preferred
+ check:
+ ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+ (contains(@, '--allow-untrusted') && (contains(@, 'apk'))): false
\ No newline at end of file
diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-curl.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-curl.yaml
new file mode 100644
index 00000000..580a5c50
--- /dev/null
+++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-curl.yaml
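Review bot: The check on the last line tests `contains(@, 'apk')` as a bare substring, while every other RUN policy in this set pins the command name with the `starts_with(@, 'x ') || contains(@, ' x ')` form; `((starts_with(@, 'apk ') || contains(@, ' apk ')) && contains(@, ' --allow-untrusted')): false` would match the siblings' style and stop a RUN line that merely names an `.apk` file next to the flag from being reported. More broadly, this and the other RUN-based policies in the patch (curl, pip3, wget, rpm, nogpgcheck, apt, sudo, multiple-instructions) all key on spaces inside one command string; if the Dockerfile parser presents exec-form `RUN ["apk", "add", "--allow-untrusted"]` as one element per argument, none of the `starts_with`/`contains` tests can fire on it, which deserves a test case or an explicit sentence in the descriptions. `metadata.name` and the rule name are `detect-untrusted-flag` while the file is `check-allow-untrusted-flag.yaml`; the other policies keep the three identical.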
@@ -0,0 +1,22 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: check-certificate-validation-curl
+ annotations:
+ policies.kyverno.io/title: Check for certificate validation using curl in the Dockerfile
+ policies.kyverno.io/category: Dockerfile Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy checks whether certificate validation is disabled in the Dockerfile using --insecure option when running the curl command
+spec:
+ rules:
+ - name: check-certificate-validation-curl
+ match:
+ any:
+ - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true
+ assert:
+ any:
+ - message: Ensure certificate validation is enabled by not using `--insecure` option
+ check:
+ ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+ ((starts_with(@, 'curl ') || contains(@, ' curl ')) && (contains(@, ' --insecure'))): false
\ No newline at end of file
diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-nodejs-env-var.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-nodejs-env-var.yaml
new file mode 100644
index 00000000..77f8fdaa
--- /dev/null
+++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-nodejs-env-var.yaml
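Review bot: The check on the last line only looks for ` --insecure`, but curl's documented short form `-k` disables verification equally, so a `RUN curl -k https://…` line passes this policy unnoticed. Extending the condition to `((starts_with(@, 'curl ') || contains(@, ' curl ')) && (contains(@, ' --insecure') || contains(@, ' -k '))): false` covers the common spellings; `-k` clustered with other short options (e.g. `-sk`) cannot be caught by substring tests and should be named as a known gap in the description so users do not read the policy as complete.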
@@ -0,0 +1,24 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: check-certificate-validation-nodejs-env-var
+ annotations:
+ policies.kyverno.io/title: Check for certificate validation in the Dockerfile using Node.js environment variable
+ policies.kyverno.io/category: Dockerfile Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ NODE_TLS_REJECT_UNAUTHORIZED is an environment variable used in Node.js
+ to control TLS certificate verification behavior. This policy checks whether
+ this environment variable is set to 0. By default, it is set to 1, which enables
+ certificate verification.
+spec:
+ rules:
+ - name: check-certificate-validation-nodejs-env-var
+ match:
+ any:
+ - (Stages[].Commands[?Name=='ENV'] | length(@) > `0`): true
+ assert:
+ any:
+ - message: Ensure certificate validation is enabled by using `NODE_TLS_REJECT_UNAUTHORIZED` env with value set to `1`
+ check:
+ (Stages[].Commands[].Env[?Key=='NODE_TLS_REJECT_UNAUTHORIZED' && Value=='1'][] | length(@) > `0`): true
diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-pip3.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-pip3.yaml
new file mode 100644
index 00000000..abcd9799
--- /dev/null
+++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-pip3.yaml
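Review bot: The assertion is inverted relative to the description: `match` selects every Dockerfile that has any ENV instruction, and the check then requires an explicit `NODE_TLS_REJECT_UNAUTHORIZED` with `Value=='1'`, so a Dockerfile that only sets `ENV PATH=…` fails even though the description says the policy looks for the variable being set to 0. The check should reject the disabling value instead: ``(Stages[].Commands[].Env[?Key=='NODE_TLS_REJECT_UNAUTHORIZED' && Value=='0'][] | length(@) > `0`): false``, with the message reworded to say the variable must not be set to `0`. The same inversion is in check-certificate-validation-python-env-var.yaml (requires `PYTHONHTTPSVERIFY` `Value=='1'`) and check-npm-config-strict-ssl.yaml (requires `NPM_CONFIG_STRICT_SSL` `Value=='true'`); those should test for `'0'` and `'false'` respectively with `: false`.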
@@ -0,0 +1,27 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: check-certificate-validation-pip3
+ annotations:
+ policies.kyverno.io/title: Check for certificate validation using pip3 in the Dockerfile
+ policies.kyverno.io/category: Dockerfile Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy checks whether certificate validation is disabled in the Dockerfile using --trusted-host option when running the pip3 command
+spec:
+ rules:
+ - name: check-certificate-validation-pip3
+ match:
+ any:
+ - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true
+ assert:
+ all:
+ - message: Ensure certificate validation is enabled by not using `--trusted-host` option with pip
+ check:
+ ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+ ((starts_with(@, 'pip ') || contains(@, ' pip ')) && contains(@, ' --trusted-host')): false
+ - message: Ensure certificate validation is enabled by not using `--trusted-host` option with pip3
+ check:
+ ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+ ((starts_with(@, 'pip3 ') || contains(@, ' pip3 ')) && contains(@, ' --trusted-host')): false
+
diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-python-env-var.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-python-env-var.yaml
new file mode 100644
index 00000000..5e95fc9b
--- /dev/null
+++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-python-env-var.yaml
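Review bot: The two checks cover `pip ` and `pip3 ` invocations, but `python -m pip install --trusted-host …` and `python3 -m pip …` are common in Dockerfiles and match neither `starts_with(@, 'pip ')` nor `contains(@, ' pip ')`, because the token before `pip` is `-m` rather than a space-delimited command start. A third entry under `all` keyed on `(contains(@, '-m pip ') && contains(@, ' --trusted-host')): false` closes that gap. The description's wording that certificate validation is "disabled … using --trusted-host" is slightly off: the option marks a host as trusted even without valid HTTPS, which is the reason it is worth flagging, and saying so makes the finding easier to explain to users.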
@@ -0,0 +1,25 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: check-certificate-validation-python-env-var
+ annotations:
+ policies.kyverno.io/title: Check for certificate validation in the Dockerfile using Python environment variable
+ policies.kyverno.io/category: Dockerfile Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ The PYTHONHTTPSVERIFY environment variable is used in Python to control
+ certificate verification when making HTTPS requests. This policy checks
+ whether this environment variable is set to 0. By default, it is set to 1,
+ which enables certificate verification.
+spec:
+ rules:
+ - name: check-certificate-validation-python-env-var
+ match:
+ any:
+ - (Stages[].Commands[?Name=='ENV'] | length(@) > `0`): true
+ assert:
+ any:
+ - message: Ensure certificate validation is enabled by using `PYTHONHTTPSVERIFY` env with value set to `1`
+ check:
+ (Stages[].Commands[].Env[?Key=='PYTHONHTTPSVERIFY' && Value=='1'][] | length(@) > `0`): true
+
\ No newline at end of file
diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-wget.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-wget.yaml
new file mode 100644
index 00000000..86e2debc
--- /dev/null
+++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-wget.yaml
@@ -0,0 +1,22 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: check-certificate-validation-wget
+ annotations:
+ policies.kyverno.io/title: Check for certificate validation using wget in the Dockerfile
+ policies.kyverno.io/category: Dockerfile Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy checks whether certificate validation is disabled in the Dockerfile using --no-check-certificate option when running the wget command
+spec:
+ rules:
+ - name: check-certificate-validation-wget
+ match:
+ any:
+ - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true
+ assert:
+ any:
+ - message: Ensure certificate validation is enabled by not using `--no-check-certificate` option
+ check:
+ ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+ ((starts_with(@, 'wget ') || contains(@, ' wget ')) && (contains(@, ' --no-check-certificate'))): false
diff --git a/charts/best-practices-dockerfile/pols/check-last-user.yaml b/charts/best-practices-dockerfile/pols/check-last-user.yaml
new file mode 100644
index 00000000..77f6302f
--- /dev/null
+++ b/charts/best-practices-dockerfile/pols/check-last-user.yaml
@@ -0,0 +1,25 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: check-last-user
+ annotations:
+ policies.kyverno.io/title: Check last USER
+ policies.kyverno.io/category: Dockerfile Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy validates that the last USER is not root.
+spec:
+ rules:
+ - name: check-last-user
+ match:
+ any:
+ - (Stages[].Commands[?Name=='USER'][] | length(@) > `0`): true
+ assert:
+ any:
+ - message: Default user for the container should not be root
+ check:
+ (Stages[].Commands[?Name=='USER'][]):
+ (@)->array:
+ (subtract(length($array), `1`))->want:
+ ~index.($array):
+ (to_number($index) != $want || !(starts_with(User, '0:') || ends_with(User, ':0') || User == 'root' || User == '0' ) ): true
diff --git a/charts/best-practices-dockerfile/pols/check-missing-signature-options.yaml b/charts/best-practices-dockerfile/pols/check-missing-signature-options.yaml
new file mode 100644
index 00000000..924de342
--- /dev/null
+++ b/charts/best-practices-dockerfile/pols/check-missing-signature-options.yaml
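Review bot: The root test on the last line, `starts_with(User, '0:') || ends_with(User, ':0') || User == 'root' || User == '0'`, lets `USER root:root` or `USER root:wheel` through, since those neither start with `0:` nor equal `root`; adding `starts_with(User, 'root:')` to the disjunction covers the user:group spelling. The flattening in `Stages[].Commands[?Name=='USER'][]` also takes the last USER across all stages, so in a multi-stage build whose builder stage ends with `USER app` and whose final stage never sets USER, the final image runs as root yet the policy passes. If the model preserves stage order, inspecting only the last stage (`Stages[-1].Commands[?Name=='USER']`) matches the description's "last USER" intent; otherwise the description should say the check is across all stages.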
@@ -0,0 +1,36 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: check-missing-signature-options
+ annotations:
+ policies.kyverno.io/title: check for missing signature options via rpm
+ policies.kyverno.io/category: Dockerfile Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy ensures that packages with untrusted or missing signatures
+ are not used by rpm via the ‘–nodigest’, ‘–nosignature’, ‘–noverify’, or
+ ‘–nofiledigest’ options
+spec:
+ rules:
+ - name: check-missing-signature-options
+ match:
+ any:
+ - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true
+ assert:
+ all:
+ - message: Ensure that packages with untrusted or missing signatures are not used by rpm via `--nofiledigest` flag
+ check:
+ ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+ ((starts_with(@, 'rpm ') || contains(@, ' rpm ')) && contains(@, ' --nofiledigest')): false
+ - message: Ensure that packages with untrusted or missing signatures are not used by rpm via `--noverify` flag
+ check:
+ ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+ ((starts_with(@, 'rpm ') || contains(@, ' rpm ')) && contains(@, ' --noverify')): false
+ - message: Ensure that packages with untrusted or missing signatures are not used by rpm via `--nosignature` flag
+ check:
+ ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+ ((starts_with(@, 'rpm ') || contains(@, ' rpm ')) && contains(@, ' --nosignature')): false
+ - message: Ensure that packages with untrusted or missing signatures are not used by rpm via `--nodigest` flag
+ check:
+ ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+ ((starts_with(@, 'rpm ') || contains(@, ' rpm ')) && contains(@, ' --nodigest')): false
\ No newline at end of file
diff --git a/charts/best-practices-dockerfile/pols/check-nogpgcheck.yaml b/charts/best-practices-dockerfile/pols/check-nogpgcheck.yaml
new file mode 100644
index 00000000..17e86e0e
--- /dev/null
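Review bot: The description annotation renders the flags as ‘–nodigest’, ‘–nosignature’, ‘–noverify’ and ‘–nofiledigest’ with typographic quotes and a single en dash, so the text does not name the actual `--nodigest`/`--nosignature`/`--noverify`/`--nofiledigest` options that the four checks test for; plain ASCII `'--nodigest'` etc. keeps the description searchable and consistent with the messages below it. The title `check for missing signature options via rpm` is also the only lower-case title in the set and reads better as `Check for missing signature options via rpm`.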
+++ b/charts/best-practices-dockerfile/pols/check-nogpgcheck.yaml
@@ -0,0 +1,35 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: check-nogpgcheck
+ annotations:
+ policies.kyverno.io/title: Check for GPG signature when using yum/dnf/tdnf in the Dockerfile
+ policies.kyverno.io/category: Dockerfile Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ GPG signature checking is a security feature that verifies
+ the authenticity and integrity of packages before they are
+ installed on a system. When nogpgcheck is enabled, dnf, tdnf,
+ or yum will not verify the GPG signatures associated with the packages,
+ potentially exposing the system to security risks if the packages have been
+ tampered with or are not from trusted sources.
+spec:
+ rules:
+ - name: check-nogpgcheck
+ match:
+ any:
+ - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true
+ assert:
+ all:
+ - message: Enable GPG signature checking with yum by not using `--nogpgcheck` flag
+ check:
+ ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+ ((starts_with(@, 'yum ') || contains(@, ' yum ')) && contains(@, ' --nogpgcheck')): false
+ - message: Enable GPG signature checking with dnf by not using `--nogpgcheck` flag
+ check:
+ ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+ ((starts_with(@, 'dnf ') || contains(@, ' dnf ')) && contains(@, ' --nogpgcheck')): false
+ - message: Enable GPG signature checking with tdnf by not using `--nogpgcheck` flag
+ check:
+ ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+ ((starts_with(@, 'tdnf ') || contains(@, ' tdnf ')) && contains(@, ' --nogpgcheck')): false
diff --git a/charts/best-practices-dockerfile/pols/check-npm-config-strict-ssl.yaml b/charts/best-practices-dockerfile/pols/check-npm-config-strict-ssl.yaml
new file mode 100644
index 00000000..63badf49
--- /dev/null
+++ b/charts/best-practices-dockerfile/pols/check-npm-config-strict-ssl.yaml
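Review bot: The three checks cover only the `--nogpgcheck` spelling, but yum and dnf also accept the generic option override `--setopt=gpgcheck=0`, which turns off the same verification and passes this policy unseen; adding `|| contains(@, '--setopt=gpgcheck=0')` to each condition (or stating the gap in the description) keeps the policy's promise honest. `microdnf`, which is what UBI-minimal style images ship instead of dnf, is not matched by any of the three prefixes either, so a fourth entry under `all` for `microdnf ` would be consistent with the title's intent. The `check` lines are otherwise identical apart from the command name, which is worth a comment so the next contributor edits all of them together.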
@@ -0,0 +1,24 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: check-npm-config-strict-ssl
+ annotations:
+ policies.kyverno.io/title: Check for certificate validation in the Dockerfile for npm using `NPM_CONFIG_STRICT_SSL` environemt variable
+ policies.kyverno.io/category: Dockerfile Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ The NPM_CONFIG_STRICT_SSL environment variable is used to control strict SSL
+ certificate validation behavior in npm. This policy ensures that certificate
+ validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet
+ variable.
+spec:
+ rules:
+ - name: check-npm-config-strict-ssl
+ match:
+ any:
+ - (Stages[].Commands[?Name=='ENV'] | length(@) > `0`): true
+ assert:
+ any:
+ - message: Ensure certificate validation is enabled by setting `NODE_TLS_REJECT_UNAUTHORIZED` env with value set to `true`
+ check:
+ (Stages[].Commands[].Env[?Key=='NPM_CONFIG_STRICT_SSL' && Value=='true'][] | length(@) > `0`): true
\ No newline at end of file
diff --git a/charts/best-practices-dockerfile/pols/check-unauthentication-install.yaml b/charts/best-practices-dockerfile/pols/check-unauthentication-install.yaml
new file mode 100644
index 00000000..957e59d2
--- /dev/null
+++ b/charts/best-practices-dockerfile/pols/check-unauthentication-install.yaml
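Review bot: The assertion message names the wrong variable: it tells the user to set `NODE_TLS_REJECT_UNAUTHORIZED` to `true`, while the check, the title and the description all concern `NPM_CONFIG_STRICT_SSL`, so a failing report would send the reader to a different setting. The message should read `Ensure certificate validation is enabled by not setting \`NPM_CONFIG_STRICT_SSL\` env to \`false\``, which also matches how the check ought to be phrased once it tests for the disabling value. The title and description misspell "environment" twice (`environemt`, `environmnet`).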
@@ -0,0 +1,22 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: detect-unauthenticated-flag
+ annotations:
+ policies.kyverno.io/title: Check for unauthenticated flag in Dockerfile
+ policies.kyverno.io/category: Dockerfile Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy ensures that Dockerfile do not contain the '--allow-unauthenticated' flag.
+spec:
+ rules:
+ - name: detect-unauthenticated-flag
+ match:
+ any:
+ - (Stages[].Commands[?Name=='RUN'].CmdLine[] | length(@) > `0`): true
+ assert:
+ any:
+ - message: Dockerfile contains the '--allow-unauthenticated' which is not preferred
+ check:
+ ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+ (contains(@, '--allow-unauthenticated') && (contains(@, 'apt-get') || contains(@, 'apt'))): false
\ No newline at end of file
diff --git a/charts/best-practices-dockerfile/pols/detect-multiple-instructions.yaml b/charts/best-practices-dockerfile/pols/detect-multiple-instructions.yaml
new file mode 100644
index 00000000..8256db78
--- /dev/null
+++ b/charts/best-practices-dockerfile/pols/detect-multiple-instructions.yaml
@@ -0,0 +1,22 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: detect-multiple-instructions
+ annotations:
+ policies.kyverno.io/title: Detect Multiple Instructions in Single Line
+ policies.kyverno.io/category: Dockerfile Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy ensures that Dockerfile Container Image Should Be Built with Minimal Cached Layers
+spec:
+ rules:
+ - name: detect-multiple-instructions
+ match:
+ any:
+ - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true
+ assert:
+ all:
+ - message: Found multiple instructions in a single line
+ check:
+ ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+ (contains(@, ' && ')): false
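Review bot: In the last line of the check-unauthentication-install hunk, `contains(@, 'apt-get') || contains(@, 'apt')` is redundant (any string containing `apt-get` contains `apt`) and the bare `apt` substring matches unrelated words, unlike the sibling policies' `starts_with(@, 'x ') || contains(@, ' x ')` form; `((starts_with(@, 'apt-get ') || contains(@, ' apt-get ') || starts_with(@, 'apt ') || contains(@, ' apt ')) && contains(@, ' --allow-unauthenticated')): false` keeps the set consistent. The `match` expression uses `CmdLine[]` where every other policy uses `CmdLine[][]`; both are non-empty for the same inputs, but the difference reads as an oversight. The file name `check-unauthentication-install.yaml` ("unauthentication" is not a word) does not match `metadata.name` `detect-unauthenticated-flag`.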
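Review bot: In the detect-multiple-instructions hunk the description says the policy ensures the image is built with minimal cached layers, but the check `(contains(@, ' && ')): false` flags exactly the `RUN a && b` chaining that collapses several commands into one layer, so as written it enforces the opposite of its stated goal and will fire on most Dockerfiles that follow the layer-minimisation advice. Either the check should target what the author has in mind (for example consecutive RUN instructions that could be merged) or the title and description should be rewritten to say plainly that commands chained with `&&` inside one RUN are being disallowed; the two cannot both stand. `assert: all` with a single entry also differs from the `any` used by the other single-check policies in the set.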
diff --git a/charts/best-practices-dockerfile/pols/disallow-sudo-operations.yaml b/charts/best-practices-dockerfile/pols/disallow-sudo-operations.yaml
new file mode 100644
index 00000000..a508f627
--- /dev/null
+++ b/charts/best-practices-dockerfile/pols/disallow-sudo-operations.yaml
@@ -0,0 +1,22 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: disallow-sudo-operations
+ annotations:
+ policies.kyverno.io/title: Check for sudo operation existence
+ policies.kyverno.io/category: Dockerfile Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ Using sudo within a Dockerfile is not recommended to avoid privilege escalation.
+spec:
+ rules:
+ - name: detect-sudo-operations
+ match:
+ any:
+ - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true
+ assert:
+ any:
+ - message: Dockerfile contains the 'sudo' operation which is not preferred
+ check:
+ ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+ (starts_with(@, 'sudo ') || contains(@, ' sudo ')): false
\ No newline at end of file
diff --git a/charts/best-practices-dockerfile/pols/prefer-copy-over-add.yaml b/charts/best-practices-dockerfile/pols/prefer-copy-over-add.yaml
new file mode 100644
index 00000000..d54eb771
--- /dev/null
+++ b/charts/best-practices-dockerfile/pols/prefer-copy-over-add.yaml
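Review bot: The rule name `detect-sudo-operations` differs from `metadata.name` `disallow-sudo-operations` and from the file name; the other policies keep all three identical, so `- name: disallow-sudo-operations` is the consistent choice and avoids confusing reports that cite one name while the file carries another. A `sudo` that is preceded by `;` or a tab rather than a space, or that is the last token of the line, matches neither `starts_with(@, 'sudo ')` nor `contains(@, ' sudo ')`; that is a tolerable gap for a best-practice check but worth one sentence in the description.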
@@ -0,0 +1,21 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: prefer-copy-over-add
+ annotations:
+ policies.kyverno.io/title: Prefer COPY over ADD in Dockerfile
+ policies.kyverno.io/category: Dockerfile Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy ensures that COPY instructions are used instead of ADD instructions in Dockerfiles.
+spec:
+ rules:
+ - name: prefer-copy-over-add
+ match:
+ any:
+ - (Stages[].Commands[] | length(@) > `0`): true
+ assert:
+ any:
+ - message: Avoid the use of ADD instructions in Dockerfiles
+ check:
+ (Stages[].Commands[?Name=='ADD'].Link[] | length(@) > `0`): false
diff --git a/charts/best-practices-dockerfile/pols/validate-base-image-tag.yaml b/charts/best-practices-dockerfile/pols/validate-base-image-tag.yaml
new file mode 100644
index 00000000..b3c60eba
--- /dev/null
+++ b/charts/best-practices-dockerfile/pols/validate-base-image-tag.yaml
@@ -0,0 +1,23 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: validate-base-image-tag
+ annotations:
+ policies.kyverno.io/title: Validate base image tag
+ policies.kyverno.io/category: Dockerfile Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy checks whether the base image tag is defined with a specific version or digest in the Dockerfile.
+spec:
+ rules:
+ - name: validate-base-image-tag
+ match:
+ any:
+ - (Stages[].From | length(@) > `0`): true
+ assert:
+ any:
+ - message: Base Image is missing version tags/digests
+ check:
+ ~.(Stages[].From.Image):
+ (contains(@, ':') || contains(@, '@sha')): true
+ (contains(@, ':latest')): false
diff --git a/charts/best-practices-dockerfile/pols/validate-expose-port-22.yaml b/charts/best-practices-dockerfile/pols/validate-expose-port-22.yaml
new file mode 100644
index 00000000..23b82ed3
--- /dev/null
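Review bot: The check in the prefer-copy-over-add hunk inspects `Stages[].Commands[?Name=='ADD'].Link[]`, i.e. the `Link` field of each ADD command, rather than the ADD commands themselves; if `Link` is the boolean `--link` flag, as its name suggests, flattening it yields nothing and the assertion never fires for an ordinary `ADD src dst`. The HEALTHCHECK and USER policies on this page already use the shape that is wanted here: ``(Stages[].Commands[?Name=='ADD'][] | length(@) > `0`): false``. A fixture Dockerfile with a plain ADD would have exposed this and is worth adding alongside the chart.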
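Review bot: In the validate-base-image-tag hunk, `contains(@, ':')` is satisfied by a registry port (e.g. a constructed `registry.example:5000/app` carries no tag yet contains `:`) and, if stage references surface in `From.Image`, rejects `FROM builder` in a multi-stage build, which carries no tag by design; testing only the segment after the last `/` and skipping names that refer to an earlier stage would match the description. `contains(@, '@sha')` likewise accepts any string containing `@sha`, where `contains(@, '@sha256:')` is the form a digest actually takes. The message `Base Image is missing version tags/digests` is also shown when the only failure is `:latest`, so a second, separate assertion entry with its own message would make the report accurate.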
+++ b/charts/best-practices-dockerfile/pols/validate-expose-port-22.yaml
@@ -0,0 +1,23 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: validate-expose-port-22
+ annotations:
+ policies.kyverno.io/title: Validating Exposed Port 22 in Dockerfile
+ policies.kyverno.io/category: Dockerfile Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy checks whether Dockerfiles exposes port 22.
+spec:
+ rules:
+ - name: prefer-copy-over-add
+ match:
+ any:
+ - (Stages[].Commands[?Name=='EXPOSE'][] | length(@) > `0`): true
+ assert:
+ any:
+ - message: Port 22 should not be exposed
+ check:
+ (Stages[].Commands[?Name=='EXPOSE'].Ports[][]):
+ (contains(@, '22')): false
+ (contains(@, '22/tcp')): false
diff --git a/charts/best-practices-dockerfile/pols/validate-healthcheck-instruction.yaml b/charts/best-practices-dockerfile/pols/validate-healthcheck-instruction.yaml
new file mode 100644
index 00000000..4da628b6
--- /dev/null
+++ b/charts/best-practices-dockerfile/pols/validate-healthcheck-instruction.yaml
@@ -0,0 +1,21 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: validate-healthcheck-instruction
+ annotations:
+ policies.kyverno.io/title: Validate Healthcheck Instruction
+ policies.kyverno.io/category: Dockerfile Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy checks if the HEALTHCHECK instruction is defined in the Dockerfile.
+spec:
+ rules:
+ - name: validate-healthcheck-instruction
+ match:
+ any:
+ - (Stages[].Commands[] | length(@) > `0`): true
+ assert:
+ any:
+ - message: HEALTHCHECK instruction is not defined
+ check:
+ (Stages[].Commands[?Name=='HEALTHCHECK'][] | length(@) > `0`): true
diff --git a/charts/best-practices-dockerfile/pols/validate-user-instruction.yaml b/charts/best-practices-dockerfile/pols/validate-user-instruction.yaml
new file mode 100644
index 00000000..4354b502
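Review bot: In the validate-expose-port-22 hunk the rule is named `prefer-copy-over-add`, copied from the ADD policy; it should be `- name: validate-expose-port-22` to match `metadata.name` and the file. The check `(contains(@, '22')): false` also matches `2222`, `8022` or `22/udp` and already subsumes the second line `(contains(@, '22/tcp')): false`, so the second test is dead and the first is over-broad; `(@ == '22' || starts_with(@, '22/')): false` matches only port 22 in its bare and protocol-qualified spellings. The `check` key lacks the `~.` iteration prefix used by the RUN policies, so whether the two expressions are evaluated per port or against the whole list is worth confirming with a fixture that exposes several ports.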
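Review bot: In the validate-healthcheck-instruction hunk, `Stages[].Commands[?Name=='HEALTHCHECK'][]` flattens across all stages, so a HEALTHCHECK in a builder stage of a multi-stage Dockerfile satisfies the policy even when the final stage, whose configuration the resulting image carries, has none; validate-user-instruction.yaml in this patch has the same shape and the same gap. If the model keeps stage order, ``(Stages[-1].Commands[?Name=='HEALTHCHECK'] | length(@) > `0`): true`` expresses the intent; if it does not, the description should say the check is satisfied by any stage.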
--- /dev/null
+++ b/charts/best-practices-dockerfile/pols/validate-user-instruction.yaml
@@ -0,0 +1,21 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: validate-user-instruction
+ annotations:
+ policies.kyverno.io/title: Validate USER instruction in Dockerfile
+ policies.kyverno.io/category: Dockerfile Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy checks if the Dockerfile contains a USER instruction. If the USER instruction is not present, the policy fails.
+spec:
+ rules:
+ - name: validate-user-instruction
+ match:
+ any:
+ - (Stages[].Commands[] | length(@) > `0`): true
+ assert:
+ any:
+ - message: USER instruction is not present in the Dockerfile
+ check:
+ (Stages[].Commands[?Name=='USER'][] | length(@) > `0`): true
diff --git a/charts/best-practices-dockerfile/templates/club-pols.yaml b/charts/best-practices-dockerfile/templates/club-pols.yaml
new file mode 100644
index 00000000..c3c51aa7
--- /dev/null
+++ b/charts/best-practices-dockerfile/templates/club-pols.yaml
@@ -0,0 +1,4 @@
+{{ range $path, $_ := .Files.Glob "pols/**.yaml" }}
+{{ $.Files.Get $path }}
+---
+{{ end }}
diff --git a/charts/best-practices-dockerfile/values.yaml b/charts/best-practices-dockerfile/values.yaml
new file mode 100644
index 00000000..e69de29b
From 7ff4338f18004338f2d3ec52b1a39d8714df63dc Mon Sep 17 00:00:00 2001
From: Anushka Mittal
Date: Wed, 29 May 2024 20:43:07 +0530
Subject: [PATCH 2/3] fix: add binding 
Signed-off-by: Anushka Mittal
---
 .../pols/check-allow-untrusted-flag.yaml | 2 ++
 .../pols/check-certificate-validation-curl.yaml | 2 ++
 .../pols/check-certificate-validation-nodejs-env-var.yaml | 2 ++
 .../pols/check-certificate-validation-pip3.yaml | 2 ++
 .../pols/check-certificate-validation-python-env-var.yaml | 2 ++
 .../pols/check-certificate-validation-wget.yaml | 2 ++
 charts/best-practices-dockerfile/pols/check-last-user.yaml | 2 ++
 .../pols/check-missing-signature-options.yaml | 2 ++
 charts/best-practices-dockerfile/pols/check-nogpgcheck.yaml | 2 ++
 .../pols/check-npm-config-strict-ssl.yaml | 2 ++
 .../pols/check-unauthentication-install.yaml | 2 ++
 .../pols/detect-multiple-instructions.yaml | 2 ++
 .../pols/disallow-sudo-operations.yaml | 2 ++
 charts/best-practices-dockerfile/pols/prefer-copy-over-add.yaml | 2 ++
 .../best-practices-dockerfile/pols/validate-base-image-tag.yaml | 2 ++
 .../best-practices-dockerfile/pols/validate-expose-port-22.yaml | 2 ++
 .../pols/validate-user-instruction.yaml | 2 ++
 17 files changed, 34 insertions(+)
diff --git a/charts/best-practices-dockerfile/pols/check-allow-untrusted-flag.yaml b/charts/best-practices-dockerfile/pols/check-allow-untrusted-flag.yaml
index 4524b663..03e9fc67 100644
--- a/charts/best-practices-dockerfile/pols/check-allow-untrusted-flag.yaml
+++ b/charts/best-practices-dockerfile/pols/check-allow-untrusted-flag.yaml
@@ -12,6 +12,8 @@ spec:
 rules:
 - name: detect-untrusted-flag
 match:
+ all:
+ - ($analyzer.resource.type): dockerfile
 any:
 - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true
 assert:
diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-curl.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-curl.yaml
index 580a5c50..7ae9453e 100644
--- a/charts/best-practices-dockerfile/pols/check-certificate-validation-curl.yaml
+++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-curl.yaml
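Review bot: The diffstat for this patch lists 17 policy files and validate-healthcheck-instruction.yaml is not among them, so after this change it is the only policy in the chart whose `match` lacks the `($analyzer.resource.type): dockerfile` binding added here; it should receive the same two lines. `$analyzer` is not declared anywhere in the chart shown in this series, so it is presumably injected by the analyzer runtime; a short comment above the `all:` block such as `# $analyzer is provided by the scanning runtime, not by this chart` would spare the next reader a search. The remaining hunks of this patch add the identical two lines and carry the same remark.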
@@ -12,6 +12,8 @@ spec:
 rules:
 - name: check-certificate-validation-curl
 match:
+ all:
+ - ($analyzer.resource.type): dockerfile
 any:
 - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true
 assert:
diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-nodejs-env-var.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-nodejs-env-var.yaml
index 77f8fdaa..5794d7ce 100644
--- a/charts/best-practices-dockerfile/pols/check-certificate-validation-nodejs-env-var.yaml
+++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-nodejs-env-var.yaml
@@ -15,6 +15,8 @@ spec:
 rules:
 - name: check-certificate-validation-nodejs-env-var
 match:
+ all:
+ - ($analyzer.resource.type): dockerfile
 any:
 - (Stages[].Commands[?Name=='ENV'] | length(@) > `0`): true
 assert:
diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-pip3.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-pip3.yaml
index abcd9799..4391081b 100644
--- a/charts/best-practices-dockerfile/pols/check-certificate-validation-pip3.yaml
+++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-pip3.yaml
@@ -12,6 +12,8 @@ spec:
 rules:
 - name: check-certificate-validation-pip3
 match:
+ all:
+ - ($analyzer.resource.type): dockerfile
 any:
 - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true
 assert:
diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-python-env-var.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-python-env-var.yaml
index 5e95fc9b..23d68533 100644
--- a/charts/best-practices-dockerfile/pols/check-certificate-validation-python-env-var.yaml
+++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-python-env-var.yaml
@@ -15,6 +15,8 @@ spec: rules: - name: check-certificate-validation-python-env-var match: + all: + - ($analyzer.resource.type): dockerfile any: - (Stages[].Commands[?Name=='ENV'] | length(@) > `0`): true assert: diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-wget.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-wget.yaml index 86e2debc..86500994 100644 --- a/charts/best-practices-dockerfile/pols/check-certificate-validation-wget.yaml +++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-wget.yaml @@ -12,6 +12,8 @@ spec: rules: - name: check-certificate-validation-wget match: + all: + - ($analyzer.resource.type): dockerfile any: - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true assert: diff --git a/charts/best-practices-dockerfile/pols/check-last-user.yaml b/charts/best-practices-dockerfile/pols/check-last-user.yaml index 77f6302f..49879cb8 100644 --- a/charts/best-practices-dockerfile/pols/check-last-user.yaml +++ b/charts/best-practices-dockerfile/pols/check-last-user.yaml @@ -12,6 +12,8 @@ spec: rules: - name: check-last-user match: + all: + - ($analyzer.resource.type): dockerfile any: - (Stages[].Commands[?Name=='USER'][] | length(@) > `0`): true assert: diff --git a/charts/best-practices-dockerfile/pols/check-missing-signature-options.yaml b/charts/best-practices-dockerfile/pols/check-missing-signature-options.yaml index 924de342..dee5ae84 100644 --- a/charts/best-practices-dockerfile/pols/check-missing-signature-options.yaml +++ b/charts/best-practices-dockerfile/pols/check-missing-signature-options.yaml @@ -14,6 +14,8 @@ spec: rules: - name: check-missing-signature-options match: + all: + - ($analyzer.resource.type): dockerfile any: - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true assert: 
diff --git a/charts/best-practices-dockerfile/pols/check-nogpgcheck.yaml b/charts/best-practices-dockerfile/pols/check-nogpgcheck.yaml index 17e86e0e..20328a99 100644 --- a/charts/best-practices-dockerfile/pols/check-nogpgcheck.yaml +++ b/charts/best-practices-dockerfile/pols/check-nogpgcheck.yaml @@ -17,6 +17,8 @@ spec: rules: - name: check-nogpgcheck match: + all: + - ($analyzer.resource.type): dockerfile any: - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true assert: diff --git a/charts/best-practices-dockerfile/pols/check-npm-config-strict-ssl.yaml b/charts/best-practices-dockerfile/pols/check-npm-config-strict-ssl.yaml index 63badf49..1542d787 100644 --- a/charts/best-practices-dockerfile/pols/check-npm-config-strict-ssl.yaml +++ b/charts/best-practices-dockerfile/pols/check-npm-config-strict-ssl.yaml @@ -15,6 +15,8 @@ spec: rules: - name: check-npm-config-strict-ssl match: + all: + - ($analyzer.resource.type): dockerfile any: - (Stages[].Commands[?Name=='ENV'] | length(@) > `0`): true assert: diff --git a/charts/best-practices-dockerfile/pols/check-unauthentication-install.yaml b/charts/best-practices-dockerfile/pols/check-unauthentication-install.yaml index 957e59d2..685696ec 100644 --- a/charts/best-practices-dockerfile/pols/check-unauthentication-install.yaml +++ b/charts/best-practices-dockerfile/pols/check-unauthentication-install.yaml @@ -12,6 +12,8 @@ spec: rules: - name: detect-unauthenticated-flag match: + all: + - ($analyzer.resource.type): dockerfile any: - (Stages[].Commands[?Name=='RUN'].CmdLine[] | length(@) > `0`): true assert: diff --git a/charts/best-practices-dockerfile/pols/detect-multiple-instructions.yaml b/charts/best-practices-dockerfile/pols/detect-multiple-instructions.yaml index 8256db78..80637679 100644 --- a/charts/best-practices-dockerfile/pols/detect-multiple-instructions.yaml +++ b/charts/best-practices-dockerfile/pols/detect-multiple-instructions.yaml 
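Review bot: The presence check in check-unauthentication-install.yaml uses `Stages[].Commands[?Name=='RUN'].CmdLine[]` while every sibling RUN policy in this commit uses `CmdLine[][]`, so this rule counts RUN command arrays where the others count flattened tokens. For a `length(@) > 0` guard the two are equivalent in practice, but the divergent projection depth suggests the assert block (outside the hunk) may also be operating on a different shape, which is worth verifying against a Dockerfile with a single `RUN apt-get install --allow-unauthenticated ...` line. For consistency I would change the line to `- (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true`.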
@@ -12,6 +12,8 @@ spec: rules: - name: detect-multiple-instructions match: + all: + - ($analyzer.resource.type): dockerfile any: - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true assert: diff --git a/charts/best-practices-dockerfile/pols/disallow-sudo-operations.yaml b/charts/best-practices-dockerfile/pols/disallow-sudo-operations.yaml index a508f627..815cb173 100644 --- a/charts/best-practices-dockerfile/pols/disallow-sudo-operations.yaml +++ b/charts/best-practices-dockerfile/pols/disallow-sudo-operations.yaml @@ -12,6 +12,8 @@ spec: rules: - name: detect-sudo-operations match: + all: + - ($analyzer.resource.type): dockerfile any: - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true assert: diff --git a/charts/best-practices-dockerfile/pols/prefer-copy-over-add.yaml b/charts/best-practices-dockerfile/pols/prefer-copy-over-add.yaml index d54eb771..02a519fb 100644 --- a/charts/best-practices-dockerfile/pols/prefer-copy-over-add.yaml +++ b/charts/best-practices-dockerfile/pols/prefer-copy-over-add.yaml @@ -12,6 +12,8 @@ spec: rules: - name: prefer-copy-over-add match: + all: + - ($analyzer.resource.type): dockerfile any: - (Stages[].Commands[] | length(@) > `0`): true assert: diff --git a/charts/best-practices-dockerfile/pols/validate-base-image-tag.yaml b/charts/best-practices-dockerfile/pols/validate-base-image-tag.yaml index b3c60eba..e5cc3d54 100644 --- a/charts/best-practices-dockerfile/pols/validate-base-image-tag.yaml +++ b/charts/best-practices-dockerfile/pols/validate-base-image-tag.yaml @@ -12,6 +12,8 @@ spec: rules: - name: validate-base-image-tag match: + all: + - ($analyzer.resource.type): dockerfile any: - (Stages[].From | length(@) > `0`): true assert: diff --git a/charts/best-practices-dockerfile/pols/validate-expose-port-22.yaml b/charts/best-practices-dockerfile/pols/validate-expose-port-22.yaml index 23b82ed3..d6642308 100644 --- a/charts/best-practices-dockerfile/pols/validate-expose-port-22.yaml 
+++ b/charts/best-practices-dockerfile/pols/validate-expose-port-22.yaml @@ -12,6 +12,8 @@ spec: rules: - name: prefer-copy-over-add match: + all: + - ($analyzer.resource.type): dockerfile any: - (Stages[].Commands[?Name=='EXPOSE'][] | length(@) > `0`): true assert: diff --git a/charts/best-practices-dockerfile/pols/validate-user-instruction.yaml b/charts/best-practices-dockerfile/pols/validate-user-instruction.yaml index 4354b502..620decdf 100644 --- a/charts/best-practices-dockerfile/pols/validate-user-instruction.yaml +++ b/charts/best-practices-dockerfile/pols/validate-user-instruction.yaml @@ -12,6 +12,8 @@ spec: rules: - name: validate-user-instruction match: + all: + - ($analyzer.resource.type): dockerfile any: - (Stages[].Commands[] | length(@) > `0`): true assert: From 02e8b7711ac0d6e524e245810d1919da15234e89 Mon Sep 17 00:00:00 2001 From: Anushka Mittal Date: Thu, 30 May 2024 11:10:15 +0530 Subject: [PATCH 3/3] fix: match block in dockerfile pset 
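Review bot: The hunk context for validate-expose-port-22.yaml shows the rule is named `prefer-copy-over-add`, a copy-paste leftover from the sibling policy; the commit adds the analyzer-type guard right under it without correcting the name. Rule names surface in policy reports and are how a reader traces a finding back to its check, so an EXPOSE 22 violation reported as "prefer-copy-over-add" is actively misleading. Change the context line to `- name: validate-expose-port-22`. The assert block continues outside the hunk.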
Signed-off-by: Anushka Mittal --- .../pols/check-allow-untrusted-flag.yaml | 1 - .../pols/check-certificate-validation-curl.yaml | 1 - .../pols/check-certificate-validation-nodejs-env-var.yaml | 1 - .../pols/check-certificate-validation-pip3.yaml | 1 - .../pols/check-certificate-validation-python-env-var.yaml | 1 - .../pols/check-certificate-validation-wget.yaml | 1 - charts/best-practices-dockerfile/pols/check-last-user.yaml | 1 - .../pols/check-missing-signature-options.yaml | 1 - charts/best-practices-dockerfile/pols/check-nogpgcheck.yaml | 1 - .../pols/check-npm-config-strict-ssl.yaml | 1 - .../pols/check-unauthentication-install.yaml | 1 - .../pols/detect-multiple-instructions.yaml | 1 - .../pols/disallow-sudo-operations.yaml | 1 - charts/best-practices-dockerfile/pols/prefer-copy-over-add.yaml | 1 - .../best-practices-dockerfile/pols/validate-base-image-tag.yaml | 1 - .../best-practices-dockerfile/pols/validate-expose-port-22.yaml | 1 - .../pols/validate-healthcheck-instruction.yaml | 2 ++ .../pols/validate-user-instruction.yaml | 1 - 18 files changed, 2 insertions(+), 17 deletions(-) diff --git a/charts/best-practices-dockerfile/pols/check-allow-untrusted-flag.yaml b/charts/best-practices-dockerfile/pols/check-allow-untrusted-flag.yaml index 03e9fc67..1f73c101 100644 --- a/charts/best-practices-dockerfile/pols/check-allow-untrusted-flag.yaml +++ b/charts/best-practices-dockerfile/pols/check-allow-untrusted-flag.yaml @@ -14,7 +14,6 @@ spec: match: all: - ($analyzer.resource.type): dockerfile - any: - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true assert: any: diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-curl.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-curl.yaml index 7ae9453e..00884167 100644 --- a/charts/best-practices-dockerfile/pols/check-certificate-validation-curl.yaml +++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-curl.yaml 
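Review bot: With `any:` removed, the match block of check-allow-untrusted-flag.yaml now requires `($analyzer.resource.type): dockerfile` unconditionally, so when the policy is evaluated in a context that does not bind `$analyzer` (for example a plain kyverno-json run outside the analyzer) the rule presumably matches nothing and the Dockerfile is reported clean rather than failing loudly; I cannot confirm the engine's behavior from the hunk, so please verify. If that is the case, a one-line comment above the `all:` list such as `# requires the analyzer context; the rule is skipped, not failed, when $analyzer is unset` would document the operational caveat. The assert block continues outside the hunk.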
@@ -14,7 +14,6 @@ spec: match: all: - ($analyzer.resource.type): dockerfile - any: - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true assert: any: diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-nodejs-env-var.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-nodejs-env-var.yaml index 5794d7ce..8c5b3b8e 100644 --- a/charts/best-practices-dockerfile/pols/check-certificate-validation-nodejs-env-var.yaml +++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-nodejs-env-var.yaml @@ -17,7 +17,6 @@ spec: match: all: - ($analyzer.resource.type): dockerfile - any: - (Stages[].Commands[?Name=='ENV'] | length(@) > `0`): true assert: any: diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-pip3.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-pip3.yaml index 4391081b..a7e6c59e 100644 --- a/charts/best-practices-dockerfile/pols/check-certificate-validation-pip3.yaml +++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-pip3.yaml @@ -14,7 +14,6 @@ spec: match: all: - ($analyzer.resource.type): dockerfile - any: - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true assert: all: diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-python-env-var.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-python-env-var.yaml index 23d68533..96206d13 100644 --- a/charts/best-practices-dockerfile/pols/check-certificate-validation-python-env-var.yaml +++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-python-env-var.yaml @@ -17,7 +17,6 @@ spec: match: all: - ($analyzer.resource.type): dockerfile - any: - (Stages[].Commands[?Name=='ENV'] | length(@) > `0`): true assert: any: 
diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-wget.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-wget.yaml index 86500994..f5ab4c7a 100644 --- a/charts/best-practices-dockerfile/pols/check-certificate-validation-wget.yaml +++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-wget.yaml @@ -14,7 +14,6 @@ spec: match: all: - ($analyzer.resource.type): dockerfile - any: - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true assert: any: diff --git a/charts/best-practices-dockerfile/pols/check-last-user.yaml b/charts/best-practices-dockerfile/pols/check-last-user.yaml index 49879cb8..c8bbf16b 100644 --- a/charts/best-practices-dockerfile/pols/check-last-user.yaml +++ b/charts/best-practices-dockerfile/pols/check-last-user.yaml @@ -14,7 +14,6 @@ spec: match: all: - ($analyzer.resource.type): dockerfile - any: - (Stages[].Commands[?Name=='USER'][] | length(@) > `0`): true assert: any: diff --git a/charts/best-practices-dockerfile/pols/check-missing-signature-options.yaml b/charts/best-practices-dockerfile/pols/check-missing-signature-options.yaml index dee5ae84..54637cad 100644 --- a/charts/best-practices-dockerfile/pols/check-missing-signature-options.yaml +++ b/charts/best-practices-dockerfile/pols/check-missing-signature-options.yaml @@ -16,7 +16,6 @@ spec: match: all: - ($analyzer.resource.type): dockerfile - any: - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true assert: all: diff --git a/charts/best-practices-dockerfile/pols/check-nogpgcheck.yaml b/charts/best-practices-dockerfile/pols/check-nogpgcheck.yaml index 20328a99..d4bb450e 100644 --- a/charts/best-practices-dockerfile/pols/check-nogpgcheck.yaml +++ b/charts/best-practices-dockerfile/pols/check-nogpgcheck.yaml @@ -19,7 +19,6 @@ spec: match: all: - ($analyzer.resource.type): dockerfile - any: - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true assert: all: 
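Review bot: In check-last-user.yaml the presence condition `Stages[].Commands[?Name=='USER'][] | length(@) > `0`` is now a mandatory `all:` member, so a Dockerfile that never sets USER at all (and therefore runs as root) is not evaluated by this rule; that case appears to be left to validate-user-instruction.yaml, but nothing in this file says so. A comment on the condition line, `# only evaluates Dockerfiles that set USER; a missing USER is caught by validate-user-instruction`, would make the division of responsibility explicit and keep someone from "fixing" the match later. The assert block continues outside the hunk.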
diff --git a/charts/best-practices-dockerfile/pols/check-npm-config-strict-ssl.yaml b/charts/best-practices-dockerfile/pols/check-npm-config-strict-ssl.yaml index 1542d787..faff2f1a 100644 --- a/charts/best-practices-dockerfile/pols/check-npm-config-strict-ssl.yaml +++ b/charts/best-practices-dockerfile/pols/check-npm-config-strict-ssl.yaml @@ -17,7 +17,6 @@ spec: match: all: - ($analyzer.resource.type): dockerfile - any: - (Stages[].Commands[?Name=='ENV'] | length(@) > `0`): true assert: any: diff --git a/charts/best-practices-dockerfile/pols/check-unauthentication-install.yaml b/charts/best-practices-dockerfile/pols/check-unauthentication-install.yaml index 685696ec..9b703cda 100644 --- a/charts/best-practices-dockerfile/pols/check-unauthentication-install.yaml +++ b/charts/best-practices-dockerfile/pols/check-unauthentication-install.yaml @@ -14,7 +14,6 @@ spec: match: all: - ($analyzer.resource.type): dockerfile - any: - (Stages[].Commands[?Name=='RUN'].CmdLine[] | length(@) > `0`): true assert: any: diff --git a/charts/best-practices-dockerfile/pols/detect-multiple-instructions.yaml b/charts/best-practices-dockerfile/pols/detect-multiple-instructions.yaml index 80637679..1c1bd3a9 100644 --- a/charts/best-practices-dockerfile/pols/detect-multiple-instructions.yaml +++ b/charts/best-practices-dockerfile/pols/detect-multiple-instructions.yaml @@ -14,7 +14,6 @@ spec: match: all: - ($analyzer.resource.type): dockerfile - any: - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true assert: all: diff --git a/charts/best-practices-dockerfile/pols/disallow-sudo-operations.yaml b/charts/best-practices-dockerfile/pols/disallow-sudo-operations.yaml index 815cb173..c8df1493 100644 --- a/charts/best-practices-dockerfile/pols/disallow-sudo-operations.yaml +++ b/charts/best-practices-dockerfile/pols/disallow-sudo-operations.yaml 
@@ -14,7 +14,6 @@ spec: match: all: - ($analyzer.resource.type): dockerfile - any: - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true assert: any: diff --git a/charts/best-practices-dockerfile/pols/prefer-copy-over-add.yaml b/charts/best-practices-dockerfile/pols/prefer-copy-over-add.yaml index 02a519fb..a6d83802 100644 --- a/charts/best-practices-dockerfile/pols/prefer-copy-over-add.yaml +++ b/charts/best-practices-dockerfile/pols/prefer-copy-over-add.yaml @@ -14,7 +14,6 @@ spec: match: all: - ($analyzer.resource.type): dockerfile - any: - (Stages[].Commands[] | length(@) > `0`): true assert: any: diff --git a/charts/best-practices-dockerfile/pols/validate-base-image-tag.yaml b/charts/best-practices-dockerfile/pols/validate-base-image-tag.yaml index e5cc3d54..68d3f58a 100644 --- a/charts/best-practices-dockerfile/pols/validate-base-image-tag.yaml +++ b/charts/best-practices-dockerfile/pols/validate-base-image-tag.yaml @@ -14,7 +14,6 @@ spec: match: all: - ($analyzer.resource.type): dockerfile - any: - (Stages[].From | length(@) > `0`): true assert: any: diff --git a/charts/best-practices-dockerfile/pols/validate-expose-port-22.yaml b/charts/best-practices-dockerfile/pols/validate-expose-port-22.yaml index d6642308..935c7460 100644 --- a/charts/best-practices-dockerfile/pols/validate-expose-port-22.yaml +++ b/charts/best-practices-dockerfile/pols/validate-expose-port-22.yaml @@ -14,7 +14,6 @@ spec: match: all: - ($analyzer.resource.type): dockerfile - any: - (Stages[].Commands[?Name=='EXPOSE'][] | length(@) > `0`): true assert: any: diff --git a/charts/best-practices-dockerfile/pols/validate-healthcheck-instruction.yaml b/charts/best-practices-dockerfile/pols/validate-healthcheck-instruction.yaml index 4da628b6..123f6af4 100644 --- a/charts/best-practices-dockerfile/pols/validate-healthcheck-instruction.yaml +++ b/charts/best-practices-dockerfile/pols/validate-healthcheck-instruction.yaml 
@@ -12,6 +12,8 @@ spec: rules: - name: validate-healthcheck-instruction match: + all: + - ($analyzer.resource.type): dockerfile any: - (Stages[].Commands[] | length(@) > `0`): true assert: diff --git a/charts/best-practices-dockerfile/pols/validate-user-instruction.yaml b/charts/best-practices-dockerfile/pols/validate-user-instruction.yaml index 620decdf..589e061a 100644 --- a/charts/best-practices-dockerfile/pols/validate-user-instruction.yaml +++ b/charts/best-practices-dockerfile/pols/validate-user-instruction.yaml @@ -14,7 +14,6 @@ spec: match: all: - ($analyzer.resource.type): dockerfile - any: - (Stages[].Commands[] | length(@) > `0`): true assert: any:
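Review bot: validate-healthcheck-instruction.yaml ends this "fix: match block" commit in the shape the other 17 policies just moved away from: the new `all:` list holds only the analyzer-type guard while the Stages presence check stays under a separate `any:` key. Whether the engine treats `all` and `any` side by side as a conjunction is not visible here, so the inconsistency is at minimum a maintenance trap and at worst a different match semantic for this one rule. Make it match the others by replacing the `any:` key and its item with a second `all:` member: `all:` / `- ($analyzer.resource.type): dockerfile` / `- (Stages[].Commands[] | length(@) > `0`): true`. The assert block continues outside the hunk.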