feat: create chart for best practices for Dockerfile

charts/best-practices-dockerfile/Chart.yaml

@@ -0,0 +1,14 @@
+apiVersion: v2
+name: best-practices-dockerfile
+description: Best practices Dockerfile policy set
+type: application
+version: 0.1.0
+appVersion: 0.1.0
+keywords:
+  - kubernetes
+  - nirmata
+  - kyverno
+  - policy
+maintainers:
+  - name: Nirmata
+    url: https://nirmata.com/

charts/best-practices-dockerfile/pols/check-allow-untrusted-flag.yaml

@@ -0,0 +1,24 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: detect-untrusted-flag
+  annotations:
+    policies.kyverno.io/title: Check for untrusted flag in Dockerfile
+    policies.kyverno.io/category: Dockerfile Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy ensures that Dockerfile do not contain the '--allow-untrusted' flag.
+spec:
+  rules:
+    - name: detect-untrusted-flag
+      match:
+        all:
+        - ($analyzer.resource.type): dockerfile
+        any:
+        - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true
+      assert:
+        any:
+        - message: Dockerfile contains the '--allow-untrusted' which is not preferred
+          check:
+            ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+               (contains(@, '--allow-untrusted') && (contains(@, 'apk'))): false

charts/best-practices-dockerfile/pols/check-certificate-validation-curl.yaml

@@ -0,0 +1,24 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: check-certificate-validation-curl
+  annotations:
+    policies.kyverno.io/title: Check for certificate validation using curl in the Dockerfile
+    policies.kyverno.io/category: Dockerfile Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy checks whether certificate validation is disabled in the Dockerfile using --insecure option when running the curl command
+spec:
+  rules:
+    - name: check-certificate-validation-curl
+      match:
+        all:
+        - ($analyzer.resource.type): dockerfile
+        any:
+        - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true
+      assert:
+        any:
+        - message: Ensure certificate validation is enabled by not using `--insecure` option
+          check:
+            ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+               ((starts_with(@, 'curl ') || contains(@, ' curl ')) && (contains(@, ' --insecure'))): false

charts/best-practices-dockerfile/pols/check-certificate-validation-nodejs-env-var.yaml

@@ -0,0 +1,26 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: check-certificate-validation-nodejs-env-var
+  annotations:
+    policies.kyverno.io/title: Check for certificate validation in the Dockerfile using Node.js environment variable
+    policies.kyverno.io/category: Dockerfile Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      NODE_TLS_REJECT_UNAUTHORIZED is an environment variable used in Node.js
+      to control TLS certificate verification behavior. This policy checks whether
+      this environment variable is set to 0. By default, it is set to 1, which enables
+      certificate verification.
+spec:
+  rules:
+    - name: check-certificate-validation-nodejs-env-var
+      match:
+        all:
+        - ($analyzer.resource.type): dockerfile
+        any:
+        - (Stages[].Commands[?Name=='ENV'] | length(@) > `0`): true
+      assert:
+        any:
+        - message: Ensure certificate validation is enabled by using `NODE_TLS_REJECT_UNAUTHORIZED` env with value set to `1`
+          check:
+            (Stages[].Commands[].Env[?Key=='NODE_TLS_REJECT_UNAUTHORIZED' && Value=='1'][] | length(@) > `0`): true     

charts/best-practices-dockerfile/pols/check-certificate-validation-pip3.yaml

@@ -0,0 +1,29 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: check-certificate-validation-pip3
+  annotations:
+    policies.kyverno.io/title: Check for certificate validation using pip3 in the Dockerfile
+    policies.kyverno.io/category: Dockerfile Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy checks whether certificate validation is disabled in the Dockerfile using --trusted-host option when running the pip3 command
+spec:
+  rules:
+    - name: check-certificate-validation-pip3
+      match:
+        all:
+        - ($analyzer.resource.type): dockerfile
+        any:
+        - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true
+      assert:
+        all:
+        - message: Ensure certificate validation is enabled by not using `--trusted-host` option with pip
+          check:
+            ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+               ((starts_with(@, 'pip ') || contains(@, ' pip '))  && contains(@, ' --trusted-host')): false
+        - message: Ensure certificate validation is enabled by not using `--trusted-host` option with pip3
+          check:
+            ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+               ((starts_with(@, 'pip3 ') || contains(@, ' pip3 '))  && contains(@, ' --trusted-host')): false
+

charts/best-practices-dockerfile/pols/check-certificate-validation-python-env-var.yaml

@@ -0,0 +1,27 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: check-certificate-validation-python-env-var
+  annotations:
+    policies.kyverno.io/title: Check for certificate validation in the Dockerfile using Python environment variable
+    policies.kyverno.io/category: Dockerfile Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      The PYTHONHTTPSVERIFY environment variable is used in Python to control
+      certificate verification when making HTTPS requests. This policy checks
+      whether this environment variable is set to 0. By default, it is set to 1,
+      which enables certificate verification.
+spec:
+  rules:
+    - name: check-certificate-validation-python-env-var
+      match:
+        all:
+        - ($analyzer.resource.type): dockerfile
+        any:
+        - (Stages[].Commands[?Name=='ENV'] | length(@) > `0`): true
+      assert:
+        any:
+        - message: Ensure certificate validation is enabled by using `PYTHONHTTPSVERIFY` env with value set to `1`
+          check:
+            (Stages[].Commands[].Env[?Key=='PYTHONHTTPSVERIFY' && Value=='1'][] | length(@) > `0`): true     
+

charts/best-practices-dockerfile/pols/check-certificate-validation-wget.yaml

@@ -0,0 +1,24 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: check-certificate-validation-wget
+  annotations:
+    policies.kyverno.io/title: Check for certificate validation using wget in the Dockerfile
+    policies.kyverno.io/category: Dockerfile Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy checks whether certificate validation is disabled in the Dockerfile using --no-check-certificate option when running the wget command
+spec:
+  rules:
+    - name: check-certificate-validation-wget
+      match:
+        all:
+        - ($analyzer.resource.type): dockerfile
+        any:
+        - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true
+      assert:
+        any:
+        - message: Ensure certificate validation is enabled by not using `--no-check-certificate` option
+          check:
+            ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+               ((starts_with(@, 'wget ') || contains(@, ' wget ')) && (contains(@, ' --no-check-certificate'))): false

charts/best-practices-dockerfile/pols/check-last-user.yaml

@@ -0,0 +1,27 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: check-last-user
+  annotations:
+    policies.kyverno.io/title: Check last USER
+    policies.kyverno.io/category: Dockerfile Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy validates that the last USER is not root.
+spec:
+  rules:
+    - name: check-last-user
+      match:
+        all:
+        - ($analyzer.resource.type): dockerfile
+        any:
+        - (Stages[].Commands[?Name=='USER'][] | length(@) > `0`): true
+      assert:
+        any:
+        - message: Default user for the container should not be root
+          check:
+            (Stages[].Commands[?Name=='USER'][]):
+                (@)->array:
+                    (subtract(length($array), `1`))->want:
+                        ~index.($array):
+                            (to_number($index) != $want || !(starts_with(User, '0:') || ends_with(User, ':0') || User == 'root' || User == '0' ) ): true

charts/best-practices-dockerfile/pols/check-missing-signature-options.yaml

@@ -0,0 +1,38 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: check-missing-signature-options
+  annotations:
+    policies.kyverno.io/title: check for missing signature options via rpm
+    policies.kyverno.io/category: Dockerfile Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+        This policy ensures that packages with untrusted or missing signatures
+        are not used by rpm via the ‘–nodigest’, ‘–nosignature’, ‘–noverify’, or
+        ‘–nofiledigest’ options
+spec:
+  rules:
+    - name: check-missing-signature-options
+      match:
+        all:
+        - ($analyzer.resource.type): dockerfile
+        any:
+        - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true
+      assert:
+        all:
+        - message: Ensure that packages with untrusted or missing signatures are not used by rpm via `--nofiledigest` flag
+          check:
+            ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+               ((starts_with(@, 'rpm ') || contains(@, ' rpm '))  && contains(@, ' --nofiledigest')): false
+        - message: Ensure that packages with untrusted or missing signatures are not used by rpm via `--noverify` flag
+          check: 
+            ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+               ((starts_with(@, 'rpm ') || contains(@, ' rpm '))  && contains(@, ' --noverify')): false
+        - message: Ensure that packages with untrusted or missing signatures are not used by rpm via `--nosignature` flag
+          check: 
+            ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+               ((starts_with(@, 'rpm ') || contains(@, ' rpm '))  && contains(@, ' --nosignature')): false
+        - message: Ensure that packages with untrusted or missing signatures are not used by rpm via `--nodigest` flag
+          check: 
+            ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+               ((starts_with(@, 'rpm ') || contains(@, ' rpm '))  && contains(@, ' --nodigest')): false

charts/best-practices-dockerfile/pols/check-nogpgcheck.yaml

@@ -0,0 +1,37 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: check-nogpgcheck
+  annotations:
+    policies.kyverno.io/title: Check for GPG signature when using yum/dnf/tdnf in the Dockerfile
+    policies.kyverno.io/category: Dockerfile Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+        GPG signature checking is a security feature that verifies
+        the authenticity and integrity of packages before they are
+        installed on a system. When nogpgcheck is enabled, dnf, tdnf,
+        or yum will not verify the GPG signatures associated with the packages,
+        potentially exposing the system to security risks if the packages have been
+        tampered with or are not from trusted sources.
+spec:
+  rules:
+    - name: check-nogpgcheck
+      match:
+        all:
+        - ($analyzer.resource.type): dockerfile
+        any:
+        - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true
+      assert:
+        all:
+        - message: Enable GPG signature checking with yum by not using `--nogpgcheck` flag
+          check:
+            ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+               ((starts_with(@, 'yum ') || contains(@, ' yum '))  && contains(@, ' --nogpgcheck')): false
+        - message: Enable GPG signature checking with dnf by not using `--nogpgcheck` flag 
+          check: 
+            ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+               ((starts_with(@, 'dnf ') || contains(@, ' dnf '))  && contains(@, ' --nogpgcheck')): false
+        - message: Enable GPG signature checking with tdnf by not using `--nogpgcheck` flag 
+          check: 
+            ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+               ((starts_with(@, 'tdnf ') || contains(@, ' tdnf '))  && contains(@, ' --nogpgcheck')): false       

charts/best-practices-dockerfile/pols/check-npm-config-strict-ssl.yaml

@@ -0,0 +1,26 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: check-npm-config-strict-ssl
+  annotations:
+    policies.kyverno.io/title: Check for certificate validation in the Dockerfile for npm using `NPM_CONFIG_STRICT_SSL` environemt variable
+    policies.kyverno.io/category: Dockerfile Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      The NPM_CONFIG_STRICT_SSL environment variable is used to control strict SSL
+      certificate validation behavior in npm. This policy ensures that certificate
+      validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet
+      variable.
+spec:
+  rules:
+    - name: check-npm-config-strict-ssl
+      match:
+        all:
+        - ($analyzer.resource.type): dockerfile
+        any:
+        - (Stages[].Commands[?Name=='ENV'] | length(@) > `0`): true
+      assert:
+        any:
+        - message: Ensure certificate validation is enabled by setting `NODE_TLS_REJECT_UNAUTHORIZED` env with value set to `true`
+          check:
+            (Stages[].Commands[].Env[?Key=='NPM_CONFIG_STRICT_SSL' && Value=='true'][] | length(@) > `0`): true

charts/best-practices-dockerfile/pols/check-unauthentication-install.yaml

@@ -0,0 +1,24 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: detect-unauthenticated-flag
+  annotations:
+    policies.kyverno.io/title: Check for unauthenticated flag in Dockerfile
+    policies.kyverno.io/category: Dockerfile Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy ensures that Dockerfile do not contain the '--allow-unauthenticated' flag.
+spec:
+  rules:
+    - name: detect-unauthenticated-flag
+      match:
+        all:
+        - ($analyzer.resource.type): dockerfile
+        any:
+        - (Stages[].Commands[?Name=='RUN'].CmdLine[] | length(@) > `0`): true
+      assert:
+        any:
+        - message: Dockerfile contains the '--allow-unauthenticated' which is not preferred
+          check:
+            ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+               (contains(@, '--allow-unauthenticated') && (contains(@, 'apt-get') || contains(@, 'apt'))): false

charts/best-practices-dockerfile/pols/detect-multiple-instructions.yaml

@@ -0,0 +1,24 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: detect-multiple-instructions
+  annotations:
+    policies.kyverno.io/title: Detect Multiple Instructions in Single Line
+    policies.kyverno.io/category: Dockerfile Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy ensures that Dockerfile Container Image Should Be Built with Minimal Cached Layers
+spec:
+  rules:
+    - name: detect-multiple-instructions
+      match:
+        all:
+        - ($analyzer.resource.type): dockerfile
+        any:
+        - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true
+      assert:
+        all:
+        - message: Found multiple instructions in a single line
+          check:
+            ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+              (contains(@, ' && ')): false

charts/best-practices-dockerfile/pols/disallow-sudo-operations.yaml

@@ -0,0 +1,24 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: disallow-sudo-operations
+  annotations:
+    policies.kyverno.io/title: Check for sudo operation existence
+    policies.kyverno.io/category: Dockerfile Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      Using sudo within a Dockerfile is not recommended to avoid privilege escalation.
+spec:
+  rules:
+    - name: detect-sudo-operations
+      match:
+        all:
+        - ($analyzer.resource.type): dockerfile
+        any:
+        - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true
+      assert:
+        any:
+        - message: Dockerfile contains the 'sudo' operation which is not preferred
+          check:
+            ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+               (starts_with(@, 'sudo ') || contains(@, ' sudo ')): false