chore(policies): Update policy schema on all policies (#1237)
* chore(policies): Update policy schema on all policies

Signed-off-by: Simar <[email protected]>

* fix tests

Signed-off-by: Simar <[email protected]>

---------

Signed-off-by: Simar <[email protected]>
simar7 authored Mar 15, 2023
1 parent f762dad commit 446d5f7
Showing 180 changed files with 183 additions and 181 deletions.
2 changes: 1 addition & 1 deletion rules/cloud/policies/aws/rds/disable_public_access.rego
Expand Up @@ -3,7 +3,7 @@
# description: "Ensures RDS instances are not launched into the public cloud."
# scope: package
# schemas:
# - input: schema.input
# - input: schema["cloud"]
# related_resources:
# - http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html
# custom:
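Review bot: The new `schema["cloud"]` on the changed `schemas:` entry is a bare string key with nothing in this hunk tying it to a schema definition, so a misspelled or unregistered name is not caught by anything visible here; the same applies to `schema["dockerfile"]` and `schema["kubernetes"]` in every other section of this commit. The "fix tests" step in the description suggests the type check does run against the schema set somewhere in CI, but the hunk cannot confirm that all three names are covered. A short comment next to the entry would make the coupling explicit, e.g. `# "cloud" must match the key under which the cloud schema is registered in the schema set`. The metadata block continues outside the hunk.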
Expand Up @@ -3,7 +3,7 @@
# description: "Ensure deletion protection is enabled for RDS database instances."
# scope: package
# schemas:
# - input: schema.input
# - input: schema["cloud"]
# related_resources:
# - https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-rds-now-provides-database-deletion-protection/
# custom:
2 changes: 1 addition & 1 deletion rules/cloud/policies/aws/rds/enable_iam_auth.rego
Expand Up @@ -3,7 +3,7 @@
# description: "Ensure IAM Database Authentication is enabled for RDS database instances to manage database access"
# scope: package
# schemas:
# - input: schema.input
# - input: schema["cloud"]
# related_resources:
# - https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html
# custom:
2 changes: 1 addition & 1 deletion rules/docker/policies/add_instead_of_copy.rego
Expand Up @@ -5,7 +5,7 @@
# related_resources:
# - https://docs.docker.com/engine/reference/builder/#add
# schemas:
# - input: schema["input"]
# - input: schema["dockerfile"]
# custom:
# id: DS005
# avd_id: AVD-DS-0005
Expand Up @@ -5,7 +5,7 @@
# related_resources:
# - https://docs.docker.com/engine/reference/builder/#run
# schemas:
# - input: schema["input"]
# - input: schema["dockerfile"]
# custom:
# schema_version: 1
# id: DS021
Expand Up @@ -3,7 +3,7 @@
# description: "COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["dockerfile"]
# related_resources:
# - https://docs.docker.com/develop/develop-images/multistage-build/
# custom:
Expand Up @@ -3,7 +3,7 @@
# description: "When a COPY command has more than two arguments, the last one should end with a slash."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["dockerfile"]
# related_resources:
# - https://docs.docker.com/engine/reference/builder/#copy
# custom:
2 changes: 1 addition & 1 deletion rules/docker/policies/latest_tag.rego
Expand Up @@ -3,7 +3,7 @@
# description: "When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["dockerfile"]
# custom:
# id: DS001
# avd_id: AVD-DS-0001
2 changes: 1 addition & 1 deletion rules/docker/policies/maintainer_is_deprecated.rego
Expand Up @@ -3,7 +3,7 @@
# description: "MAINTAINER has been deprecated since Docker 1.13.0."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["dockerfile"]
# related_resources:
# - https://docs.docker.com/engine/deprecated/#maintainer-in-dockerfile
# custom:
2 changes: 1 addition & 1 deletion rules/docker/policies/missing_apk_no_cache.rego
Expand Up @@ -3,7 +3,7 @@
# description: "You should use 'apk add' with '--no-cache' to clean package cached data and reduce image size."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["dockerfile"]
# related_resources:
# - https://github.com/gliderlabs/docker-alpine/blob/master/docs/usage.md#disabling-cache
# custom:
2 changes: 1 addition & 1 deletion rules/docker/policies/missing_dnf_clean_all.rego
Expand Up @@ -3,7 +3,7 @@
# description: "Cached package data should be cleaned after installation to reduce image size."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["dockerfile"]
# related_resources:
# - https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
# custom:
2 changes: 1 addition & 1 deletion rules/docker/policies/missing_zypper_clean.rego
Expand Up @@ -3,7 +3,7 @@
# description: "The layer and image size should be reduced by deleting unneeded caches after running zypper."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["dockerfile"]
# related_resources:
# - https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
# custom:
Expand Up @@ -3,7 +3,7 @@
# description: "There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["dockerfile"]
# related_resources:
# - https://docs.docker.com/engine/reference/builder/#cmd
# custom:
Expand Up @@ -3,7 +3,7 @@
# description: "There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["dockerfile"]
# related_resources:
# - https://docs.docker.com/engine/reference/builder/#entrypoint
# custom:
Expand Up @@ -3,7 +3,7 @@
# description: "Providing more than one HEALTHCHECK instruction per stage is confusing and error-prone."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["dockerfile"]
# related_resources:
# - https://docs.docker.com/engine/reference/builder/#healthcheck
# custom:
2 changes: 1 addition & 1 deletion rules/docker/policies/no_healthcheck_instruction.rego
Expand Up @@ -3,7 +3,7 @@
# description: "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["dockerfile"]
# related_resources:
# - https://blog.aquasec.com/docker-security-best-practices
# custom:
2 changes: 1 addition & 1 deletion rules/docker/policies/port22.rego
Expand Up @@ -3,7 +3,7 @@
# description: "Exposing port 22 might allow users to SSH into the container."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["dockerfile"]
# custom:
# id: DS004
# avd_id: AVD-DS-0004
2 changes: 1 addition & 1 deletion rules/docker/policies/root_user.rego
Expand Up @@ -3,7 +3,7 @@
# description: "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["dockerfile"]
# related_resources:
# - https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
# custom:
2 changes: 1 addition & 1 deletion rules/docker/policies/run_apt_get_dist_upgrade.rego
Expand Up @@ -3,7 +3,7 @@
# description: "'apt-get dist-upgrade' upgrades a major version so it doesn't make more sense in Dockerfile."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["dockerfile"]
# custom:
# id: DS024
# avd_id: AVD-DS-0024
Expand Up @@ -3,7 +3,7 @@
# description: "Use WORKDIR instead of proliferating instructions like 'RUN cd … && do-something', which are hard to read, troubleshoot, and maintain."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["dockerfile"]
# related_resources:
# - https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir
# custom:
2 changes: 1 addition & 1 deletion rules/docker/policies/run_using_sudo.rego
Expand Up @@ -3,7 +3,7 @@
# description: "Avoid using 'RUN' with 'sudo' commands, as it can lead to unpredictable behavior."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["dockerfile"]
# related_resources:
# - https://docs.docker.com/engine/reference/builder/#run
# custom:
2 changes: 1 addition & 1 deletion rules/docker/policies/run_using_wget_and_curl.rego
Expand Up @@ -3,7 +3,7 @@
# description: "Avoid using both 'wget' and 'curl' since these tools have the same effect."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["dockerfile"]
# related_resources:
# - https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
# custom:
2 changes: 1 addition & 1 deletion rules/docker/policies/same_alias_in_different_froms.rego
Expand Up @@ -3,7 +3,7 @@
# description: "Different FROMs can't have the same alias defined."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["dockerfile"]
# related_resources:
# - https://docs.docker.com/develop/develop-images/multistage-build/
# custom:
2 changes: 1 addition & 1 deletion rules/docker/policies/unix_ports_out_of_range.rego
Expand Up @@ -3,7 +3,7 @@
# description: "UNIX ports outside the range 0-65535 are exposed."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["dockerfile"]
# related_resources:
# - https://docs.docker.com/engine/reference/builder/#expose
# custom:
2 changes: 1 addition & 1 deletion rules/docker/policies/update_instruction_alone.rego
Expand Up @@ -3,7 +3,7 @@
# description: "The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["dockerfile"]
# related_resources:
# - https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
# custom:
2 changes: 1 addition & 1 deletion rules/docker/policies/workdir_path_not_absolute.rego
Expand Up @@ -3,7 +3,7 @@
# description: "For clarity and reliability, you should always use absolute paths for your WORKDIR."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["dockerfile"]
# related_resources:
# - https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir
# custom:
2 changes: 1 addition & 1 deletion rules/docker/policies/yum_clean_all_missing.rego
Expand Up @@ -3,7 +3,7 @@
# description: "You should use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["dockerfile"]
# related_resources:
# - https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
# custom:
Expand Up @@ -3,7 +3,7 @@
# description: "ensure that default namespace should not be used"
# scope: package
# schemas:
# - input: schema.input
# - input: schema["kubernetes"]
# related_resources:
# - https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
# custom:
Expand Up @@ -3,7 +3,7 @@
# description: "Security best practices require containers to run with minimal required capabilities."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["kubernetes"]
# related_resources:
# - https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
# custom:
Expand Up @@ -3,7 +3,7 @@
# description: "Managing /etc/hosts aliases can prevent the container engine from modifying the file after a pod’s containers have already been started."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["kubernetes"]
# custom:
# id: KSV007
# avd_id: AVD-KSV-0007
Expand Up @@ -3,7 +3,7 @@
# description: "ensure limit range policy has configure in order to limit resource usage for namespaces or nodes"
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["kubernetes"]
# related_resources:
# - https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/
# custom:
Expand Up @@ -3,7 +3,7 @@
# description: "ensure resource quota policy has configure in order to limit aggregate resource usage within namespace"
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["kubernetes"]
# related_resources:
# - https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/
# custom:
Expand Up @@ -3,7 +3,7 @@
# description: "Containers should only use images from trusted registries."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["kubernetes"]
# custom:
# id: KSV032
# avd_id: AVD-KSV-0032
Expand Up @@ -3,7 +3,7 @@
# description: "Container images from non-ECR registries should be forbidden."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["kubernetes"]
# custom:
# id: KSV035
# avd_id: AVD-KSV-0035
Expand Up @@ -3,7 +3,7 @@
# description: "Containers should only use images from trusted GCR registries."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["kubernetes"]
# custom:
# id: KSV033
# avd_id: AVD-KSV-0033
Expand Up @@ -3,7 +3,7 @@
# description: "Container images must not start with an empty prefix or a defined public registry domain."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["kubernetes"]
# custom:
# id: KSV034
# avd_id: AVD-KSV-0034
Expand Up @@ -3,7 +3,7 @@
# description: "ensure that User pods are not placed in kube-system namespace"
# scope: package
# schemas:
# - input: schema.input
# - input: schema["kubernetes"]
# related_resources:
# - https://kubernetes.io/docs/reference/setup-tools/kubeadm/implementation-details/
# custom:
Expand Up @@ -3,7 +3,7 @@
# description: "ensure that Pod specifications disable the secret token being mounted by setting automountServiceAccountToken: false"
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["kubernetes"]
# related_resources:
# - https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#serviceaccount-admission-controller
# custom:
Expand Up @@ -3,7 +3,7 @@
# description: "ensure that network policies selectors are applied to pods or namespaces to restricted ingress and egress traffic within the pod network"
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["kubernetes"]
# related_resources:
# - https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/
# custom:
Expand Up @@ -3,7 +3,7 @@
# description: "Storing secrets in configMaps is unsafe"
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["kubernetes"]
# custom:
# id: AVD-KSV-0109
# avd_id: AVD-KSV-0109
Expand Up @@ -3,7 +3,7 @@
# description: "Storing sensitive content such as usernames and email addresses in configMaps is unsafe"
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["kubernetes"]
# custom:
# id: AVD-KSV-0110
# avd_id: AVD-KSV-01010
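Review bot: In the context lines of this hunk the two identifier fields disagree: `id: AVD-KSV-0110` but `avd_id: AVD-KSV-01010`, which looks like a typo for `AVD-KSV-0110`; the commit touches only the `schemas:` entry and leaves the mismatch in place. The neighbouring sections with `id: AVD-KSV-0109` and `id: AVD-KSV-0108` also use the `AVD-KSV-` prefix for `id`, while the other Kubernetes policies in this commit use the short form (`id: KSV032`, `avd_id: AVD-KSV-0032`), so it is worth confirming which of the two fields the consumer keys on before relying on either. The metadata block continues outside the hunk.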
Expand Up @@ -3,7 +3,7 @@
# description: "Services with external IP addresses allows direct access from the internet and might expose risk for CVE-2020-8554"
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["kubernetes"]
# custom:
# id: AVD-KSV-0108
# avd_id: AVD-KSV-0108
Expand Up @@ -3,7 +3,7 @@
# description: "Ensure that the admin config file ownership is set to root:root."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["kubernetes"]
# related_resources:
# - https://www.cisecurity.org/benchmark/kubernetes
# custom:
Expand Up @@ -3,7 +3,7 @@
# description: "Ensure that the admin config file has permissions of 600 or more restrictive."
# scope: package
# schemas:
# - input: schema["input"]
# - input: schema["kubernetes"]
# related_resources:
# - https://www.cisecurity.org/benchmark/kubernetes
# custom: