fix(docker): check the flag after packages
nikpivkin committed Jul 9, 2023
1 parent 3b9a08c commit 61fe626
Showing 2 changed files with 24 additions and 0 deletions.
10 changes: 10 additions & 0 deletions rules/docker/policies/apt_get_missing_no_install_recommends.rego
Expand Up @@ -68,6 +68,10 @@ no_install_flag := `--no-install-recommends`

optional_not_related_flags := `\s*(-(-)?[a-zA-Z]+\s*)*`

# https://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-source
# https://www.debian.org/doc/debian-policy/ch-controlfields.html#version
pkgs := `([a-z\d][a-z\d+\-.]+(?:=[\w.+\-~:]+)?\s*)*`

combined_flags := sprintf(`%s%s%s`, [optional_not_related_flags, no_install_flag, optional_not_related_flags])

# flags before command
Expand All @@ -81,3 +85,9 @@ includes_no_install_recommends(command) {
install_regexp := sprintf(`apt-get%sinstall%s`, [optional_not_related_flags, combined_flags])
regex.match(install_regexp, command)
}

# flags after pkgs
includes_no_install_recommends(command) {
install_regexp := sprintf(`apt-get%sinstall%s%s%s`, [optional_not_related_flags, optional_not_related_flags, pkgs, combined_flags])
regex.match(install_regexp, command)
}
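Review bot: The `pkgs` pattern the new rule depends on (introduced in the first hunk) has no room for an architecture qualifier, so a command such as `apt-get install -y libc6:amd64 --no-install-recommends` is matched by neither `includes_no_install_recommends` body: the name part `[a-z\d][a-z\d+\-.]+` stops at the colon, `combined_flags` then sees `:amd64` instead of a flag, and — as far as the visible rules show — the install is presumably reported as missing the flag. Adding an optional `(?::[a-z\d]+)?` group after the name part of `pkgs`, before the `=version` alternative, closes that gap. Since `regex.match` is unanchored, the pattern also accepts a flag placed between two package names, which is fine but not obvious from the comment; a one-line note above the rule such as `# pkgs: lowercase Debian names, optionally =version pinned; further packages/flags may follow the flag` would make the accepted shapes explicit for the next reader.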
Expand Up @@ -103,3 +103,17 @@ test_chained_allowed {

count(r) == 0
}

test_flags_after_pkgs_allowed {
r := deny with input as {"Stages": [{"Name": "debian:11-slim", "Commands": [
{
"Cmd": "from",
"Value": ["debian:11-slim"],
},
{
"Cmd": "run",
"Value": ["apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y tzdata postgresql-10 --no-install-recommends && rm -rf /var/lib/apt/lists/*"],
},
]}]}
count(r) == 0
}
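Review bot: The new `test_flags_after_pkgs_allowed` only pins the allowed outcome, so a regression in which the new "flags after pkgs" rule matched too loosely would still pass. A sibling `test_flags_after_pkgs_denied` using the same command shape without `--no-install-recommends` (e.g. `apt-get install -y tzdata postgresql-10 --fix-missing`) asserting `count(r) == 1` would lock in both directions. It would also be worth one allowed case that combines a version pin with trailing flags, `apt-get install -y postgresql-10=10.2-1 --no-install-recommends`, since the `pkgs` pattern's version branch is otherwise untested by this commit. The test file's name and the surrounding tests are not visible in this section.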
