Simplify rule to use regex instead of splitting
Add a check that there is actually a package manager in the RUN command.
Morl99 committed Jan 16, 2024
1 parent 3f16e8a commit 129e9b5
Showing 2 changed files with 14 additions and 10 deletions.
16 changes: 8 additions & 8 deletions checks/docker/update_instruction_alone.rego
Expand Up @@ -24,23 +24,23 @@ deny[res] {

command = concat(" ", run.Value)

is_package_manager(command)
is_valid_update(command)
not update_followed_by_install(command)

msg := "The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement."
res := result.new(msg, run)
}

is_valid_update(command) {
chained_parts := regex.split(`\s*&&\s*`, command)

array_split := split(chained_parts[_], " ")

len = count(array_split)
package_manager_regex := `(apk)|(apt-get)|(yum)`

update := {"update", "--update"}
is_package_manager(command) {
regex.match(package_manager_regex, command)
}

array_split[len - 1] == update[_]
update_regex := `( update)|( check-update)`
is_valid_update(command) {
regex.match(update_regex, command)
}

update_followed_by_install(command) {
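Review bot: The `package_manager_regex` value `(apk)|(apt-get)|(yum)` is an unanchored substring match, so `is_package_manager` fires on any RUN command that merely contains those letters (a path like `app.apk`, for instance) and, more importantly for a check whose purpose is catching `RUN <package-manager> update` alone, never recognises plain `apt` — `RUN apt update` is now silently allowed — nor managers such as `dnf`, `microdnf` or `zypper`. Anchoring the alternatives on a token boundary, `\b(apk|apt(-get)?|yum|dnf|microdnf|zypper)\b`, closes both gaps with a one-line change. `update_regex` has the same substring property: `( update)|( check-update)` matches a bare ` update` argument to any command once a manager name appears anywhere in the chained RUN, and whether that produces a false deny depends on `update_followed_by_install`, which lies outside this hunk. The `deny[res]` rule's head is above the hunk and `update_followed_by_install` continues below it.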
8 changes: 6 additions & 2 deletions checks/docker/update_instruction_alone_test.rego
Expand Up @@ -77,16 +77,20 @@ test_allowed {
},
{
"Cmd": "run",
"Value": ["apt-get update && apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/*"],
"Value": ["apt-get update && apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/*"],
},
{
"Cmd": "run",
"Value": ["apk update && apk add --no-cache git ca-certificates"],
"Value": ["apk update && apk add --no-cache git ca-certificates"],
},
{
"Cmd": "run",
"Value": ["apk --update add easy-rsa"],
},
{
"Cmd": "run",
"Value": ["/bin/sh /scripts/someScript.sh update"],
},
{
"Cmd": "entrypoint",
"Value": ["mysql"],
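Review bot: The new allowed case `/bin/sh /scripts/someScript.sh update` only shows that a command with no package-manager name and a trailing `update` is not flagged; it does not pin the substring behaviour of the rewritten regexes, so an input such as `cp app.apk /opt && ./setup.sh update` — which contains both `apk` and ` update` — is matched by `is_package_manager` and `is_valid_update`, and nothing in this test asserts the outcome either way. Consider adding that input next to the new case in `test_allowed`, and, if the file's deny-side test (outside this hunk) does not already cover a lone `RUN apt-get update`, a deny case so the regex path is exercised in both directions. `test_allowed` starts above this hunk and continues below it.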
