Merge pull request #60 from candrews/ds005-file-multi-in

fix(checks): handle `file:` and `multi:` in AVD-DS-005
aquasecurity · Feb 7, 2024 · ecc1ecd · ecc1ecd
2 parents 43c0ea6 + be21df0
commit ecc1ecd
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/checks/docker/add_instead_of_copy.rego b/checks/docker/add_instead_of_copy.rego
@@ -24,12 +24,22 @@ get_add[output] {
 	args := concat(" ", add.Value)
 
 	not contains(args, ".tar")
+
+	not is_command_with_hash(add.Value, "file:")
+	not is_command_with_hash(add.Value, "multi:")
+
 	output := {
 		"args": args,
 		"cmd": add,
 	}
 }
 
+is_command_with_hash(cmd, prefix) {
+	count(cmd) == 3
+	startswith(cmd[0], prefix)
+	cmd[1] == "in"
+}
+
 deny[res] {
 	output := get_add[_]
 	msg := sprintf("Consider using 'COPY %s' command instead of 'ADD %s'", [output.args, output.args])

diff --git a/checks/docker/add_instead_of_copy_test.rego b/checks/docker/add_instead_of_copy_test.rego
@@ -44,6 +44,24 @@ test_copy_allowed {
 	count(r) == 0
 }
 
+test_add_file_colon_in_allowed {
+	r := deny with input as {"Stages": [{
+		"Name": "alpine:3.13",
+		"Commands": [{"Cmd": "add", "Value": ["file:8b8864b3e02a33a579dc216fd51b28a6047bc8eeaa03045b258980fe0cf7fcb3", "in", "/xyz"]}],
+	}]}
+
+	count(r) == 0
+}
+
+test_add_multi_colon_in_allowed {
+	r := deny with input as {"Stages": [{
+		"Name": "alpine:3.13",
+		"Commands": [{"Cmd": "add", "Value": ["multi:8b8864b3e02a33a579dc216fd51b28a6047bc8eeaa03045b258980fe0cf7fcb3", "in", "/xyz"]}],
+	}]}
+
+	count(r) == 0
+}
+
 test_add_tar_allowed {
 	r := deny with input as {"Stages": [{
 		"Name": "alpine:3.13",