diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 529be556..863ba418 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -90,6 +90,8 @@ In the example above, you'll notice properties are being accessed from the `inpu You should also write a test for your rule(s). There are many examples of these in the `checks/cloud` directory. +This repository formats all rules with the `opa fmt -w ` option, so make sure to run it on your files before you commit. + Finally, you'll want to generate documentation for your newly added rule. Please run `make docs` to generate the documentation for your new policy and submit a PR for us to take a look at. You can see a full example PR for a new rule being added here: [https://github.com/aquasecurity/defsec/pull/1000](https://github.com/aquasecurity/defsec/pull/1000).
diff --git a/checks/docker/update_instruction_alone.rego b/checks/docker/update_instruction_alone.rego
index 74a87253..33406679 100644
--- a/checks/docker/update_instruction_alone.rego
+++ b/checks/docker/update_instruction_alone.rego
@@ -24,6 +24,7 @@ deny[res] { command = concat(" ", run.Value) + is_package_manager(command) is_valid_update(command) not update_followed_by_install(command)
@@ -31,16 +32,16 @@ deny[res] { res := result.new(msg, run) } -is_valid_update(command) { - chained_parts := regex.split(`\s*&&\s*`, command) - - array_split := split(chained_parts[_], " ") +package_manager_regex := `(apk)|(apt-get)|(yum)` - len = count(array_split) +is_package_manager(command) { + regex.match(package_manager_regex, command) +} - update := {"update", "--update"} +update_regex := `( update)|( check-update)` - array_split[len - 1] == update[_] +is_valid_update(command) { + regex.match(update_regex, command) } update_followed_by_install(command) {
diff --git a/checks/docker/update_instruction_alone_test.rego b/checks/docker/update_instruction_alone_test.rego
index 81fc8085..d7fa38ce 100644
--- a/checks/docker/update_instruction_alone_test.rego 
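Review bot: In the `@@ -31,16 +32,16 @@` hunk of update_instruction_alone.rego both new patterns are unanchored, so `is_package_manager` and `is_valid_update` match substrings anywhere in the concatenated command rather than a package-manager invocation: a script path containing `yum` or `apk`, or a quoted argument containing ` update`, satisfies both helpers, and whether the rule then fires depends only on `update_followed_by_install`, whose body lies outside this hunk. `update_regex` also matches longer tokens such as ` updated` or ` update-ca-certificates`. Anchoring on token boundaries keeps the intent of the removed per-token check, e.g. `package_manager_regex := \`(^|\s)(apk|apt-get|yum)\s\`` and `update_regex := \`\s(update|check-update)(\s|$)\``. The removed code also treated a trailing `--update` as an update invocation, which the new regex (space before `update`) no longer does, so a bare `apk --update` is now allowed; confirm that is intended.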
+++ b/checks/docker/update_instruction_alone_test.rego
@@ -77,16 +77,20 @@ test_allowed { }, { "Cmd": "run", - "Value": ["apt-get update && apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/*"], + "Value": ["apt-get update && apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/*"], }, { "Cmd": "run", - "Value": ["apk update && apk add --no-cache git ca-certificates"], + "Value": ["apk update && apk add --no-cache git ca-certificates"], }, { "Cmd": "run", "Value": ["apk --update add easy-rsa"], }, + { + "Cmd": "run", + "Value": ["/bin/sh /scripts/someScript.sh update"], + }, { "Cmd": "entrypoint", "Value": ["mysql"],
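Review bot: The new allowed case `/bin/sh /scripts/someScript.sh update` only covers a command with no package-manager token at all; nothing in `test_allowed` exercises the substring behaviour of the new unanchored `package_manager_regex`, where `yum` or `apk` embedded in a longer path or argument also satisfies `is_package_manager`. An allowed entry such as (constructed) `"Value": ["/opt/yum-tools/run.sh update"]` would be denied by the current substring match and is the false positive this file should pin once the regex is anchored; likewise no visible test covers `yum check-update`, which `update_regex` now recognises. The two `"Value"` lines rewritten in this hunk appear to change only indentation. The enclosing `test_allowed` rule starts before this hunk and its body continues after it.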