Merge pull request #569 from acornett21/conditonally_run_runasnonroot…

…_check

adding in RootExceptionContainerPolicy check list

certification/engine/engine.go

@@ -137,6 +137,18 @@ var scratchContainerPolicy = map[string]certification.Check{
 	// runSystemContainerCheck.Name(): runSystemContainerCheck,
 }
 
+var rootExceptionContainerPolicy = map[string]certification.Check{
+	hasLicenseCheck.Name():        hasLicenseCheck,
+	hasUniqueTagCheck.Name():      hasUniqueTagCheck,
+	maxLayersCheck.Name():         maxLayersCheck,
+	hasNoProhibitedCheck.Name():   hasNoProhibitedCheck,
+	hasRequiredLabelsCheck.Name(): hasRequiredLabelsCheck,
+	basedOnUbiCheck.Name():        basedOnUbiCheck,
+	hasModifiedFilesCheck.Name():  hasModifiedFilesCheck,
+	// runnableContainerCheck.Name():  runnableContainerCheck,
+	// runSystemContainerCheck.Name(): runSystemContainerCheck,
+}
+
 func makeCheckList(checkMap map[string]certification.Check) []string {
 	checks := make([]string, 0, len(checkMap))
 
@@ -158,3 +170,7 @@ func ContainerPolicy() []string {
 func ScratchContainerPolicy() []string {
 	return makeCheckList(scratchContainerPolicy)
 }
+
+func RootExceptionContainerPolicy() []string {
+	return makeCheckList(rootExceptionContainerPolicy)
+}

certification/pyxis/types.go

@@ -102,6 +102,7 @@ type Container struct {
 	Registry         string `json:"registry,omitempty"`
 	Repository       string `json:"repository,omitempty"`
 	OsContentType    string `json:"os_content_type,omitempty"`
+	Privileged       bool   `json:"privileged,omitempty"`
 }
 
 type Layer struct {

cmd/check_container.go

@@ -95,6 +95,11 @@ var checkContainerCmd = &cobra.Command{
 				cfg.EnabledChecks = engine.ScratchContainerPolicy()
 				cfg.Scratch = true
 			}
+
+			// if a partner sets `Host Level Access` in connect to `Privileged`, enable RootExceptionContainerPolicy checks
+			if certProject.Container.Privileged {
+				cfg.EnabledChecks = engine.RootExceptionContainerPolicy()
+			}
 		}
 
 		engine, err := engine.NewForConfig(cfg)