From b4da0e77bf649f6711aeff92b7f01b959a8d7418 Mon Sep 17 00:00:00 2001 From: Nikita Pivkin Date: Fri, 6 Dec 2024 13:24:01 +0600 Subject: [PATCH 1/6] feat: add examples for dockerfile checks 
Signed-off-by: Nikita Pivkin --- checks/docker/add_instead_of_copy.yaml | 12 +++++++++ ...issing_yes_flag_to_avoid_manual_input.yaml | 11 ++++++++ ...py_from_references_current_from_alias.yaml | 17 +++++++++++++ ...n_two_arguments_not_ending_with_slash.yaml | 11 ++++++++ checks/docker/latest_tag.yaml | 11 ++++++++ checks/docker/maintainer_is_deprecated.yaml | 10 ++++++++ checks/docker/missing_dnf_clean_all.yaml | 13 ++++++++++ checks/docker/missing_zypper_clean.yaml | 15 +++++++++++ .../multiple_cmd_instructions_listed.yaml | 16 ++++++++++++ ...ltiple_entrypoint_instructions_listed.yaml | 19 ++++++++++++++ .../multiple_healthcheck_instructions.yaml | 20 +++++++++++++++ checks/docker/port22.yaml | 11 ++++++++ checks/docker/root_user.yaml | 10 ++++++++ checks/docker/run_apt_get_dist_upgrade.yaml | 13 ++++++++++ .../run_command_cd_instead_of_workdir.yaml | 13 ++++++++++ checks/docker/run_using_sudo.yaml | 11 ++++++++ checks/docker/run_using_wget_and_curl.yaml | 19 ++++++++++++++ .../docker/same_alias_in_different_froms.yaml | 25 +++++++++++++++++++ checks/docker/unix_ports_out_of_range.yaml | 11 ++++++++ checks/docker/update_instruction_alone.yaml | 14 +++++++++++ checks/docker/workdir_path_not_absolute.yaml | 11 ++++++++ checks/docker/yum_clean_all_missing.yaml | 15 +++++++++++ .../dockerfile/DS001/Dockerfile.allowed | 3 --- .../dockerfile/DS001/Dockerfile.denied | 3 --- .../dockerfile/DS002/Dockerfile.allowed | 3 --- .../dockerfile/DS002/Dockerfile.denied | 2 -- .../dockerfile/DS004/Dockerfile.allowed | 3 --- .../dockerfile/DS004/Dockerfile.denied | 3 --- .../dockerfile/DS005/Dockerfile.allowed | 3 --- .../dockerfile/DS005/Dockerfile.denied | 4 --- .../dockerfile/DS006/Dockerfile.allowed | 6 ----- .../dockerfile/DS006/Dockerfile.denied | 6 ----- .../dockerfile/DS007/Dockerfile.allowed | 6 ----- .../dockerfile/DS007/Dockerfile.denied | 8 ------ .../dockerfile/DS008/Dockerfile.allowed | 3 --- .../dockerfile/DS008/Dockerfile.denied | 3 --- 
.../dockerfile/DS009/Dockerfile.allowed | 3 --- .../dockerfile/DS009/Dockerfile.denied | 3 --- .../dockerfile/DS010/Dockerfile.allowed | 3 --- .../dockerfile/DS010/Dockerfile.denied | 3 --- .../dockerfile/DS011/Dockerfile.allowed | 3 --- .../dockerfile/DS011/Dockerfile.denied | 3 --- .../dockerfile/DS012/Dockerfile.allowed | 10 -------- .../dockerfile/DS012/Dockerfile.denied | 10 -------- .../dockerfile/DS013/Dockerfile.allowed | 4 --- .../dockerfile/DS013/Dockerfile.denied | 4 --- .../dockerfile/DS014/Dockerfile.allowed | 7 ------ .../dockerfile/DS014/Dockerfile.denied | 7 ------ .../dockerfile/DS015/Dockerfile.allowed | 5 ---- .../dockerfile/DS015/Dockerfile.denied | 5 ---- .../dockerfile/DS016/Dockerfile.allowed | 5 ---- .../dockerfile/DS016/Dockerfile.denied | 6 ----- .../dockerfile/DS017/Dockerfile.allowed | 4 --- .../dockerfile/DS017/Dockerfile.denied | 5 ---- .../dockerfile/DS019/Dockerfile.allowed | 5 ---- .../dockerfile/DS019/Dockerfile.denied | 4 --- .../dockerfile/DS020/Dockerfile.allowed | 5 ---- .../dockerfile/DS020/Dockerfile.denied | 5 ---- .../dockerfile/DS021/Dockerfile.allowed | 3 --- .../dockerfile/DS021/Dockerfile.denied | 3 --- .../dockerfile/DS022/Dockerfile.allowed | 2 -- .../dockerfile/DS022/Dockerfile.denied | 3 --- .../dockerfile/DS023/Dockerfile.allowed | 7 ------ .../dockerfile/DS023/Dockerfile.denied | 8 ------ .../dockerfile/DS024/Dockerfile.allowed | 4 --- .../dockerfile/DS024/Dockerfile.denied | 4 --- 66 files changed, 308 insertions(+), 199 deletions(-) create mode 100644 checks/docker/add_instead_of_copy.yaml create mode 100644 checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.yaml create mode 100644 checks/docker/copy_from_references_current_from_alias.yaml create mode 100644 checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.yaml create mode 100644 checks/docker/latest_tag.yaml create mode 100644 checks/docker/maintainer_is_deprecated.yaml create mode 100644 checks/docker/missing_dnf_clean_all.yaml 
create mode 100644 checks/docker/missing_zypper_clean.yaml create mode 100644 checks/docker/multiple_cmd_instructions_listed.yaml create mode 100644 checks/docker/multiple_entrypoint_instructions_listed.yaml create mode 100644 checks/docker/multiple_healthcheck_instructions.yaml create mode 100644 checks/docker/port22.yaml create mode 100644 checks/docker/root_user.yaml create mode 100644 checks/docker/run_apt_get_dist_upgrade.yaml create mode 100644 checks/docker/run_command_cd_instead_of_workdir.yaml create mode 100644 checks/docker/run_using_sudo.yaml create mode 100644 checks/docker/run_using_wget_and_curl.yaml create mode 100644 checks/docker/same_alias_in_different_froms.yaml create mode 100644 checks/docker/unix_ports_out_of_range.yaml create mode 100644 checks/docker/update_instruction_alone.yaml create mode 100644 checks/docker/workdir_path_not_absolute.yaml create mode 100644 checks/docker/yum_clean_all_missing.yaml delete mode 100644 test/testdata/dockerfile/DS001/Dockerfile.allowed delete mode 100644 test/testdata/dockerfile/DS001/Dockerfile.denied delete mode 100644 test/testdata/dockerfile/DS002/Dockerfile.allowed delete mode 100644 test/testdata/dockerfile/DS002/Dockerfile.denied delete mode 100644 test/testdata/dockerfile/DS004/Dockerfile.allowed delete mode 100644 test/testdata/dockerfile/DS004/Dockerfile.denied delete mode 100644 test/testdata/dockerfile/DS005/Dockerfile.allowed delete mode 100644 test/testdata/dockerfile/DS005/Dockerfile.denied delete mode 100644 test/testdata/dockerfile/DS006/Dockerfile.allowed delete mode 100644 test/testdata/dockerfile/DS006/Dockerfile.denied delete mode 100644 test/testdata/dockerfile/DS007/Dockerfile.allowed delete mode 100644 test/testdata/dockerfile/DS007/Dockerfile.denied delete mode 100644 test/testdata/dockerfile/DS008/Dockerfile.allowed delete mode 100644 test/testdata/dockerfile/DS008/Dockerfile.denied delete mode 100644 test/testdata/dockerfile/DS009/Dockerfile.allowed delete mode 100644 
test/testdata/dockerfile/DS009/Dockerfile.denied delete mode 100644 test/testdata/dockerfile/DS010/Dockerfile.allowed delete mode 100644 test/testdata/dockerfile/DS010/Dockerfile.denied delete mode 100644 test/testdata/dockerfile/DS011/Dockerfile.allowed delete mode 100644 test/testdata/dockerfile/DS011/Dockerfile.denied delete mode 100644 test/testdata/dockerfile/DS012/Dockerfile.allowed delete mode 100644 test/testdata/dockerfile/DS012/Dockerfile.denied delete mode 100644 test/testdata/dockerfile/DS013/Dockerfile.allowed delete mode 100644 test/testdata/dockerfile/DS013/Dockerfile.denied delete mode 100644 test/testdata/dockerfile/DS014/Dockerfile.allowed delete mode 100644 test/testdata/dockerfile/DS014/Dockerfile.denied delete mode 100644 test/testdata/dockerfile/DS015/Dockerfile.allowed delete mode 100644 test/testdata/dockerfile/DS015/Dockerfile.denied delete mode 100644 test/testdata/dockerfile/DS016/Dockerfile.allowed delete mode 100644 test/testdata/dockerfile/DS016/Dockerfile.denied delete mode 100644 test/testdata/dockerfile/DS017/Dockerfile.allowed delete mode 100644 test/testdata/dockerfile/DS017/Dockerfile.denied delete mode 100644 test/testdata/dockerfile/DS019/Dockerfile.allowed delete mode 100644 test/testdata/dockerfile/DS019/Dockerfile.denied delete mode 100644 test/testdata/dockerfile/DS020/Dockerfile.allowed delete mode 100644 test/testdata/dockerfile/DS020/Dockerfile.denied delete mode 100644 test/testdata/dockerfile/DS021/Dockerfile.allowed delete mode 100644 test/testdata/dockerfile/DS021/Dockerfile.denied delete mode 100644 test/testdata/dockerfile/DS022/Dockerfile.allowed delete mode 100644 test/testdata/dockerfile/DS022/Dockerfile.denied delete mode 100644 test/testdata/dockerfile/DS023/Dockerfile.allowed delete mode 100644 test/testdata/dockerfile/DS023/Dockerfile.denied delete mode 100644 test/testdata/dockerfile/DS024/Dockerfile.allowed delete mode 100644 test/testdata/dockerfile/DS024/Dockerfile.denied 
diff --git a/checks/docker/add_instead_of_copy.yaml b/checks/docker/add_instead_of_copy.yaml
new file mode 100644
index 00000000..dfa9a21d
--- /dev/null
+++ b/checks/docker/add_instead_of_copy.yaml
@@ -0,0 +1,12 @@
+dockerfile:
+ good:
+ - |-
+ FROM alpine:3.13
+ USER mike
+ ADD "/target/resources.tar.gz" "resources"
+ bad:
+ - |-
+ FROM alpine:3.13
+ USER mike
+ ADD "/target/resources.tar.gz" "resources.jar"
+ ADD "/target/app.jar" "app.jar"
diff --git a/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.yaml b/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.yaml
new file mode 100644
index 00000000..e7b35ad6
--- /dev/null
+++ b/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.yaml
@@ -0,0 +1,11 @@
+dockerfile:
+ good:
+ - |-
+ FROM node:12
+ USER mike
+ RUN apt-get -fmy install apt-utils && apt-get clean
+ bad:
+ - |-
+ FROM node:12
+ USER mike
+ RUN apt-get install apt-utils && apt-get clean
diff --git a/checks/docker/copy_from_references_current_from_alias.yaml b/checks/docker/copy_from_references_current_from_alias.yaml
new file mode 100644
index 00000000..6ee8498d
--- /dev/null
+++ b/checks/docker/copy_from_references_current_from_alias.yaml
@@ -0,0 +1,17 @@
+dockerfile:
+ good:
+ - |-
+ FROM golang:1.7.3 as dep
+ COPY /binary /
+
+ FROM alpine:3.13
+ USER mike
+ ENTRYPOINT [ "/opt/app/run.sh --port 8080" ]
+ bad:
+ - |-
+ FROM golang:1.7.3 as dep
+ COPY --from=dep /binary /
+
+ FROM alpine:3.13
+ USER mike
+ ENTRYPOINT [ "/opt/app/run.sh --port 8080" ]
diff --git a/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.yaml b/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.yaml
new file mode 100644
index 00000000..8a2377e5
--- /dev/null
+++ b/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.yaml
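Review bot: The bad list in add_instead_of_copy.yaml only covers ADD of local files (`ADD "/target/app.jar" "app.jar"`), so the form that makes ADD a supply-chain concern — fetching a remote URL at build time with no integrity check — is never shown. Add a second bad entry such as `ADD https://example.com/app.jar app.jar` so the check is documented against the remote-fetch case as well, since these examples replace the removed fixtures and are presumably also rendered as documentation. The good example's tar.gz extraction is the one legitimate use of ADD and reads correctly.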
@@ -0,0 +1,11 @@
+dockerfile:
+ good:
+ - |-
+ FROM alpine:3.13
+ USER mike
+ COPY ["package.json", "yarn.lock", "myapp/"]
+ bad:
+ - |-
+ FROM alpine:3.13
+ USER mike
+ COPY ["package.json", "yarn.lock", "myapp"]
diff --git a/checks/docker/latest_tag.yaml b/checks/docker/latest_tag.yaml
new file mode 100644
index 00000000..a1b787ea
--- /dev/null
+++ b/checks/docker/latest_tag.yaml
@@ -0,0 +1,11 @@
+dockerfile:
+ good:
+ - |-
+ FROM debian:9
+ RUN apt-get update && apt-get -y install vim && apt-get clean
+ USER foo
+ bad:
+ - |-
+ FROM debian:latest
+ RUN apt-get update && apt-get -y install vim && apt-get clean
+ USER foo
diff --git a/checks/docker/maintainer_is_deprecated.yaml b/checks/docker/maintainer_is_deprecated.yaml
new file mode 100644
index 00000000..025ce6f2
--- /dev/null
+++ b/checks/docker/maintainer_is_deprecated.yaml
@@ -0,0 +1,10 @@
+dockerfile:
+ good:
+ - |-
+ FROM busybox:1.33.1
+ USER mike
+ bad:
+ - |-
+ FROM busybox:1.33.1
+ USER mike
+ MAINTAINER Lukas Martinelli
diff --git a/checks/docker/missing_dnf_clean_all.yaml b/checks/docker/missing_dnf_clean_all.yaml
new file mode 100644
index 00000000..88dc9964
--- /dev/null
+++ b/checks/docker/missing_dnf_clean_all.yaml
@@ -0,0 +1,13 @@
+dockerfile:
+ good:
+ - |
+ FROM fedora:27
+ USER mike
+ RUN set -uex && dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && sed -i 's/\\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && dnf install -vy docker-ce && dnf clean all
+ HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
+ bad:
+ - |-
+ FROM fedora:27
+ USER mike
+ RUN set -uex && dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && sed -i 's/\\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && dnf install -vy docker-ce
+ HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
diff --git a/checks/docker/missing_zypper_clean.yaml b/checks/docker/missing_zypper_clean.yaml
new file mode 100644
index 00000000..d7e0146d
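Review bot: The bad list in latest_tag.yaml has only the explicit `FROM debian:latest`; a `FROM debian` with no tag at all resolves to `:latest` as well and is the more common way this slips into a Dockerfile, so it deserves a second bad entry, `FROM debian`. Pinning to `debian:9` in the good example is enough for this check, though a tag is still a mutable reference; if the rule also treats a digest-pinned FROM as acceptable, a good entry in that form would document it.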
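Review bot: The good example in maintainer_is_deprecated.yaml shows only the absence of MAINTAINER, not its replacement, so a reader learns what to remove but not what to write instead. Adding `LABEL maintainer="Lukas Martinelli"` to the good Dockerfile pairs the deprecated instruction with the LABEL form that superseded it, and also pins that the check does not misfire on a label whose key is "maintainer".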
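Review bot: The good example in missing_dnf_clean_all.yaml opens its block scalar with `- |` while the bad example directly below it and every other file in this commit use `- |-`, so this one Dockerfile is the only one parsed with a trailing newline. That is harmless to the check but inconsistent, and it looks like a carry-over of the trailing blank line in the deleted DS019 fixture; change it to `- |-`.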
--- /dev/null
+++ b/checks/docker/missing_zypper_clean.yaml
@@ -0,0 +1,15 @@
+dockerfile:
+ good:
+ - |-
+ FROM alpine:3.5
+ RUN zypper install bash && zypper clean
+ RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+ USER mike
+ CMD python /usr/src/app/app.py
+ bad:
+ - |-
+ FROM alpine:3.5
+ RUN zypper install bash
+ RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+ USER mike
+ CMD python /usr/src/app/app.py
diff --git a/checks/docker/multiple_cmd_instructions_listed.yaml b/checks/docker/multiple_cmd_instructions_listed.yaml
new file mode 100644
index 00000000..b7eb20cc
--- /dev/null
+++ b/checks/docker/multiple_cmd_instructions_listed.yaml
@@ -0,0 +1,16 @@
+dockerfile:
+ good:
+ - |-
+ FROM golang:1.7.3
+ USER mike
+ CMD ./apps
+ FROM alpine:3.13
+ CMD ./app
+ bad:
+ - |-
+ FROM golang:1.7.3
+ USER mike
+ CMD ./app
+ CMD ./apps
+ FROM alpine:3.13
+ CMD ./app
diff --git a/checks/docker/multiple_entrypoint_instructions_listed.yaml b/checks/docker/multiple_entrypoint_instructions_listed.yaml
new file mode 100644
index 00000000..eac101c5
--- /dev/null
+++ b/checks/docker/multiple_entrypoint_instructions_listed.yaml
@@ -0,0 +1,19 @@
+dockerfile:
+ good:
+ - |-
+ FROM golang:1.7.3 as dep
+ COPY /binary /
+
+ FROM alpine:3.13
+ USER mike
+ ENTRYPOINT [ "/opt/app/run.sh --port 8080" ]
+ bad:
+ - |-
+ FROM golang:1.7.3 as dep
+ COPY dep /binary /
+ ENTRYPOINT [ "/opt/app/run.sh --port 8080" ]
+ ENTRYPOINT [ "/opt/app/run.sh --port 8080" ]
+
+ FROM alpine:3.13
+ USER mike
+ ENTRYPOINT [ "/opt/app/run.sh --port 8080" ]
diff --git a/checks/docker/multiple_healthcheck_instructions.yaml b/checks/docker/multiple_healthcheck_instructions.yaml
new file mode 100644
index 00000000..fdf31cab
--- /dev/null
+++ b/checks/docker/multiple_healthcheck_instructions.yaml
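Review bot: The bad example in multiple_entrypoint_instructions_listed.yaml differs from the good one in two places, not one: besides the duplicated ENTRYPOINT it also changes `COPY /binary /` to `COPY dep /binary /`, so a reader cannot tell which difference produces the finding. Keep the COPY line identical to the good example (`COPY /binary /`) so the only delta is the repeated ENTRYPOINT inside the `dep` stage.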
@@ -0,0 +1,20 @@
+dockerfile:
+ good:
+ - |-
+ FROM busybox:1.33.1
+ HEALTHCHECK CMD /bin/healthcheck
+
+ FROM alpine:3.13
+ HEALTHCHECK CMD /bin/healthcheck
+ USER mike
+ CMD ./app
+ bad:
+ - |-
+ FROM busybox:1.33.1
+ HEALTHCHECK CMD curl http://localhost:8080
+ HEALTHCHECK CMD /bin/healthcheck
+
+ FROM alpine:3.13
+ HEALTHCHECK CMD /bin/healthcheck
+ USER mike
+ CMD ./app
diff --git a/checks/docker/port22.yaml b/checks/docker/port22.yaml
new file mode 100644
index 00000000..a87b41de
--- /dev/null
+++ b/checks/docker/port22.yaml
@@ -0,0 +1,11 @@
+dockerfile:
+ good:
+ - |-
+ FROM alpine:3.13
+ USER mike
+ EXPOSE 8080
+ bad:
+ - |-
+ FROM alpine:3.13
+ USER mike
+ EXPOSE 22
diff --git a/checks/docker/root_user.yaml b/checks/docker/root_user.yaml
new file mode 100644
index 00000000..941d35b0
--- /dev/null
+++ b/checks/docker/root_user.yaml
@@ -0,0 +1,10 @@
+dockerfile:
+ good:
+ - |-
+ FROM debian:9
+ RUN apt-get update && apt-get -y install vim && apt-get clean
+ USER foo
+ bad:
+ - |-
+ FROM debian:9
+ RUN apt-get update && apt-get -y install vim && apt-get clean
diff --git a/checks/docker/run_apt_get_dist_upgrade.yaml b/checks/docker/run_apt_get_dist_upgrade.yaml
new file mode 100644
index 00000000..ad3bbfec
--- /dev/null
+++ b/checks/docker/run_apt_get_dist_upgrade.yaml
@@ -0,0 +1,13 @@
+dockerfile:
+ good:
+ - |-
+ FROM debian:9.13
+ RUN apt-get update && apt-get install -y curl && apt-get clean
+ USER mike
+ CMD python /usr/src/app/app.py
+ bad:
+ - |-
+ FROM debian:9.13
+ RUN apt-get update && apt-get dist-upgrade && apt-get -y install curl && apt-get clean
+ USER mike
+ CMD python /usr/src/app/app.py
diff --git a/checks/docker/run_command_cd_instead_of_workdir.yaml b/checks/docker/run_command_cd_instead_of_workdir.yaml
new file mode 100644
index 00000000..0397fb71
--- /dev/null
+++ b/checks/docker/run_command_cd_instead_of_workdir.yaml
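Review bot: The bad list in root_user.yaml covers only the implicit case — a Dockerfile with no USER instruction at all — while an explicit `USER root` or numeric `USER 0` is the other way an image ends up running as root and is worth a second bad entry, e.g. the same two lines followed by `USER root`. Adding it would also document whether the check inspects the value of USER or only its presence, which the current pair cannot show.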
@@ -0,0 +1,13 @@
+dockerfile:
+ good:
+ - |-
+ FROM nginx:2.2
+ WORKDIR /usr/share/nginx/html
+ USER mike
+ CMD cd /usr/share/nginx/html && sed -e s/Docker/\"$AUTHOR\"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'
+ bad:
+ - |-
+ FROM nginx:2.2
+ RUN cd /usr/share/nginx/html
+ USER mike
+ CMD cd /usr/share/nginx/html && sed -e s/Docker/\"$AUTHOR\"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'
diff --git a/checks/docker/run_using_sudo.yaml b/checks/docker/run_using_sudo.yaml
new file mode 100644
index 00000000..10647c1d
--- /dev/null
+++ b/checks/docker/run_using_sudo.yaml
@@ -0,0 +1,11 @@
+dockerfile:
+ good:
+ - |-
+ FROM alpine:3.13
+ RUN pip install --upgrade pip
+ USER mike
+ bad:
+ - |-
+ FROM alpine:3.13
+ RUN sudo pip install --upgrade pip
+ USER mike
diff --git a/checks/docker/run_using_wget_and_curl.yaml b/checks/docker/run_using_wget_and_curl.yaml
new file mode 100644
index 00000000..a784b76d
--- /dev/null
+++ b/checks/docker/run_using_wget_and_curl.yaml
@@ -0,0 +1,19 @@
+dockerfile:
+ good:
+ - |-
+ FROM debian:stable-20210621
+ RUN curl http://bing.com
+ RUN curl http://google.com
+
+ FROM baseimage:1.0
+ USER mike
+ RUN curl http://bing.com
+ bad:
+ - |-
+ FROM debian:stable-20210621
+ RUN wget http://bing.com
+ RUN curl http://google.com
+
+ FROM baseimage:1.0
+ USER mike
+ RUN curl http://bing.com
diff --git a/checks/docker/same_alias_in_different_froms.yaml b/checks/docker/same_alias_in_different_froms.yaml
new file mode 100644
index 00000000..c25048f4
--- /dev/null
+++ b/checks/docker/same_alias_in_different_froms.yaml
@@ -0,0 +1,25 @@
+dockerfile:
+ good:
+ - |-
+ FROM baseImage:1.1
+ RUN test
+
+ FROM debian:jesse2 as build2
+ USER mike
+ RUN stuff
+
+ FROM debian:jesse1 as build1
+ USER mike
+ RUN more_stuff
+ bad:
+ - |-
+ FROM baseImage:1.1
+ RUN test
+
+ FROM debian:jesse2 as build
+ USER mike
+ RUN stuff
+
+ FROM debian:jesse1 as build
+ USER mike
+ RUN more_stuff
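Review bot: Every RUN in the good example of run_using_wget_and_curl.yaml downloads over plain `http://`, and a "good" example is what readers copy; an unauthenticated HTTP fetch at build time lets anyone on the network path substitute the payload. Switch the URLs to `https://bing.com` and `https://google.com` in both lists — the wget/curl mix this check looks for is unaffected by the scheme.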
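Review bot: `FROM baseImage:1.1` in same_alias_in_different_froms.yaml is not a valid image reference — repository names must be lowercase, so `docker build` rejects both the good and the bad Dockerfile before any stage alias is evaluated. Use `baseimage:1.1`, matching the `baseimage:1.0` already used in run_using_wget_and_curl.yaml. The `jesse1`/`jesse2` tags are clearly placeholders and need no change.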
diff --git a/checks/docker/unix_ports_out_of_range.yaml b/checks/docker/unix_ports_out_of_range.yaml
new file mode 100644
index 00000000..92b6d43f
--- /dev/null
+++ b/checks/docker/unix_ports_out_of_range.yaml
@@ -0,0 +1,11 @@
+dockerfile:
+ good:
+ - |-
+ FROM alpine:3.13
+ USER mike
+ EXPOSE 65530 8080
+ bad:
+ - |-
+ FROM alpine:3.13
+ USER mike
+ EXPOSE 65536 8080
diff --git a/checks/docker/update_instruction_alone.yaml b/checks/docker/update_instruction_alone.yaml
new file mode 100644
index 00000000..db6348ce
--- /dev/null
+++ b/checks/docker/update_instruction_alone.yaml
@@ -0,0 +1,14 @@
+dockerfile:
+ good:
+ - |-
+ FROM ubuntu:18.04
+ RUN apt-get update && apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/* && apt-get clean
+ USER mike
+ ENTRYPOINT mysql
+ bad:
+ - |-
+ FROM ubuntu:18.04
+ RUN apt-get update
+ RUN apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/* && apt-get clean
+ USER mike
+ ENTRYPOINT mysql
diff --git a/checks/docker/workdir_path_not_absolute.yaml b/checks/docker/workdir_path_not_absolute.yaml
new file mode 100644
index 00000000..d9570f6b
--- /dev/null
+++ b/checks/docker/workdir_path_not_absolute.yaml
@@ -0,0 +1,11 @@
+dockerfile:
+ good:
+ - |-
+ FROM alpine:3.13
+ USER mike
+ WORKDIR /path/to/workdir
+ bad:
+ - |-
+ FROM alpine:3.13
+ USER mike
+ WORKDIR path/to/workdir
diff --git a/checks/docker/yum_clean_all_missing.yaml b/checks/docker/yum_clean_all_missing.yaml
new file mode 100644
index 00000000..116a9bef
--- /dev/null
+++ b/checks/docker/yum_clean_all_missing.yaml
@@ -0,0 +1,15 @@
+dockerfile:
+ good:
+ - |-
+ FROM alpine:3.5
+ RUN yum install && yum clean all
+ RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+ USER mike
+ CMD python /usr/src/app/app.py
+ bad:
+ - |-
+ FROM alpine:3.5
+ RUN yum install vim
+ RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+ USER mike
+ CMD python /usr/src/app/app.py
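Review bot: The good example in unix_ports_out_of_range.yaml uses `EXPOSE 65530 8080`, so the inclusive upper bound is never exercised; the value that separates a correct range check from an off-by-one is 65535. Change the good entry to `EXPOSE 65535 8080` — the bad entry's 65536 then sits exactly one past it. If the check also enforces a lower bound, a second bad entry with `EXPOSE 0` would pin that edge as well.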
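Review bot: The good example in yum_clean_all_missing.yaml runs `yum install && yum clean all` with no package argument while the bad example installs `vim`, so the pair differs in more than the missing clean step. Make the good line `RUN yum install vim && yum clean all` so the only delta is the trailing `yum clean all`, which is what this check is about.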
diff --git a/test/testdata/dockerfile/DS001/Dockerfile.allowed b/test/testdata/dockerfile/DS001/Dockerfile.allowed
deleted file mode 100644
index ee5c6cc9..00000000
--- a/test/testdata/dockerfile/DS001/Dockerfile.allowed
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM debian:9
-RUN apt-get update && apt-get -y install vim && apt-get clean
-USER foo
diff --git a/test/testdata/dockerfile/DS001/Dockerfile.denied b/test/testdata/dockerfile/DS001/Dockerfile.denied
deleted file mode 100644
index 5e2b193a..00000000
--- a/test/testdata/dockerfile/DS001/Dockerfile.denied
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM debian:latest
-RUN apt-get update && apt-get -y install vim && apt-get clean
-USER foo
diff --git a/test/testdata/dockerfile/DS002/Dockerfile.allowed b/test/testdata/dockerfile/DS002/Dockerfile.allowed
deleted file mode 100644
index 8bb3de30..00000000
--- a/test/testdata/dockerfile/DS002/Dockerfile.allowed
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM debian:9
-RUN apt-get update && apt-get -y install vim && apt-get clean
-USER foo
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS002/Dockerfile.denied b/test/testdata/dockerfile/DS002/Dockerfile.denied
deleted file mode 100644
index 9b996cc7..00000000
--- a/test/testdata/dockerfile/DS002/Dockerfile.denied
+++ /dev/null
@@ -1,2 +0,0 @@
-FROM debian:9
-RUN apt-get update && apt-get -y install vim && apt-get clean
diff --git a/test/testdata/dockerfile/DS004/Dockerfile.allowed b/test/testdata/dockerfile/DS004/Dockerfile.allowed
deleted file mode 100644
index 8af97be7..00000000
--- a/test/testdata/dockerfile/DS004/Dockerfile.allowed
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM alpine:3.13
-USER mike
-EXPOSE 8080
diff --git a/test/testdata/dockerfile/DS004/Dockerfile.denied b/test/testdata/dockerfile/DS004/Dockerfile.denied
deleted file mode 100644
index 91016100..00000000
--- a/test/testdata/dockerfile/DS004/Dockerfile.denied
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM alpine:3.13
-USER mike
-EXPOSE 22
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS005/Dockerfile.allowed b/test/testdata/dockerfile/DS005/Dockerfile.allowed
deleted file mode 100644
index 28d89b43..00000000
--- a/test/testdata/dockerfile/DS005/Dockerfile.allowed
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM alpine:3.13
-USER mike
-ADD "/target/resources.tar.gz" "resources"
diff --git a/test/testdata/dockerfile/DS005/Dockerfile.denied b/test/testdata/dockerfile/DS005/Dockerfile.denied
deleted file mode 100644
index 98c1249f..00000000
--- a/test/testdata/dockerfile/DS005/Dockerfile.denied
+++ /dev/null
@@ -1,4 +0,0 @@
-FROM alpine:3.13
-USER mike
-ADD "/target/resources.tar.gz" "resources.jar"
-ADD "/target/app.jar" "app.jar"
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS006/Dockerfile.allowed b/test/testdata/dockerfile/DS006/Dockerfile.allowed
deleted file mode 100644
index 529198ac..00000000
--- a/test/testdata/dockerfile/DS006/Dockerfile.allowed
+++ /dev/null
@@ -1,6 +0,0 @@
-FROM golang:1.7.3 as dep
-COPY /binary /
-
-FROM alpine:3.13
-USER mike
-ENTRYPOINT [ "/opt/app/run.sh --port 8080" ]
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS006/Dockerfile.denied b/test/testdata/dockerfile/DS006/Dockerfile.denied
deleted file mode 100644
index cdb11213..00000000
--- a/test/testdata/dockerfile/DS006/Dockerfile.denied
+++ /dev/null
@@ -1,6 +0,0 @@
-FROM golang:1.7.3 as dep
-COPY --from=dep /binary /
-
-FROM alpine:3.13
-USER mike
-ENTRYPOINT [ "/opt/app/run.sh --port 8080" ]
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS007/Dockerfile.allowed b/test/testdata/dockerfile/DS007/Dockerfile.allowed
deleted file mode 100644
index 37b3bb39..00000000
--- a/test/testdata/dockerfile/DS007/Dockerfile.allowed
+++ /dev/null
@@ -1,6 +0,0 @@
-FROM golang:1.7.3 as dep
-COPY /binary /
-
-FROM alpine:3.13
-USER mike
-ENTRYPOINT [ "/opt/app/run.sh --port 8080" ]
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS007/Dockerfile.denied b/test/testdata/dockerfile/DS007/Dockerfile.denied
deleted file mode 100644
index 228966f1..00000000
--- a/test/testdata/dockerfile/DS007/Dockerfile.denied
+++ /dev/null
@@ -1,8 +0,0 @@
-FROM golang:1.7.3 as dep
-COPY dep /binary /
-ENTRYPOINT [ "/opt/app/run.sh --port 8080" ]
-ENTRYPOINT [ "/opt/app/run.sh --port 8080" ]
-
-FROM alpine:3.13
-USER mike
-ENTRYPOINT [ "/opt/app/run.sh --port 8080" ]
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS008/Dockerfile.allowed b/test/testdata/dockerfile/DS008/Dockerfile.allowed
deleted file mode 100644
index f66bb31d..00000000
--- a/test/testdata/dockerfile/DS008/Dockerfile.allowed
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM alpine:3.13
-USER mike
-EXPOSE 65530 8080
diff --git a/test/testdata/dockerfile/DS008/Dockerfile.denied b/test/testdata/dockerfile/DS008/Dockerfile.denied
deleted file mode 100644
index 89c465a6..00000000
--- a/test/testdata/dockerfile/DS008/Dockerfile.denied
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM alpine:3.13
-USER mike
-EXPOSE 65536 8080
diff --git a/test/testdata/dockerfile/DS009/Dockerfile.allowed b/test/testdata/dockerfile/DS009/Dockerfile.allowed
deleted file mode 100644
index 1db32e18..00000000
--- a/test/testdata/dockerfile/DS009/Dockerfile.allowed
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM alpine:3.13
-USER mike
-WORKDIR /path/to/workdir
diff --git a/test/testdata/dockerfile/DS009/Dockerfile.denied b/test/testdata/dockerfile/DS009/Dockerfile.denied
deleted file mode 100644
index 422d65f0..00000000
--- a/test/testdata/dockerfile/DS009/Dockerfile.denied
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM alpine:3.13
-USER mike
-WORKDIR path/to/workdir
diff --git a/test/testdata/dockerfile/DS010/Dockerfile.allowed b/test/testdata/dockerfile/DS010/Dockerfile.allowed
deleted file mode 100644
index 67232624..00000000
--- a/test/testdata/dockerfile/DS010/Dockerfile.allowed
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM alpine:3.13
-RUN pip install --upgrade pip
-USER mike
diff --git a/test/testdata/dockerfile/DS010/Dockerfile.denied b/test/testdata/dockerfile/DS010/Dockerfile.denied
deleted file mode 100644
index cd63e40e..00000000
--- a/test/testdata/dockerfile/DS010/Dockerfile.denied
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM alpine:3.13
-RUN sudo pip install --upgrade pip
-USER mike
diff --git a/test/testdata/dockerfile/DS011/Dockerfile.allowed b/test/testdata/dockerfile/DS011/Dockerfile.allowed
deleted file mode 100644
index c5d7133a..00000000
--- a/test/testdata/dockerfile/DS011/Dockerfile.allowed
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM alpine:3.13
-USER mike
-COPY ["package.json", "yarn.lock", "myapp/"]
diff --git a/test/testdata/dockerfile/DS011/Dockerfile.denied b/test/testdata/dockerfile/DS011/Dockerfile.denied
deleted file mode 100644
index 72df0188..00000000
--- a/test/testdata/dockerfile/DS011/Dockerfile.denied
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM alpine:3.13
-USER mike
-COPY ["package.json", "yarn.lock", "myapp"]
diff --git a/test/testdata/dockerfile/DS012/Dockerfile.allowed b/test/testdata/dockerfile/DS012/Dockerfile.allowed
deleted file mode 100644
index a3eeb0f4..00000000
--- a/test/testdata/dockerfile/DS012/Dockerfile.allowed
+++ /dev/null
@@ -1,10 +0,0 @@
-FROM baseImage:1.1
-RUN test
-
-FROM debian:jesse2 as build2
-USER mike
-RUN stuff
-
-FROM debian:jesse1 as build1
-USER mike
-RUN more_stuff
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS012/Dockerfile.denied b/test/testdata/dockerfile/DS012/Dockerfile.denied
deleted file mode 100644
index 86e7882d..00000000
--- a/test/testdata/dockerfile/DS012/Dockerfile.denied
+++ /dev/null
@@ -1,10 +0,0 @@
-FROM baseImage:1.1
-RUN test
-
-FROM debian:jesse2 as build
-USER mike
-RUN stuff
-
-FROM debian:jesse1 as build
-USER mike
-RUN more_stuff
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS013/Dockerfile.allowed b/test/testdata/dockerfile/DS013/Dockerfile.allowed
deleted file mode 100644
index c1426226..00000000
--- a/test/testdata/dockerfile/DS013/Dockerfile.allowed
+++ /dev/null
@@ -1,4 +0,0 @@
-FROM nginx:2.2
-WORKDIR /usr/share/nginx/html
-USER mike
-CMD cd /usr/share/nginx/html && sed -e s/Docker/\"$AUTHOR\"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS013/Dockerfile.denied b/test/testdata/dockerfile/DS013/Dockerfile.denied
deleted file mode 100644
index e5a769aa..00000000
--- a/test/testdata/dockerfile/DS013/Dockerfile.denied
+++ /dev/null
@@ -1,4 +0,0 @@
-FROM nginx:2.2
-RUN cd /usr/share/nginx/html
-USER mike
-CMD cd /usr/share/nginx/html && sed -e s/Docker/\"$AUTHOR\"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS014/Dockerfile.allowed b/test/testdata/dockerfile/DS014/Dockerfile.allowed
deleted file mode 100644
index b46d24c9..00000000
--- a/test/testdata/dockerfile/DS014/Dockerfile.allowed
+++ /dev/null
@@ -1,7 +0,0 @@
-FROM debian:stable-20210621
-RUN curl http://bing.com
-RUN curl http://google.com
-
-FROM baseimage:1.0
-USER mike
-RUN curl http://bing.com
diff --git a/test/testdata/dockerfile/DS014/Dockerfile.denied b/test/testdata/dockerfile/DS014/Dockerfile.denied
deleted file mode 100644
index c5ec6eff..00000000
--- a/test/testdata/dockerfile/DS014/Dockerfile.denied
+++ /dev/null
@@ -1,7 +0,0 @@
-FROM debian:stable-20210621
-RUN wget http://bing.com
-RUN curl http://google.com
-
-FROM baseimage:1.0
-USER mike
-RUN curl http://bing.com
diff --git a/test/testdata/dockerfile/DS015/Dockerfile.allowed b/test/testdata/dockerfile/DS015/Dockerfile.allowed
deleted file mode 100644
index 5ab6a656..00000000
--- a/test/testdata/dockerfile/DS015/Dockerfile.allowed
+++ /dev/null
@@ -1,5 +0,0 @@
-FROM alpine:3.5
-RUN yum install && yum clean all
-RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
-USER mike
-CMD python /usr/src/app/app.py
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS015/Dockerfile.denied b/test/testdata/dockerfile/DS015/Dockerfile.denied
deleted file mode 100644
index e1ba5704..00000000
--- a/test/testdata/dockerfile/DS015/Dockerfile.denied
+++ /dev/null
@@ -1,5 +0,0 @@
-FROM alpine:3.5
-RUN yum install vim
-RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
-USER mike
-CMD python /usr/src/app/app.py
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS016/Dockerfile.allowed b/test/testdata/dockerfile/DS016/Dockerfile.allowed
deleted file mode 100644
index 46f07fda..00000000
--- a/test/testdata/dockerfile/DS016/Dockerfile.allowed
+++ /dev/null
@@ -1,5 +0,0 @@
-FROM golang:1.7.3
-USER mike
-CMD ./apps
-FROM alpine:3.13
-CMD ./app
diff --git a/test/testdata/dockerfile/DS016/Dockerfile.denied b/test/testdata/dockerfile/DS016/Dockerfile.denied
deleted file mode 100644
index e861f0a0..00000000
--- a/test/testdata/dockerfile/DS016/Dockerfile.denied
+++ /dev/null
@@ -1,6 +0,0 @@
-FROM golang:1.7.3
-USER mike
-CMD ./app
-CMD ./apps
-FROM alpine:3.13
-CMD ./app
diff --git a/test/testdata/dockerfile/DS017/Dockerfile.allowed b/test/testdata/dockerfile/DS017/Dockerfile.allowed
deleted file mode 100644
index d92984d7..00000000
--- a/test/testdata/dockerfile/DS017/Dockerfile.allowed
+++ /dev/null
@@ -1,4 +0,0 @@
-FROM ubuntu:18.04
-RUN apt-get update && apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/* && apt-get clean
-USER mike
-ENTRYPOINT mysql
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS017/Dockerfile.denied b/test/testdata/dockerfile/DS017/Dockerfile.denied
deleted file mode 100644
index e9bf2a9a..00000000
--- a/test/testdata/dockerfile/DS017/Dockerfile.denied
+++ /dev/null
@@ -1,5 +0,0 @@
-FROM ubuntu:18.04
-RUN apt-get update
-RUN apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/* && apt-get clean
-USER mike
-ENTRYPOINT mysql
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS019/Dockerfile.allowed b/test/testdata/dockerfile/DS019/Dockerfile.allowed
deleted file mode 100644
index 0b975046..00000000
--- a/test/testdata/dockerfile/DS019/Dockerfile.allowed
+++ /dev/null
@@ -1,5 +0,0 @@
-FROM fedora:27
-USER mike
-RUN set -uex && dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && sed -i 's/\\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && dnf install -vy docker-ce && dnf clean all
-HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
-
diff --git a/test/testdata/dockerfile/DS019/Dockerfile.denied b/test/testdata/dockerfile/DS019/Dockerfile.denied
deleted file mode 100644
index 47c2c25f..00000000
--- a/test/testdata/dockerfile/DS019/Dockerfile.denied
+++ /dev/null
@@ -1,4 +0,0 @@
-FROM fedora:27
-USER mike
-RUN set -uex && dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && sed -i 's/\\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && dnf install -vy docker-ce
-HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
diff --git a/test/testdata/dockerfile/DS020/Dockerfile.allowed b/test/testdata/dockerfile/DS020/Dockerfile.allowed
deleted file mode 100644
index b76d238a..00000000
--- a/test/testdata/dockerfile/DS020/Dockerfile.allowed
+++ /dev/null
@@ -1,5 +0,0 @@
-FROM alpine:3.5
-RUN zypper install bash && zypper clean
-RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
-USER mike
-CMD python /usr/src/app/app.py
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS020/Dockerfile.denied b/test/testdata/dockerfile/DS020/Dockerfile.denied
deleted file mode 100644
index 22235094..00000000
--- a/test/testdata/dockerfile/DS020/Dockerfile.denied
+++ /dev/null
@@ -1,5 +0,0 @@ -FROM alpine:3.5 -RUN zypper install bash -RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt -USER mike -CMD python /usr/src/app/app.py \ No newline at end of file diff --git a/test/testdata/dockerfile/DS021/Dockerfile.allowed b/test/testdata/dockerfile/DS021/Dockerfile.allowed deleted file mode 100644 index 84d2c559..00000000 --- a/test/testdata/dockerfile/DS021/Dockerfile.allowed +++ /dev/null @@ -1,3 +0,0 @@ -FROM node:12 -USER mike -RUN apt-get -fmy install apt-utils && apt-get clean \ No newline at end of file diff --git a/test/testdata/dockerfile/DS021/Dockerfile.denied b/test/testdata/dockerfile/DS021/Dockerfile.denied deleted file mode 100644 index 988e111d..00000000 --- a/test/testdata/dockerfile/DS021/Dockerfile.denied +++ /dev/null @@ -1,3 +0,0 @@ -FROM node:12 -USER mike -RUN apt-get install apt-utils && apt-get clean \ No newline at end of file diff --git a/test/testdata/dockerfile/DS022/Dockerfile.allowed b/test/testdata/dockerfile/DS022/Dockerfile.allowed deleted file mode 100644 index eaa7e488..00000000 --- a/test/testdata/dockerfile/DS022/Dockerfile.allowed +++ /dev/null @@ -1,2 +0,0 @@ -FROM busybox:1.33.1 -USER mike \ No newline at end of file diff --git a/test/testdata/dockerfile/DS022/Dockerfile.denied b/test/testdata/dockerfile/DS022/Dockerfile.denied deleted file mode 100644 index aebd38f0..00000000 --- a/test/testdata/dockerfile/DS022/Dockerfile.denied +++ /dev/null @@ -1,3 +0,0 @@ -FROM busybox:1.33.1 -USER mike -MAINTAINER Lukas Martinelli \ No newline at end of file diff --git a/test/testdata/dockerfile/DS023/Dockerfile.allowed b/test/testdata/dockerfile/DS023/Dockerfile.allowed deleted file mode 100644 index 29c48f20..00000000 --- a/test/testdata/dockerfile/DS023/Dockerfile.allowed +++ /dev/null @@ -1,7 +0,0 @@ -FROM busybox:1.33.1 -HEALTHCHECK CMD /bin/healthcheck - -FROM alpine:3.13 -HEALTHCHECK CMD /bin/healthcheck -USER mike -CMD ./app 
diff --git a/test/testdata/dockerfile/DS023/Dockerfile.denied b/test/testdata/dockerfile/DS023/Dockerfile.denied deleted file mode 100644 index 6dc49ab5..00000000 --- a/test/testdata/dockerfile/DS023/Dockerfile.denied +++ /dev/null @@ -1,8 +0,0 @@ -FROM busybox:1.33.1 -HEALTHCHECK CMD curl http://localhost:8080 -HEALTHCHECK CMD /bin/healthcheck - -FROM alpine:3.13 -HEALTHCHECK CMD /bin/healthcheck -USER mike -CMD ./app diff --git a/test/testdata/dockerfile/DS024/Dockerfile.allowed b/test/testdata/dockerfile/DS024/Dockerfile.allowed deleted file mode 100644 index b5512870..00000000 --- a/test/testdata/dockerfile/DS024/Dockerfile.allowed +++ /dev/null @@ -1,4 +0,0 @@ -FROM debian:9.13 -RUN apt-get update && apt-get install -y curl && apt-get clean -USER mike -CMD python /usr/src/app/app.py diff --git a/test/testdata/dockerfile/DS024/Dockerfile.denied b/test/testdata/dockerfile/DS024/Dockerfile.denied deleted file mode 100644 index 7bc3ae89..00000000 --- a/test/testdata/dockerfile/DS024/Dockerfile.denied +++ /dev/null @@ -1,4 +0,0 @@ -FROM debian:9.13 -RUN apt-get update && apt-get dist-upgrade && apt-get -y install curl && apt-get clean -USER mike -CMD python /usr/src/app/app.py From 3e1660814fa64a9f5a32d97880c9a1ac9cbdf66a Mon Sep 17 00:00:00 2001 From: Nikita Pivkin Date: Fri, 6 Dec 2024 13:45:29 +0600 Subject: [PATCH 2/6] feat: add examples for kubernetes checks 
Signed-off-by: Nikita Pivkin --- .../protect_core_components_namespace.yaml | 28 +++++++++++ ...protecting_pod_service_account_tokens.yaml | 14 ++++++ .../selector_usage_in_network_policies.yaml | 19 ++++++++ .../kubernetes/general/CPU_not_limited.yaml | 32 +++++++++++++ .../general/CPU_requests_not_specified.yaml | 32 +++++++++++++ .../general/SYS_ADMIN_capability.yaml | 33 +++++++++++++ .../general/capabilities_no_drop_all.yaml | 27 +++++++++++ .../general/file_system_not_read_only.yaml | 33 +++++++++++++ .../general/memory_not_limited.yaml | 32 +++++++++++++ .../memory_requests_not_specified.yaml | 32 +++++++++++++ .../general/mounts_docker_socket.yaml | 36 +++++++++++++++ .../general/runs_with_GID_le_10000.yaml | 31 +++++++++++++ .../general/runs_with_UID_le_10000.yaml | 31 +++++++++++++ .../general/tiller_is_deployed.yaml | 46 +++++++++++++++++++ .../general/uses_image_tag_latest.yaml | 29 ++++++++++++ .../kubernetes/pss/baseline/1_host_ipc.yaml | 31 +++++++++++++ .../pss/baseline/1_host_network.yaml | 31 +++++++++++++ .../kubernetes/pss/baseline/1_host_pid.yaml | 31 +++++++++++++ .../kubernetes/pss/baseline/2_privileged.yaml | 31 +++++++++++++ .../3_specific_capabilities_added.yaml | 33 +++++++++++++ .../baseline/4_hostpath_volumes_mounted.yaml | 33 +++++++++++++ .../pss/baseline/5_access_to_host_ports.yaml | 31 +++++++++++++ .../baseline/6_apparmor_policy_disabled.yaml | 33 +++++++++++++ .../7_selinux_custom_options_set.yaml | 33 +++++++++++++ .../8_non_default_proc_masks_set.yaml | 35 ++++++++++++++ .../baseline/9_unsafe_sysctl_options_set.yaml | 39 ++++++++++++++++ .../restricted/1_non_core_volume_types.yaml | 42 +++++++++++++++++ .../2_can_elevate_its_own_privileges.yaml | 29 ++++++++++++ .../pss/restricted/3_runs_as_root.yaml | 25 ++++++++++ ...ntime_default_seccomp_profile_not_set.yaml | 31 +++++++++++++ test/testdata/kubernetes/KSV001/allowed.yaml | 11 ----- test/testdata/kubernetes/KSV001/denied.yaml | 13 ------ 
test/testdata/kubernetes/KSV002/allowed.yaml | 15 ------ test/testdata/kubernetes/KSV002/denied.yaml | 15 ------ test/testdata/kubernetes/KSV003/allowed.yaml | 13 ------ test/testdata/kubernetes/KSV003/denied.yaml | 9 ---- test/testdata/kubernetes/KSV005/allowed.yaml | 13 ------ test/testdata/kubernetes/KSV005/denied.yaml | 17 ------- test/testdata/kubernetes/KSV006/allowed.yaml | 15 ------ test/testdata/kubernetes/KSV006/denied.yaml | 18 -------- test/testdata/kubernetes/KSV008/allowed.yaml | 14 ------ test/testdata/kubernetes/KSV008/denied.yaml | 14 ------ test/testdata/kubernetes/KSV009/allowed.yaml | 14 ------ test/testdata/kubernetes/KSV009/denied.yaml | 14 ------ test/testdata/kubernetes/KSV010/allowed.yaml | 14 ------ test/testdata/kubernetes/KSV010/denied.yaml | 14 ------ test/testdata/kubernetes/KSV011/allowed.yaml | 16 ------- test/testdata/kubernetes/KSV011/denied.yaml | 13 ------ test/testdata/kubernetes/KSV012/allowed.yaml | 11 ----- test/testdata/kubernetes/KSV012/denied.yaml | 9 ---- test/testdata/kubernetes/KSV013/allowed.yaml | 13 ------ test/testdata/kubernetes/KSV013/denied.yaml | 13 ------ test/testdata/kubernetes/KSV014/allowed.yaml | 15 ------ test/testdata/kubernetes/KSV014/denied.yaml | 15 ------ test/testdata/kubernetes/KSV015/allowed.yaml | 16 ------- test/testdata/kubernetes/KSV015/denied.yaml | 13 ------ test/testdata/kubernetes/KSV016/allowed.yaml | 16 ------- test/testdata/kubernetes/KSV016/denied.yaml | 13 ------ test/testdata/kubernetes/KSV017/allowed.yaml | 13 ------ test/testdata/kubernetes/KSV017/denied.yaml | 15 ------ test/testdata/kubernetes/KSV018/allowed.yaml | 16 ------- test/testdata/kubernetes/KSV018/denied.yaml | 14 ------ test/testdata/kubernetes/KSV020/allowed.yaml | 15 ------ test/testdata/kubernetes/KSV020/denied.yaml | 13 ------ test/testdata/kubernetes/KSV021/allowed.yaml | 15 ------ test/testdata/kubernetes/KSV021/denied.yaml | 13 ------ test/testdata/kubernetes/KSV022/allowed.yaml | 13 ------ 
test/testdata/kubernetes/KSV022/denied.yaml | 17 ------- test/testdata/kubernetes/KSV023/allowed.yaml | 13 ------ test/testdata/kubernetes/KSV023/denied.yaml | 17 ------- test/testdata/kubernetes/KSV024/allowed.yaml | 13 ------ test/testdata/kubernetes/KSV024/denied.yaml | 15 ------ test/testdata/kubernetes/KSV025/allowed.yaml | 14 ------ test/testdata/kubernetes/KSV025/denied.yaml | 16 ------- test/testdata/kubernetes/KSV026/allowed.yaml | 17 ------- test/testdata/kubernetes/KSV026/denied.yaml | 19 -------- test/testdata/kubernetes/KSV027/allowed.yaml | 15 ------ test/testdata/kubernetes/KSV027/denied.yaml | 17 ------- test/testdata/kubernetes/KSV028/allowed.yaml | 15 ------ test/testdata/kubernetes/KSV028/denied.yaml | 24 ---------- test/testdata/kubernetes/KSV030/allowed.yaml | 14 ------ test/testdata/kubernetes/KSV030/denied.yaml | 14 ------ test/testdata/kubernetes/KSV036/allowed.yaml | 12 ----- test/testdata/kubernetes/KSV037/allowed.yaml | 13 ------ test/testdata/kubernetes/KSV037/denied.yaml | 12 ----- test/testdata/kubernetes/KSV038/allowed.yaml | 8 ---- test/testdata/kubernetes/KSV038/denied.yaml | 6 --- test/testdata/kubernetes/KSV102/allowed.yaml | 24 ---------- test/testdata/kubernetes/KSV102/denied.yaml | 19 -------- .../kubernetes/optional/KSV004/allowed.yaml | 13 ------ .../kubernetes/optional/KSV004/denied.yaml | 11 ----- .../kubernetes/optional/KSV007/allowed.yaml | 5 -- .../kubernetes/optional/KSV007/denied.yaml | 10 ---- .../kubernetes/optional/KSV032/allowed.yaml | 8 ---- .../kubernetes/optional/KSV032/denied.yaml | 8 ---- .../kubernetes/optional/KSV033/allowed.yaml | 8 ---- .../kubernetes/optional/KSV033/denied.yaml | 8 ---- .../kubernetes/optional/KSV034/allowed.yaml | 8 ---- .../kubernetes/optional/KSV034/denied.yaml | 8 ---- .../kubernetes/optional/KSV035/allowed.yaml | 8 ---- .../kubernetes/optional/KSV035/denied.yaml | 8 ---- .../kubernetes/optional/KSV039/allowed.yaml | 35 -------------- .../kubernetes/optional/KSV039/denied.yaml | 11 
----- .../kubernetes/optional/KSV040/allowed.yaml | 11 ----- .../kubernetes/optional/KSV040/denied.yaml | 10 ---- 105 files changed, 943 insertions(+), 1017 deletions(-) create mode 100644 checks/kubernetes/advanced/protect_core_components_namespace.yaml create mode 100644 checks/kubernetes/advanced/protecting_pod_service_account_tokens.yaml create mode 100644 checks/kubernetes/advanced/selector_usage_in_network_policies.yaml create mode 100644 checks/kubernetes/general/CPU_not_limited.yaml create mode 100644 checks/kubernetes/general/CPU_requests_not_specified.yaml create mode 100644 checks/kubernetes/general/SYS_ADMIN_capability.yaml create mode 100644 checks/kubernetes/general/capabilities_no_drop_all.yaml create mode 100644 checks/kubernetes/general/file_system_not_read_only.yaml create mode 100644 checks/kubernetes/general/memory_not_limited.yaml create mode 100644 checks/kubernetes/general/memory_requests_not_specified.yaml create mode 100644 checks/kubernetes/general/mounts_docker_socket.yaml create mode 100644 checks/kubernetes/general/runs_with_GID_le_10000.yaml create mode 100644 checks/kubernetes/general/runs_with_UID_le_10000.yaml create mode 100644 checks/kubernetes/general/tiller_is_deployed.yaml create mode 100644 checks/kubernetes/general/uses_image_tag_latest.yaml create mode 100644 checks/kubernetes/pss/baseline/1_host_ipc.yaml create mode 100644 checks/kubernetes/pss/baseline/1_host_network.yaml create mode 100644 checks/kubernetes/pss/baseline/1_host_pid.yaml create mode 100644 checks/kubernetes/pss/baseline/2_privileged.yaml create mode 100644 checks/kubernetes/pss/baseline/3_specific_capabilities_added.yaml create mode 100644 checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.yaml create mode 100644 checks/kubernetes/pss/baseline/5_access_to_host_ports.yaml create mode 100644 checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.yaml create mode 100644 checks/kubernetes/pss/baseline/7_selinux_custom_options_set.yaml create mode 
100644 checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.yaml create mode 100644 checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.yaml create mode 100644 checks/kubernetes/pss/restricted/1_non_core_volume_types.yaml create mode 100644 checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.yaml create mode 100644 checks/kubernetes/pss/restricted/3_runs_as_root.yaml create mode 100644 checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.yaml delete mode 100644 test/testdata/kubernetes/KSV001/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV001/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV002/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV002/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV003/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV003/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV005/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV005/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV006/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV006/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV008/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV008/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV009/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV009/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV010/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV010/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV011/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV011/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV012/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV012/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV013/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV013/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV014/allowed.yaml delete mode 100644 
test/testdata/kubernetes/KSV014/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV015/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV015/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV016/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV016/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV017/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV017/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV018/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV018/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV020/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV020/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV021/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV021/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV022/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV022/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV023/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV023/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV024/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV024/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV025/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV025/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV026/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV026/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV027/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV027/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV028/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV028/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV030/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV030/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV036/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV037/allowed.yaml delete mode 100644 
test/testdata/kubernetes/KSV037/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV038/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV038/denied.yaml delete mode 100644 test/testdata/kubernetes/KSV102/allowed.yaml delete mode 100644 test/testdata/kubernetes/KSV102/denied.yaml delete mode 100644 test/testdata/kubernetes/optional/KSV004/allowed.yaml delete mode 100644 test/testdata/kubernetes/optional/KSV004/denied.yaml delete mode 100644 test/testdata/kubernetes/optional/KSV007/allowed.yaml delete mode 100644 test/testdata/kubernetes/optional/KSV007/denied.yaml delete mode 100644 test/testdata/kubernetes/optional/KSV032/allowed.yaml delete mode 100644 test/testdata/kubernetes/optional/KSV032/denied.yaml delete mode 100644 test/testdata/kubernetes/optional/KSV033/allowed.yaml delete mode 100644 test/testdata/kubernetes/optional/KSV033/denied.yaml delete mode 100644 test/testdata/kubernetes/optional/KSV034/allowed.yaml delete mode 100644 test/testdata/kubernetes/optional/KSV034/denied.yaml delete mode 100644 test/testdata/kubernetes/optional/KSV035/allowed.yaml delete mode 100644 test/testdata/kubernetes/optional/KSV035/denied.yaml delete mode 100644 test/testdata/kubernetes/optional/KSV039/allowed.yaml delete mode 100644 test/testdata/kubernetes/optional/KSV039/denied.yaml delete mode 100644 test/testdata/kubernetes/optional/KSV040/allowed.yaml delete mode 100644 test/testdata/kubernetes/optional/KSV040/denied.yaml diff --git a/checks/kubernetes/advanced/protect_core_components_namespace.yaml b/checks/kubernetes/advanced/protect_core_components_namespace.yaml new file mode 100644 index 00000000..1dc722da --- /dev/null +++ b/checks/kubernetes/advanced/protect_core_components_namespace.yaml 
@@ -0,0 +1,28 @@ +kubernetes: + good: + - | + apiVersion: v1 + kind: Pod + metadata: + name: mypod + namespace: test + labels: + name: mypod + spec: + automountServiceAccountToken: true + containers: + - name: mypod + image: nginx + bad: + - | + apiVersion: v1 + kind: Pod + metadata: + name: mypod + namespace: kube-system + labels: + name: mypod + spec: + containers: + - name: mypod + image: nginx diff --git a/checks/kubernetes/advanced/protecting_pod_service_account_tokens.yaml b/checks/kubernetes/advanced/protecting_pod_service_account_tokens.yaml new file mode 100644 index 00000000..070aa2e8 --- /dev/null +++ b/checks/kubernetes/advanced/protecting_pod_service_account_tokens.yaml @@ -0,0 +1,14 @@ +kubernetes: + good: + - | + apiVersion: v1 + kind: Pod + metadata: + name: mypod + namespace: test + labels: + name: mypod + spec: + containers: + - name: mypod + image: nginx diff --git a/checks/kubernetes/advanced/selector_usage_in_network_policies.yaml b/checks/kubernetes/advanced/selector_usage_in_network_policies.yaml new file mode 100644 index 00000000..0ac7442f --- /dev/null +++ b/checks/kubernetes/advanced/selector_usage_in_network_policies.yaml @@ -0,0 +1,19 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: NetworkPolicy + metadata: + name: hello-cpu-limit + spec: + podSelector: + matchLabels: + role: db + bad: + - |- + apiVersion: v1 + kind: NetworkPolicy + metadata: + name: hello-cpu-limit + spec: + something: true diff --git a/checks/kubernetes/general/CPU_not_limited.yaml b/checks/kubernetes/general/CPU_not_limited.yaml new file mode 100644 index 00000000..bda3e67d --- /dev/null +++ b/checks/kubernetes/general/CPU_not_limited.yaml 
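Review bot: The `good:` example in protect_core_components_namespace.yaml differs from the `bad:` one in two fields, not one: besides `namespace: test` vs `namespace: kube-system` it also carries `automountServiceAccountToken: true`, which has nothing to do with the namespace this check is about and looks copied from the service-account-token example. A reader comparing the two cannot tell which field triggers the finding, so the line `automountServiceAccountToken: true` should be dropped from the good example (or, if it is intentional, mirrored in the bad one).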
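Review bot: protecting_pod_service_account_tokens.yaml ships only a `good:` example and no `bad:` case, so the denial path of this check has no example at all, unlike every other file in this commit. A negative case should be added under `bad:` — presumably the same pod with `automountServiceAccountToken: true` or whichever form the check's rego denies; I cannot confirm the exact trigger from the hunk.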
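Review bot: Both manifests in selector_usage_in_network_policies.yaml use `apiVersion: v1` for `kind: NetworkPolicy`, but NetworkPolicy does not exist in the core API group; the real type is `apiVersion: networking.k8s.io/v1`. If the check selects resources by kind only this is cosmetic, but if it also matches on the API group (as several kubernetes checks do) neither example would be evaluated and the example set would silently test nothing. The `bad:` manifest also uses `something: true` as its spec, which is not a field of the type; an empty or selector-less `spec: {}` would illustrate "no selector" without inventing a key.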
@@ -0,0 +1,32 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + resources: + limits: + cpu: 500m + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello diff --git a/checks/kubernetes/general/CPU_requests_not_specified.yaml b/checks/kubernetes/general/CPU_requests_not_specified.yaml new file mode 100644 index 00000000..d7415254 --- /dev/null +++ b/checks/kubernetes/general/CPU_requests_not_specified.yaml @@ -0,0 +1,32 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + resources: + requests: + cpu: 250m + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello diff --git a/checks/kubernetes/general/SYS_ADMIN_capability.yaml b/checks/kubernetes/general/SYS_ADMIN_capability.yaml new file mode 100644 index 00000000..893b38d9 --- /dev/null +++ b/checks/kubernetes/general/SYS_ADMIN_capability.yaml @@ -0,0 +1,33 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-sys-admin-capabilities + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-sys-admin-capabilities + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + capabilities: + add: + - SYS_ADMIN 
diff --git a/checks/kubernetes/general/capabilities_no_drop_all.yaml b/checks/kubernetes/general/capabilities_no_drop_all.yaml new file mode 100644 index 00000000..4b4f9eb2 --- /dev/null +++ b/checks/kubernetes/general/capabilities_no_drop_all.yaml @@ -0,0 +1,27 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] + image: busybox + name: hello + securityContext: + capabilities: + drop: + - all + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] + image: busybox + name: hello diff --git a/checks/kubernetes/general/file_system_not_read_only.yaml b/checks/kubernetes/general/file_system_not_read_only.yaml new file mode 100644 index 00000000..6321542f --- /dev/null +++ b/checks/kubernetes/general/file_system_not_read_only.yaml @@ -0,0 +1,33 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-fs-not-readonly + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + readOnlyRootFilesystem: true + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-fs-not-readonly + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + readOnlyRootFilesystem: false diff --git a/checks/kubernetes/general/memory_not_limited.yaml b/checks/kubernetes/general/memory_not_limited.yaml new file mode 100644 index 00000000..b8bfc3eb --- /dev/null +++ b/checks/kubernetes/general/memory_not_limited.yaml 
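Review bot: The `good:` example in capabilities_no_drop_all.yaml drops the capability as lowercase `- all`, whereas the Kubernetes API and the PSS documentation spell it `ALL`. Whether the check accepts it depends on the rego doing a case-insensitive compare, which the hunk does not show; using the canonical `- ALL` in the example avoids encoding that assumption and matches what users copy into real manifests. If lowercase is deliberately accepted, a second good entry with `ALL` would document both spellings.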
@@ -0,0 +1,32 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + resources: + limits: + memory: 128Mi + bad: + - | + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello diff --git a/checks/kubernetes/general/memory_requests_not_specified.yaml b/checks/kubernetes/general/memory_requests_not_specified.yaml new file mode 100644 index 00000000..11db8a51 --- /dev/null +++ b/checks/kubernetes/general/memory_requests_not_specified.yaml @@ -0,0 +1,32 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + resources: + requests: + memory: 64Mi + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello diff --git a/checks/kubernetes/general/mounts_docker_socket.yaml b/checks/kubernetes/general/mounts_docker_socket.yaml new file mode 100644 index 00000000..ae080f07 --- /dev/null +++ b/checks/kubernetes/general/mounts_docker_socket.yaml @@ -0,0 +1,36 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-docker-socket + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + volumes: + - name: test-volume + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-docker-socket + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + volumes: + - name: test-volume + hostPath: + path: "/var/run/docker.sock" + type: Directory 
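Review bot: The `bad:` manifest in memory_not_limited.yaml opens its block scalar with `- |` while every other example in this commit uses `- |-`; the only difference is a trailing newline in the decoded string, which the parser will not care about, but the inconsistency reads as accidental. Change it to `- |-` for uniformity with the neighbouring files.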
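Review bot: The `good:` example in mounts_docker_socket.yaml declares `volumes: - name: test-volume` with no volume source, which the API server rejects, and the `bad:` example mounts `/var/run/docker.sock` with `type: Directory` although that path is a socket (`type: Socket`). The examples exist to exercise the check rather than to be applied, but they are also what users copy, so they should at least be schema-valid: give the good volume a source such as `emptyDir: {}` and use `type: Socket` in the bad one. The same "not API-valid" problem appears in 4_hostpath_volumes_mounted.yaml (hostPath volume with no `name:` and `type: ''`) and 5_access_to_host_ports.yaml (a `ports:` entry with `hostPort` but no required `containerPort`).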
diff --git a/checks/kubernetes/general/runs_with_GID_le_10000.yaml b/checks/kubernetes/general/runs_with_GID_le_10000.yaml new file mode 100644 index 00000000..738f7762 --- /dev/null +++ b/checks/kubernetes/general/runs_with_GID_le_10000.yaml @@ -0,0 +1,31 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-gid + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + runAsGroup: 10004 + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-gid + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello diff --git a/checks/kubernetes/general/runs_with_UID_le_10000.yaml b/checks/kubernetes/general/runs_with_UID_le_10000.yaml new file mode 100644 index 00000000..3b77bbb7 --- /dev/null +++ b/checks/kubernetes/general/runs_with_UID_le_10000.yaml @@ -0,0 +1,31 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-gid + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + runAsUser: 10004 + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-gid + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello diff --git a/checks/kubernetes/general/tiller_is_deployed.yaml b/checks/kubernetes/general/tiller_is_deployed.yaml new file mode 100644 index 00000000..369f81b5 --- /dev/null +++ b/checks/kubernetes/general/tiller_is_deployed.yaml 
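Review bot: Both manifests in runs_with_UID_le_10000.yaml are named `hello-gid`, copied from the GID file; rename them `hello-uid` so findings in test output can be told apart. Separately, the `bad:` example in both files omits `runAsUser`/`runAsGroup` entirely rather than setting a low value, so the examples only show the "unset" trigger; if the check also denies an explicit low id (which I cannot confirm from the hunk), a second bad entry with e.g. `runAsUser: 1000` would document that case.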
@@ -0,0 +1,46 @@ +kubernetes: + good: + - |- + apiVersion: apps/v1beta2 + kind: Deployment + metadata: + name: Onga + spec: + template: + spec: + containers: + - name: carts-db + image: mongo + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: true + initContainers: + - name: init-svc + image: busybox:1.28 + securityContext: + allowPrivilegeEscalation: false + metadata: + name: None + labels: + app: example + tier: backend + bad: + - |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: mongo-deployment + spec: + template: + spec: + containers: + - name: carts-db + image: tiller + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: true + initContainers: + - name: init-svc + image: busybox:1.28 + securityContext: + allowPrivilegeEscalation: false diff --git a/checks/kubernetes/general/uses_image_tag_latest.yaml b/checks/kubernetes/general/uses_image_tag_latest.yaml new file mode 100644 index 00000000..23e7b2e2 --- /dev/null +++ b/checks/kubernetes/general/uses_image_tag_latest.yaml @@ -0,0 +1,29 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-tag + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox:1.33.1 + name: hello + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-tag + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox:latest + name: hello diff --git a/checks/kubernetes/pss/baseline/1_host_ipc.yaml b/checks/kubernetes/pss/baseline/1_host_ipc.yaml new file mode 100644 index 00000000..c4da835a --- /dev/null +++ b/checks/kubernetes/pss/baseline/1_host_ipc.yaml 
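Review bot: The `good:` example in tiller_is_deployed.yaml uses `apiVersion: apps/v1beta2`, an API version that was removed from Kubernetes years ago, while the `bad:` example already uses `apps/v1`; the good one should be `apiVersion: apps/v1` too. The good manifest also sets `allowPrivilegeEscalation: true` on `carts-db` and has a stray `metadata: name: None` block inside the template, neither of which relates to tiller detection and both of which would be flagged by other checks in this set, so a user reading it as a "good" manifest is misled. Trimming it to the minimum (a deployment whose image is not tiller) would make the contrast with the bad example clear.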
@@ -0,0 +1,31 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-ipc + spec: + hostIPC: false + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-ipc + spec: + hostIPC: true + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello diff --git a/checks/kubernetes/pss/baseline/1_host_network.yaml b/checks/kubernetes/pss/baseline/1_host_network.yaml new file mode 100644 index 00000000..344e9ff5 --- /dev/null +++ b/checks/kubernetes/pss/baseline/1_host_network.yaml @@ -0,0 +1,31 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-network + spec: + hostNetwork: false + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-network + spec: + hostNetwork: true + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello diff --git a/checks/kubernetes/pss/baseline/1_host_pid.yaml b/checks/kubernetes/pss/baseline/1_host_pid.yaml new file mode 100644 index 00000000..8a4c28c0 --- /dev/null +++ b/checks/kubernetes/pss/baseline/1_host_pid.yaml @@ -0,0 +1,31 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-network + spec: + hostPID: false + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-network + spec: + hostPID: true + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello diff --git a/checks/kubernetes/pss/baseline/2_privileged.yaml b/checks/kubernetes/pss/baseline/2_privileged.yaml new file mode 100644 index 00000000..a98620b4 --- /dev/null 
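Review bot: In 1_host_pid.yaml both pods are still named `hello-host-network`, copied from 1_host_network.yaml; rename them `hello-host-pid` so the two files' findings are distinguishable in test output. The point is cosmetic only; the `hostPID: true`/`false` contrast itself is correct.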
+++ b/checks/kubernetes/pss/baseline/2_privileged.yaml @@ -0,0 +1,31 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-privileged + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-privileged + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + privileged: true diff --git a/checks/kubernetes/pss/baseline/3_specific_capabilities_added.yaml b/checks/kubernetes/pss/baseline/3_specific_capabilities_added.yaml new file mode 100644 index 00000000..040a69ef --- /dev/null +++ b/checks/kubernetes/pss/baseline/3_specific_capabilities_added.yaml @@ -0,0 +1,33 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-add-capabilities + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-add-capabilities + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + capabilities: + add: + - NET_BIND_SERVICE diff --git a/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.yaml b/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.yaml new file mode 100644 index 00000000..364bb685 --- /dev/null +++ b/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.yaml 
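Review bot: The `bad:` example in 3_specific_capabilities_added.yaml adds `NET_BIND_SERVICE`, which is one of the capabilities the Pod Security Standards baseline profile explicitly permits adding (alongside CHOWN, SETUID, SETGID and a few others). If the check follows the baseline allow-list this manifest would not be denied and the example would fail; if the check denies any added capability, the example passes but then documents behaviour stricter than the baseline it is filed under. Either way a capability outside the allow-list, for instance `- NET_ADMIN`, is the unambiguous negative case — please verify against the check's rego.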
@@ -0,0 +1,33 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-path + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-path + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + volumes: + - hostPath: + path: "/sys" + type: '' diff --git a/checks/kubernetes/pss/baseline/5_access_to_host_ports.yaml b/checks/kubernetes/pss/baseline/5_access_to_host_ports.yaml new file mode 100644 index 00000000..2f58f7e0 --- /dev/null +++ b/checks/kubernetes/pss/baseline/5_access_to_host_ports.yaml @@ -0,0 +1,31 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-ports + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-ports + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + ports: + - hostPort: 8080 diff --git a/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.yaml b/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.yaml new file mode 100644 index 00000000..7cfd6f47 --- /dev/null +++ b/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.yaml 
@@ -0,0 +1,33 @@
+kubernetes:
+ good:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/hello: runtime/default
+ name: hello-apparmor
+ spec:
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello AppArmor!' && sleep 1h
+ image: busybox
+ name: hello
+ bad:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/hello: custom
+ name: hello-apparmor
+ spec:
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello AppArmor!' && sleep 1h
+ image: busybox
+ name: hello
diff --git a/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.yaml b/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.yaml
new file mode 100644
index 00000000..25da66d3
--- /dev/null
+++ b/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.yaml
@@ -0,0 +1,33 @@
+kubernetes:
+ good:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-selinux
+ spec:
+ securityContext:
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello' && sleep 1h
+ image: busybox
+ name: hello
+ bad:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-selinux
+ spec:
+ securityContext:
+ seLinuxOptions:
+ type: custom
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello' && sleep 1h
+ image: busybox
+ name: hello
diff --git a/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.yaml b/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.yaml
new file mode 100644
index 00000000..07eb30e4
--- /dev/null
+++ b/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.yaml
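Review bot: 6_apparmor_policy_disabled.yaml exercises only the `container.apparmor.security.beta.kubernetes.io/<container>` annotation; since Kubernetes 1.30 the `securityContext.appArmorProfile` field is the supported form and the annotation is deprecated, so a good/bad pair in the field form (`appArmorProfile: {type: RuntimeDefault}` versus `appArmorProfile: {type: Localhost, localhostProfile: custom}`) would document whether the check covers pods written that way. I can't tell from the fixture whether the rego handles the field, so treat this as a question rather than a defect. In 7_selinux_custom_options_set.yaml the good example leaves `securityContext:` as a bare key, which parses as null; `securityContext: {}` says the same thing without reading like an editing accident.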
@@ -0,0 +1,35 @@
+kubernetes:
+ good:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-proc-mount
+ spec:
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello' && sleep 1h
+ image: busybox
+ name: hello
+ ports:
+ - hostPort: 8080
+ bad:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-proc-mount
+ spec:
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello' && sleep 1h
+ image: busybox
+ name: hello
+ ports:
+ - hostPort: 8080
+ securityContext:
+ procMount: Unmasked
diff --git a/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.yaml b/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.yaml
new file mode 100644
index 00000000..d71beeb7
--- /dev/null
+++ b/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.yaml
@@ -0,0 +1,39 @@
+kubernetes:
+ good:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-sysctls
+ spec:
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: '0'
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello' && sleep 1h
+ image: busybox
+ name: hello
+ bad:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-sysctls
+ spec:
+ securityContext:
+ sysctls:
+ - name: net.core.somaxconn
+ value: '1024'
+ - name: kernel.msgmax
+ value: '65536'
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello' && sleep 1h
+ image: busybox
+ name: hello
diff --git a/checks/kubernetes/pss/restricted/1_non_core_volume_types.yaml b/checks/kubernetes/pss/restricted/1_non_core_volume_types.yaml
new file mode 100644
index 00000000..b90c7775
--- /dev/null
+++ b/checks/kubernetes/pss/restricted/1_non_core_volume_types.yaml
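Review bot: Both the good and the bad example in 8_non_default_proc_masks_set.yaml carry `ports:` / `- hostPort: 8080`, which has nothing to do with `procMount` and looks copied from the host-ports fixture; dropping those two lines from each side keeps the good example clean for any other baseline check that runs over the same input (5_access_to_host_ports.yaml in the previous hunk flags exactly this field). The only lines that should separate the bad case from the good one are `securityContext:` and `procMount: Unmasked`.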
@@ -0,0 +1,42 @@
+kubernetes:
+ good:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-volume-types
+ spec:
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello' && sleep 1h
+ image: busybox
+ name: hello
+ volumes:
+ - name: volume-a
+ bad:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-volume-types
+ spec:
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello' && sleep 1h
+ image: busybox
+ name: hello
+ volumes:
+ - name: volume-a
+ scaleIO:
+ gateway: https://localhost:443/api
+ system: scaleio
+ protectionDomain: sd0
+ storagePool: sp1
+ volumeName: vol-a
+ secretRef:
+ name: sio-secret
+ fsType: xfs
diff --git a/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.yaml b/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.yaml
new file mode 100644
index 00000000..476456af
--- /dev/null
+++ b/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.yaml
@@ -0,0 +1,29 @@
+kubernetes:
+ good:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-cpu-limit
+ spec:
+ containers:
+ - command: ["sh", "-c", "echo 'Hello' && sleep 1h"]
+ image: busybox
+ name: hello
+ securityContext:
+ allowPrivilegeEscalation: false
+ bad:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-cpu-limit
+ spec:
+ containers:
+ - command: ["sh", "-c", "echo 'Hello' && sleep 1h"]
+ image: busybox
+ name: hello
+ securityContext:
+ capabilities:
+ drop:
+ - all
diff --git a/checks/kubernetes/pss/restricted/3_runs_as_root.yaml b/checks/kubernetes/pss/restricted/3_runs_as_root.yaml
new file mode 100644
index 00000000..35ade03e
--- /dev/null
+++ b/checks/kubernetes/pss/restricted/3_runs_as_root.yaml
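Review bot: Both pods in 2_can_elevate_its_own_privileges.yaml are named `hello-cpu-limit`, a leftover from the resource-limit fixture that says nothing about privilege escalation; `name: hello-privilege-escalation` would match the naming the baseline files use (`hello-privileged`, `hello-host-path`). The same copied name is used in 3_runs_as_root.yaml and 5_runtime_default_seccomp_profile_not_set.yaml in the following hunks. Separately, the bad case differs from the good one by adding `capabilities: drop: - all` rather than by simply omitting `allowPrivilegeEscalation: false`, so a reader may take the capability drop itself to be what is flagged; a bad example with no `securityContext` at all would isolate the missing field, if the check's behaviour on that input is the same.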
@@ -0,0 +1,25 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] + image: busybox + name: hello + securityContext: + runAsNonRoot: true + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] + image: busybox + name: hello diff --git a/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.yaml b/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.yaml new file mode 100644 index 00000000..5880fe0a --- /dev/null +++ b/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.yaml @@ -0,0 +1,31 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] + image: busybox + name: hello + securityContext: + seccompProfile: + type: RuntimeDefault + localhostProfile: profiles/audit.json + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] + image: busybox + name: hello + securityContext: + seccompProfile: + type: LocalPort + localhostProfile: profiles/audit.json diff --git a/test/testdata/kubernetes/KSV001/allowed.yaml b/test/testdata/kubernetes/KSV001/allowed.yaml deleted file mode 100644 index f40d17d2..00000000 --- a/test/testdata/kubernetes/KSV001/allowed.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] - image: busybox - name: hello - securityContext: - allowPrivilegeEscalation: false diff --git a/test/testdata/kubernetes/KSV001/denied.yaml b/test/testdata/kubernetes/KSV001/denied.yaml deleted file mode 100644 index 3622b1bf..00000000 
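Review bot: In 5_runtime_default_seccomp_profile_not_set.yaml the bad example uses `type: LocalPort`, which is not a seccomp profile type the Pod API accepts (the valid values are `RuntimeDefault`, `Localhost` and `Unconfined`), so the fixture demonstrates an input the API server would reject rather than the realistic failure a user would write. `type: Unconfined`, or `type: Localhost` with the existing `localhostProfile`, would be the meaningful bad case. On the good side `localhostProfile: profiles/audit.json` is paired with `type: RuntimeDefault`; that key is only honoured with `type: Localhost`, so it is dead weight in the example and could be removed from the good side.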
--- a/test/testdata/kubernetes/KSV001/denied.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] - image: busybox - name: hello - securityContext: - capabilities: - drop: - - all diff --git a/test/testdata/kubernetes/KSV002/allowed.yaml b/test/testdata/kubernetes/KSV002/allowed.yaml deleted file mode 100644 index c98da678..00000000 --- a/test/testdata/kubernetes/KSV002/allowed.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - container.apparmor.security.beta.kubernetes.io/hello: runtime/default - name: hello-apparmor -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello AppArmor!' && sleep 1h - image: busybox - name: hello \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV002/denied.yaml b/test/testdata/kubernetes/KSV002/denied.yaml deleted file mode 100644 index a127b4b4..00000000 --- a/test/testdata/kubernetes/KSV002/denied.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - container.apparmor.security.beta.kubernetes.io/hello: custom - name: hello-apparmor -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello AppArmor!' && sleep 1h - image: busybox - name: hello \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV003/allowed.yaml b/test/testdata/kubernetes/KSV003/allowed.yaml deleted file mode 100644 index 3622b1bf..00000000 --- a/test/testdata/kubernetes/KSV003/allowed.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] - image: busybox - name: hello - securityContext: - capabilities: - drop: - - all diff --git a/test/testdata/kubernetes/KSV003/denied.yaml b/test/testdata/kubernetes/KSV003/denied.yaml deleted file mode 100644 index 07754a35..00000000 
--- a/test/testdata/kubernetes/KSV003/denied.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV005/allowed.yaml b/test/testdata/kubernetes/KSV005/allowed.yaml deleted file mode 100644 index ff08b26f..00000000 --- a/test/testdata/kubernetes/KSV005/allowed.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-sys-admin-capabilities -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV005/denied.yaml b/test/testdata/kubernetes/KSV005/denied.yaml deleted file mode 100644 index c34e9fad..00000000 --- a/test/testdata/kubernetes/KSV005/denied.yaml +++ /dev/null @@ -1,17 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-sys-admin-capabilities -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - securityContext: - capabilities: - add: - - SYS_ADMIN diff --git a/test/testdata/kubernetes/KSV006/allowed.yaml b/test/testdata/kubernetes/KSV006/allowed.yaml deleted file mode 100644 index 04f1710d..00000000 --- a/test/testdata/kubernetes/KSV006/allowed.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-docker-socket -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - volumes: - - name: test-volume diff --git a/test/testdata/kubernetes/KSV006/denied.yaml b/test/testdata/kubernetes/KSV006/denied.yaml deleted file mode 100644 index d7335ac9..00000000 --- a/test/testdata/kubernetes/KSV006/denied.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-docker-socket -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - volumes: - - name: test-volume - hostPath: - path: "/var/run/docker.sock" - type: Directory diff --git a/test/testdata/kubernetes/KSV008/allowed.yaml b/test/testdata/kubernetes/KSV008/allowed.yaml deleted file mode 100644 index 6dd4513d..00000000 --- a/test/testdata/kubernetes/KSV008/allowed.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-ipc -spec: - hostIPC: false - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV008/denied.yaml b/test/testdata/kubernetes/KSV008/denied.yaml deleted file mode 100644 index 826f58a6..00000000 --- a/test/testdata/kubernetes/KSV008/denied.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-ipc -spec: - hostIPC: true - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV009/allowed.yaml b/test/testdata/kubernetes/KSV009/allowed.yaml deleted file mode 100644 index 61d615b1..00000000 --- a/test/testdata/kubernetes/KSV009/allowed.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-host-network -spec: - hostNetwork: false - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV009/denied.yaml b/test/testdata/kubernetes/KSV009/denied.yaml deleted file mode 100644 index 2b862ca5..00000000 --- a/test/testdata/kubernetes/KSV009/denied.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-host-network -spec: - hostNetwork: true - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV010/allowed.yaml b/test/testdata/kubernetes/KSV010/allowed.yaml deleted file mode 100644 index b215b5c7..00000000 --- a/test/testdata/kubernetes/KSV010/allowed.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-host-network -spec: - hostPID: false - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV010/denied.yaml b/test/testdata/kubernetes/KSV010/denied.yaml deleted file mode 100644 index 69acff1a..00000000 --- a/test/testdata/kubernetes/KSV010/denied.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-host-network -spec: - hostPID: true - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV011/allowed.yaml b/test/testdata/kubernetes/KSV011/allowed.yaml deleted file mode 100644 index f271ed67..00000000 --- a/test/testdata/kubernetes/KSV011/allowed.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - resources: - limits: - cpu: 500m diff --git a/test/testdata/kubernetes/KSV011/denied.yaml b/test/testdata/kubernetes/KSV011/denied.yaml deleted file mode 100644 index 71287dea..00000000 --- a/test/testdata/kubernetes/KSV011/denied.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV012/allowed.yaml b/test/testdata/kubernetes/KSV012/allowed.yaml deleted file mode 100644 index 0811a40e..00000000 --- a/test/testdata/kubernetes/KSV012/allowed.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] - image: busybox - name: hello - securityContext: - runAsNonRoot: true diff --git a/test/testdata/kubernetes/KSV012/denied.yaml b/test/testdata/kubernetes/KSV012/denied.yaml deleted file mode 100644 index 07754a35..00000000 --- a/test/testdata/kubernetes/KSV012/denied.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV013/allowed.yaml b/test/testdata/kubernetes/KSV013/allowed.yaml deleted file mode 100644 index f46dae03..00000000 --- a/test/testdata/kubernetes/KSV013/allowed.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-tag -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox:1.33.1 - name: hello diff --git a/test/testdata/kubernetes/KSV013/denied.yaml b/test/testdata/kubernetes/KSV013/denied.yaml deleted file mode 100644 index d6fd1939..00000000 --- a/test/testdata/kubernetes/KSV013/denied.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-tag -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox:latest - name: hello 
diff --git a/test/testdata/kubernetes/KSV014/allowed.yaml b/test/testdata/kubernetes/KSV014/allowed.yaml deleted file mode 100644 index 0ff96a44..00000000 --- a/test/testdata/kubernetes/KSV014/allowed.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-fs-not-readonly -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - securityContext: - readOnlyRootFilesystem: true diff --git a/test/testdata/kubernetes/KSV014/denied.yaml b/test/testdata/kubernetes/KSV014/denied.yaml deleted file mode 100644 index c15b769f..00000000 --- a/test/testdata/kubernetes/KSV014/denied.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-fs-not-readonly -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - securityContext: - readOnlyRootFilesystem: false diff --git a/test/testdata/kubernetes/KSV015/allowed.yaml b/test/testdata/kubernetes/KSV015/allowed.yaml deleted file mode 100644 index fd552363..00000000 --- a/test/testdata/kubernetes/KSV015/allowed.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - resources: - requests: - cpu: 250m diff --git a/test/testdata/kubernetes/KSV015/denied.yaml b/test/testdata/kubernetes/KSV015/denied.yaml deleted file mode 100644 index 71287dea..00000000 --- a/test/testdata/kubernetes/KSV015/denied.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV016/allowed.yaml b/test/testdata/kubernetes/KSV016/allowed.yaml deleted file mode 100644 index c43f990f..00000000 
--- a/test/testdata/kubernetes/KSV016/allowed.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - resources: - requests: - memory: 64Mi diff --git a/test/testdata/kubernetes/KSV016/denied.yaml b/test/testdata/kubernetes/KSV016/denied.yaml deleted file mode 100644 index 71287dea..00000000 --- a/test/testdata/kubernetes/KSV016/denied.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV017/allowed.yaml b/test/testdata/kubernetes/KSV017/allowed.yaml deleted file mode 100644 index b608e5c7..00000000 --- a/test/testdata/kubernetes/KSV017/allowed.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-privileged -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV017/denied.yaml b/test/testdata/kubernetes/KSV017/denied.yaml deleted file mode 100644 index 620f6497..00000000 --- a/test/testdata/kubernetes/KSV017/denied.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-privileged -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - securityContext: - privileged: true diff --git a/test/testdata/kubernetes/KSV018/allowed.yaml b/test/testdata/kubernetes/KSV018/allowed.yaml deleted file mode 100644 index eb00e56e..00000000 --- a/test/testdata/kubernetes/KSV018/allowed.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - resources: - limits: - memory: 128Mi diff --git a/test/testdata/kubernetes/KSV018/denied.yaml b/test/testdata/kubernetes/KSV018/denied.yaml deleted file mode 100644 index 6bf001e3..00000000 --- a/test/testdata/kubernetes/KSV018/denied.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - diff --git a/test/testdata/kubernetes/KSV020/allowed.yaml b/test/testdata/kubernetes/KSV020/allowed.yaml deleted file mode 100644 index 36f7916b..00000000 --- a/test/testdata/kubernetes/KSV020/allowed.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-gid -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - securityContext: - runAsUser: 10004 diff --git a/test/testdata/kubernetes/KSV020/denied.yaml b/test/testdata/kubernetes/KSV020/denied.yaml deleted file mode 100644 index e9dbef33..00000000 --- a/test/testdata/kubernetes/KSV020/denied.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-gid -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV021/allowed.yaml b/test/testdata/kubernetes/KSV021/allowed.yaml deleted file mode 100644 index f176cb07..00000000 --- a/test/testdata/kubernetes/KSV021/allowed.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-gid -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - securityContext: - runAsGroup: 10004 
diff --git a/test/testdata/kubernetes/KSV021/denied.yaml b/test/testdata/kubernetes/KSV021/denied.yaml deleted file mode 100644 index e9dbef33..00000000 --- a/test/testdata/kubernetes/KSV021/denied.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-gid -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV022/allowed.yaml b/test/testdata/kubernetes/KSV022/allowed.yaml deleted file mode 100644 index 1e4b014e..00000000 --- a/test/testdata/kubernetes/KSV022/allowed.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-add-capabilities -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV022/denied.yaml b/test/testdata/kubernetes/KSV022/denied.yaml deleted file mode 100644 index 3e5b7aec..00000000 --- a/test/testdata/kubernetes/KSV022/denied.yaml +++ /dev/null @@ -1,17 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-add-capabilities -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - securityContext: - capabilities: - add: - - NET_BIND_SERVICE \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV023/allowed.yaml b/test/testdata/kubernetes/KSV023/allowed.yaml deleted file mode 100644 index 8c198274..00000000 --- a/test/testdata/kubernetes/KSV023/allowed.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-host-path -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV023/denied.yaml b/test/testdata/kubernetes/KSV023/denied.yaml deleted file mode 100644 index da474eb9..00000000 --- a/test/testdata/kubernetes/KSV023/denied.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-host-path -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - volumes: - - hostPath: - path: "/sys" - type: '' diff --git a/test/testdata/kubernetes/KSV024/allowed.yaml b/test/testdata/kubernetes/KSV024/allowed.yaml deleted file mode 100644 index 24b1c975..00000000 --- a/test/testdata/kubernetes/KSV024/allowed.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-host-ports -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV024/denied.yaml b/test/testdata/kubernetes/KSV024/denied.yaml deleted file mode 100644 index f23d66ed..00000000 --- a/test/testdata/kubernetes/KSV024/denied.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-host-ports -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - ports: - - hostPort: 8080 \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV025/allowed.yaml b/test/testdata/kubernetes/KSV025/allowed.yaml deleted file mode 100644 index 508ad7b2..00000000 --- a/test/testdata/kubernetes/KSV025/allowed.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-selinux -spec: - securityContext: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV025/denied.yaml b/test/testdata/kubernetes/KSV025/denied.yaml deleted file mode 100644 index 9fbaa41d..00000000 --- a/test/testdata/kubernetes/KSV025/denied.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-selinux -spec: - securityContext: - seLinuxOptions: - type: custom - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV026/allowed.yaml b/test/testdata/kubernetes/KSV026/allowed.yaml deleted file mode 100644 index 9ff2d7bc..00000000 --- a/test/testdata/kubernetes/KSV026/allowed.yaml +++ /dev/null @@ -1,17 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-sysctls -spec: - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: '0' - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV026/denied.yaml b/test/testdata/kubernetes/KSV026/denied.yaml deleted file mode 100644 index 69eed5d6..00000000 --- a/test/testdata/kubernetes/KSV026/denied.yaml +++ /dev/null @@ -1,19 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-sysctls -spec: - securityContext: - sysctls: - - name: net.core.somaxconn - value: '1024' - - name: kernel.msgmax - value: '65536' - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV027/allowed.yaml b/test/testdata/kubernetes/KSV027/allowed.yaml deleted file mode 100644 index 40b8c24a..00000000 --- a/test/testdata/kubernetes/KSV027/allowed.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-proc-mount -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - ports: - - hostPort: 8080 diff --git a/test/testdata/kubernetes/KSV027/denied.yaml b/test/testdata/kubernetes/KSV027/denied.yaml deleted file mode 100644 index 40354e4e..00000000 --- a/test/testdata/kubernetes/KSV027/denied.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-proc-mount -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - ports: - - hostPort: 8080 - securityContext: - procMount: Unmasked diff --git a/test/testdata/kubernetes/KSV028/allowed.yaml b/test/testdata/kubernetes/KSV028/allowed.yaml deleted file mode 100644 index a2f93da0..00000000 --- a/test/testdata/kubernetes/KSV028/allowed.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-volume-types -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - volumes: - - name: volume-a diff --git a/test/testdata/kubernetes/KSV028/denied.yaml b/test/testdata/kubernetes/KSV028/denied.yaml deleted file mode 100644 index 57fc35cf..00000000 --- a/test/testdata/kubernetes/KSV028/denied.yaml +++ /dev/null @@ -1,24 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-volume-types -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - volumes: - - name: volume-a - scaleIO: - gateway: https://localhost:443/api - system: scaleio - protectionDomain: sd0 - storagePool: sp1 - volumeName: vol-a - secretRef: - name: sio-secret - fsType: xfs diff --git a/test/testdata/kubernetes/KSV030/allowed.yaml b/test/testdata/kubernetes/KSV030/allowed.yaml deleted file mode 100644 index 48b8c1d4..00000000 --- a/test/testdata/kubernetes/KSV030/allowed.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] - image: busybox - name: hello - securityContext: - seccompProfile: - type: RuntimeDefault - localhostProfile: profiles/audit.json \ No newline at end of file 
diff --git a/test/testdata/kubernetes/KSV030/denied.yaml b/test/testdata/kubernetes/KSV030/denied.yaml deleted file mode 100644 index 45b3bd31..00000000 --- a/test/testdata/kubernetes/KSV030/denied.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] - image: busybox - name: hello - securityContext: - seccompProfile: - type: LocalPort - localhostProfile: profiles/audit.json \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV036/allowed.yaml b/test/testdata/kubernetes/KSV036/allowed.yaml deleted file mode 100644 index 42a9ded8..00000000 --- a/test/testdata/kubernetes/KSV036/allowed.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: mypod - namespace: test - labels: - name: mypod -spec: - containers: - - name: mypod - image: nginx - diff --git a/test/testdata/kubernetes/KSV037/allowed.yaml b/test/testdata/kubernetes/KSV037/allowed.yaml deleted file mode 100644 index 99c22f0a..00000000 --- a/test/testdata/kubernetes/KSV037/allowed.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: mypod - namespace: test - labels: - name: mypod -spec: - automountServiceAccountToken: true - containers: - - name: mypod - image: nginx - diff --git a/test/testdata/kubernetes/KSV037/denied.yaml b/test/testdata/kubernetes/KSV037/denied.yaml deleted file mode 100644 index c42d41e0..00000000 --- a/test/testdata/kubernetes/KSV037/denied.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: mypod - namespace: kube-system - labels: - name: mypod -spec: - containers: - - name: mypod - image: nginx - diff --git a/test/testdata/kubernetes/KSV038/allowed.yaml b/test/testdata/kubernetes/KSV038/allowed.yaml deleted file mode 100644 index ccdac794..00000000 --- a/test/testdata/kubernetes/KSV038/allowed.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ -apiVersion: v1 -kind: NetworkPolicy -metadata: - name: hello-cpu-limit -spec: - podSelector: - matchLabels: - role: db diff --git a/test/testdata/kubernetes/KSV038/denied.yaml b/test/testdata/kubernetes/KSV038/denied.yaml deleted file mode 100644 index ed554dac..00000000 --- a/test/testdata/kubernetes/KSV038/denied.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: NetworkPolicy -metadata: - name: hello-cpu-limit -spec: - something: true diff --git a/test/testdata/kubernetes/KSV102/allowed.yaml b/test/testdata/kubernetes/KSV102/allowed.yaml deleted file mode 100644 index 3b6b9f49..00000000 --- a/test/testdata/kubernetes/KSV102/allowed.yaml +++ /dev/null @@ -1,24 +0,0 @@ ---- -apiVersion: apps/v1beta2 -kind: Deployment -metadata: - name: Onga -spec: - template: - spec: - containers: - - name: carts-db - image: mongo - securityContext: - runAsNonRoot: true - allowPrivilegeEscalation: true - initContainers: - - name: init-svc - image: busybox:1.28 - securityContext: - allowPrivilegeEscalation: false - metadata: - name: None - labels: - app: example - tier: backend diff --git a/test/testdata/kubernetes/KSV102/denied.yaml b/test/testdata/kubernetes/KSV102/denied.yaml deleted file mode 100644 index c760bc68..00000000 --- a/test/testdata/kubernetes/KSV102/denied.yaml +++ /dev/null @@ -1,19 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mongo-deployment -spec: - template: - spec: - containers: - - name: carts-db - image: tiller - securityContext: - runAsNonRoot: true - allowPrivilegeEscalation: true - initContainers: - - name: init-svc - image: busybox:1.28 - securityContext: - allowPrivilegeEscalation: false diff --git a/test/testdata/kubernetes/optional/KSV004/allowed.yaml b/test/testdata/kubernetes/optional/KSV004/allowed.yaml deleted file mode 100644 index 3622b1bf..00000000 --- a/test/testdata/kubernetes/optional/KSV004/allowed.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] - image: busybox - name: hello - securityContext: - capabilities: - drop: - - all diff --git a/test/testdata/kubernetes/optional/KSV004/denied.yaml b/test/testdata/kubernetes/optional/KSV004/denied.yaml deleted file mode 100644 index dc02a266..00000000 --- a/test/testdata/kubernetes/optional/KSV004/denied.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] - image: busybox - name: hello - securityContext: - capabilities: diff --git a/test/testdata/kubernetes/optional/KSV007/allowed.yaml b/test/testdata/kubernetes/optional/KSV007/allowed.yaml deleted file mode 100644 index 86b25607..00000000 --- a/test/testdata/kubernetes/optional/KSV007/allowed.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: diff --git a/test/testdata/kubernetes/optional/KSV007/denied.yaml b/test/testdata/kubernetes/optional/KSV007/denied.yaml deleted file mode 100644 index a9480234..00000000 --- a/test/testdata/kubernetes/optional/KSV007/denied.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - hostAliases: - - ip: "127.0.0.1" - hostnames: - - "foo.local" - - "bar.local" diff --git a/test/testdata/kubernetes/optional/KSV032/allowed.yaml b/test/testdata/kubernetes/optional/KSV032/allowed.yaml deleted file mode 100644 index 5809dcb0..00000000 --- a/test/testdata/kubernetes/optional/KSV032/allowed.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - name: hello - image: azurecr.io/something 
diff --git a/test/testdata/kubernetes/optional/KSV032/denied.yaml b/test/testdata/kubernetes/optional/KSV032/denied.yaml deleted file mode 100644 index 0d9857ca..00000000 --- a/test/testdata/kubernetes/optional/KSV032/denied.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - name: hello - image: blah/something diff --git a/test/testdata/kubernetes/optional/KSV033/allowed.yaml b/test/testdata/kubernetes/optional/KSV033/allowed.yaml deleted file mode 100644 index 4c8bfa57..00000000 --- a/test/testdata/kubernetes/optional/KSV033/allowed.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - name: hello - image: gcr.io/something diff --git a/test/testdata/kubernetes/optional/KSV033/denied.yaml b/test/testdata/kubernetes/optional/KSV033/denied.yaml deleted file mode 100644 index 0d9857ca..00000000 --- a/test/testdata/kubernetes/optional/KSV033/denied.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - name: hello - image: blah/something diff --git a/test/testdata/kubernetes/optional/KSV034/allowed.yaml b/test/testdata/kubernetes/optional/KSV034/allowed.yaml deleted file mode 100644 index 5809dcb0..00000000 --- a/test/testdata/kubernetes/optional/KSV034/allowed.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - name: hello - image: azurecr.io/something diff --git a/test/testdata/kubernetes/optional/KSV034/denied.yaml b/test/testdata/kubernetes/optional/KSV034/denied.yaml deleted file mode 100644 index b7f7eef0..00000000 --- a/test/testdata/kubernetes/optional/KSV034/denied.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - name: hello - image: ghcr.io/something 
diff --git a/test/testdata/kubernetes/optional/KSV035/allowed.yaml b/test/testdata/kubernetes/optional/KSV035/allowed.yaml deleted file mode 100644 index feaa3199..00000000 --- a/test/testdata/kubernetes/optional/KSV035/allowed.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - name: hello - image: ecr.us-east-2.amazonaws.com/something diff --git a/test/testdata/kubernetes/optional/KSV035/denied.yaml b/test/testdata/kubernetes/optional/KSV035/denied.yaml deleted file mode 100644 index 0d9857ca..00000000 --- a/test/testdata/kubernetes/optional/KSV035/denied.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - name: hello - image: blah/something diff --git a/test/testdata/kubernetes/optional/KSV039/allowed.yaml b/test/testdata/kubernetes/optional/KSV039/allowed.yaml deleted file mode 100644 index 7844f5db..00000000 --- a/test/testdata/kubernetes/optional/KSV039/allowed.yaml +++ /dev/null @@ -1,35 +0,0 @@ ---- -apiVersion: v1 -kind: LimitRange -metadata: - name: core-resource-limits -spec: - limits: - - type: Pod - default: - cpu: '2' - memory: 1Gi - defaultRequest: - cpu: '2' - memory: 1Gi - max: - cpu: '2' - memory: 1Gi - min: - cpu: 200m - memory: 6Mi - - type: Container - max: - cpu: '2' - memory: 1Gi - min: - cpu: 100m - memory: 4Mi - default: - cpu: 300m - memory: 200Mi - defaultRequest: - cpu: 200m - memory: 100Mi - maxLimitRequestRatio: - cpu: '10' \ No newline at end of file diff --git a/test/testdata/kubernetes/optional/KSV039/denied.yaml b/test/testdata/kubernetes/optional/KSV039/denied.yaml deleted file mode 100644 index b53d2971..00000000 --- a/test/testdata/kubernetes/optional/KSV039/denied.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: LimitRange -metadata: - name: cpu-limit-range -spec: - limits: - - default: - cpu: 1 - defaultRequest: - cpu: 0.5 - type: Container 
diff --git a/test/testdata/kubernetes/optional/KSV040/allowed.yaml b/test/testdata/kubernetes/optional/KSV040/allowed.yaml deleted file mode 100644 index cf9bbf2d..00000000 --- a/test/testdata/kubernetes/optional/KSV040/allowed.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: v1 -kind: ResourceQuota -metadata: - name: mem-cpu-demo -spec: - hard: - requests.cpu: '1' - requests.memory: 1Gi - limits.cpu: '2' - limits.memory: 2Gi diff --git a/test/testdata/kubernetes/optional/KSV040/denied.yaml b/test/testdata/kubernetes/optional/KSV040/denied.yaml deleted file mode 100644 index b73d6e67..00000000 --- a/test/testdata/kubernetes/optional/KSV040/denied.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: v1 -kind: ResourceQuota -metadata: - name: mem-cpu-demo -spec: - hard: - requests.cpu: '1' - requests.memory: 1Gi - limits.cpu: '2' From dc6dc28fd27d23976d376d81a3d57501e106e34a Mon Sep 17 00:00:00 2001 From: Nikita Pivkin Date: Fri, 6 Dec 2024 14:17:49 +0600 Subject: [PATCH 3/6] chore: link examples and dockerfile checks 
Signed-off-by: Nikita Pivkin --- checks/docker/add_instead_of_copy.rego | 1 + ...issing_yes_flag_to_avoid_manual_input.rego | 1 + ...py_from_references_current_from_alias.rego | 1 + ...n_two_arguments_not_ending_with_slash.rego | 1 + checks/docker/latest_tag.rego | 1 + checks/docker/maintainer_is_deprecated.rego | 1 + checks/docker/missing_dnf_clean_all.rego | 1 + checks/docker/missing_zypper_clean.rego | 1 + .../multiple_cmd_instructions_listed.rego | 1 + ...ltiple_entrypoint_instructions_listed.rego | 1 + .../multiple_healthcheck_instructions.rego | 1 + checks/docker/port22.rego | 1 + checks/docker/root_user.rego | 1 + checks/docker/run_apt_get_dist_upgrade.rego | 1 + .../run_command_cd_instead_of_workdir.rego | 1 + checks/docker/run_using_sudo.rego | 1 + checks/docker/run_using_wget_and_curl.rego | 1 + .../docker/same_alias_in_different_froms.rego | 1 + checks/docker/unix_ports_out_of_range.rego | 1 + checks/docker/update_instruction_alone.rego | 1 + checks/docker/workdir_path_not_absolute.rego | 1 + checks/docker/yum_clean_all_missing.rego | 1 + go.mod | 14 ++-- go.sum | 28 +++---- integration/check_examples_test.go | 12 +-- internal/examples/examples.go | 4 + test/docker_test.go | 78 ------------------- 27 files changed, 53 insertions(+), 105 deletions(-) delete mode 100644 test/docker_test.go diff --git a/checks/docker/add_instead_of_copy.rego b/checks/docker/add_instead_of_copy.rego index 7e9d135c..b5bd9795 100644 --- a/checks/docker/add_instead_of_copy.rego +++ b/checks/docker/add_instead_of_copy.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/add_instead_of_copy.yaml package builtin.dockerfile.DS005 import data.lib.docker diff --git a/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.rego b/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.rego index 7645f11a..d3b317c9 100644 --- a/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.rego 
+++ b/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.rego @@ -16,6 +16,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.yaml package builtin.dockerfile.DS021 import data.lib.docker diff --git a/checks/docker/copy_from_references_current_from_alias.rego b/checks/docker/copy_from_references_current_from_alias.rego index c80f444d..d442ed52 100644 --- a/checks/docker/copy_from_references_current_from_alias.rego +++ b/checks/docker/copy_from_references_current_from_alias.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/copy_from_references_current_from_alias.yaml package builtin.dockerfile.DS006 import data.lib.docker diff --git a/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.rego b/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.rego index 50dca814..5f1956fd 100644 --- a/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.rego +++ b/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.yaml package builtin.dockerfile.DS011 import data.lib.docker diff --git a/checks/docker/latest_tag.rego b/checks/docker/latest_tag.rego index 3aff03d6..a605eae7 100644 --- a/checks/docker/latest_tag.rego +++ b/checks/docker/latest_tag.rego @@ -13,6 +13,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/latest_tag.yaml package builtin.dockerfile.DS001 import data.lib.docker diff --git a/checks/docker/maintainer_is_deprecated.rego b/checks/docker/maintainer_is_deprecated.rego index 762f05fc..095892ef 100644 --- a/checks/docker/maintainer_is_deprecated.rego +++ b/checks/docker/maintainer_is_deprecated.rego 
@@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/maintainer_is_deprecated.yaml package builtin.dockerfile.DS022 import data.lib.docker diff --git a/checks/docker/missing_dnf_clean_all.rego b/checks/docker/missing_dnf_clean_all.rego index 182c6806..268e3e08 100644 --- a/checks/docker/missing_dnf_clean_all.rego +++ b/checks/docker/missing_dnf_clean_all.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/missing_dnf_clean_all.yaml package builtin.dockerfile.DS019 import data.lib.docker diff --git a/checks/docker/missing_zypper_clean.rego b/checks/docker/missing_zypper_clean.rego index 657f2004..b6ebd41d 100644 --- a/checks/docker/missing_zypper_clean.rego +++ b/checks/docker/missing_zypper_clean.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/missing_zypper_clean.yaml package builtin.dockerfile.DS020 import data.lib.docker diff --git a/checks/docker/multiple_cmd_instructions_listed.rego b/checks/docker/multiple_cmd_instructions_listed.rego index 2712590f..b81e5a81 100644 --- a/checks/docker/multiple_cmd_instructions_listed.rego +++ b/checks/docker/multiple_cmd_instructions_listed.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/multiple_cmd_instructions_listed.yaml package builtin.dockerfile.DS016 import data.lib.docker diff --git a/checks/docker/multiple_entrypoint_instructions_listed.rego b/checks/docker/multiple_entrypoint_instructions_listed.rego index 89783d3d..979fc43f 100644 --- a/checks/docker/multiple_entrypoint_instructions_listed.rego +++ b/checks/docker/multiple_entrypoint_instructions_listed.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/multiple_entrypoint_instructions_listed.yaml package builtin.dockerfile.DS007 import data.lib.docker 
diff --git a/checks/docker/multiple_healthcheck_instructions.rego b/checks/docker/multiple_healthcheck_instructions.rego index bb916d5c..ba9ea162 100644 --- a/checks/docker/multiple_healthcheck_instructions.rego +++ b/checks/docker/multiple_healthcheck_instructions.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/multiple_healthcheck_instructions.yaml package builtin.dockerfile.DS023 import data.lib.docker diff --git a/checks/docker/port22.rego b/checks/docker/port22.rego index 106866ac..46a9d7e8 100644 --- a/checks/docker/port22.rego +++ b/checks/docker/port22.rego @@ -13,6 +13,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/port22.yaml package builtin.dockerfile.DS004 import data.lib.docker diff --git a/checks/docker/root_user.rego b/checks/docker/root_user.rego index 71eeb085..17156f34 100644 --- a/checks/docker/root_user.rego +++ b/checks/docker/root_user.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/root_user.yaml package builtin.dockerfile.DS002 import data.lib.docker diff --git a/checks/docker/run_apt_get_dist_upgrade.rego b/checks/docker/run_apt_get_dist_upgrade.rego index d92163f9..5bded83d 100644 --- a/checks/docker/run_apt_get_dist_upgrade.rego +++ b/checks/docker/run_apt_get_dist_upgrade.rego @@ -13,6 +13,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/run_apt_get_dist_upgrade.yaml package builtin.dockerfile.DS024 import data.lib.docker diff --git a/checks/docker/run_command_cd_instead_of_workdir.rego b/checks/docker/run_command_cd_instead_of_workdir.rego index e9012490..859f6b78 100644 --- a/checks/docker/run_command_cd_instead_of_workdir.rego +++ b/checks/docker/run_command_cd_instead_of_workdir.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/run_command_cd_instead_of_workdir.yaml package builtin.dockerfile.DS013 import data.lib.docker 
diff --git a/checks/docker/run_using_sudo.rego b/checks/docker/run_using_sudo.rego index d4710013..6ec882d1 100644 --- a/checks/docker/run_using_sudo.rego +++ b/checks/docker/run_using_sudo.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/run_using_sudo.yaml package builtin.dockerfile.DS010 import data.lib.docker diff --git a/checks/docker/run_using_wget_and_curl.rego b/checks/docker/run_using_wget_and_curl.rego index 2838de9a..66e170ec 100644 --- a/checks/docker/run_using_wget_and_curl.rego +++ b/checks/docker/run_using_wget_and_curl.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/run_using_wget_and_curl.yaml package builtin.dockerfile.DS014 import data.lib.docker diff --git a/checks/docker/same_alias_in_different_froms.rego b/checks/docker/same_alias_in_different_froms.rego index a573dea8..1053cb00 100644 --- a/checks/docker/same_alias_in_different_froms.rego +++ b/checks/docker/same_alias_in_different_froms.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/same_alias_in_different_froms.yaml package builtin.dockerfile.DS012 import data.lib.docker diff --git a/checks/docker/unix_ports_out_of_range.rego b/checks/docker/unix_ports_out_of_range.rego index 0235406f..bc5da560 100644 --- a/checks/docker/unix_ports_out_of_range.rego +++ b/checks/docker/unix_ports_out_of_range.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/unix_ports_out_of_range.yaml package builtin.dockerfile.DS008 import data.lib.docker diff --git a/checks/docker/update_instruction_alone.rego b/checks/docker/update_instruction_alone.rego index fb59257b..1c0bac19 100644 --- a/checks/docker/update_instruction_alone.rego +++ b/checks/docker/update_instruction_alone.rego 
@@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/update_instruction_alone.yaml package builtin.dockerfile.DS017 import data.lib.docker diff --git a/checks/docker/workdir_path_not_absolute.rego b/checks/docker/workdir_path_not_absolute.rego index 4cabe688..83ac2ff4 100644 --- a/checks/docker/workdir_path_not_absolute.rego +++ b/checks/docker/workdir_path_not_absolute.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/workdir_path_not_absolute.yaml package builtin.dockerfile.DS009 import data.lib.docker diff --git a/checks/docker/yum_clean_all_missing.rego b/checks/docker/yum_clean_all_missing.rego index fbe5937a..e272f719 100644 --- a/checks/docker/yum_clean_all_missing.rego +++ b/checks/docker/yum_clean_all_missing.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/yum_clean_all_missing.yaml package builtin.dockerfile.DS015 import future.keywords.in diff --git a/go.mod b/go.mod index 77b61f7c..c541004e 100644 --- a/go.mod +++ b/go.mod @@ -4,6 +4,8 @@ go 1.22.9 toolchain go1.23.0 +replace github.com/aquasecurity/trivy => /Users/nikita/projects/trivy + require ( github.com/aquasecurity/trivy v0.57.1-0.20241202232542-54130dcc1d77 github.com/aws-cloudformation/rain v1.19.0 @@ -105,10 +107,10 @@ require ( github.com/chzyer/readline v1.5.1 // indirect github.com/cloudflare/circl v1.3.8 // indirect github.com/containerd/cgroups/v3 v3.0.3 // indirect - github.com/containerd/containerd v1.7.23 // indirect + github.com/containerd/containerd v1.7.24 // indirect github.com/containerd/containerd/api v1.8.0 // indirect github.com/containerd/containerd/v2 v2.0.0 // indirect - github.com/containerd/continuity v0.4.4 // indirect + github.com/containerd/continuity v0.4.5 // indirect github.com/containerd/errdefs v1.0.0 // indirect github.com/containerd/errdefs/pkg v0.3.0 // indirect github.com/containerd/fifo v1.1.0 // indirect 
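Review bot: The `replace github.com/aquasecurity/trivy => /Users/nikita/projects/trivy` directive added at the top of go.mod points at a directory on the author's machine, so any other checkout or CI runner will fail to resolve the module, and the trivy dependency is no longer pinned by checksum (the go.sum hunk further down in this patch drops both `github.com/aquasecurity/trivy` h1 lines). Drop the line before merge; if the intent is to build against an unreleased trivy commit, bump the pseudo-version in `require` instead so the build stays reproducible and go.sum-verified, or keep the local override in an uncommitted `go.work`. The remaining version bumps look mechanical, though `docker/cli` and `docker/docker` move to a release candidate (`v27.4.0-rc.2`), presumably pulled in transitively — worth confirming that is intended rather than an artifact of the local replace.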
@@ -117,7 +119,7 @@ require ( github.com/containerd/plugin v1.0.0 // indirect github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect github.com/containerd/ttrpc v1.2.6 // indirect - github.com/containerd/typeurl/v2 v2.2.2 // indirect + github.com/containerd/typeurl/v2 v2.2.3 // indirect github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect github.com/cyphar/filepath-securejoin v0.3.4 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect @@ -128,9 +130,9 @@ require ( github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect github.com/distribution/reference v0.6.0 // indirect github.com/dlclark/regexp2 v1.4.0 // indirect - github.com/docker/cli v27.3.1+incompatible // indirect + github.com/docker/cli v27.4.0-rc.2+incompatible // indirect github.com/docker/distribution v2.8.3+incompatible // indirect - github.com/docker/docker v27.3.1+incompatible // indirect + github.com/docker/docker v27.4.0-rc.2+incompatible // indirect github.com/docker/docker-credential-helpers v0.8.2 // indirect github.com/docker/go-connections v0.5.0 // indirect github.com/docker/go-metrics v0.0.1 // indirect @@ -252,7 +254,7 @@ require ( github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/mitchellh/reflectwalk v1.0.2 // indirect - github.com/moby/buildkit v0.17.2 // indirect + github.com/moby/buildkit v0.18.0 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect github.com/moby/locker v1.0.1 // indirect github.com/moby/spdystream v0.4.0 // indirect diff --git a/go.sum b/go.sum index 9bd6c626..7b3e1a74 100644 --- a/go.sum +++ b/go.sum 
@@ -349,10 +349,6 @@ github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8 h1:b43UVqY
 github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8/go.mod h1:wXA9k3uuaxY3yu7gxrxZDPo/04FEMJtwyecdAlYrEIo=
 github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
-github.com/aquasecurity/trivy v0.57.1-0.20241127185709-c238c515b831 h1:Ol9LT6V3KXCwaJE6lyeOR+3NGgDyA0HOXvPtumz/dxA=
-github.com/aquasecurity/trivy v0.57.1-0.20241127185709-c238c515b831/go.mod h1:fURPZjqUDH08tYy/2EhU4k0uAOzXcPAJeM2O0Z6k0nU=
-github.com/aquasecurity/trivy v0.57.1-0.20241202232542-54130dcc1d77 h1:asWezOVucyj/9U+XUYgp/T952z1rpS1o1Kd+KyZD1C0=
-github.com/aquasecurity/trivy v0.57.1-0.20241202232542-54130dcc1d77/go.mod h1:ZFPGXENLDMCKV7uXY3G1dloqMki9SZBHZldFo2aqupA=
 github.com/aquasecurity/trivy-db v0.0.0-20241120092622-333d808d7e45 h1:ljinbg7JTQvdnzuRsPYS6btA51SyGYWKCQInxSIwbRw=
 github.com/aquasecurity/trivy-db v0.0.0-20241120092622-333d808d7e45/go.mod h1:Lg2avQhFy5qeGA0eMysI/61REVvWpEltverCarGc3l0=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
@@ -493,14 +489,14 @@ github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL
 github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w=
 github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0=
 github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0=
-github.com/containerd/containerd v1.7.23 h1:H2CClyUkmpKAGlhQp95g2WXHfLYc7whAuvZGBNYOOwQ=
-github.com/containerd/containerd v1.7.23/go.mod h1:7QUzfURqZWCZV7RLNEn1XjUCQLEf0bkaK4GjUaZehxw=
+github.com/containerd/containerd v1.7.24 h1:zxszGrGjrra1yYJW/6rhm9cJ1ZQ8rkKBR48brqsa7nA=
+github.com/containerd/containerd v1.7.24/go.mod h1:7QUzfURqZWCZV7RLNEn1XjUCQLEf0bkaK4GjUaZehxw=
 github.com/containerd/containerd/api v1.8.0 h1:hVTNJKR8fMc/2Tiw60ZRijntNMd1U+JVMyTRdsD2bS0=
 github.com/containerd/containerd/api v1.8.0/go.mod h1:dFv4lt6S20wTu/hMcP4350RL87qPWLVa/OHOwmmdnYc=
 github.com/containerd/containerd/v2 v2.0.0 h1:qLDdFaAykQrIyLiqwQrNLLz95wiC36bAZVwioUwqShM=
 github.com/containerd/containerd/v2 v2.0.0/go.mod h1:j25kDy9P48/ngb1sxWIFfK6GsnqOHoSqo1EpAod20VQ=
-github.com/containerd/continuity v0.4.4 h1:/fNVfTJ7wIl/YPMHjf+5H32uFhl63JucB34PlCpMKII=
-github.com/containerd/continuity v0.4.4/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
+github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4=
+github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
 github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
 github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
 github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
@@ -517,8 +513,8 @@ github.com/containerd/stargz-snapshotter/estargz v0.15.1 h1:eXJjw9RbkLFgioVaTG+G
 github.com/containerd/stargz-snapshotter/estargz v0.15.1/go.mod h1:gr2RNwukQ/S9Nv33Lt6UC7xEx58C+LHRdoqbEKjz1Kk=
 github.com/containerd/ttrpc v1.2.6 h1:zG+Kn5EZ6MUYCS1t2Hmt2J4tMVaLSFEJVOraDQwNPC4=
 github.com/containerd/ttrpc v1.2.6/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o=
-github.com/containerd/typeurl/v2 v2.2.2 h1:3jN/k2ysKuPCsln5Qv8bzR9cxal8XjkxPogJfSNO31k=
-github.com/containerd/typeurl/v2 v2.2.2/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk=
+github.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++dYSw40=
+github.com/containerd/typeurl/v2 v2.2.3/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
 github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk=
@@ -566,12 +562,12 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/dlclark/regexp2 v1.4.0 h1:F1rxgk7p4uKjwIQxBs9oAXe5CqrXlCduYEJvrF4u93E=
 github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
-github.com/docker/cli v27.3.1+incompatible h1:qEGdFBF3Xu6SCvCYhc7CzaQTlBmqDuzxPDpigSyeKQQ=
-github.com/docker/cli v27.3.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v27.4.0-rc.2+incompatible h1:A0GZwegDlt2wdt3tpmrUzkVOZmbhvd7i05wPSf7Oo74=
+github.com/docker/cli v27.4.0-rc.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v27.3.1+incompatible h1:KttF0XoteNTicmUtBO0L2tP+J7FGRFTjaEF4k6WdhfI=
-github.com/docker/docker v27.3.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v27.4.0-rc.2+incompatible h1:9OJjVGtelk/zGC3TyKweJ29b9Axzh0s/0vtU4mneumE=
+github.com/docker/docker v27.4.0-rc.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
 github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
@@ -1064,8 +1060,8 @@ github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b/go.mod h1:pzzDgJWZ34fGzaAZGFW22KVZDfyrYW+QABMrWnJBnSs= -github.com/moby/buildkit v0.17.2 h1:/jgk/MuXbA7jeXMkknOpHYB+Ct4aNvQHkBB7SxD3D4U= -github.com/moby/buildkit v0.17.2/go.mod h1:vr5vltV8wt4F2jThbNOChfbAklJ0DOW11w36v210hOg= +github.com/moby/buildkit v0.18.0 h1:KSelhNINJcNA3FCWBbGCytvicjP+kjU5kZlZhkTUkVo= +github.com/moby/buildkit v0.18.0/go.mod h1:vCR5CX8NGsPTthTg681+9kdmfvkvqJBXEv71GZe5msU= github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= diff --git a/integration/check_examples_test.go b/integration/check_examples_test.go index f92141a2..87d97c73 100644 --- a/integration/check_examples_test.go +++ b/integration/check_examples_test.go @@ -94,7 +94,7 @@ func setupTarget(t *testing.T) string { func writeExamples(t *testing.T, examples []string, provider, cacheDir string, id string, typ string) { for i, example := range examples { - name := "test" + extensionByProvider(provider) + name := fileNameByProvider(provider) file := filepath.Join(cacheDir, id, provider, typ, strconv.Itoa(i), name) require.NoError(t, os.MkdirAll(filepath.Dir(file), fs.ModePerm)) require.NoError(t, os.WriteFile(file, []byte(example), fs.ModePerm)) 
@@ -154,12 +154,14 @@ func getFailureIDs(report types.Report) map[string][]string { return ids } -func extensionByProvider(provider string) string { +func fileNameByProvider(provider string) string { switch provider { case "terraform": - return ".tf" + return "main.tf" case "cloudformation": - return ".yaml" + return "template.yaml" + case "dockerfile": + return "Dockerfile" } - panic("unreachable") + panic("unreachable: " + provider) } diff --git a/internal/examples/examples.go b/internal/examples/examples.go index 999e63b0..3ed9de29 100644 --- a/internal/examples/examples.go +++ b/internal/examples/examples.go @@ -33,6 +33,10 @@ func GetCheckExamples(r scan.Rule) (CheckExamples, string, error) { // TODO: use `examples` field after adding func getCheckExamplesPath(r scan.Rule) string { + if r.Examples != "" { + return r.Examples + } + for _, eng := range []*scan.EngineMetadata{r.Terraform, r.CloudFormation} { if eng == nil { continue diff --git a/test/docker_test.go b/test/docker_test.go deleted file mode 100644 index cc19bdb6..00000000 --- a/test/docker_test.go +++ /dev/null 
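Review bot: `fileNameByProvider` still panics for every provider other than terraform, cloudformation and dockerfile, so the first kubernetes check that carries an `examples:` path (the next commit in this series appears to add them, judging by its diffstat) would abort the whole integration run with `unreachable: kubernetes` instead of failing one subtest. The only caller visible here is `writeExamples`, which already has `t`, so either add the missing case now or return `(string, bool)` and fail at the call site with `t.Fatalf("unsupported provider %q", provider)`. The message `"unreachable: " + provider` is also misleading once the branch is plainly reachable; `"unsupported provider: " + provider` says what actually happened.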
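Review bot: The `// TODO: use `examples` field after adding` comment immediately above `getCheckExamplesPath` is now stale, because the new `if r.Examples != "" { return r.Examples }` does exactly that; replace it with a doc comment such as `// getCheckExamplesPath returns the check's top-level examples path when set, otherwise the first per-engine good/bad example path found.` The fallback loop over `r.Terraform` and `r.CloudFormation` continues outside the hunk, so I cannot see how the returned path is opened; if it is joined onto a real filesystem path rather than resolved inside the embedded checks FS, a metadata value containing `..` or an absolute path would read outside the checks tree, and an `fs.ValidPath(path)` check before returning would close that.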
@@ -1,78 +0,0 @@ -package test - -import ( - "context" - "fmt" - "os" - "testing" - - "github.com/aquasecurity/trivy/pkg/iac/rego" - "github.com/aquasecurity/trivy/pkg/iac/scanners/dockerfile" - "github.com/aquasecurity/trivy/pkg/iac/scanners/options" - "github.com/stretchr/testify/require" - - builtinrego "github.com/aquasecurity/trivy-checks/pkg/rego" -) - -func init() { - builtinrego.RegisterBuiltins() -} - -func Test_Dockerfile(t *testing.T) { - tests := []struct { - name string - opts []options.ScannerOption - }{ - { - name: "checks from disk", - opts: []options.ScannerOption{ - rego.WithPolicyFilesystem(os.DirFS("../checks/docker")), - rego.WithPolicyDirs("."), - }, - }, - { - name: "embedded checks", - opts: []options.ScannerOption{ - rego.WithEmbeddedPolicies(true), - }, - }, - } - - testdata := "./testdata/dockerfile" - - entries, err := os.ReadDir(testdata) - require.NoError(t, err) - - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - t.Parallel() - - opts := []options.ScannerOption{ - rego.WithPerResultTracing(true), - rego.WithEmbeddedLibraries(true), - } - opts = append(opts, tt.opts...) - - scanner := dockerfile.NewScanner(opts...) - - results, err := scanner.ScanFS(context.TODO(), os.DirFS(testdata), ".") - require.NoError(t, err) - - for _, entry := range entries { - if !entry.IsDir() { - continue - } - - dirName := entry.Name() - - t.Run(entry.Name(), func(t *testing.T) { - assertChecks(t, dirName, - fmt.Sprintf("%s/Dockerfile.denied", dirName), - fmt.Sprintf("%s/Dockerfile.allowed", dirName), - results, - ) - }) - } - }) - } -} From 43da45685e408517cf948d986e16b313a13e379f Mon Sep 17 00:00:00 2001 From: Nikita Pivkin Date: Mon, 9 Dec 2024 11:47:44 +0600 Subject: [PATCH 4/6] chore: link examples and kubernetes checks 
Signed-off-by: Nikita Pivkin --- .../protect_core_components_namespace.rego | 1 + ...protecting_pod_service_account_tokens.rego | 1 + .../selector_usage_in_network_policies.rego | 1 + .../kubernetes/network/no_public_egress.rego | 1 + .../kubernetes/network/no_public_ingress.rego | 1 + .../kubernetes/pss/baseline/1_host_ipc.rego | 1 + .../pss/baseline/1_host_network.rego | 1 + .../kubernetes/pss/baseline/1_host_pid.rego | 1 + .../kubernetes/pss/baseline/2_privileged.rego | 1 + .../3_specific_capabilities_added.rego | 1 + .../baseline/4_hostpath_volumes_mounted.rego | 1 + .../pss/baseline/5_access_to_host_ports.rego | 1 + .../baseline/6_apparmor_policy_disabled.rego | 1 + .../7_selinux_custom_options_set.rego | 1 + .../8_non_default_proc_masks_set.rego | 1 + .../baseline/9_unsafe_sysctl_options_set.rego | 1 + .../restricted/1_non_core_volume_types.rego | 1 + .../2_can_elevate_its_own_privileges.rego | 1 + .../pss/restricted/3_runs_as_root.rego | 1 + ...ntime_default_seccomp_profile_not_set.rego | 1 + integration/check_examples_test.go | 2 + test/kubernetes_test.go | 115 ------------------ test/testdata/kubernetes/KSV036/denied.yaml | 0 23 files changed, 22 insertions(+), 115 deletions(-) delete mode 100644 test/kubernetes_test.go delete mode 100644 test/testdata/kubernetes/KSV036/denied.yaml diff --git a/checks/kubernetes/advanced/protect_core_components_namespace.rego b/checks/kubernetes/advanced/protect_core_components_namespace.rego index 0a7284e0..7bde2ddb 100644 --- a/checks/kubernetes/advanced/protect_core_components_namespace.rego +++ b/checks/kubernetes/advanced/protect_core_components_namespace.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: kubernetes +# examples: checks/kubernetes/advanced/protect_core_components_namespace.yaml package builtin.kubernetes.KSV037 import data.lib.kubernetes 
diff --git a/checks/kubernetes/advanced/protecting_pod_service_account_tokens.rego b/checks/kubernetes/advanced/protecting_pod_service_account_tokens.rego index a72c9560..fa05a93d 100644 --- a/checks/kubernetes/advanced/protecting_pod_service_account_tokens.rego +++ b/checks/kubernetes/advanced/protecting_pod_service_account_tokens.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: kubernetes +# examples: checks/kubernetes/advanced/protecting_pod_service_account_tokens.yaml package builtin.kubernetes.KSV036 import data.lib.kubernetes diff --git a/checks/kubernetes/advanced/selector_usage_in_network_policies.rego b/checks/kubernetes/advanced/selector_usage_in_network_policies.rego index 92347fa6..8c0e4811 100644 --- a/checks/kubernetes/advanced/selector_usage_in_network_policies.rego +++ b/checks/kubernetes/advanced/selector_usage_in_network_policies.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: kubernetes +# examples: checks/kubernetes/advanced/selector_usage_in_network_policies.yaml package builtin.kubernetes.KSV038 import data.lib.kubernetes diff --git a/checks/kubernetes/network/no_public_egress.rego b/checks/kubernetes/network/no_public_egress.rego index 0f1185a1..de0f8a79 100644 --- a/checks/kubernetes/network/no_public_egress.rego +++ b/checks/kubernetes/network/no_public_egress.rego @@ -22,6 +22,7 @@ # good_examples: checks/kubernetes/network/no_public_egress.yaml # links: # - https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#spec.egress.to.ip_block.cidr +# examples: checks/kubernetes/network/no_public_egress.yaml package builtin.kube.network.kube0002 import rego.v1 diff --git a/checks/kubernetes/network/no_public_ingress.rego b/checks/kubernetes/network/no_public_ingress.rego index 29f3c51b..69e3e062 100644 --- a/checks/kubernetes/network/no_public_ingress.rego +++ b/checks/kubernetes/network/no_public_ingress.rego 
@@ -22,6 +22,7 @@ # good_examples: checks/kubernetes/network/no_public_ingress.yaml # links: # - https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#spec.ingress.from.ip_block.cidr +# examples: checks/kubernetes/network/no_public_ingress.yaml package builtin.kube.network.kube0001 import rego.v1 diff --git a/checks/kubernetes/pss/baseline/1_host_ipc.rego b/checks/kubernetes/pss/baseline/1_host_ipc.rego index b482b749..0a7ae572 100644 --- a/checks/kubernetes/pss/baseline/1_host_ipc.rego +++ b/checks/kubernetes/pss/baseline/1_host_ipc.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/1_host_ipc.yaml package builtin.kubernetes.KSV008 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/baseline/1_host_network.rego b/checks/kubernetes/pss/baseline/1_host_network.rego index df2e05de..d214c17d 100644 --- a/checks/kubernetes/pss/baseline/1_host_network.rego +++ b/checks/kubernetes/pss/baseline/1_host_network.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/1_host_network.yaml package builtin.kubernetes.KSV009 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/baseline/1_host_pid.rego b/checks/kubernetes/pss/baseline/1_host_pid.rego index 1972f037..2b16b207 100644 --- a/checks/kubernetes/pss/baseline/1_host_pid.rego +++ b/checks/kubernetes/pss/baseline/1_host_pid.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/1_host_pid.yaml package builtin.kubernetes.KSV010 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/baseline/2_privileged.rego b/checks/kubernetes/pss/baseline/2_privileged.rego index dcb0c648..d69cae58 100644 --- a/checks/kubernetes/pss/baseline/2_privileged.rego +++ b/checks/kubernetes/pss/baseline/2_privileged.rego 
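Review bot: KUBE-0001 ends up with two keys naming the same file — the existing `# good_examples: checks/kubernetes/network/no_public_ingress.yaml` in the context and the added `# examples:` line — and the new line is also placed after `# links:` rather than next to the other example key, so the duplication is easy to miss. If the two keys imply different file layouts (good-only list versus `good:`/`bad:` map) a loader that honours both will read one of them wrongly. Unless a later patch removes it, delete the `# good_examples:` line in this hunk so only `# examples:` remains. The metadata block starts outside the hunk.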
@@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/2_privileged.yaml package builtin.kubernetes.KSV017 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/baseline/3_specific_capabilities_added.rego b/checks/kubernetes/pss/baseline/3_specific_capabilities_added.rego index b5ebf057..a6c60909 100644 --- a/checks/kubernetes/pss/baseline/3_specific_capabilities_added.rego +++ b/checks/kubernetes/pss/baseline/3_specific_capabilities_added.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/3_specific_capabilities_added.yaml package builtin.kubernetes.KSV022 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.rego b/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.rego index 206d4ca9..6bac024f 100644 --- a/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.rego +++ b/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.yaml package builtin.kubernetes.KSV023 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/baseline/5_access_to_host_ports.rego b/checks/kubernetes/pss/baseline/5_access_to_host_ports.rego index a04878aa..7c968749 100644 --- a/checks/kubernetes/pss/baseline/5_access_to_host_ports.rego +++ b/checks/kubernetes/pss/baseline/5_access_to_host_ports.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/5_access_to_host_ports.yaml package builtin.kubernetes.KSV024 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.rego b/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.rego index 52293ee1..dd5b516d 100644 --- a/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.rego 
+++ b/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.yaml package builtin.kubernetes.KSV002 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.rego b/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.rego index 7333101f..95150776 100644 --- a/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.rego +++ b/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/7_selinux_custom_options_set.yaml package builtin.kubernetes.KSV025 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.rego b/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.rego index 7e63550e..56724575 100644 --- a/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.rego +++ b/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.yaml package builtin.kubernetes.KSV027 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.rego b/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.rego index b4442c36..9fbb2e8a 100644 --- a/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.rego +++ b/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.yaml package builtin.kubernetes.KSV026 import data.lib.kubernetes 
diff --git a/checks/kubernetes/pss/restricted/1_non_core_volume_types.rego b/checks/kubernetes/pss/restricted/1_non_core_volume_types.rego index 504a55e8..66f1dfe3 100644 --- a/checks/kubernetes/pss/restricted/1_non_core_volume_types.rego +++ b/checks/kubernetes/pss/restricted/1_non_core_volume_types.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/restricted/1_non_core_volume_types.yaml package builtin.kubernetes.KSV028 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.rego b/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.rego index 7a9685f6..fa614ff8 100644 --- a/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.rego +++ b/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.yaml package builtin.kubernetes.KSV001 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/restricted/3_runs_as_root.rego b/checks/kubernetes/pss/restricted/3_runs_as_root.rego index ce27c7de..74b8b06d 100644 --- a/checks/kubernetes/pss/restricted/3_runs_as_root.rego +++ b/checks/kubernetes/pss/restricted/3_runs_as_root.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/restricted/3_runs_as_root.yaml package builtin.kubernetes.KSV012 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego b/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego index e534daf9..c1509ad2 100644 --- a/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego +++ b/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego 
@@ -25,6 +25,7 @@
 # - kind: daemonset
 # - kind: cronjob
 # - kind: job
+# examples: checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.yaml
 package builtin.kubernetes.KSV030
 
 import data.lib.kubernetes
diff --git a/integration/check_examples_test.go b/integration/check_examples_test.go
index 87d97c73..11d26dee 100644
--- a/integration/check_examples_test.go
+++ b/integration/check_examples_test.go
@@ -162,6 +162,8 @@ func fileNameByProvider(provider string) string {
 		return "template.yaml"
 	case "dockerfile":
 		return "Dockerfile"
+	case "kubernetes":
+		return "test.yaml"
 	}
 	panic("unreachable: " + provider)
 }
diff --git a/test/kubernetes_test.go b/test/kubernetes_test.go
deleted file mode 100644
index 7a126661..00000000
--- a/test/kubernetes_test.go
+++ /dev/null
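Review bot: The `case "kubernetes"` branch routes the Kubernetes examples through the integration harness, but the `test/kubernetes_test.go` deleted in this same patch also asserted that every failed result carries a positive start and end line (`assert.Greater(t, result.Range().GetStartLine(), 0, ...)`) and printed the rego trace when an assertion failed; I cannot see the rest of `check_examples_test.go` here, so if it does not make the same assertion the line-number regression guard for Kubernetes findings is lost by this change. A check that reports against the whole document instead of the offending resource would then pass unnoticed, which matters for anyone triaging findings by location. Consider carrying the range assertion and the trace dump over into the shared harness, and a short comment on the new case such as `// the kubernetes scanner dispatches on extension, so any .yaml name works` would explain why the name differs from the other providers' fixtures, assuming that is indeed why. `fileNameByProvider` starts outside the hunk.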
@@ -1,115 +0,0 @@ -package test - -import ( - "context" - "fmt" - "os" - "testing" - - "github.com/aquasecurity/trivy/pkg/iac/rego" - "github.com/aquasecurity/trivy/pkg/iac/scan" - "github.com/aquasecurity/trivy/pkg/iac/scanners/kubernetes" - "github.com/aquasecurity/trivy/pkg/iac/scanners/options" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" -) - -func Test_Kubenetes(t *testing.T) { - tests := []struct { - name string - opts []options.ScannerOption - }{ - { - name: "checks from disk", - opts: []options.ScannerOption{ - rego.WithPolicyFilesystem(os.DirFS("../checks/kubernetes")), - rego.WithPolicyDirs("."), - }, - }, - { - name: "embedded checks", - opts: []options.ScannerOption{ - rego.WithEmbeddedPolicies(true), - }, - }, - } - - testdata := "./testdata/kubernetes" - - entries, err := os.ReadDir(testdata) - require.NoError(t, err) - - for _, tt := range tests { - t.Run(t.Name(), func(t *testing.T) { - t.Parallel() - - opts := []options.ScannerOption{ - rego.WithPerResultTracing(true), - rego.WithEmbeddedLibraries(true), - } - opts = append(opts, tt.opts...) - - scanner := kubernetes.NewScanner(opts...) 
- - results, err := scanner.ScanFS(context.TODO(), os.DirFS(testdata), ".") - require.NoError(t, err) - - for _, entry := range entries { - if !entry.IsDir() { - continue - } - if entry.Name() == "optional" { - continue - } - - dirName := entry.Name() - - t.Run(entry.Name(), func(t *testing.T) { - assertChecks(t, dirName, - fmt.Sprintf("%s/denied.yaml", dirName), - fmt.Sprintf("%s/allowed.yaml", dirName), - results, - ) - }) - } - }) - } -} - -func assertChecks(t *testing.T, fileName, failCase, passCase string, results scan.Results) { - t.Helper() - - var matched bool - - for _, result := range results { - if !result.Rule().HasID(fileName) { - continue - } - - t.Run(result.Rule().AVDID, func(t *testing.T) { - switch result.Range().GetFilename() { - case failCase: - assert.Equal(t, scan.StatusFailed, result.Status(), "Rule should have failed, but didn't.") - if result.Rule().AVDID != "AVD-DS-0002" { - assert.Greater(t, result.Range().GetStartLine(), 0, "We should have line numbers for a failure") - assert.Greater(t, result.Range().GetEndLine(), 0, "We should have line numbers for a failure") - } - matched = true - case passCase: - assert.Equal(t, scan.StatusPassed, result.Status(), "Rule should have passed, but didn't.") - matched = true - default: - return - } - - if t.Failed() { - fmt.Println("Test failed - rego trace follows:") - for _, trace := range result.Traces() { - fmt.Println(trace) - } - } - }) - } - - assert.True(t, matched, "Rule should be matched once") -} diff --git a/test/testdata/kubernetes/KSV036/denied.yaml b/test/testdata/kubernetes/KSV036/denied.yaml deleted file mode 100644 index e69de29b..00000000 From 39a607a3ed7e731ece6d86e05b320ef253ab06ca Mon Sep 17 00:00:00 2001 From: Nikita Pivkin Date: Mon, 9 Dec 2024 12:15:21 +0600 Subject: [PATCH 5/6] chore: format dockerfile and kubernetes examples 
Signed-off-by: Nikita Pivkin --- checks/docker/add_instead_of_copy.yaml | 22 ++++---- ...issing_yes_flag_to_avoid_manual_input.yaml | 20 +++---- ...py_from_references_current_from_alias.yaml | 28 +++++----- ...n_two_arguments_not_ending_with_slash.yaml | 20 +++---- checks/docker/latest_tag.yaml | 20 +++---- checks/docker/maintainer_is_deprecated.yaml | 18 +++---- checks/docker/missing_dnf_clean_all.yaml | 24 ++++----- checks/docker/missing_zypper_clean.yaml | 28 +++++----- .../multiple_cmd_instructions_listed.yaml | 30 +++++------ ...ltiple_entrypoint_instructions_listed.yaml | 32 +++++------ .../multiple_healthcheck_instructions.yaml | 34 ++++++------ checks/docker/port22.yaml | 20 +++---- checks/docker/root_user.yaml | 18 +++---- checks/docker/run_apt_get_dist_upgrade.yaml | 24 ++++----- .../run_command_cd_instead_of_workdir.yaml | 24 ++++----- checks/docker/run_using_sudo.yaml | 20 +++---- checks/docker/run_using_wget_and_curl.yaml | 32 +++++------ .../docker/same_alias_in_different_froms.yaml | 40 +++++++------- checks/docker/unix_ports_out_of_range.yaml | 20 +++---- checks/docker/update_instruction_alone.yaml | 26 ++++----- checks/docker/workdir_path_not_absolute.yaml | 20 +++---- checks/docker/yum_clean_all_missing.yaml | 28 +++++----- .../protect_core_components_namespace.yaml | 50 ++++++++--------- ...protecting_pod_service_account_tokens.yaml | 24 ++++----- .../selector_usage_in_network_policies.yaml | 34 ++++++------ .../kubernetes/pss/baseline/1_host_ipc.yaml | 40 +++++++------- .../pss/baseline/1_host_network.yaml | 40 +++++++------- .../kubernetes/pss/baseline/1_host_pid.yaml | 40 +++++++------- .../kubernetes/pss/baseline/2_privileged.yaml | 36 ++++++------- .../3_specific_capabilities_added.yaml | 40 +++++++------- .../baseline/4_hostpath_volumes_mounted.yaml | 42 +++++++-------- .../pss/baseline/5_access_to_host_ports.yaml | 36 ++++++------- .../baseline/6_apparmor_policy_disabled.yaml | 40 +++++++------- .../7_selinux_custom_options_set.yaml | 44 
+++++++-------- .../8_non_default_proc_masks_set.yaml | 36 ++++++------- .../baseline/9_unsafe_sysctl_options_set.yaml | 54 +++++++++---------- .../restricted/1_non_core_volume_types.yaml | 48 ++++++++--------- .../2_can_elevate_its_own_privileges.yaml | 46 +++++++++------- .../pss/restricted/3_runs_as_root.yaml | 42 ++++++++------- ...ntime_default_seccomp_profile_not_set.yaml | 50 +++++++++-------- internal/examples/examples.go | 13 +++++ 41 files changed, 667 insertions(+), 636 deletions(-) diff --git a/checks/docker/add_instead_of_copy.yaml b/checks/docker/add_instead_of_copy.yaml index dfa9a21d..adab27b6 100644 --- a/checks/docker/add_instead_of_copy.yaml +++ b/checks/docker/add_instead_of_copy.yaml @@ -1,12 +1,12 @@ dockerfile: - good: - - |- - FROM alpine:3.13 - USER mike - ADD "/target/resources.tar.gz" "resources" - bad: - - |- - FROM alpine:3.13 - USER mike - ADD "/target/resources.tar.gz" "resources.jar" - ADD "/target/app.jar" "app.jar" + good: + - |- + FROM alpine:3.13 + USER mike + ADD "/target/resources.tar.gz" "resources" + bad: + - |- + FROM alpine:3.13 + USER mike + ADD "/target/resources.tar.gz" "resources.jar" + ADD "/target/app.jar" "app.jar" diff --git a/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.yaml b/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.yaml index e7b35ad6..f49d6a45 100644 --- a/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.yaml +++ b/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.yaml @@ -1,11 +1,11 @@ dockerfile: - good: - - |- - FROM node:12 - USER mike - RUN apt-get -fmy install apt-utils && apt-get clean - bad: - - |- - FROM node:12 - USER mike - RUN apt-get install apt-utils && apt-get clean + good: + - |- + FROM node:12 + USER mike + RUN apt-get -fmy install apt-utils && apt-get clean + bad: + - |- + FROM node:12 + USER mike + RUN apt-get install apt-utils && apt-get clean 
diff --git a/checks/docker/copy_from_references_current_from_alias.yaml b/checks/docker/copy_from_references_current_from_alias.yaml index 6ee8498d..78a25bc5 100644 --- a/checks/docker/copy_from_references_current_from_alias.yaml +++ b/checks/docker/copy_from_references_current_from_alias.yaml @@ -1,17 +1,17 @@ dockerfile: - good: - - |- - FROM golang:1.7.3 as dep - COPY /binary / + good: + - |- + FROM golang:1.7.3 as dep + COPY /binary / - FROM alpine:3.13 - USER mike - ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] - bad: - - |- - FROM golang:1.7.3 as dep - COPY --from=dep /binary / + FROM alpine:3.13 + USER mike + ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] + bad: + - |- + FROM golang:1.7.3 as dep + COPY --from=dep /binary / - FROM alpine:3.13 - USER mike - ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] + FROM alpine:3.13 + USER mike + ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] diff --git a/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.yaml b/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.yaml index 8a2377e5..9833de32 100644 --- a/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.yaml +++ b/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.yaml @@ -1,11 +1,11 @@ dockerfile: - good: - - |- - FROM alpine:3.13 - USER mike - COPY ["package.json", "yarn.lock", "myapp/"] - bad: - - |- - FROM alpine:3.13 - USER mike - COPY ["package.json", "yarn.lock", "myapp"] + good: + - |- + FROM alpine:3.13 + USER mike + COPY ["package.json", "yarn.lock", "myapp/"] + bad: + - |- + FROM alpine:3.13 + USER mike + COPY ["package.json", "yarn.lock", "myapp"] diff --git a/checks/docker/latest_tag.yaml b/checks/docker/latest_tag.yaml index a1b787ea..af254a3c 100644 --- a/checks/docker/latest_tag.yaml +++ b/checks/docker/latest_tag.yaml 
@@ -1,11 +1,11 @@ dockerfile: - good: - - |- - FROM debian:9 - RUN apt-get update && apt-get -y install vim && apt-get clean - USER foo - bad: - - |- - FROM debian:latest - RUN apt-get update && apt-get -y install vim && apt-get clean - USER foo + good: + - |- + FROM debian:9 + RUN apt-get update && apt-get -y install vim && apt-get clean + USER foo + bad: + - |- + FROM debian:latest + RUN apt-get update && apt-get -y install vim && apt-get clean + USER foo diff --git a/checks/docker/maintainer_is_deprecated.yaml b/checks/docker/maintainer_is_deprecated.yaml index 025ce6f2..4b1dcc35 100644 --- a/checks/docker/maintainer_is_deprecated.yaml +++ b/checks/docker/maintainer_is_deprecated.yaml @@ -1,10 +1,10 @@ dockerfile: - good: - - |- - FROM busybox:1.33.1 - USER mike - bad: - - |- - FROM busybox:1.33.1 - USER mike - MAINTAINER Lukas Martinelli + good: + - |- + FROM busybox:1.33.1 + USER mike + bad: + - |- + FROM busybox:1.33.1 + USER mike + MAINTAINER Lukas Martinelli diff --git a/checks/docker/missing_dnf_clean_all.yaml b/checks/docker/missing_dnf_clean_all.yaml index 88dc9964..a62fd7b2 100644 --- a/checks/docker/missing_dnf_clean_all.yaml +++ b/checks/docker/missing_dnf_clean_all.yaml 
@@ -1,13 +1,13 @@ dockerfile: - good: - - | - FROM fedora:27 - USER mike - RUN set -uex && dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && sed -i 's/\\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && dnf install -vy docker-ce && dnf clean all - HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1 - bad: - - |- - FROM fedora:27 - USER mike - RUN set -uex && dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && sed -i 's/\\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && dnf install -vy docker-ce - HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1 + good: + - |- + FROM fedora:27 + USER mike + RUN set -uex && dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && sed -i 's/\\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && dnf install -vy docker-ce && dnf clean all + HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1 + bad: + - |- + FROM fedora:27 + USER mike + RUN set -uex && dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && sed -i 's/\\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && dnf install -vy docker-ce + HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1 diff --git a/checks/docker/missing_zypper_clean.yaml b/checks/docker/missing_zypper_clean.yaml index d7e0146d..73d5f292 100644 --- a/checks/docker/missing_zypper_clean.yaml +++ b/checks/docker/missing_zypper_clean.yaml 
@@ -1,15 +1,15 @@ dockerfile: - good: - - |- - FROM alpine:3.5 - RUN zypper install bash && zypper clean - RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt - USER mike - CMD python /usr/src/app/app.py - bad: - - |- - FROM alpine:3.5 - RUN zypper install bash - RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt - USER mike - CMD python /usr/src/app/app.py + good: + - |- + FROM alpine:3.5 + RUN zypper install bash && zypper clean + RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt + USER mike + CMD python /usr/src/app/app.py + bad: + - |- + FROM alpine:3.5 + RUN zypper install bash + RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt + USER mike + CMD python /usr/src/app/app.py diff --git a/checks/docker/multiple_cmd_instructions_listed.yaml b/checks/docker/multiple_cmd_instructions_listed.yaml index b7eb20cc..2447b40e 100644 --- a/checks/docker/multiple_cmd_instructions_listed.yaml +++ b/checks/docker/multiple_cmd_instructions_listed.yaml @@ -1,16 +1,16 @@ dockerfile: - good: - - |- - FROM golang:1.7.3 - USER mike - CMD ./apps - FROM alpine:3.13 - CMD ./app - bad: - - |- - FROM golang:1.7.3 - USER mike - CMD ./app - CMD ./apps - FROM alpine:3.13 - CMD ./app + good: + - |- + FROM golang:1.7.3 + USER mike + CMD ./apps + FROM alpine:3.13 + CMD ./app + bad: + - |- + FROM golang:1.7.3 + USER mike + CMD ./app + CMD ./apps + FROM alpine:3.13 + CMD ./app diff --git a/checks/docker/multiple_entrypoint_instructions_listed.yaml b/checks/docker/multiple_entrypoint_instructions_listed.yaml index eac101c5..e8f5e665 100644 --- a/checks/docker/multiple_entrypoint_instructions_listed.yaml +++ b/checks/docker/multiple_entrypoint_instructions_listed.yaml 
@@ -1,19 +1,19 @@ dockerfile: - good: - - |- - FROM golang:1.7.3 as dep - COPY /binary / + good: + - |- + FROM golang:1.7.3 as dep + COPY /binary / - FROM alpine:3.13 - USER mike - ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] - bad: - - |- - FROM golang:1.7.3 as dep - COPY dep /binary / - ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] - ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] + FROM alpine:3.13 + USER mike + ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] + bad: + - |- + FROM golang:1.7.3 as dep + COPY dep /binary / + ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] + ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] - FROM alpine:3.13 - USER mike - ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] + FROM alpine:3.13 + USER mike + ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] diff --git a/checks/docker/multiple_healthcheck_instructions.yaml b/checks/docker/multiple_healthcheck_instructions.yaml index fdf31cab..978f6ff6 100644 --- a/checks/docker/multiple_healthcheck_instructions.yaml +++ b/checks/docker/multiple_healthcheck_instructions.yaml @@ -1,20 +1,20 @@ dockerfile: - good: - - |- - FROM busybox:1.33.1 - HEALTHCHECK CMD /bin/healthcheck + good: + - |- + FROM busybox:1.33.1 + HEALTHCHECK CMD /bin/healthcheck - FROM alpine:3.13 - HEALTHCHECK CMD /bin/healthcheck - USER mike - CMD ./app - bad: - - |- - FROM busybox:1.33.1 - HEALTHCHECK CMD curl http://localhost:8080 - HEALTHCHECK CMD /bin/healthcheck + FROM alpine:3.13 + HEALTHCHECK CMD /bin/healthcheck + USER mike + CMD ./app + bad: + - |- + FROM busybox:1.33.1 + HEALTHCHECK CMD curl http://localhost:8080 + HEALTHCHECK CMD /bin/healthcheck - FROM alpine:3.13 - HEALTHCHECK CMD /bin/healthcheck - USER mike - CMD ./app + FROM alpine:3.13 + HEALTHCHECK CMD /bin/healthcheck + USER mike + CMD ./app diff --git a/checks/docker/port22.yaml b/checks/docker/port22.yaml index a87b41de..14fdd880 100644 --- a/checks/docker/port22.yaml +++ b/checks/docker/port22.yaml 
@@ -1,11 +1,11 @@ dockerfile: - good: - - |- - FROM alpine:3.13 - USER mike - EXPOSE 8080 - bad: - - |- - FROM alpine:3.13 - USER mike - EXPOSE 22 + good: + - |- + FROM alpine:3.13 + USER mike + EXPOSE 8080 + bad: + - |- + FROM alpine:3.13 + USER mike + EXPOSE 22 diff --git a/checks/docker/root_user.yaml b/checks/docker/root_user.yaml index 941d35b0..92fa0ff2 100644 --- a/checks/docker/root_user.yaml +++ b/checks/docker/root_user.yaml @@ -1,10 +1,10 @@ dockerfile: - good: - - |- - FROM debian:9 - RUN apt-get update && apt-get -y install vim && apt-get clean - USER foo - bad: - - |- - FROM debian:9 - RUN apt-get update && apt-get -y install vim && apt-get clean + good: + - |- + FROM debian:9 + RUN apt-get update && apt-get -y install vim && apt-get clean + USER foo + bad: + - |- + FROM debian:9 + RUN apt-get update && apt-get -y install vim && apt-get clean diff --git a/checks/docker/run_apt_get_dist_upgrade.yaml b/checks/docker/run_apt_get_dist_upgrade.yaml index ad3bbfec..58b85c59 100644 --- a/checks/docker/run_apt_get_dist_upgrade.yaml +++ b/checks/docker/run_apt_get_dist_upgrade.yaml @@ -1,13 +1,13 @@ dockerfile: - good: - - |- - FROM debian:9.13 - RUN apt-get update && apt-get install -y curl && apt-get clean - USER mike - CMD python /usr/src/app/app.py - bad: - - |- - FROM debian:9.13 - RUN apt-get update && apt-get dist-upgrade && apt-get -y install curl && apt-get clean - USER mike - CMD python /usr/src/app/app.py + good: + - |- + FROM debian:9.13 + RUN apt-get update && apt-get install -y curl && apt-get clean + USER mike + CMD python /usr/src/app/app.py + bad: + - |- + FROM debian:9.13 + RUN apt-get update && apt-get dist-upgrade && apt-get -y install curl && apt-get clean + USER mike + CMD python /usr/src/app/app.py diff --git a/checks/docker/run_command_cd_instead_of_workdir.yaml b/checks/docker/run_command_cd_instead_of_workdir.yaml index 0397fb71..b96df1bc 100644 --- a/checks/docker/run_command_cd_instead_of_workdir.yaml 
+++ b/checks/docker/run_command_cd_instead_of_workdir.yaml @@ -1,13 +1,13 @@ dockerfile: - good: - - |- - FROM nginx:2.2 - WORKDIR /usr/share/nginx/html - USER mike - CMD cd /usr/share/nginx/html && sed -e s/Docker/\"$AUTHOR\"/ Hello_docker.html > index.html ; nginx -g 'daemon off;' - bad: - - |- - FROM nginx:2.2 - RUN cd /usr/share/nginx/html - USER mike - CMD cd /usr/share/nginx/html && sed -e s/Docker/\"$AUTHOR\"/ Hello_docker.html > index.html ; nginx -g 'daemon off;' + good: + - |- + FROM nginx:2.2 + WORKDIR /usr/share/nginx/html + USER mike + CMD cd /usr/share/nginx/html && sed -e s/Docker/\"$AUTHOR\"/ Hello_docker.html > index.html ; nginx -g 'daemon off;' + bad: + - |- + FROM nginx:2.2 + RUN cd /usr/share/nginx/html + USER mike + CMD cd /usr/share/nginx/html && sed -e s/Docker/\"$AUTHOR\"/ Hello_docker.html > index.html ; nginx -g 'daemon off;' diff --git a/checks/docker/run_using_sudo.yaml b/checks/docker/run_using_sudo.yaml index 10647c1d..01c45339 100644 --- a/checks/docker/run_using_sudo.yaml +++ b/checks/docker/run_using_sudo.yaml @@ -1,11 +1,11 @@ dockerfile: - good: - - |- - FROM alpine:3.13 - RUN pip install --upgrade pip - USER mike - bad: - - |- - FROM alpine:3.13 - RUN sudo pip install --upgrade pip - USER mike + good: + - |- + FROM alpine:3.13 + RUN pip install --upgrade pip + USER mike + bad: + - |- + FROM alpine:3.13 + RUN sudo pip install --upgrade pip + USER mike diff --git a/checks/docker/run_using_wget_and_curl.yaml b/checks/docker/run_using_wget_and_curl.yaml index a784b76d..50d317d2 100644 --- a/checks/docker/run_using_wget_and_curl.yaml +++ b/checks/docker/run_using_wget_and_curl.yaml 
@@ -1,19 +1,19 @@ dockerfile: - good: - - |- - FROM debian:stable-20210621 - RUN curl http://bing.com - RUN curl http://google.com + good: + - |- + FROM debian:stable-20210621 + RUN curl http://bing.com + RUN curl http://google.com - FROM baseimage:1.0 - USER mike - RUN curl http://bing.com - bad: - - |- - FROM debian:stable-20210621 - RUN wget http://bing.com - RUN curl http://google.com + FROM baseimage:1.0 + USER mike + RUN curl http://bing.com + bad: + - |- + FROM debian:stable-20210621 + RUN wget http://bing.com + RUN curl http://google.com - FROM baseimage:1.0 - USER mike - RUN curl http://bing.com + FROM baseimage:1.0 + USER mike + RUN curl http://bing.com diff --git a/checks/docker/same_alias_in_different_froms.yaml b/checks/docker/same_alias_in_different_froms.yaml index c25048f4..2449c00f 100644 --- a/checks/docker/same_alias_in_different_froms.yaml +++ b/checks/docker/same_alias_in_different_froms.yaml @@ -1,25 +1,25 @@ dockerfile: - good: - - |- - FROM baseImage:1.1 - RUN test + good: + - |- + FROM baseImage:1.1 + RUN test - FROM debian:jesse2 as build2 - USER mike - RUN stuff + FROM debian:jesse2 as build2 + USER mike + RUN stuff - FROM debian:jesse1 as build1 - USER mike - RUN more_stuff - bad: - - |- - FROM baseImage:1.1 - RUN test + FROM debian:jesse1 as build1 + USER mike + RUN more_stuff + bad: + - |- + FROM baseImage:1.1 + RUN test - FROM debian:jesse2 as build - USER mike - RUN stuff + FROM debian:jesse2 as build + USER mike + RUN stuff - FROM debian:jesse1 as build - USER mike - RUN more_stuff + FROM debian:jesse1 as build + USER mike + RUN more_stuff diff --git a/checks/docker/unix_ports_out_of_range.yaml b/checks/docker/unix_ports_out_of_range.yaml index 92b6d43f..d6a20e25 100644 --- a/checks/docker/unix_ports_out_of_range.yaml +++ b/checks/docker/unix_ports_out_of_range.yaml 
@@ -1,11 +1,11 @@ dockerfile: - good: - - |- - FROM alpine:3.13 - USER mike - EXPOSE 65530 8080 - bad: - - |- - FROM alpine:3.13 - USER mike - EXPOSE 65536 8080 + good: + - |- + FROM alpine:3.13 + USER mike + EXPOSE 65530 8080 + bad: + - |- + FROM alpine:3.13 + USER mike + EXPOSE 65536 8080 diff --git a/checks/docker/update_instruction_alone.yaml b/checks/docker/update_instruction_alone.yaml index db6348ce..60bed496 100644 --- a/checks/docker/update_instruction_alone.yaml +++ b/checks/docker/update_instruction_alone.yaml @@ -1,14 +1,14 @@ dockerfile: - good: - - |- - FROM ubuntu:18.04 - RUN apt-get update && apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/* && apt-get clean - USER mike - ENTRYPOINT mysql - bad: - - |- - FROM ubuntu:18.04 - RUN apt-get update - RUN apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/* && apt-get clean - USER mike - ENTRYPOINT mysql + good: + - |- + FROM ubuntu:18.04 + RUN apt-get update && apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/* && apt-get clean + USER mike + ENTRYPOINT mysql + bad: + - |- + FROM ubuntu:18.04 + RUN apt-get update + RUN apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/* && apt-get clean + USER mike + ENTRYPOINT mysql diff --git a/checks/docker/workdir_path_not_absolute.yaml b/checks/docker/workdir_path_not_absolute.yaml index d9570f6b..29f663fe 100644 --- a/checks/docker/workdir_path_not_absolute.yaml +++ b/checks/docker/workdir_path_not_absolute.yaml @@ -1,11 +1,11 @@ dockerfile: - good: - - |- - FROM alpine:3.13 - USER mike - WORKDIR /path/to/workdir - bad: - - |- - FROM alpine:3.13 - USER mike - WORKDIR path/to/workdir + good: + - |- + FROM alpine:3.13 + USER mike + WORKDIR /path/to/workdir + bad: + - |- + FROM alpine:3.13 + USER mike + WORKDIR path/to/workdir 
diff --git a/checks/docker/yum_clean_all_missing.yaml b/checks/docker/yum_clean_all_missing.yaml index 116a9bef..462fae7f 100644 --- a/checks/docker/yum_clean_all_missing.yaml +++ b/checks/docker/yum_clean_all_missing.yaml @@ -1,15 +1,15 @@ dockerfile: - good: - - |- - FROM alpine:3.5 - RUN yum install && yum clean all - RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt - USER mike - CMD python /usr/src/app/app.py - bad: - - |- - FROM alpine:3.5 - RUN yum install vim - RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt - USER mike - CMD python /usr/src/app/app.py + good: + - |- + FROM alpine:3.5 + RUN yum install && yum clean all + RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt + USER mike + CMD python /usr/src/app/app.py + bad: + - |- + FROM alpine:3.5 + RUN yum install vim + RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt + USER mike + CMD python /usr/src/app/app.py diff --git a/checks/kubernetes/advanced/protect_core_components_namespace.yaml b/checks/kubernetes/advanced/protect_core_components_namespace.yaml index 1dc722da..69db1e90 100644 --- a/checks/kubernetes/advanced/protect_core_components_namespace.yaml +++ b/checks/kubernetes/advanced/protect_core_components_namespace.yaml 
@@ -1,28 +1,28 @@ kubernetes: - good: - - | - apiVersion: v1 - kind: Pod - metadata: - name: mypod - namespace: test - labels: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + labels: name: mypod - spec: - automountServiceAccountToken: true - containers: - - name: mypod - image: nginx - bad: - - | - apiVersion: v1 - kind: Pod - metadata: - name: mypod - namespace: kube-system - labels: + name: mypod + namespace: test + spec: + automountServiceAccountToken: true + containers: + - image: nginx + name: mypod + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + labels: name: mypod - spec: - containers: - - name: mypod - image: nginx + name: mypod + namespace: kube-system + spec: + containers: + - image: nginx + name: mypod diff --git a/checks/kubernetes/advanced/protecting_pod_service_account_tokens.yaml b/checks/kubernetes/advanced/protecting_pod_service_account_tokens.yaml index 070aa2e8..c8bd592b 100644 --- a/checks/kubernetes/advanced/protecting_pod_service_account_tokens.yaml +++ b/checks/kubernetes/advanced/protecting_pod_service_account_tokens.yaml @@ -1,14 +1,14 @@ kubernetes: - good: - - | - apiVersion: v1 - kind: Pod - metadata: - name: mypod - namespace: test - labels: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + labels: name: mypod - spec: - containers: - - name: mypod - image: nginx + name: mypod + namespace: test + spec: + containers: + - image: nginx + name: mypod diff --git a/checks/kubernetes/advanced/selector_usage_in_network_policies.yaml b/checks/kubernetes/advanced/selector_usage_in_network_policies.yaml index 0ac7442f..c5bebdd2 100644 --- a/checks/kubernetes/advanced/selector_usage_in_network_policies.yaml +++ b/checks/kubernetes/advanced/selector_usage_in_network_policies.yaml 
@@ -1,19 +1,19 @@ kubernetes: - good: - - |- - apiVersion: v1 - kind: NetworkPolicy - metadata: - name: hello-cpu-limit - spec: - podSelector: + good: + - |- + apiVersion: v1 + kind: NetworkPolicy + metadata: + name: hello-cpu-limit + spec: + podSelector: matchLabels: - role: db - bad: - - |- - apiVersion: v1 - kind: NetworkPolicy - metadata: - name: hello-cpu-limit - spec: - something: true + role: db + bad: + - |- + apiVersion: v1 + kind: NetworkPolicy + metadata: + name: hello-cpu-limit + spec: + something: true diff --git a/checks/kubernetes/pss/baseline/1_host_ipc.yaml b/checks/kubernetes/pss/baseline/1_host_ipc.yaml index c4da835a..efc137dd 100644 --- a/checks/kubernetes/pss/baseline/1_host_ipc.yaml +++ b/checks/kubernetes/pss/baseline/1_host_ipc.yaml @@ -1,31 +1,31 @@ kubernetes: - good: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-ipc - spec: - hostIPC: false - containers: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-ipc + spec: + containers: - command: - sh - - "-c" + - -c - echo 'Hello' && sleep 1h image: busybox name: hello - bad: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-ipc - spec: - hostIPC: true - containers: + hostIPC: false + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-ipc + spec: + containers: - command: - sh - - "-c" + - -c - echo 'Hello' && sleep 1h image: busybox name: hello + hostIPC: true diff --git a/checks/kubernetes/pss/baseline/1_host_network.yaml b/checks/kubernetes/pss/baseline/1_host_network.yaml index 344e9ff5..2d66331e 100644 --- a/checks/kubernetes/pss/baseline/1_host_network.yaml +++ b/checks/kubernetes/pss/baseline/1_host_network.yaml 
@@ -1,31 +1,31 @@ kubernetes: - good: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-host-network - spec: - hostNetwork: false - containers: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-network + spec: + containers: - command: - sh - - "-c" + - -c - echo 'Hello' && sleep 1h image: busybox name: hello - bad: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-host-network - spec: - hostNetwork: true - containers: + hostNetwork: false + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-network + spec: + containers: - command: - sh - - "-c" + - -c - echo 'Hello' && sleep 1h image: busybox name: hello + hostNetwork: true diff --git a/checks/kubernetes/pss/baseline/1_host_pid.yaml b/checks/kubernetes/pss/baseline/1_host_pid.yaml index 8a4c28c0..438ae676 100644 --- a/checks/kubernetes/pss/baseline/1_host_pid.yaml +++ b/checks/kubernetes/pss/baseline/1_host_pid.yaml @@ -1,31 +1,31 @@ kubernetes: - good: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-host-network - spec: - hostPID: false - containers: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-network + spec: + containers: - command: - sh - - "-c" + - -c - echo 'Hello' && sleep 1h image: busybox name: hello - bad: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-host-network - spec: - hostPID: true - containers: + hostPID: false + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-network + spec: + containers: - command: - sh - - "-c" + - -c - echo 'Hello' && sleep 1h image: busybox name: hello + hostPID: true diff --git a/checks/kubernetes/pss/baseline/2_privileged.yaml b/checks/kubernetes/pss/baseline/2_privileged.yaml index a98620b4..0f900936 100644 --- a/checks/kubernetes/pss/baseline/2_privileged.yaml +++ b/checks/kubernetes/pss/baseline/2_privileged.yaml 
@@ -1,29 +1,29 @@ kubernetes: - good: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-privileged - spec: - containers: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-privileged + spec: + containers: - command: - sh - - "-c" + - -c - echo 'Hello' && sleep 1h image: busybox name: hello - bad: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-privileged - spec: - containers: + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-privileged + spec: + containers: - command: - sh - - "-c" + - -c - echo 'Hello' && sleep 1h image: busybox name: hello diff --git a/checks/kubernetes/pss/baseline/3_specific_capabilities_added.yaml b/checks/kubernetes/pss/baseline/3_specific_capabilities_added.yaml index 040a69ef..0659959c 100644 --- a/checks/kubernetes/pss/baseline/3_specific_capabilities_added.yaml +++ b/checks/kubernetes/pss/baseline/3_specific_capabilities_added.yaml @@ -1,33 +1,33 @@ kubernetes: - good: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-add-capabilities - spec: - containers: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-add-capabilities + spec: + containers: - command: - sh - - "-c" + - -c - echo 'Hello' && sleep 1h image: busybox name: hello - bad: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-add-capabilities - spec: - containers: + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-add-capabilities + spec: + containers: - command: - sh - - "-c" + - -c - echo 'Hello' && sleep 1h image: busybox name: hello securityContext: capabilities: - add: - - NET_BIND_SERVICE + add: + - NET_BIND_SERVICE diff --git a/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.yaml b/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.yaml index 364bb685..52786426 100644 --- a/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.yaml +++ b/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.yaml 
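Review bot: On the new side the `bad` example in 2_privileged.yaml is identical to the `good` one — neither container carries a `securityContext` with `privileged` set, so the bad block does not show the condition the check flags and the generated docs will print two equal snippets. The same gap is visible in 5_access_to_host_ports.yaml (no `hostPort` in the bad example) and in 8_non_default_proc_masks_set.yaml, where neither example sets `procMount` and the `hostPort: 8080` under the good container belongs to a different check. This predates the reformat, but since this patch turns the files into the published examples it is the place to add the distinguishing field, e.g. `securityContext:` / `  privileged: true` under the bad container in 2_privileged.yaml; if these blocks also serve as test fixtures, the deny path is currently not exercised by them.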
@@ -1,33 +1,33 @@ kubernetes: - good: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-host-path - spec: - containers: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-path + spec: + containers: - command: - sh - - "-c" + - -c - echo 'Hello' && sleep 1h image: busybox name: hello - bad: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-host-path - spec: - containers: + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-path + spec: + containers: - command: - sh - - "-c" + - -c - echo 'Hello' && sleep 1h image: busybox name: hello - volumes: + volumes: - hostPath: - path: "/sys" - type: '' + path: /sys + type: "" diff --git a/checks/kubernetes/pss/baseline/5_access_to_host_ports.yaml b/checks/kubernetes/pss/baseline/5_access_to_host_ports.yaml index 2f58f7e0..c31bf1d3 100644 --- a/checks/kubernetes/pss/baseline/5_access_to_host_ports.yaml +++ b/checks/kubernetes/pss/baseline/5_access_to_host_ports.yaml @@ -1,29 +1,29 @@ kubernetes: - good: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-host-ports - spec: - containers: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-ports + spec: + containers: - command: - sh - - "-c" + - -c - echo 'Hello' && sleep 1h image: busybox name: hello - bad: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-host-ports - spec: - containers: + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-ports + spec: + containers: - command: - sh - - "-c" + - -c - echo 'Hello' && sleep 1h image: busybox name: hello diff --git a/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.yaml b/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.yaml index 7cfd6f47..4b08274d 100644 --- a/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.yaml +++ b/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.yaml 
@@ -1,33 +1,33 @@ kubernetes: - good: - - |- - apiVersion: v1 - kind: Pod - metadata: - annotations: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + annotations: container.apparmor.security.beta.kubernetes.io/hello: runtime/default - name: hello-apparmor - spec: - containers: + name: hello-apparmor + spec: + containers: - command: - sh - - "-c" + - -c - echo 'Hello AppArmor!' && sleep 1h image: busybox name: hello - bad: - - |- - apiVersion: v1 - kind: Pod - metadata: - annotations: + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + annotations: container.apparmor.security.beta.kubernetes.io/hello: custom - name: hello-apparmor - spec: - containers: + name: hello-apparmor + spec: + containers: - command: - sh - - "-c" + - -c - echo 'Hello AppArmor!' && sleep 1h image: busybox name: hello diff --git a/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.yaml b/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.yaml index 25da66d3..70d13a27 100644 --- a/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.yaml +++ b/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.yaml @@ -1,33 +1,33 @@ kubernetes: - good: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-selinux - spec: - securityContext: - containers: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-selinux + spec: + containers: - command: - sh - - "-c" + - -c - echo 'Hello' && sleep 1h image: busybox name: hello - bad: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-selinux - spec: - securityContext: - seLinuxOptions: - type: custom - containers: + securityContext: null + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-selinux + spec: + containers: - command: - sh - - "-c" + - -c - echo 'Hello' && sleep 1h image: busybox name: hello + securityContext: + seLinuxOptions: + type: custom 
diff --git a/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.yaml b/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.yaml index 07eb30e4..1f333db1 100644 --- a/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.yaml +++ b/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.yaml @@ -1,31 +1,31 @@ kubernetes: - good: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-proc-mount - spec: - containers: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-proc-mount + spec: + containers: - command: - sh - - "-c" + - -c - echo 'Hello' && sleep 1h image: busybox name: hello ports: - hostPort: 8080 - bad: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-proc-mount - spec: - containers: + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-proc-mount + spec: + containers: - command: - sh - - "-c" + - -c - echo 'Hello' && sleep 1h image: busybox name: hello diff --git a/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.yaml b/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.yaml index d71beeb7..36540060 100644 --- a/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.yaml +++ b/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.yaml 
@@ -1,39 +1,39 @@ kubernetes: - good: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-sysctls - spec: - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: '0' - containers: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-sysctls + spec: + containers: - command: - sh - - "-c" + - -c - echo 'Hello' && sleep 1h image: busybox name: hello - bad: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-sysctls - spec: - securityContext: + securityContext: sysctls: - - name: net.core.somaxconn - value: '1024' - - name: kernel.msgmax - value: '65536' - containers: + - name: kernel.shm_rmid_forced + value: "0" + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-sysctls + spec: + containers: - command: - sh - - "-c" + - -c - echo 'Hello' && sleep 1h image: busybox name: hello + securityContext: + sysctls: + - name: net.core.somaxconn + value: "1024" + - name: kernel.msgmax + value: "65536" diff --git a/checks/kubernetes/pss/restricted/1_non_core_volume_types.yaml b/checks/kubernetes/pss/restricted/1_non_core_volume_types.yaml index b90c7775..45f5a362 100644 --- a/checks/kubernetes/pss/restricted/1_non_core_volume_types.yaml +++ b/checks/kubernetes/pss/restricted/1_non_core_volume_types.yaml 
@@ -1,42 +1,42 @@ kubernetes: - good: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-volume-types - spec: - containers: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-volume-types + spec: + containers: - command: - sh - - "-c" + - -c - echo 'Hello' && sleep 1h image: busybox name: hello - volumes: + volumes: - name: volume-a - bad: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-volume-types - spec: - containers: + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-volume-types + spec: + containers: - command: - sh - - "-c" + - -c - echo 'Hello' && sleep 1h image: busybox name: hello - volumes: + volumes: - name: volume-a scaleIO: + fsType: xfs gateway: https://localhost:443/api - system: scaleio protectionDomain: sd0 + secretRef: + name: sio-secret storagePool: sp1 + system: scaleio volumeName: vol-a - secretRef: - name: sio-secret - fsType: xfs diff --git a/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.yaml b/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.yaml index 476456af..93204199 100644 --- a/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.yaml +++ b/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.yaml 
@@ -1,29 +1,35 @@ kubernetes: - good: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-cpu-limit - spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h image: busybox name: hello securityContext: allowPrivilegeEscalation: false - bad: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-cpu-limit - spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h image: busybox name: hello securityContext: capabilities: - drop: - - all + drop: + - all diff --git a/checks/kubernetes/pss/restricted/3_runs_as_root.yaml b/checks/kubernetes/pss/restricted/3_runs_as_root.yaml index 35ade03e..b0b0d6b1 100644 --- a/checks/kubernetes/pss/restricted/3_runs_as_root.yaml +++ b/checks/kubernetes/pss/restricted/3_runs_as_root.yaml @@ -1,25 +1,31 @@ kubernetes: - good: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-cpu-limit - spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h image: busybox name: hello securityContext: runAsNonRoot: true - bad: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-cpu-limit - spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h image: busybox name: hello 
diff --git a/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.yaml b/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.yaml index 5880fe0a..ba0c5c34 100644 --- a/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.yaml +++ b/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.yaml @@ -1,31 +1,37 @@ kubernetes: - good: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-cpu-limit - spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h image: busybox name: hello securityContext: seccompProfile: - type: RuntimeDefault - localhostProfile: profiles/audit.json - bad: - - |- - apiVersion: v1 - kind: Pod - metadata: - name: hello-cpu-limit - spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] + localhostProfile: profiles/audit.json + type: RuntimeDefault + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h image: busybox name: hello securityContext: seccompProfile: - type: LocalPort - localhostProfile: profiles/audit.json + localhostProfile: profiles/audit.json + type: LocalPort diff --git a/internal/examples/examples.go b/internal/examples/examples.go index 3ed9de29..a634b859 100644 --- a/internal/examples/examples.go +++ b/internal/examples/examples.go @@ -104,6 +104,7 @@ func (b blocks) format(fn func(blockString) blockString) { var formatters = map[string]func(blockString) blockString{ "terraform": formatHCL, "cloudformation": formatCFT, + "kubernetes": formatYAML, } func formatHCL(b blockString) blockString { 
@@ -118,3 +119,15 @@ func formatCFT(b blockString) blockString { return blockString(format.CftToYaml(tmpl)) } + +func formatYAML(b blockString) blockString { + var v any + if err := yaml.Unmarshal([]byte(b), &v); err != nil { + panic(err) + } + ret, err := yaml.Marshal(v) + if err != nil { + panic(err) + } + return blockString(ret) +} From 16d211030ae217228a44db88e9097ab7e14d2beb Mon Sep 17 00:00:00 2001 From: Nikita Pivkin Date: Mon, 9 Dec 2024 12:28:03 +0600 Subject: [PATCH 6/6] replace trivy Signed-off-by: Nikita Pivkin --- go.mod | 2 +- go.sum | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index c541004e..defb9dce 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.22.9 toolchain go1.23.0 -replace github.com/aquasecurity/trivy => /Users/nikita/projects/trivy +replace github.com/aquasecurity/trivy => github.com/nikpivkin/trivy v0.0.0-20241208122347-678e7af74ed6 require ( github.com/aquasecurity/trivy v0.57.1-0.20241202232542-54130dcc1d77 diff --git a/go.sum b/go.sum index 7b3e1a74..6f6b44b6 100644 --- a/go.sum +++ b/go.sum 
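Review bot: formatYAML decodes each example into `any` and re-marshals it, and the marshaler emits mapping keys in sorted order, so the author's layout is lost — the reformatted hunks earlier in this patch show `hostIPC: true`, `hostNetwork: true`, `hostPID: true` and the `seLinuxOptions` block pushed below `containers`, where a reader of the generated docs is least likely to look for the field the check is about. If the imported package is gopkg.in/yaml.v3, decoding into a node keeps source order while still normalizing indentation: `var v yaml.Node` and `ret, err := yaml.Marshal(&v)`; with a different yaml package this needs confirming. Panicking is acceptable for a generator, but the function has no doc comment and the panic does not say which example failed; a comment such as `// formatYAML normalizes a Kubernetes example by decoding and re-encoding it; key order follows the encoder, not the source.` would make the behavior explicit to the next maintainer.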
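Review bot: The `replace` now sources the trivy dependency from a personal fork (`github.com/nikpivkin/trivy v0.0.0-20241208122347-678e7af74ed6`) instead of the local path, which is the right fix for reproducible builds, but it leaves a core dependency coming from an individual account rather than the `aquasecurity` org; go.sum pins the content, yet provenance and review path differ from upstream. A comment on the directive makes the intent auditable and keeps it from surviving into a release, e.g. `// TODO(<upstream PR placeholder>): temporary fork of aquasecurity/trivy; remove once the change is merged upstream.`. The title `replace trivy` gives no reason for the fork, so either the description or that comment should name the upstream change it carries.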
@@ -1107,6 +1107,8 @@ github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdh
 github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
 github.com/nikpivkin/opa v0.0.0-20240829080621-16999fcb5464 h1:jhZ8nLVxOAslgzmPdKTyctfDJkMfRgksCypFriHzf4E=
 github.com/nikpivkin/opa v0.0.0-20240829080621-16999fcb5464/go.mod h1:cvSIxY0dexL39hOPqXSZKdBYFNx2Rv8Fu5n3MmTjqtE=
+github.com/nikpivkin/trivy v0.0.0-20241208122347-678e7af74ed6 h1:nEtgpPXEaOR8/TOBipl6Qd4ohR+kee93Q72oMGXmSt4=
+github.com/nikpivkin/trivy v0.0.0-20241208122347-678e7af74ed6/go.mod h1:YM25zfuLoB1FVYGrW5LpcY2VpU5/RGPKvxGB/OhvS8c=
 github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 h1:Up6+btDp321ZG5/zdSLo48H9Iaq0UQGthrhWC6pCxzE=
 github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481/go.mod h1:yKZQO8QE2bHlgozqWDiRVqTFlLQSj30K/6SAK8EeYFw=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=