Qiskit · Tansito · Jun 22, 2023 · Jun 21, 2023 · Jun 21, 2023 · Jun 21, 2023
diff --git a/.github/scripts/dockerfile-security.rego b/.github/scripts/dockerfile-security.rego
@@ -0,0 +1,99 @@
+package main
+
+# Do Not store secrets in ENV variables
+secrets_env = [
+    "passwd",
+    "password",
+    "pass",
+    "secret",
+    "key",
+    "access",
+    "api_key",
+    "apikey",
+    "token",
+    "tkn"
+]
+
+deny[msg] {
+    input[i].Cmd == "env"
+    val := input[i].Value
+    contains(lower(val[_]), secrets_env[_])
+    msg = sprintf("Line %d: Potential secret in ENV key found: %s", [i, val])
+}
+
+# Only use trusted base images
+deny[msg] {
+    input[i].Cmd == "from"
+    val := split(input[i].Value[0], "/")
+    count(val) > 2
+    msg = sprintf("Line %d: use a trusted base image", [i])
+}
+
+# Do not use 'latest' tag for base imagedeny[msg] {
+deny[msg] {
+    input[i].Cmd == "from"
+    val := split(input[i].Value[0], ":")
+    contains(lower(val[1]), "latest")
+    msg = sprintf("Line %d: do not use 'latest' tag for base images", [i])
+}
+
+# Avoid curl bashing
+deny[msg] {
+    input[i].Cmd == "run"
+    val := concat(" ", input[i].Value)
+    matches := regex.find_n("(curl|wget)[^|^>]*[|>]", lower(val), -1)
+    count(matches) > 0
+    msg = sprintf("Line %d: Avoid curl bashing", [i])
+}
+
+# Do not upgrade your system packages
+upgrade_commands = [
+    "apk upgrade",
+    "apt-get upgrade",
+    "dist-upgrade",
+]
+
+deny[msg] {
+    input[i].Cmd == "run"
+    val := concat(" ", input[i].Value)
+    contains(val, upgrade_commands[_])
+    msg = sprintf("Line: %d: Do not upgrade your system packages", [i])
+}
+
+# Do not use ADD if possible
+deny[msg] {
+    input[i].Cmd == "add"
+    msg = sprintf("Line %d: Use COPY instead of ADD", [i])
+}
+
+# Any user...
+any_user {
+    input[i].Cmd == "user"
+}
+
+deny[msg] {
+    not any_user
+    msg = "Do not run as root, use USER instead"
+}
+
+# ... but do not root
+forbidden_users = [
+    "root",
+    "toor",
+    "0"
+]
+
+warn[msg] {
+    input[i].Cmd == "user"
+    val := input[i].Value
+    contains(lower(val[_]), forbidden_users[_])
+    msg = sprintf("Line %d: Do not run as root: %s", [i, val])
+}
+
+# Do not sudo
+deny[msg] {
+    input[i].Cmd == "run"
+    val := concat(" ", input[i].Value)
+    contains(lower(val), "sudo")
+    msg = sprintf("Line %d: Do not use 'sudo' command", [i])
+}
diff --git a/.github/workflows/docker-verify.yaml b/.github/workflows/docker-verify.yaml
@@ -7,10 +7,7 @@ on:
 
 env:
   HADOLINT_DOCKER_IMAGE: hadolint/hadolint:v2.12.0
-
-defaults:
-  run:
-    working-directory: ./infrastructure/docker
+  OPENPOLICYAGENT_DOCKER_IMAGE: openpolicyagent/conftest:v0.43.1
 
 jobs:
   lint:
@@ -24,7 +21,32 @@ jobs:
             Dockerfile-repository-server,
           ]
     runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./infrastructure/docker
     steps:
       - uses: actions/checkout@v3
       - name: Run hadolint in ${{ matrix.dockerfile }}
         run: docker run --name hadolint --rm --interactive ${{ env.HADOLINT_DOCKER_IMAGE }} < ${{ matrix.dockerfile }}
+  sast:
+    strategy:
+      matrix:
+        dockerfile:
+          [
+            Dockerfile-gateway,
+            Dockerfile-notebook,
+            Dockerfile-ray-qiskit,
+            Dockerfile-repository-server,
+          ]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Run conftest in ${{ matrix.dockerfile }}
+        shell: bash
+        run: |
+          docker run \
+          --name conftest \
+          --rm --volume $GITHUB_WORKSPACE:/project ${{ env.OPENPOLICYAGENT_DOCKER_IMAGE }} \
+          test --strict --parser dockerfile \
+          --policy .github/scripts/dockerfile-security.rego \
+          ./infrastructure/docker/${{ matrix.dockerfile }}