Include sast check for dockerfiles #696
Merged
Changes from 8 commits
15 commits:
a59e40c Include sast check for dockerfiles (Tansito)
11402cf TEMPORAL COMMIT: just to run the gha (Tansito)
ebf61a7 Add shell bash to the job (Tansito)
15b0c3f Test run command (Tansito)
c10a3e2 Use GITHUB_WORKSPACE instead of pwd (Tansito)
2ef098b Improved run command readability (Tansito)
6aabdf2 Removed paths from matrix (Tansito)
1557de7 Revert "TEMPORAL COMMIT: just to run the gha" (Tansito)
26e3c8b TEMPORAL COMMIT adding a comment in a dockerfile (Tansito)
ff70eba Revert "TEMPORAL COMMIT adding a comment in a dockerfile" (Tansito)
3637475 Included additional path to the workflow (Tansito)
d7f31b8 Merge branch 'main' into docker-sast (Tansito)
60357d2 Fix warnings error (Tansito)
d783b29 Use warnings but import it (Tansito)
60a4921 Remove warnings import (Tansito)
@@ -0,0 +1,99 @@ | ||
package main | ||
|
||
# Do Not store secrets in ENV variables | ||
secrets_env = [ | ||
"passwd", | ||
"password", | ||
"pass", | ||
"secret", | ||
"key", | ||
"access", | ||
"api_key", | ||
"apikey", | ||
"token", | ||
"tkn" | ||
] | ||
|
||
deny[msg] { | ||
input[i].Cmd == "env" | ||
val := input[i].Value | ||
contains(lower(val[_]), secrets_env[_]) | ||
msg = sprintf("Line %d: Potential secret in ENV key found: %s", [i, val]) | ||
} | ||
|
||
# Only use trusted base images | ||
deny[msg] { | ||
input[i].Cmd == "from" | ||
val := split(input[i].Value[0], "/") | ||
count(val) > 2 | ||
msg = sprintf("Line %d: use a trusted base image", [i]) | ||
} | ||
|
||
# Do not use 'latest' tag for base imagedeny[msg] { | ||
deny[msg] { | ||
input[i].Cmd == "from" | ||
val := split(input[i].Value[0], ":") | ||
contains(lower(val[1]), "latest") | ||
msg = sprintf("Line %d: do not use 'latest' tag for base images", [i]) | ||
} | ||
|
||
# Avoid curl bashing | ||
deny[msg] { | ||
input[i].Cmd == "run" | ||
val := concat(" ", input[i].Value) | ||
matches := regex.find_n("(curl|wget)[^|^>]*[|>]", lower(val), -1) | ||
count(matches) > 0 | ||
msg = sprintf("Line %d: Avoid curl bashing", [i]) | ||
} | ||
|
||
# Do not upgrade your system packages | ||
upgrade_commands = [ | ||
"apk upgrade", | ||
"apt-get upgrade", | ||
"dist-upgrade", | ||
] | ||
|
||
deny[msg] { | ||
input[i].Cmd == "run" | ||
val := concat(" ", input[i].Value) | ||
contains(val, upgrade_commands[_]) | ||
msg = sprintf("Line: %d: Do not upgrade your system packages", [i]) | ||
} | ||
|
||
# Do not use ADD if possible | ||
deny[msg] { | ||
input[i].Cmd == "add" | ||
msg = sprintf("Line %d: Use COPY instead of ADD", [i]) | ||
} | ||
|
||
# Any user... | ||
any_user { | ||
input[i].Cmd == "user" | ||
} | ||
|
||
deny[msg] { | ||
not any_user | ||
msg = "Do not run as root, use USER instead" | ||
} | ||
|
||
# ... but do not root | ||
forbidden_users = [ | ||
"root", | ||
"toor", | ||
"0" | ||
] | ||
|
||
warn[msg] { | ||
input[i].Cmd == "user" | ||
val := input[i].Value | ||
contains(lower(val[_]), forbidden_users[_]) | ||
msg = sprintf("Line %d: Do not run as root: %s", [i, val]) | ||
} | ||
|
||
# Do not sudo | ||
deny[msg] { | ||
input[i].Cmd == "run" | ||
val := concat(" ", input[i].Value) | ||
contains(lower(val), "sudo") | ||
msg = sprintf("Line %d: Do not use 'sudo' command", [i]) | ||
} |
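Review bot: the `forbidden_users` check in the `warn[msg]` rule near the end of the hunk uses substring matching (`contains(lower(val[_]), forbidden_users[_])`) with `"0"` in the list, so any numeric UID that contains a zero, for example `USER 1000`, is reported as running as root, and `"root"` also matches names such as `rootless`; compare whole tokens instead, e.g. `lower(val[_]) == forbidden_users[_]`. The `secrets_env` rule has the same substring problem and additionally iterates over every token of the `ENV` instruction, values included, so a key such as `ACCESS_LOG` or a value containing `pass` triggers "Potential secret in ENV key found". In the `'latest'` rule, `split(input[i].Value[0], ":")` yields a one-element list for an untagged `FROM image`; `val[1]` is then undefined and the rule silently passes even though an untagged image resolves to `latest`, so `count(val) == 1` should be denied as well. Two smaller points: the comment line `# Do not use 'latest' tag for base imagedeny[msg] {` has the rule head fused into it (harmless because it is a comment, but it should be trimmed), and `USER root` only produces a `warn` while a missing `USER` is a `deny`; the two cases should carry the same severity.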
I'm a little curious. Are these checks recommended ones?
Yes, from the security team. I can share with you internally the link if you are interested, Aki.
Yes, please. I should have known them before writing any dockerfile :-)
Np, they seem relatively new. I didn't know them until we started some weeks ago with the deployment.