Merge pull request #884 from stacklok/docker-latest-tag
rule: Add new rule type that checks if folks are using the `latest` tag in their Dockerfiles
Showing 2 changed files with 54 additions and 1 deletion.
@@ -0,0 +1,51 @@ | ||
--- | ||
version: v1 | ||
type: rule-type | ||
name: dockerfile_no_latest_tag | ||
context: | ||
provider: github | ||
group: Root Group | ||
description: Verifies that the Dockerfile image references don't use the latest tag | ||
guidance: | | ||
Using the latest tag for Docker images is not recommended as it can lead to unexpected behavior. | ||
It is recommended to use a checksum instead, as that's immutable and will always point to the same image. | ||
def: | ||
# Defines the section of the pipeline the rule will appear in. | ||
# This will affect the template that is used to render multiple parts | ||
# of the rule. | ||
in_entity: repository | ||
# Defines the schema for writing a rule with this rule being checked | ||
# In this case there is no settings that need to be configured | ||
rule_schema: {} | ||
# Defines the configuration for ingesting data relevant for the rule | ||
ingest: | ||
type: git | ||
git: | ||
branch: master | ||
# Defines the configuration for evaluating data ingested against the given policy | ||
# This example uses the checks for that github actions are using pinned tags | ||
# for the uses directive, in the form of SHA-1 hash | ||
# For example, this wil fail: | ||
# uses: actions/checkout@v2 | ||
# This will pass: | ||
# uses: actions/checkout@f3d2b746c498f2d3d1f2d3d1f2d3d1f2d3d1f2d3 | ||
eval: | ||
type: rego | ||
rego: | ||
type: constraints | ||
def: | | ||
package mediator | ||
violations[{"msg": msg}] { | ||
# Read Dockerfile | ||
dockerfile := file.read("Dockerfile") | ||
# Find all lines that start with FROM | ||
from_lines := regex.find_n("^FROM \\S+.*^", dockerfile, -1) | ||
# Is there the `latest` tag? | ||
from_line := from_lines[_] | ||
endswith(from_line, ":latest") | ||
msg := sprintf("Dockerfile contains 'latest' tag in import: %s", [from_line]) | ||
} |
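Review bot: the pattern in `regex.find_n("^FROM \\S+.*^", dockerfile, -1)` ends with `^` where a line-end anchor belongs and carries no multiline flag; Rego's `regex.*` builtins use Go's RE2 syntax, in which a bare `^` matches only at the very start of the input, so `from_lines` is empty for any real Dockerfile and the rule can never produce a violation. Use `(?m)^FROM\\s+\\S+.*$` (Rego string form) so every FROM line is matched. Two gaps in the same clause are worth closing at the same time: `endswith(from_line, ":latest")` misses the multi-stage form `FROM golang:latest AS builder` because `.*` swallows the ` AS builder` suffix, and an untagged reference such as `FROM alpine`, which Docker resolves to `latest`, is not flagged at all; capturing the image reference in a group and inspecting its tag part directly covers both cases. The comment block above `eval:` ("This example uses the checks for that github actions are using pinned tags / for the uses directive, in the form of SHA-1 hash", with the `uses: actions/checkout@...` examples) was carried over from the GitHub Actions rule and describes a different check; replace it with a Dockerfile example such as `FROM ubuntu:latest` failing and a digest-pinned `FROM ubuntu@sha256:...` passing, and fix the "wil" typo while there. Finally, `branch: master` is hard-coded in the ingest config and `file.read("Dockerfile")` only inspects a Dockerfile at the repository root, so repositories with a different default branch or with Dockerfiles in subdirectories are silently skipped; that limitation should at least be stated in the `guidance` text.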