Merge pull request #884 from stacklok/docker-latest-tag
rule: Add new rule type that checks if folks are using the `latest` tag in their Dockerfiles
JAORMX authored Sep 7, 2023
2 parents 306ea60 + 2142618 commit 13212d8
Showing 2 changed files with 54 additions and 1 deletion.
4 changes: 3 additions & 1 deletion examples/github/policies/policy.yaml
@@ -45,6 +45,8 @@ repository:
def: {}
- type: dependabot_enabled
def: {}
- type: dockerfile_no_latest_tag
def: {}
artifact:
- context: github
rules:
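Review bot: The new `dockerfile_no_latest_tag` entry has `def: {}`, which matches the rule type's empty `rule_schema`, but it also means a policy cannot override where the rule reads the Dockerfile from; the rule type hardcodes `branch: master` in its `ingest` section, so repositories whose default branch is `main` (GitHub's default for new repositories) would have the rule evaluated against a branch that does not exist. Consider exposing the branch in `rule_schema` so it can be set here, or defaulting to the repository's default branch.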
@@ -55,4 +57,4 @@ artifact:
def:
is_signed: true
is_verified: true
is_bundle_verified: true
is_bundle_verified: true
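Review bot: The `-55,4 +57,4` hunk touches only the final `is_bundle_verified: true` line, which reads as a trailing-newline fix unrelated to the new rule; fine to keep, but worth a mention in the commit message so reviewers do not look for a semantic change there.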
51 changes: 51 additions & 0 deletions examples/github/rule-types/dockerfile_no_latest_tag.yaml
@@ -0,0 +1,51 @@
---
version: v1
type: rule-type
name: dockerfile_no_latest_tag
context:
provider: github
group: Root Group
description: Verifies that the Dockerfile image references don't use the latest tag
guidance: |
Using the latest tag for Docker images is not recommended as it can lead to unexpected behavior.
It is recommended to use a checksum instead, as that's immutable and will always point to the same image.
def:
# Defines the section of the pipeline the rule will appear in.
# This will affect the template that is used to render multiple parts
# of the rule.
in_entity: repository
# Defines the schema for writing a rule with this rule being checked
# In this case there is no settings that need to be configured
rule_schema: {}
# Defines the configuration for ingesting data relevant for the rule
ingest:
type: git
git:
branch: master
# Defines the configuration for evaluating data ingested against the given policy
# This example uses the checks for that github actions are using pinned tags
# for the uses directive, in the form of SHA-1 hash
# For example, this wil fail:
# uses: actions/checkout@v2
# This will pass:
# uses: actions/checkout@f3d2b746c498f2d3d1f2d3d1f2d3d1f2d3d1f2d3
eval:
type: rego
rego:
type: constraints
def: |
package mediator
violations[{"msg": msg}] {
# Read Dockerfile
dockerfile := file.read("Dockerfile")
# Find all lines that start with FROM
from_lines := regex.find_n("^FROM \\S+.*^", dockerfile, -1)
# Is there the `latest` tag?
from_line := from_lines[_]
endswith(from_line, ":latest")
msg := sprintf("Dockerfile contains 'latest' tag in import: %s", [from_line])
}
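Review bot: The pattern on the `from_lines := regex.find_n("^FROM \\S+.*^", dockerfile, -1)` line cannot match anything as written, so the rule would never report a violation and would pass silently on every repository. The trailing `^` looks like a typo for `$`, and because OPA's `regex.find_n` uses RE2 syntax, `^` and `$` only match at the start and end of the whole input unless the pattern begins with the `(?m)` multiline flag; once `FROM ` has consumed characters a second `^` can never match. Suggest `regex.find_n("(?m)^FROM \\S+.*$", dockerfile, -1)` and a test Dockerfile in the rule's examples that exercises both the passing and failing case. The `endswith(from_line, ":latest")` check then still misses several common shapes: multi-stage lines such as `FROM alpine:latest AS builder`, lines with trailing whitespace or a trailing comment, and untagged references like `FROM alpine`, which Docker resolves to `latest` as well; extracting the image reference token (after any `--platform=` flag) and checking whether it has no tag or the tag `latest` would cover these. `^FROM ` also only matches the uppercase keyword followed by exactly one space, while Dockerfile instructions are case-insensitive and may be separated by tabs. The rule reads only `Dockerfile` at the repository root, and the hunk does not show what `file.read` does when that file is absent; that behaviour (skip versus error) should be stated in the guidance. Finally, the comment block above `eval:` (`This example uses the checks for that github actions are using pinned tags`, `uses: actions/checkout@v2`, `uses: actions/checkout@f3d2b746c498f2d3d1f2d3d1f2d3d1f2d3d1f2d3`) was carried over from the GitHub Actions rule and describes a different check; replace it with a `FROM` example so the file documents what it actually evaluates.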
