Merge pull request #142 from anusha94/update-dockerfile-chart

Update dockerfile chart

charts/best-practices-dockerfile/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: best-practices-dockerfile
 description: Best practices Dockerfile policy set
 type: application
-version: 0.1.1
-appVersion: 0.1.1
+version: 0.1.2
+appVersion: 0.1.2
 keywords:
   - kubernetes
   - nirmata

charts/best-practices-dockerfile/pols/check-allow-untrusted-flag.yaml

@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Check for untrusted flag in Dockerfile
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-untrust-flag/"
     policies.kyverno.io/description: >-
       This policy ensures that Dockerfile do not contain the '--allow-untrusted' flag.
 spec:

charts/best-practices-dockerfile/pols/check-apt-command-force-yes.yaml

@@ -0,0 +1,33 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: check-apt-command-force-yes
+  annotations:
+    policies.kyverno.io/title: Check for overidding of safety checks in apt-get command 
+    policies.kyverno.io/category: Dockerfile Best Practices
+    policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-apt-command-force-yes/"
+    policies.kyverno.io/description: >-
+        The --force-yes option in apt-get is used to override some safety checks
+        and prompts, allowing the installation or upgrade of packages even if
+        they require additional user confirmation or if they conflict with other
+        packages. This can potentially lead to system instability or unexpected
+        behavior, as it bypasses certain safeguards put in place to ensure the stability
+        and consistency of the system.
+spec:
+  rules:
+    - name: check-apt-command-force-yes
+      match:
+        all:
+        - ($analyzer.resource.type): dockerfile
+        - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true
+      assert:
+        all:
+        - message: refrain from using the '--force-yes' option with `apt-get` as it bypasses important package validation checks and can potentially compromise the stability and security of your system.
+          check:
+            ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+                ((starts_with(@, 'apt-get ') || contains(@, ' apt-get '))  && contains(@, ' --force-yes')): false
+        - message: refrain from using the '--force-yes' option with `apt` as it bypasses important package validation checks and can potentially compromise the stability and security of your system.
+          check:
+            ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+                ((starts_with(@, 'apt ') || contains(@, ' apt '))  && contains(@, ' --force-yes')): false        

charts/best-practices-dockerfile/pols/check-certificate-validation-curl.yaml

@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Check for certificate validation using curl in the Dockerfile
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-certificate-validation-curl/"
     policies.kyverno.io/description: >-
       This policy checks whether certificate validation is disabled in the Dockerfile using --insecure option when running the curl command
 spec:

charts/best-practices-dockerfile/pols/check-certificate-validation-git-env-var.yaml

@@ -0,0 +1,25 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: check-certificate-validation-git-env-var
+  annotations:
+    policies.kyverno.io/title: Check for certificate validation in the Dockerfile using Node.js environment variable
+    policies.kyverno.io/category: Dockerfile Best Practices
+    policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-certificate-validation-git-env-var/"
+    policies.kyverno.io/description: >-
+      To control SSL certificate validation in Git operations within a Docker container,
+      you can use the GIT_SSL_NO_VERIFY environment variable. Setting this variable to true
+      or 1 tells Git to bypass SSL certificate validation.
+spec:
+  rules:
+    - name: check-certificate-validation-git-env-var
+      match:
+        all:
+        - ($analyzer.resource.type): dockerfile
+        - (Stages[].Commands[?Name=='ENV'] | length(@) > `0`): true
+      assert:
+        any:
+        - message: Ensure certificate validation is enabled by using `GIT_SSL_NO_VERIFY` env with value set to '0' or 'false'
+          check:
+            (Stages[].Commands[].Env[?Key=='GIT_SSL_NO_VERIFY' && (Value=='1' || Value=='true')][] | length(@) > `0`): false

charts/best-practices-dockerfile/pols/check-certificate-validation-nodejs-env-var.yaml

@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Check for certificate validation in the Dockerfile using Node.js environment variable
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-certificate-validation-nodejs-env-var/"
     policies.kyverno.io/description: >-
       NODE_TLS_REJECT_UNAUTHORIZED is an environment variable used in Node.js
       to control TLS certificate verification behavior. This policy checks whether

charts/best-practices-dockerfile/pols/check-certificate-validation-pip3.yaml

@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Check for certificate validation using pip3 in the Dockerfile
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-certificate-validation-pip3/"
     policies.kyverno.io/description: >-
       This policy checks whether certificate validation is disabled in the Dockerfile using --trusted-host option when running the pip3 command
 spec:

charts/best-practices-dockerfile/pols/check-certificate-validation-python-env-var.yaml

@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Check for certificate validation in the Dockerfile using Python environment variable
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-certificate-validation-python-env-var/"
     policies.kyverno.io/description: >-
       The PYTHONHTTPSVERIFY environment variable is used in Python to control
       certificate verification when making HTTPS requests. This policy checks
@@ -23,4 +24,3 @@ spec:
         - message: Ensure certificate validation is enabled by using `PYTHONHTTPSVERIFY` env with value set to `1`
           check:
             (Stages[].Commands[].Env[?Key=='PYTHONHTTPSVERIFY' && Value=='1'][] | length(@) > `0`): true     
-

charts/best-practices-dockerfile/pols/check-certificate-validation-wget.yaml

@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Check for certificate validation using wget in the Dockerfile
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-certificate-validation-wget/"
     policies.kyverno.io/description: >-
       This policy checks whether certificate validation is disabled in the Dockerfile using --no-check-certificate option when running the wget command
 spec:

charts/best-practices-dockerfile/pols/check-label-maintainer.yaml

@@ -0,0 +1,27 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: check-label-maintainer
+  annotations:
+    policies.kyverno.io/title: Validating LABEL maintainer instruction in Dockerfile
+    policies.kyverno.io/category: Dockerfile Best Practices
+    policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-label-maintainer/"
+    policies.kyverno.io/description: >-
+      MAINTAINER instruction is deprecated for the Dockerfile. Instead, you can use the 
+      LABEL instruction to provide the maintainer name in the Dockerfile. This policy checks
+      if LABEL instruction has been specified with maintainer name.
+spec:
+  rules:
+  - assert:
+      all:
+      - check:
+          (Stages[].Commands[?Name=='MAINTAINER'][] | length(@) > `0`): false
+        message: MAINTAINER instruction is deprecated, use LABELS instruction to mention maintainer name
+      - check:
+          (Stages[].Commands[].Labels[?Key=='maintainer' || Key=='owner' || Key=='author'][] | length(@) > `0`): true
+        message: Use the LABELS instruction to set the MAINTAINER name
+    name: dockerfile-allow-label-maintainer-instruction
+    match:
+        all:
+        - ($analyzer.resource.type): dockerfile

charts/best-practices-dockerfile/pols/check-last-user.yaml

@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Check last USER
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-last-user/"
     policies.kyverno.io/description: >-
       This policy validates that the last USER is not root.
 spec:

charts/best-practices-dockerfile/pols/check-missing-signature-options.yaml

@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: check for missing signature options via rpm
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-missing-signature-options/"
     policies.kyverno.io/description: >-
         This policy ensures that packages with untrusted or missing signatures
         are not used by rpm via the ‘–nodigest’, ‘–nosignature’, ‘–noverify’, or

charts/best-practices-dockerfile/pols/check-nogpgcheck.yaml

@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Check for GPG signature when using yum/dnf/tdnf in the Dockerfile
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-nogpgcheck/"
     policies.kyverno.io/description: >-
         GPG signature checking is a security feature that verifies
         the authenticity and integrity of packages before they are

charts/best-practices-dockerfile/pols/check-npm-config-strict-ssl.yaml

@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Check for certificate validation in the Dockerfile for npm using `NPM_CONFIG_STRICT_SSL` environemt variable
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-npm-config-strict-ssl/"
     policies.kyverno.io/description: >-
       The NPM_CONFIG_STRICT_SSL environment variable is used to control strict SSL
       certificate validation behavior in npm. This policy ensures that certificate

charts/best-practices-dockerfile/pols/check-unauthentication-install.yaml

@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Check for unauthenticated flag in Dockerfile
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-unauthentication/"
     policies.kyverno.io/description: >-
       This policy ensures that Dockerfile do not contain the '--allow-unauthenticated' flag.
 spec:

charts/best-practices-dockerfile/pols/detect-multiple-instructions.yaml

@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Detect Multiple Instructions in Single Line
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/detect-multiple-instructions/"
     policies.kyverno.io/description: >-
       This policy ensures that Dockerfile Container Image Should Be Built with Minimal Cached Layers
 spec:

charts/best-practices-dockerfile/pols/disallow-sudo-operations.yaml

@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Check for sudo operation existence
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/disallow-sudo-operations/"
     policies.kyverno.io/description: >-
       Using sudo within a Dockerfile is not recommended to avoid privilege escalation.
 spec:

charts/best-practices-dockerfile/pols/prefer-copy-over-add.yaml

@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Prefer COPY over ADD in Dockerfile
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/prefer-copy-over-add/"
     policies.kyverno.io/description: >-
       This policy ensures that COPY instructions are used instead of ADD instructions in Dockerfiles.
 spec:

charts/best-practices-dockerfile/pols/validate-base-image-tag.yaml

@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Validate base image tag
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/validate-base-image-tag/"
     policies.kyverno.io/description: >-
       This policy checks whether the base image tag is defined with a specific version or digest in the Dockerfile.
 spec:

charts/best-practices-dockerfile/pols/validate-expose-port-22.yaml

@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Validating Exposed Port 22 in Dockerfile
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/validate-expose-port-22/"
     policies.kyverno.io/description: >-
       This policy checks whether Dockerfiles exposes port 22.
 spec:

charts/best-practices-dockerfile/pols/validate-healthcheck-instruction.yaml

@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Validate Healthcheck Instruction
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/validate-healthcheck-instruction/"
     policies.kyverno.io/description: >-
       This policy checks if the HEALTHCHECK instruction is defined in the Dockerfile.
 spec:

charts/best-practices-dockerfile/pols/validate-user-instruction.yaml

@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Validate USER instruction in Dockerfile
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/validate-user-instruction/"
     policies.kyverno.io/description: >-
       This policy checks if the Dockerfile contains a USER instruction. If the USER instruction is not present, the policy fails.
 spec:

dockerfile-best-practices/check-certificate-validation-python-env-var/check-certificate-validation-python-env-var.yaml

@@ -24,4 +24,3 @@ spec:
         - message: Ensure certificate validation is enabled by using `PYTHONHTTPSVERIFY` env with value set to `1`
           check:
             (Stages[].Commands[].Env[?Key=='PYTHONHTTPSVERIFY' && Value=='1'][] | length(@) > `0`): true     
-