diff --git a/.github/workflows/pr-tests.yaml b/.github/workflows/pr-tests.yaml index 8ae3f74b1..9ad180434 100644 --- a/.github/workflows/pr-tests.yaml +++ b/.github/workflows/pr-tests.yaml @@ -27,7 +27,7 @@ jobs: with: use-verbose-mode: 'yes' - # main job of testing and building the env. + # main job of testing and building the env. test_pr_checks: # needs: [markdown-link-check] permissions: @@ -42,10 +42,10 @@ jobs: # needs: [test_pr_checks] # uses: kubescape/workflows/.github/workflows/coverage-check.yaml@main # if: | -# ${{ (always() && -# (contains(needs.*.result, 'success')) && -# !(contains(needs.*.result, 'skipped')) && -# !(contains(needs.*.result, 'failure')) && +# ${{ (always() && +# (contains(needs.*.result, 'success')) && +# !(contains(needs.*.result, 'skipped')) && +# !(contains(needs.*.result, 'failure')) && # !(contains(needs.*.result, 'cancelled'))) }} # with: # COVERAGELIMIT: "58" @@ -70,7 +70,7 @@ jobs: name: checkout repo content with: token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} - + # Test using Golang OPA hot rule compilation - name: Set up Go uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 @@ -84,12 +84,20 @@ jobs: apt update && apt install -y cmake GOPATH=$(go env GOPATH) make + - name: Set up Regal + uses: StyraInc/setup-regal@v0.1.0 + with: + version: v0.10.1 + + - name: Lint Rego + run: regal lint --format github rules + - name: setup python uses: actions/setup-python@v4 with: python-version: 3.10.6 - # validate control-ID duplications + # validate control-ID duplications - run: python ./scripts/validations.py # generating subsections ids @@ -117,7 +125,7 @@ jobs: path: ${{ env.REGO_ARTIFACT_PATH }}/ if-no-files-found: error - # test kubescape with regolibrary artifacts + # test kubescape with regolibrary artifacts ks-and-rego-test: uses: kubescape/workflows/.github/workflows/kubescape-cli-e2e-tests.yaml@main if: | 
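Review bot: The new `Set up Regal` step in the `@@ -84,12 +84,20 @@` hunk references `StyraInc/setup-regal@v0.1.0` by mutable tag, while the `Set up Go` step a few lines above pins `actions/setup-go` to a full commit SHA. A tag can be re-pointed at different code after review, so a third-party action that runs with the job's checkout token should be pinned the same way: `uses: StyraInc/setup-regal@<full-commit-sha-placeholder> # v0.1.0`, keeping the version as a trailing comment so update tooling can still track it. Note that `version: v0.10.1` pins the Regal binary the action downloads, not the action code itself, so both need pinning for the lint step to be reproducible.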
@@ -145,7 +153,7 @@ jobs: ]' DOWNLOAD_ARTIFACT_PATH: ${{ needs.build-and-rego-test.outputs.REGO_ARTIFACT_PATH }} secrets: inherit - + clean-up: name: Remove pre-release folder and clean up runs-on: ubuntu-latest diff --git a/rules/.regal/config.yaml b/rules/.regal/config.yaml index 6d657855c..51a89fd35 100644 --- a/rules/.regal/config.yaml +++ b/rules/.regal/config.yaml @@ -4,6 +4,13 @@ rules: # This should be enabled, but the version of OPA used here is # too old to recognize the object.keys built-in function level: ignore + no-defined-entrypoint: + level: ignore + use-some-for-output-vars: + level: ignore + imports: + prefer-package-imports: + level: ignore style: avoid-get-and-list-prefix: level: ignore @@ -15,6 +22,11 @@ rules: level: ignore prefer-snake-case: level: ignore + prefer-some-in-iteration: + level: ignore + rule-length: + level: error + max-rule-length: 50 todo-comment: level: ignore use-assignment-operator: diff --git a/rules/CVE-2021-25742/raw.rego b/rules/CVE-2021-25742/raw.rego index 70f3e2371..c53035014 100644 --- a/rules/CVE-2021-25742/raw.rego +++ b/rules/CVE-2021-25742/raw.rego @@ -8,11 +8,11 @@ deny[msga] { is_tag_image(image) # Extracting version from image tag - tag_version_match := regex.find_all_string_submatch_n("[0-9]+\\.[0-9]+\\.[0-9]+", image, -1)[0][0] + tag_version_match := regex.find_all_string_submatch_n(`[0-9]+\.[0-9]+\.[0-9]+`, image, -1)[0][0] image_version_str_arr := split(tag_version_match,".") image_version_arr := [to_number(image_version_str_arr[0]),to_number(image_version_str_arr[1]),to_number(image_version_str_arr[2])] - # Check if vulnerable + # Check if vulnerable is_vulnerable(image_version_arr, deployment.metadata.namespace) path := sprintf("spec.template.spec.containers[%v].image", [format_int(i, 10)]) @@ -25,7 +25,7 @@ deny[msga] { } } - + is_nginx_image(image) { contains(image, "nginx-controller") } 
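Review bot: The newly ignored rules in rules/.regal/config.yaml (`no-defined-entrypoint`, `use-some-for-output-vars`, `prefer-package-imports` in the first hunk, `prefer-some-in-iteration` in the second) carry no justification, whereas the existing ignore directly above them explains why it is disabled (the OPA version is too old for `object.keys`). Each new `level: ignore` should get a one-line reason in that same style, e.g. `# existing rules predate the some/in keywords; revisit once they are migrated`, so a later maintainer knows whether the suppression can be lifted. `rule-length` is the only rule raised to `error`; a comment noting that `max-rule-length: 50` is enforced by the `regal lint` CI step and that the per-rule `regal ignore:rule-length` markers are meant to be temporary would make the intent explicit.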
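Review bot: In rules/CVE-2021-25742/raw.rego, `tag_version_match := regex.find_all_string_submatch_n(...)[0][0]` indexes the first match unconditionally, so for an nginx-controller image whose tag carries no `x.y.z` triple (for example `latest`, or a two-component tag) the expression is undefined and the whole `deny` rule silently yields no finding rather than reporting the tag as unverifiable; `is_tag_image(image)` runs first, but from this hunk I cannot tell whether it rejects such tags. Consider a companion rule that flags nginx-controller images whose version cannot be parsed, or at minimum document the gap on this line: `# undefined (no finding) when the tag has no x.y.z version; unparseable tags are not reported`. The enclosing `deny[msga]` rule starts before and continues past the hunk.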
@@ -57,7 +57,7 @@ is_vulnerable(image_version, namespace) { image_version[2] == 0 is_allow_snippet_annotation_on(namespace) } - + is_vulnerable(image_version, namespace) { image_version[0] == 1 image_version[1] == 0 diff --git a/rules/CVE-2022-0185/raw.rego b/rules/CVE-2022-0185/raw.rego index d2ceb85d1..912ed4a0b 100644 --- a/rules/CVE-2022-0185/raw.rego +++ b/rules/CVE-2022-0185/raw.rego @@ -3,15 +3,15 @@ package armo_builtins deny[msga] { node := input[_] node.kind == "Node" - kernel_version_match := regex.find_all_string_submatch_n("[0-9]+\\.[0-9]+\\.[0-9]+", node.status.nodeInfo.kernelVersion, -1) + kernel_version_match := regex.find_all_string_submatch_n(`[0-9]+\.[0-9]+\.[0-9]+`, node.status.nodeInfo.kernelVersion, -1) kernelVersion := kernel_version_match[0][0] - + kernel_version_arr := split(kernelVersion, ".") to_number(kernel_version_arr[0]) == 5 to_number(kernel_version_arr[1]) >= 1 to_number(kernel_version_arr[1]) <= 16 - to_number(kernel_version_arr[2]) < 2 - + to_number(kernel_version_arr[2]) < 2 + node.status.nodeInfo.operatingSystem == "linux" path := "status.nodeInfo.kernelVersion" diff --git a/rules/K8s common labels usage/raw.rego b/rules/K8s common labels usage/raw.rego index f5d103bd7..5531a1742 100644 --- a/rules/K8s common labels usage/raw.rego +++ b/rules/K8s common labels usage/raw.rego @@ -42,7 +42,7 @@ deny[msga] { } } -#handles cronjob +# handles cronjob deny[msga] { wl := input[_] wl.kind == "CronJob" diff --git a/rules/alert-any-hostpath/raw.rego b/rules/alert-any-hostpath/raw.rego index 49047a291..1815c20b5 100644 --- a/rules/alert-any-hostpath/raw.rego +++ b/rules/alert-any-hostpath/raw.rego @@ -24,7 +24,7 @@ deny[msga] { } } -#handles majority of workload resources +# handles majority of workload resources deny[msga] { wl := input[_] spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} 
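Review bot: In rules/CVE-2022-0185/raw.rego the patch-level test `to_number(kernel_version_arr[2]) < 2` is applied uniformly to every minor from 5.1 through 5.16, but as far as I recall the fix landed in 5.16.2 and was backported to the 5.15, 5.10 and 5.4 stable series at much higher patch levels, so a 5.10.x kernel with patch >= 2 passes this check while still being affected — please confirm the intended ranges against the advisory before relying on it. Version-string matching also cannot see distribution backports, so a comment above the comparisons such as `# version-range heuristic only: distro kernels may carry the fix without a version bump` would set expectations for consumers of the finding. As in the CVE-2021-25742 rule, `kernel_version_match[0][0]` is undefined when `kernelVersion` contains no `x.y.z` triple, so such nodes produce no finding at all. The enclosing `deny[msga]` rule continues past the hunk.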
@@ -48,7 +48,7 @@ deny[msga] { } } -#handles CronJobs +# handles CronJobs deny[msga] { wl := input[_] wl.kind == "CronJob" diff --git a/rules/alert-rw-hostpath/raw.rego b/rules/alert-rw-hostpath/raw.rego index eeea414e8..fb5fdc2c2 100644 --- a/rules/alert-rw-hostpath/raw.rego +++ b/rules/alert-rw-hostpath/raw.rego @@ -31,7 +31,7 @@ deny[msga] { } } -#handles majority of workload resources +# handles majority of workload resources deny[msga] { wl := input[_] spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} @@ -57,11 +57,11 @@ deny[msga] { "alertObject": { "k8sApiObjects": [wl] } - + } } -#handles CronJobs +# handles CronJobs deny[msga] { wl := input[_] wl.kind == "CronJob" @@ -73,7 +73,7 @@ deny[msga] { volume_mount := container.volumeMounts[k] volume_mount.name == volume.name beggining_of_path := "spec.jobTemplate.spec.template.spec." - result := is_rw_mount(volume_mount, beggining_of_path, i, k) + result := is_rw_mount(volume_mount, beggining_of_path, i, k) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) @@ -112,4 +112,4 @@ is_rw_mount(mount, beggining_of_path, i, k) = [failed_path, fix_path] { mount.readOnly == false failed_path = sprintf("%vcontainers[%v].volumeMounts[%v].readOnly", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) fix_path = "" -} \ No newline at end of file +} \ No newline at end of file diff --git a/rules/anonymous-requests-to-kubelet-updated/raw.rego b/rules/anonymous-requests-to-kubelet-updated/raw.rego index 95cc2e464..462306ce7 100644 --- a/rules/anonymous-requests-to-kubelet-updated/raw.rego +++ b/rules/anonymous-requests-to-kubelet-updated/raw.rego @@ -1,6 +1,6 @@ package armo_builtins -#CIS 4.2.1 https://workbench.cisecurity.org/sections/1126668/recommendations/1838638 +# CIS 4.2.1 https://workbench.cisecurity.org/sections/1126668/recommendations/1838638 deny[msga] { obj := input[_] 
diff --git a/rules/audit-policy-content/raw.rego b/rules/audit-policy-content/raw.rego index 5a73f7045..c67473734 100644 --- a/rules/audit-policy-content/raw.rego +++ b/rules/audit-policy-content/raw.rego @@ -57,11 +57,11 @@ deny[msga] { } # Sample rules object -#rules: -# - level: RequestResponse -# resources: -# - group: "" -# resources: ["pods"] +# rules: +# - level: RequestResponse +# resources: +# - group: "" +# resources: ["pods"] are_audit_file_rules_valid(rules) if { seeked_resources_with_audit_level := { "secrets": { diff --git a/rules/cluster-admin-role/raw.rego b/rules/cluster-admin-role/raw.rego index 341528abc..1c2fb66b4 100644 --- a/rules/cluster-admin-role/raw.rego +++ b/rules/cluster-admin-role/raw.rego @@ -3,6 +3,7 @@ package armo_builtins import future.keywords.in # returns subjects with cluster admin role +# regal ignore:rule-length deny[msga] { subjectVector := input[_] diff --git a/rules/enforce-kubelet-client-tls-authentication-updated/raw.rego b/rules/enforce-kubelet-client-tls-authentication-updated/raw.rego index 1a02aa859..5df9eea58 100644 --- a/rules/enforce-kubelet-client-tls-authentication-updated/raw.rego +++ b/rules/enforce-kubelet-client-tls-authentication-updated/raw.rego @@ -1,6 +1,6 @@ package armo_builtins -#CIS 4.2.3 https://workbench.cisecurity.org/sections/1126668/recommendations/1838643 +# CIS 4.2.3 https://workbench.cisecurity.org/sections/1126668/recommendations/1838643 deny[msga] { obj := input[_] diff --git a/rules/ensure_nodeinstancerole_has_right_permissions_for_ecr/raw.rego b/rules/ensure_nodeinstancerole_has_right_permissions_for_ecr/raw.rego index 19c9374af..9d9fed432 100644 --- a/rules/ensure_nodeinstancerole_has_right_permissions_for_ecr/raw.rego +++ b/rules/ensure_nodeinstancerole_has_right_permissions_for_ecr/raw.rego 
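Review bot: The `# regal ignore:rule-length` added above `deny[msga]` in rules/cluster-admin-role/raw.rego states neither why the rule exceeds the new 50-line limit nor whether it is meant to be split later; the same bare marker is added in rules/exposed-critical-pods/filter.rego, rules/exposed-critical-pods/raw.rego, rules/exposed-rce-pods/filter.rego and rules/exposed-rce-pods/raw.rego. A short reason on the line above each suppression, e.g. `# TODO: split subject/role matching into helper rules, then drop the ignore below`, records the debt where it lives instead of leaving a permanent-looking opt-out. The suppressed rule bodies lie outside these hunks, so I cannot judge how hard the split would be.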
@@ -31,7 +31,7 @@ deny[msga] { policies.kind == "PolicyVersion" policies.metadata.provider == "eks" - #node_instance_role_policies := ["arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"] + # node_instance_role_policies := ["arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"] some policy in node_instance_role_policies some stat, _ in policies.data.policiesDocuments[policy].Statement not isPolicyCompliant(policies, policy, stat) diff --git a/rules/etcd-unique-ca/raw.rego b/rules/etcd-unique-ca/raw.rego index 4c7f152e4..ac9e69796 100644 --- a/rules/etcd-unique-ca/raw.rego +++ b/rules/etcd-unique-ca/raw.rego @@ -2,7 +2,7 @@ package armo_builtins import future.keywords.in -#CIS 2.7 https://workbench.cisecurity.org/sections/1126654/recommendations/1838578 +# CIS 2.7 https://workbench.cisecurity.org/sections/1126654/recommendations/1838578 deny[msga] { etcdPod := [pod | pod := input[_]; filter_input(pod, "etcd")] @@ -39,7 +39,7 @@ filter_input(obj, res) { } get_argument_value(command, argument) = value { - args := regex.split("=", command) + args := split(command, "=") some i, sprintf("%v", [argument]) in args value := args[i + 1] } diff --git a/rules/exposed-critical-pods/filter.rego b/rules/exposed-critical-pods/filter.rego index 2f0b23966..58217d11f 100644 --- a/rules/exposed-critical-pods/filter.rego +++ b/rules/exposed-critical-pods/filter.rego @@ -1,5 +1,6 @@ package armo_builtins +# regal ignore:rule-length deny[msga] { services := [ x | x = input[_]; x.kind == "Service" ] pods := [ x | x = input[_]; x.kind == "Pod" ] @@ -9,8 +10,8 @@ deny[msga] { service := services[_] vuln := vulns[_] - # vuln data is relevant - count(vuln.data) > 0 + # vuln data is relevant + count(vuln.data) > 0 # service is external-facing filter_external_access(service) @@ -33,7 +34,7 @@ deny[msga] { "namespace": pod.metadata.namespace } - external_objects = { + external_objects = { "apiVersion": "result.vulnscan.com/v1", "kind": pod.kind, "metadata": metadata, 
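Review bot: `args := split(command, "=")` in rules/etcd-unique-ca/raw.rego is equivalent to the `regex.split` it replaces, but `get_argument_value` only yields the right value if `command` is a single `--flag=value` token: if it is the whole etcd command line, splitting on `=` makes `args[i + 1]` the text between this flag's `=` and the next flag's `=`, so the comparison in the calling rule would silently miss. The caller is outside the hunk, so this is an inference; either way the precondition deserves a comment on the function: `# command must be one "--argument=value" token; splitting a full command line on "=" bleeds into the next flag`. If the caller does pass the full line, splitting on whitespace first and then on `=` per token fixes it.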
diff --git a/rules/exposed-critical-pods/raw.rego b/rules/exposed-critical-pods/raw.rego index aaba28cfa..722a6823e 100644 --- a/rules/exposed-critical-pods/raw.rego +++ b/rules/exposed-critical-pods/raw.rego @@ -1,5 +1,6 @@ package armo_builtins +# regal ignore:rule-length deny[msga] { services := [ x | x = input[_]; x.kind == "Service" ] pods := [ x | x = input[_]; x.kind == "Pod" ] @@ -9,8 +10,8 @@ deny[msga] { service := services[_] vuln := vulns[_] - # vuln data is relevant - count(vuln.data) > 0 + # vuln data is relevant + count(vuln.data) > 0 # service is external-facing filter_external_access(service) @@ -22,7 +23,7 @@ deny[msga] { container := pod.spec.containers[i] # image has vulnerabilities - + container.image == vuln.metadata.name # At least one critical vulnerabilities @@ -37,7 +38,7 @@ deny[msga] { "namespace": pod.metadata.namespace } - external_objects = { + external_objects = { "apiVersion": "result.vulnscan.com/v1", "kind": pod.kind, "metadata": metadata, diff --git a/rules/exposed-rce-pods/filter.rego b/rules/exposed-rce-pods/filter.rego index 251261236..9dec46253 100644 --- a/rules/exposed-rce-pods/filter.rego +++ b/rules/exposed-rce-pods/filter.rego @@ -1,5 +1,6 @@ package armo_builtins - + +# regal ignore:rule-length deny[msga] { services := [ x | x = input[_]; x.kind == "Service" ; x.apiVersion == "v1"] pods := [ x | x = input[_]; x.kind == "Pod" ; x.apiVersion == "v1"] @@ -9,8 +10,8 @@ deny[msga] { service := services[_] vuln := vulns[_] - # vuln data is relevant - count(vuln.data) > 0 + # vuln data is relevant + count(vuln.data) > 0 # service is external-facing filter_external_access(service) @@ -33,7 +34,7 @@ deny[msga] { "namespace": pod.metadata.namespace } - external_objects = { + external_objects = { "apiVersion": "result.vulnscan.com/v1", "kind": pod.kind, "metadata": metadata, diff --git a/rules/exposed-rce-pods/raw.rego b/rules/exposed-rce-pods/raw.rego index 701175ced..8b4d48c68 100644 --- a/rules/exposed-rce-pods/raw.rego 
+++ b/rules/exposed-rce-pods/raw.rego @@ -1,5 +1,6 @@ package armo_builtins +# regal ignore:rule-length deny[msga] { services := [ x | x = input[_]; x.kind == "Service" ] pods := [ x | x = input[_]; x.kind == "Pod" ] @@ -9,8 +10,8 @@ deny[msga] { service := services[_] vuln := vulns[_] - # vuln data is relevant - count(vuln.data) > 0 + # vuln data is relevant + count(vuln.data) > 0 # service is external-facing filter_external_access(service) @@ -36,7 +37,7 @@ deny[msga] { "namespace": pod.metadata.namespace } - external_objects = { + external_objects = { "apiVersion": "result.vulnscan.com/v1", "kind": pod.kind, "metadata": metadata, diff --git a/rules/kubelet-authorization-mode-alwaysAllow/raw.rego b/rules/kubelet-authorization-mode-alwaysAllow/raw.rego index 71a4c7b10..8a75ea6fb 100644 --- a/rules/kubelet-authorization-mode-alwaysAllow/raw.rego +++ b/rules/kubelet-authorization-mode-alwaysAllow/raw.rego @@ -2,7 +2,7 @@ package armo_builtins import future.keywords.in -#CIS 4.2.2 https://workbench.cisecurity.org/sections/1126668/recommendations/1838640 +# CIS 4.2.2 https://workbench.cisecurity.org/sections/1126668/recommendations/1838640 # has cli deny[msga] { @@ -64,7 +64,7 @@ deny[msga] { not contains(command, "--authorization-mode") not contains(command, "--config") - + external_obj := json.filter(obj, ["apiVersion", "data/cmdLine", "kind", "metadata"]) msga := { "alertMessage": "Anonymous requests are enabled", diff --git a/rules/kubelet-event-qps/raw.rego b/rules/kubelet-event-qps/raw.rego index 07a01115e..c700cb104 100644 --- a/rules/kubelet-event-qps/raw.rego +++ b/rules/kubelet-event-qps/raw.rego @@ -2,7 +2,7 @@ package armo_builtins import future.keywords.in -#CIS 4.2.9 https://workbench.cisecurity.org/sections/1126668/recommendations/1838656 +# CIS 4.2.9 https://workbench.cisecurity.org/sections/1126668/recommendations/1838656 # if --event-qps is present rule should pass deny[msga] { 
diff --git a/rules/kubelet-hostname-override/raw.rego b/rules/kubelet-hostname-override/raw.rego index a2ce22800..362f5dab5 100644 --- a/rules/kubelet-hostname-override/raw.rego +++ b/rules/kubelet-hostname-override/raw.rego @@ -2,7 +2,7 @@ package armo_builtins import future.keywords.in -#CIS 4.2.8 https://workbench.cisecurity.org/sections/1126668/recommendations/1838654 +# CIS 4.2.8 https://workbench.cisecurity.org/sections/1126668/recommendations/1838654 deny[msga] { kubelet_info := input[_] diff --git a/rules/kubelet-ip-tables/raw.rego b/rules/kubelet-ip-tables/raw.rego index 333adcd20..440f3491d 100644 --- a/rules/kubelet-ip-tables/raw.rego +++ b/rules/kubelet-ip-tables/raw.rego @@ -2,7 +2,7 @@ package armo_builtins import future.keywords.in -#CIS 4.2.7 https://workbench.cisecurity.org/sections/1126668/recommendations/1838651 +# CIS 4.2.7 https://workbench.cisecurity.org/sections/1126668/recommendations/1838651 deny[msga] { obj := input[_] diff --git a/rules/kubelet-protect-kernel-defaults/raw.rego b/rules/kubelet-protect-kernel-defaults/raw.rego index 84adb99c3..3c420c862 100644 --- a/rules/kubelet-protect-kernel-defaults/raw.rego +++ b/rules/kubelet-protect-kernel-defaults/raw.rego @@ -2,7 +2,7 @@ package armo_builtins import future.keywords.in -#CIS 4.2.6 https://workbench.cisecurity.org/sections/1126668/recommendations/1838648 +# CIS 4.2.6 https://workbench.cisecurity.org/sections/1126668/recommendations/1838648 deny[msga] { obj := input[_] diff --git a/rules/kubelet-rotate-certificates/raw.rego b/rules/kubelet-rotate-certificates/raw.rego index 553389513..4e8cff4e5 100644 --- a/rules/kubelet-rotate-certificates/raw.rego +++ b/rules/kubelet-rotate-certificates/raw.rego @@ -2,7 +2,7 @@ package armo_builtins import future.keywords.in -#CIS 4.2.11 https://workbench.cisecurity.org/sections/1126668/recommendations/1838658 +# CIS 4.2.11 https://workbench.cisecurity.org/sections/1126668/recommendations/1838658 deny[msga] { obj := input[_] 
diff --git a/rules/kubelet-rotate-kubelet-server-certificate/raw.rego b/rules/kubelet-rotate-kubelet-server-certificate/raw.rego index a9733d760..aa0fcc101 100644 --- a/rules/kubelet-rotate-kubelet-server-certificate/raw.rego +++ b/rules/kubelet-rotate-kubelet-server-certificate/raw.rego @@ -38,7 +38,7 @@ should_skip_check(kubelet_info) { is_RotateKubeletServerCertificate_enabled_via_cli(command) { contains(command, "--feature-gates=") - args := regex.split(" +", command) + args := regex.split(` +`, command) some i - regex.match("RotateKubeletServerCertificate=true", args[i]) + regex.match(`RotateKubeletServerCertificate=true`, args[i]) } diff --git a/rules/kubelet-streaming-connection-idle-timeout/raw.rego b/rules/kubelet-streaming-connection-idle-timeout/raw.rego index 3ccbc2a01..33fdc1d87 100644 --- a/rules/kubelet-streaming-connection-idle-timeout/raw.rego +++ b/rules/kubelet-streaming-connection-idle-timeout/raw.rego @@ -2,12 +2,12 @@ package armo_builtins import future.keywords.in -#CIS 4.2.5 https://workbench.cisecurity.org/sections/1126668/recommendations/1838646 +# CIS 4.2.5 https://workbench.cisecurity.org/sections/1126668/recommendations/1838646 deny[msga] { obj := input[_] is_kubelet_info(obj) - + command := obj.data.cmdLine contains(command, "--streaming-connection-idle-timeout") diff --git a/rules/kubelet-strong-cryptography-ciphers/raw.rego b/rules/kubelet-strong-cryptography-ciphers/raw.rego index f07d6f301..c923a75d7 100644 --- a/rules/kubelet-strong-cryptography-ciphers/raw.rego +++ b/rules/kubelet-strong-cryptography-ciphers/raw.rego @@ -2,7 +2,7 @@ package armo_builtins import future.keywords.in -#CIS 4.2.13 https://workbench.cisecurity.org/sections/1126668/recommendations/1838663 +# CIS 4.2.13 https://workbench.cisecurity.org/sections/1126668/recommendations/1838663 deny[msga] { obj := input[_] diff --git a/rules/label-usage-for-resources/raw.rego b/rules/label-usage-for-resources/raw.rego index 464c704cd..9c32ec293 100644 
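Review bot: `regex.match(`RotateKubeletServerCertificate=true`, args[i])` in rules/kubelet-rotate-kubelet-server-certificate/raw.rego uses a regex for a pattern with no metacharacters; `regex.match` is an unanchored search, so this is the same as `contains(args[i], "RotateKubeletServerCertificate=true")`, which matches the `contains(command, "--feature-gates=")` line above it and avoids compiling a regex per token. The same applies to `ProcMountType=true` in rules/set-procmount-default/raw.rego. An unanchored match on the whole token also accepts the value embedded in a longer gate name (a constructed example: `XRotateKubeletServerCertificate=true`); if exactness matters, split the `--feature-gates=` value on `,` and compare entries with `==`.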
--- a/rules/label-usage-for-resources/raw.rego +++ b/rules/label-usage-for-resources/raw.rego @@ -42,7 +42,7 @@ deny[msga] { } } -#handles cronjob +# handles cronjob deny[msga] { wl := input[_] wl.kind == "CronJob" @@ -69,7 +69,7 @@ no_label_usage(wl, podSpec, beggining_of_pod_path) = path{ path2 := no_label_or_no_label_usage(podSpec, beggining_of_pod_path) path = array.concat(path1, path2) } - + # There is label-usage for WL but not for his Pod no_label_usage(wl, podSpec, beggining_of_pod_path) = path{ not no_label_or_no_label_usage(wl, "") diff --git a/rules/read-only-port-enabled-updated/raw.rego b/rules/read-only-port-enabled-updated/raw.rego index 83023677f..99e1583f7 100644 --- a/rules/read-only-port-enabled-updated/raw.rego +++ b/rules/read-only-port-enabled-updated/raw.rego @@ -2,7 +2,7 @@ package armo_builtins import future.keywords.in -#CIS 4.2.4 https://workbench.cisecurity.org/sections/1126668/recommendations/1838645 +# CIS 4.2.4 https://workbench.cisecurity.org/sections/1126668/recommendations/1838645 deny[msga] { obj := input[_] diff --git a/rules/resources-cpu-limit-and-request/raw.rego b/rules/resources-cpu-limit-and-request/raw.rego index d63952f4c..760545b60 100644 --- a/rules/resources-cpu-limit-and-request/raw.rego +++ b/rules/resources-cpu-limit-and-request/raw.rego @@ -147,7 +147,7 @@ deny[msga] { -#################################################################################################################3 +################################################################################################################# request_or_limit_cpu(container) { container.resources.limits.cpu diff --git a/rules/rule-can-delete-k8s-events/raw.rego b/rules/rule-can-delete-k8s-events/raw.rego index edb1ca8cf..5a6aca47e 100644 --- a/rules/rule-can-delete-k8s-events/raw.rego +++ b/rules/rule-can-delete-k8s-events/raw.rego 
@@ -3,7 +3,7 @@ package armo_builtins import data.cautils # fails if user can delete events -#RoleBinding to Role +# RoleBinding to Role deny [msga] { roles := [role | role= input[_]; role.kind == "Role"] rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"] @@ -36,7 +36,7 @@ deny [msga] { # fails if user can delete events -#RoleBinding to ClusterRole +# RoleBinding to ClusterRole deny[msga] { roles := [role | role= input[_]; role.kind == "ClusterRole"] rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"] diff --git a/rules/rule-can-list-get-secrets/raw.rego b/rules/rule-can-list-get-secrets/raw.rego index f959c86e1..586f6c28c 100644 --- a/rules/rule-can-list-get-secrets/raw.rego +++ b/rules/rule-can-list-get-secrets/raw.rego @@ -3,7 +3,7 @@ package armo_builtins import data.cautils # fails if user can list/get secrets -#RoleBinding to Role +# RoleBinding to Role deny[msga] { roles := [role | role= input[_]; role.kind == "Role"] rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"] @@ -36,7 +36,7 @@ deny[msga] { # fails if user can list/get secrets -#RoleBinding to ClusterRole +# RoleBinding to ClusterRole deny[msga] { roles := [role | role= input[_]; role.kind == "ClusterRole"] rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"] diff --git a/rules/rule-can-update-configmap/raw.rego b/rules/rule-can-update-configmap/raw.rego index 4617a6449..4e75b016b 100644 --- a/rules/rule-can-update-configmap/raw.rego +++ b/rules/rule-can-update-configmap/raw.rego @@ -3,7 +3,7 @@ package armo_builtins import data.cautils # Fails if user can modify all configmaps, or if he can modify the 'coredns' configmap (default for coredns) -#RoleBinding to Role +# RoleBinding to Role deny [msga] { configmaps := [configmap | configmap = input[_]; configmap.kind == "ConfigMap"] configmap := configmaps[_] 
diff --git a/rules/rule-deny-cronjobs/raw.rego b/rules/rule-deny-cronjobs/raw.rego index fc1e0aa82..38dfed4e7 100644 --- a/rules/rule-deny-cronjobs/raw.rego +++ b/rules/rule-deny-cronjobs/raw.rego @@ -2,7 +2,7 @@ package armo_builtins # alert cronjobs -#handles cronjob +# handles cronjob deny[msga] { wl := input[_] diff --git a/rules/rule-excessive-delete-rights/raw.rego b/rules/rule-excessive-delete-rights/raw.rego index 9553cd42f..88a0606e0 100644 --- a/rules/rule-excessive-delete-rights/raw.rego +++ b/rules/rule-excessive-delete-rights/raw.rego @@ -3,7 +3,7 @@ package armo_builtins import data.cautils # fails if user can can delete important resources -#RoleBinding to Role +# RoleBinding to Role deny[msga] { roles := [role | role= input[_]; role.kind == "Role"] rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"] @@ -37,7 +37,7 @@ deny[msga] { # fails if user can can delete important resources -#RoleBinding to ClusterRole +# RoleBinding to ClusterRole deny[msga] { roles := [role | role= input[_]; role.kind == "ClusterRole"] rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"] diff --git a/rules/rule-privileged-container/raw.rego b/rules/rule-privileged-container/raw.rego index c4bc81609..517d24eb8 100644 --- a/rules/rule-privileged-container/raw.rego +++ b/rules/rule-privileged-container/raw.rego @@ -2,7 +2,7 @@ package armo_builtins # Deny mutating action unless user is in group owning the resource -#privileged pods +# privileged pods deny[msga] { pod := input[_] @@ -24,7 +24,7 @@ deny[msga] { } -#handles majority of workload resources +# handles majority of workload resources deny[msga] { wl := input[_] spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} @@ -45,7 +45,7 @@ deny[msga] { } } -#handles cronjob +# handles cronjob deny[msga] { wl := input[_] wl.kind == "CronJob" 
diff --git a/rules/set-procmount-default/raw.rego b/rules/set-procmount-default/raw.rego index 2d1a3496e..35d56eca5 100644 --- a/rules/set-procmount-default/raw.rego +++ b/rules/set-procmount-default/raw.rego @@ -93,7 +93,7 @@ is_control_plane_info(obj) { # check if ProcMountType feature-gate is enabled is_proc_mount_type_enabled(command) { contains(command, "--feature-gates=") - args := regex.split(" +", command) + args := regex.split(` +`, command) some i - regex.match("ProcMountType=true", args[i]) + regex.match(`ProcMountType=true`, args[i]) } diff --git a/rules/validate-kubelet-tls-configuration-updated/raw.rego b/rules/validate-kubelet-tls-configuration-updated/raw.rego index 9fdf8e8be..42597f960 100644 --- a/rules/validate-kubelet-tls-configuration-updated/raw.rego +++ b/rules/validate-kubelet-tls-configuration-updated/raw.rego @@ -1,6 +1,6 @@ package armo_builtins -#CIS 4.2.10 https://workbench.cisecurity.org/sections/1126668/recommendations/1838657 +# CIS 4.2.10 https://workbench.cisecurity.org/sections/1126668/recommendations/1838657 deny[msga] { obj := input[_] @@ -73,7 +73,7 @@ deny[msga] { res := not_set_arguments(command) count(res) == 1 - #get yaml config equivalent + # get yaml config equivalent not_set_prop := res[0].configProp failed_args := extract_failed_object(res, "cliArg")