From 3886fd9765220d96fa85fe74c9ad52d1f747d65d Mon Sep 17 00:00:00 2001 From: Anders Eknert Date: Fri, 6 Oct 2023 09:40:58 +0200 Subject: [PATCH] Add Regal linting in CI pipeline Simplified now by the new [setup-regal](https://github.com/StyraInc/setup-regal) GitHub Action. The new-ish `--format github` flag will also annotate PRs with any violation encountered in the code at the location of the violation, making it really easy to spot. Also fixed some style violations from more recent Regal rules, and amended the Regal configuration to ignore some of the new rules that would require more work to enable. Let me know what you all think, and have a great weekend! 
Signed-off-by: Anders Eknert --- .github/workflows/pr-tests.yaml | 26 ++++++++++++------- rules/.regal/config.yaml | 12 +++++++++ rules/CVE-2021-25742/raw.rego | 8 +++--- rules/CVE-2022-0185/raw.rego | 8 +++--- rules/K8s common labels usage/raw.rego | 2 +- rules/alert-any-hostpath/raw.rego | 4 +-- rules/alert-rw-hostpath/raw.rego | 10 +++---- .../raw.rego | 2 +- rules/audit-policy-content/raw.rego | 10 +++---- rules/cluster-admin-role/raw.rego | 1 + .../raw.rego | 2 +- .../raw.rego | 2 +- rules/etcd-unique-ca/raw.rego | 4 +-- rules/exposed-critical-pods/filter.rego | 7 ++--- rules/exposed-critical-pods/raw.rego | 9 ++++--- rules/exposed-rce-pods/filter.rego | 9 ++++--- rules/exposed-rce-pods/raw.rego | 7 ++--- .../raw.rego | 4 +-- rules/kubelet-event-qps/raw.rego | 2 +- rules/kubelet-hostname-override/raw.rego | 2 +- rules/kubelet-ip-tables/raw.rego | 2 +- .../kubelet-protect-kernel-defaults/raw.rego | 2 +- rules/kubelet-rotate-certificates/raw.rego | 2 +- .../raw.rego | 4 +-- .../raw.rego | 4 +-- .../raw.rego | 2 +- rules/label-usage-for-resources/raw.rego | 4 +-- rules/read-only-port-enabled-updated/raw.rego | 2 +- .../resources-cpu-limit-and-request/raw.rego | 2 +- rules/rule-can-delete-k8s-events/raw.rego | 4 +-- rules/rule-can-list-get-secrets/raw.rego | 4 +-- rules/rule-can-update-configmap/raw.rego | 2 +- rules/rule-deny-cronjobs/raw.rego | 2 +- rules/rule-excessive-delete-rights/raw.rego | 4 +-- rules/rule-privileged-container/raw.rego | 6 ++--- rules/set-procmount-default/raw.rego | 4 +-- .../raw.rego | 4 +-- 37 files changed, 105 insertions(+), 80 deletions(-) diff --git a/.github/workflows/pr-tests.yaml b/.github/workflows/pr-tests.yaml index 8ae3f74b1..9ad180434 100644 --- a/.github/workflows/pr-tests.yaml +++ b/.github/workflows/pr-tests.yaml @@ -27,7 +27,7 @@ jobs: with: use-verbose-mode: 'yes' - # main job of testing and building the env. + # main job of testing and building the env. test_pr_checks: # needs: [markdown-link-check] permissions: 
@@ -42,10 +42,10 @@ jobs: # needs: [test_pr_checks] # uses: kubescape/workflows/.github/workflows/coverage-check.yaml@main # if: | -# ${{ (always() && -# (contains(needs.*.result, 'success')) && -# !(contains(needs.*.result, 'skipped')) && -# !(contains(needs.*.result, 'failure')) && +# ${{ (always() && +# (contains(needs.*.result, 'success')) && +# !(contains(needs.*.result, 'skipped')) && +# !(contains(needs.*.result, 'failure')) && # !(contains(needs.*.result, 'cancelled'))) }} # with: # COVERAGELIMIT: "58" @@ -70,7 +70,7 @@ jobs: name: checkout repo content with: token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} - + # Test using Golang OPA hot rule compilation - name: Set up Go uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 @@ -84,12 +84,20 @@ jobs: apt update && apt install -y cmake GOPATH=$(go env GOPATH) make + - name: Set up Regal + uses: StyraInc/setup-regal@v0.1.0 + with: + version: v0.10.1 + + - name: Lint Rego + run: regal lint --format github rules + - name: setup python uses: actions/setup-python@v4 with: python-version: 3.10.6 - # validate control-ID duplications + # validate control-ID duplications - run: python ./scripts/validations.py # generating subsections ids @@ -117,7 +125,7 @@ jobs: path: ${{ env.REGO_ARTIFACT_PATH }}/ if-no-files-found: error - # test kubescape with regolibrary artifacts + # test kubescape with regolibrary artifacts ks-and-rego-test: uses: kubescape/workflows/.github/workflows/kubescape-cli-e2e-tests.yaml@main if: | @@ -145,7 +153,7 @@ jobs: ]' DOWNLOAD_ARTIFACT_PATH: ${{ needs.build-and-rego-test.outputs.REGO_ARTIFACT_PATH }} secrets: inherit - + clean-up: name: Remove pre-release folder and clean up runs-on: ubuntu-latest diff --git a/rules/.regal/config.yaml b/rules/.regal/config.yaml index 6d657855c..51a89fd35 100644 --- a/rules/.regal/config.yaml +++ b/rules/.regal/config.yaml 
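Review bot: The new `uses: StyraInc/setup-regal@v0.1.0` step is pinned to a mutable tag, while the same job pins `actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568` to a commit SHA; a third-party action whose tag is later moved would run different code in this job without any change to the workflow. Pin it to the full commit SHA of the release and keep the tag as a trailing comment, e.g. `uses: StyraInc/setup-regal@<commit sha of v0.1.0>  # v0.1.0`. This matters a little more here because the checkout step earlier in this job is given `token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}`, and actions/checkout persists that token in the workspace's git config unless `persist-credentials: false` is set, so later steps in the job can presumably read it — worth confirming for this workflow. The `regal lint --format github rules` step itself looks fine.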
@@ -4,6 +4,13 @@ rules: # This should be enabled, but the version of OPA used here is # too old to recognize the object.keys built-in function level: ignore + no-defined-entrypoint: + level: ignore + use-some-for-output-vars: + level: ignore + imports: + prefer-package-imports: + level: ignore style: avoid-get-and-list-prefix: level: ignore @@ -15,6 +22,11 @@ rules: level: ignore prefer-snake-case: level: ignore + prefer-some-in-iteration: + level: ignore + rule-length: + level: error + max-rule-length: 50 todo-comment: level: ignore use-assignment-operator: diff --git a/rules/CVE-2021-25742/raw.rego b/rules/CVE-2021-25742/raw.rego index 70f3e2371..c53035014 100644 --- a/rules/CVE-2021-25742/raw.rego +++ b/rules/CVE-2021-25742/raw.rego @@ -8,11 +8,11 @@ deny[msga] { is_tag_image(image) # Extracting version from image tag - tag_version_match := regex.find_all_string_submatch_n("[0-9]+\\.[0-9]+\\.[0-9]+", image, -1)[0][0] + tag_version_match := regex.find_all_string_submatch_n(`[0-9]+\.[0-9]+\.[0-9]+`, image, -1)[0][0] image_version_str_arr := split(tag_version_match,".") image_version_arr := [to_number(image_version_str_arr[0]),to_number(image_version_str_arr[1]),to_number(image_version_str_arr[2])] - # Check if vulnerable + # Check if vulnerable is_vulnerable(image_version_arr, deployment.metadata.namespace) path := sprintf("spec.template.spec.containers[%v].image", [format_int(i, 10)]) @@ -25,7 +25,7 @@ deny[msga] { } } - + is_nginx_image(image) { contains(image, "nginx-controller") } @@ -57,7 +57,7 @@ is_vulnerable(image_version, namespace) { image_version[2] == 0 is_allow_snippet_annotation_on(namespace) } - + is_vulnerable(image_version, namespace) { image_version[0] == 1 image_version[1] == 0 diff --git a/rules/CVE-2022-0185/raw.rego b/rules/CVE-2022-0185/raw.rego index d2ceb85d1..912ed4a0b 100644 --- a/rules/CVE-2022-0185/raw.rego +++ b/rules/CVE-2022-0185/raw.rego 
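Review bot: `rule-length` is enabled at `level: error` with `max-rule-length: 50` in the second hunk, but the same commit silences it inline on five `deny` rules (cluster-admin-role, exposed-critical-pods filter and raw, exposed-rce-pods filter and raw) with `# regal ignore:rule-length`, so the error level currently records intent more than it enforces it. A short comment above the setting would make that explicit for the next person who hits the error, e.g. `# existing long deny rules carry an inline "regal ignore:rule-length"; new rules should be split instead`. The other newly ignored rules (`no-defined-entrypoint`, `use-some-for-output-vars`, `prefer-package-imports`, `prefer-some-in-iteration`) get no reason in the file, unlike the `object.keys` ignore above them; a one-line comment on each, along the lines of the commit message's "would require more work to enable", would keep the config self-explanatory.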
@@ -3,15 +3,15 @@ package armo_builtins deny[msga] { node := input[_] node.kind == "Node" - kernel_version_match := regex.find_all_string_submatch_n("[0-9]+\\.[0-9]+\\.[0-9]+", node.status.nodeInfo.kernelVersion, -1) + kernel_version_match := regex.find_all_string_submatch_n(`[0-9]+\.[0-9]+\.[0-9]+`, node.status.nodeInfo.kernelVersion, -1) kernelVersion := kernel_version_match[0][0] - + kernel_version_arr := split(kernelVersion, ".") to_number(kernel_version_arr[0]) == 5 to_number(kernel_version_arr[1]) >= 1 to_number(kernel_version_arr[1]) <= 16 - to_number(kernel_version_arr[2]) < 2 - + to_number(kernel_version_arr[2]) < 2 + node.status.nodeInfo.operatingSystem == "linux" path := "status.nodeInfo.kernelVersion" diff --git a/rules/K8s common labels usage/raw.rego b/rules/K8s common labels usage/raw.rego index f5d103bd7..5531a1742 100644 --- a/rules/K8s common labels usage/raw.rego +++ b/rules/K8s common labels usage/raw.rego @@ -42,7 +42,7 @@ deny[msga] { } } -#handles cronjob +# handles cronjob deny[msga] { wl := input[_] wl.kind == "CronJob" diff --git a/rules/alert-any-hostpath/raw.rego b/rules/alert-any-hostpath/raw.rego index 49047a291..1815c20b5 100644 --- a/rules/alert-any-hostpath/raw.rego +++ b/rules/alert-any-hostpath/raw.rego @@ -24,7 +24,7 @@ deny[msga] { } } -#handles majority of workload resources +# handles majority of workload resources deny[msga] { wl := input[_] spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} @@ -48,7 +48,7 @@ deny[msga] { } } -#handles CronJobs +# handles CronJobs deny[msga] { wl := input[_] wl.kind == "CronJob" diff --git a/rules/alert-rw-hostpath/raw.rego b/rules/alert-rw-hostpath/raw.rego index eeea414e8..fb5fdc2c2 100644 --- a/rules/alert-rw-hostpath/raw.rego +++ b/rules/alert-rw-hostpath/raw.rego 
@@ -31,7 +31,7 @@ deny[msga] { } } -#handles majority of workload resources +# handles majority of workload resources deny[msga] { wl := input[_] spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} @@ -57,11 +57,11 @@ deny[msga] { "alertObject": { "k8sApiObjects": [wl] } - + } } -#handles CronJobs +# handles CronJobs deny[msga] { wl := input[_] wl.kind == "CronJob" @@ -73,7 +73,7 @@ deny[msga] { volume_mount := container.volumeMounts[k] volume_mount.name == volume.name beggining_of_path := "spec.jobTemplate.spec.template.spec." - result := is_rw_mount(volume_mount, beggining_of_path, i, k) + result := is_rw_mount(volume_mount, beggining_of_path, i, k) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) @@ -112,4 +112,4 @@ is_rw_mount(mount, beggining_of_path, i, k) = [failed_path, fix_path] { mount.readOnly == false failed_path = sprintf("%vcontainers[%v].volumeMounts[%v].readOnly", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) fix_path = "" -} \ No newline at end of file +} \ No newline at end of file diff --git a/rules/anonymous-requests-to-kubelet-updated/raw.rego b/rules/anonymous-requests-to-kubelet-updated/raw.rego index 95cc2e464..462306ce7 100644 --- a/rules/anonymous-requests-to-kubelet-updated/raw.rego +++ b/rules/anonymous-requests-to-kubelet-updated/raw.rego @@ -1,6 +1,6 @@ package armo_builtins -#CIS 4.2.1 https://workbench.cisecurity.org/sections/1126668/recommendations/1838638 +# CIS 4.2.1 https://workbench.cisecurity.org/sections/1126668/recommendations/1838638 deny[msga] { obj := input[_] diff --git a/rules/audit-policy-content/raw.rego b/rules/audit-policy-content/raw.rego index 5a73f7045..c67473734 100644 --- a/rules/audit-policy-content/raw.rego +++ b/rules/audit-policy-content/raw.rego 
@@ -57,11 +57,11 @@ deny[msga] { } # Sample rules object -#rules: -# - level: RequestResponse -# resources: -# - group: "" -# resources: ["pods"] +# rules: +# - level: RequestResponse +# resources: +# - group: "" +# resources: ["pods"] are_audit_file_rules_valid(rules) if { seeked_resources_with_audit_level := { "secrets": { diff --git a/rules/cluster-admin-role/raw.rego b/rules/cluster-admin-role/raw.rego index 341528abc..1c2fb66b4 100644 --- a/rules/cluster-admin-role/raw.rego +++ b/rules/cluster-admin-role/raw.rego @@ -3,6 +3,7 @@ package armo_builtins import future.keywords.in # returns subjects with cluster admin role +# regal ignore:rule-length deny[msga] { subjectVector := input[_] diff --git a/rules/enforce-kubelet-client-tls-authentication-updated/raw.rego b/rules/enforce-kubelet-client-tls-authentication-updated/raw.rego index 1a02aa859..5df9eea58 100644 --- a/rules/enforce-kubelet-client-tls-authentication-updated/raw.rego +++ b/rules/enforce-kubelet-client-tls-authentication-updated/raw.rego @@ -1,6 +1,6 @@ package armo_builtins -#CIS 4.2.3 https://workbench.cisecurity.org/sections/1126668/recommendations/1838643 +# CIS 4.2.3 https://workbench.cisecurity.org/sections/1126668/recommendations/1838643 deny[msga] { obj := input[_] diff --git a/rules/ensure_nodeinstancerole_has_right_permissions_for_ecr/raw.rego b/rules/ensure_nodeinstancerole_has_right_permissions_for_ecr/raw.rego index 19c9374af..9d9fed432 100644 --- a/rules/ensure_nodeinstancerole_has_right_permissions_for_ecr/raw.rego +++ b/rules/ensure_nodeinstancerole_has_right_permissions_for_ecr/raw.rego 
@@ -31,7 +31,7 @@ deny[msga] { policies.kind == "PolicyVersion" policies.metadata.provider == "eks" - #node_instance_role_policies := ["arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"] + # node_instance_role_policies := ["arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"] some policy in node_instance_role_policies some stat, _ in policies.data.policiesDocuments[policy].Statement not isPolicyCompliant(policies, policy, stat) diff --git a/rules/etcd-unique-ca/raw.rego b/rules/etcd-unique-ca/raw.rego index 4c7f152e4..ac9e69796 100644 --- a/rules/etcd-unique-ca/raw.rego +++ b/rules/etcd-unique-ca/raw.rego @@ -2,7 +2,7 @@ package armo_builtins import future.keywords.in -#CIS 2.7 https://workbench.cisecurity.org/sections/1126654/recommendations/1838578 +# CIS 2.7 https://workbench.cisecurity.org/sections/1126654/recommendations/1838578 deny[msga] { etcdPod := [pod | pod := input[_]; filter_input(pod, "etcd")] @@ -39,7 +39,7 @@ filter_input(obj, res) { } get_argument_value(command, argument) = value { - args := regex.split("=", command) + args := split(command, "=") some i, sprintf("%v", [argument]) in args value := args[i + 1] } diff --git a/rules/exposed-critical-pods/filter.rego b/rules/exposed-critical-pods/filter.rego index 2f0b23966..58217d11f 100644 --- a/rules/exposed-critical-pods/filter.rego +++ b/rules/exposed-critical-pods/filter.rego @@ -1,5 +1,6 @@ package armo_builtins +# regal ignore:rule-length deny[msga] { services := [ x | x = input[_]; x.kind == "Service" ] pods := [ x | x = input[_]; x.kind == "Pod" ] @@ -9,8 +10,8 @@ deny[msga] { service := services[_] vuln := vulns[_] - # vuln data is relevant - count(vuln.data) > 0 + # vuln data is relevant + count(vuln.data) > 0 # service is external-facing filter_external_access(service) @@ -33,7 +34,7 @@ deny[msga] { "namespace": pod.metadata.namespace } - external_objects = { + external_objects = { "apiVersion": "result.vulnscan.com/v1", "kind": pod.kind, "metadata": metadata, 
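Review bot: `args := split(command, "=")` preserves the behaviour of the old `regex.split`, but also its limitation: every `=` in `command` is a split point, so `value := args[i + 1]` on the next line returns only the text up to the next `=`. If `command` is a single `--flag=value` token this only misbehaves for values that themselves contain `=`; if it is a whole command line, the returned value would run into the following flag — the callers of `get_argument_value` are outside this hunk, so I can't tell which applies, but since this value feeds the etcd CA check it is worth pinning with a test. A comment such as `# splits on every "=": the argument's value must not itself contain "="` would at least record the assumption next to the code.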
diff --git a/rules/exposed-critical-pods/raw.rego b/rules/exposed-critical-pods/raw.rego index aaba28cfa..722a6823e 100644 --- a/rules/exposed-critical-pods/raw.rego +++ b/rules/exposed-critical-pods/raw.rego @@ -1,5 +1,6 @@ package armo_builtins +# regal ignore:rule-length deny[msga] { services := [ x | x = input[_]; x.kind == "Service" ] pods := [ x | x = input[_]; x.kind == "Pod" ] @@ -9,8 +10,8 @@ deny[msga] { service := services[_] vuln := vulns[_] - # vuln data is relevant - count(vuln.data) > 0 + # vuln data is relevant + count(vuln.data) > 0 # service is external-facing filter_external_access(service) @@ -22,7 +23,7 @@ deny[msga] { container := pod.spec.containers[i] # image has vulnerabilities - + container.image == vuln.metadata.name # At least one critical vulnerabilities @@ -37,7 +38,7 @@ deny[msga] { "namespace": pod.metadata.namespace } - external_objects = { + external_objects = { "apiVersion": "result.vulnscan.com/v1", "kind": pod.kind, "metadata": metadata, diff --git a/rules/exposed-rce-pods/filter.rego b/rules/exposed-rce-pods/filter.rego index 251261236..9dec46253 100644 --- a/rules/exposed-rce-pods/filter.rego +++ b/rules/exposed-rce-pods/filter.rego @@ -1,5 +1,6 @@ package armo_builtins - + +# regal ignore:rule-length deny[msga] { services := [ x | x = input[_]; x.kind == "Service" ; x.apiVersion == "v1"] pods := [ x | x = input[_]; x.kind == "Pod" ; x.apiVersion == "v1"] @@ -9,8 +10,8 @@ deny[msga] { service := services[_] vuln := vulns[_] - # vuln data is relevant - count(vuln.data) > 0 + # vuln data is relevant + count(vuln.data) > 0 # service is external-facing filter_external_access(service) @@ -33,7 +34,7 @@ deny[msga] { "namespace": pod.metadata.namespace } - external_objects = { + external_objects = { "apiVersion": "result.vulnscan.com/v1", "kind": pod.kind, "metadata": metadata, diff --git a/rules/exposed-rce-pods/raw.rego b/rules/exposed-rce-pods/raw.rego index 701175ced..8b4d48c68 100644 --- a/rules/exposed-rce-pods/raw.rego 
+++ b/rules/exposed-rce-pods/raw.rego @@ -1,5 +1,6 @@ package armo_builtins +# regal ignore:rule-length deny[msga] { services := [ x | x = input[_]; x.kind == "Service" ] pods := [ x | x = input[_]; x.kind == "Pod" ] @@ -9,8 +10,8 @@ deny[msga] { service := services[_] vuln := vulns[_] - # vuln data is relevant - count(vuln.data) > 0 + # vuln data is relevant + count(vuln.data) > 0 # service is external-facing filter_external_access(service) @@ -36,7 +37,7 @@ deny[msga] { "namespace": pod.metadata.namespace } - external_objects = { + external_objects = { "apiVersion": "result.vulnscan.com/v1", "kind": pod.kind, "metadata": metadata, diff --git a/rules/kubelet-authorization-mode-alwaysAllow/raw.rego b/rules/kubelet-authorization-mode-alwaysAllow/raw.rego index 71a4c7b10..8a75ea6fb 100644 --- a/rules/kubelet-authorization-mode-alwaysAllow/raw.rego +++ b/rules/kubelet-authorization-mode-alwaysAllow/raw.rego @@ -2,7 +2,7 @@ package armo_builtins import future.keywords.in -#CIS 4.2.2 https://workbench.cisecurity.org/sections/1126668/recommendations/1838640 +# CIS 4.2.2 https://workbench.cisecurity.org/sections/1126668/recommendations/1838640 # has cli deny[msga] { @@ -64,7 +64,7 @@ deny[msga] { not contains(command, "--authorization-mode") not contains(command, "--config") - + external_obj := json.filter(obj, ["apiVersion", "data/cmdLine", "kind", "metadata"]) msga := { "alertMessage": "Anonymous requests are enabled", diff --git a/rules/kubelet-event-qps/raw.rego b/rules/kubelet-event-qps/raw.rego index 07a01115e..c700cb104 100644 --- a/rules/kubelet-event-qps/raw.rego +++ b/rules/kubelet-event-qps/raw.rego @@ -2,7 +2,7 @@ package armo_builtins import future.keywords.in -#CIS 4.2.9 https://workbench.cisecurity.org/sections/1126668/recommendations/1838656 +# CIS 4.2.9 https://workbench.cisecurity.org/sections/1126668/recommendations/1838656 # if --event-qps is present rule should pass deny[msga] { 
diff --git a/rules/kubelet-hostname-override/raw.rego b/rules/kubelet-hostname-override/raw.rego index a2ce22800..362f5dab5 100644 --- a/rules/kubelet-hostname-override/raw.rego +++ b/rules/kubelet-hostname-override/raw.rego @@ -2,7 +2,7 @@ package armo_builtins import future.keywords.in -#CIS 4.2.8 https://workbench.cisecurity.org/sections/1126668/recommendations/1838654 +# CIS 4.2.8 https://workbench.cisecurity.org/sections/1126668/recommendations/1838654 deny[msga] { kubelet_info := input[_] diff --git a/rules/kubelet-ip-tables/raw.rego b/rules/kubelet-ip-tables/raw.rego index 333adcd20..440f3491d 100644 --- a/rules/kubelet-ip-tables/raw.rego +++ b/rules/kubelet-ip-tables/raw.rego @@ -2,7 +2,7 @@ package armo_builtins import future.keywords.in -#CIS 4.2.7 https://workbench.cisecurity.org/sections/1126668/recommendations/1838651 +# CIS 4.2.7 https://workbench.cisecurity.org/sections/1126668/recommendations/1838651 deny[msga] { obj := input[_] diff --git a/rules/kubelet-protect-kernel-defaults/raw.rego b/rules/kubelet-protect-kernel-defaults/raw.rego index 84adb99c3..3c420c862 100644 --- a/rules/kubelet-protect-kernel-defaults/raw.rego +++ b/rules/kubelet-protect-kernel-defaults/raw.rego @@ -2,7 +2,7 @@ package armo_builtins import future.keywords.in -#CIS 4.2.6 https://workbench.cisecurity.org/sections/1126668/recommendations/1838648 +# CIS 4.2.6 https://workbench.cisecurity.org/sections/1126668/recommendations/1838648 deny[msga] { obj := input[_] diff --git a/rules/kubelet-rotate-certificates/raw.rego b/rules/kubelet-rotate-certificates/raw.rego index 553389513..4e8cff4e5 100644 --- a/rules/kubelet-rotate-certificates/raw.rego +++ b/rules/kubelet-rotate-certificates/raw.rego @@ -2,7 +2,7 @@ package armo_builtins import future.keywords.in -#CIS 4.2.11 https://workbench.cisecurity.org/sections/1126668/recommendations/1838658 +# CIS 4.2.11 https://workbench.cisecurity.org/sections/1126668/recommendations/1838658 deny[msga] { obj := input[_] 
diff --git a/rules/kubelet-rotate-kubelet-server-certificate/raw.rego b/rules/kubelet-rotate-kubelet-server-certificate/raw.rego index a9733d760..aa0fcc101 100644 --- a/rules/kubelet-rotate-kubelet-server-certificate/raw.rego +++ b/rules/kubelet-rotate-kubelet-server-certificate/raw.rego @@ -38,7 +38,7 @@ should_skip_check(kubelet_info) { is_RotateKubeletServerCertificate_enabled_via_cli(command) { contains(command, "--feature-gates=") - args := regex.split(" +", command) + args := regex.split(` +`, command) some i - regex.match("RotateKubeletServerCertificate=true", args[i]) + regex.match(`RotateKubeletServerCertificate=true`, args[i]) } diff --git a/rules/kubelet-streaming-connection-idle-timeout/raw.rego b/rules/kubelet-streaming-connection-idle-timeout/raw.rego index 3ccbc2a01..33fdc1d87 100644 --- a/rules/kubelet-streaming-connection-idle-timeout/raw.rego +++ b/rules/kubelet-streaming-connection-idle-timeout/raw.rego @@ -2,12 +2,12 @@ package armo_builtins import future.keywords.in -#CIS 4.2.5 https://workbench.cisecurity.org/sections/1126668/recommendations/1838646 +# CIS 4.2.5 https://workbench.cisecurity.org/sections/1126668/recommendations/1838646 deny[msga] { obj := input[_] is_kubelet_info(obj) - + command := obj.data.cmdLine contains(command, "--streaming-connection-idle-timeout") diff --git a/rules/kubelet-strong-cryptography-ciphers/raw.rego b/rules/kubelet-strong-cryptography-ciphers/raw.rego index f07d6f301..c923a75d7 100644 --- a/rules/kubelet-strong-cryptography-ciphers/raw.rego +++ b/rules/kubelet-strong-cryptography-ciphers/raw.rego @@ -2,7 +2,7 @@ package armo_builtins import future.keywords.in -#CIS 4.2.13 https://workbench.cisecurity.org/sections/1126668/recommendations/1838663 +# CIS 4.2.13 https://workbench.cisecurity.org/sections/1126668/recommendations/1838663 deny[msga] { obj := input[_] diff --git a/rules/label-usage-for-resources/raw.rego b/rules/label-usage-for-resources/raw.rego index 464c704cd..9c32ec293 100644 
--- a/rules/label-usage-for-resources/raw.rego +++ b/rules/label-usage-for-resources/raw.rego @@ -42,7 +42,7 @@ deny[msga] { } } -#handles cronjob +# handles cronjob deny[msga] { wl := input[_] wl.kind == "CronJob" @@ -69,7 +69,7 @@ no_label_usage(wl, podSpec, beggining_of_pod_path) = path{ path2 := no_label_or_no_label_usage(podSpec, beggining_of_pod_path) path = array.concat(path1, path2) } - + # There is label-usage for WL but not for his Pod no_label_usage(wl, podSpec, beggining_of_pod_path) = path{ not no_label_or_no_label_usage(wl, "") diff --git a/rules/read-only-port-enabled-updated/raw.rego b/rules/read-only-port-enabled-updated/raw.rego index 83023677f..99e1583f7 100644 --- a/rules/read-only-port-enabled-updated/raw.rego +++ b/rules/read-only-port-enabled-updated/raw.rego @@ -2,7 +2,7 @@ package armo_builtins import future.keywords.in -#CIS 4.2.4 https://workbench.cisecurity.org/sections/1126668/recommendations/1838645 +# CIS 4.2.4 https://workbench.cisecurity.org/sections/1126668/recommendations/1838645 deny[msga] { obj := input[_] diff --git a/rules/resources-cpu-limit-and-request/raw.rego b/rules/resources-cpu-limit-and-request/raw.rego index d63952f4c..760545b60 100644 --- a/rules/resources-cpu-limit-and-request/raw.rego +++ b/rules/resources-cpu-limit-and-request/raw.rego @@ -147,7 +147,7 @@ deny[msga] { -#################################################################################################################3 +################################################################################################################# request_or_limit_cpu(container) { container.resources.limits.cpu diff --git a/rules/rule-can-delete-k8s-events/raw.rego b/rules/rule-can-delete-k8s-events/raw.rego index edb1ca8cf..5a6aca47e 100644 --- a/rules/rule-can-delete-k8s-events/raw.rego +++ b/rules/rule-can-delete-k8s-events/raw.rego 
@@ -3,7 +3,7 @@ package armo_builtins import data.cautils # fails if user can delete events -#RoleBinding to Role +# RoleBinding to Role deny [msga] { roles := [role | role= input[_]; role.kind == "Role"] rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"] @@ -36,7 +36,7 @@ deny [msga] { # fails if user can delete events -#RoleBinding to ClusterRole +# RoleBinding to ClusterRole deny[msga] { roles := [role | role= input[_]; role.kind == "ClusterRole"] rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"] diff --git a/rules/rule-can-list-get-secrets/raw.rego b/rules/rule-can-list-get-secrets/raw.rego index f959c86e1..586f6c28c 100644 --- a/rules/rule-can-list-get-secrets/raw.rego +++ b/rules/rule-can-list-get-secrets/raw.rego @@ -3,7 +3,7 @@ package armo_builtins import data.cautils # fails if user can list/get secrets -#RoleBinding to Role +# RoleBinding to Role deny[msga] { roles := [role | role= input[_]; role.kind == "Role"] rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"] @@ -36,7 +36,7 @@ deny[msga] { # fails if user can list/get secrets -#RoleBinding to ClusterRole +# RoleBinding to ClusterRole deny[msga] { roles := [role | role= input[_]; role.kind == "ClusterRole"] rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"] diff --git a/rules/rule-can-update-configmap/raw.rego b/rules/rule-can-update-configmap/raw.rego index 4617a6449..4e75b016b 100644 --- a/rules/rule-can-update-configmap/raw.rego +++ b/rules/rule-can-update-configmap/raw.rego @@ -3,7 +3,7 @@ package armo_builtins import data.cautils # Fails if user can modify all configmaps, or if he can modify the 'coredns' configmap (default for coredns) -#RoleBinding to Role +# RoleBinding to Role deny [msga] { configmaps := [configmap | configmap = input[_]; configmap.kind == "ConfigMap"] configmap := configmaps[_] 
diff --git a/rules/rule-deny-cronjobs/raw.rego b/rules/rule-deny-cronjobs/raw.rego index fc1e0aa82..38dfed4e7 100644 --- a/rules/rule-deny-cronjobs/raw.rego +++ b/rules/rule-deny-cronjobs/raw.rego @@ -2,7 +2,7 @@ package armo_builtins # alert cronjobs -#handles cronjob +# handles cronjob deny[msga] { wl := input[_] diff --git a/rules/rule-excessive-delete-rights/raw.rego b/rules/rule-excessive-delete-rights/raw.rego index 9553cd42f..88a0606e0 100644 --- a/rules/rule-excessive-delete-rights/raw.rego +++ b/rules/rule-excessive-delete-rights/raw.rego @@ -3,7 +3,7 @@ package armo_builtins import data.cautils # fails if user can can delete important resources -#RoleBinding to Role +# RoleBinding to Role deny[msga] { roles := [role | role= input[_]; role.kind == "Role"] rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"] @@ -37,7 +37,7 @@ deny[msga] { # fails if user can can delete important resources -#RoleBinding to ClusterRole +# RoleBinding to ClusterRole deny[msga] { roles := [role | role= input[_]; role.kind == "ClusterRole"] rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"] diff --git a/rules/rule-privileged-container/raw.rego b/rules/rule-privileged-container/raw.rego index c4bc81609..517d24eb8 100644 --- a/rules/rule-privileged-container/raw.rego +++ b/rules/rule-privileged-container/raw.rego @@ -2,7 +2,7 @@ package armo_builtins # Deny mutating action unless user is in group owning the resource -#privileged pods +# privileged pods deny[msga] { pod := input[_] @@ -24,7 +24,7 @@ deny[msga] { } -#handles majority of workload resources +# handles majority of workload resources deny[msga] { wl := input[_] spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} @@ -45,7 +45,7 @@ deny[msga] { } } -#handles cronjob +# handles cronjob deny[msga] { wl := input[_] wl.kind == "CronJob" 
diff --git a/rules/set-procmount-default/raw.rego b/rules/set-procmount-default/raw.rego index 2d1a3496e..35d56eca5 100644 --- a/rules/set-procmount-default/raw.rego +++ b/rules/set-procmount-default/raw.rego @@ -93,7 +93,7 @@ is_control_plane_info(obj) { # check if ProcMountType feature-gate is enabled is_proc_mount_type_enabled(command) { contains(command, "--feature-gates=") - args := regex.split(" +", command) + args := regex.split(` +`, command) some i - regex.match("ProcMountType=true", args[i]) + regex.match(`ProcMountType=true`, args[i]) } diff --git a/rules/validate-kubelet-tls-configuration-updated/raw.rego b/rules/validate-kubelet-tls-configuration-updated/raw.rego index 9fdf8e8be..42597f960 100644 --- a/rules/validate-kubelet-tls-configuration-updated/raw.rego +++ b/rules/validate-kubelet-tls-configuration-updated/raw.rego @@ -1,6 +1,6 @@ package armo_builtins -#CIS 4.2.10 https://workbench.cisecurity.org/sections/1126668/recommendations/1838657 +# CIS 4.2.10 https://workbench.cisecurity.org/sections/1126668/recommendations/1838657 deny[msga] { obj := input[_] @@ -73,7 +73,7 @@ deny[msga] { res := not_set_arguments(command) count(res) == 1 - #get yaml config equivalent + # get yaml config equivalent not_set_prop := res[0].configProp failed_args := extract_failed_object(res, "cliArg")