kubescape · alegrey91 · Oct 6, 2023 · Oct 6, 2023
diff --git a/.github/workflows/pr-tests.yaml b/.github/workflows/pr-tests.yaml
@@ -27,7 +27,7 @@ jobs:
         with:
           use-verbose-mode: 'yes'
 
-  # main job of testing and building the env. 
+  # main job of testing and building the env.
   test_pr_checks:
     # needs: [markdown-link-check]
     permissions:
@@ -42,10 +42,10 @@ jobs:
 #     needs: [test_pr_checks]
 #     uses: kubescape/workflows/.github/workflows/coverage-check.yaml@main
 #     if: |
-#       ${{ (always() && 
-#       (contains(needs.*.result, 'success')) && 
-#       !(contains(needs.*.result, 'skipped')) && 
-#       !(contains(needs.*.result, 'failure')) && 
+#       ${{ (always() &&
+#       (contains(needs.*.result, 'success')) &&
+#       !(contains(needs.*.result, 'skipped')) &&
+#       !(contains(needs.*.result, 'failure')) &&
 #       !(contains(needs.*.result, 'cancelled'))) }}
 #     with:
 #       COVERAGELIMIT: "58"
@@ -70,7 +70,7 @@ jobs:
         name: checkout repo content
         with:
           token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
-        
+
       # Test using Golang OPA hot rule compilation
       - name: Set up Go
         uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
@@ -84,12 +84,20 @@ jobs:
           apt update && apt install -y cmake
           GOPATH=$(go env GOPATH) make
 
+      - name: Set up Regal
+        uses: StyraInc/[email protected]
+        with:
+          version: v0.10.1
+
+      - name: Lint Rego
+        run: regal lint --format github rules
+
       - name: setup python
         uses: actions/setup-python@v4
         with:
           python-version: 3.10.6
 
-      # validate control-ID duplications 
+      # validate control-ID duplications
       - run: python ./scripts/validations.py
 
       # generating subsections ids
@@ -117,7 +125,7 @@ jobs:
           path: ${{ env.REGO_ARTIFACT_PATH }}/
           if-no-files-found: error
 
-  # test kubescape with regolibrary artifacts 
+  # test kubescape with regolibrary artifacts
   ks-and-rego-test:
     uses: kubescape/workflows/.github/workflows/kubescape-cli-e2e-tests.yaml@main
     if: |
@@ -145,7 +153,7 @@ jobs:
                       ]'
       DOWNLOAD_ARTIFACT_PATH: ${{ needs.build-and-rego-test.outputs.REGO_ARTIFACT_PATH }}
     secrets: inherit
-  
+
   clean-up:
     name: Remove pre-release folder and clean up
     runs-on: ubuntu-latest

diff --git a/rules/.regal/config.yaml b/rules/.regal/config.yaml
@@ -4,6 +4,13 @@ rules:
       # This should be enabled, but the version of OPA used here is
       # too old to recognize the object.keys built-in function
       level: ignore
+    no-defined-entrypoint:
+      level: ignore
+    use-some-for-output-vars:
+      level: ignore
+  imports:
+    prefer-package-imports:
+      level: ignore
   style:
     avoid-get-and-list-prefix:
       level: ignore
@@ -15,6 +22,11 @@ rules:
       level: ignore
     prefer-snake-case:
       level: ignore
+    prefer-some-in-iteration:
+      level: ignore
+    rule-length:
+      level: error
+      max-rule-length: 50
     todo-comment:
       level: ignore
     use-assignment-operator:

diff --git a/rules/CVE-2021-25742/raw.rego b/rules/CVE-2021-25742/raw.rego
@@ -8,11 +8,11 @@ deny[msga] {
 	is_tag_image(image)
 
 	# Extracting version from image tag
-	tag_version_match := regex.find_all_string_submatch_n("[0-9]+\\.[0-9]+\\.[0-9]+", image, -1)[0][0]
+	tag_version_match := regex.find_all_string_submatch_n(`[0-9]+\.[0-9]+\.[0-9]+`, image, -1)[0][0]
     image_version_str_arr := split(tag_version_match,".")
 	image_version_arr := [to_number(image_version_str_arr[0]),to_number(image_version_str_arr[1]),to_number(image_version_str_arr[2])]
 
-	# Check if vulnerable 
+	# Check if vulnerable
 	is_vulnerable(image_version_arr, deployment.metadata.namespace)
 
 	path := sprintf("spec.template.spec.containers[%v].image", [format_int(i, 10)])
@@ -25,7 +25,7 @@ deny[msga] {
 		}
 }
 
-	
+
 is_nginx_image(image) {
 	contains(image, "nginx-controller")
 }
@@ -57,7 +57,7 @@ is_vulnerable(image_version, namespace) {
 	image_version[2] == 0
 	is_allow_snippet_annotation_on(namespace)
 }
-	
+
 is_vulnerable(image_version, namespace) {
 	image_version[0] == 1
 	image_version[1] == 0

diff --git a/rules/CVE-2022-0185/raw.rego b/rules/CVE-2022-0185/raw.rego
@@ -3,15 +3,15 @@ package armo_builtins
 deny[msga] {
 	node := input[_]
     node.kind == "Node"
-    kernel_version_match := regex.find_all_string_submatch_n("[0-9]+\\.[0-9]+\\.[0-9]+", node.status.nodeInfo.kernelVersion, -1)
+    kernel_version_match := regex.find_all_string_submatch_n(`[0-9]+\.[0-9]+\.[0-9]+`, node.status.nodeInfo.kernelVersion, -1)
     kernelVersion := kernel_version_match[0][0]
-    
+
     kernel_version_arr := split(kernelVersion, ".")
     to_number(kernel_version_arr[0]) == 5
     to_number(kernel_version_arr[1]) >= 1
     to_number(kernel_version_arr[1]) <= 16
-    to_number(kernel_version_arr[2]) < 2 
-    
+    to_number(kernel_version_arr[2]) < 2
+
     node.status.nodeInfo.operatingSystem == "linux"
     path := "status.nodeInfo.kernelVersion"
 

diff --git a/rules/K8s common labels usage/raw.rego b/rules/K8s common labels usage/raw.rego
@@ -42,7 +42,7 @@ deny[msga] {
      }
 }
 
-#handles cronjob
+# handles cronjob
 deny[msga] {
 	wl := input[_]
 	wl.kind == "CronJob"

diff --git a/rules/alert-any-hostpath/raw.rego b/rules/alert-any-hostpath/raw.rego
@@ -24,7 +24,7 @@ deny[msga] {
 	}
 }
 
-#handles majority of workload resources
+# handles majority of workload resources
 deny[msga] {
 	wl := input[_]
 	spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
@@ -48,7 +48,7 @@ deny[msga] {
 	}
 }
 
-#handles CronJobs
+# handles CronJobs
 deny[msga] {
 	wl := input[_]
 	wl.kind == "CronJob"

diff --git a/rules/alert-rw-hostpath/raw.rego b/rules/alert-rw-hostpath/raw.rego
@@ -31,7 +31,7 @@ deny[msga] {
 	}
 }
 
-#handles majority of workload resources
+# handles majority of workload resources
 deny[msga] {
 	wl := input[_]
 	spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
@@ -57,11 +57,11 @@ deny[msga] {
 		"alertObject": {
 			"k8sApiObjects": [wl]
 		}
-	
+
 	}
 }
 
-#handles CronJobs
+# handles CronJobs
 deny[msga] {
 	wl := input[_]
 	wl.kind == "CronJob"
@@ -73,7 +73,7 @@ deny[msga] {
 	volume_mount := container.volumeMounts[k]
 	volume_mount.name == volume.name
 	beggining_of_path := "spec.jobTemplate.spec.template.spec."
-	result := is_rw_mount(volume_mount, beggining_of_path,  i, k) 
+	result := is_rw_mount(volume_mount, beggining_of_path,  i, k)
 	failed_path := get_failed_path(result)
     fixed_path := get_fixed_path(result)
 
@@ -112,4 +112,4 @@ is_rw_mount(mount, beggining_of_path,  i, k) =  [failed_path, fix_path] {
   	mount.readOnly == false
   	failed_path = sprintf("%vcontainers[%v].volumeMounts[%v].readOnly", [beggining_of_path, format_int(i, 10), format_int(k, 10)])
     fix_path = ""
-} 
+}
diff --git a/rules/anonymous-requests-to-kubelet-updated/raw.rego b/rules/anonymous-requests-to-kubelet-updated/raw.rego
@@ -1,6 +1,6 @@
 package armo_builtins
 
-#CIS 4.2.1 https://workbench.cisecurity.org/sections/1126668/recommendations/1838638
+# CIS 4.2.1 https://workbench.cisecurity.org/sections/1126668/recommendations/1838638
 
 deny[msga] {
 	obj := input[_]

diff --git a/rules/audit-policy-content/raw.rego b/rules/audit-policy-content/raw.rego
@@ -57,11 +57,11 @@ deny[msga] {
 }
 
 # Sample rules object
-#rules:
-#  - level: RequestResponse
-#    resources:
-#    - group: ""
-#      resources: ["pods"]
+# rules:
+# - level: RequestResponse
+#   resources:
+#   - group: ""
+#     resources: ["pods"]
 are_audit_file_rules_valid(rules) if {
 	seeked_resources_with_audit_level := {
 		"secrets": {

diff --git a/rules/cluster-admin-role/raw.rego b/rules/cluster-admin-role/raw.rego
@@ -3,6 +3,7 @@ package armo_builtins
 import future.keywords.in
 
 # returns subjects with cluster admin role
+# regal ignore:rule-length
 deny[msga] {
 	subjectVector := input[_]
 

diff --git a/rules/enforce-kubelet-client-tls-authentication-updated/raw.rego b/rules/enforce-kubelet-client-tls-authentication-updated/raw.rego
@@ -1,6 +1,6 @@
 package armo_builtins
 
-#CIS 4.2.3 https://workbench.cisecurity.org/sections/1126668/recommendations/1838643
+# CIS 4.2.3 https://workbench.cisecurity.org/sections/1126668/recommendations/1838643
 
 deny[msga] {
 	obj := input[_]

diff --git a/rules/ensure_nodeinstancerole_has_right_permissions_for_ecr/raw.rego b/rules/ensure_nodeinstancerole_has_right_permissions_for_ecr/raw.rego
@@ -31,7 +31,7 @@ deny[msga] {
 	policies.kind == "PolicyVersion"
 	policies.metadata.provider == "eks"
 
-	#node_instance_role_policies := ["arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"]
+	# node_instance_role_policies := ["arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"]
 	some policy in node_instance_role_policies
 		some stat, _ in policies.data.policiesDocuments[policy].Statement
 			not isPolicyCompliant(policies, policy, stat)

diff --git a/rules/etcd-unique-ca/raw.rego b/rules/etcd-unique-ca/raw.rego
@@ -2,7 +2,7 @@ package armo_builtins
 
 import future.keywords.in
 
-#CIS 2.7 https://workbench.cisecurity.org/sections/1126654/recommendations/1838578
+# CIS 2.7 https://workbench.cisecurity.org/sections/1126654/recommendations/1838578
 
 deny[msga] {
 	etcdPod := [pod | pod := input[_]; filter_input(pod, "etcd")]
@@ -39,7 +39,7 @@ filter_input(obj, res) {
 }
 
 get_argument_value(command, argument) = value {
-	args := regex.split("=", command)
+	args := split(command, "=")
 	some i, sprintf("%v", [argument]) in args
 	value := args[i + 1]
 }

diff --git a/rules/exposed-critical-pods/filter.rego b/rules/exposed-critical-pods/filter.rego
@@ -1,5 +1,6 @@
 package armo_builtins
 
+# regal ignore:rule-length
 deny[msga] {
   services := [ x | x = input[_]; x.kind == "Service" ]
   pods     := [ x | x = input[_]; x.kind == "Pod" ]
@@ -9,8 +10,8 @@ deny[msga] {
   service := services[_]
   vuln    := vulns[_]
 
-  # vuln data is relevant 
-  count(vuln.data) > 0 
+  # vuln data is relevant
+  count(vuln.data) > 0
 
   # service is external-facing
   filter_external_access(service)
@@ -33,7 +34,7 @@ deny[msga] {
     "namespace": pod.metadata.namespace
   }
 
-  external_objects = { 
+  external_objects = {
     "apiVersion": "result.vulnscan.com/v1",
     "kind": pod.kind,
     "metadata": metadata,

diff --git a/rules/exposed-critical-pods/raw.rego b/rules/exposed-critical-pods/raw.rego
@@ -1,5 +1,6 @@
 package armo_builtins
 
+# regal ignore:rule-length
 deny[msga] {
   services := [ x | x = input[_]; x.kind == "Service" ]
   pods     := [ x | x = input[_]; x.kind == "Pod" ]
@@ -9,8 +10,8 @@ deny[msga] {
   service := services[_]
   vuln    := vulns[_]
 
-  # vuln data is relevant 
-  count(vuln.data) > 0 
+  # vuln data is relevant
+  count(vuln.data) > 0
 
   # service is external-facing
   filter_external_access(service)
@@ -22,7 +23,7 @@ deny[msga] {
   container := pod.spec.containers[i]
 
   # image has vulnerabilities
-  
+
   container.image == vuln.metadata.name
 
   # At least one critical vulnerabilities
@@ -37,7 +38,7 @@ deny[msga] {
     "namespace": pod.metadata.namespace
   }
 
-  external_objects = { 
+  external_objects = {
     "apiVersion": "result.vulnscan.com/v1",
     "kind": pod.kind,
     "metadata": metadata,

diff --git a/rules/exposed-rce-pods/filter.rego b/rules/exposed-rce-pods/filter.rego
@@ -1,5 +1,6 @@
 package armo_builtins
-
+
+# regal ignore:rule-length
 deny[msga] {
   services := [ x | x = input[_]; x.kind == "Service" ; x.apiVersion == "v1"]
   pods     := [ x | x = input[_]; x.kind == "Pod" ; x.apiVersion == "v1"]
@@ -9,8 +10,8 @@ deny[msga] {
   service := services[_]
   vuln    := vulns[_]
 
-  # vuln data is relevant 
-  count(vuln.data) > 0 
+  # vuln data is relevant
+  count(vuln.data) > 0
 
   # service is external-facing
   filter_external_access(service)
@@ -33,7 +34,7 @@ deny[msga] {
     "namespace": pod.metadata.namespace
   }
 
-  external_objects = { 
+  external_objects = {
     "apiVersion": "result.vulnscan.com/v1",
     "kind": pod.kind,
     "metadata": metadata,