
How to consume regex in the custom policies (python based)-Dockerfile

Open 1632711 opened this issue 3 years ago • 7 comments

Are there any examples available of basic Python code that consumes a regex pattern? We tried this code (https://github.com/bridgecrewio/checkov/blob/2.0.1131/checkov/dockerfile/checks/WorkdirIsAbsolute.py), but it's not working, and we understand that it is deprecated. Could you please provide some other solutions?

1632711 avatar May 12 '22 07:05 1632711

hi @1632711 I'm not sure if I understand your question. Do you just want to write a check which uses somewhere re.match(pattern, some_string)? You can do anything you like inside the Python code 🙂 And the mentioned check is not deprecated as far as I know.

gruebel avatar May 12 '22 07:05 gruebel

import re

from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.dockerfile.base_dockerfile_check import BaseDockerfileCheck

PATTERN = re.compile(r"\s*(chmod)\s*(.)\s(777)(.*)")


class RunChmod(BaseDockerfileCheck):
    def __init__(self):
        name = "Ensure no chmod 777 command used in the Dockerfile"
        id = "CKV_DOCKER_07"
        supported_instructions = ["RUN"]
        categories = [CheckCategories.APPLICATION_SECURITY]
        super().__init__(name=name, id=id, categories=categories, supported_instructions=supported_instructions)

    def scan_entity_conf(self, conf):
        for mydir in conf:
            mypath = mydir["value"]
            if not re.match(PATTERN, mypath):
                return CheckResult.FAILED, mydir
        return CheckResult.PASSED, None


check = RunChmod()

O/P -

Check: CKV_DOCKER_07: "Ensure no chmod 777 command used in the Dockerfile"
        FAILED for resource: tests/Dockerfile.RUN
        File: tests/Dockerfile:2-2

                2 | RUN apk --no-cache add nginx

As per the regex it should match the lines that contain chmod, but it is not working as expected.

1632711 avatar May 12 '22 07:05 1632711

Can you share the whole Dockerfile which you try to scan? Easier to debug 😄

gruebel avatar May 12 '22 08:05 gruebel

RUN chmod 777 sample/etc/
RUN CHMOD 777 etc/project/
RUN chmod -R 777 sample/project/
RUN CHMOD +R 777 /sample/folder
RUN apk --no-cache add nginx
RUN chmod -r 777 / usr/local/etc/
RUN chmod +R 765 /sample/folder

This is the content of the Dockerfile which I used.

1632711 avatar May 12 '22 09:05 1632711

Will you be able to support the above requirement?

karthickmuthuraj avatar May 13 '22 06:05 karthickmuthuraj

Sure, we do. Here is the full example to achieve what you want 🙂

import re

from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.dockerfile.base_dockerfile_check import BaseDockerfileCheck

# the inline flag (?i) has to be the very first thing in the pattern:
# Python 3.11+ rejects a global flag placed anywhere else
PATTERN = re.compile(r"(?i)\s*chmod\s*.{0,2}\s777.*")


class RunChmod777(BaseDockerfileCheck):
    def __init__(self):
        """
        Apt interface is less stable than apt-get and so this preferred
        """
        name = "Ensure no chmod 777 used"
        id = "CKV_DOCKER_12"
        supported_instructions = ["RUN"]
        categories = [CheckCategories.APPLICATION_SECURITY]
        super().__init__(name=name, id=id, categories=categories, supported_instructions=supported_instructions)

    def scan_entity_conf(self, conf):
        output = []

        for run in conf:
            value = run["value"]
            if re.match(PATTERN, value):
                output.append(run)

        if output:
            return CheckResult.FAILED, output

        return CheckResult.PASSED, None


check = RunChmod777()

This results in:

$ checkov -d example --check CKV_DOCKER_12

       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  
                                      
By bridgecrew.io | version: 2.0.1124 


dockerfile scan results:

Passed checks: 0, Failed checks: 5, Skipped checks: 0

Check: CKV_DOCKER_12: "Ensure no chmod 777 used"
        FAILED for resource: /Dockerfile.RUN
        File: /Dockerfile:3-3

                3 | RUN chmod 777 sample/etc/

Check: CKV_DOCKER_12: "Ensure no chmod 777 used"
        FAILED for resource: /Dockerfile.RUN
        File: /Dockerfile:4-4

                4 | RUN CHMOD 777 etc/project/

Check: CKV_DOCKER_12: "Ensure no chmod 777 used"
        FAILED for resource: /Dockerfile.RUN
        File: /Dockerfile:5-5

                5 | RUN chmod -R 777 sample/project/

Check: CKV_DOCKER_12: "Ensure no chmod 777 used"
        FAILED for resource: /Dockerfile.RUN
        File: /Dockerfile:6-6

                6 | RUN CHMOD +R 777 /sample/folder

Check: CKV_DOCKER_12: "Ensure no chmod 777 used"
        FAILED for resource: /Dockerfile.RUN
        File: /Dockerfile:8-8

                8 | RUN chmod -r 777 / usr/local/etc/

@1632711 the regex was a bit off, so I adjusted it and I also adjusted the code to output all the findings, otherwise it will only output the first one. I hope this helps 😄

gruebel avatar May 13 '22 08:05 gruebel
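As an added example (not code from this thread and not checkov's own code), here is the matching logic of the answer above run over the Dockerfile posted in the thread, together with a minimal Dockerfile reader so it runs without checkov installed. The sample Dockerfile text, the function names and the `anywhere` switch are assumptions made for this example; the regex is the one from the answer with `(?i)` moved to the front of the pattern.

```python
import re

# Regex from the answer above, with the (?i) flag moved to the front of the
# pattern: Python 3.11+ rejects a global inline flag that is not at the start.
CHMOD_777 = re.compile(r"(?i)\s*chmod\s*.{0,2}\s777.*")

# Constructed sample: the Dockerfile posted in this thread plus one chained RUN
# (the last instruction) that puts the chmod behind "&&". Not a real project file.
SAMPLE_DOCKERFILE = """\
FROM alpine:3.15
RUN chmod 777 sample/etc/
RUN CHMOD 777 etc/project/
RUN chmod -R 777 sample/project/
RUN CHMOD +R 777 /sample/folder
RUN apk --no-cache add nginx
RUN chmod -r 777 / usr/local/etc/
RUN chmod +R 765 /sample/folder
RUN apk add curl && \\
    chmod 777 /tmp/cache
"""


def logical_lines(text):
    """Yield Dockerfile instructions with backslash continuations joined and
    blank/comment lines dropped. A deliberately small reader written for this
    example; it is not checkov's Dockerfile parser."""
    buf = ""
    for raw in text.splitlines():
        piece = raw.strip()
        buf = f"{buf} {piece}" if buf else piece
        if buf.endswith("\\"):
            buf = buf[:-1].rstrip()
            continue
        if buf and not buf.startswith("#"):
            yield buf
        buf = ""
    if buf and not buf.startswith("#"):
        yield buf


def run_values(text):
    """Return the argument string of every RUN instruction, i.e. the string the
    thread's check reads as run["value"] for supported_instructions=["RUN"]."""
    values = []
    for line in logical_lines(text):
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "RUN":
            values.append(parts[1])
    return values


def chmod_777_findings(values, anywhere=False):
    """Mirror of the check's loop: collect every RUN value the pattern flags.
    anywhere=False uses re.match like the answer (the pattern must hold from the
    start of the RUN argument); anywhere=True uses re.search, so a chmod that
    follows '&&' or ';' in a chained command is flagged as well."""
    matcher = CHMOD_777.search if anywhere else CHMOD_777.match
    return [v for v in values if matcher(v)]


if __name__ == "__main__":
    values = run_values(SAMPLE_DOCKERFILE)
    for label, hits in (("re.match", chmod_777_findings(values)),
                        ("re.search", chmod_777_findings(values, anywhere=True))):
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print("    RUN", hit)
```

With `re.match` the result is the same five findings checkov printed above; the chained `apk add curl && chmod 777 /tmp/cache` is only caught by the `re.search` variant, because `re.match` anchors the pattern at the start of the RUN argument. Note also that the pattern as written does not flag `chmod 0777` or symbolic modes such as `a+rwx`; widen it deliberately if those matter for your policy.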

Thank you 😊


karthickmuthuraj avatar May 14 '22 02:05 karthickmuthuraj