add image-sha check #540
base: main
Conversation
I'm not sure what the test failure here is. Perhaps @janisz can tell me what I'm missing.
You need to regenerate files.
@VedantMahabaleshwarkar test is failing
95d0c1b to b920841
51ef8a0 to b7b01f5
@janisz I'm seeing a failure in the
However, on my local machine I do see the check if I run
I'm having trouble understanding the reason behind the error, I ran
The problem is in the order of tests. Bats tests should be sorted, so you need to move your test after
I'll think about how to make the error message better, as I also needed some time to understand what's wrong. Maybe before making the diff we should check the order.
@janisz Thanks for the help! It worked, all tests are passing now.
@janisz pinging again for a review on this PR
I'm on PTO. I'll take a look next week.
@VedantMahabaleshwarkar Please regenerate files
This PR should only add a new check using existing template latest tag
@janisz hey sorry for the delay. I changed the test to accept
@janisz Can this PR be merged?
scope:
  objectKinds:
    - "Any"
template: "image-sha"
Suggested change:
-template: "image-sha"
+template: "latest-tag"
We could reuse the latest-tag template. Probably we should change its name.
Please reuse existing latest-tag template and not copy it.
- pkg/templates/imageshatag/internal/params/gen-params.go
- pkg/templates/imageshatag/internal/params/params.go
- pkg/templates/imageshatag/template.go
- pkg/templates/imageshatag/template_test.go
diff --git a/e2etests/bats-tests.sh b/e2etests/bats-tests.sh
index 37e0491..d074400 100755
--- a/e2etests/bats-tests.sh
+++ b/e2etests/bats-tests.sh
@@ -359,8 +359,8 @@ get_value_from() {
message2=$(get_value_from "${lines[0]}" '.Reports[1].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[1].Diagnostic.Message')
count=$(get_value_from "${lines[0]}" '.Reports | length')
- [[ "${message1}" == "Deployment: The container \"app\" is using an invalid container image, \"app:v1\". Please reference the image using a SHA256 tag." ]]
- [[ "${message2}" == "DeploymentConfig: The container \"app\" is using an invalid container image, \"app:v1\". Please reference the image using a SHA256 tag." ]]
+ [[ "${message1}" == 'Deployment: The container "app" is using an invalid container image, "app:v1". Please use images that satisfies the `AllowList` criteria : [".*:[a-fA-F0-9]{64}$"]' ]]
+ [[ "${message2}" == 'DeploymentConfig: The container "app" is using an invalid container image, "app:v1". Please use images that satisfies the `AllowList` criteria : [".*:[a-fA-F0-9]{64}$"]' ]]
[[ "${count}" == "2" ]]
}
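Review bot: the updated `message1`/`message2` assertions embed the whole template message, including the literal AllowList regex, so any later change to `params.AllowList` in image-sha.yaml (the review thread proposes `.*@sha256:[a-fA-F0-9]{64}$`) silently breaks both lines; consider matching on the stable prefix `Deployment: The container "app" is using an invalid container image, "app:v1".` or asserting only on Kind and `.Reports | length`. The wording `images that satisfies` is produced by the shared latest-tag template, so the grammar fix belongs there rather than in this test.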
diff --git a/pkg/builtinchecks/yamls/image-sha.yaml b/pkg/builtinchecks/yamls/image-sha.yaml
index dd5eeb8..3aa99a5 100644
--- a/pkg/builtinchecks/yamls/image-sha.yaml
+++ b/pkg/builtinchecks/yamls/image-sha.yaml
@@ -4,6 +4,6 @@ remediation: "Reference all images using their sha256 tags."
scope:
objectKinds:
- "Any"
-template: "image-sha"
+template: "latest-tag"
params:
AllowList: [".*:[a-fA-F0-9]{64}$"]
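Review bot: `AllowList: [".*:[a-fA-F0-9]{64}$"]` accepts `app:<64 hex>`, which is an ordinary mutable tag that merely looks like a digest, so the check does not actually guarantee an immutable image; a content-addressed reference has the form `image@sha256:<64 hex>`, as the review comments note, so `AllowList: [".*@sha256:[a-fA-F0-9]{64}$"]` is the pattern to ship, and the `remediation` line's "sha256 tags" should say digests. Since `template` now points at `latest-tag`, a one-line comment in the yaml that this check runs in allowlist mode (image must match) would save readers from expecting blocklist semantics.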
diff --git a/pkg/templates/all/all.go b/pkg/templates/all/all.go
index 9e0056d..db88467 100644
--- a/pkg/templates/all/all.go
+++ b/pkg/templates/all/all.go
@@ -24,7 +24,6 @@ import (
_ "golang.stackrox.io/kube-linter/pkg/templates/hostpid"
_ "golang.stackrox.io/kube-linter/pkg/templates/hpareplicas"
_ "golang.stackrox.io/kube-linter/pkg/templates/imagepullpolicy"
- _ "golang.stackrox.io/kube-linter/pkg/templates/imageshatag"
_ "golang.stackrox.io/kube-linter/pkg/templates/latesttag"
_ "golang.stackrox.io/kube-linter/pkg/templates/livenessprobe"
_ "golang.stackrox.io/kube-linter/pkg/templates/memoryrequirements"
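Review bot: dropping the blank import unregisters the `imageshatag` template, and the file list shows the whole `pkg/templates/imageshatag` package being deleted; confirm nothing else (generated docs, check listings, the `image-sha` yaml now pointing at `latest-tag`) still references the old template name, and regenerate the files as requested in the thread so the generated template and check listings match the source.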
spec:
  containers:
    - name: app
      image: app:75bf9b911b6481dcf29f7942240d1555adaa607eec7fc61bedb7f624f87c36d4
is this a valid format? I thought it should have sha256 prefix
    - "Any"
template: "image-sha"
params:
  AllowList: [".*:[a-fA-F0-9]{64}$"]
Suggested change:
-AllowList: [".*:[a-fA-F0-9]{64}$"]
+AllowList: [".*@sha256:[a-fA-F0-9]{64}$"]
ping
Implementation for #539
Code is pretty similar to the latest-tag check, as the intent behind the checks is pretty similar. The image-sha check implements an AllowList regex instead of a blocklist that verifies if the images have a sha tag.
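The allowlist semantics described above, and the tag-versus-digest question raised in the review comments, as an added Go example that is not kube-linter's code. `Container`, `Finding`, `CheckContainers` and the sample pod images are constructed for this illustration (the 64-hex value is the one from the PR's test fixture); `TagHexAllowList` is the regex from the PR's image-sha.yaml and `DigestAllowList` is the `@sha256:` form proposed in review. Running both over the same containers shows that the PR's pattern also accepts `app:<64 hex>`, a mutable tag, while only the `@sha256:` pattern limits matches to digest references.

```go
package main

import (
	"fmt"
	"regexp"
)

// Container is a (name, image) pair as it would be read from a pod spec.
type Container struct {
	Name  string
	Image string
}

// Finding is one diagnostic: a container whose image matched no allowlist pattern.
type Finding struct {
	Container string
	Image     string
	Message   string
}

// Allowlist patterns from the PR thread. TagHexAllowList is the regex in the
// PR's image-sha.yaml; DigestAllowList is the `@sha256:` form proposed in review.
const (
	TagHexAllowList = `.*:[a-fA-F0-9]{64}$`
	DigestAllowList = `.*@sha256:[a-fA-F0-9]{64}$`
)

// compileAllowList compiles every pattern up front so a malformed regex is
// reported once, before any container is evaluated.
func compileAllowList(patterns []string) ([]*regexp.Regexp, error) {
	res := make([]*regexp.Regexp, 0, len(patterns))
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("invalid AllowList pattern %q: %w", p, err)
		}
		res = append(res, re)
	}
	return res, nil
}

// CheckContainers applies allowlist semantics: an image passes only if at
// least one pattern matches, and everything else is reported. This is the
// inverse of a blocklist, where an image fails only if some pattern matches.
func CheckContainers(containers []Container, allowList []string) ([]Finding, error) {
	res, err := compileAllowList(allowList)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, c := range containers {
		allowed := false
		for _, re := range res {
			if re.MatchString(c.Image) {
				allowed = true
				break
			}
		}
		if !allowed {
			findings = append(findings, Finding{
				Container: c.Name,
				Image:     c.Image,
				Message: fmt.Sprintf("The container %q is using an invalid container image, %q. Please use images that satisfy the AllowList criteria: %v",
					c.Name, c.Image, allowList),
			})
		}
	}
	return findings, nil
}

// sampleContainers is constructed input: "app:v1" and the "latest" reference
// are illustrative; the 64-hex value is the one from the PR's test fixture.
var sampleContainers = []Container{
	{Name: "app", Image: "app:v1"},
	{Name: "tagged", Image: "app:75bf9b911b6481dcf29f7942240d1555adaa607eec7fc61bedb7f624f87c36d4"},
	{Name: "pinned", Image: "app@sha256:75bf9b911b6481dcf29f7942240d1555adaa607eec7fc61bedb7f624f87c36d4"},
	{Name: "latest", Image: "registry.example.invalid:5000/app:latest"},
}

func main() {
	for _, al := range []string{TagHexAllowList, DigestAllowList} {
		findings, err := CheckContainers(sampleContainers, []string{al})
		if err != nil {
			panic(err)
		}
		fmt.Printf("AllowList %s -> %d finding(s)\n", al, len(findings))
		for _, f := range findings {
			fmt.Printf("  %s: %s\n", f.Container, f.Image)
		}
	}
}
```

With `TagHexAllowList` the "tagged" container passes even though `app:<hex>` is a tag that a registry can repoint; with `DigestAllowList` it is reported alongside "app" and "latest", and only the `@sha256:` reference passes, which is the behaviour a digest-pinning check should have.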