@@ -17,6 +17,23 @@ class ApkNoCacheApkNoCacheValidatorTest : TestCase() {
1717 assertTrue(ApkNoCacheValidator .isValid(multiLineValid))
1818 assertTrue(ApkNoCacheValidator .isValid(" RUN ./autoupdate-script.sh" ))
1919 assertTrue(ApkNoCacheValidator .isValid(" RUN apk add --no-cache git" ))
20+ // BuildKit cache mount cases — no --no-cache required (fixing DFS030 false positive)
21+ assertTrue(ApkNoCacheValidator .isValid(" RUN --mount=type=cache,target=/var/cache/apk apk add curl git" ))
22+ assertTrue(ApkNoCacheValidator .isValid(" RUN --mount=type=cache,target=/var/cache/apk/ apk add curl" ))
23+ assertTrue(ApkNoCacheValidator .isValid(" RUN --mount=type=cache,target=\" /var/cache/apk\" apk add curl" ))
24+ assertTrue(ApkNoCacheValidator .isValid(" RUN --mount=type=cache,target=/var/cache/apk,sharing=locked,id=apk apk add curl" ))
25+ assertTrue(ApkNoCacheValidator .isValid(" RUN --mount=type=cache,id=apk,target=/var/cache/apk apk add curl" ))
26+ assertTrue(ApkNoCacheValidator .isValid(" RUN --mount=type=secret,id=x --mount=type=cache,target=/var/cache/apk apk add curl" ))
27+ val multiLineMount =
28+ """
29+ RUN --mount=type=cache,target=/var/cache/apk \
30+ apk add curl git
31+ """ .trimIndent()
32+ assertTrue(ApkNoCacheValidator .isValid(multiLineMount))
33+ // Both mount and --no-cache present — must remain valid without double-detection
34+ assertTrue(ApkNoCacheValidator .isValid(" RUN --mount=type=cache,target=/var/cache/apk apk add --no-cache curl" ))
35+ // Mount covers apk update too
36+ assertTrue(ApkNoCacheValidator .isValid(" RUN --mount=type=cache,target=/var/cache/apk apk update && apk add curl" ))
2037 }
2138
2239 fun testInvalidCommands () {
@@ -33,5 +50,12 @@ class ApkNoCacheApkNoCacheValidatorTest : TestCase() {
3350 assertFalse(ApkNoCacheValidator .isValid(multiLineInvalid))
3451 assertFalse(ApkNoCacheValidator .isValid(" apk add --no-cache git" ))
3552 assertFalse(ApkNoCacheValidator .isValid(" " ))
53+ // Mount present but wrong target — still invalid
54+ assertFalse(ApkNoCacheValidator .isValid(" RUN --mount=type=cache,target=/root/.cache apk add curl" ))
55+ // Wrong mount type — only type=cache exempts
56+ assertFalse(ApkNoCacheValidator .isValid(" RUN --mount=type=bind,target=/var/cache/apk apk add curl" ))
57+ assertFalse(ApkNoCacheValidator .isValid(" RUN --mount=type=tmpfs,target=/var/cache/apk apk add curl" ))
58+ // Cache mount + explicit rm defeats caching — still invalid
59+ assertFalse(ApkNoCacheValidator .isValid(" RUN --mount=type=cache,target=/var/cache/apk apk add curl && rm -rf /var/cache/apk/*" ))
3660 }
3761}
0 commit comments