Fix: artifact commands failing due to incorrect userAgent formatting

santoshkal · santoshkal · commit 7b753fd2b69a · 2024-06-03T23:45:03.000+05:30
Signed-off-by: Santosh &lt;ksantosh@intelops.dev&gt;
diff --git a/pkg/utils/utils.go b/pkg/utils/utils.go
@@ -425,5 +425,6 @@ func GetVersion() (string, error) {
 	if err != nil {
 		return "", fmt.Errorf("error running git describe: %v", err)
 	}
-	return string(version), nil
+	userAgent := fmt.Sprintf("intelops/genval: %s", string(version))
+	return strings.ReplaceAll(userAgent, "\n", ""), nil
 }
diff --git a/templates/defaultpolicies/contest.rego b/templates/defaultpolicies/contest.rego
@@ -0,0 +1,15 @@
+package main
+
+deny[msg] {
+  input.kind == "Deployment"
+  not input.spec.template.spec.securityContext.runAsNonRoot
+
+  msg := "Containers must not run as root"
+}
+
+deny[msg] {
+  input.kind == "Deployment"
+  not input.spec.selector.matchLabels.app
+
+  msg := "Containers must provide app label for pod selectors"
+}
diff --git a/templates/defaultpolicies/rego/k8s/deny_latest/deny_latest.json b/templates/defaultpolicies/rego/k8s/deny_latest/deny_latest.json
@@ -0,0 +1,12 @@
+{
+  "name": "DenyLatest",
+  "policy_file": "k8s.rego",
+  "policy_name": "deny_latest",
+  "severity": "High",
+  "Description": "Ensure Image does not use 'latest' tag",
+  "Benchmark": "CIS-4.9",
+  "Category": "Infrastructure security"
+}
+
+
+
diff --git a/templates/defaultpolicies/rego/k8s/deny_latest/deny_latest.rego b/templates/defaultpolicies/rego/k8s/deny_latest/deny_latest.rego
@@ -0,0 +1,48 @@
+package validate_k8s
+
+import rego.v1
+
+
+deny_latest contains msg if {
+input.kind ==	"Deployment"
+c:= input.spec.template.spec.containers[i].image
+not endswith(c, "latest")
+msg:= "Image does not use 'latest' tag"
+}
+
+# deny_secret contains msg if {
+#     input.kind == "Deployment"
+#     container := input.spec.template.spec.containers[_]
+#     not container.envFrom
+#     msg:= "Deployment does not use 'envFrom'"
+# }
+
+# deny_secret contains msg if {
+#     input.kind == "Deployment"
+#     container := input.spec.template.spec.containers[_]
+#     env := container.envFrom[_]
+#     not env.secretRef
+#     msg:= "Deployment does not use 'secretRef' in ENV"
+# 	}
+
+# deny_secret contains msg if {
+#     input.kind == "Deployment"
+#     container := input.spec.template.spec.containers[_]
+#     env := container.env[_]
+# 	env.valueFrom != []
+#     msg:= "Deployment does not use 'valueFrom' in ENV"
+# }
+
+# deny_priviliged_pod contains msg if {
+# 	input.kind == "Deployment"
+# 	not input.spec.template.spec.securityContext
+#     msg:= "Deployment does not use priviliged pod"
+# }
+
+# deny_priviliged_pod contains msg if {
+# 	input.kind == "Deployment"
+# 	podSpec := input.spec.template.spec.securityContext
+
+# 	not podSpec.priviliged
+#     msg:= "Deployment does not use priviliged pod"
+# }
diff --git a/templates/defaultpolicies/rego/k8s/deny_secret/deny_secret.json b/templates/defaultpolicies/rego/k8s/deny_secret/deny_secret.json
@@ -0,0 +1,9 @@
+{
+  "name": "DenySecret",
+  "policy_file": "k8s.rego",
+  "policy_name": "deny_priviliged_pod",
+  "severity": "High",
+  "Description": "Ensure Deployment does not use 'secretRef' in ENV",
+  "Benchmark": "CIS-4.9",
+  "Category": "Infrastructure security"
+}
diff --git a/templates/defaultpolicies/rego/k8s/deny_secret/deny_secret.rego b/templates/defaultpolicies/rego/k8s/deny_secret/deny_secret.rego
@@ -0,0 +1,48 @@
+package validate_k8s
+
+import rego.v1
+
+
+# deny_latest contains msg if {
+# input.kind ==	"Deployment"
+# c:= input.spec.template.spec.containers[i].image
+# not endswith(c, "latest")
+# msg:= "Image does not use 'latest' tag"
+# }
+
+# deny_secret contains msg if {
+#     input.kind == "Deployment"
+#     container := input.spec.template.spec.containers[_]
+#     not container.envFrom
+#     msg:= "Deployment does not use 'envFrom'"
+# }
+
+# deny_secret contains msg if {
+#     input.kind == "Deployment"
+#     container := input.spec.template.spec.containers[_]
+#     env := container.envFrom[_]
+#     not env.secretRef
+#     msg:= "Deployment does not use 'secretRef' in ENV"
+# 	}
+
+# deny_secret contains msg if {
+#     input.kind == "Deployment"
+#     container := input.spec.template.spec.containers[_]
+#     env := container.env[_]
+# 	env.valueFrom != []
+#     msg:= "Deployment does not use 'valueFrom' in ENV"
+# }
+
+deny_priviliged_pod contains msg if {
+	input.kind == "Deployment"
+	not input.spec.template.spec.securityContext
+    msg:= "Deployment does not use priviliged pod"
+}
+
+# deny_priviliged_pod contains msg if {
+# 	input.kind == "Deployment"
+# 	podSpec := input.spec.template.spec.securityContext
+
+# 	not podSpec.priviliged
+#     msg:= "Deployment does not use priviliged pod"
+# }

Original file line number	Diff line number	Diff line change
`@@ -425,5 +425,6 @@ func GetVersion() (string, error) {`
`425`	`425`	`if err != nil {`
`426`	`426`	`return "", fmt.Errorf("error running git describe: %v", err)`
`427`	`427`	`}`
`428`		`- return string(version), nil`
	`428`	`+ userAgent := fmt.Sprintf("intelops/genval: %s", string(version))`
	`429`	`+ return strings.ReplaceAll(userAgent, "\n", ""), nil`
`429`	`430`	`}`