-
trivy【3】自定义扫描策略
1. 简介
您可以在Rego中编写自定义策略。完成编写自定义策略后,您可以通过选项传递存储这些策略的目录–policy。
trivy conf --policy /path/to/custom_policies --namespaces user /path/to/config_dir- 1
2. 文件格式
如果文件名与以下文件模式匹配,Trivy 将解析该文件并将其作为输入传递给您的 Rego 策略。
文件格式 文件模式 JSON *.json YAML .yaml和.yml Dockerfile Dockerfile, Dockerfile., 和.Dockerfile Containerfile Containerfile, Containerfile., 和.Containerfile Terraform .tf和.tf.json 3. 配置语言
在上述通用文件格式中,Trivy 会自动识别以下类型的配置文件:
CloudFormation(JSON/YAML)Kubernetes(JSON/YAML)Helm(YAML)Terraform Plan(JSON)
4. Rego 格式
一个包必须只包含一个策略。
package user.kubernetes.ID001 import lib.result __rego_metadata__ := { "id": "ID001", "title": "Deployment not allowed", "severity": "LOW", "description": "Deployments are not allowed because of some reasons.", } __rego_input__ := { "selector": [ {"type": "kubernetes"}, ], } deny[res] { input.kind == "Deployment" msg := sprintf("Found deployment '%s' but deployments are not allowed", [input.metadata.name]) res := result.new(msg, input) }- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
在此示例中,ID001“不允许部署”在 下定义
user.kubernetes.ID001。如果添加新的自定义策略,则必须在新包下定义它,例如user.kubernetes.ID002.5. rego 结构
-
package(必需的)- 必须遵循 Rego 的规范
- 每个政策必须是唯一的
- 应包含唯一性的策略 ID
- 可以包括组名,例如kubernetes为了清楚起见
- 组名对策略评估没有影响
-
import data.lib.result(可选的)
如果您想用行号和代码突出显示来修饰您的结果,可以定义 -
__rego_metadata__(可选的)
为了清楚起见,应该定义这些值,因为这些值将显示在扫描结果中 -
__rego_input__(可选的)
当你想指定输入格式时可以定义 -
deny(必需的)
应该是deny或开始于deny_
尽管warn,warn_*,violation,violation_也适用于兼容性,但deny建议使用严重性,因为可以__rego_metadata__.
应返回以下之一:
调用的结果result.new(msg, cause)。msg是string描述问题发生的描述,cause是发生问题的属性/对象。提供这一点允许 Trivy 确定行号并突出显示输出中的代码。
A string表示检测到的问题
虽然objectwithmsg字段被接受,但其他字段被丢弃,string如果result.new()不使用,建议使用。
例如{"msg": "deny message", "details": "something"}
5.1 Package
user.kubernetes.ID001- 1
默认情况下,只会
builtin.*评估包。如果您定义自定义包,则必须通过--namespaces选项指定包前缀。trivy conf --policy /path/to/custom_policies --namespaces user /path/to/config_dir- 1
在这种情况下,
user.*将进行评估。允许使用任何包前缀,例如main和user5.2 Metadata
元数据有助于用有用的信息丰富 Trivy 的扫描结果。
__rego_metadata__ := { "id": "ID001", "title": "Deployment not allowed", "severity": "LOW", "description": "Deployments are not allowed because of some reasons.", "recommended_actions": "Remove Deployment", "url": "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", }- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
下面的所有字段
__rego_metadata__都是可选的。字段名称 允许值 默认值 在表中 在 JSON 中 id 任何字符 不适用 yes yes title 任何字符 不适用 yes yes severity LOW, MEDIUM, HIGH,CRITICAL 未知 yes yes description 任何字符 no yes recommended_actions 任何字符 no yes url 任何字符 no yes 某些字段会显示在扫描结果中。
k.yaml (kubernetes) ─────────────────── Tests: 32 (SUCCESSES: 31, FAILURES: 1, EXCEPTIONS: 0) Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0) LOW: Found deployment 'my-deployment' but deployments are not allowed ════════════════════════════════════════════════════════════════════════ Deployments are not allowed because of some reasons. ──────────────────────────────────────────────────────────────────────── k.yaml:1-2 ──────────────────────────────────────────────────────────────────────── 1 ┌ apiVersion: v1 2 └ kind: Deployment ────────────────────────────────────────────────────────────────────────- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
5.3 Input
您可以通过 指定输入格式
__rego_input__。下面的所有字段__rego_input都是可选的。__rego_input__ := { "combine": false, "selector": [ {"type": "kubernetes"}, ], }- 1
- 2
- 3
- 4
- 5
- 6
combine(boolean)设置为 true 时,指定目录下的所有配置文件合并为一个输入数据结构。selector(array)此选项按文件格式或配置语言过滤输入。在上面的示例中,Trivy 仅将 Kubernetes
文件传递给此策略。即使指定目录中存在 Dockerfile,它也不会作为输入传递给策略。当 Kubernetes
等配置语言未识别时,会使用 JSON 等文件格式作为type. 当识别出一种配置语言时,它将覆盖type.type接受kubernetes, dockerfile, cloudformation, terraform,terraformplan, json, 或yaml.
在“combine”模式下,input文档变成一个数组,其中每个元素都是一个具有两个字段的对象:
- “
path”: “path/to/file”:相应文件的相对文件路径 - “
contents”: …:相应文件的解析内容
现在,您可以确保重复值在整个配置文件中匹配。
5.4 Return value
在“combine”模式下,deny入口点必须返回一个带有两个键的对象
filepath(必需的):正在评估的文件的相对文件路径msg(必需的):描述问题的消息
deny[res] { resource := input[i].contents ... some logic ... res := { "filepath": input[i].path, "msg": "something bad", } }- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
6. 自定义 data
自定义策略可能需要额外的数据才能确定答案。
例如,允许创建的资源列表。Trivy 允许将路径传递到带有
--data标志的数据文件,而不是在策略中硬编码这些信息。给定以下 yaml 文件
$ cd examples/misconf/custom-data $ cat data/ports.yaml [~/src/github.com/aquasecurity/trivy/examples/misconf/custom-data] services: ports: - "20" - "20/tcp" - "20/udp" - "23" - "23/tcp"- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
这可以导入您的策略:
import data.services ports := services.ports- 1
- 2
- 3
然后,您需要通过
--data选项传递数据路径。Trivy 递归搜索JSON ( *.json)和YAML ( *.yaml)文件的指定路径。$ trivy conf --policy ./policy --data data --namespaces user ./configs- 1
6. rego 测试
为了帮助您验证自定义策略的正确性,OPA 为您提供了一个框架,您可以使用该框架为您的策略编写测试。通过为您的自定义策略编写测试,您可以加快新规则的开发过程,并减少随着需求的发展而修改规则所需的时间。
有关更多详细信息,请参阅策略测试。
Trivy 的核心库Fanal可以作为 Go 库导入。您可以扫描 Go 中的配置文件并使用 Go 的测试方法(例如表驱动测试)测试您的自定义策略。这允许您使用实际的配置文件作为输入,从而轻松准备测试数据并确保您的自定义策略在实践中有效。
特别是 Dockerfile 和 HCL 需要转换为结构化数据作为输入,这可能与预期的输入格式不同。
我们建议同时编写 OPA 和 Go 测试,因为它们具有不同的角色,例如单元测试和集成测试。
以下示例将允许和拒绝的配置文件存储在目录中。
Successes包含成功的结果,也Failures包含失败的结果。{ name: "disallowed ports", input: "configs/", fields: fields{ policyPaths: []string{"policy"}, dataPaths: []string{"data"}, namespaces: []string{"user"}, }, want: []types.Misconfiguration{ { FileType: types.Dockerfile, FilePath: "Dockerfile.allowed", Successes: types.MisconfResults{ { Namespace: "user.dockerfile.ID002", PolicyMetadata: types.PolicyMetadata{ ID: "ID002", Type: "Docker Custom Check", Title: "Disallowed ports exposed", Severity: "HIGH", }, }, }, }, { FileType: types.Dockerfile, FilePath: "Dockerfile.denied", Failures: types.MisconfResults{ { Namespace: "user.dockerfile.ID002", Message: "Port 23 should not be exposed", PolicyMetadata: types.PolicyMetadata{ ID: "ID002", Type: "Docker Custom Check", Title: "Disallowed ports exposed", Severity: "HIGH", }, }, }, }, }, },- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
Dockerfile.allowed有一个成功的结果Successes,而Dockerfile.denied有一个失败的结果Failures。7. debug 策略
在处理更复杂的查询时(或在学习 Rego 时),准确了解策略是如何应用的很有用。为此,您可以使用该–trace标志。这将从 Open Policy Agent 输出一个大的跟踪,只有失败的策略才会显示痕迹。如果要调试已通过的策略,则需要故意使其失败。如下所示:
$ trivy conf --trace configs/ 2022-05-16T13:47:58.853+0100 INFO Detected config files: 1 Dockerfile (dockerfile) ======================= Tests: 23 (SUCCESSES: 21, FAILURES: 2, EXCEPTIONS: 0) Failures: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0) MEDIUM: Specify a tag in the 'FROM' statement for image 'alpine' ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated. See https://avd.aquasec.com/misconfig/ds001 ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── Dockerfile:1 ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 1 [ FROM alpine:latest ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── HIGH: Last USER command in Dockerfile should not be 'root' ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. See https://avd.aquasec.com/misconfig/ds002 ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── Dockerfile:3 ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 3 [ USER root ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── ID: DS001 File: Dockerfile Namespace: builtin.dockerfile.DS001 Query: data.builtin.dockerfile.DS001.deny Message: Specify a tag in the 'FROM' statement for image 'alpine' TRACE Enter data.builtin.dockerfile.DS001.deny = _ TRACE | Eval data.builtin.dockerfile.DS001.deny = _ TRACE | Index data.builtin.dockerfile.DS001.deny (matched 1 rule) TRACE | Enter data.builtin.dockerfile.DS001.deny TRACE | | Eval output = data.builtin.dockerfile.DS001.fail_latest[_] TRACE | | Index data.builtin.dockerfile.DS001.fail_latest (matched 1 rule) TRACE | | Enter data.builtin.dockerfile.DS001.fail_latest TRACE | | | Eval output = data.builtin.dockerfile.DS001.image_tags[_] TRACE | | | Index data.builtin.dockerfile.DS001.image_tags (matched 2 rules) TRACE | | | Enter data.builtin.dockerfile.DS001.image_tags TRACE | | | | Eval from = data.lib.docker.from[_] TRACE | | | | Index data.lib.docker.from (matched 1 rule) TRACE | | | | Enter data.lib.docker.from TRACE | | | | | Eval instruction = input.stages[_][_] TRACE | | | | | Eval instruction.Cmd = "from" TRACE | | | | | Exit data.lib.docker.from TRACE | | | | Redo data.lib.docker.from TRACE | | | | | Redo instruction.Cmd = "from" TRACE | | | | | Redo instruction = input.stages[_][_] TRACE | | | | | Eval instruction.Cmd = "from" TRACE | | | | | Fail instruction.Cmd = "from" TRACE | | | | | Redo instruction = input.stages[_][_] TRACE | | | | | Eval instruction.Cmd = "from" TRACE | | | | | Fail instruction.Cmd = "from" TRACE | | | | | Redo instruction = input.stages[_][_] TRACE | | | | Eval name = from.Value[0] TRACE | | | | Eval not startswith(name, "$") TRACE | | | | Enter startswith(name, "$") TRACE | | | | | Eval startswith(name, "$") TRACE | | | | | Fail startswith(name, "$") TRACE | | | | Eval data.builtin.dockerfile.DS001.parse_tag(name, __local505__) TRACE | | | | Index data.builtin.dockerfile.DS001.parse_tag (matched 2 rules) TRACE | | | | Enter data.builtin.dockerfile.DS001.parse_tag TRACE | | | | | Eval split(name, ":", __local504__) TRACE | | | | | Eval [img, tag] = __local504__ TRACE | | | | | Exit data.builtin.dockerfile.DS001.parse_tag TRACE | | | | Eval [img, tag] = __local505__ TRACE | | | | Eval output = {"cmd": from, "img": img, "tag": tag} TRACE | | | | Exit data.builtin.dockerfile.DS001.image_tags TRACE | | | Redo data.builtin.dockerfile.DS001.image_tags TRACE | | | | Redo output = {"cmd": from, "img": img, "tag": tag} TRACE | | | | Redo [img, tag] = __local505__ TRACE | | | | Redo data.builtin.dockerfile.DS001.parse_tag(name, __local505__) TRACE | | | | Redo data.builtin.dockerfile.DS001.parse_tag TRACE | | | | | Redo [img, tag] = __local504__ TRACE | | | | | Redo split(name, ":", __local504__) TRACE | | | | Enter data.builtin.dockerfile.DS001.parse_tag TRACE | | | | | Eval tag = "latest" TRACE | | | | | Eval not contains(img, ":") TRACE | | | | | Enter contains(img, ":") TRACE | | | | | | Eval contains(img, ":") TRACE | | | | | | Exit contains(img, ":") TRACE | | | | | Redo contains(img, ":") TRACE | | | | | | Redo contains(img, ":") TRACE | | | | | Fail not contains(img, ":") TRACE | | | | | Redo tag = "latest" TRACE | | | | Redo name = from.Value[0] TRACE | | | | Redo from = data.lib.docker.from[_] TRACE | | | Enter data.builtin.dockerfile.DS001.image_tags TRACE | | | | Eval from = data.lib.docker.from[i] TRACE | | | | Index data.lib.docker.from (matched 1 rule) TRACE | | | | Eval name = from.Value[0] TRACE | | | | Eval cmd_obj = input.stages[j][k] TRACE | | | | Eval possibilities = {"arg", "env"} TRACE | | | | Eval cmd_obj.Cmd = possibilities[l] TRACE | | | | Fail cmd_obj.Cmd = possibilities[l] TRACE | | | | Redo possibilities = {"arg", "env"} TRACE | | | | Redo cmd_obj = input.stages[j][k] TRACE | | | | Eval possibilities = {"arg", "env"} TRACE | | | | Eval cmd_obj.Cmd = possibilities[l] TRACE | | | | Fail cmd_obj.Cmd = possibilities[l] TRACE | | | | Redo possibilities = {"arg", "env"} TRACE | | | | Redo cmd_obj = input.stages[j][k] TRACE | | | | Eval possibilities = {"arg", "env"} TRACE | | | | Eval cmd_obj.Cmd = possibilities[l] TRACE | | | | Fail cmd_obj.Cmd = possibilities[l] TRACE | | | | Redo possibilities = {"arg", "env"} TRACE | | | | Redo cmd_obj = input.stages[j][k] TRACE | | | | Redo name = from.Value[0] TRACE | | | | Redo from = data.lib.docker.from[i] TRACE | | | Eval __local752__ = output.img TRACE | | | Eval neq(__local752__, "scratch") TRACE | | | Eval __local753__ = output.img TRACE | | | Eval not data.builtin.dockerfile.DS001.is_alias(__local753__) TRACE | | | Enter data.builtin.dockerfile.DS001.is_alias(__local753__) TRACE | | | | Eval data.builtin.dockerfile.DS001.is_alias(__local753__) TRACE | | | | Index data.builtin.dockerfile.DS001.is_alias (matched 1 rule, early exit) TRACE | | | | Enter data.builtin.dockerfile.DS001.is_alias TRACE | | | | | Eval img = data.builtin.dockerfile.DS001.get_aliases[_] TRACE | | | | | Index data.builtin.dockerfile.DS001.get_aliases (matched 1 rule) TRACE | | | | | Enter data.builtin.dockerfile.DS001.get_aliases TRACE | | | | | | Eval from_cmd = data.lib.docker.from[_] TRACE | | | | | | Index data.lib.docker.from (matched 1 rule) TRACE | | | | | | Eval __local749__ = from_cmd.Value TRACE | | | | | | Eval data.builtin.dockerfile.DS001.get_alias(__local749__, __local503__) TRACE | | | | | | Index data.builtin.dockerfile.DS001.get_alias (matched 1 rule) TRACE | | | | | | Enter data.builtin.dockerfile.DS001.get_alias TRACE | | | | | | | Eval __local748__ = values[i] TRACE | | | | | | | Eval lower(__local748__, __local501__) TRACE | | | | | | | Eval "as" = __local501__ TRACE | | | | | | | Fail "as" = __local501__ TRACE | | | | | | | Redo lower(__local748__, __local501__) TRACE | | | | | | | Redo __local748__ = values[i] TRACE | | | | | | Fail data.builtin.dockerfile.DS001.get_alias(__local749__, __local503__) TRACE | | | | | | Redo __local749__ = from_cmd.Value TRACE | | | | | | Redo from_cmd = data.lib.docker.from[_] TRACE | | | | | Fail img = data.builtin.dockerfile.DS001.get_aliases[_] TRACE | | | | Fail data.builtin.dockerfile.DS001.is_alias(__local753__) TRACE | | | Eval output.tag = "latest" TRACE | | | Exit data.builtin.dockerfile.DS001.fail_latest TRACE | | Redo data.builtin.dockerfile.DS001.fail_latest TRACE | | | Redo output.tag = "latest" TRACE | | | Redo __local753__ = output.img TRACE | | | Redo neq(__local752__, "scratch") TRACE | | | Redo __local752__ = output.img TRACE | | | Redo output = data.builtin.dockerfile.DS001.image_tags[_] TRACE | | Eval __local754__ = output.img TRACE | | Eval sprintf("Specify a tag in the 'FROM' statement for image '%s'", [__local754__], __local509__) TRACE | | Eval msg = __local509__ TRACE | | Eval __local755__ = output.cmd TRACE | | Eval data.lib.docker.result(msg, __local755__, __local510__) TRACE | | Index data.lib.docker.result (matched 1 rule) TRACE | | Enter data.lib.docker.result TRACE | | | Eval object.get(cmd, "EndLine", 0, __local470__) TRACE | | | Eval object.get(cmd, "Path", "", __local471__) TRACE | | | Eval object.get(cmd, "StartLine", 0, __local472__) TRACE | | | Eval result = {"endline": __local470__, "filepath": __local471__, "msg": msg, "startline": __local472__} TRACE | | | Exit data.lib.docker.result TRACE | | Eval res = __local510__ TRACE | | Exit data.builtin.dockerfile.DS001.deny TRACE | Redo data.builtin.dockerfile.DS001.deny TRACE | | Redo res = __local510__ TRACE | | Redo data.lib.docker.result(msg, __local755__, __local510__) TRACE | | Redo data.lib.docker.result TRACE | | | Redo result = {"endline": __local470__, "filepath": __local471__, "msg": msg, "startline": __local472__} TRACE | | | Redo object.get(cmd, "StartLine", 0, __local472__) TRACE | | | Redo object.get(cmd, "Path", "", __local471__) TRACE | | | Redo object.get(cmd, "EndLine", 0, __local470__) TRACE | | Redo __local755__ = output.cmd TRACE | | Redo msg = __local509__ TRACE | | Redo sprintf("Specify a tag in the 'FROM' statement for image '%s'", [__local754__], __local509__) TRACE | | Redo __local754__ = output.img TRACE | | Redo output = data.builtin.dockerfile.DS001.fail_latest[_] TRACE | Exit data.builtin.dockerfile.DS001.deny = _ TRACE Redo data.builtin.dockerfile.DS001.deny = _ TRACE | Redo data.builtin.dockerfile.DS001.deny = _ TRACE ID: DS002 File: Dockerfile Namespace: builtin.dockerfile.DS002 Query: data.builtin.dockerfile.DS002.deny Message: Last USER command in Dockerfile should not be 'root' TRACE Enter data.builtin.dockerfile.DS002.deny = _ TRACE | Eval data.builtin.dockerfile.DS002.deny = _ TRACE | Index data.builtin.dockerfile.DS002.deny (matched 2 rules) TRACE | Enter data.builtin.dockerfile.DS002.deny TRACE | | Eval data.builtin.dockerfile.DS002.fail_user_count TRACE | | Index data.builtin.dockerfile.DS002.fail_user_count (matched 1 rule, early exit) TRACE | | Enter data.builtin.dockerfile.DS002.fail_user_count TRACE | | | Eval __local771__ = data.builtin.dockerfile.DS002.get_user TRACE | | | Index data.builtin.dockerfile.DS002.get_user (matched 1 rule) TRACE | | | Enter data.builtin.dockerfile.DS002.get_user TRACE | | | | Eval user = data.lib.docker.user[_] TRACE | | | | Index data.lib.docker.user (matched 1 rule) TRACE | | | | Enter data.lib.docker.user TRACE | | | | | Eval instruction = input.stages[_][_] TRACE | | | | | Eval instruction.Cmd = "user" TRACE | | | | | Fail instruction.Cmd = "user" TRACE | | | | | Redo instruction = input.stages[_][_] TRACE | | | | | Eval instruction.Cmd = "user" TRACE | | | | | Exit data.lib.docker.user TRACE | | | | Redo data.lib.docker.user TRACE | | | | | Redo instruction.Cmd = "user" TRACE | | | | | Redo instruction = input.stages[_][_] TRACE | | | | | Eval instruction.Cmd = "user" TRACE | | | | | Fail instruction.Cmd = "user" TRACE | | | | | Redo instruction = input.stages[_][_] TRACE | | | | Eval username = user.Value[_] TRACE | | | | Exit data.builtin.dockerfile.DS002.get_user TRACE | | | Redo data.builtin.dockerfile.DS002.get_user TRACE | | | | Redo username = user.Value[_] TRACE | | | | Redo user = data.lib.docker.user[_] TRACE | | | Eval count(__local771__, __local536__) TRACE | | | Eval lt(__local536__, 1) TRACE | | | Fail lt(__local536__, 1) TRACE | | | Redo count(__local771__, __local536__) TRACE | | | Redo __local771__ = data.builtin.dockerfile.DS002.get_user TRACE | | Fail data.builtin.dockerfile.DS002.fail_user_count TRACE | Enter data.builtin.dockerfile.DS002.deny TRACE | | Eval cmd = data.builtin.dockerfile.DS002.fail_last_user_root[_] TRACE | | Index data.builtin.dockerfile.DS002.fail_last_user_root (matched 1 rule) TRACE | | Enter data.builtin.dockerfile.DS002.fail_last_user_root TRACE | | | Eval stage_users = data.lib.docker.stage_user[_] TRACE | | | Index data.lib.docker.stage_user (matched 1 rule) TRACE | | | Enter data.lib.docker.stage_user TRACE | | | | Eval stage = input.stages[stage_name] TRACE | | | | Eval users = [cmd | cmd = stage[_]; cmd.Cmd = "user"] TRACE | | | | Enter cmd = stage[_]; cmd.Cmd = "user" TRACE | | | | | Eval cmd = stage[_] TRACE | | | | | Eval cmd.Cmd = "user" TRACE | | | | | Fail cmd.Cmd = "user" TRACE | | | | | Redo cmd = stage[_] TRACE | | | | | Eval cmd.Cmd = "user" TRACE | | | | | Exit cmd = stage[_]; cmd.Cmd = "user" TRACE | | | | Redo cmd = stage[_]; cmd.Cmd = "user" TRACE | | | | | Redo cmd.Cmd = "user" TRACE | | | | | Redo cmd = stage[_] TRACE | | | | | Eval cmd.Cmd = "user" TRACE | | | | | Fail cmd.Cmd = "user" TRACE | | | | | Redo cmd = stage[_] TRACE | | | | Exit data.lib.docker.stage_user TRACE | | | Redo data.lib.docker.stage_user TRACE | | | | Redo users = [cmd | cmd = stage[_]; cmd.Cmd = "user"] TRACE | | | | Redo stage = input.stages[stage_name] TRACE | | | Eval count(stage_users, __local537__) TRACE | | | Eval len = __local537__ TRACE | | | Eval minus(len, 1, __local538__) TRACE | | | Eval last = stage_users[__local538__] TRACE | | | Eval user = last.Value[0] TRACE | | | Eval user = "root" TRACE | | | Exit data.builtin.dockerfile.DS002.fail_last_user_root TRACE | | Redo data.builtin.dockerfile.DS002.fail_last_user_root TRACE | | | Redo user = "root" TRACE | | | Redo user = last.Value[0] TRACE | | | Redo last = stage_users[__local538__] TRACE | | | Redo minus(len, 1, __local538__) TRACE | | | Redo len = __local537__ TRACE | | | Redo count(stage_users, __local537__) TRACE | | | Redo stage_users = data.lib.docker.stage_user[_] TRACE | | Eval msg = "Last USER command in Dockerfile should not be 'root'" TRACE | | Eval data.lib.docker.result(msg, cmd, __local540__) TRACE | | Index data.lib.docker.result (matched 1 rule) TRACE | | Enter data.lib.docker.result TRACE | | | Eval object.get(cmd, "EndLine", 0, __local470__) TRACE | | | Eval object.get(cmd, "Path", "", __local471__) TRACE | | | Eval object.get(cmd, "StartLine", 0, __local472__) TRACE | | | Eval result = {"endline": __local470__, "filepath": __local471__, "msg": msg, "startline": __local472__} TRACE | | | Exit data.lib.docker.result TRACE | | Eval res = __local540__ TRACE | | Exit data.builtin.dockerfile.DS002.deny TRACE | Redo data.builtin.dockerfile.DS002.deny TRACE | | Redo res = __local540__ TRACE | | Redo data.lib.docker.result(msg, cmd, __local540__) TRACE | | Redo data.lib.docker.result TRACE | | | Redo result = {"endline": __local470__, "filepath": __local471__, "msg": msg, "startline": __local472__} TRACE | | | Redo object.get(cmd, "StartLine", 0, __local472__) TRACE | | | Redo object.get(cmd, "Path", "", __local471__) TRACE | | | Redo object.get(cmd, "EndLine", 0, __local470__) TRACE | | Redo msg = "Last USER command in Dockerfile should not be 'root'" TRACE | | Redo cmd = data.builtin.dockerfile.DS002.fail_last_user_root[_] TRACE | Exit data.builtin.dockerfile.DS002.deny = _ TRACE Redo data.builtin.dockerfile.DS002.deny = _ TRACE | Redo data.builtin.dockerfile.DS002.deny = _ TRACE- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
- 166
- 167
- 168
- 169
- 170
- 171
- 172
- 173
- 174
- 175
- 176
- 177
- 178
- 179
- 180
- 181
- 182
- 183
- 184
- 185
- 186
- 187
- 188
- 189
- 190
- 191
- 192
- 193
- 194
- 195
- 196
- 197
- 198
- 199
- 200
- 201
- 202
- 203
- 204
- 205
- 206
- 207
- 208
- 209
- 210
- 211
- 212
- 213
- 214
- 215
- 216
- 217
- 218
- 219
- 220
- 221
- 222
- 223
- 224
- 225
- 226
- 227
- 228
- 229
- 230
- 231
- 232
- 233
- 234
- 235
- 236
- 237
- 238
- 239
- 240
- 241
- 242
- 243
- 244
- 245
- 246
- 247
- 248
- 249
- 250
- 251
- 252
- 253
- 254
- 255
- 256
- 257
- 258
- 259
- 260
- 261
- 262
- 263
- 264
- 265
- 266
- 267
- 268
- 269
- 270
- 271
- 272
- 273
- 274
- 275
- 276
- 277
- 278
- 279
- 280
- 281
- 282
- 283
- 284
- 285
- 286
- 287
- 288
- 289
- 290
- 291
- 292
- 293
- 294
- 295
参考:
-
相关阅读:
actuator--基础--6.2--端点解析--metrics端点
Linux网络部分
【毕业季·进击的技术er】 什么是微信小程序,带你推开小程序的大门
html5 LocalStorage本地存储介绍
fscanf/fscanf_s和fgets使用差异
【网络教程】Iptables官方教程-学习笔记6-IPTABLES TARGETS
有想法就去设计吧!——《好玩的好设计》读书笔记
Android平台下奔溃Crash和无响应ANR日志抓取分析
如何查找GNU C语言参考手册
学python怎么选方向?
- 原文地址:https://blog.csdn.net/xixihahalelehehe/article/details/126035306
