fix: fail for irrelevant resources

reported in aquasecurity/trivy#4922 since the failRootGroupId rule is given a default value, it doesn't fail the deny rule and results in a false detection. added an explicit check for the failRootGropuId truthiness to resolve.
itaysk · Jan 10, 2024 · 14535b3 · 14535b3
1 parent 8b3cedc
commit 14535b3
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/checks/kubernetes/general/runs_with_a_root_primary_or_supplementary_GID.rego b/checks/kubernetes/general/runs_with_a_root_primary_or_supplementary_GID.rego
@@ -59,6 +59,7 @@ failRootGroupId {
 }
 
 deny[res] {
+	failRootGroupId
 	output := failRootGroupId
 	msg := kubernetes.format(sprintf("%s %s in %s namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0", [lower(kubernetes.kind), kubernetes.name, kubernetes.namespace]))
 	res := result.new(msg, output)

diff --git a/checks/kubernetes/general/runs_with_a_root_primary_or_supplementary_GID_test.rego b/checks/kubernetes/general/runs_with_a_root_primary_or_supplementary_GID_test.rego
@@ -29,3 +29,13 @@ test_failRootGroupId_failed {
 
 	count(r) > 0
 }
+
+test_failRootGroupId_irrelevant {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "ClusterRole",
+		"metadata": {"name": "hello"}
+	}
+
+	count(r) > 0	
+}