Merge pull request #2 from pavniii/pavni_docker_policies

new docker policies added for expose and workdir

pkg/policies/opa/rego/docker/docker_expose/AC_DOCKER_0011.json

@@ -0,0 +1,17 @@
+{
+    "name": "UNIXPortsOutOfRange",
+    "file": "UNIXPortsOutOfRange.rego",
+    "policy_type": "docker",
+    "resource_type": "expose",
+    "template_args": {
+        "prefix": "",
+        "suffix": "",
+        "name": "UNIXPortsOutOfRange"
+    },
+    "severity": "HIGH",
+    "description": "Ensure range of ports is from 0 to 65535",
+    "reference_id": "AC_DOCKER_0011",
+    "category": "Infrastructure Security",
+    "id": "AC_DOCKER_0011",
+    "version": 1
+}

pkg/policies/opa/rego/docker/docker_expose/UNIXPortsOutOfRange.rego

@@ -0,0 +1,13 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[apt.id]{
+	apt := input.expose[_]
+	conval := apt.config
+    port := split(conval, "/")
+    containsPortOutOfRange(port)
+}
+containsPortOutOfRange(ports) {
+	some i
+	port := ports[i]
+	to_number(port) > 65535
+}

pkg/policies/opa/rego/docker/docker_workdir/AC_DOCKER_0013.json

@@ -0,0 +1,17 @@
+{
+    "name": "workdir",
+    "file": "workdir.rego",
+    "policy_type": "docker",
+    "resource_type": "workdir",
+    "template_args": {
+        "prefix": "",
+        "suffix": "",
+        "name": "workdir"
+    },
+    "severity": "HIGH",
+    "description": "Ensure the use absolute paths for your WORKDIR.",
+    "reference_id": "AC_DOCKER_0014",
+    "category": "Infrastructure Security",
+    "id": "AC_DOCKER_0014",
+    "version": 1
+}

pkg/policies/opa/rego/docker/docker_workdir/workdir.rego

@@ -0,0 +1,9 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[apt]{
+	apt := input.workdir[_]
+	conval := apt.config
+
+    not regex.match("(^/[A-z0-9-_+]*)|(^[A-z0-9-_+]:\\\\.*)|(^\\$[{}A-z0-9-_+].*)", conval)
+
+}