From 6e9258c8e193ce2cca2e10076da4aef8948d4b4b Mon Sep 17 00:00:00 2001
From: Thomas Spear
Date: Tue, 21 Jun 2022 09:58:58 -0500
Subject: [PATCH] Improve suspicious env checks

* This improves the suspicious env check by running several checks of the env values and performing some basic parsing of the keys and values to look for anything suspicious while avoiding false positives

Signed-off-by: Thomas Spear
---
 dockerfile-security.rego | 36 +++++++++++++++++++++++++++++++-----
 1 file changed, 31 insertions(+), 5 deletions(-)

diff --git a/dockerfile-security.rego b/dockerfile-security.rego
index 02181ed..256ccae 100644
--- a/dockerfile-security.rego
+++ b/dockerfile-security.rego
@@ -14,13 +14,39 @@ secrets_env = [
 "tkn"
 ]
-deny[msg] {
- input[i].Cmd == "env"
- val := input[i].Value
- contains(lower(val[_]), secrets_env[_])
- msg = sprintf("Line %d: Potential secret in ENV key found: %s", [i, val])
+deny[msg] {
+ dockerenvs := [val | input[i].Cmd == "env"; val := input[i].Value]
+ dockerenv := dockerenvs[_]
+ envvar := dockerenv[_]
+ lower(envvar) == secrets_env[_]
+ msg = sprintf("Line %d: Potential secret in ENV key found: %s", [i, envvar])
 }
+deny[msg] {
+ dockerenvs := [val | input[i].Cmd == "env"; val := input[i].Value]
+ dockerenv := dockerenvs[_]
+ envvar := dockerenv[_]
+ startswith(lower(envvar), secrets_env[_])
+ msg = sprintf("Line %d: Potential secret in ENV key found: %s", [i, envvar])
+}
+
+deny[msg] {
+ dockerenvs := [val | input[i].Cmd == "env"; val := input[i].Value]
+ dockerenv := dockerenvs[_]
+ envvar := dockerenv[_]
+ endswith(lower(envvar), secrets_env[_])
+ msg = sprintf("Line %d: Potential secret in ENV key found: %s", [i, envvar])
+}
+
+deny[msg] {
+ dockerenvs := [val | input[i].Cmd == "env"; val := input[i].Value]
+ dockerenv := dockerenvs[_]
+ envvar := dockerenv[_]
+ parts := regex.split("[ :=_-]", envvar)
+ part := parts[_]
+ lower(part) == secrets_env[_]
+ msg = sprintf("Line %d: Potential secret in ENV key found: %s", [i, envvar])
+
 # Only use trusted base images
 deny[msg] {
 input[i].Cmd == "from"
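Review bot: The fourth `deny` rule (the `regex.split` variant) is never closed: after its `msg = sprintf(...)` line and one added blank line the hunk returns to the context lines `# Only use trusted base images` / `deny[msg] {`, and the diffstat's 31 insertions account for every `+` line shown, so there is no closing `}` and the policy as committed should fail to parse. In all four new rules `i` is bound only inside the `dockerenvs` comprehension, so the `i` handed to `sprintf` in the rule body is, I believe, an unsafe variable that OPA rejects at compile time, and the flattening would in any case discard which ENV instruction matched. Both problems disappear by iterating the input directly as the removed rule did, `input[i].Cmd == "env"` followed by `envvar := input[i].Value[_]` in place of the three comprehension lines, plus a `}` after the last rule's `msg` line. Since `Value` carries the key and value strings together, each rule also inspects values while the message says `ENV key`; a short comment on the rules, or wording like `Potential secret in ENV key or value`, would make that deliberate.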