From c394ad656414ac840d1eb33407cd07b3dada13c4 Mon Sep 17 00:00:00 2001 From: Pilaniya Date: Mon, 24 May 2021 18:24:57 +0530 Subject: [PATCH 1/6] fix(query): fixed issue container_ruuiing_as_root#3412 --- .../k8s/containers_running_as_root/query.rego | 108 +++++++++++------- 1 file changed, 68 insertions(+), 40 deletions(-) diff --git a/assets/queries/k8s/containers_running_as_root/query.rego b/assets/queries/k8s/containers_running_as_root/query.rego index 0eda309ed59..56114bc315b 100644 --- a/assets/queries/k8s/containers_running_as_root/query.rego +++ b/assets/queries/k8s/containers_running_as_root/query.rego @@ -2,6 +2,9 @@ package Cx import data.generic.k8s as k8sLib +types := {"initContainers", "containers"} + +# if the node is Pod type CxPolicy[result] { document := input.document[i] document.kind == "Pod" @@ -9,9 +12,10 @@ CxPolicy[result] { spec := document.spec metadata := document.metadata - result := checkRootParent(spec, "spec", metadata, input.document[i].id) + result := checkRootParent(spec.securityContext, types[x], spec[types[x]][_],"spec", metadata,input.document[i].id) } +# if the node is CronJob type CxPolicy[result] { document := input.document[i] document.kind == "CronJob" @@ -19,7 +23,7 @@ CxPolicy[result] { spec := document.spec.jobTemplate.spec.template.spec metadata := document.metadata - result := checkRootParent(spec, "spec.jobTemplate.spec.template.spec", metadata, input.document[i].id) + result := checkRootParent(spec.securityContext, types[x], spec[types[x]][_], "spec.jobTemplate.spec.template.spec", metadata,input.document[i].id) } CxPolicy[result] { 
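Review bot: In the Pod rule, `spec.securityContext` is now evaluated as a call argument, so a Pod with no pod-level `securityContext` makes that expression undefined and the rule yields no result for any of its containers, including one that sets `runAsUser: 0`. The last `checkRootParent` definition looks intended for the "nothing set at pod level" case, but it can only be reached when the object exists. Passing a default keeps that path reachable: `checkRootParent(object.get(spec, "securityContext", {}), types[x], spec[types[x]][_], "spec", metadata, input.document[i].id)`. The same applies to the CronJob call in this patch and to the `spec.template.spec` call at the top of the next hunk. The removed lines suggest the old code had the same gap, since it read `spec.securityContext` inside `object.get`.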
@@ -31,98 +35,122 @@ CxPolicy[result] { spec := document.spec.template.spec metadata := document.metadata - result := checkRootParent(spec, "spec.template.spec", metadata, input.document[i].id) + result := checkRootParent(spec.securityContext, types[x], spec[types[x]][_], "spec.template.spec", metadata,input.document[i].id) } -checkRootParent(spec, path, metadata, id) = result { - nonRootParent := object.get(spec.securityContext, "runAsNonRoot", "undefined") +#if pod runAsNonRoot==true and container runAsNonRoot==true (container not runs as root) +#if pod runAsNonRoot==true and container runAsNonRoot==false + #if container runAsUser>0 (container not runs as root) + #if container runAsUser<=0 (container runs as root) +checkRootParent(rootSecurityContext, containerType, container, path, metadata,id) = result { + nonRootParent := object.get(rootSecurityContext, "runAsNonRoot", "undefined") is_boolean(nonRootParent) nonRootParent == true - result := checkRootContainer(spec, path, metadata, id) + result := checkRootContainer(rootSecurityContext, containerType, container, path, metadata,id) } -checkRootParent(spec, path, metadata, id) = result { - nonRootParent := object.get(spec.securityContext, "runAsNonRoot", "undefined") +#if pod runAsNonRoot==false and pod runAsUser>0 + #if container runAsUser>0 + #if container runAsNonRoot==false (container runs as non root) + #if container runAsNonRoot==true (container runs as non root) + #if container runAsUser<=0 + #if container runAsNonRoot==false (container runs as root) + #if container runAsNonRoot==true (container runs as root) +checkRootParent(rootSecurityContext, containerType, container, path, metadata,id) = result { + nonRootParent := object.get(rootSecurityContext, "runAsNonRoot", "undefined") is_boolean(nonRootParent) nonRootParent == false - userParent := object.get(spec.securityContext, "runAsUser", "undefined") + userParent := object.get(rootSecurityContext, "runAsUser", "undefined") is_number(userParent) userParent 
> 0 - result := checkUserContainer(spec, path, metadata, id) + result := checkUserContainer(rootSecurityContext, containerType, container, path, metadata,id) } +#if pod runAsNonRoot==false and pod runAsUser<=0 + #if container runAsUser>0 + #if container runAsNonRoot==false (container runs as non root) + #if container runAsNonRoot==true (container runs as non root) + #if container runAsUser<=0 + #if container runAsNonRoot==false (container runs as root) + #if container runAsNonRoot==true (container runs as non root) +checkRootParent(rootSecurityContext, containerType, container, path, metadata,id) = result { + nonRootParent := object.get(rootSecurityContext, "runAsNonRoot", "undefined") + is_boolean(nonRootParent) + + nonRootParent == false + + userParent := object.get(rootSecurityContext, "runAsUser", "undefined") + is_number(userParent) -checkRootParent(spec, path, metadata, id) = result { - object.get(spec.securityContext, "runAsNonRoot", "undefined") == "undefined" - object.get(spec.securityContext, "runAsUser", "undefined") == "undefined" + userParent <= 0 - result := checkRootContainer(spec, path, metadata, id) + result := checkRootContainer(rootSecurityContext, containerType, container, path, metadata,id) } -types := {"initContainers", "containers"} -checkRootContainer(spec, path, metadata, id) = result { - some j - container := spec[types[x]][j] +checkRootParent(rootSecurityContext, containerType, container, path, metadata,id) = result { + object.get(rootSecurityContext, "runAsNonRoot", "undefined") == "undefined" + object.get(rootSecurityContext, "runAsUser", "undefined") == "undefined" + + result := checkRootContainer(rootSecurityContext, containerType, container, path, metadata,id) +} + +checkRootContainer(rootSecurityContext, containerType, container, path, metadata,id) = result { + not container.securityContext.runAsNonRoot uid := container.securityContext.runAsUser to_number(uid) <= 0 result := { "documentId": id, - "searchKey": 
sprintf("metadata.name={{%s}}.%s.%s.%s", [metadata.name, path, types[x], container.name]), + "searchKey": sprintf("metadata.name={{%s}}.%s.%s.%s", [metadata.name, path, containerType, container.name]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("'%s.%s[%d].securityContext.runAsUser' is higher than 0 and/or 'runAsNonRoot' is true", [path, types[x], j]), - "keyActualValue": sprintf("'%s.%s[%d].securityContext.runAsUser' is 0 and 'runAsNonRoot' is not set to true", [path, types[x], j]), + "keyExpectedValue": sprintf("'%s.%s.securityContext.runAsUser' is higher than 0 and/or 'runAsNonRoot' is true", [path, containerType]), + "keyActualValue": sprintf("'%s.%s.securityContext.runAsUser' is 0 and 'runAsNonRoot' is not set to true", [path, containerType]), } } -checkRootContainer(spec, path, metadata, id) = result { - some j - container := spec[types[x]][j] +checkRootContainer(rootSecurityContext, containerType, container, path, metadata,id) = result { + not container.securityContext.runAsNonRoot object.get(container.securityContext, "runAsUser", "undefined") == "undefined" result := { "documentId": id, - "searchKey": sprintf("metadata.name={{%s}}.%s.%s.{{%s}}.securityContext", [metadata.name, path, types[x], container.name]), + "searchKey": sprintf("metadata.name={{%s}}.%s.%s.{{%s}}.securityContext", [metadata.name, path, containerType, container.name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'%s.%s[%d].securityContext.runAsUser' is defined", [path, types[x], j]), - "keyActualValue": sprintf("'%s.%s[%d].securityContext.runAsUser' is undefined", [path, types[x], j]), + "keyExpectedValue": sprintf("'%s.%s.securityContext.runAsUser' is defined", [path, containerType]), + "keyActualValue": sprintf("'%s.%s.securityContext.runAsUser' is undefined", [path, containerType]), } } -checkUserContainer(spec, path, metadata, id) = result { - some j - container := spec[types[x]][j] +checkUserContainer(rootSecurityContext, containerType, 
container, path, metadata,id) = result { uid := container.securityContext.runAsUser to_number(uid) <= 0 result := { "documentId": id, - "searchKey": sprintf("metadata.name={{%s}}.%s.%s.%s", [metadata.name, path, types[x], container.name]), + "searchKey": sprintf("metadata.name={{%s}}.%s.%s.%s", [metadata.name, path, containerType, container.name]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("'%s.%s[%d].securityContext.runAsUser' is higher than 0 and/or 'runAsNonRoot' is true", [path, types[x], j]), - "keyActualValue": sprintf("'%s.%s[%d].securityContext.runAsUser' is 0 and 'runAsNonRoot' is not set to true", [path, types[x], j]), + "keyExpectedValue": sprintf("'%s.%s.securityContext.runAsUser' is higher than 0 and/or 'runAsNonRoot' is true", [path, containerType]), + "keyActualValue": sprintf("'%s.%s.securityContext.runAsUser' is 0 and 'runAsNonRoot' is not set to true", [path, containerType]), } } -checkUserContainer(spec, path, metadata, id) = result { - some j - container := spec[types[x]][j] +checkUserContainer(rootSecurityContext, containerType, container, path, metadata,id) = result { not container.securityContext.runAsNonRoot object.get(container.securityContext, "runAsUser", "undefined") == "undefined" result := { "documentId": id, - "searchKey": sprintf("metadata.name={{%s}}.%s.%s.{{%s}}.securityContext", [metadata.name, path, types[x], container.name]), + "searchKey": sprintf("metadata.name={{%s}}.%s.%s.{{%s}}.securityContext", [metadata.name, path, containerType, container.name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'%s.%s[%d].securityContext.runAsUser' is defined", [path, types[x], j]), - "keyActualValue": sprintf("'%s.%s[%d].securityContext.runAsUser' is undefined", [path, types[x], j]), + "keyExpectedValue": sprintf("'%s.%s.securityContext.runAsUser' is defined", [path, containerType]), + "keyActualValue": sprintf("'%s.%s.securityContext.runAsUser' is undefined", [path, containerType]), } -} +} \ No 
newline at end of file From 9550f9c1fe9a0c4a9ae478ef6be3d22198037839 Mon Sep 17 00:00:00 2001 From: Pilaniya Date: Tue, 25 May 2021 11:42:30 +0530 Subject: [PATCH 2/6] fix((query): added positive and negative test cases for pull#3422 --- .../k8s/containers_running_as_root/query.rego | 2 +- .../test/{negative.yaml => negative1.yaml} | 0 .../test/negative2.yaml | 19 +++++++++++++ .../test/negative3.yaml | 14 ++++++++++ .../test/{positive.yaml => positive1.yaml} | 0 .../test/positive2.yaml | 19 +++++++++++++ .../test/positive3.yaml | 14 ++++++++++ .../test/positive_expected_result.json | 27 ++++++++++++++++--- 8 files changed, 91 insertions(+), 4 deletions(-) rename assets/queries/k8s/containers_running_as_root/test/{negative.yaml => negative1.yaml} (100%) create mode 100644 assets/queries/k8s/containers_running_as_root/test/negative2.yaml create mode 100644 assets/queries/k8s/containers_running_as_root/test/negative3.yaml rename assets/queries/k8s/containers_running_as_root/test/{positive.yaml => positive1.yaml} (100%) create mode 100644 assets/queries/k8s/containers_running_as_root/test/positive2.yaml create mode 100644 assets/queries/k8s/containers_running_as_root/test/positive3.yaml diff --git a/assets/queries/k8s/containers_running_as_root/query.rego b/assets/queries/k8s/containers_running_as_root/query.rego index 56114bc315b..d554cc83b8a 100644 --- a/assets/queries/k8s/containers_running_as_root/query.rego +++ b/assets/queries/k8s/containers_running_as_root/query.rego @@ -153,4 +153,4 @@ checkUserContainer(rootSecurityContext, containerType, container, path, metadata "keyExpectedValue": sprintf("'%s.%s.securityContext.runAsUser' is defined", [path, containerType]), "keyActualValue": sprintf("'%s.%s.securityContext.runAsUser' is undefined", [path, containerType]), } -} \ No newline at end of file +} 
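Review bot: The four `checkRootParent` definitions do not cover every pod-level combination: a pod `securityContext` that sets `runAsNonRoot: false` without `runAsUser`, or `runAsUser` without `runAsNonRoot`, matches none of them, so no container in that workload is reported even when it sets `runAsUser: 0`. Definitions two and three require `is_boolean(nonRootParent)` plus a numeric `runAsUser`, and the last one requires both keys to be absent. Treating an absent `runAsNonRoot` as false closes the gap: use `object.get(rootSecurityContext, "runAsNonRoot", false) == false` in definitions two and three in place of the `is_boolean` / `== false` pair, and in the last definition in place of the `runAsNonRoot` `"undefined"` comparison. The container helpers have the analogous hole, because `object.get(container.securityContext, "runAsUser", "undefined")` is undefined when a container has no `securityContext` at all; reading it through `object.get(container, "securityContext", {})` would be the matching change.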
diff --git a/assets/queries/k8s/containers_running_as_root/test/negative.yaml b/assets/queries/k8s/containers_running_as_root/test/negative1.yaml similarity index 100% rename from assets/queries/k8s/containers_running_as_root/test/negative.yaml rename to assets/queries/k8s/containers_running_as_root/test/negative1.yaml diff --git a/assets/queries/k8s/containers_running_as_root/test/negative2.yaml b/assets/queries/k8s/containers_running_as_root/test/negative2.yaml new file mode 100644 index 00000000000..07eefe17455 --- /dev/null +++ b/assets/queries/k8s/containers_running_as_root/test/negative2.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: security-context-demo-1 +spec: + securityContext: + runAsUser: 1000 + runAsNonRoot: true + containers: + - name: sec-ctx-demo-100 + image: gcr.io/google-samples/node-hello:1.0 + securityContext: + runAsUser: 1000 + runAsNonRoot: false + - name: sec-ctx-demo-200 + image: gcr.io/google-samples/node-hedwfwllo:1.0 + securityContext: + runAsUser: 2000 + runAsNonRoot: true \ No newline at end of file diff --git a/assets/queries/k8s/containers_running_as_root/test/negative3.yaml b/assets/queries/k8s/containers_running_as_root/test/negative3.yaml new file mode 100644 index 00000000000..b64f798f4d8 --- /dev/null +++ b/assets/queries/k8s/containers_running_as_root/test/negative3.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: containers-runs-as-root +spec: + securityContext: + runAsUser: 0 + runAsNonRoot: false + containers: + - name: sec-ctx-demo-100 + image: gcr.io/google-samples/node-hello:1.0 + securityContext: + runAsUser: 1000 + runAsNonRoot: false \ No newline at end of file diff --git a/assets/queries/k8s/containers_running_as_root/test/positive.yaml b/assets/queries/k8s/containers_running_as_root/test/positive1.yaml similarity index 100% rename from assets/queries/k8s/containers_running_as_root/test/positive.yaml rename to assets/queries/k8s/containers_running_as_root/test/positive1.yaml 
diff --git a/assets/queries/k8s/containers_running_as_root/test/positive2.yaml b/assets/queries/k8s/containers_running_as_root/test/positive2.yaml new file mode 100644 index 00000000000..ddea28de938 --- /dev/null +++ b/assets/queries/k8s/containers_running_as_root/test/positive2.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: security-context-demo-2 +spec: + securityContext: + runAsUser: 10 + runAsNonRoot: false + containers: + - name: sec-ctx-demo-100 + image: gcr.io/google-samples/node-hello:1.0 + securityContext: + runAsUser: 0 + runAsNonRoot: false + - name: sec-ctx-demo-200 + image: gcr.io/google-samples/node-hedwfwllo:1.0 + securityContext: + runAsUser: 0 + runAsNonRoot: false \ No newline at end of file diff --git a/assets/queries/k8s/containers_running_as_root/test/positive3.yaml b/assets/queries/k8s/containers_running_as_root/test/positive3.yaml new file mode 100644 index 00000000000..c67e3bdca5b --- /dev/null +++ b/assets/queries/k8s/containers_running_as_root/test/positive3.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: containers-runs-as-root +spec: + securityContext: + runAsUser: 0 + runAsNonRoot: false + containers: + - name: sec-ctx-demo-100 + image: gcr.io/google-samples/node-hello:1.0 + securityContext: + runAsUser: 0 + runAsNonRoot: false \ No newline at end of file diff --git a/assets/queries/k8s/containers_running_as_root/test/positive_expected_result.json b/assets/queries/k8s/containers_running_as_root/test/positive_expected_result.json index 3dbc9e0fbd6..19fe342d867 100644 --- a/assets/queries/k8s/containers_running_as_root/test/positive_expected_result.json +++ b/assets/queries/k8s/containers_running_as_root/test/positive_expected_result.json 
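Review bot: The added positive fixtures only cover Pods whose pod-level `securityContext` sets both `runAsUser` and `runAsNonRoot` and whose containers sit under `containers`, so the reworked per-container path for `initContainers` and the branches for a missing or partially set pod-level context have no fixture in this patch. positive1.yaml is not shown here, so it may already cover part of this. A further positive case would show whether the query reports it, for example a Pod with no pod-level `securityContext` and an `initContainers` entry with `runAsUser: 0`, with its line added to positive_expected_result.json. Separately, positive3.yaml and negative3.yaml both use `metadata.name: containers-runs-as-root`; a distinct name in the negative fixture would make scan output easier to attribute.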
@@ -2,16 +2,37 @@ { "queryName": "Container Running As Root", "severity": "MEDIUM", - "line": 10 + "line": 10, + "fileName": "positive1.yaml" }, { "queryName": "Container Running As Root", "severity": "MEDIUM", - "line": 28 + "line": 28, + "fileName": "positive1.yaml" }, { "queryName": "Container Running As Root", "severity": "MEDIUM", - "line": 41 + "line": 41, + "fileName": "positive1.yaml" + }, + { + "queryName": "Container Running As Root", + "severity": "MEDIUM", + "line": 10, + "fileName": "positive2.yaml" + }, + { + "queryName": "Container Running As Root", + "severity": "MEDIUM", + "line": 15, + "fileName": "positive2.yaml" + }, + { + "queryName": "Container Running As Root", + "severity": "MEDIUM", + "line": 10, + "fileName": "positive3.yaml" } ] From 0e688e1a1e0f3f02299b9960427817f341868df3 Mon Sep 17 00:00:00 2001 From: Pilaniya Date: Tue, 25 May 2021 11:51:48 +0530 Subject: [PATCH 3/6] fix((query): added positive and negative test cases for pull#3422 --- assets/queries/k8s/containers_running_as_root/query.rego | 1 + .../queries/k8s/containers_running_as_root/test/negative2.yaml | 3 ++- .../queries/k8s/containers_running_as_root/test/negative3.yaml | 3 ++- .../queries/k8s/containers_running_as_root/test/positive2.yaml | 3 ++- .../queries/k8s/containers_running_as_root/test/positive3.yaml | 3 ++- 5 files changed, 9 insertions(+), 4 deletions(-) diff --git a/assets/queries/k8s/containers_running_as_root/query.rego b/assets/queries/k8s/containers_running_as_root/query.rego index d554cc83b8a..5485d1c6b1f 100644 --- a/assets/queries/k8s/containers_running_as_root/query.rego +++ b/assets/queries/k8s/containers_running_as_root/query.rego @@ -153,4 +153,5 @@ checkUserContainer(rootSecurityContext, containerType, container, path, metadata "keyExpectedValue": sprintf("'%s.%s.securityContext.runAsUser' is defined", [path, containerType]), "keyActualValue": sprintf("'%s.%s.securityContext.runAsUser' is undefined", [path, containerType]), } + } 
diff --git a/assets/queries/k8s/containers_running_as_root/test/negative2.yaml b/assets/queries/k8s/containers_running_as_root/test/negative2.yaml index 07eefe17455..ae10f897568 100644 --- a/assets/queries/k8s/containers_running_as_root/test/negative2.yaml +++ b/assets/queries/k8s/containers_running_as_root/test/negative2.yaml @@ -16,4 +16,5 @@ spec: image: gcr.io/google-samples/node-hedwfwllo:1.0 securityContext: runAsUser: 2000 - runAsNonRoot: true \ No newline at end of file + runAsNonRoot: true + \ No newline at end of file diff --git a/assets/queries/k8s/containers_running_as_root/test/negative3.yaml b/assets/queries/k8s/containers_running_as_root/test/negative3.yaml index b64f798f4d8..93b6009f037 100644 --- a/assets/queries/k8s/containers_running_as_root/test/negative3.yaml +++ b/assets/queries/k8s/containers_running_as_root/test/negative3.yaml @@ -11,4 +11,5 @@ spec: image: gcr.io/google-samples/node-hello:1.0 securityContext: runAsUser: 1000 - runAsNonRoot: false \ No newline at end of file + runAsNonRoot: false + \ No newline at end of file diff --git a/assets/queries/k8s/containers_running_as_root/test/positive2.yaml b/assets/queries/k8s/containers_running_as_root/test/positive2.yaml index ddea28de938..a16fcfd1bae 100644 --- a/assets/queries/k8s/containers_running_as_root/test/positive2.yaml +++ b/assets/queries/k8s/containers_running_as_root/test/positive2.yaml @@ -16,4 +16,5 @@ spec: image: gcr.io/google-samples/node-hedwfwllo:1.0 securityContext: runAsUser: 0 - runAsNonRoot: false \ No newline at end of file + runAsNonRoot: false + \ No newline at end of file diff --git a/assets/queries/k8s/containers_running_as_root/test/positive3.yaml b/assets/queries/k8s/containers_running_as_root/test/positive3.yaml index c67e3bdca5b..77fb05c4064 100644 --- a/assets/queries/k8s/containers_running_as_root/test/positive3.yaml +++ b/assets/queries/k8s/containers_running_as_root/test/positive3.yaml 
@@ -11,4 +11,5 @@ spec: image: gcr.io/google-samples/node-hello:1.0 securityContext: runAsUser: 0 - runAsNonRoot: false \ No newline at end of file + runAsNonRoot: false + \ No newline at end of file From 0d5b3edffb75ff0bb57aba5989fbb5a3ba20fb57 Mon Sep 17 00:00:00 2001 From: Pilaniya Date: Tue, 25 May 2021 11:59:49 +0530 Subject: [PATCH 4/6] fix((query): added positive and negative test cases for pull#3422 --- .../queries/k8s/containers_running_as_root/test/negative2.yaml | 3 +-- .../queries/k8s/containers_running_as_root/test/positive2.yaml | 3 +-- .../queries/k8s/containers_running_as_root/test/positive3.yaml | 3 +-- 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/assets/queries/k8s/containers_running_as_root/test/negative2.yaml b/assets/queries/k8s/containers_running_as_root/test/negative2.yaml index ae10f897568..07eefe17455 100644 --- a/assets/queries/k8s/containers_running_as_root/test/negative2.yaml +++ b/assets/queries/k8s/containers_running_as_root/test/negative2.yaml @@ -16,5 +16,4 @@ spec: image: gcr.io/google-samples/node-hedwfwllo:1.0 securityContext: runAsUser: 2000 - runAsNonRoot: true - \ No newline at end of file + runAsNonRoot: true \ No newline at end of file diff --git a/assets/queries/k8s/containers_running_as_root/test/positive2.yaml b/assets/queries/k8s/containers_running_as_root/test/positive2.yaml index a16fcfd1bae..ddea28de938 100644 --- a/assets/queries/k8s/containers_running_as_root/test/positive2.yaml +++ b/assets/queries/k8s/containers_running_as_root/test/positive2.yaml @@ -16,5 +16,4 @@ spec: image: gcr.io/google-samples/node-hedwfwllo:1.0 securityContext: runAsUser: 0 - runAsNonRoot: false - \ No newline at end of file + runAsNonRoot: false \ No newline at end of file diff --git a/assets/queries/k8s/containers_running_as_root/test/positive3.yaml b/assets/queries/k8s/containers_running_as_root/test/positive3.yaml index 77fb05c4064..c67e3bdca5b 100644 
--- a/assets/queries/k8s/containers_running_as_root/test/positive3.yaml +++ b/assets/queries/k8s/containers_running_as_root/test/positive3.yaml @@ -11,5 +11,4 @@ spec: image: gcr.io/google-samples/node-hello:1.0 securityContext: runAsUser: 0 - runAsNonRoot: false - \ No newline at end of file + runAsNonRoot: false \ No newline at end of file From 0141949ce0bdf76eb200f2e1272d6605ef666a65 Mon Sep 17 00:00:00 2001 From: "pilaniyamukesh0@gmail.com" Date: Tue, 25 May 2021 12:04:16 +0530 Subject: [PATCH 5/6] fix((query): added positive and negative test cases for pull#3422git --- .../queries/k8s/containers_running_as_root/test/negative2.yaml | 3 ++- .../queries/k8s/containers_running_as_root/test/positive2.yaml | 3 ++- .../queries/k8s/containers_running_as_root/test/positive3.yaml | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/assets/queries/k8s/containers_running_as_root/test/negative2.yaml b/assets/queries/k8s/containers_running_as_root/test/negative2.yaml index 07eefe17455..ae10f897568 100644 --- a/assets/queries/k8s/containers_running_as_root/test/negative2.yaml +++ b/assets/queries/k8s/containers_running_as_root/test/negative2.yaml @@ -16,4 +16,5 @@ spec: image: gcr.io/google-samples/node-hedwfwllo:1.0 securityContext: runAsUser: 2000 - runAsNonRoot: true \ No newline at end of file + runAsNonRoot: true + \ No newline at end of file diff --git a/assets/queries/k8s/containers_running_as_root/test/positive2.yaml b/assets/queries/k8s/containers_running_as_root/test/positive2.yaml index ddea28de938..a16fcfd1bae 100644 --- a/assets/queries/k8s/containers_running_as_root/test/positive2.yaml +++ b/assets/queries/k8s/containers_running_as_root/test/positive2.yaml @@ -16,4 +16,5 @@ spec: image: gcr.io/google-samples/node-hedwfwllo:1.0 securityContext: runAsUser: 0 - runAsNonRoot: false \ No newline at end of file + runAsNonRoot: false + \ No newline at end of file 
diff --git a/assets/queries/k8s/containers_running_as_root/test/positive3.yaml b/assets/queries/k8s/containers_running_as_root/test/positive3.yaml index c67e3bdca5b..77fb05c4064 100644 --- a/assets/queries/k8s/containers_running_as_root/test/positive3.yaml +++ b/assets/queries/k8s/containers_running_as_root/test/positive3.yaml @@ -11,4 +11,5 @@ spec: image: gcr.io/google-samples/node-hello:1.0 securityContext: runAsUser: 0 - runAsNonRoot: false \ No newline at end of file + runAsNonRoot: false + \ No newline at end of file From 6cecc24a8ca6be03b22361cd76d54e46ca3996f7 Mon Sep 17 00:00:00 2001 From: "pilaniyamukesh0@gmail.com" Date: Tue, 25 May 2021 23:32:29 +0530 Subject: [PATCH 6/6] fix((query): added positive and negative test cases --- .../queries/k8s/containers_running_as_root/test/positive3.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/assets/queries/k8s/containers_running_as_root/test/positive3.yaml b/assets/queries/k8s/containers_running_as_root/test/positive3.yaml index 77fb05c4064..ef09d55f875 100644 --- a/assets/queries/k8s/containers_running_as_root/test/positive3.yaml +++ b/assets/queries/k8s/containers_running_as_root/test/positive3.yaml @@ -12,4 +12,5 @@ spec: securityContext: runAsUser: 0 runAsNonRoot: false + \ No newline at end of file