Merge pull request #2565 from vamshi-stepsecurity/fix/exempt-ImageAndTag

exempt by image and tag

Author: varunsh-coder

remediation/docker/securedockerfile.go

@@ -53,6 +53,12 @@ func SecureDockerFile(inputDockerFile string, opts ...DockerfileConfig) (*Secure
 			var image string
 			var tag string
 			isPinned := false
+
+			// Check if image is exempted (skip pinning)
+			if len(exemptedImages) > 0 && pin.ActionExists(temp, exemptedImages) {
+				continue
+			}
+
 			if strings.Contains(temp, ":") && !strings.Contains(temp, "sha256") {
 				// case activates if image like: python:3.7
 				split := strings.Split(temp, ":")
@@ -76,11 +82,6 @@ func SecureDockerFile(inputDockerFile string, opts ...DockerfileConfig) (*Secure
 				isPinned = true
 			}
 
-			// Check if image is exempted (skip pinning)
-			if len(exemptedImages) > 0 && pin.ActionExists(image, exemptedImages) {
-				continue
-			}
-
 			if !isPinned {
 				sha, err := getSHA(image, tag)
 				if err != nil {

remediation/docker/securedockerfile_test.go

@@ -39,6 +39,14 @@ func TestSecureDockerFile(t *testing.T) {
 
 	httpmock.RegisterResponder("GET", "https://index.docker.io/v2/library/python/manifests/3.7", httpmock.NewStringResponder(200, resp))
 
+	httpmock.RegisterResponder("GET", "https://index.docker.io/v2/library/amazonlinux/manifests/2", httpmock.NewStringResponder(200, resp))
+	httpmock.RegisterResponder("GET", "https://index.docker.io/v2/library/amazonlinux/manifests/2023", httpmock.NewStringResponder(200, resp))
+
+	httpmock.RegisterResponder("GET", "https://public.ecr.aws/v2/",
+		httpmock.NewStringResponder(200, `{
+	}`))
+	httpmock.RegisterResponder("GET", "https://public.ecr.aws/v2/amazonlinux/amazonlinux/manifests/2023", httpmock.NewStringResponder(200, resp))
+
 	tests := []struct {
 		fileName        string
 		isChanged       bool
@@ -48,8 +56,10 @@ func TestSecureDockerFile(t *testing.T) {
 		{fileName: "Dockerfile-not-pinned", isChanged: true, useExemptConfig: false},
 		{fileName: "Dockerfile-not-pinned-as", isChanged: true, useExemptConfig: false},
 		{fileName: "Dockerfile-multiple-images", isChanged: true, useExemptConfig: false},
-		{fileName: "Dockerfile-exempted", isChanged: false, exemptedImages: []string{"python"}, useExemptConfig: true},
-		{fileName: "Dockerfile-exempted-wildcard", isChanged: true, exemptedImages: []string{"amazon*", "alpine"}, useExemptConfig: true},
+		{fileName: "Dockerfile-exempted", isChanged: false, exemptedImages: []string{"python:3.7"}, useExemptConfig: true},
+		{fileName: "Dockerfile-exempted-wildcard", isChanged: true, exemptedImages: []string{"amazon*", "alpine:*"}, useExemptConfig: true},
+		{fileName: "Dockerfile-imageandtag-exempted", isChanged: true, exemptedImages: []string{"amazonlinux:2"}, useExemptConfig: true},
+		{fileName: "Dockerfile-imageandtag-exempted-2", isChanged: true, exemptedImages: []string{"public.ecr.aws/amazonlinux/amazonlinux:2023"}, useExemptConfig: true},
 	}
 
 	for _, test := range tests {

remediation/workflow/pin/pinactions_test.go

@@ -453,10 +453,28 @@ func TestActionExists(t *testing.T) {
 		t.Errorf("ActionExists returned true for actions/checkout/something")
 	}
 
+	result = ActionExists("amazonlinux:2023", []string{"amazonlinux:*"})
+	t.Log(result)
+	if !result {
+		t.Errorf("ActionExists returned true for amazonlinux:2023")
+	}
+
 	result = ActionExists("step-security/checkout-release/something", []string{"*/checkout-*"})
 	t.Log(result)
 	if !result {
-		t.Errorf("ActionExists returned true for actions/checkout/something")
+		t.Errorf("ActionExists returned true for step-security/checkout-release/something")
+	}
+
+	result = ActionExists("amazonlinux:2023", []string{"amazonlinux:2023"})
+	t.Log(result)
+	if !result {
+		t.Errorf("ActionExists returned true for amazonlinux:2023")
+	}
+
+	result = ActionExists("amazonlinux:2023", []string{"amazonlinux*"})
+	t.Log(result)
+	if !result {
+		t.Errorf("ActionExists returned true for amazonlinux:2023")
 	}
 
 }

testfiles/dockerfiles/input/Dockerfile-imageandtag-exempted

@@ -0,0 +1,11 @@
+FROM --platform=linux/x86_64 amazonlinux:2
+
+FROM --platform=linux/x86_64 amazonlinux:2023 as build_env
+
+FROM python:3.7
+
+RUN apt-get update && apt-get install -y vim
+
+WORKDIR /app
+
+FROM public.ecr.aws/amazonlinux/amazonlinux:2023

testfiles/dockerfiles/input/Dockerfile-imageandtag-exempted-2

@@ -0,0 +1,11 @@
+FROM --platform=linux/x86_64 amazonlinux:2023 as build_env
+
+FROM --platform=linux/x86_64 amazonlinux:2 as base
+
+FROM python:3.7
+
+RUN apt-get update && apt-get install -y vim
+
+WORKDIR /app
+
+FROM public.ecr.aws/amazonlinux/amazonlinux:2023

testfiles/dockerfiles/output/Dockerfile-imageandtag-exempted

@@ -0,0 +1,11 @@
+FROM --platform=linux/x86_64 amazonlinux:2
+
+FROM --platform=linux/x86_64 amazonlinux:2023@sha256:5fb6f4b9d73ddeb0e431c938bee25c69157a1e3c880a81ff72c43a8055628de5 as build_env
+
+FROM python:3.7@sha256:5fb6f4b9d73ddeb0e431c938bee25c69157a1e3c880a81ff72c43a8055628de5
+
+RUN apt-get update && apt-get install -y vim
+
+WORKDIR /app
+
+FROM public.ecr.aws/amazonlinux/amazonlinux:2023@sha256:5fb6f4b9d73ddeb0e431c938bee25c69157a1e3c880a81ff72c43a8055628de5

testfiles/dockerfiles/output/Dockerfile-imageandtag-exempted-2

@@ -0,0 +1,11 @@
+FROM --platform=linux/x86_64 amazonlinux:2023@sha256:5fb6f4b9d73ddeb0e431c938bee25c69157a1e3c880a81ff72c43a8055628de5 as build_env
+
+FROM --platform=linux/x86_64 amazonlinux:2@sha256:5fb6f4b9d73ddeb0e431c938bee25c69157a1e3c880a81ff72c43a8055628de5 as base
+
+FROM python:3.7@sha256:5fb6f4b9d73ddeb0e431c938bee25c69157a1e3c880a81ff72c43a8055628de5
+
+RUN apt-get update && apt-get install -y vim
+
+WORKDIR /app
+
+FROM public.ecr.aws/amazonlinux/amazonlinux:2023