Detecting image usages in CircleCI pipelines
Description
This policy checks for the usage of images in CircleCI pipelines. It detects the 'image' attribute of each entry in the 'docker' list under the 'executors' and 'jobs' sections. The check matters because the images a pipeline runs on should be up-to-date, secure, and properly configured. However, the provided code does not actually perform any validation on the images, so the severity is set to LOW. The check is best read as a starting point for more advanced image validation.
Code Example

```python
from typing import Any

from checkov.common.models.enums import CheckResult


def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:
    # Example validation: check if every image is from a trusted repository.
    # CircleCI 'docker' entries are lists of containers, each with its own 'image'.
    for key, value in conf.items():
        if not isinstance(value, dict):
            continue  # e.g. the top-level 'version' key
        for container in value.get('docker') or []:
            image = container.get('image', '') if isinstance(container, dict) else ''
            if not image.startswith('trusted-repo/'):
                return CheckResult.FAILED, conf
    return CheckResult.PASSED, conf
```

Remediation
To properly fix this, implement the scan_conf method to validate the image usage, for example by checking if the image is from a trusted repository or if it has any known vulnerabilities.
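As an added example (not the policy's own code, and independent of Checkov), the following walks the executors..docker[] and jobs..docker[] paths of a constructed CircleCI config and reports images that are not from the assumed trusted registry 'trusted-repo/' or are not pinned to a tag or digest; the "unpinned tag" rule goes beyond the page's trusted-repository check.

```python
from typing import Any, Iterator

# Constructed sample CircleCI config (the dict a YAML parser would produce);
# the image names and the "trusted-repo" registry are assumptions for this example.
SAMPLE_CONFIG: dict[str, Any] = {
    "version": 2.1,
    "executors": {
        "py": {"docker": [{"image": "trusted-repo/python:3.11"}]},
    },
    "jobs": {
        "build": {
            "docker": [
                {"image": "trusted-repo/node:18"},
                {"image": "docker.io/library/redis:latest"},
            ],
        },
        "test": {"docker": [{"image": "postgres"}]},
    },
}

TRUSTED_PREFIX = "trusted-repo/"  # assumed allow-listed registry prefix


def iter_images(conf: dict[str, Any]) -> Iterator[tuple[str, str]]:
    """Yield (location, image) for every executors..docker[].image and jobs..docker[].image."""
    for section in ("executors", "jobs"):
        for name, body in (conf.get(section) or {}).items():
            if not isinstance(body, dict):
                continue
            for idx, container in enumerate(body.get("docker") or []):
                if isinstance(container, dict) and "image" in container:
                    yield f"{section}.{name}.docker[{idx}]", str(container["image"])


def image_findings(image: str) -> list[str]:
    """Return the policy violations for one image reference (empty list means compliant)."""
    findings = []
    if not image.startswith(TRUSTED_PREFIX):
        findings.append("untrusted registry")
    name = image.rsplit("/", 1)[-1]  # last path component, so registry ports are ignored
    # A tag or digest pins the image; 'latest' or no tag means the build is not reproducible.
    if "@sha256:" not in name and (":" not in name or name.endswith(":latest")):
        findings.append("unpinned tag")
    return findings


def scan_config(conf: dict[str, Any]) -> dict[str, list[str]]:
    """Map each failing image location to its findings; an empty dict means the config passes."""
    return {loc: f for loc, img in iter_images(conf) if (f := image_findings(img))}
```

Running scan_config(SAMPLE_CONFIG) flags jobs.build.docker[1] and jobs.test.docker[0]; the two trusted-repo images pass.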
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0829 |
| Severity | LOW |
| IaC Type | circleci_pipelines |
| Frameworks | executors..docker[].{image: image, startline: startline, endline:endline}, jobs..docker[]. |
| Checkov ID | CKV_CIRCLECIPIPELINES_8 |