Banned Ports
Type: Rule
ID: images-banned-ports
Source: v2/rules/images/banned-ports.yaml
Rego Source: banned-ports.rego
Labels: SBOM, Images
Ensures that the container image does not expose ports that are disallowed by organizational policy. The rule examines properties in the SBOM metadata and checks each value (expected in the format "port/protocol") against a provided banned ports list. It fails if any banned port is exposed or if no banned ports list is provided.
This rule requires Image SBOM. See here for more details.
Signed Evidence for this rule IS NOT required by default but is recommended.
Rule requires evaluation with a target. Without one, it will be disabled unless the --all-evidence flag is provided.
Rule is scoped by target and product.
Usage example
```yaml
uses: images/banned-ports@v2
with:
  banned_ports:
    - port: "3000"
      protocol: "tcp"
    - port: "8080"
      protocol: "tcp"
```
Mitigation
Prevents deployment of container images that expose disallowed ports, reducing the risk of unauthorized network access and potential exploitation. This check ensures that only images with approved port configurations are deployed.
Description
This rule evaluates the CycloneDX SBOM evidence for a container image to verify that no disallowed ports are exposed. It performs the following steps:
- Retrieves all properties from the SBOM's `metadata.component.properties` whose names start with "imageExposedPorts_".
- Expects each property value to be formatted as "port/protocol" (e.g., "3000/tcp") and splits the value into its components.
- Compares each exposed port against the list of banned ports provided in the configuration (`with.banned_ports`).
- If a banned port (and, if specified, protocol) is detected, the rule flags it as a violation.
- If no banned ports list is provided, the rule also fails.
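The steps above, re-implemented in Python as an added illustration (this is not the rule's own Rego source). The SBOM fragment and the `evaluate`/`exposed_ports` function names are constructed for the example; the verdict rules (protocol-optional matching, failure on an empty banned list) follow the description.

```python
import json

# Constructed CycloneDX SBOM fragment mimicking the
# metadata.component.properties layout the rule inspects.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {
        "type": "container",
        "name": "example/app",
        "properties": [
            {"name": "imageExposedPorts_0", "value": "3000/tcp"},
            {"name": "imageExposedPorts_1", "value": "443/tcp"},
            {"name": "imageExposedPorts_2", "value": "8080/udp"},
            {"name": "imageTag", "value": "latest"},  # ignored: wrong prefix
        ],
    }},
})

PORT_PROPERTY_PREFIX = "imageExposedPorts_"


def exposed_ports(sbom_json):
    """Return [(port, protocol)] parsed from imageExposedPorts_* properties."""
    sbom = json.loads(sbom_json)
    props = sbom.get("metadata", {}).get("component", {}).get("properties", [])
    found = []
    for prop in props:
        if not str(prop.get("name", "")).startswith(PORT_PROPERTY_PREFIX):
            continue
        # Value is expected as "port/protocol"; a missing protocol yields "".
        port, _, proto = str(prop.get("value", "")).partition("/")
        found.append((port.strip(), proto.strip().lower()))
    return found


def evaluate(sbom_json, banned_ports):
    """Return (passed, violations) following the rule's verdict logic."""
    if not banned_ports:
        return False, ["no banned_ports list provided"]
    violations = []
    for port, proto in exposed_ports(sbom_json):
        for banned in banned_ports:
            if str(banned.get("port")) != port:
                continue
            banned_proto = str(banned.get("protocol", "")).lower()
            if banned_proto and banned_proto != proto:
                continue  # protocol given in policy but does not match
            violations.append(f"{port}/{proto} is banned")
    return (not violations), violations
```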
Evidence Requirements:
- Evidence must be provided in the CycloneDX JSON format.
- The SBOM must include a `metadata.component.properties` array with entries for exposed ports.
Evidence Requirements
| Field | Value |
|---|---|
| content_body_type | cyclonedx-json |
| target_type | container |
| filter-by | ['target', 'product'] |
Input Definitions
| Parameter | Type | Required | Description |
|---|---|---|---|
| banned_ports | array | False | A list of banned ports and protocols. Each entry should be a dictionary with 'port' and 'protocol' keys. |