Disallow Specific Users in SBOM

Type: Rule
ID: sbom-disallowed-users
Source: v2/rules/images/banned-users.yaml
Rego Source: banned-users.rego
Labels: SBOM, Image

Verify specific users are not allowed in an SBOM.

Note: This rule requires an Image SBOM. See here for more details.

Tip: Signed evidence for this rule IS NOT required by default, but it is recommended.

Warning: The rule requires evaluation with a target. Without one, it is disabled unless the --all-evidence flag is provided.

Info: The rule is scoped by target and product.

Usage example

uses: images/banned-users@v2
with:
  users:
    - root

Mitigation

Prevents the execution of container images that run as default or disallowed user accounts, reducing the risk of privilege escalation and ensuring that only non-privileged user configurations reach production.

Description

This rule inspects the CycloneDX SBOM evidence for a container image to ensure that the image is not configured to run with a banned default user. It does so by examining the metadata.component.properties array for a property with the name "user". The value of this property is then compared against a list of disallowed users specified in the configuration (via with.users). If the image is found to be running as a banned user (for example, "root"), a violation is recorded.

Evidence Requirements:

  • Evidence must be provided in the CycloneDX JSON format.
  • The SBOM must include a metadata.component.properties array with an entry where the property name is "user".
  • The disallowed user list (e.g., ["root"]) must be provided in the with.users parameter.
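The check described above, reimplemented in Python as an added illustration (this is not the rule's own Rego source from banned-users.rego): it parses a CycloneDX JSON document, looks up the metadata.component.properties entry named "user", and compares its value against the with.users list. The sample SBOMs are constructed here and contain only the fields the rule inspects; the "not-applicable" result for an SBOM that lacks the "user" property is this example's own convention, not necessarily how the real rule reports that case.

```python
import json

# Constructed sample evidence (not taken from the page): an image whose
# metadata.component.properties records that it runs as root.
SAMPLE_SBOM_ROOT = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {
            "type": "container",
            "name": "example-app",
            "properties": [
                {"name": "user", "value": "root"},
                {"name": "arch", "value": "amd64"},
            ],
        }
    },
})

# Constructed sample evidence: the same image rebuilt to run as a non-privileged user.
SAMPLE_SBOM_NONROOT = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {
            "type": "container",
            "name": "example-app",
            "properties": [{"name": "user", "value": "app"}],
        }
    },
})

# Constructed sample evidence with no "user" property at all, which the rule
# cannot evaluate (the page lists that property as a requirement).
SAMPLE_SBOM_NO_USER = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "container", "name": "example-app", "properties": []}},
})


def image_user(sbom: dict):
    """Return the value of the metadata.component.properties entry named "user", or None."""
    props = sbom.get("metadata", {}).get("component", {}).get("properties", []) or []
    for prop in props:
        if prop.get("name") == "user":
            return prop.get("value")
    return None


def evaluate(sbom_json: str, banned_users) -> dict:
    """Evaluate the banned-users check over one CycloneDX JSON document.

    Returns a dict with a "status" of "violation", "pass" or "not-applicable".
    The "not-applicable" status is this example's assumption for evidence the
    rule cannot judge (wrong format, or no "user" property present).
    """
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        return {"status": "not-applicable", "reason": "evidence is not CycloneDX JSON"}
    user = image_user(sbom)
    if user is None:
        return {"status": "not-applicable",
                "reason": "no 'user' property in metadata.component.properties"}
    if user in set(banned_users):
        return {"status": "violation", "user": user}
    return {"status": "pass", "user": user}


if __name__ == "__main__":
    banned = ["root"]  # equivalent of the with.users parameter in the usage example
    for label, doc in (("root image", SAMPLE_SBOM_ROOT),
                       ("non-root image", SAMPLE_SBOM_NONROOT),
                       ("no user property", SAMPLE_SBOM_NO_USER)):
        print(label, "->", evaluate(doc, banned))
```

The function returns a structured result rather than printing so it can be called from a policy-evaluation harness; in a real pipeline the document passed to evaluate() would be the image SBOM attached as evidence to the target being verified.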

Evidence Requirements

Field              Value
signed             False
content_body_type  cyclonedx-json
target_type        container
filter-by          ['target', 'product']

Input Definitions

Parameter  Type   Required  Description
users      array  False     A list of disallowed users. Each entry should be a string representing a username.