Restrict Build Scripts
Type: Rule
ID: images-disallowed-build-script
Source: v2/rules/images/blocklist-build-scripts.yaml
Rego Source: blocklist-build-scripts.rego
Labels: SBOM, Images
Verify that no build commands recorded in the image SBOM match an entry in the blocklist.
This rule requires an Image SBOM. See here for more details.
Signed evidence for this rule IS NOT required by default but is recommended.
The rule requires evaluation with a target. Without one, it is disabled unless the --all-evidence flag is provided.
The rule is scoped by target and product.
Usage example

```yaml
uses: images/blocklist-build-scripts@v2
with:
  blocklist:
    - "wget"
    - "curl"
```
Mitigation
Prevents the execution of unauthorized or insecure build scripts during the image build process, reducing the risk of malicious command injection and ensuring a more secure supply chain.
Description
This rule inspects the SBOM (in CycloneDX JSON format) for each layer component and looks for a property named `CreatedBy`, which holds the build command that produced that layer. It then checks whether the value of this property contains any of the substrings given in the `blocklist` parameter. If a match is found, the rule generates a violation indicating that a disallowed build script command was used during the build process.
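To make the matching logic concrete, here is an added illustrative re-implementation in Python (not the rule's own Rego, and not part of this page): it walks a constructed CycloneDX JSON SBOM, treats any component that carries a `CreatedBy` property as a layer (an assumption; the component type used below is constructed), and reports every layer whose command contains a blocklisted substring.

```python
import json

# Constructed sample CycloneDX JSON SBOM (not a real image SBOM). The "type"
# values are placeholders; only the CreatedBy property matters for this check.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.2"},
        {"type": "file", "name": "layer-1", "properties": [
            {"name": "CreatedBy",
             "value": "RUN apt-get update && apt-get install -y ca-certificates"}]},
        {"type": "file", "name": "layer-2", "properties": [
            {"name": "CreatedBy",
             "value": "RUN curl -fsSL https://example.invalid/tool.tar.gz -o /tmp/tool.tar.gz"}]},
        {"type": "file", "name": "layer-3", "properties": [
            {"name": "CreatedBy", "value": "COPY ./app /app"}]},
    ],
})


def layer_commands(sbom):
    """Yield (component name, CreatedBy value) for every component that has one."""
    for comp in sbom.get("components", []):
        for prop in comp.get("properties", []):
            if prop.get("name") == "CreatedBy":
                yield comp.get("name", "<unnamed>"), prop.get("value", "")


def find_violations(sbom_json, blocklist):
    """Return one violation per layer whose build command contains a blocklisted substring.

    Matching is plain, case-sensitive substring matching, as the rule description states,
    so "Curl" would not match the entry "curl".
    """
    sbom = json.loads(sbom_json)
    violations = []
    for name, created_by in layer_commands(sbom):
        matched = [entry for entry in blocklist if entry and entry in created_by]
        if matched:
            violations.append({"layer": name, "command": created_by, "matched": matched})
    return violations


if __name__ == "__main__":
    for v in find_violations(SAMPLE_SBOM, ["wget", "curl"]):
        print(f"violation: layer {v['layer']} matched {v['matched']}: {v['command']}")
```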
Evidence Requirements
| Field | Value |
|---|---|
| signed | False |
| content_body_type | cyclonedx-json |
| target_type | container |
| filter-by | ['target', 'product'] |
Input Definitions
| Parameter | Type | Required | Description |
|---|---|---|---|
| blocklist | array | False | A list of disallowed build script commands. Each entry should be a string representing a command or substring. |