Curl in Image
No violationsstackroxlowbuilddeployAlert on deployments with curl present
- Rationale
- Leaving download tools like curl in an image makes it easier for attackers to use compromised containers, since they can easily download software.
- Remediation
- Use your package manager's "remove", "purge" or "erase" command to remove curl from the image build for production containers. Ensure that any configuration files are also removed.
CategoriesSecurity Best Practices
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 9.2
- ISO/IEC 27001 2022
- A.8.9
- NIST SP 800-53 rev. 5
- CM-2
- PCI DSS 4.0
- 2.2.16.3.2
Generated artifacts
1 of 5 targets supportedcurl-in-image.rego
# Curl in Image (trivy)
# severity: low
# source: stackrox/1913283f-ce3c-4134-84ef-195c4cd687ae
package trivy.curl_in_image
deny[msg] {
# rule 1
some p
p := input.Packages[_]
p.Name == {"curl"}[_]
msg := "[low] Curl in Image: Alert on deployments with curl present"
}
IR (canonical)
{
"id": "1913283f-ce3c-4134-84ef-195c4cd687ae",
"name": "Curl in Image",
"description": "Alert on deployments with curl present",
"rationale": "Leaving download tools like curl in an image makes it easier for attackers to use compromised containers, since they can easily download software.",
"remediation": "Use your package manager's \"remove\", \"purge\" or \"erase\" command to remove curl from the image build for production containers. Ensure that any configuration files are also removed.",
"severity": "low",
"categories": [
"Security Best Practices"
],
"lifecycle": [
"build",
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [
{
"name": "collector",
"namespace": "stackrox"
},
{
"name": "central",
"namespace": "stackrox"
},
{
"name": "sensor",
"namespace": "stackrox"
},
{
"name": "admission-control",
"namespace": "stackrox"
}
],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "image-component",
"values": [
"curl="
],
"valuesOp": "or",
"negate": false
},
"disabled": true
}Original StackRox JSON
{
"id": "1913283f-ce3c-4134-84ef-195c4cd687ae",
"name": "Curl in Image",
"description": "Alert on deployments with curl present",
"rationale": "Leaving download tools like curl in an image makes it easier for attackers to use compromised containers, since they can easily download software.",
"remediation": "Use your package manager's \"remove\", \"purge\" or \"erase\" command to remove curl from the image build for production containers. Ensure that any configuration files are also removed.",
"disabled": true,
"categories": [
"Security Best Practices"
],
"lifecycleStages": [
"BUILD",
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [
{
"name": "Don't alert on StackRox collector",
"deployment": {
"name": "collector",
"scope": {
"cluster": "",
"namespace": "stackrox",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on StackRox central",
"deployment": {
"name": "central",
"scope": {
"cluster": "",
"namespace": "stackrox",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on StackRox sensor",
"deployment": {
"name": "sensor",
"scope": {
"cluster": "",
"namespace": "stackrox",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on StackRox admission controller",
"deployment": {
"name": "admission-control",
"scope": {
"cluster": "",
"namespace": "stackrox",
"label": null
}
},
"image": null
}
],
"scope": [],
"severity": "LOW_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Image Component",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "curl="
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}