Back to catalog

Curl in Image

No violationsstackroxlowbuilddeploy

Alert on deployments with curl present

Rationale
Leaving download tools like curl in an image makes it easier for attackers to use compromised containers, since they can easily download software.
Remediation
Use your package manager's "remove", "purge" or "erase" command to remove curl from the image build for production containers. Ensure that any configuration files are also removed.
CategoriesSecurity Best Practices
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 9.2
ISO/IEC 27001 2022
A.8.9
NIST SP 800-53 rev. 5
CM-2
PCI DSS 4.0
2.2.16.3.2

Generated artifacts

1 of 5 targets supported
curl-in-image.rego
# Curl in Image (trivy)
# severity: low
# source: stackrox/1913283f-ce3c-4134-84ef-195c4cd687ae
package trivy.curl_in_image

deny[msg] {
  # rule 1
  some p
  p := input.Packages[_]
  p.Name == {"curl"}[_]
  msg := "[low] Curl in Image: Alert on deployments with curl present"
}
IR (canonical)
{
  "id": "1913283f-ce3c-4134-84ef-195c4cd687ae",
  "name": "Curl in Image",
  "description": "Alert on deployments with curl present",
  "rationale": "Leaving download tools like curl in an image makes it easier for attackers to use compromised containers, since they can easily download software.",
  "remediation": "Use your package manager's \"remove\", \"purge\" or \"erase\" command to remove curl from the image build for production containers. Ensure that any configuration files are also removed.",
  "severity": "low",
  "categories": [
    "Security Best Practices"
  ],
  "lifecycle": [
    "build",
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [
    {
      "name": "collector",
      "namespace": "stackrox"
    },
    {
      "name": "central",
      "namespace": "stackrox"
    },
    {
      "name": "sensor",
      "namespace": "stackrox"
    },
    {
      "name": "admission-control",
      "namespace": "stackrox"
    }
  ],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "image-component",
    "values": [
      "curl="
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": true
}
Original StackRox JSON
{
  "id": "1913283f-ce3c-4134-84ef-195c4cd687ae",
  "name": "Curl in Image",
  "description": "Alert on deployments with curl present",
  "rationale": "Leaving download tools like curl in an image makes it easier for attackers to use compromised containers, since they can easily download software.",
  "remediation": "Use your package manager's \"remove\", \"purge\" or \"erase\" command to remove curl from the image build for production containers. Ensure that any configuration files are also removed.",
  "disabled": true,
  "categories": [
    "Security Best Practices"
  ],
  "lifecycleStages": [
    "BUILD",
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [
    {
      "name": "Don't alert on StackRox collector",
      "deployment": {
        "name": "collector",
        "scope": {
          "cluster": "",
          "namespace": "stackrox",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on StackRox central",
      "deployment": {
        "name": "central",
        "scope": {
          "cluster": "",
          "namespace": "stackrox",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on StackRox sensor",
      "deployment": {
        "name": "sensor",
        "scope": {
          "cluster": "",
          "namespace": "stackrox",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on StackRox admission controller",
      "deployment": {
        "name": "admission-control",
        "scope": {
          "cluster": "",
          "namespace": "stackrox",
          "label": null
        }
      },
      "image": null
    }
  ],
  "scope": [],
  "severity": "LOW_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Image Component",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "curl="
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}