Alpine Linux Package Manager (apk) in Image
No violationsstackroxlowbuilddeployAlert on deployments with the Alpine Linux package manager (apk) present
- Rationale
- Package managers make it easier for attackers to use compromised containers, since they can easily add software.
- Remediation
- Run `apk --purge del apk-tools` in the image build for production containers.
CategoriesSecurity Best Practices
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 9.2
- ISO/IEC 27001 2022
- A.8.9
- NIST SP 800-53 rev. 5
- CM-2
- PCI DSS 4.0
- 2.2.16.3.2
Generated artifacts
1 of 5 targets supportedalpine-linux-package-manager-apk-in-image.rego
# Alpine Linux Package Manager (apk) in Image (trivy)
# severity: low
# source: stackrox/a5248b33-5027-4aaf-a6b6-896f73fc6d28
package trivy.alpine_linux_package_manager_apk_in_image
deny[msg] {
# rule 1
some p
p := input.Packages[_]
p.Name == {"apk-tools"}[_]
msg := "[low] Alpine Linux Package Manager (apk) in Image: Alert on deployments with the Alpine Linux package manager (apk) present"
}
IR (canonical)
{
"id": "a5248b33-5027-4aaf-a6b6-896f73fc6d28",
"name": "Alpine Linux Package Manager (apk) in Image",
"description": "Alert on deployments with the Alpine Linux package manager (apk) present",
"rationale": "Package managers make it easier for attackers to use compromised containers, since they can easily add software.",
"remediation": "Run `apk --purge del apk-tools` in the image build for production containers.",
"severity": "low",
"categories": [
"Security Best Practices"
],
"lifecycle": [
"build",
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [
{
"name": "master-etcd-openshift-master-.*",
"namespace": "kube-system"
},
{
"name": "token-refresher",
"namespace": "openshift-monitoring"
},
{
"name": "csi-azuredisk-node-win",
"namespace": "kube-system"
}
],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "image-component",
"values": [
"apk-tools="
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "a5248b33-5027-4aaf-a6b6-896f73fc6d28",
"name": "Alpine Linux Package Manager (apk) in Image",
"description": "Alert on deployments with the Alpine Linux package manager (apk) present",
"rationale": "Package managers make it easier for attackers to use compromised containers, since they can easily add software.",
"remediation": "Run `apk --purge del apk-tools` in the image build for production containers.",
"disabled": false,
"categories": [
"Security Best Practices"
],
"lifecycleStages": [
"BUILD",
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [
{
"name": "Don't alert on the master-etcd deployment",
"deployment": {
"name": "master-etcd-openshift-master-.*",
"scope": {
"cluster": "",
"namespace": "kube-system",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on the token-refresher deployment in namespace openshift-monitoring",
"deployment": {
"name": "token-refresher",
"scope": {
"cluster": "",
"namespace": "openshift-monitoring",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment csi-azuredisk-node-win in kube-system namespace",
"deployment": {
"name": "csi-azuredisk-node-win",
"scope": {
"cluster": "",
"namespace": "kube-system",
"label": null
}
},
"image": null
}
],
"scope": [],
"severity": "LOW_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Image Component",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "apk-tools="
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}