Back to catalog

Alpine Linux Package Manager (apk) in Image

No violationsstackroxlowbuilddeploy

Alert on deployments with the Alpine Linux package manager (apk) present

Rationale
Package managers make it easier for attackers to use compromised containers, since they can easily add software.
Remediation
Run `apk --purge del apk-tools` in the image build for production containers.
CategoriesSecurity Best Practices
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 9.2
ISO/IEC 27001 2022
A.8.9
NIST SP 800-53 rev. 5
CM-2
PCI DSS 4.0
2.2.16.3.2

Generated artifacts

1 of 5 targets supported
alpine-linux-package-manager-apk-in-image.rego
# Alpine Linux Package Manager (apk) in Image (trivy)
# severity: low
# source: stackrox/a5248b33-5027-4aaf-a6b6-896f73fc6d28
package trivy.alpine_linux_package_manager_apk_in_image

deny[msg] {
  # rule 1
  some p
  p := input.Packages[_]
  p.Name == {"apk-tools"}[_]
  msg := "[low] Alpine Linux Package Manager (apk) in Image: Alert on deployments with the Alpine Linux package manager (apk) present"
}
IR (canonical)
{
  "id": "a5248b33-5027-4aaf-a6b6-896f73fc6d28",
  "name": "Alpine Linux Package Manager (apk) in Image",
  "description": "Alert on deployments with the Alpine Linux package manager (apk) present",
  "rationale": "Package managers make it easier for attackers to use compromised containers, since they can easily add software.",
  "remediation": "Run `apk --purge del apk-tools` in the image build for production containers.",
  "severity": "low",
  "categories": [
    "Security Best Practices"
  ],
  "lifecycle": [
    "build",
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [
    {
      "name": "master-etcd-openshift-master-.*",
      "namespace": "kube-system"
    },
    {
      "name": "token-refresher",
      "namespace": "openshift-monitoring"
    },
    {
      "name": "csi-azuredisk-node-win",
      "namespace": "kube-system"
    }
  ],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "image-component",
    "values": [
      "apk-tools="
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "a5248b33-5027-4aaf-a6b6-896f73fc6d28",
  "name": "Alpine Linux Package Manager (apk) in Image",
  "description": "Alert on deployments with the Alpine Linux package manager (apk) present",
  "rationale": "Package managers make it easier for attackers to use compromised containers, since they can easily add software.",
  "remediation": "Run `apk --purge del apk-tools` in the image build for production containers.",
  "disabled": false,
  "categories": [
    "Security Best Practices"
  ],
  "lifecycleStages": [
    "BUILD",
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [
    {
      "name": "Don't alert on the master-etcd deployment",
      "deployment": {
        "name": "master-etcd-openshift-master-.*",
        "scope": {
          "cluster": "",
          "namespace": "kube-system",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on the token-refresher deployment in namespace openshift-monitoring",
      "deployment": {
        "name": "token-refresher",
        "scope": {
          "cluster": "",
          "namespace": "openshift-monitoring",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment csi-azuredisk-node-win in kube-system namespace",
      "deployment": {
        "name": "csi-azuredisk-node-win",
        "scope": {
          "cluster": "",
          "namespace": "kube-system",
          "label": null
        }
      },
      "image": null
    }
  ],
  "scope": [],
  "severity": "LOW_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Image Component",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "apk-tools="
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}