Adding a security-oriented rulepack (#126)

sample_rules/security_rules.yaml

@@ -0,0 +1,49 @@
+---
+profile:
+  name: "Security Rules"
+  description: "Set of rules focus on security aspects of Dockerfiles"
+line_rules:
+  ADD:
+    paramSyntaxRegex: /^~?([\w-.~:/?#\[\]\\\/*@!$&'()*+,;=.{}"]+[\s]*)+$/
+    rules:
+      -
+        label: "no_add_without_https"
+        regex: /http\:\/\/.*/
+        level: "warn"
+        message: "ADD is using a non-HTTPS url as source"
+        description: "Using a URL without HTTPS can lead to MITM attacks on your infrastructure"
+  RUN:
+    paramSyntaxRegex: /.+/
+    rules:
+      -
+        label: "no_run_without_https"
+        regex: /http\:\/\/.*/g
+        level: "warn"
+        message: "RUN is referencing a non-HTTPS url"
+        description: "Using a URL without HTTPS can lead to MITM attacks on your infrastructure"
+      -
+        label: "no_run_with_sudo"
+        regex: /sudo/
+        level: "warn"
+        message: "Sudo has dangerous side effects"
+        description: "Using sudo may lead to privilige escalation"
+  USER:
+    paramSyntaxRegex: /^[a-z0-9_][a-z0-9_]{0,40}$/
+    rules:
+      -
+        label: "root_user"
+        regex: /root|0/
+        level: "error"
+        message: "Running as a root user"
+        description: "Containers should not run as root. Create a separate user instead."
+        reference_url:
+          - "https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b"
+required_instructions:
+  -
+    instruction: "USER"
+    count: 1
+    level: "warn"
+    message: "No 'USER' instruction in the file"
+    description: "If a USER command is not specified, the container may be running as the root user"
+    reference_url:
+      - "https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b"