
Add description as additional column in Rego validation results #69

Merged
merged 4 commits into from
May 6, 2024

Conversation

santoshkal
Collaborator

@santoshkal santoshkal commented May 3, 2024

This PR adds a column named Description in validation results for regoval.

Currently, as the policies live outside the executable and are provided by the user, it gets complex to infer against the policy content. Hence, the `msg` value in the policy is fetched and printed in the validation results.
This addition aims to provide users with clearer insights into the validation outcomes by presenting relevant policy messages directly within the results.

Validation results for Dockerfile (screenshot: validation-result)

Validation results for Kubernetes manifests (screenshot: genval-k8s)

Validation results for Terraform (screenshot: genval-tf)

Closes: #26

santoshkal added 3 commits May 2, 2024 21:15
Signed-off-by: Santosh <ksantosh@intelops.dev>
Signed-off-by: Santosh <ksantosh@intelops.dev>
Signed-off-by: Santosh <ksantosh@intelops.dev>

dryrunsecurity bot commented May 3, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status            | Findings
----------------------------------|-----------
Configured Codepaths Analyzer     | 0 findings
Sensitive Files Analyzer          | 0 findings
Authn/Authz Analyzer              | 0 findings
AppSec Analyzer                   | 0 findings
Secrets Analyzer                  | 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

This pull request includes a series of changes across multiple files, primarily focused on improving the security and reliability of the "genval" CLI tool and its associated Rego policies. The changes cover various aspects, such as version information retrieval, policy evaluation result printing, Rego policy implementation, and Kubernetes deployment validation.

From a security perspective, the changes do not introduce any obvious security vulnerabilities. The code modifications are mostly focused on improving code organization, readability, and the enforcement of security best practices. The removal of unused imports, the enhancement of error handling, and the compilation of Rego policies are all positive steps towards maintaining a secure application.

The most notable security-related changes include the enforcement of secure Dockerfile practices, such as the use of trusted base images, the avoidance of the root user, and the preference for the "COPY" instruction over "ADD". Additionally, the Kubernetes deployment validation policies aim to prevent the use of the "latest" tag, the storage of secrets in environment variables, and the use of privileged pods, which are all important security considerations.

Overall, the changes in this pull request demonstrate a proactive approach to improving the security posture of the application, and the application security engineer should continue to monitor the codebase and the implemented Rego policies to ensure the ongoing security and integrity of the system.

Files Changed:

  • pkg/utils/utils.go: The changes in this file enhance the version information retrieval and formatting for the "genval" CLI tool, providing more detailed and user-friendly version information.
  • pkg/validate/printresults.go: The changes in this file introduce a new PrintResults function that handles the formatting and display of Rego policy evaluation results in a tabular format, improving the readability of the output.
  • pkg/validate/regoval.go: The changes in this file simplify the result printing logic, removing the previous table-based implementation and replacing it with a more concise PrintResults function call.
  • cmd/root.go: The changes in this file update the initialization of the rootCmd for the "genvalctl" CLI tool, including the removal of the short description and the addition of color formatting for the output and error messages.
  • pkg/validate/testdata/rego/dockerfile_policies.rego: This file contains a set of Rego policies for validating the security of Dockerfiles, enforcing best practices such as the use of trusted base images, the avoidance of the root user, and the preference for the "COPY" instruction.
  • pkg/validate/testdata/rego/fail.rego: The changes in this file modify the untrusted_base_image Rego rule, which checks if the base image used in a Dockerfile is from the "cgr.dev" registry and ensures that the image has the "latest" tag.
  • pkg/validate/testdata/rego/k8s.rego: The changes in this file update the deny_latest Rego rule, which enforces the use of specific, versioned container images in Kubernetes deployments instead of the "latest" tag.
  • pkg/validate/validatedockerfile.go: The changes in this file improve the error handling, Rego policy compilation, and Rego query evaluation within the ValidateDockerfile function, enhancing the overall reliability and security of the Dockerfile validation process.
  • pkg/validate/validateinputfile.go: The changes in this file remove the table-based printing functionality and simplify the ValidateInput function, which is responsible for validating input data using a Rego policy.
  • templates/defaultpolicies/rego/inputfile_policies.rego: The changes in this file simplify the existing Rego policies for validating input files, making the code more concise and readable.
  • templates/defaultpolicies/rego/dockerfile_policies.rego: This file contains a set of Rego policies for validating the security of Dockerfiles, enforcing best practices such as the use of trusted base images, the avoidance of the root user, and the preference for the "COPY" instruction.
  • templates/defaultpolicies/rego/k8s.rego: The changes in this file update the Rego policies for validating Kubernetes deployments

Powered by DryRun Security

@santoshkal santoshkal requested a review from devopstoday11 May 3, 2024 11:51
Move the results evaluation and printing logic to a separate func and add
description column in results for all the regoval sub commands.
Update version command to print text logo and version

Signed-off-by: Santosh <ksantosh@intelops.dev>
@santoshkal santoshkal merged commit 5878839 into main May 6, 2024
11 checks passed

Successfully merging this pull request may close these issues.

Add additional contextual information in validation results
2 participants