syncable_cli/analyzer/hadolint/rules/
dl3026.rs

1//! DL3026: Use only an allowed registry in the FROM image
2//!
3//! Restricts base images to trusted registries configured in the config file.
4
5use crate::analyzer::hadolint::parser::instruction::Instruction;
6use crate::analyzer::hadolint::rules::{SimpleRule, simple_rule};
7use crate::analyzer::hadolint::shell::ParsedShell;
8use crate::analyzer::hadolint::types::Severity;
9
/// Builds the DL3026 rule entry ("Use only an allowed registry in the FROM image.").
///
/// The rule is registered with `Severity::Error`, but the predicate supplied here
/// accepts every instruction, `FROM` included, so this function on its own never
/// reports a failure.
///
/// Security note: with no registry allow-list configured, every registry is accepted.
/// The rule therefore gives no assurance about where base images are pulled from
/// until an allow-list is set.
///
/// NOTE(review): per the original author's comment, the real registry comparison is
/// performed in `lint.rs` against `config.allowed_registries`; that code is not
/// visible from this file, so confirm it there.
pub fn rule() -> SimpleRule<impl Fn(&Instruction, Option<&ParsedShell>) -> bool + Send + Sync> {
    simple_rule(
        "DL3026",
        Severity::Error,
        "Use only an allowed registry in the FROM image.",
        // Config-dependent rule: nothing can be decided without the allow-list,
        // so the predicate passes unconditionally for FROM and every other instruction.
        |_instr, _shell| true,
    )
}
29
#[cfg(test)]
mod tests {
    use super::*;
    use crate::analyzer::hadolint::config::HadolintConfig;
    use crate::analyzer::hadolint::lint::{LintResult, lint};

    // NOTE(review): both tests below exercise only the default configuration, i.e. the
    // allow-everything path. Neither shows that an image from an unlisted registry is
    // rejected once an allow-list is configured; that enforcement path needs its own test.

    /// Lints `content` using `HadolintConfig::default()`.
    fn lint_dockerfile(content: &str) -> LintResult {
        let config = HadolintConfig::default();
        lint(content, &config)
    }

    /// Returns `true` when the lint result contains a DL3026 failure.
    fn has_dl3026(result: &LintResult) -> bool {
        result.failures.iter().any(|f| f.code.as_str() == "DL3026")
    }

    #[test]
    fn test_docker_hub_default() {
        // An image with no registry prefix must not trigger DL3026 under the default config.
        let result = lint_dockerfile("FROM ubuntu:20.04");
        assert!(!has_dl3026(&result));
    }

    #[test]
    fn test_custom_registry_default() {
        // An explicit registry host is also accepted under the default config.
        let result = lint_dockerfile("FROM gcr.io/my-project/my-image:latest");
        assert!(!has_dl3026(&result));
    }
}