Add more rego policies policies

Hi there :wave:, @dryrunsecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Configured Codepaths Analyzer	:white_check_mark:	0 findings
IDOR Analyzer	:white_check_mark:	0 findings
Sensitive Files Analyzer	:white_check_mark:	0 findings
Authn/Authz Analyzer	:white_check_mark:	0 findings
SQL Injection Analyzer	:white_check_mark:	0 findings
Secrets Analyzer	:white_check_mark:	0 findings

[!Note] :green_circle: Risk threshold not exceeded.

Change Summary (click to expand)
The following is a summary of changes in this pull request made by me, your security buddy :robot:. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective. **Summary:** The code changes in this pull request focus on introducing new Rego policies for validating Docker containers and Dockerfiles. These policies are designed to improve the security and reliability of containerized applications by enforcing best practices and reducing the risk of potential vulnerabilities. The key changes include: 1. **Enforcement of Single CMD and ENTRYPOINT Instructions**: The `check_cmd.rego` and `check_entrypoint.rego` policies ensure that Dockerfiles have only a single `CMD` and `ENTRYPOINT` instruction, respectively. This helps maintain consistency and predictability in the container's execution, reducing the risk of unintended consequences or security issues. 2. **HEALTHCHECK Validation**: The `check_healthcheck.rego` policy checks if the Dockerfile includes a `HEALTHCHECK` instruction, which is an important security measure for detecting and mitigating potential issues with the running container. 3. **Rego-based Policy Approach**: The use of Rego, a declarative policy language, allows for the creation of reusable and maintainable security policies that can be applied to various Docker-related assets, such as Dockerfiles, container images, and runtime configurations. 4. **Informative Policy Messages**: The policy configurations include descriptive messages that explain the purpose and importance of the specific security checks, which can be helpful for developers reviewing the policy results. Overall, these code changes represent a security-focused enhancement to the Docker policy validation process, helping to ensure the security and reliability of the containerized application. As an application security engineer, I would recommend approving this pull request, as it contributes to improving the security posture of the project. **Files Changed:** 1. `genval/defaultpolicies/rego/docker_policies/check_cmd/check_cmd.json` and `genval/defaultpolicies/rego/docker_policies/check_cmd/check_cmd.rego`: These files introduce a new policy named "CheckSingleCMD" that checks for the presence of multiple `CMD` instructions in a Dockerfile, ensuring that there is only one `CMD` instruction. 2. `.gitignore`: The changes made to the `.gitignore` file are routine and do not raise any significant application security concerns, as the new pattern added (`results*.*`) is a common practice for ignoring temporary or intermediate data files. 3. `genval/defaultpolicies/rego/docker_policies/check_entrypoint/check_entrypoint.json` and `genval/defaultpolicies/rego/docker_policies/check_entrypoint/check_entrypoint.rego`: These files introduce a new policy named "CheckSingleENTRYPOINT" that checks for the presence of multiple `ENTRYPOINT` instructions in a Dockerfile, ensuring that there is only one `ENTRYPOINT` instruction. 4. `genval/defaultpolicies/rego/docker_policies/check_healthchek/check_healthcheck.rego` and `genval/defaultpolicies/rego/docker_policies/check_healthchek/check_healthcheck.json`: These files introduce a new policy named "CheckHealthCheck" that checks if the Dockerfile includes a `HEALTHCHECK` instruction, which is an important security measure for detecting and mitigating potential issues with the running container.

intelops / policyhub

Add more rego policies policies #12