From 2d0e1367da7de6b4ca780dfe148e838388414ec0 Mon Sep 17 00:00:00 2001
From: Omri SirComp
Date: Mon, 18 May 2026 17:24:09 +0300
Subject: [PATCH] fix(query): ignore anonymous compose volumes

---
 .../volume_has_sensitive_host_directory/query.rego | 1 +
 .../test/negative4.yaml | 7 +++++++
 .../test/positive1.yaml | 2 +-
 3 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/negative4.yaml

diff --git a/assets/queries/dockerCompose/volume_has_sensitive_host_directory/query.rego b/assets/queries/dockerCompose/volume_has_sensitive_host_directory/query.rego
index a2aea517042..f4094dda210 100644
--- a/assets/queries/dockerCompose/volume_has_sensitive_host_directory/query.rego
+++ b/assets/queries/dockerCompose/volume_has_sensitive_host_directory/query.rego
@@ -8,6 +8,7 @@ CxPolicy[result] {
 	volumes := service_parameters.volumes
 	volume := volumes[v]
 	path := split(volume,":")
+	count(path) > 1
 	host_path := path[0]
 	common_lib.isOSDir(host_path)
diff --git a/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/negative4.yaml b/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/negative4.yaml
new file mode 100644
index 00000000000..d0b0e206fa1
--- /dev/null
+++ b/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/negative4.yaml
@@ -0,0 +1,7 @@
+version: "3.9"
+
+services:
+  frontend:
+    image: node:20
+    volumes:
+      - /usr/src/app/node_modules
diff --git a/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/positive1.yaml b/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/positive1.yaml
index ddf82be8378..0f2007a1e39 100644
--- a/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/positive1.yaml
+++ b/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/positive1.yaml
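Review bot: The new `count(path) > 1` guard is the whole fix but nothing in the rule says why it is there, and a later reader could take it for an off-by-one on the split; I would annotate it: `# a single field (no ':') is an anonymous volume managed by Docker, not a bind mount of a host path`. The guard still lets a named volume such as `data-volume:/data` reach `common_lib.isOSDir` with `host_path == "data-volume"`, which is only correct if that helper rejects bare volume names — the helper is outside this hunk, so worth confirming with a negative fixture. Long-syntax entries (`type: bind` maps) are not strings, so `split(volume,":")` is undefined for them and the rule silently skips a `source: /etc` bind; that is pre-existing and this change does not narrow it, but it is the gap an attacker-controlled compose file would use. The `CxPolicy[result]` rule opens before the hunk and its result construction continues after it.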
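Review bot: The new negative fixture only exercises the added guard if `/usr` is among the prefixes `common_lib.isOSDir` treats as an OS directory, which cannot be confirmed from this patch; if it is not, the fixture passes with or without the fix. The old positive1 fixture was flagged on the bare `/var/lib/backup/data`, so that same string as an anonymous entry here is a case that is known to have triggered the rule before and should not after. Consider adding a second entry, `- /var/lib/backup/data`, under the same `volumes:` key so the fixture fails loudly if the guard is ever dropped.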
@@ -8,7 +8,7 @@ services:
   backup:
     image: backup-service
     volumes:
-      - /var/lib/backup/data
+      - /var/lib/backup/data:/backup/data
 volumes:
   data-volume: