Check Untrust Flag
Description
Using the --allow-untrusted flag in a Dockerfile is generally not recommended. It tells apk to install packages whose signatures cannot be verified, so the authenticity and integrity of those packages cannot be guaranteed and a tampered or spoofed package could be built into the image. This policy ensures that Dockerfiles do not contain the --allow-untrusted flag.
Kyverno policy
Refer to the Nirmata curated policies - check-untrust-flag.
Resource example
Below is an example of a Dockerfile that complies with this policy.
FROM alpine:latest
# apk verifies package signatures by default; no --allow-untrusted is passed
RUN apk update && \
    apk add --no-cache curl
WORKDIR /app
COPY . /app
CMD ["echo", "Container is running!"]
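Below is an added example, not part of the Nirmata policy set or of Kyverno, showing a stand-alone Python checker that implements the same rule: it joins backslash continuation lines, reads RUN instructions in both shell form and JSON exec form, and reports the line numbers of RUN instructions that pass --allow-untrusted as a token. The sample Dockerfiles CLEAN and BAD are constructed for the demonstration.

```python
# Added example: a minimal Dockerfile checker for the --allow-untrusted flag.
import json
import re
import shlex

FLAG = "--allow-untrusted"

def logical_lines(text):
    """Yield (line_no, instruction) with backslash continuations joined and
    blank/comment lines skipped, so a flag hidden on a continued line is seen."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start or no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        yield start, " ".join(buf + [line])
        buf, start = [], None

def run_argv(instruction):
    """Tokens of a RUN instruction in shell form or JSON exec form; None otherwise."""
    m = re.match(r"RUN\s+(.*)", instruction, re.IGNORECASE)
    if not m:
        return None
    args = m.group(1)
    if args.startswith("["):
        try:
            return [str(t) for t in json.loads(args)]
        except ValueError:
            pass  # not valid JSON: fall through and treat as shell form
    try:
        return shlex.split(args)
    except ValueError:  # unbalanced quotes: crude split rather than a miss
        return args.split()

def find_allow_untrusted(text):
    """Line numbers of RUN instructions where --allow-untrusted is a whole token
    (covers 'apk add --allow-untrusted x' and 'apk --allow-untrusted add x')."""
    return [no for no, instr in logical_lines(text)
            if any(tok == FLAG for tok in (run_argv(instr) or []))]

# Constructed sample Dockerfiles for demonstration (not from the page).
CLEAN = "FROM alpine:latest\nRUN apk update && \\\n    apk add --no-cache curl\n"
BAD = ('FROM alpine:latest\n# comment\nRUN apk update && \\\n'
       '    apk add --allow-untrusted --no-cache curl\n'
       'RUN ["apk", "add", "--allow-untrusted", "mypkg"]\n')
```

Matching on whole tokens means a quoted "--allow-untrusted" inside an echo is also reported, which is the conservative choice for a policy check.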