Checkmarx · cx-andre-pereira · Mar 23, 2026 · Mar 23, 2026 · Mar 24, 2026 · Mar 24, 2026
@@ -70,3 +70,9 @@ check_multi_stage(imageName, images) {
     sortedIndex := sort(unsortedIndex)
     imageName == sortedIndex[minus(count(sortedIndex), 1)].Name
 } 
+
+get_original_from_command(commands) = from_command {
+	commands[i].Cmd == "from"
+	from_command := substring(commands[i].Original, 0, 4)
+}
+
@@ -8,9 +8,11 @@ CxPolicy[result] {
 
 	not dockerLib.arrayContains(resource.Value, {".tar", ".tar."})
 
+	stage := input.document[i].command[name]
+	from_command := dockerLib.get_original_from_command(stage)
 	result := {
 		"documentId": input.document[i].id,
-		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+		"searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("'COPY' %s", [resource.Value[0]]),
 		"keyActualValue": sprintf("'ADD' %s", [resource.Value[0]]),

@@ -0,0 +1,10 @@
+from openjdk:10-jdk
+volume /tmp
+arg JAR_FILE
+copy ${JAR_FILE} app.jar
+entrypoint ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"]
+add http://source.file/package.file.tar.gz /temp
+run tar -xjf /temp/package.file.tar.gz \
+  && make -C /tmp/package.file \
+  && rm /tmp/ package.file.tar.gz
+# trigger validation
@@ -0,0 +1,9 @@
+from openjdk:10-jdk
+volume /tmp
+add http://source.file/package.file.tar.gz /temp
+run tar -xjf /temp/package.file.tar.gz \
+  && make -C /tmp/package.file \
+  && rm /tmp/ package.file.tar.gz
+arg JAR_FILE
+add ${JAR_FILE} app.jar
+entrypoint ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"]
@@ -1,7 +1,14 @@
 [
-  {
-    "queryName": "Add Instead of Copy",
-    "severity": "MEDIUM",
-    "line": 8
-  }
-]
+	{
+		"queryName": "Add Instead of Copy",
+		"severity": "MEDIUM",
+		"line": 8,
+		"fileName": "positive.dockerfile"
+	},
+	{
+		"queryName": "Add Instead of Copy",
+		"severity": "MEDIUM",
+		"line": 8,
+		"fileName": "positive2.dockerfile"
+	}
+]
@@ -10,9 +10,11 @@ CxPolicy[result] {
 	runCommands := dockerLib.getCommands(command.Value[0])
 	containsApkAddWithoutNoCache(runCommands)
 
+	stage := input.document[i].command[name]
+	from_command := dockerLib.get_original_from_command(stage)
 	result := {
 		"documentId": input.document[i].id,
-		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, command.Original]),
+		"searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, command.Original]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "'RUN' should not contain 'apk add' command without '--no-cache' switch",
 		"keyActualValue": "'RUN' contains 'apk add' command without '--no-cache' switch",

@@ -0,0 +1,7 @@
+from gliderlabs/alpine:3.3
+run apk add --no-cache python
+workdir /app
+onbuild COPY . /app
+onbuild RUN virtualenv /env && /env/bin/pip install -r /app/requirements.txt
+expose 8080
+cmd ["/env/bin/python", "main.py"]
@@ -0,0 +1,7 @@
+from gliderlabs/alpine:3.3
+run apk add --update-cache python
+workdir /app
+onbuild COPY . /app
+onbuild RUN virtualenv /env && /env/bin/pip install -r /app/requirements.txt
+expose 8080
+cmd ["/env/bin/python", "main.py"]
@@ -10,5 +10,11 @@
 		"severity": "INFO",
 		"line": 2,
 		"fileName": "positive2.dockerfile"
+	},
+	{
+		"queryName": "Apk Add Using Local Cache Path",
+		"severity": "INFO",
+		"line": 2,
+		"fileName": "positive3.dockerfile"
 	}
-]
+]
@@ -1,5 +1,7 @@
 package Cx
 
+import data.generic.dockerfile as dockerLib
+
 CxPolicy[result] {
 	resource := input.document[i].command[name][_]
 	resource.Cmd == "run"
@@ -10,9 +12,12 @@ CxPolicy[result] {
 
 	not hasClean(resource.Value[0], aptGet[0])
 
+	stage := input.document[i].command[name]
+	from_command := dockerLib.get_original_from_command(stage)
+	run_command := substring(resource.Original, 0, 3)
 	result := {
 		"documentId": input.document[i].id,
-		"searchKey": sprintf("FROM={{%s}}.RUN={{%s}}", [name, commands]),
+		"searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, run_command, commands]),
 		"issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute"
 		"keyExpectedValue": "After using apt-get install, the apt-get lists should be deleted",
 		"keyActualValue": "After using apt-get install, the apt-get lists were not deleted",

@@ -0,0 +1,15 @@
+from busyboxneg1
+run apt-get update && apt-get install --no-install-recommends -y python \
+  && apt-get clean \
+  && rm -rf /var/lib/apt/lists/*
+
+from busyboxneg2
+run apt-get update && apt-get install --no-install-recommends -y python && apt-get clean
+
+from busyboxneg3
+run apt-get update && apt-get install --no-install-recommends -y python \
+  && apt-get clean
+
+from busyboxneg4
+run apt-get update && apt-get install --no-install-recommends -y python \
+  && rm -rf /var/lib/apt/lists/*
@@ -0,0 +1,14 @@
+from busybox1
+run apt-get update && apt-get install --no-install-recommends -y python
+
+from busybox2
+run apt-get install python
+
+from busybox3
+run apt-get update && apt-get install --no-install-recommends -y python
+run rm -rf /var/lib/apt/lists/*
+
+from busybox4
+run apt-get update && apt-get install --no-install-recommends -y python
+run rm -rf /var/lib/apt/lists/*
+run apt-get clean
@@ -1,32 +1,56 @@
 [
-  {
-    "queryName": "Apt Get Install Lists Were Not Deleted",
-    "severity": "INFO",
-    "line": 2,
-    "fileName": "positive.dockerfile"
-  },
-  {
-    "queryName": "Apt Get Install Lists Were Not Deleted",
-    "severity": "INFO",
-    "line": 5,
-    "fileName": "positive.dockerfile"
-  },
-  {
-    "queryName": "Apt Get Install Lists Were Not Deleted",
-    "severity": "INFO",
-    "line": 8,
-    "fileName": "positive.dockerfile"
-  },
-  {
-    "queryName": "Apt Get Install Lists Were Not Deleted",
-    "severity": "INFO",
-    "line": 12,
-    "fileName": "positive.dockerfile"
-  },
-  {
-    "queryName": "Apt Get Install Lists Were Not Deleted",
-    "severity": "INFO",
-    "line": 2,
-    "fileName": "positive2.dockerfile"
-  }
-]
+	{
+		"queryName": "Apt Get Install Lists Were Not Deleted",
+		"severity": "INFO",
+		"line": 2,
+		"fileName": "positive.dockerfile"
+	},
+	{
+		"queryName": "Apt Get Install Lists Were Not Deleted",
+		"severity": "INFO",
+		"line": 5,
+		"fileName": "positive.dockerfile"
+	},
+	{
+		"queryName": "Apt Get Install Lists Were Not Deleted",
+		"severity": "INFO",
+		"line": 8,
+		"fileName": "positive.dockerfile"
+	},
+	{
+		"queryName": "Apt Get Install Lists Were Not Deleted",
+		"severity": "INFO",
+		"line": 12,
+		"fileName": "positive.dockerfile"
+	},
+	{
+		"queryName": "Apt Get Install Lists Were Not Deleted",
+		"severity": "INFO",
+		"line": 2,
+		"fileName": "positive2.dockerfile"
+	},
+	{
+		"queryName": "Apt Get Install Lists Were Not Deleted",
+		"severity": "INFO",
+		"line": 2,
+		"fileName": "positive3.dockerfile"
+	},
+	{
+		"queryName": "Apt Get Install Lists Were Not Deleted",
+		"severity": "INFO",
+		"line": 5,
+		"fileName": "positive3.dockerfile"
+	},
+	{
+		"queryName": "Apt Get Install Lists Were Not Deleted",
+		"severity": "INFO",
+		"line": 8,
+		"fileName": "positive3.dockerfile"
+	},
+	{
+		"queryName": "Apt Get Install Lists Were Not Deleted",
+		"severity": "INFO",
+		"line": 12,
+		"fileName": "positive3.dockerfile"
+	}
+]
@@ -18,9 +18,12 @@ CxPolicy[result] {
 	packageName := packages[j]
 	analyzePackages(j, packageName, packages, length)
 
+	stage := input.document[i].command[name]
+	from_command := dockerLib.get_original_from_command(stage)
+	run_command := substring(resource.Original, 0, 3)
 	result := {
 		"documentId": input.document[i].id,
-		"searchKey": sprintf("FROM={{%s}}.RUN={{%s}}", [name, commands]),
+		"searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, run_command, commands]),
 		"searchValue": packageName,
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": sprintf("Package '%s' has version defined", [packageName]),
@@ -44,9 +47,11 @@ CxPolicy[result] {
 	regex.match("^[a-zA-Z]", packageName) == true
 	not dockerLib.withVersion(packageName)
 
+	stage := input.document[i].command[name]
+	from_command := dockerLib.get_original_from_command(stage)
 	result := {
 		"documentId": input.document[i].id,
-		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+		"searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]),
 		"searchValue": packageName,
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("Package '%s' has version defined", [packageName]),

@@ -0,0 +1,2 @@
+from busybox
+run apt-get install python=2.7
@@ -0,0 +1,14 @@
+from busybox
+run apt-get install python
+run ["apt-get", "install", "python"]
+
+from busybox2
+run apt-get install -y -t python
+
+from busybox3
+run apt-get update && apt-get install -y \
+    python-qt4 \
+    python-pyside \
+    python-pip \
+    python3-pip \
+    python3-pyqt5
@@ -94,5 +94,53 @@
     "severity": "MEDIUM",
     "line": 9,
     "fileName": "positive2.dockerfile"
+  },
+  {
+    "queryName": "Apt Get Install Pin Version Not Defined",
+    "severity": "MEDIUM",
+    "line": 2,
+    "fileName": "positive3.dockerfile"
+  },
+  {
+    "queryName": "Apt Get Install Pin Version Not Defined",
+    "severity": "MEDIUM",
+    "line": 3,
+    "fileName": "positive3.dockerfile"
+  },
+  {
+    "queryName": "Apt Get Install Pin Version Not Defined",
+    "severity": "MEDIUM",
+    "line": 6,
+    "fileName": "positive3.dockerfile"
+  },
+  {
+    "queryName": "Apt Get Install Pin Version Not Defined",
+    "severity": "MEDIUM",
+    "line": 9,
+    "fileName": "positive3.dockerfile"
+  },
+  {
+    "queryName": "Apt Get Install Pin Version Not Defined",
+    "severity": "MEDIUM",
+    "line": 9,
+    "fileName": "positive3.dockerfile"
+  },
+  {
+    "queryName": "Apt Get Install Pin Version Not Defined",
+    "severity": "MEDIUM",
+    "line": 9,
+    "fileName": "positive3.dockerfile"
+  },
+  {
+    "queryName": "Apt Get Install Pin Version Not Defined",
+    "severity": "MEDIUM",
+    "line": 9,
+    "fileName": "positive3.dockerfile"
+  },
+  {
+    "queryName": "Apt Get Install Pin Version Not Defined",
+    "severity": "MEDIUM",
+    "line": 9,
+    "fileName": "positive3.dockerfile"
   }
 ]
@@ -15,9 +15,11 @@ CxPolicy[result] {
 
 	not avoidManualInput(command)
 
+	stage := input.document[i].command[name]
+	from_command := dockerLib.get_original_from_command(stage)
 	result := {
 		"documentId": input.document[i].id,
-		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+		"searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]),
 		"keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]),
@@ -33,10 +35,12 @@ CxPolicy[result] {
     dockerLib.arrayContains(resource.Value, {"apt-get", "install"})
 
     not avoidManualInputInList(resource.Value)
-
+
+    stage := input.document[i].command[name]
+	from_command := dockerLib.get_original_from_command(stage)
     result := {
         "documentId": input.document[i].id,
-        "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+        "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]),
         "issueType": "IncorrectValue",
         "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]),
         "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]),

@@ -0,0 +1,4 @@
+from node:12
+run apt-get -y install apt-utils
+run apt-get -qy install git gcc
+run ["apt-get", "-y", "install", "apt-utils"]
@@ -0,0 +1,4 @@
+from node:12
+run apt-get install python=2.7
+run apt-get install apt-utils
+run ["apt-get", "install", "apt-utils"]