fix: skip images without registry in KSV0125 (#428)

nikpivkin · web-flow · commit 7afea1b738c4 · 2025-05-29T07:45:12.000Z
Signed-off-by: Nikita Pivkin &lt;nikita.pivkin@smartforce.io&gt;
diff --git a/checks/kubernetes/uses_untrusted_registry.rego b/checks/kubernetes/uses_untrusted_registry.rego
@@ -77,17 +77,21 @@ all_trusted_registires := ksv0125.trusted_registries if {
 	count(ksv0125.trusted_registries) > 0
 } else := default_trusted_registries
 
-container_image_from_trusted_registry(container) if {
+container_image_from_untrusted_registry(container) if {
 	image_parts := split(container.image, "/")
 	count(image_parts) > 1
 	registry = image_parts[0]
+	not is_registry_trusted(registry)
+}
+
+is_registry_trusted(registry) if {
 	some trusted in all_trusted_registires
 	endswith(registry, trusted)
 }
 
 deny contains res if {
 	some container in kubernetes.containers
-	not container_image_from_trusted_registry(container)
+	container_image_from_untrusted_registry(container)
 	msg := kubernetes.format(sprintf(
 		"Container %s in %s %s (namespace: %s) uses an image from an untrusted registry.",
 		[container.name, lower(kubernetes.kind), kubernetes.name, kubernetes.namespace],
diff --git a/checks/kubernetes/uses_untrusted_registry_test.rego b/checks/kubernetes/uses_untrusted_registry_test.rego
@@ -14,6 +14,10 @@ test_check_registry[name] if {
 			"image": "foo.io/test:latest",
 			"expected": 1,
 		},
+		"without registry": {
+			"image": "test:latest",
+			"expected": 0,
+		},
 	}
 
 	inp := {
@@ -44,6 +48,10 @@ test_check_registry_custom_registries[name] if {
 			"image": "gcr.io/test:latest",
 			"expected": 1,
 		},
+		"without registry": {
+			"image": "test:latest",
+			"expected": 0,
+		},
 	}
 
 	inp := {
