Merge pull request #96 from fawdyinc/feat/allow-nproc-docker-stats

jonchun · web-flow · commit 28007d957493 · 2026-03-01T15:39:28.000-08:00
Allow nproc and docker stats
diff --git a/manifest/manifest_test.go b/manifest/manifest_test.go
@@ -20,7 +20,7 @@ func mustLoadEmbedded(t *testing.T) map[string]*Manifest {
 func TestLoadEmbeddedCountAndNameMatch(t *testing.T) {
 	registry := mustLoadEmbedded(t)
 
-	if got, want := len(registry), 178; got != want {
+	if got, want := len(registry), 180; got != want {
 		t.Fatalf("len(registry) = %d, want %d", got, want)
 	}
 
diff --git a/manifest/manifests/docker_stats.yaml b/manifest/manifests/docker_stats.yaml
@@ -0,0 +1,10 @@
+name: docker_stats
+description: Display a live stream of container resource usage statistics
+category: containers
+flags:
+  - flag: "--no-stream"
+  - flag: "--all"
+  - flag: "--format"
+    takes_value: true
+stdin: false
+stdout: true
diff --git a/manifest/manifests/nproc.yaml b/manifest/manifests/nproc.yaml
@@ -0,0 +1,9 @@
+name: nproc
+description: Print the number of processing units available
+category: system
+flags:
+  - flag: "--all"
+  - flag: "--ignore"
+    takes_value: true
+stdin: false
+stdout: true
diff --git a/security_pipeline_test.go b/security_pipeline_test.go
@@ -794,6 +794,7 @@ func TestSubcommandBypass_DockerDangerous(t *testing.T) {
 	mustAccept(t, registry, "docker ps -a")
 	mustAccept(t, registry, "docker logs container_id")
 	mustAccept(t, registry, "docker inspect container_id")
+	mustAccept(t, registry, "docker stats --no-stream container_id")
 }
 
 func TestSubcommandBypass_SystemctlDangerous(t *testing.T) {
diff --git a/validator/attack_vectors_test.go b/validator/attack_vectors_test.go
@@ -621,6 +621,11 @@ func TestSubcommandBypass(t *testing.T) {
 		expectAllow(t, err, "docker inspect is allowed")
 	})
 
+	t.Run("docker_stats_allowed", func(t *testing.T) {
+		err := validateOne(t, "docker", "stats", "--no-stream", "container")
+		expectAllow(t, err, "docker stats is allowed")
+	})
+
 	t.Run("kubectl_get_allowed", func(t *testing.T) {
 		err := validateOne(t, "kubectl", "get", "pods", "-n", "default")
 		expectAllow(t, err, "kubectl get is allowed")
diff --git a/validator/validator_test.go b/validator/validator_test.go
@@ -118,6 +118,10 @@ func TestValidatesSubcommands(t *testing.T) {
 		t.Fatalf("validate docker ps --format: %v", err)
 	}
 
+	if err := validateOne(t, "docker", "stats", "--no-stream"); err != nil {
+		t.Fatalf("validate docker stats --no-stream: %v", err)
+	}
+
 	err := validateOne(t, "docker", "run", "alpine")
 	if err == nil {
 		t.Fatal("expected docker run to be rejected")

Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ func mustLoadEmbedded(t testing.T) map[string]Manifest {`
`20`	`20`	`func TestLoadEmbeddedCountAndNameMatch(t *testing.T) {`
`21`	`21`	`registry := mustLoadEmbedded(t)`
`22`	`22`
`23`		`- if got, want := len(registry), 178; got != want {`
	`23`	`+ if got, want := len(registry), 180; got != want {`
`24`	`24`	`t.Fatalf("len(registry) = %d, want %d", got, want)`
`25`	`25`	`}`
`26`	`26`
Original file line number	Diff line number	Diff line change
`@@ -794,6 +794,7 @@ func TestSubcommandBypass_DockerDangerous(t *testing.T) {`
`794`	`794`	`mustAccept(t, registry, "docker ps -a")`
`795`	`795`	`mustAccept(t, registry, "docker logs container_id")`
`796`	`796`	`mustAccept(t, registry, "docker inspect container_id")`
	`797`	`+ mustAccept(t, registry, "docker stats --no-stream container_id")`
`797`	`798`	`}`
`798`	`799`
`799`	`800`	`func TestSubcommandBypass_SystemctlDangerous(t *testing.T) {`