apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: dockerfile-disallow-apt
  labels:
    dockerfile.tags.kyverno.io: 'dockerfile'
  annotations:
    title.policy.kyverno.io: Ensure apt is not used in Dockerfile
    description.policy.kyverno.io: This Policy ensures that apt isnt used but apt-get can be used as apt interface is less stable than apt-get and so this preferred.
spec:
  rules:
    - name: dockerfile-disallow-apt
      assert:
        any:
        - message: "apt not allowed"
          check:
            ~.(Stages[].Commands[].CmdLine[]):
              (contains(@, 'apt ')) : false