#yaml

docker-compose

r2c

Security checks for docker-compose configuration files.

github-actions

Grayson Hardaway

Security rules for GitHub Actions workflow files

kubernetes

r2c

Security checks for kubernetes configuration files.

semgrep-rule-lints

r2c

Rules for linting Semgrep rule YAML files for errors or performance problems

r2c

Collection of rules preventing semgrep misconfigurations

you use multiple times the same pattern

you use multiple times the same id

You have an empty message

Please include a language field for your rule!

You can not use $A and not $A together; this will always be empty

Include a message to explain what the rule does

Unnecessary parent operator. Remove one to fix.

The cwe tag in rule metadata should always be in the format "CWE-000: Title".

The owasp tag in rule metadata should always be in the format "A0: Title".

The references in rule metadata should always be a list, even if there's only one.

When you set a fractional CPU limit on a container, the CPU cycles available will be throttled, even though most nodes can handle processes alternating between using 100% of the CPU.

returntocorp

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'bash' instead.

returntocorp

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'csharp' instead.

returntocorp

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'elixir' instead.

returntocorp

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'go' instead.

returntocorp

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'python' instead.

returntocorp

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'regex' instead.

returntocorp

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'solidity' instead.

returntocorp

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'dockerfile' instead.

returntocorp

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'hcl' instead.

returntocorp

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'js' instead.

returntocorp

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'kotlin' instead.

returntocorp

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'ts' instead.

returntocorp

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'cpp' instead.

returntocorp

This Gitlab CI YAML will never run on default branches due to a `changes` rule with `when:never`. To fix this, make sure the triggering event is a push event. You can do this with `if: '$CI_PIPELINE_SOURCE == "push"'`. See https://docs.gitlab.com/ee/ci/yaml/index.html#ruleschanges

returntocorp

When you set a fractional CPU limit on a container, the CPU cycles available will be throttled, even though most nodes can handle processes alternating between using 100% of the CPU.

returntocorp

Two identical pattern clauses were detected. This will cause Semgrep to run the same pattern twice. Remove one of the duplicate pattern clauses.

returntocorp

This rule has an empty message field. Consider adding a message field that communicates why this rule is an issue and how to fix it. This will increase the chance that the finding gets addressed.

returntocorp

This Semgrep rule is missing a valid 'category' field in the 'metadata'. 'category' must be one of 'security', 'correctness', 'best-practice', 'performance', 'maintainability', or 'portability'.

returntocorp

$...CWE The cwe tag in rule metadata should always be in the format "CWE-000: Title".

returntocorp

The `owasp` tag in Semgrep rule metadata should start with the format "A00:YYYY", where A00 is the OWASP top ten number and YYYY is the OWASP top ten year.

returntocorp

The references in rule metadata should always be a list, even if there's only one.

returntocorp

This Semgrep rule is missing a 'technology' field in the 'metadata'. Consider adding a list of technologies based on the rule's associated library or framework, or another piece of relevant information.

returntocorp

This rule has a multi-line message field, which may display poorly in a terminal. Consider ensuring it is on one line. For example, use `message: >-`, not `message: |`.

returntocorp

Using the ellipsis operator `...` at the top of the pattern drastically slows down the rule performance.

returntocorp

Unnecessary parent operator. Remove one to fix.

returntocorp

You can not use 'pattern' $A and 'pattern-not' $A together; this will always be empty.

returntocorp

The 'id' field $X was used multiple times. The 'id' field needs to be unique.

returntocorp

This rule does not have a message. Semgrep requires that rules have a message. Include a message to explain what the rule does. Consider writing a message that explains why this is an issue and how to fix it.

returntocorp

Please include a 'languages' field for your rule $RULEID!

returntocorp

Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a severe security risk.

returntocorp

Spring Boot Actuator "$ACTUATOR" is enabled. Depending on the actuator, this can pose a significant security risk. Please double-check if the actuator is needed and properly secured.

returntocorp

$VALUE Found a string literal assignment to a production Rails session secret in `secrets.yaml`. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control.

returntocorp

Pod is sharing the host IPC namespace. This allows container processes to communicate with processes on the host which reduces isolation and bypasses container protection models. Remove the 'hostIPC' key to disable this functionality.

returntocorp

Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality.

returntocorp

Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the 'hostPID' key to disable this functionality.

returntocorp

Exposing host's Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove 'docker.sock' from volumes to prevent this.

returntocorp

Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this.

returntocorp

Service '$SERVICE' is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability.

returntocorp

Service '$SERVICE' is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccomp:unconfined' to prevent this.

returntocorp

Service '$SERVICE' is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove 'label:disable' to prevent this.

returntocorp

Service '$SERVICE' is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add 'read_only: true' to this service to prevent this.

returntocorp

Data is being eval'd from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.

returntocorp

Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`'s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".

returntocorp

This GitHub Actions workflow file uses `pull_request_target` and checks out code from the incoming pull request. When using `pull_request_target`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.

returntocorp

Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".

returntocorp

Container $CONTAINER allows for privilege escalation via setuid or setgid binaries. Add 'allowPrivilegeEscalation: false' in 'securityContext' to prevent this.

returntocorp

Exposing host's Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove 'docker.sock' from hostpath to prevent this.

returntocorp

Container or pod is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability.

returntocorp

Container is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccompProfile: unconfined' to prevent this.

returntocorp

Secrets ($VALUE) should not be stored in infrastructure as code files. Use an alternative such as Bitnami Sealed Secrets or KSOPS to encrypt Kubernetes Secrets.

returntocorp

Cluster is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecure-skip-tls-verify: true' key to secure communication.

returntocorp

Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecureSkipTLSVerify: true' key to secure communication.

returntocorp

Container $CONTAINER is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add 'readOnlyRootFilesystem: true' to this container to prevent this.

returntocorp

This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.

returntocorp

Semgrep rule confidence: $VALUE detected, but the value must be LOW, MEDIUM, or HIGH. For more information visit: https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/

returntocorp

This Semgrep rule is missing a valid 'confidence' field in the 'metadata'. which should be either LOW, MEDIUM, or HIGH. For more information visit https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/

returntocorp

Semgrep rule impact: $VALUE detected, but the value must be LOW, MEDIUM, or HIGH. For more information visit: https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/

returntocorp

Using input or workflow parameters in here-scripts can lead to command injection or code injection. Convert the parameters to env variables instead.

returntocorp

Using a single metavariable as a pattern drastically slows down the rule performance because it will match every expression in a file. Instead, try to match something specific such as a function name, or anchor on a statement that may occur above or below the pattern. The more specific you can be, the faster the pattern will run.

returntocorp

This Semgrep rule is missing a valid 'impact' field in the 'metadata'. which should be either LOW, MEDIUM, or HIGH. For more information visit https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/

returntocorp

Semgrep rule likelihood: $VALUE detected, but the value must be LOW, MEDIUM, or HIGH. For more information visit: https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/

returntocorp

This Semgrep rule is missing a valid 'likelihood' field in the 'metadata'. which should be either LOW, MEDIUM, or HIGH. For more information visit https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/

returntocorp

Semgrep rule likelihood: $VALUE detected, but the value must be vuln, audit, or guardrail. For more information visit: https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/

returntocorp

This Semgrep rule is missing a valid 'subcategory' field in the 'metadata'. which should be either audit, vuln, or guardrail. For more information visit https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/

returntocorp

The environment variable `ACTIONS_ALLOW_UNSECURE_COMMANDS` grants this workflow permissions to use the `set-env` and `add-path` commands. There is a vulnerability in these commands that could result in environment variables being modified by an attacker. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. This could result in stolen code or secrets. Don't use `ACTIONS_ALLOW_UNSECURE_COMMANDS`. Instead, use Environment Files. See https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files for more information.

returntocorp

This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.

returntocorp

Do not set FLASK_ENV to "development" since that sets `debug=True` in Flask. Use "dev" or a similar term instead.

returntocorp

Using patterns like `function (...) {...}` is too general it will probably slow down the rule performance.

returntocorp

Using patterns like `$X.$Y` may be too general and may slow down the rule performance.

returntocorp

The 'branches' field (in the push event configuration) contains no branches. This causes all branches to be scanned and may result in unneccessary duplicate findings across the entire codebase.

returntocorp

Container allows for running applications as root. This can result in privilege escalation attacks. Change 'runAsNonRoot:' to 'true' in 'securityContext' to prevent this.

returntocorp

Container allows for running applications as root. This can result in privilege escalation attacks. Add 'runAsNonRoot: true' in 'securityContext' to prevent this.

returntocorp

We no longer support `deepsemgrep: true`, please use `interfile:true`