#yaml

docker-compose

Security checks for docker-compose configuration files.

github-actions

Grayson Hardaway

Security rules for GitHub Actions workflow files

kubernetes

Security checks for kubernetes configuration files.

semgrep-rule-lints

Rules for linting Semgrep rule YAML files for errors or performance problems

Collection of rules preventing semgrep misconfigurations

semgrep

In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding the `allowPrivilegeEscalation` parameter to your the `securityContext`, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.

semgrep

When running containers in Kubernetes, it's important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.

semgrep

When running containers in Kubernetes, it's important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.

semgrep

When running containers in Kubernetes, it's important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.

semgrep

`interfile: true` should be under the `options` field, not the `metadata` field.

semgrep

`interfile: true` should be under the `options` field, not the `metadata` field.

semgrep

We no longer support `deepsemgrep: true`, please use `interfile:true`

semgrep

This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.

semgrep

This Gitlab CI YAML will never run on default branches due to a `changes` rule with `when:never`. To fix this, make sure the triggering event is a push event. You can do this with `if: '$CI_PIPELINE_SOURCE == "push"'`. See https://docs.gitlab.com/ee/ci/yaml/index.html#ruleschanges

semgrep

Insufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.

semgrep

Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a severe security risk.

semgrep

Spring Boot Actuator "$ACTUATOR" is enabled. Depending on the actuator, this can pose a significant security risk. Please double-check if the actuator is needed and properly secured.

semgrep

$VALUE Found a string literal assignment to a production Rails session secret in `secrets.yaml`. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control.

semgrep

Data is being eval'd from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.

semgrep

Exposing host's Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove 'docker.sock' from volumes to prevent this.

semgrep

Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this.

semgrep

Service '$SERVICE' is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability.

semgrep

Service '$SERVICE' is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccomp:unconfined' to prevent this.

semgrep

Service '$SERVICE' is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove 'label:disable' to prevent this.

semgrep

Service '$SERVICE' is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add 'read_only: true' to this service to prevent this.

semgrep

The environment variable `ACTIONS_ALLOW_UNSECURE_COMMANDS` grants this workflow permissions to use the `set-env` and `add-path` commands. There is a vulnerability in these commands that could result in environment variables being modified by an attacker. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. This could result in stolen code or secrets. Don't use `ACTIONS_ALLOW_UNSECURE_COMMANDS`. Instead, use Environment Files. See https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files for more information.

semgrep

Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`'s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".

semgrep

This GitHub Actions workflow file uses `pull_request_target` and checks out code from the incoming pull request. When using `pull_request_target`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.

semgrep

Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".

semgrep

This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.

semgrep

The 'branches' field (in the push event configuration) contains no branches. This causes all branches to be scanned and may result in unneccessary duplicate findings across the entire codebase.

semgrep

When you set a fractional CPU limit on a container, the CPU cycles available will be throttled, even though most nodes can handle processes alternating between using 100% of the CPU.

semgrep

In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privelege escalation attacks.

semgrep

Do not set FLASK_ENV to "development" since that sets `debug=True` in Flask. Use "dev" or a similar term instead.

semgrep

Exposing host's Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove 'docker.sock' from hostpath to prevent this.

semgrep

Pod is sharing the host IPC namespace. This allows container processes to communicate with processes on the host which reduces isolation and bypasses container protection models. Remove the 'hostIPC' key to disable this functionality.

semgrep

Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality.

semgrep

Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the 'hostPID' key to disable this functionality.

semgrep

Container or pod is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability.

semgrep

When running containers in Kubernetes, it's important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.

semgrep

When running containers in Kubernetes, it's important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.

semgrep

Container is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccompProfile: unconfined' to prevent this.

semgrep

Secrets ($VALUE) should not be stored in infrastructure as code files. Use an alternative such as Bitnami Sealed Secrets or KSOPS to encrypt Kubernetes Secrets.

semgrep

Cluster is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecure-skip-tls-verify: true' key to secure communication.

semgrep

Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecureSkipTLSVerify: true' key to secure communication.

semgrep

Container $CONTAINER is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add 'readOnlyRootFilesystem: true' to this container to prevent this.

semgrep

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'bash' instead.

semgrep

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'cpp' instead.

semgrep

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'csharp' instead.

semgrep

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'dockerfile' instead.

semgrep

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'elixir' instead.

semgrep

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'go' instead.

semgrep

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'hcl' instead.

semgrep

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'js' instead.

semgrep

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'kotlin' instead.

semgrep

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'python' instead.

semgrep

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'regex' instead.

semgrep

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'solidity' instead.

semgrep

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'ts' instead.

semgrep

The 'id' field $X was used multiple times. The 'id' field needs to be unique.

semgrep

In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding a `securityContext` to your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.

semgrep

This rule has an empty message field. Consider adding a message field that communicates why this rule is an issue and how to fix it. This will increase the chance that the finding gets addressed.

semgrep

It looks like you have an YAML indentation issue -- instead of writing `$KEY`, put a space between the hyphen and what comes after! Otherwise, it reads as a single string.

semgrep

It looks like you have an additional space in your rule message, this can look awkward in the finding output, please remove the additional whitespace!

semgrep

This Semgrep rule is missing a valid 'category' field in the 'metadata'. 'category' must be one of 'security', 'correctness', 'best-practice', 'performance', 'maintainability', or 'portability'.

semgrep

Semgrep rule confidence: $VALUE detected, but the value must be LOW, MEDIUM, or HIGH. For more information visit: https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/

semgrep

This Semgrep rule is missing a valid 'confidence' field in the 'metadata'. which should be either LOW, MEDIUM, or HIGH. For more information visit https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/

semgrep

$...CWE The cwe tag in rule metadata should always be in the format "CWE-000: Title".

semgrep

Semgrep rule impact: $VALUE detected, but the value must be LOW, MEDIUM, or HIGH. For more information visit: https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/

semgrep

This Semgrep rule is missing a valid 'impact' field in the 'metadata'. which should be either LOW, MEDIUM, or HIGH. For more information visit https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/

semgrep

Semgrep rule likelihood: $VALUE detected, but the value must be LOW, MEDIUM, or HIGH. For more information visit: https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/

semgrep

This Semgrep rule is missing a valid 'likelihood' field in the 'metadata'. which should be either LOW, MEDIUM, or HIGH. For more information visit https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/

semgrep

The `owasp` tag in Semgrep rule metadata should start with the format "A00:YYYY", where A00 is the OWASP top ten number and YYYY is the OWASP top ten year.

semgrep

The references in rule metadata should always be a list, even if there's only one.

semgrep

Semgrep rule likelihood: $VALUE detected, but the value must be vuln, audit, or guardrail. For more information visit: https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/

semgrep

This Semgrep rule is missing a valid 'subcategory' field in the 'metadata'. which should be either audit, vuln, or guardrail. For more information visit https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/

semgrep

This Semgrep rule is missing a 'technology' field in the 'metadata'. Consider adding a list of technologies based on the rule's associated library or framework, or another piece of relevant information.

semgrep

Please include a 'languages' field for your rule $RULEID!

semgrep

This rule does not have a message. Semgrep requires that rules have a message. Include a message to explain what the rule does. Consider writing a message that explains why this is an issue and how to fix it.

semgrep

This rule has a multi-line message field, which may display poorly in a terminal. Consider ensuring it is on one line. For example, use `message: >-`, not `message: |`.

semgrep

Looks like this value is deconstructing a const/var/let you need to use all three `const {...} =` `var {...} =` and `let {...} =` to provide accurate coverage consider adding the missing patterns in a `pattern-inside` for better coverage.

semgrep

Using patterns like `function (...) {...}` is too general it will probably slow down the rule performance.

semgrep

Using patterns like `$X.$Y` may be too general and may slow down the rule performance.

semgrep

Using a single metavariable as a pattern drastically slows down the rule performance because it will match every expression in a file. Instead, try to match something specific such as a function name, or anchor on a statement that may occur above or below the pattern. The more specific you can be, the faster the pattern will run.

semgrep

Using the ellipsis operator `...` at the top of the pattern drastically slows down the rule performance.

semgrep

Unnecessary parent operator. Remove one to fix.

semgrep

You can not use 'pattern' $A and 'pattern-not' $A together; this will always be empty.

semgrep

The parameter `$VALUE` to this WorkflowEventBinding includes hyphens, which will, very confusingly, throw an error when Argo Workflows tries to invoke the workflow. Set the payload value to use underscores instead.

semgrep

Semgrep detected a Kubernetes core API ClusterRole with excessive permissions. Attaching excessive permissions to a ClusterRole associated with the core namespace allows the V1 API to perform arbitrary actions on arbitrary resources attached to the cluster. Prefer explicit allowlists of verbs/resources when configuring the core API namespace.

semgrep

Two identical pattern clauses were detected. This will cause Semgrep to run the same pattern twice. Remove one of the duplicate pattern clauses.

semgrep

It looks like $KEY is not in the default list of expected options, if this is a new key update this rule

trailofbits

Found apt key download with unencrypted URL (e.g. HTTP, FTP, etc.)

trailofbits

Found apt key with SSL verification disabled

trailofbits

Found apt deb with unencrypted URL (e.g. HTTP, FTP, etc.)

trailofbits

Found dnf download with unencrypted URL (e.g. HTTP, FTP, etc.)

trailofbits

Found dnf with SSL verification disabled

trailofbits

Found file download with unencrypted URL (e.g. HTTP, FTP, etc.)

trailofbits

Found file download with SSL verification disabled

trailofbits

Found RPM key download with unencrypted URL (e.g. HTTP, FTP, etc.)

trailofbits

Found RPM key with SSL verification disabled

trailofbits

Found unarchive download with unencrypted URL (e.g. HTTP, FTP, etc.)

trailofbits

Found unarchive download with SSL verification disabled

trailofbits

Found Windows Remote Management connection with certificate validation disabled

trailofbits

Found yum download with unencrypted URL (e.g. HTTP, FTP, etc.)

trailofbits

Found yum with SSL verification disabled

trailofbits

Found Zypper repository with unencrypted URL (e.g. HTTP, FTP, etc.)

trailofbits

Found Zypper package with unencrypted URL (e.g. HTTP, FTP, etc.)

trailofbits

Service port is exposed on all interfaces

semgrep

An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

semgrep

Using input or workflow parameters in here-scripts can lead to command injection or code injection. Convert the parameters to env variables instead.