SecurityPluginBundle.properties

inspection-message-template=<html><body><a href="https://protsenko.dev/infrastructure-security/{0}/?ref=plugin">[Documentation]</a> {1}</body></html>
# Common
common.group-key=Security and Best practices
common.docker-group-key=Docker
common.docker-compose-group-key=Docker compose
common.kubernetes-group-key=Kubernetes
common.notification-group=Cloud (IaC) Security
# Localization
### ds001 -> dfs001
dfs001.lookup-for-digest=Look up and replace with digest
dfs001.documentation=missing-or-latest-version-tag
dfs001.latest-tag=':latest' tag used\nWhen using image you should use a specific tag to avoid uncontrolled behavior when the image is updated.
dfs001.missing-version-tag=Missing version tag\nWhen using image you should use a specific tag to avoid uncontrolled behavior when the image is updated.
### ds002 -> dfs002
dfs002.add-nobody-user=Add nobody user
dfs002.replace-root-with-nobody=Replace a user with nobody
dfs002.documentation=avoid-default-root-dynamic-user
dfs002.root-user-is-used=Image user should not be 'root'\nRunning containers with 'root' user can lead to a container escape situation.
dfs002.missing-user=User should be declared, often by default it is root\nRunning containers with 'root' user can lead to a container escape situation.
dfs002.arg-in-user=User should be static. Dynamic user assignment can be overridden to root, risking container escape.
### ds011 -> dfs003
dfs003.remove-duplicated-alias=Remove duplicated alias
dfs003.documentation=duplicate-aliases-in-froms
dfs003.no-duplicate-alias=Duplicate aliases defined in different FROMs\nDifferent FROMs can't have the same alias defined.
### ds015 -> dfs004
dfs004.remove-redundant-instruction=Remove redundant instruction
dsf004.documentation=multiple-cmd-entrypoint-instructions
dfs004.only-one-cmd-or-entrypoint=Multiple CMD or ENTRYPOINT instructions listed\nThere can only be one CMD and ENTRYPOINT instruction in a Dockerfile. If you list more than one instruction then only the last one will take effect.
### ds031 -> dfs005
dfs005.replace-with-json-notation=Replace with JSON notation
dfs005.documentation=json-notation-cmd-entrypoint
dfs005.use-json-notation=Use JSON notation for CMD and ENTRYPOINT arguments to ensure proper parsing and avoid unexpected behavior.
### ds005 -> dfs006
dfs006.remove-referring=Remove referring to current the current image
dfs006.documentation=self-referencing-copy-from
dfs006.copy-referring-to-the-current-image=COPY '--from' referring to the current image\nCOPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself.
### ds004 -> dfs007
dfs007.replace-add-with-copy=Replace ADD with COPY
dfs007.documentation=add-instead-of-copy
dfs007.add-instead-copy=ADD instead of COPY\nYou should use COPY instead of ADD unless you want to extract a tar file.
### ds010 -> dfs008
dfs008.documentation=copy-multiple-arguments-slash
dfs008.use-slash-for-copy-args=COPY with more than two arguments not ending with slash\nWhen a COPY command has more than two arguments, the last one should end with a slash.
### ds026 -> dfs009
dfs009.remove-env-with-secret=Remove ENV with secret
dfs009.documentation=possible-secrets-in-env
dfs009.possible-secrets-in-env=Potential secret in ENV key found: {0}
### ds007 -> dfs010
dfs010.remove-broken-port=Remove wrong port
dfs010.documentation=exposed-port-out-of-range
dfs010.port-out-of-range=Exposed port {0} out of range\nUNIX ports outside the range 0-65535 are exposed.
### ds003 -> dfs011
dfs011.remove-dangerous-port-exposed=Remove dangerous port exposed
dfs011.documentation=port-22-exposed
dfs011.ssh-port-exposed=Port 22 exposed\nExposing port 22 might allow users to SSH into the container.
### ds021 -> dfs012
dfs012.remove-redundant-healthcheck=Remove redundant HEALTHCHECK
dfs012.documentation=multiple-healthcheck-defined
dfs012.only-one-healthcheck=Multiple HEALTHCHECK defined\nProviding more than one HEALTHCHECK instruction per stage is confusing and error-prone.
### ds020 -> dfs013
dfs013.replace-maintainer=Replace MAINTAINER with LABEL
dfs013.documentation=deprecated-maintainer-used
dfs013.no-maintainer=Deprecated MAINTAINER used\nMAINTAINER has been deprecated since Docker 1.13.0.
### ds030 -> dfs014
dfs014.documentation=no-install-recommends
dfs014.use-no-install-recommends=Use --no-install-recommends with apt-get to avoid installing unnecessary packages and reduce image size.
### ds032 -> dfs015
dfs015.documentation=avoid-using-apt
dfs015.apt-is-used=Do not use apt as it is meant to be an end-user tool, use apt-get or apt-cache instead.
### ds028 -> dfs016
dfs016.documentation=arg-variables-overridden
dfs016.avoid-arg-in-run=Using ARG variables in RUN commands can be overridden by users, leading to unintended behaviors or security risks.
### ds027 -> dfs017
dfs017.documentation=curl-bashing-detected
dfs017.avoid-curl-bashing=Curl bashing detected\nAvoid using curl or wget with pipe (|) or redirection (>) to directly execute scripts from untrusted sources.
### ds022 -> dfs018
dfs018.documentation=no-dist-upgrade
dfs018.no-dist-upgrade=Package manager `dist-upgrade` used\nPackage manager `dist-upgrade` upgrades a major version so it doesn't make more sense in Dockerfile.
### ds017 -> dfs019
dfs019.documentation=purge-dnf-package-cache
dfs019.purge-dnf-package-cache='dnf clean all' missing\nCached package data should be cleaned after installation to reduce image size.
### ds019 -> dfs020
dfs020.documentation=use-package-manager-auto-confirm
dfs020.use-package-manager-auto-confirm=Package manager with missing '-y' to avoid manual input\nPackage manager calls should use the flag '-y' to avoid manual user input.
### ds016 -> dfs021
dfs021.documentation=update-and-install-single-run
dfs021.no-orphan-package-update='RUN <package-manager> update' instruction alone\nThe instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
### ds009 -> dfs022
dfs022.documentation=run-using-sudo
dfs022.run-using-sudo=RUN using 'sudo'\nAvoid using 'RUN' with 'sudo' commands, as it can lead to unpredictable behavior.
### ds012 -> dfs023
dfs023.documentation=use-workdir-over-cd
dfs023.use-workdir-over-cd='RUN cd ...' to change directory\nUse WORKDIR instead of instructions like 'RUN cd ...', which are hard to read, troubleshoot, and maintain.
### ds013 -> dfs024
dfs024.documentation=purge-yum-package-cache
dfs024.purge-yum-package-cache='yum clean all' missing\nYou should use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size.
### ds018 -> dfs025
dfs025.documentation=purge-zipper-cache
dfs025.purge-zipper-cache='zypper clean' missing\nThe layer and image size should be reduced by deleting unneeded caches after running zypper.
### ds013 -> dfs026
dfs026.documentation=standardise-remote-get
dfs026.standardise-remote-get=RUN using 'wget' and 'curl'\nAvoid using both 'wget' and 'curl' since these tools have the same effect.
### ds008 -> dfs027
dfs027.documentation=workdir-path-not-absolute
dfs027.workdir-path-not-absolute=WORKDIR path not absolute\nFor clarity and reliability, you should always use absolute paths for your WORKDIR.
### ds034 -> dfs028
dfs028.documentation=multiple-consecutive-run-commands
dfs028.multiple-consecutive-run-commands=Multiple consecutive 'RUN' instructions. Consider consolidation.
### ds035 -> dfs029
dfs029.documentation=useradd-missing-l-flag-high-uid
dfs029.useradd-missing-l-flag-high-uid='useradd' without the '-l' flag and a high UID may lead to an excessively large image.
### dfs030
dfs030.documentation=simplify-your-apk-cache-clean-strategy
dfs030.problem-text=Alpine package installation without --no-cache, consider using it to reduce image size.
### dfs031
dfs031.documentation=using-pip-install-without-no-cache-dir
dfs031.problem-text=The pip package installations without --no-cache-dir, consider using it to reduce image size.
### dfs032
dfs032.documentation=avoid-wget-without-progress-or-quiet
dfs032.problem-text=Avoid using wget without a progress/quiet option. Use --progress=dot:giga or consider -q/-nv (--quiet/--no-verbose).

### dcs001 [only docker-compose]
ds033.using-privileged=Using privileged: true grants full root access to the host, bypassing isolation mechanisms.

### kube001
kube001.documentation=non-root-containers
kube001.problem-text=Container runs as root or can gain root privileges.
kube001.qf.fix-run-as-non-root=Set 'runAsNonRoot' to 'true'
kube001.qf.fix-run-as-user-or-group=Set 'runAsRoot/runAsGroup' to '1000'

### kube002
kube002.documentation=insecure-capabilities
kube002.problem-text=Container requests insecure Linux capabilities. Left only necessary.

### kube003
kube003.documentation=host-network-pid-ipc
kube003.problem-text=Sharing the host namespace could lead to security issues.
kube003.qf.fix-value=Set {0} to 'false'

### kube004
kube004.documentation=privileged-containers
kube004.problem-text=Using privileged containers could lead to privilege escalation.
kube004.qf.fix-value=Set value to 'false'

### kube005
kube005.documentation=host-path-volumes
kube005.problem-text=Using hostPath volumes is insecure as it gives access to the node's real file system. Consider removing it.

### kube006
kube006.documentation=hostPort-opens-the-nodes-port
kube006.problem-text=HostPort opens the node's port. Remove hostPort definition and/or use Service/Ingress instead.

### kube007
kube007.documentation=apparmor-disabled-or-override
kube007.problem-text=AppArmor profile disabled or overridden - container loses kernel protection. Use RuntimeDefault or remove a profile type.
kube007.qf.fix-value=Set the value to 'RuntimeDefault'

### kube008
kube008.documentation=setting-selinux-is-restricted
kube008.problem-text=Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden.
kube008.qf.fix-value=Set blank value

### kube009
kube009.documentation=insecure-proc-mount
kube009.problem-text=Any procMount value other than 'Default' exposes sensitive kernel interfaces and host-level data to the container.
kube009.qf.fix-value=Set the value to 'Default'

# kube010
kube010.documentation=insecure-seccomp-profile
kube010.problem-text=Seccomp profile set to 'Unconfined' disables syscall filtering and exposes the container to kernel-level attacks.
kube010.qf.fix-value=Set the type to 'RuntimeDefault'

## kube011
kube011.documentation=insecure-sysctls
kube011.problem-text=Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed "safe" subset.

## kube012
kube012.documentation=disallowed-volume-type
kube012.problem-text=This volume type may expose the node or bypass pod isolation. Use Kubernetes data volumes (ConfigMap/Secret/DownwardAPI/Projected) or storage via PVC/CSI instead.

# Not implemented
ds029.missing-healthcheck=Missing HEALTHCHECK instruction
ds023.multiple-exposed-port=Port {0} exposed more than one time.
ds024.wrong-port-definition=Port {0} is incorrect.