text
- Finding Category/Rule: Functionality Verification\n  - Errored Code (with Task Name and File Name):\n    [Example Task] in playbook.yml\n    command: echo 'Hello World'\n  - Issue Description: Inappropriate usage of 'command' for a task that only prints a message.\n  - Recommended Solution: Use the 'debug' module for printing messages.\n    Example:\n    - name: Example Task\n      debug:\n        msg: 'Hello World'
"- Finding Category/Rule: Code Readability & Error Handling\n  - Errored Code (with Task Name and File Name):\n    [Check Disk Usage] in disk_check.yml\n    shell: df -h\n  - Issue Description: Usage of 'shell' instead of a native module, and lack of proper error handling.\n  - Recommended Solution: Use the 'ansible.builtin.command' module where possible, and handle errors explicitly: disable the module's default failure on a non-zero return code, then check 'rc' yourself (a read-only check should also set 'changed_when: false').\n    Example:\n    - name: Check Disk Usage\n      command: df -h\n      register: disk_usage\n      changed_when: false\n      failed_when: false\n    - name: Fail if Disk Usage Check Fails\n      fail:\n        msg: 'Disk usage check failed'\n      when: disk_usage.rc != 0"
"- Finding Category/Rule: Secret Management\n  - Errored Code (with Task Name and File Name):\n    [Store Password] in secret_storage.yml\n    command: echo 'password123' > /tmp/password.txt\n  - Issue Description: Sensitive information is stored in plaintext, and 'no_log' is set to 'false', so the secret also appears in task output and logs.\n  - Recommended Solution: Use Ansible Vault to store sensitive information securely and set 'no_log' to 'true' for any sensitive operations.\n    Example:\n    # vault_db_password is defined in a vault-encrypted vars file; dest is an example path\n    - name: Store Password Securely\n      ansible.builtin.copy:\n        content: '{{ vault_db_password }}'\n        dest: /etc/app/db_password\n        mode: '0600'\n      no_log: true"
"- Finding Category/Rule: Privilege Management\n  - Errored Code (with Task Name and File Name):\n    [Run as Root] in security_update.yml\n    become: yes\n  - Issue Description: Elevated privileges are used without justification, violating the principle of least privilege.\n  - Recommended Solution: Only elevate privileges when absolutely necessary. Ensure that permissions are restricted where possible.\n    Example:\n    - name: Update Packages\n      become: yes\n      command: apt-get update\n      when: update_needed | bool"
"- Finding Category/Rule: Resource Protection\n  - Errored Code (with Task Name and File Name):\n    [Check Service Status] in resource_check.yml\n    command: while true; do systemctl is-active apache2; done\n  - Issue Description: Potential infinite loop without exit conditions, which can lead to resource exhaustion.\n  - Recommended Solution: Use a bounded retry mechanism instead of an unbounded loop: register the result and pair 'retries' and 'delay' with an 'until' condition so the loop has an explicit exit.\n    Example:\n    - name: Check Service Status with Retry\n      ansible.builtin.command:\n        cmd: systemctl is-active apache2\n      register: svc_status\n      until: svc_status.rc == 0\n      retries: 5\n      delay: 10\n      changed_when: false"
"- Finding Category/Rule: Module Selection\n  - Errored Code (with Task Name and File Name):\n    [Custom Backup] in backup_playbook.yml\n    command: tar -czvf /tmp/backup.tar.gz /data\n  - Issue Description: Usage of 'command' instead of the appropriate Ansible module for archiving, leading to poor readability and harder maintenance.\n  - Recommended Solution: Use the 'ansible.builtin.archive' module for better readability and compliance.\n    Example:\n    - name: Archive Data\n      ansible.builtin.archive:\n        path: /data\n        dest: /tmp/backup.tar.gz"