Back to catalog

Insecure specified in CMD

No violationsstackroxlowbuilddeploy

Alert on deployments using 'insecure' in the command

Rationale
Using insecure in a command implies accessing or providing data from a server on an unencrypted connection.
Remediation
Use a certificate manager and certificate rotation routinely to ensure secure service-to-service communication.
CategoriesSecurity Best Practices
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 9.2
ISO/IEC 27001 2022
A.8.25A.8.9
NIST SP 800-53 rev. 5
CM-2
PCI DSS 4.0
2.2.1

Generated artifacts

1 of 5 targets supported
insecure-specified-in-cmd.rego
# Insecure specified in CMD (trivy)
# severity: low
# source: stackrox/657f4d37-55ab-42f2-bdce-9a4b74a67328
package trivy.insecure_specified_in_cmd

deny[msg] {
  # rule 1
  some inst
  inst := input.Misconfigurations[_].Message
  contains(inst, {"CMD=.*insecure.*"}[_])
  msg := "[low] Insecure specified in CMD: Alert on deployments using 'insecure' in the command"
}
IR (canonical)
{
  "id": "657f4d37-55ab-42f2-bdce-9a4b74a67328",
  "name": "Insecure specified in CMD",
  "description": "Alert on deployments using 'insecure' in the command",
  "rationale": "Using insecure in a command implies accessing or providing data from a server on an unencrypted connection.",
  "remediation": "Use a certificate manager and certificate rotation routinely to ensure secure service-to-service communication.",
  "severity": "low",
  "categories": [
    "Security Best Practices"
  ],
  "lifecycle": [
    "build",
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "dockerfile-line",
    "values": [
      "CMD=.*insecure.*"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "657f4d37-55ab-42f2-bdce-9a4b74a67328",
  "name": "Insecure specified in CMD",
  "description": "Alert on deployments using 'insecure' in the command",
  "rationale": "Using insecure in a command implies accessing or providing data from a server on an unencrypted connection.",
  "remediation": "Use a certificate manager and certificate rotation routinely to ensure secure service-to-service communication.",
  "disabled": false,
  "categories": [
    "Security Best Practices"
  ],
  "lifecycleStages": [
    "BUILD",
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [],
  "scope": [],
  "severity": "LOW_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Dockerfile Line",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "CMD=.*insecure.*"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}