# Detection Rules - Shoulder

Browse 347 security detection rules across 7 languages.

- Total rules: 347
- CWE coverage: 94
- Languages: javascript, typescript, python, dockerfile, go, yaml, kubernetes

## Rules

### Docker Secrets and Security Best Practices

- ID: docker-secrets-security
- Severity: CRITICAL
- CWE: Hardcoded Credentials (CWE-798)
- Languages: Dockerfile

Detects hardcoded secrets in ENV/ARG instructions and piping curl/wget output to a shell.

### Container runs as root

- ID: docker-missing-user
- Severity: HIGH
- CWE: CWE-250
- Languages: Dockerfile

Detects CMD or ENTRYPOINT without a preceding USER instruction. The container will run as root, which is a security risk.

### Docker User and File Permissions

- ID: docker-user-permissions
- Severity: HIGH
- CWE: CWE-250
- Languages: Dockerfile

Detects an explicit root user and overly permissive chmod 777 permissions.

### Docker Base Image Security

- ID: docker-base-image-security
- Severity: MEDIUM
- CWE: CWE-1104
- Languages: Dockerfile

Detects base images using the "latest" tag or missing a version tag.

### Multiple ENTRYPOINT Instructions

- ID: docker-multiple-entrypoint
- Severity: MEDIUM
- Languages: Dockerfile

Detects multiple ENTRYPOINT instructions, of which only the last one takes effect.

### Dockerfile Uses Outdated Node.js Version

- ID: docker-outdated-node-version
- Severity: MEDIUM
- CWE: CWE-1104
- Languages: Dockerfile

Detects Dockerfiles using outdated or end-of-life Node.js versions.

### Node.js Version Mismatch Between Configuration Files

- ID: nodejs-version-mismatch
- Severity: MEDIUM
- CWE: CWE-1104
- Languages: JavaScript, Dockerfile

Detects inconsistent Node.js versions across project configuration files.
When .nvmrc specifies one Node.js version but the Dockerfile uses a different one, the result is environment drift:

- "Works on my machine" bugs (code works locally but fails in production)
- Security inconsistencies (development may use a patched version while production uses a vulnerable one)
- Dependency incompatibilities (npm packages may behave differently)
- Debugging difficulties (production issues are hard to reproduce locally)

This rule detects mismatches between:

- .nvmrc and Dockerfile
- .nvmrc and package.json engines
- .tool-versions and Dockerfile

NOTE: Detection is handled by internal/frameworks/nodejs/detector.go. The actual recommended version comes from the docker-image-outdated finding, which uses the Docker image API for real-time version data.

### Docker apt-get Missing Cache Cleanup

- ID: docker-apt-missing-cache-cleanup
- Severity: LOW
- CWE: CWE-1395
- Languages: Dockerfile

Detects apt-get commands without cache cleanup in the same RUN layer.

### Docker apt-get Missing --no-install-recommends

- ID: docker-apt-missing-no-install-recommends
- Severity: LOW
- CWE: CWE-1395
- Languages: Dockerfile

Detects apt-get install commands without the --no-install-recommends flag.

### Docker apt-get Missing -y Flag

- ID: docker-apt-missing-y-flag
- Severity: LOW
- CWE: CWE-1395
- Languages: Dockerfile

Detects apt-get install commands without the -y flag for non-interactive builds.

### Docker Build Optimization and Best Practices

- ID: docker-build-optimization
- Severity: LOW
- Languages: Dockerfile

Detects build optimization issues such as relative WORKDIR paths.

### Docker Compose Obsolete Version Field

- ID: docker-compose-obsolete-version
- Severity: LOW
- Languages: Dockerfile

Detects Docker Compose files using the obsolete 'version' field.

### Docker File Operations Best Practices

- ID: docker-file-operations
- Severity: LOW
- Languages: Dockerfile

Detects ADD usage instead of COPY and copying of the entire build context.
### Missing Healthcheck Configuration

- ID: docker-missing-healthcheck
- Severity: LOW
- CWE: Protection Mechanism Failure (CWE-693)
- Languages: Dockerfile

Detects Dockerfiles missing HEALTHCHECK instructions for container monitoring.

### Use npm ci for Reproducible Builds

- ID: docker-nodejs-npm-ci
- Severity: LOW
- CWE: CWE-1104
- Languages: Dockerfile

Detects Dockerfiles using `npm install` instead of `npm ci` for production builds.

### Invalid Port Number in EXPOSE

- ID: docker-invalid-port
- Severity: ERROR
- Languages: Dockerfile

Detects invalid port numbers in EXPOSE instructions (valid range: 0-65535).

---

Showing 16 of 16 rules (page 1/1)