# Protection Mechanism Failure (CWE-693)

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

**Stack:** Docker

- Prevalence: 高 頻繁に悪用される
- Impact: ハイ 1 件の重大度ハイのルール
- Prevention: 文書化済み 8 件の修正例

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

This weakness covers three distinct situations: Missing a protection mechanism, using a faulty protection mechanism, or incorrectly applying a protection mechanism. A missing protection mechanism occurs when the application does not defend against a specific attack. A faulty protection mechanism occurs when the application does defend against a specific attack, but the protection mechanism is not implemented correctly.

## Prevention

1 件の Shoulder 検出ルールに基づく Protection Mechanism Failure の予防策。

### Docker

Add a HEALTHCHECK instruction to enable container health monitoring

## Warning Signs

- [LOW] Dockerfile has no HEALTHCHECK instruction for container health monitoring
- [LOW] Dockerfiles missing HEALTHCHECK instructions for container monitoring

## Consequences

- 保護メカニズムの回避
- 未承認コードの実行
- 権限の取得

## Mitigations

- 多層防御 (defense in depth) を実装する
- 独自実装ではなく、業界標準で検証済みのセキュリティメカニズムを使用する
- 保護メカニズムが回避や無効化されないようにする

## Detection

- Total rules: 8
- Languages: dockerfile, go, javascript, typescript

## Rules by Language

### Dockerfile (1 rules)

- **Missing Healthcheck Configuration** [LOW]: Detects Dockerfiles missing HEALTHCHECK instructions for container monitoring.
  - Remediation: Add a HEALTHCHECK instruction to monitor container health.

```dockerfile
HEALTHCHECK --interval=30s --timeout=10s --retries=3 \
  CMD curl -f http://localhost:8080/health || exit 1
```

Learn more: https://shoulder.dev/learn/docker/cwe-693/missing-healthcheck