Welcome to the documentation site for the IntelliJ IDEA Cloud (IaC) Security (source code) plugin. The plugin detects Docker and Kubernetes security misconfigurations. It is not limited to security misconfigurations: it also covers other maintainability problems, including trivy and most of the hadolint rules, written in pure Kotlin and utilizing JetBrains IDE features.
Work on the plugin started almost one year ago, and with constant improvement I have added many rules to provide more IDEA security features. If you are interested in my journey into security plugin development, you can read my story, IntelliJ Plugin: Building Docker Security Analysis Tools.
On this page you can find information about the plugin's inspections and the Docker and Kubernetes (Security) Best Practices behind them:
- Dockerfile Security: Avoid Default, Root, or Dynamic User
- Dockerfile Security: Avoid Exposing Port 22
- Dockerfile Security: Avoid Exposing Ports Outside Allowed Range
- Dockerfile Security: Avoid Missing or ‘latest’ Version Tags
- Dockerfile Security: Avoid Piping Curl Into Bash
- Dockerfile Security: Avoid Potential Secrets in ENV Keys
- Dockerfile Security: Avoid Using ARG Vars in RUN Commands
- Dockerfile: Avoid Deprecated MAINTAINER Instruction
- Dockerfile: Avoid Duplicate Aliases in FROM Instructions
- Dockerfile: Avoid Multiple CMD or ENTRYPOINT Instructions
- Dockerfile: Avoid Multiple HEALTHCHECK Instructions
- Dockerfile: Avoid Self-Referencing COPY --from Instructions
- Dockerfile: Avoid Using ‘dist-upgrade’ in Package Management
- Dockerfile: Avoid Using RUN with sudo
- Dockerfile: Avoid wget Without Progress or Quiet Mode
- Dockerfile: Clean DNF Package Cache to Reduce Image Size
- Dockerfile: Clean YUM Package Cache to Reduce Image Size
- Dockerfile: Clean Zypper Cache to Reduce Image Size
- Dockerfile: Combine Update and Install in One RUN Instruction
- Dockerfile: Consolidate Multiple RUN Instructions
- Dockerfile: Simplify Your APK Cache Clean Strategy
- Dockerfile: Standardise Remote GET Tools
- Dockerfile: Trailing Slash for COPY with Multiple Arguments
- Dockerfile: Use --no-install-recommends with apt-get
- Dockerfile: Use ‘-l’ Flag with useradd to Prevent High UID Issues
- Dockerfile: Use Absolute Paths for WORKDIR
- Dockerfile: Use apt-get or apt-cache Instead of apt
- Dockerfile: Use JSON Notation for CMD and ENTRYPOINT
- Dockerfile: Use Package Manager Auto-Confirm Flag ‘-y’
- Dockerfile: Use pip --no-cache-dir to Reduce Image Size
- Dockerfile: Use WORKDIR Instead of ‘RUN cd …’
- Dockerfile: Why You Should Use COPY Instead of ADD
- Kubernetes Security: hostPort opens the node’s port
- Kubernetes Security: Insecure securityContext Capabilities
- Kubernetes Security: Override AppArmor Profile is a Bad Idea
- Kubernetes Security: Restricting Volume Types
- Kubernetes Security: Sharing the host namespace
- Kubernetes Security: Unconfined seccomp profile
- Kubernetes Security: Using hostPath volumes
- Kubernetes Security: Using insecure sysctls
- Kubernetes Security: Using non-default procMount
- Kubernetes Security: Using non-root containers
- Kubernetes Security: Using privileged containers
- Kubernetes Security: Why Overriding SELinux Is Dangerous