Initial setup and configuration for Docker Fluent Bit Collector #1
Conversation
Very cool! 🎉
Left a few notes; also need to review the Cycode notes and ensure the e2e test will pass.
Looks really good!! Nice job! 💪🏼
I only commented on 2 of my previous points; perhaps worth getting an extra opinion from the team on those.
```dockerfile
FROM fluent/fluent-bit:1.9.10 AS fluent-bit

# Copy Fluent Bit binary to the base image
FROM base
```
❗Cycode: Infrastructure configuration issue: 'Specific user should be defined'.
Severity: High
Description
The image will run as root unless a lesser privileged user is defined.
Cycode Remediation Guideline
Ensure that at least one USER instruction is defined before or in any non-'FROM scratch' build stage.
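A small checker for this rule, added here as an example (it is not code from the PR or from Cycode). It parses the build stages of a Dockerfile and reports whether the final stage, the one that becomes the image, will run as root. A USER set in a local base stage is inherited by any stage that starts with FROM that stage, so the check follows the FROM chain rather than looking only at the last stage; an external base image with no USER is assumed to run as root, which is the conservative reading of the finding above. The two Dockerfiles at the bottom are constructed samples modelled on the fragment under review; the checker assumes one instruction per line and image names that do not depend on ARG substitution.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Added example, not code from the PR: checks whether the FINAL build stage of a
# Dockerfile runs as root, following FROM chains through local stages so that a
# USER set in an intermediate stage is credited to stages built on top of it.
# Assumptions: one instruction per line (no backslash continuations) and image
# names that do not depend on ARG substitution.

FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)
USER_RE = re.compile(r"^USER\s+(\S+)", re.IGNORECASE)


@dataclass
class Stage:
    base: str                                  # image or local stage name after FROM
    name: Optional[str]                        # alias given with AS, if any
    users: list = field(default_factory=list)  # USER values in this stage, in order


def parse_stages(dockerfile: str) -> list:
    """Split a Dockerfile into stages, recording each stage's base and USER lines."""
    stages = []
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FROM_RE.match(line)
        if m:
            stages.append(Stage(base=m.group(1), name=m.group(2)))
            continue
        m = USER_RE.match(line)
        if m and stages:
            stages[-1].users.append(m.group(1))
    return stages


def effective_user(stages: list, index: int) -> str:
    """User the stage at `index` runs as.

    The last USER in the stage wins; otherwise the user is inherited from the
    local stage named in FROM. Returns 'scratch' for an empty base and 'root'
    when the chain ends at an external image that set no USER (conservative
    assumption: an unknown base runs as root).
    """
    while True:
        stage = stages[index]
        if stage.users:
            return stage.users[-1]
        if stage.base.lower() == "scratch":
            return "scratch"
        parent = next((i for i, s in enumerate(stages[:index]) if s.name == stage.base), None)
        if parent is None:
            return "root"
        index = parent


def check_final_stage(dockerfile: str) -> dict:
    """Report the runtime user of the final stage and whether that is a finding."""
    stages = parse_stages(dockerfile)
    if not stages:
        return {"user": None, "finding": False}
    user = effective_user(stages, len(stages) - 1)
    runs_as_root = user.split(":")[0].lower() in ("root", "0")
    return {"user": user, "finding": runs_as_root}


# Constructed sample modelled on the fragment under review: no USER anywhere.
VULNERABLE_DOCKERFILE = """\
FROM fluent/fluent-bit:1.9.10 AS fluent-bit
FROM python:3.11-slim AS base
RUN pip install --no-cache-dir requests
# Copy Fluent Bit binary to the base image
FROM base
COPY --from=fluent-bit /fluent-bit/bin/fluent-bit /usr/local/bin/fluent-bit
"""

# Same layout with an unprivileged user created and selected in the base stage;
# the final stage (FROM base) inherits it, so the image no longer runs as root.
HARDENED_DOCKERFILE = """\
FROM fluent/fluent-bit:1.9.10 AS fluent-bit
FROM python:3.11-slim AS base
RUN pip install --no-cache-dir requests
RUN useradd --system --uid 1000 --no-create-home collector
USER collector
# Copy Fluent Bit binary to the base image
FROM base
COPY --from=fluent-bit /fluent-bit/bin/fluent-bit /usr/local/bin/fluent-bit
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label, check_final_stage(text))
```

Only the final stage's effective user matters at runtime, which is why the unused `fluent-bit` stage is ignored and why placing the USER instruction in `base` is enough for `FROM base` to pick it up.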
```python
import os

def save_config_file(config_content, filename):
    os.makedirs(os.path.dirname(filename), exist_ok=True)
    with open(filename, 'w') as file:
        file.write(config_content)  # body cut off in the review excerpt; completed from the signature
```
❗Cycode: SAST violation: 'Unsanitized dynamic input in file path'.
Severity: High
Description
Using unsanitized dynamic input to determine file paths can allow attackers to gain access to files and folders outside of the intended scope. This vulnerability occurs when input provided by users is directly used to access the filesystem without proper validation or sanitization.
Cycode Remediation Guideline
✅ Do
- Do sanitize external input used in file paths. Use `os.path.normpath` to normalize paths and remove any redundant separators in order to prevent path traversal attacks:
  ```python
  os.path.normpath(os.path.join(base_directory, user_input))
  ```
- Do use absolute path checks to confirm that the constructed path is within the expected directory:
  ```python
  base = os.path.abspath(base_directory)
  user_path = os.path.abspath(os.path.join(base_directory, user_input))
  if user_path.startswith(base):
      ...  # path is inside the expected directory
  else:
      ...  # handle or reject the input
  ```
❌ Don't
- Do not directly use external input to construct file paths. This can lead to unauthorized file access.
Tell us how you wish to proceed using one of the following commands:

| Tag | Short Description |
|---|---|
| #cycode_sast_ignore_here | Ignore this violation — applies to this violation only |
| #cycode_sast_false_positive | Mark as false positive — applies to this violation only |
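A hardened counterpart to the `save_config_file()` excerpt under review, added here as an example; it is not code from the PR or from Cycode. The caller names the directory the file must stay inside, the requested file name is resolved against that directory, and anything that lands elsewhere is rejected before the directory is created or the file opened. The names `resolve_within`, `save_config_file_safe` and `UnsafePathError` are this example's own, and `demo()` runs the guard in a throwaway temporary directory with constructed inputs.

```python
import os
import tempfile

# Added example, not code from the PR: a confined version of save_config_file().
# The directory the file must stay inside is an explicit argument; the requested
# name is resolved against it and rejected if it resolves anywhere else.


class UnsafePathError(ValueError):
    """Raised when a requested file name would leave the allowed directory."""


def resolve_within(base_directory: str, user_input: str) -> str:
    """Return the absolute, symlink-resolved path for user_input inside base_directory.

    realpath() collapses '..' segments and follows symlinks on both sides, and
    commonpath() is used instead of startswith() so that a sibling directory
    such as '/srv/conf-other' is not mistaken for a child of '/srv/conf'.
    """
    base = os.path.realpath(base_directory)
    candidate = os.path.realpath(os.path.join(base, user_input))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError(f"{user_input!r} resolves outside {base}")
    return candidate


def save_config_file_safe(config_content: str, base_directory: str, filename: str) -> str:
    """Write config_content to filename, confined to base_directory; returns the path written."""
    path = resolve_within(base_directory, filename)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(config_content)
    return path


def demo() -> dict:
    """Exercise the guard in a throwaway directory and report what it accepted and rejected."""
    base = tempfile.mkdtemp(prefix="collector-conf-")
    written = save_config_file_safe("[SERVICE]\n    Flush 1\n", base, "fluent-bit/fluent-bit.conf")
    # Constructed inputs the guard must reject: parent traversal, an absolute
    # path, and traversal hidden behind a valid-looking subdirectory.
    rejected = []
    for attempt in ("../../outside.conf", "/etc/hosts", "sub/../../outside.conf"):
        try:
            save_config_file_safe("", base, attempt)
        except UnsafePathError:
            rejected.append(attempt)
    with open(written) as fh:
        content = fh.read()
    real_base = os.path.realpath(base)
    return {
        "inside_base": os.path.commonpath([real_base, written]) == real_base,
        "content": content,
        "rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The guard resolves the path before `os.makedirs`, so a rejected name never creates directories outside the base either; a `..` that stays inside the base (for example `sub/../app.conf`) is still accepted, because the check is on where the path ends up, not on its spelling.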
Yalla 🍻
Overview

This pull request establishes the foundational setup for the Docker Fluent Bit Collector project, which integrates log collection with Logz.io using Fluent Bit. This initial commit includes the core components, configuration files, and Docker setup necessary to begin collecting and shipping logs from Docker containers.