Static Analysis Rules

Overview

Datadog Static Analysis provides out-of-the-box rules to help detect violations in your CI/CD pipelines in code reviews and identify bugs, security, and maintainability issues. For more information, see the Static Analysis documentation.

Docker rules

Follow best practices with using Docker

Ruleset ID: docker-best-practices

Best practices for using Docker.

use absolute workdirABSOLUTE-WORKDIR from aliases must be uniqueALIAS-MUST-BE-UNIQUE always use -y with apt-get installAPT-GET-YES always pin versions in apt-get installAPT-PIN-VERSION do not give wide permissions on filesAVOID-CHMOD-777 avoid commands not made for containersAVOID-COMMANDS-NOT-RELEVANT avoid fetching data from http endpointAVOID-HTTP always use -y with dnf installDNF-USE-Y do not expose sensitive portsEXPOSE-ADMIN-PORTS expose a valid unix port numberEXPOSE-VALID-PORT do not use the digest to pull an imageIMAGE-AVOID-DIGEST the maintainer entry is deprecatedMAINTAINER-DEPRECATED do not use multiple cmdMULTIPLE-CMD do not use multiple cmdMULTIPLE-ENTRYPOINT do not use multiple healthcheckMULTIPLE-HEALTHCHECK last user should not be rootNO-ROOT-USER do not use cache when installing packagesPIP-NO-CACHE always pin versions with pipPIP-PIN-VERSIONS always tag the version of an imageTAG-IMAGE-VERSION always use -y with yum installYUM-USE-Y always use -y with zypper installZYPPER-USE-Y

JavaScript rules

Follow best practices for writing JavaScript code

Ruleset ID: javascript-best-practices

Rules to enforce JavaScript best practices.

check for loop is moving in the right directionFOR-DIRECTION invoking a constructor must use parenthesesNEW-PARENS avoid the use of alert, confirm, and promptNO-ALERT promise executor cannot be an async functionNO-ASYNC-PROMISE-EXECUTOR avoid the use of arguments.caller or arguments.calleeNO-CALLER avoid lexical declarations in case clausesNO-CASE-DECLARATIONS direct comparison with -0 detectedNO-COMPARE-NEG-ZERO avoid assignment operators in conditional expressionsNO-COND-ASSIGN avoid leaving console debug statementsNO-CONSOLE disallow the use of debuggerNO-DEBUGGER avoid using delete on variables directlyNO-DELETE-VAR function parameters redeclaredNO-DUPE-ARGS avoid duplicate class membersNO-DUPE-CLASS-MEMBERS avoid duplicate keys in object literalsNO-DUPE-KEYS avoid duplicate case labelsNO-DUPLICATE-CASE avoid empty block statementsNO-EMPTY avoid empty character classes in regular expressionsNO-EMPTY-CHARACTER-CLASS avoid empty destructuring patternsNO-EMPTY-PATTERN avoid reassigning exceptions in catch clausesNO-EX-ASSIGN prevent the use methods similar to eval()NO-IMPLIED-EVAL prevent assigning to imported bindingsNO-IMPORT-ASSIGN avoid variable or function declaration in nested blocksNO-INNER-DECLARATIONS avoid the use of the __iterator__ propertyNO-ITERATOR avoid numbers that lose precisionNO-LOSS-OF-PRECISION avoid new statements with the symbol objectNO-NEW-SYMBOL avoid using octal literals to prevent unexpected behaviorNO-OCTAL avoid the use of the __proto__ propertyNO-PROTO avoid using javascript in urlsNO-SCRIPT-URL avoid negating the left operand of relational operatorsNO-UNSAFE-NEGATION the with statement can lead to ambiguous codeNO-WITH require yield in generator functionsREQUIRE-YIELD avoid direct comparison with nanUSE-ISNAN compare typeof expressions against valid stringsVALID-TYPEOF

Security rules for JavaScript web applications

Ruleset ID: javascript-browser-security

Rules focused on finding security issues in your JavaScript web applications.

check origin of eventsEVENT-CHECK-ORIGIN do not modify innerhtml or outerhtmlINNER-OUTER-HTML websockets must use ssl connectionsINSECURE-WEBSOCKET do not store sensitive data to local storageLOCAL-STORAGE-SENSITIVE-DATA avoid manual sanitization of inputsMANUAL-SANITIZATION specify origin in postmessagePOSTMESSAGE-PERMISSIVE-ORIGIN do not inject unsanitized htmlREACT-DANGEROUSLY-INNER-HTML do not use variable for regular expressionsREGEXP-NON-LITERAL

Enforce JavaScript code style

Ruleset ID: javascript-code-style

Rules to enforce JavaScript code style.

assigment name should use camelcaseASSIGNMENT-NAME class name should be pascalcaseCLASS-NAME enforce the use of === and !==EQEQEQ function names must match the name of the assignation.FUNC-NAME-MATCHING enforce named function expressionsFUNC-NAMES function name should use camelcase or pascalcaseFUNCTION-NAMING classes must be less than 100 linesMAX-CLASS-LINES functions must be less than 200 linesMAX-FUNCTION-LINES enforce a maximum number of parameters in a functionMAX-PARAMS method name should use camelcaseMETHOD-NAME avoid array constructorsNO-ARRAY-CONSTRUCTOR avoid equal signs at the beginning of regular expressionsNO-DIV-REGEX avoid duplicate module importsNO-DUPLICATE-IMPORTS avoid leading or trailing decimal points in numbersNO-FLOATING-DECIMAL avoid if statements as the only statement in else blocksNO-LONELY-IF avoid the use of chained assignment expressionsNO-MULTI-ASSIGN avoid new operators outside of assignments or comparisonsNO-NEW avoid new operators with the function objectNO-NEW-FUNC avoid object constructorsNO-NEW-OBJECT avoid assignment operators in return statementsNO-RETURN-ASSIGN avoid comparisons where both sides are exactly the sameNO-SELF-COMPARE require let or const instead of varNO-VAR parameter name should use camelcasePARAMETER-NAME consistent use of the radix argument using parseintRADIX

Common security rules for JavaScript

Ruleset ID: javascript-common-security

Rules focused on finding security issues in your JavaScript code.

avoid insecure http requests with axiosAXIOS-AVOID-INSECURE-HTTP function argument names should be uniqueUNIQUE-FUNCTION-ARGUMENTS do not use external xml entitiesXML-NO-EXTERNAL-ENTITIES

Check for Express.js best practices and security

Ruleset ID: javascript-express

Rules specifically for Express.js best practices and security.

limit exposure to sensitive directories and filesACCESS-RESTRICTION enforce overriding default configDEFAULT-SESSION-CONFIG avoid using unsanitized user input with sendfileEXTERNAL-FILENAME-UPLOAD avoid rendering resource based on unsanitized user inputEXTERNAL-RESOURCE avoid using a hard-coded secretHARDCODED-SECRET use `https` protocol over `http`HTTPS-PROTOCOL-MISSING avoid using an insecure access-control-allow-origin headerINSECURE-ALLOW-ORIGIN avoid setting insecure cookie settingsINSECURE-COOKIE ensure an isrevoked method is used for tokensJWT-NOT-REVOKED express application should use helmetMISSING-HELMET avoid allowing access to unintended directories or filesPATH-TRAVERSAL server fingerprinting misconfigurationREDUCE-SERVER-FINGERPRINTING avoid sending unsanitized user input in responseXSS-VULNERABILITY

Check JavaScript code for wording issues

Ruleset ID: javascript-inclusive

Rules for JavaScript to avoid inappropriate wording in the code and comments.

check comments for wording issuesCOMMENTS check declaration names for wording issuesDECLARATIONS check parameter names for wording issuesFORMAL-PARAMETERS check identifier names for wording issuesIDENTIFIERS

Identify potential security hotspots in Node

Ruleset ID: javascript-node-security

Rules to identify potential security hotspots in Node. This may include false positives that require further triage.

use strong security mechanisms with argon2ARGON2 avoid rc4AVOID-CRYPTO-RC4 avoid sha1 security protocolAVOID-CRYPTO-SHA1 avoid des and 3desAVOID-DES do not give 777 permissions to a fileCHMOD-PERMISSIONS avoid command injectionCOMMAND-INJECTION avoid weak hash algorithm from cryptojsCRYPTO-AVOID-WEAK-HASH avoid calls to 'buffer' with 'noassert' flag setDETECT-BUFFER-NOASSERT avoid instances of 'child_process' and non-literal 'exec()'DETECT-CHILD-PROCESS avoid `eval` with expressionsDETECT-EVAL-WITH-EXPRESSION avoid buffer(argument) with non-literal valuesDETECT-NEW-BUFFER avoid variables in 'fs' calls filename argumentDETECT-NON-LITERAL-FS-FILENAME detects non-literal values in regular expressionsDETECT-NON-LITERAL-REGEXP avoid require with non-literal valuesDETECT-NON-LITERAL-REQUIRE detects hardcoded jwt tokens within the codebase.DETECTED-JWT-TOKEN avoid hardcoded hmac keysHARDCODED-HMAC-KEY do not use weak hash functionsINSECURE-HASH insecure usage of a static secret in jwt signingINSECURE-JWT-SECRET-USAGE do not use hardcoded secret with a jwtJWT-HARDCODED-SECRET do not put sensitive data in objectsJWT-SENSITIVE-DATA use default encryption from the jwt libraryJWT-WEAK-ENCRYPTION avoid logging sensitive dataLOG-SENSITIVE-DATA do not use hardcoded secret for oauth2 providersOAUTH2-HARDCODED-SECRET avoid sql injectionSQL-INJECTION avoid sql injectionsVARIABLE-SQL-STATEMENT-INJECTION

React specific linting rules

Ruleset ID: jsx-react

This plugin exports a recommended configuration that enforces React good practices.

prevent missing key props in iterators/collection literalsJSX-KEY avoid comments from being inserted as text nodesJSX-NO-COMMENT-TEXTNODES ensures unique key propJSX-NO-DUPLICATE-KEY avoid duplicate properties in jsxJSX-NO-DUPLICATE-PROPS