Docker Image Scan results for ubuntu/kafka

Scan performed at 2022-12-12 15:23:07 using the CoGuard CLI

Summary

19 total failed checks: 8 High (severity 5-4) / 3 Medium (severity 3) / 8 Low (severity 2-1).

Details

Rule identifier Severity Documentation
kafka_no_plaintext_listening 5 The listeners configuration of a Kafka broker assigns a security protocol to each listener. One of the options is PLAINTEXT, which means the broker accepts connections without any encryption or authentication. A secure Kafka cluster should not be configured this way.
Remediation: In the listeners directive, no listener may use the PLAINTEXT protocol; use SSL or SASL_SSL instead. Note that the prefix is a listener name: when listener.security.protocol.map is set, the name resolves to the protocol given there, so a listener called INTERNAL can still be PLAINTEXT.
Source: https://kafka.apache.org/documentation/#brokerconfigs
dockerfile_last_user_should_be_non_root 4 When building a Docker image, the USER directive sets the user that runs the application and every subsequent command in the container. Without it the container runs as root, so every Dockerfile should set USER explicitly to an account that is not root and does not hold privileges it does not need.
Remediation: Have at least one USER directive in your Dockerfile, and make sure the last one does not reference the root user (root or UID 0) or the root group (root or GID 0).
Source: https://docs.docker.com/engine/reference/builder/#user
kafka_set_client_to_use_tls_when_zookeeper 4 When connecting to Zookeeper, it is recommended to enforce the use of TLS to ensure encryption in transit.
Remediation: Ensure that the zookeeper.ssl.client.enable value is true (default is false).
Source: https://kafka.apache.org/documentation/#configuration
kafka_set_client_to_use_tls_when_zookeeper 4 When connecting to Zookeeper, it is recommended to enforce the use of TLS to ensure encryption in transit.
Remediation: Ensure that the zookeeper.ssl.client.enable value is true (default is false).
Source: https://kafka.apache.org/documentation/#configuration
kafka_inter_broker_protocol_not_plain 4 Kafka is a distributed system: besides producer/consumer traffic there is inter-broker traffic, such as partition replication between brokers, and it needs to be encrypted as well.
Remediation: Ensure that security.inter.broker.protocol is set to anything other than PLAINTEXT (the default) or SASL_PLAINTEXT, i.e. SSL or SASL_SSL.
Source: https://kafka.apache.org/documentation/#configuration
kafka_inter_broker_protocol_not_plain 4 Kafka is a distributed system: besides producer/consumer traffic there is inter-broker traffic, such as partition replication between brokers, and it needs to be encrypted as well.
Remediation: Ensure that security.inter.broker.protocol is set to anything other than PLAINTEXT (the default) or SASL_PLAINTEXT, i.e. SSL or SASL_SSL.
Source: https://kafka.apache.org/documentation/#configuration
kafka_replication_factors_greater_than_one 4 Replicating data across brokers is crucial to the stability of a Kafka cluster; with a replication factor of one, losing a single broker loses the data it held.
Remediation: Ensure that the values for offsets.topic.replication.factor, transaction.state.log.replication.factor, default.replication.factor, config.storage.replication.factor, offset.storage.replication.factor, status.storage.replication.factor and errors.deadletterqueue.topic.replication.factor are all greater than one.
Source: https://kafka.apache.org/documentation/#configuration
kafka_replication_factors_greater_than_one 4 Replicating data across brokers is crucial to the stability of a Kafka cluster; with a replication factor of one, losing a single broker loses the data it held.
Remediation: Ensure that the values for offsets.topic.replication.factor, transaction.state.log.replication.factor, default.replication.factor, config.storage.replication.factor, offset.storage.replication.factor, status.storage.replication.factor and errors.deadletterqueue.topic.replication.factor are all greater than one.
Source: https://kafka.apache.org/documentation/#configuration
dockerfile_create_volume_for_var_log 3 On Linux systems, important operating system logs are stored under /var/log. This folder should always be exposed to the host through a volume, so that log collection and log analysis systems can capture them.
Remediation: In every Dockerfile, there should be a VOLUME directive which has /var/log as an argument.
Source: https://docs.docker.com/engine/reference/builder/
kafka_do_not_enable_auto_create_topics 3 When a broker receives a message for a non-existent topic, Kafka's default configuration creates the topic automatically. This has many downsides: a bug in producer/consumer code can pollute the cluster with unintended topics and slow the whole cluster down. Topics should only be created intentionally.
Remediation: Ensure that the auto.create.topics.enable value is false (default is true).
Source: https://kafka.apache.org/documentation/#configuration
kafka_do_not_enable_auto_create_topics 3 When a broker receives a message for a non-existent topic, Kafka's default configuration creates the topic automatically. This has many downsides: a bug in producer/consumer code can pollute the cluster with unintended topics and slow the whole cluster down. Topics should only be created intentionally.
Remediation: Ensure that the auto.create.topics.enable value is false (default is true).
Source: https://kafka.apache.org/documentation/#configuration
dockerfile_copy_command_more_than_two_arguments_slash 2 The COPY directive copies one or more files from the build context into the image being built. When more than one source is given, the destination must be a directory, and Docker requires it to end with /.
Remediation: Ensure that every COPY instruction with more than two arguments has the last argument ending with /
Source: https://docs.docker.com/engine/reference/builder/#copy
dockerfile_only_one_cmd_instruction 2 The CMD directive specifies the default command executed when the container starts. If several are present only the last one takes effect, so there should be just one.
Remediation: Ensure that there is at most one CMD directive in the Dockerfile.
dockerfile_container_healthcheck_parameter 2 Dockerfiles have an instruction called HEALTHCHECK. It enables a user to define a command to figure out if the program(s) running inside the container are working properly. It is generally advisable to have healthchecks in place to assist monitoring of running containers.
Remediation: Have at least one HEALTHCHECK instruction in your Dockerfile.
Source: https://docs.docker.com/engine/reference/builder/#healthcheck
kafka_do_not_use_default_port 2 Using the standard port makes it easier for intruders to scan for the service from the outside. Moving the port only raises the bar for casual scanning; it is no substitute for TLS and authentication on the listener.
Remediation: Either set the deprecated 'port' directive to something other than 9092, or ensure that no listener in the listeners directive uses port 9092.
kafka_do_not_use_default_port 2 Using the standard port makes it easier for intruders to scan for the service from the outside. Moving the port only raises the bar for casual scanning; it is no substitute for TLS and authentication on the listener.
Remediation: Either set the deprecated 'port' directive to something other than 9092, or ensure that no listener in the listeners directive uses port 9092.
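The Kafka broker rules above (kafka_no_plaintext_listening, kafka_set_client_to_use_tls_when_zookeeper, kafka_inter_broker_protocol_not_plain, kafka_replication_factors_greater_than_one, kafka_do_not_enable_auto_create_topics and kafka_do_not_use_default_port) re-implemented as a small check over a server.properties body. This is an added example, not CoGuard's own check code and not the configuration shipped in ubuntu/kafka: both property fragments are constructed (listener names, ports and keystore paths are placeholders), the rule identifiers are reused from this report, and the check goes slightly beyond the rule text in two places that matter in practice: it resolves listener names through listener.security.protocol.map, and it judges inter-broker traffic through inter.broker.listener.name when that is set instead of security.inter.broker.protocol.

```python
import re

# Constructed sample (not from the scanned image): trips every Kafka rule in this report.
WEAK_CONFIG = """
listeners=PLAINTEXT://0.0.0.0:9092
advertised.listeners=PLAINTEXT://kafka:9092
security.inter.broker.protocol=PLAINTEXT
zookeeper.connect=zookeeper:2181
auto.create.topics.enable=true
offsets.topic.replication.factor=1
transaction.state.log.replication.factor=1
default.replication.factor=1
"""

# Constructed sample: the same broker with the report's remediations applied.
# Listener names, ports and keystore paths are placeholders.
HARDENED_CONFIG = """
listeners=INTERNAL://0.0.0.0:19093,CLIENT://0.0.0.0:19094
advertised.listeners=INTERNAL://kafka:19093,CLIENT://kafka:19094
listener.security.protocol.map=INTERNAL:SSL,CLIENT:SASL_SSL
inter.broker.listener.name=INTERNAL
ssl.keystore.location=/etc/kafka/secrets/broker.keystore.jks
zookeeper.connect=zookeeper:2182
zookeeper.ssl.client.enable=true
zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
auto.create.topics.enable=false
offsets.topic.replication.factor=3
transaction.state.log.replication.factor=3
default.replication.factor=3
"""

# Broker defaults from the Kafka configuration reference; the Connect keys have no broker default and are judged only when present.
CONNECT_KEYS = ("config.storage.replication.factor", "offset.storage.replication.factor",
                "status.storage.replication.factor", "errors.deadletterqueue.topic.replication.factor")
REPLICATION_DEFAULTS = {"offsets.topic.replication.factor": 3,
                        "transaction.state.log.replication.factor": 3,
                        "default.replication.factor": 1, **dict.fromkeys(CONNECT_KEYS)}
LISTENER_RE = re.compile(r"^([A-Za-z0-9_.-]+)://(.*):(\d+)$")


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, # and ! comments."""
    props = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def protocol_map(props):
    """listener.security.protocol.map as {listener name: security protocol}."""
    mapping = {}
    for pair in props.get("listener.security.protocol.map", "").split(","):
        name, sep, proto = pair.strip().partition(":")
        if sep:
            mapping[name.strip()] = proto.strip()
    return mapping


def listener_endpoints(props):
    """Yield (directive, listener name, port) for listeners and advertised.listeners."""
    for key in ("listeners", "advertised.listeners"):
        for entry in props.get(key, "").split(","):
            match = LISTENER_RE.match(entry.strip())
            if match:
                yield key, match.group(1), int(match.group(3))


def check_broker(text):
    """Return [(rule_id, detail), ...] for a server.properties body; [] means clean."""
    props = parse_properties(text)
    pmap = protocol_map(props)
    findings = []
    for directive, name, port in listener_endpoints(props):
        # The prefix is a listener name; a name absent from the map is the protocol itself.
        if pmap.get(name, name) == "PLAINTEXT":
            findings.append(("kafka_no_plaintext_listening", f"{directive}: {name} is PLAINTEXT"))
        if port == 9092:
            findings.append(("kafka_do_not_use_default_port", f"{directive}: {name} on 9092"))
    if props.get("port") == "9092":
        findings.append(("kafka_do_not_use_default_port", "deprecated 'port' is 9092"))
    # Inter-broker traffic uses security.inter.broker.protocol (default PLAINTEXT)
    # unless inter.broker.listener.name selects a listener from the protocol map.
    ib_name = props.get("inter.broker.listener.name")
    ib_proto = pmap.get(ib_name, ib_name) if ib_name else props.get("security.inter.broker.protocol", "PLAINTEXT")
    if ib_proto in ("PLAINTEXT", "SASL_PLAINTEXT"):
        findings.append(("kafka_inter_broker_protocol_not_plain", f"inter-broker protocol is {ib_proto}"))
    # ZooKeeper TLS only applies to ZooKeeper-mode brokers; KRaft brokers have no zookeeper.connect.
    if "zookeeper.connect" in props and props.get("zookeeper.ssl.client.enable", "false").lower() != "true":
        findings.append(("kafka_set_client_to_use_tls_when_zookeeper", "zookeeper.ssl.client.enable is not true"))
    if props.get("auto.create.topics.enable", "true").lower() != "false":
        findings.append(("kafka_do_not_enable_auto_create_topics", "auto.create.topics.enable is not false"))
    for key, default in REPLICATION_DEFAULTS.items():
        value = props.get(key, default)
        if value is not None and int(value) <= 1:
            findings.append(("kafka_replication_factors_greater_than_one", f"{key}={value}"))
    return findings
```

Run `check_broker(WEAK_CONFIG)` to see the ten findings the weak fragment produces and `check_broker(HARDENED_CONFIG)` to confirm the remediated fragment is clean. The defaults matter: a server.properties that simply omits security.inter.broker.protocol, auto.create.topics.enable or default.replication.factor is flagged, because Kafka's own defaults for those keys are the insecure values.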
dockerfile_env_and_arg_defined_and_right_away_used 1 In Docker images that use environment variables or build arguments, place the ARG or ENV directives close to where they are used: a changed value invalidates the build cache for the instructions that follow it, so declaring variables early discards more cached layers than necessary.
Remediation: Every variable defined by an ENV or ARG directive should be used within the next five instructions of the Dockerfile.
dockerfile_only_one_definition_per_env_statement 1 The ENV statement accepts several assignments in one directive. Avoid this for readability, and because of pitfalls such as one assignment not being able to reference another made in the same ENV directive.
Remediation: Ensure that every ENV directive has only one assignment.
dockerfile_do_not_use_add 1 Dockerfiles have two directives that add files from the build machine into the image, COPY and ADD. They are similar, but ADD has side effects such as automatically extracting local archives and fetching remote URLs. It is generally recommended to use only COPY.
Remediation: Remove any ADD directive in your dockerfile and replace it with COPY.
Source: https://docs.docker.com/engine/reference/builder/#copy
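The Dockerfile rules in this report (dockerfile_last_user_should_be_non_root, dockerfile_create_volume_for_var_log, dockerfile_copy_command_more_than_two_arguments_slash, dockerfile_only_one_cmd_instruction, dockerfile_container_healthcheck_parameter, dockerfile_env_and_arg_defined_and_right_away_used, dockerfile_only_one_definition_per_env_statement and dockerfile_do_not_use_add) re-implemented as a small check over a Dockerfile body. This is an added example, not CoGuard's check code and not the ubuntu/kafka Dockerfile: both Dockerfiles are constructed (package names, paths and ports are placeholders), the rule identifiers are reused from this report, and the "used within the next five instructions" test is taken literally as "$NAME or ${NAME...} appears in the text of the next five instructions".

```python
import json
import re
import shlex

# Constructed sample (not the ubuntu/kafka Dockerfile): trips every Dockerfile rule in this report.
WEAK_DOCKERFILE = """\
FROM ubuntu:22.04
ENV KAFKA_HOME=/opt/kafka KAFKA_VERSION=3.3.1
ARG TARBALL=kafka.tgz
ADD kafka.tgz /opt/
RUN apt-get update && apt-get install -y --no-install-recommends openjdk-17-jre-headless
RUN groupadd -r kafka && useradd -r -g kafka kafka
COPY server.properties log4j.properties /opt/kafka/config
CMD ["/opt/kafka/bin/kafka-server-start.sh", "/opt/kafka/config/server.properties"]
CMD ["/bin/bash"]
"""

# Constructed sample: the same image with the remediations applied (paths and ports are placeholders).
HARDENED_DOCKERFILE = """\
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y --no-install-recommends openjdk-17-jre-headless \\
    && groupadd -r kafka && useradd -r -g kafka kafka
ARG TARBALL=kafka.tgz
COPY ${TARBALL} /tmp/kafka.tgz
RUN mkdir -p /opt/kafka && tar -xzf /tmp/kafka.tgz --strip-components=1 -C /opt/kafka && rm /tmp/kafka.tgz
COPY server.properties log4j.properties /opt/kafka/config/
ENV KAFKA_HOME=/opt/kafka
WORKDIR ${KAFKA_HOME}
VOLUME ["/var/log"]
HEALTHCHECK --interval=30s --timeout=5s CMD ["bin/kafka-broker-api-versions.sh", "--bootstrap-server", "localhost:19093"]
USER kafka:kafka
CMD ["bin/kafka-server-start.sh", "config/server.properties"]
"""


def instructions(text):
    """Yield (INSTRUCTION, args) with backslash continuations joined and comments dropped."""
    for line in re.sub(r"\\\r?\n", " ", text).splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            yield parts[0].upper(), parts[1] if len(parts) > 1 else ""


def arg_tokens(args):
    """COPY/ADD/VOLUME arguments in either shell or JSON form, with --flags removed."""
    if args.startswith("["):
        return json.loads(args)
    return [t for t in shlex.split(args) if not t.startswith("--")]


def assigned_names(args):
    """Names defined by one ENV/ARG instruction: 'K=v K2=v2' or the legacy 'K value' form."""
    tokens = shlex.split(args)
    if tokens and "=" not in tokens[0]:
        return tokens[:1]
    return [t.split("=", 1)[0] for t in tokens if "=" in t]


def check_dockerfile(text):
    """Return [(rule_id, detail), ...] for a Dockerfile body; [] means clean."""
    ins = list(instructions(text))
    findings, last_user, volumes, cmds, healthchecks = [], None, set(), 0, 0
    for i, (name, args) in enumerate(ins):
        if name == "USER":
            last_user = args
        elif name == "VOLUME":
            volumes.update(v.rstrip("/") for v in arg_tokens(args))
        elif name == "CMD":
            cmds += 1
        elif name == "HEALTHCHECK":
            healthchecks += 1
        elif name == "ADD":
            findings.append(("dockerfile_do_not_use_add", args))
        elif name == "COPY":
            tokens = arg_tokens(args)
            if len(tokens) > 2 and not tokens[-1].endswith("/"):
                findings.append(("dockerfile_copy_command_more_than_two_arguments_slash", args))
        elif name in ("ENV", "ARG"):
            names = assigned_names(args)
            if name == "ENV" and len(names) > 1:
                findings.append(("dockerfile_only_one_definition_per_env_statement", args))
            # "Used right away" = $NAME or ${NAME...} appears in the next five instructions.
            window = " ".join(a for _, a in ins[i + 1:i + 6])
            for var in names:
                if not re.search(r"\$\{?" + re.escape(var) + r"\b", window):
                    findings.append(("dockerfile_env_and_arg_defined_and_right_away_used", var))
    # No USER at all means the container runs as root, the same failure as an explicit USER root.
    user, _, group = (last_user or "root").partition(":")
    if user in ("root", "0") or group in ("root", "0"):
        findings.append(("dockerfile_last_user_should_be_non_root", last_user or "<no USER directive>"))
    if "/var/log" not in volumes:
        findings.append(("dockerfile_create_volume_for_var_log", "no VOLUME /var/log"))
    if cmds > 1:
        findings.append(("dockerfile_only_one_cmd_instruction", f"{cmds} CMD instructions; only the last takes effect"))
    if healthchecks == 0:
        findings.append(("dockerfile_container_healthcheck_parameter", "no HEALTHCHECK"))
    return findings
```

`check_dockerfile(WEAK_DOCKERFILE)` returns ten findings covering all eight Dockerfile rules; the hardened variant returns none. The USER check treats a Dockerfile without any USER directive exactly like `USER root`, since that is what the container runs as.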
