chore: improve issue title for kube-linter

README.md

@@ -14,6 +14,48 @@ Hub of all open-sourced third-party static analyzers supported by DeepSource.
 
 ## Development Guide
 
+### Adding a new analyzer
+
+To add a new analyzer, create a new directory with the analyzer shortcode under the `analyzers` folder.
+The following are very important to sync analyzers with DeepSource:
+
+1. `.deepsource/analyzer` directory under `analyzer/<analyzer-shortcode>` directory.
+
+    a. It should contain an `analyzer.toml` file with the following fields:
+
+      - `category`: One of "conf" (Configuration-as-code), "lang" (Language), "covg" (Coverage), "sec" (security)
+      - `name`: Name for the Analyzer. Analyzer on DeepSource dashboard and the checks on VCS would show up as this name.
+      - `shortcode`: shortcode for the analyzer. This should be same as of the analyzer's directory name. This is the name of the analyzer in the `.deepsource.toml` file.
+      - `status`: "active" if analyzer should be live else "draft".
+      - `tool_latest_version`: Analyzer's latest version for which issues are synced on DeepSource.
+      - `description`: A readable descrioption for this analyzer.
+
+    b. It should contain am `example.toml` file with a snippet to activate this analyzer in `.deepsource.toml` config.
+
+    c. `logo.svg` file.
+
+
+2. `.deepsource/issues` directory. This contains all issues detected by the analyzer. Each issue's filemane should be `<issue-shortcode>.toml` or `<issue-shortcode.md>` with the following fields:
+
+    - `title`: Title of the issue. No periods are allowed in the title.
+    - `category`: Category of the issue. Allowed values are: "bug-risk", "doc", "style", "antipattern", "coverage", "security", "performance", "typecheck", and, "secrets".
+    - `description`: Description of the issue. This showld explain the problem in as much detail as possible with possible remediation steps.
+    - `severity`: Severity of the issue. Allowed values are: "critical", "major" and "minor".
+
+3. `CI` directory:
+
+Put example configs of all CIs under this directory. These worlflow / CI configs should run the analyzer, create a sarif report and send it to DeepSource.
+Each file should be names as `<provider>.<extention>`. Example: `github.yml`, `circleci.yml`, etc.`
+
+4. `utils` directory:
+
+It should contain all the utilities required for the analyzer like issue genrator, issue-map, etc.
+For example, please check out `analyzers/kube-linter/utils`.
+
+### Syncing analyzers and their issues with DeepSource
+
+Push a tag after merging all the changes to the default (master) branch. The `Sync community analyzers` workflow triggers on tag pushes matching `v*` and will sync the analyzers and their issues with DeepSource.
+
 ### Running tests
 
 - Create and activate a virtual environment

analyzers/kube-linter/.deepsource/issues/KUBELIN-W1001.toml

@@ -1,5 +1,5 @@
 
-title = "access-to-create-pods"
+title = "Unrestricted access to create pods"
 severity = "major"
 category = "antipattern"
 weight = 70

analyzers/kube-linter/.deepsource/issues/KUBELIN-W1002.toml

@@ -1,13 +1,13 @@
-
-title = "access-to-secrets"
+title = "Unrestricted access to Secrets"
+weight = 70
 severity = "major"
 category = "antipattern"
-weight = 70
 description = """
 Indicates when a subject (Group/User/ServiceAccount) has access to Secrets. CIS Benchmark 5.1.2: Access to secrets should be restricted to the smallest possible group of users to reduce the risk of privilege escalation.
 
 <!--more-->
 
 ## Remediation
 Where possible, remove get, list and watch access to secret objects in the cluster.
+
 """

analyzers/kube-linter/.deepsource/issues/KUBELIN-W1003.toml

@@ -1,13 +1,13 @@
-
-title = "cluster-admin-role-binding"
+title = "`cluster admin` role should be used only where required"
+weight = 70
 severity = "major"
 category = "antipattern"
-weight = 70
 description = """
 CIS Benchmark 5.1.1 Ensure that the cluster-admin role is only used where required
 
 <!--more-->
 
 ## Remediation
 Create and assign a separate role that has access to specific resources/actions needed for the service account.
+
 """

analyzers/kube-linter/.deepsource/issues/KUBELIN-W1004.toml

@@ -1,13 +1,13 @@
-
-title = "dangling-horizontalpodautoscaler"
+title = "Missing `scaleTargetRef` in `HorizontalPodAutoscaler`"
+weight = 70
 severity = "major"
 category = "antipattern"
-weight = 70
 description = """
 Indicates when HorizontalPodAutoscalers target a missing resource.
 
 <!--more-->
 
 ## Remediation
 Confirm that your HorizontalPodAutoscaler's scaleTargetRef correctly matches one of your deployments.
+
 """

analyzers/kube-linter/.deepsource/issues/KUBELIN-W1005.toml

@@ -1,13 +1,13 @@
-
-title = "dangling-ingress"
+title = "Ingress without associated services"
+weight = 70
 severity = "major"
 category = "antipattern"
-weight = 70
 description = """
 Indicates when ingress do not have any associated services.
 
 <!--more-->
 
 ## Remediation
 Confirm that your ingress's backend correctly matches the name and port on one of your services.
+
 """

analyzers/kube-linter/.deepsource/issues/KUBELIN-W1006.toml

@@ -1,13 +1,13 @@
-
-title = "dangling-networkpolicy"
+title = "NetworkPolicy without associated deployments"
+weight = 70
 severity = "major"
 category = "antipattern"
-weight = 70
 description = """
 Indicates when networkpolicies do not have any associated deployments.
 
 <!--more-->
 
 ## Remediation
 Confirm that your networkPolicy's podselector correctly matches the labels on one of your deployments.
+
 """

analyzers/kube-linter/.deepsource/issues/KUBELIN-W1007.toml

@@ -1,13 +1,13 @@
-
-title = "dangling-networkpolicypeer-podselector"
+title = "Misconfigured NetworkPolicyPeer podSelectors"
+weight = 70
 severity = "major"
 category = "antipattern"
-weight = 70
 description = """
 Indicates when NetworkPolicyPeer in Egress/Ingress rules -in the Spec of NetworkPolicy- do not have any associated deployments. Applied on peer specified with podSelectors only.
 
 <!--more-->
 
 ## Remediation
 Confirm that your NetworkPolicy's Ingress/Egress peer's podselector correctly matches the labels on one of your deployments.
+
 """

analyzers/kube-linter/.deepsource/issues/KUBELIN-W1008.toml

@@ -1,13 +1,13 @@
-
-title = "dangling-service"
+title = "Missing deployment for service"
+weight = 70
 severity = "major"
 category = "antipattern"
-weight = 70
 description = """
 Indicates when services do not have any associated deployments.
 
 <!--more-->
 
 ## Remediation
 Confirm that your service's selector correctly matches the labels on one of your deployments.
+
 """

analyzers/kube-linter/.deepsource/issues/KUBELIN-W1009.toml

@@ -1,13 +1,13 @@
-
-title = "default-service-account"
+title = "Pods using default service account"
+weight = 70
 severity = "major"
 category = "antipattern"
-weight = 70
 description = """
 Indicates when pods use the default service account.
 
 <!--more-->
 
 ## Remediation
 Create a dedicated service account for your pod. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ for details.
+
 """

analyzers/kube-linter/.deepsource/issues/KUBELIN-W1010.toml

@@ -1,13 +1,13 @@
-
-title = "deprecated-service-account-field"
+title = "Use of deprecated `serviceAccount` field in deployments"
+weight = 70
 severity = "major"
 category = "antipattern"
-weight = 70
 description = """
 Indicates when deployments use the deprecated serviceAccount field.
 
 <!--more-->
 
 ## Remediation
 Use the serviceAccountName field instead. If you must specify serviceAccount, ensure values for serviceAccount and serviceAccountName match.
+
 """

analyzers/kube-linter/.deepsource/issues/KUBELIN-W1011.toml

@@ -1,13 +1,13 @@
-
-title = "dnsconfig-options"
+title = "Missing `dnsConfig` options in deployments"
+weight = 70
 severity = "major"
 category = "antipattern"
-weight = 70
 description = """
 Alert on deployments that have no specified dnsConfig options
 
 <!--more-->
 
 ## Remediation
 Specify dnsconfig options in your Pod specification to ensure the expected DNS setting on the Pod. Refer to https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config for details.
+
 """

analyzers/kube-linter/.deepsource/issues/KUBELIN-W1012.toml

@@ -1,13 +1,13 @@
-
-title = "docker-sock"
+title = "`docker.sock` volume mounted in containers"
+weight = 70
 severity = "major"
 category = "antipattern"
-weight = 70
 description = """
-Alert on deployments with docker.sock mounted in containers. 
+Alert on deployments with docker.sock mounted in containers.
 
 <!--more-->
 
 ## Remediation
 Ensure the Docker socket is not mounted inside any containers by removing the associated  Volume and VolumeMount in deployment yaml specification. If the Docker socket is mounted inside a container it could allow processes running within  the container to execute Docker commands which would effectively allow for full control of the host.
+
 """

analyzers/kube-linter/.deepsource/issues/KUBELIN-W1013.toml

@@ -1,13 +1,13 @@
-
-title = "drop-net-raw-capability"
+title = "Container with `NET_RAW` capability"
+weight = 70
 severity = "major"
 category = "antipattern"
-weight = 70
 description = """
 Indicates when containers do not drop NET_RAW capability
 
 <!--more-->
 
 ## Remediation
 NET_RAW makes it so that an application within the container is able to craft raw packets, use raw sockets, and bind to any address. Remove this capability in the containers under containers security contexts.
+
 """

analyzers/kube-linter/.deepsource/issues/KUBELIN-W1014.toml

@@ -1,13 +1,13 @@
-
-title = "duplicate-env-var"
+title = "Duplicate env vars dedicated"
+weight = 70
 severity = "major"
 category = "antipattern"
-weight = 70
 description = """
 Check that duplicate named env vars aren't passed to a deployment like.
 
 <!--more-->
 
 ## Remediation
 Confirm that your DeploymentLike doesn't have duplicate env vars names.
+
 """

analyzers/kube-linter/.deepsource/issues/KUBELIN-W1015.toml

@@ -1,13 +1,13 @@
-
-title = "env-var-secret"
+title = "Insecure use of secrets in environment variables"
+weight = 70
 severity = "major"
 category = "antipattern"
-weight = 70
 description = """
 Indicates when objects use a secret in an environment variable.
 
 <!--more-->
 
 ## Remediation
+
 Do not use raw secrets in environment variables. Instead, either mount the secret as a file or use a secretKeyRef. Refer to https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets for details.
 """

analyzers/kube-linter/.deepsource/issues/KUBELIN-W1016.toml

@@ -1,13 +1,13 @@
-
-title = "exposed-services"
+title = "Forbidden service types for exposed services"
+weight = 70
 severity = "major"
 category = "antipattern"
-weight = 70
 description = """
 Alert on services for forbidden types
 
 <!--more-->
 
 ## Remediation
 Ensure containers are not exposed through a forbidden service type such as NodePort or LoadBalancer.
+
 """

analyzers/kube-linter/.deepsource/issues/KUBELIN-W1017.toml

@@ -1,13 +1,13 @@
-
-title = "host-ipc"
+title = "Sharing host's IPC namespace"
+weight = 70
 severity = "major"
 category = "antipattern"
-weight = 70
 description = """
 Alert on pods/deployment-likes with sharing host's IPC namespace
 
 <!--more-->
 
 ## Remediation
 Ensure the host's IPC namespace is not shared.
+
 """

analyzers/kube-linter/.deepsource/issues/KUBELIN-W1018.toml

@@ -1,5 +1,4 @@
-
-title = "host-network"
+title = "Pods sharing host's network namespace"
 severity = "major"
 category = "antipattern"
 weight = 70

analyzers/kube-linter/.deepsource/issues/KUBELIN-W1019.toml

@@ -1,13 +1,13 @@
-
-title = "host-pid"
+title = "Sharing host's process namespace"
+weight = 70
 severity = "major"
 category = "antipattern"
-weight = 70
 description = """
 Alert on pods/deployment-likes with sharing host's process namespace
 
 <!--more-->
 
 ## Remediation
 Ensure the host's process namespace is not shared.
+
 """

analyzers/kube-linter/.deepsource/issues/KUBELIN-W1020.toml

@@ -1,13 +1,13 @@
-
-title = "hpa-minimum-three-replicas"
+title = "Insufficient `minReplicas` in `HorizontalPodAutoscaler`"
+weight = 70
 severity = "major"
 category = "antipattern"
-weight = 70
 description = """
 Indicates when a HorizontalPodAutoscaler specifies less than three minReplicas
 
 <!--more-->
 
 ## Remediation
 Increase the number of replicas in the HorizontalPodAutoscaler to at least three to increase fault tolerance.
+
 """

analyzers/kube-linter/.deepsource/issues/KUBELIN-W1021.toml

@@ -1,13 +1,13 @@
-
-title = "invalid-target-ports"
+title = "Invalid port names in deployments or services"
+weight = 70
 severity = "major"
 category = "antipattern"
-weight = 70
 description = """
 Indicates when deployments or services are using port names that are violating specifications.
 
 <!--more-->
 
 ## Remediation
 Ensure that port naming is in conjunction with the specification. For more information, please look at the Kubernetes Service specification on this page: https://kubernetes.io/docs/reference/_print/#ServiceSpec. And additional information about IANA Service naming can be found on the following page: https://www.rfc-editor.org/rfc/rfc6335.html#section-5.1.
+
 """