Checkmarx
diff --git a/‎docs/queries/cloudformation-queries/aws/6c131358-c54d-419b-9dd6-1f7dd41d180c.md‎
Lines changed: 65 additions & 0 deletions b/‎docs/queries/cloudformation-queries/aws/6c131358-c54d-419b-9dd6-1f7dd41d180c.md‎
Lines changed: 65 additions & 0 deletions
diff --git a/‎docs/queries/common-queries/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71.md‎
Lines changed: 143 additions & 7 deletions b/‎docs/queries/common-queries/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71.md‎
Lines changed: 143 additions & 7 deletions
diff --git a/‎docs/queries/dockerfile-queries/7ebd323c-31b7-4e5b-b26f-de5e9e477af8.md‎
Lines changed: 72 additions & 0 deletions b/‎docs/queries/dockerfile-queries/7ebd323c-31b7-4e5b-b26f-de5e9e477af8.md‎
Lines changed: 72 additions & 0 deletions
@@ -845,3 +845,68 @@ Outputs:
 }
 
 ```
+```yaml title="Negative test num. 3 - yaml file"
+Resources:
+  TaskDef54694570:
+    Type: AWS::ECS::TaskDefinition
+    Properties:
+      ContainerDefinitions:
+        - Environment:
+            - Name: DEPLOYMENT_TIMESTAMP
+              Value: "2024-08-20T00:41:57.620Z"
+          Essential: true
+          HealthCheck:
+            Command:
+              - CMD-SHELL
+              - curl -f http://localhost:3000/health || exit
+            Interval: 30
+            Retries: 3
+            StartPeriod: 30
+            Timeout: 5
+          Image:
+            Fn::Join:
+              - ""
+              - - 123456789012.dkr.ecr.us-west-2.
+                - Ref: AWS::URLSuffix
+                - /example-nms:latest
+      ExecutionRoleArn:
+        Fn::GetAtt:
+          - TaskDefExecutionRoleB4775C97
+          - Arn
+      RequiresCompatibilities:
+        - EC2
+      Tags:
+        - Key: classification
+          Value: internal
+        - Key: component
+          Value: example-nms
+        - Key: env
+          Value: development
+        - Key: owner
+          Value: example@owner.com
+        - Key: product
+          Value: internal_tools
+      TaskRoleArn:
+        Fn::GetAtt:
+          - EcsTaskRole8DFA0181
+          - Arn
+  ExampleNameMatchService0992A2E7:
+    Type: AWS::ECS::Service
+    Properties:
+      Cluster: example-ecs
+      SchedulingStrategy: REPLICA
+      Tags:
+        - Key: classification
+          Value: internal
+        - Key: component
+          Value: example-nms
+        - Key: env
+          Value: development
+        - Key: owner
+          Value: example@owner.com
+        - Key: product
+          Value: internal_tools
+      TaskDefinition:
+        Ref: TaskDef54694570
+
+```
@@ -1526,6 +1526,38 @@ tags: []
 </details>
 <details><summary>Positive test num. 47 - dockerfile file</summary>
 
+```dockerfile hl_lines="4"
+FROM baseImage
+
+ENV ARTEMIS_USER artemis
+ENV ARTEMIS_PASSWORD artemis
+
+RUN apk add --no-cache git \
+    && git config \
+    --global \
+    url."https://${GIT_USER}:${GIT_TOKEN}@github.com".insteadOf \
+    "https://github.com"
+
+```
+</details>
+<details><summary>Positive test num. 48 - dockerfile file</summary>
+
+```dockerfile hl_lines="4"
+FROM baseImage
+
+ENV ARTEMIS_USER=artemis
+ENV ARTEMIS_PASSWORD=artemis
+
+RUN apk add --no-cache git \
+    && git config \
+    --global \
+    url."https://${GIT_USER}:${GIT_TOKEN}@github.com".insteadOf \
+    "https://github.com"
+
+```
+</details>
+<details><summary>Positive test num. 49 - dockerfile file</summary>
+
 ```dockerfile hl_lines="3 7"
 FROM baseImage
 
@@ -1537,7 +1569,7 @@ ARG password=pass!1213Fs
 
 ```
 </details>
-<details><summary>Positive test num. 48 - tf file</summary>
+<details><summary>Positive test num. 50 - tf file</summary>
 
 ```tf hl_lines="8"
 resource "google_container_cluster" "primary2" {
@@ -1562,7 +1594,7 @@ resource "google_container_cluster" "primary2" {
 
 ```
 </details>
-<details><summary>Positive test num. 49 - json file</summary>
+<details><summary>Positive test num. 51 - json file</summary>
 
 ```json hl_lines="4 7"
 {
@@ -1578,7 +1610,7 @@ resource "google_container_cluster" "primary2" {
 
 ```
 </details>
-<details><summary>Positive test num. 50 - tf file</summary>
+<details><summary>Positive test num. 52 - tf file</summary>
 
 ```tf hl_lines="8"
 resource "google_container_cluster" "primary4" {
@@ -2794,11 +2826,115 @@ data "template_file" "sci_integration_app_properties_secret_template" {
 ```dockerfile
 FROM baseImage
 
+ENV ARTEMIS_USER artemis
+
+RUN apk add --no-cache git \
+    && git config \
+    --global \
+    url."https://${GIT_USER}:${GIT_TOKEN}@github.com".insteadOf \
+    "https://github.com"
+
+
+```
+</details>
+<details><summary>Negative test num. 45 - dockerfile file</summary>
+
+```dockerfile
+FROM baseImage
+
 RUN command
 
 ```
 </details>
-<details><summary>Negative test num. 45 - json file</summary>
+<details><summary>Negative test num. 46 - dockerfile file</summary>
+
+```dockerfile
+FROM baseImage
+
+ENV ARTEMIS_USER=artemis
+
+RUN apk add --no-cache git \
+    && git config \
+    --global \
+    url."https://${GIT_USER}:${GIT_TOKEN}@github.com".insteadOf \
+    "https://github.com"
+
+
+```
+</details>
+<details><summary>Negative test num. 47 - yml file</summary>
+
+```yml
+stages:
+- template: templates/main-stage.yml
+  parameters:
+    environment:                      'foo'
+    isSm9ChangeRequired:              true
+  
+    isDedicatedSubscription:          'true'
+    setResourceLock:                  'true'
+    nameResourceLock:                 'PrdPreventAccidentalDeletion'
+    isDevelopment:                    'false'
+    # example 1 (placeholders)
+    vmAdminPassword:                  '$(VM_ADMIN_PASSWORD)'                 # SET IN PIPELINE
+    sqlAdminPassword:                 '$(SQL_ADMIN_PASSWORD)'                # SET IN PIPELINE
+    yetanotherAdminPassword:          '${{SQL_ADMIN_PASSWORD}}'                # SET IN PIPELINE
+    andyetanotherAdminPassword:       '${{ SQL_ADMIN_PASSWORD }}'                # SET IN PIPELINE
+
+    # example 2 (empty string value)
+    anotherAdminPassword:             ''                 # SET IN PIPELINE
+
+    serviceConnectionName:            'foo' 
+    subscriptionId:                   'foo'
+    organisationalGroup:              'foo'        # Replace this with your own Organisational Group name.
+    devOrganisationalGroup:           'foo'                                     # should be empty for none DEV env
+    sm9ApplicationCi:                 'foo'                                  # Replace this with your own SM9 Application CI name.
+    resourceGroupBaseName:            'foo'                 # This is used to construct a Resource Group name. Replace this with your desired resource group name.
+    resourceGroupNameSuffix:          'foo'                                    # This is suffixed to the Resource Group name in a Shared subscription (must be an integer). Can be left as-is.
+    location:                         'foo'                           # Replace this with your desired Azure region.
+    linuxAgentPoolName:               'foo'                # Agent pool name of Linux agents. Can be left as-is.
+    windowsAgentPoolName:             'foo'              # Agent pool name of Windows agents. Can be left as-is.
+    System.Debug:                     'foo'                                 # Set to 'foo' to enable debug logging. Can be left as-is.
+
+    skipAdditionalResources:          'foo'                                # if true skip creating additional resources
+    skipSQL:                          'foo'
+
+    #####################################################################################
+    # ADF                                                                               #
+    #####################################################################################
+    adfName:                          'foo'
+    adfDeveloperGroup:                'foo'        # Group has access to ADF
+    irName:                           'foo'
+    irDescription:                    'foo'
+
+
+
+```
+</details>
+<details><summary>Negative test num. 48 - yml file</summary>
+
+```yml
+version: '3.7'
+
+services:
+  apis:
+    image: ""
+    env_file:
+      - .env
+    environment:
+      env: "dev"
+
+      # this value is a Docker Compose secrets path, its contents are not exposed
+      PrivateKey: /run/secrets/SOME_AUTHORIZATION_PRIVATE_KEY
+
+secrets:
+  SOME_AUTHORIZATION_PRIVATE_KEY:
+    external: true
+
+
+```
+</details>
+<details><summary>Negative test num. 49 - json file</summary>
 
 ```json
 {
@@ -2818,7 +2954,7 @@ RUN command
 
 ```
 </details>
-<details><summary>Negative test num. 46 - tf file</summary>
+<details><summary>Negative test num. 50 - tf file</summary>
 
 ```tf
 resource "google_container_cluster" "primary3" {
@@ -2843,7 +2979,7 @@ resource "google_container_cluster" "primary3" {
 
 ```
 </details>
-<details><summary>Negative test num. 47 - tf file</summary>
+<details><summary>Negative test num. 51 - tf file</summary>
 
 ```tf
 resource "google_container_cluster" "primary5" {
@@ -2868,7 +3004,7 @@ resource "google_container_cluster" "primary5" {
 
 ```
 </details>
-<details><summary>Negative test num. 48 - tf file</summary>
+<details><summary>Negative test num. 52 - tf file</summary>
 
 ```tf
 resource "google_secret_manager_secret" "secret-basic" {
 
@@ -56,6 +56,46 @@ RUN dnf in docker-ce
 RUN dnf clean all
 
 ```
+```dockerfile title="Positive test num. 3 - dockerfile file" hl_lines="2"
+FROM fedora:27
+RUN microdnf install \
+    openssl-libs-1:1.1.1k-6.el8_5.x86_64 \
+    zlib-1.2.11-18.el8_5.x86_64 \
+ && microdnf clean all
+
+```
+<details><summary>Positive test num. 4 - dockerfile file</summary>
+
+```dockerfile hl_lines="21"
+ARG BASE_CONTAINER_REGISTRY
+
+# Base the installer on the Azure CLI image as we require the tool
+# to download the psa-check from the UniversalPackage feed.
+# Additionally, the script to retrieve the Kubernetes schemas
+# requires Python (yaml & requests) which are included by
+# default in the Azure CLI image.
+# hadolint ignore=DL3006
+FROM ${BASE_CONTAINER_REGISTRY:-mcr.microsoft.com}/azure-cli AS installer
+
+ARG AZP_URL
+ARG AZP_TOKEN
+
+ARG DCP_INSTALLATION=infra-test
+
+ARG HADOLINT_VERSION=2.12.0
+ARG KUSTOMIZE_VERSION=5.5.0
+ARG KUBECONFORM_VERSION=0.6.7
+ARG FLYWAY_VERSION=11.1.0
+
+RUN tdnf install \
+    jq \
+    tar \
+    libicu \
+    python3-requests \
+    python3-yaml
+
+```
+</details>
 
 
 #### Code samples without security vulnerabilities
@@ -82,3 +122,35 @@ RUN microdnf install -y \
  && microdnf clean all
 
 ```
+<details><summary>Negative test num. 4 - dockerfile file</summary>
+
+```dockerfile
+ARG BASE_CONTAINER_REGISTRY
+
+# Base the installer on the Azure CLI image as we require the tool
+# to download the psa-check from the UniversalPackage feed.
+# Additionally, the script to retrieve the Kubernetes schemas
+# requires Python (yaml & requests) which are included by
+# default in the Azure CLI image.
+# hadolint ignore=DL3006
+FROM ${BASE_CONTAINER_REGISTRY:-mcr.microsoft.com}/azure-cli AS installer
+
+ARG AZP_URL
+ARG AZP_TOKEN
+
+ARG DCP_INSTALLATION=infra-test
+
+ARG HADOLINT_VERSION=2.12.0
+ARG KUSTOMIZE_VERSION=5.5.0
+ARG KUBECONFORM_VERSION=0.6.7
+ARG FLYWAY_VERSION=11.1.0
+
+RUN tdnf install -y \
+    jq \
+    tar \
+    libicu \
+    python3-requests \
+    python3-yaml
+
+```
+</details>