docs(rules): add per-rule README.md for all 26 rules #34

Merged
slashben merged 1 commit into main from sub-7177-add-rule-readmes on May 11, 2026

Conversation

@slashben slashben (Contributor) commented May 11, 2026

Summary

  • Adds a SOC-style README.md to each of the 26 rule directories under pkg/rules/.
  • Content matches the template established by the rule-documentation field design (metadata table + Description, Attack Technique, How It Works with CEL excerpt, Investigation Steps, Remediation, False Positives).
  • Each README is platform-agnostic (Host, Kubernetes, ECS) and self-contained (no cross-references between rules).

Test plan

  • `bash scripts/check_readmes.sh pkg/rules` → `check_readmes: OK` (all 26 rules satisfy the existence gate)
  • `bash gen.sh` → `Successfully generated rules-crd.yaml with 26 rules`
  • CI passes after the bats action / README check action gate

Unblocks

This PR makes the README-presence gate from #33 satisfiable. Merging this PR before (or alongside) #33 is recommended so main is never red.

The README content also feeds the downstream armo-rulelibrary build, which embeds this repo as a submodule and ships the README content as the rule's `documentation` field in `rules.json`.

Refs: SUB-7177

Summary by CodeRabbit

Release Notes

  • Documentation
    • Added comprehensive documentation for 23 detection rules (R0001–R0011, R1000–R1015, R1030), including severity levels, MITRE mappings, detection explanations, investigation workflows, remediation guidance for malicious vs. legitimate activities, and common false-positive scenarios to help users understand and respond to security findings.

Review Change Stack

Each README follows the SOC-style template from the rule-documentation
field design: metadata table, Description, Attack Technique, How It
Works, Investigation Steps, Remediation, False Positives. Content
shipped as the 'documentation' field on the rule's API representation
once consumed by the armo-rulelibrary build.

Refs SUB-7177.
Signed-off-by: Ben <ben@armosec.io>
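The `scripts/check_readmes.sh` gate from the test plan is not shown on this page. What follows is an added example, not the repository's script: the same README-presence gate written in Go, extended with the MD040 bare-fence check that the CodeRabbit review on this PR applies to the new READMEs. The `<root>/<rule>/README.md` layout matches the PR description; the `Finding` type, the invented rule directory names and the sample tree written by `WriteSampleTree` are assumptions of the example.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one gate violation; Line is 0 when the README itself is the problem.
type Finding struct {
	Path string
	Line int
	Msg  string
}

// CheckReadmes gates every rule directory directly under root (pkg/rules in the PR):
// a missing/empty README.md is one finding, each bare opening fence is another.
func CheckReadmes(root string) ([]Finding, error) {
	entries, err := os.ReadDir(root) // sorted by name, so finding order is stable
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, e := range entries {
		if !e.IsDir() {
			continue
		}
		readme := filepath.Join(root, e.Name(), "README.md")
		if st, err := os.Stat(readme); err != nil || st.Size() == 0 {
			findings = append(findings, Finding{Path: readme, Msg: "README.md missing or empty"})
			continue
		}
		findings = append(findings, CheckFences(readme)...)
	}
	return findings, nil
}

// CheckFences is the MD040 check: every opening ``` fence must name a language.
// Fences alternate open/close; leading spaces are stripped so list-nested fences count.
func CheckFences(path string) []Finding {
	fh, err := os.Open(path)
	if err != nil {
		return []Finding{{Path: path, Msg: err.Error()}}
	}
	defer fh.Close()
	var findings []Finding
	inBlock := false
	sc := bufio.NewScanner(fh)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimLeft(sc.Text(), " ")
		if !strings.HasPrefix(line, "```") {
			continue
		}
		inBlock = !inBlock
		if inBlock && strings.TrimSpace(line) == "```" {
			findings = append(findings, Finding{Path: path, Line: n, Msg: "MD040: fenced code block has no language"})
		}
	}
	return findings
}

// WriteSampleTree writes a constructed tree (invented rule names, not the repository's).
func WriteSampleTree(dir string) error {
	samples := map[string]string{
		"r0001-ok/README.md":    "# R0001\n\n```cel\n!ap.was_executed(containerId, exepath)\n```\n",
		"r0002-bare/README.md":  "# R0002\n\n```\n!ap.was_path_opened(containerId, event.path)\n```\n",
		"r0003-empty/README.md": "", // zero-byte README: fails the existence gate
	}
	for rel, body := range samples {
		p := filepath.Join(dir, rel)
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root := "pkg/rules" // real input; falls back to the sample tree when absent
	if _, err := os.Stat(root); err != nil {
		tmp, err := os.MkdirTemp("", "rules-gate")
		if err != nil {
			panic(err)
		}
		defer os.RemoveAll(tmp)
		if err := WriteSampleTree(tmp); err != nil {
			panic(err)
		}
		root = tmp
	}
	findings, err := CheckReadmes(root)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s:%d: %s\n", f.Path, f.Line, f.Msg)
	}
	fmt.Println("check_readmes:", map[bool]string{true: "OK", false: "FAILED"}[len(findings) == 0])
}
```

Run from the repository root it gates `pkg/rules`; anywhere else it gates the constructed tree and reports the bare fence in `r0002-bare` and the empty README in `r0003-empty`. Wiring the findings count into a non-zero exit status is what makes it usable as the CI gate the PR describes.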
@coderabbitai coderabbitai Bot commented May 11, 2026

📝 Walkthrough

This PR adds comprehensive README documentation for 26 detection rules in the kubescape/rulelibrary. Each file documents a security rule with severity, MITRE mappings, detection logic, investigation workflows, remediation steps, and false-positive scenarios.

Changes

Detection Rule Documentation Library

| Layer | File(s) | Summary |
|---|---|---|
| Process Execution Anomalies | pkg/rules/r0001-unexpected-process-launched/README.md, pkg/rules/r1000-exec-from-malicious-source/README.md, pkg/rules/r1001-exec-binary-not-in-base-image/README.md, pkg/rules/r1004-exec-from-mount/README.md, pkg/rules/r1005-fileless-execution/README.md | Detects unexpected process execution including launches not in learned profile, /dev/shm execution, binaries absent from base image, execution from Kubernetes-mounted volumes, and fileless/memfd execution patterns. |
| File & Credential Access Anomalies | pkg/rules/r0002-unexpected-file-access/README.md, pkg/rules/r0006-unexpected-service-account-token-access/README.md, pkg/rules/r0008-read-environment-variables-procfs/README.md, pkg/rules/r0010-unexpected-sensitive-file-access/README.md, pkg/rules/r1010-symlink-created-over-sensitive-file/README.md, pkg/rules/r1011-ld-preload-hook/README.md, pkg/rules/r1012-hardlink-created-over-sensitive-file/README.md | Detects unauthorized file access including sensitive path reads, token harvesting, procfs environment variable reads, /etc/shadow access, and symlink/hardlink-based privilege escalation via credential access. |
| System Call & Capability Anomalies | pkg/rules/r0003-unexpected-system-call/README.md, pkg/rules/r0004-unexpected-capability-used/README.md, pkg/rules/r0009-ebpf-program-load/README.md, pkg/rules/r1002-kernel-module-load/README.md, pkg/rules/r1006-unshare-syscall/README.md, pkg/rules/r1030-unexpected-io_uring-operation/README.md | Detects syscall and capability anomalies including novel syscalls outside learning window, unexpected capability usage, eBPF loading, kernel module initialization, container escape via unshare, and io_uring opcode abuse. |
| Network & API Anomalies | pkg/rules/r0005-unexpected-domain-request/README.md, pkg/rules/r0007-kubernetes-client-executed/README.md, pkg/rules/r0011-unexpected-egress-network-traffic/README.md, pkg/rules/r1003-malicious-ssh-connection/README.md, pkg/rules/r1009-crypto-mining-related-port/README.md | Detects network-layer anomalies including unexpected external DNS, Kubernetes API client usage, outbound traffic to public destinations, SSH connections from ephemeral ports to non-standard ports, and connections to cryptomining pool ports. |
| Cryptomining & Advanced Threats | pkg/rules/r1007-xmr-crypto-mining/README.md, pkg/rules/r1008-crypto-mining-domain-communication/README.md, pkg/rules/r1015-malicious-ptrace-usage/README.md | Detects cryptomining via RandomX instruction patterns, DNS queries to known pool domains, and ptrace syscall abuse for process inspection/manipulation. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • kubescape/rulelibrary#33: Introduces README-enforcement checks and CI/generator validation for the same pkg/rules/*/README.md documentation files added here.

Suggested reviewers

  • matthyx

Poem

A warren of rules, each one a story told,
Detection and wisdom, carefully scrolled,
From process to network, from file to the heap,
Twenty-six guardians that watch while we sleep. 🐰✨

🚥 Pre-merge checks: 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: adding per-rule README.md documentation for all 26 rules in the repository. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 20

🧹 Nitpick comments (6)
pkg/rules/r1008-crypto-mining-domain-communication/README.md (1)

23-25: ⚡ Quick win

Add language identifier to fenced code block.

The code block lacks a language specifier. Consider adding cel or text.

📝 Proposed fix
-```
+```cel
 event.name in [<curated list of ~90 mining-pool hostnames>]

As per coding guidelines, static analysis tool markdownlint-cli2 flagged this as MD040 (fenced-code-language).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/rules/r1008-crypto-mining-domain-communication/README.md` around lines 23
- 25, Update the fenced code block containing the expression "event.name in
[<curated list of ~90 mining-pool hostnames>]" to include a language identifier
(use "cel" or "text"); specifically change the opening fence to ```cel so the
snippet is marked as CEL for markdown linting (MD040) and proper syntax
highlighting.
pkg/rules/r1007-xmr-crypto-mining/README.md (1)

21-23: ⚡ Quick win

Add language identifier to fenced code block.

The code block lacks a language specifier. Consider adding cel or text.

📝 Proposed fix
-```
+```cel
 event type == 'randomx'

As per coding guidelines, static analysis tool markdownlint-cli2 flagged this as MD040 (fenced-code-language).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/rules/r1007-xmr-crypto-mining/README.md` around lines 21 - 23, The fenced
code block containing the expression "event type == 'randomx'" should include a
language identifier to satisfy MD040; update the block so the opening fence
includes `cel` (e.g., change "```" to "```cel") so the snippet "event type ==
'randomx'" is marked as CEL code in README.md.
pkg/rules/r1009-crypto-mining-related-port/README.md (1)

25-30: ⚡ Quick win

Add language identifier to fenced code block.

The code block lacks a language specifier. Consider adding cel or text for better readability.

📝 Proposed fix
-```
+```cel
 event.proto == 'TCP'
   AND event.pktType == 'OUTGOING'
   AND event.dstPort in [3333, 45700]

As per coding guidelines, static analysis tool markdownlint-cli2 flagged this as MD040 (fenced-code-language).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/rules/r1009-crypto-mining-related-port/README.md` around lines 25 - 30,
The fenced code block containing the CEL rule starting with "event.proto ==
'TCP' AND event.pktType == 'OUTGOING' AND event.dstPort in [3333, 45700]" should
include a language identifier (e.g., ```cel) on the opening fence to satisfy
MD040; update the README.md snippet's opening fence to ```cel (or ```text) so
the block is properly annotated for syntax/highlighting.
pkg/rules/r1003-malicious-ssh-connection/README.md (1)

21-25: ⚡ Quick win

Add language identifier to fenced code block.

The code block lacks a language specifier. Consider adding cel or text.

📝 Proposed fix
-```
+```cel
 event source port in [32768, 60999]
   AND event destination port NOT in [22, 2022]
   AND !nn.was_address_in_egress(containerId, event.dstIp)

As per coding guidelines, static analysis tool markdownlint-cli2 flagged this as MD040 (fenced-code-language).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/rules/r1003-malicious-ssh-connection/README.md` around lines 21 - 25, The
fenced code block containing the CEL expression (the lines starting with "event
source port in [32768, 60999]" through "!nn.was_address_in_egress(containerId,
event.dstIp)") is missing a language identifier; update the opening fence to
include a language tag such as ```cel (or ```text) so the block reads e.g.
```cel followed by the three CEL lines and the closing ```, ensuring
markdownlint MD040 is satisfied.
pkg/rules/r0007-kubernetes-client-executed/README.md (1)

23-32: ⚡ Quick win

Add language identifier to fenced code block.

The code block lacks a language specifier, which reduces readability and prevents syntax highlighting. Consider adding cel or text after the opening fence.

📝 Proposed fix
-```
+```cel
 exec:
   (event.comm == 'kubectl' || event.exepath.endsWith('/kubectl'))
     AND !ap.was_executed(containerId, ...)

As per coding guidelines, static analysis tool markdownlint-cli2 flagged this as MD040 (fenced-code-language).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/rules/r0007-kubernetes-client-executed/README.md` around lines 23 - 32,
The fenced code block containing the rules starting with "exec:" and "network:"
is missing a language identifier (MD040); update the opening fence to include a
language such as "cel" (e.g., change the triple-backtick that precedes the block
to ```cel) so the block with expressions like exec:, network:, event.comm,
event.exepath.endsWith('/kubectl'), and k8s.is_api_server_address(event.dstAddr)
gets proper syntax highlighting.
pkg/rules/r0011-unexpected-egress-network-traffic/README.md (1)

23-27: ⚡ Quick win

Add language identifier to fenced code block.

The code block lacks a language specifier. Consider adding cel or text.

📝 Proposed fix
-```
+```cel
 event.pktType == 'OUTGOING'
   AND !net.is_private_ip(event.dstAddr)
   AND !nn.was_address_in_egress(containerId, event.dstAddr)

As per coding guidelines, static analysis tool markdownlint-cli2 flagged this as MD040 (fenced-code-language).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/rules/r0011-unexpected-egress-network-traffic/README.md` around lines 23
- 27, The fenced code block showing the CEL rule lacks a language specifier;
update the block opening backticks to include a language (e.g., "cel") so
markdownlint MD040 is satisfied. Locate the block containing the rule lines
referencing event.pktType, net.is_private_ip(event.dstAddr), and
nn.was_address_in_egress(containerId, event.dstAddr) and change the opening
"```" to "```cel" (or "```text") so the fenced code block is properly marked.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/rules/r0001-unexpected-process-launched/README.md`:
- Around line 25-28: The fenced code block containing the CEL expression (the
lines using ap.was_executed, parse.get_exec_path, args, comm, and exepath) lacks
a language tag; update the opening triple-backtick to include the language
identifier "cel" (i.e., change ``` to ```cel) so the block is recognized as CEL
and resolves the markdownlint MD040 warning.

In `@pkg/rules/r0002-unexpected-file-access/README.md`:
- Around line 23-29: Update the bare fenced code block containing the logical
lines referencing event.path to include a language tag by changing the opening
fence to ```text so the block starts with ```text and ends with ```, e.g. the
block containing "event.path is under one of the watched prefixes ... AND
!ap.was_path_opened(containerId, event.path)"; ensure the opening fence includes
"text" and the closing fence remains a plain ``` to satisfy MD040.

In `@pkg/rules/r0003-unexpected-system-call/README.md`:
- Around line 23-25: Add a language identifier to the fenced code block
containing the line "!ap.was_syscall_used(containerId, syscallName)" so the
markdown linter (MD040) is satisfied; update the fence that currently is ``` to
```text (or another appropriate language) around the block in the README so the
snippet is annotated as plain text/pseudocode.

In `@pkg/rules/r0004-unexpected-capability-used/README.md`:
- Around line 23-25: The fenced code block containing the expression
"!ap.was_capability_used(containerId, capName)" is missing a language identifier
and triggers MD040; update the block to include the "cel" language identifier
(i.e., change the fence to ```cel) so the snippet is marked as CEL and the
markdown lint will pass.

In `@pkg/rules/r0005-unexpected-domain-request/README.md`:
- Around line 23-26: Update the fenced code block in the README for the r0005
rule so the opening fence includes a language identifier (e.g., change the
opening "```" to "```cel"); specifically modify the block that contains the CEL
expression starting with "!event.name.endsWith('.svc.cluster.local.')" and "AND
!nn.is_domain_in_egress(containerId, event.name)" so the fence is ```cel (or
```text if CEL isn't supported) to satisfy markdownlint-cli2 and enable syntax
highlighting.

In `@pkg/rules/r0006-unexpected-service-account-token-access/README.md`:
- Around line 23-26: The fenced logic block in the README (the triple-backtick
block containing the rule expression `event.path under
/run/secrets/.../serviceaccount/token (or /var/run/.../, or EKS equivalents) AND
!ap.was_path_opened_with_suffix(containerId, '/token')`) is missing a language
tag and triggers MD040; fix it by adding the language identifier `cel` after the
opening backticks (i.e., change the opening fence to ```cel) so the block is
properly annotated while leaving the expression text unchanged.

In `@pkg/rules/r0008-read-environment-variables-procfs/README.md`:
- Around line 23-27: The fenced code block containing the CEL rule snippet (the
block that begins with "event.path.startsWith('/proc/')" and includes the three
AND lines) is missing a language identifier; update the opening backticks to
```cel so the block is fenced as CEL (or `text` if CEL highlighting is
unavailable) to satisfy markdown linting and downstream consumption.

In `@pkg/rules/r0009-ebpf-program-load/README.md`:
- Around line 23-26: The fenced code block containing the CEL expression (the
lines starting with "event.cmd == 5  // BPF_PROG_LOAD" and "AND
!ap.was_syscall_used(containerId, 'bpf')") should include a language identifier
to satisfy markdownlint MD040; update the triple-backtick fence to include "cel"
(i.e., change ``` to ```cel) so the block is annotated as CEL.

In `@pkg/rules/r0010-unexpected-sensitive-file-access/README.md`:
- Around line 23-26: Update the fenced code block containing the CEL expression
(the lines with event.path.startsWith('/etc/shadow') and AND
!ap.was_path_opened(containerId, event.path)) to include a language specifier
(use "cel") after the opening backticks so the block becomes ```cel and enables
proper syntax highlighting and satisfies the MD040 lint rule.

In `@pkg/rules/r1000-exec-from-malicious-source/README.md`:
- Around line 23-29: The fenced code block containing the CEL-like snippet using
symbols exepath, cwd and parse.get_exec_path(args, comm) needs a language
identifier to satisfy MD040; update the opening triple-backtick to include "cel"
(i.e., ```cel) so the snippet is treated as CEL/inline code without modifying
the expressions themselves.

In `@pkg/rules/r1001-exec-binary-not-in-base-image/README.md`:
- Around line 21-25: The fenced code block showing the CEL rule (the lines
beginning with "(event.upperlayer..." through "event.exepath))") lacks a
language tag; update the opening backticks to include the language identifier
`cel` so the block starts with ```cel to satisfy markdownlint MD040 and enable
proper syntax highlighting.

In `@pkg/rules/r1002-kernel-module-load/README.md`:
- Around line 23-25: Add a language tag to the fenced code block that contains
the CEL expression "event.syscallName == 'init_module' || event.syscallName ==
'finit_module'": change the opening triple-backtick to include a language hint
(e.g., use "cel") so the fence becomes ```cel, leaving the block contents
unchanged.

In `@pkg/rules/r1004-exec-from-mount/README.md`:
- Around line 23-26: The fenced code block containing the rule description
starting with "binary not in application profile (same dual-path check as R0001)
AND the binary's path or argv[0] starts with any of the container's mount paths"
needs a language hint to satisfy MD040; update the opening triple-backtick to
include a language (for example "cel" or "text") so it reads ```cel (or ```text)
before that block, leaving the block content unchanged.

In `@pkg/rules/r1005-fileless-execution/README.md`:
- Around line 23-27: The fenced code block containing the CEL expression using
event.exepath (lines with event.exepath.contains, event.exepath.startsWith,
event.exepath.matches) needs a language tag to satisfy markdownlint MD040;
update the opening triple-backtick to include a language (e.g., ```cel) so the
snippet is fenced as a CEL code block in
pkg/rules/r1005-fileless-execution/README.md.

In `@pkg/rules/r1006-unshare-syscall/README.md`:
- Around line 21-24: The fenced code block containing the CEL expression
"event.pcomm != 'runc' AND !ap.was_syscall_used(containerId, 'unshare')" is
missing a language tag; update that fenced block by adding the "cel" language
identifier after the opening triple backticks (i.e., change "```" to "```cel")
so markdownlint MD040 is satisfied.

In `@pkg/rules/r1010-symlink-created-over-sensitive-file/README.md`:
- Around line 21-24: The fenced code block containing the CEL expression is
missing a language identifier which triggers MD040; update the fence in
README.md around the snippet that uses event.oldPath and ap.was_path_opened (the
CEL rule referencing containerId) by adding the language label "cel" immediately
after the opening triple backticks so the block begins with ```cel and the rest
of the snippet remains unchanged.

In `@pkg/rules/r1011-ld-preload-hook/README.md`:
- Around line 23-32: The fenced code block that begins with "exec:" is missing a
language tag and triggers markdownlint MD040; update the opening fence to
include a language (e.g., use ```yaml) for the block containing "exec:",
"open:", and rules referencing process.get_ld_hook_var(event.pid) and event.path
== '/etc/ld.so.preload' so the snippet is fenced as a YAML block.

In `@pkg/rules/r1012-hardlink-created-over-sensitive-file/README.md`:
- Around line 21-24: The code fence in the README's CEL logic block is missing a
language label which triggers MD040; update the fenced code block around the
expression using event.oldPath and ap.was_path_opened to use the `cel` language
label (i.e., replace the triple backticks with ```cel before the lines
containing "(event.oldPath.startsWith('/etc/shadow') OR
event.oldPath.startsWith('/etc/sudoers')) AND !ap.was_path_opened(containerId,
event.oldPath)"), leaving the logic unchanged so the renderer recognizes it as
CEL.

In `@pkg/rules/r1015-malicious-ptrace-usage/README.md`:
- Around line 23-25: The fenced code block containing the CEL snippet "event
type == 'ptrace'" lacks a language tag and triggers MD040; update the README.md
fenced block by adding an appropriate language marker (e.g., cel or text) to the
opening triple-backticks so the snippet reads as a labeled CEL code block
(reference the fenced snippet containing "event type == 'ptrace'").

In `@pkg/rules/r1030-unexpected-io_uring-operation/README.md`:
- Around line 21-24: Add the language label to the fenced code block so
markdownlint MD040 is satisfied: update the triple-backtick opening fence that
currently precedes "event type == 'iouring'" to include "cel" (i.e., ```cel) and
leave the block contents unchanged; target the code block in the README section
containing the lines "event type == 'iouring'" and the comment "// implicit: not
in application profile syscall set".

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c2ea7dab-339a-43f8-9101-07503c26afa4

📥 Commits

Reviewing files that changed from the base of the PR and between 2c6a706 and 3a378dc.

📒 Files selected for processing (26)
  • pkg/rules/r0001-unexpected-process-launched/README.md
  • pkg/rules/r0002-unexpected-file-access/README.md
  • pkg/rules/r0003-unexpected-system-call/README.md
  • pkg/rules/r0004-unexpected-capability-used/README.md
  • pkg/rules/r0005-unexpected-domain-request/README.md
  • pkg/rules/r0006-unexpected-service-account-token-access/README.md
  • pkg/rules/r0007-kubernetes-client-executed/README.md
  • pkg/rules/r0008-read-environment-variables-procfs/README.md
  • pkg/rules/r0009-ebpf-program-load/README.md
  • pkg/rules/r0010-unexpected-sensitive-file-access/README.md
  • pkg/rules/r0011-unexpected-egress-network-traffic/README.md
  • pkg/rules/r1000-exec-from-malicious-source/README.md
  • pkg/rules/r1001-exec-binary-not-in-base-image/README.md
  • pkg/rules/r1002-kernel-module-load/README.md
  • pkg/rules/r1003-malicious-ssh-connection/README.md
  • pkg/rules/r1004-exec-from-mount/README.md
  • pkg/rules/r1005-fileless-execution/README.md
  • pkg/rules/r1006-unshare-syscall/README.md
  • pkg/rules/r1007-xmr-crypto-mining/README.md
  • pkg/rules/r1008-crypto-mining-domain-communication/README.md
  • pkg/rules/r1009-crypto-mining-related-port/README.md
  • pkg/rules/r1010-symlink-created-over-sensitive-file/README.md
  • pkg/rules/r1011-ld-preload-hook/README.md
  • pkg/rules/r1012-hardlink-created-over-sensitive-file/README.md
  • pkg/rules/r1015-malicious-ptrace-usage/README.md
  • pkg/rules/r1030-unexpected-io_uring-operation/README.md

Comment on lines +25 to +28
```
!ap.was_executed(containerId, parse.get_exec_path(args, comm))
&& (exepath == "" || !ap.was_executed(containerId, exepath))
```

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Specify language for the CEL block

Line 25 starts a fenced block without a language, so markdownlint flags MD040.

Suggested fix
-```
+```cel
 !ap.was_executed(containerId, parse.get_exec_path(args, comm))
   && (exepath == "" || !ap.was_executed(containerId, exepath))
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 25-25: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/rules/r0001-unexpected-process-launched/README.md` around lines 25 - 28,
The fenced code block containing the CEL expression (the lines using
ap.was_executed, parse.get_exec_path, args, comm, and exepath) lacks a language
tag; update the opening triple-backtick to include the language identifier "cel"
(i.e., change ``` to ```cel) so the block is recognized as CEL and resolves the
markdownlint MD040 warning.
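The two-line CEL expression quoted in this comment is the whole R0001 decision. As an added example that is not code from the rulelibrary, here is a Go model of it against a hypothetical learned profile, run over constructed exec events. `ExecEvent`, `ApplicationProfile`, `getExecPath`, the container names `web-1`/`web-2` and the sample events are assumptions; in particular the real `parse.get_exec_path` semantics are not on this page, so the stand-in simply prefers argv[0] when it contains a slash and falls back to comm otherwise.

```go
package main

import (
	"fmt"
	"strings"
)

// ExecEvent carries the exec-event fields the R0001 excerpt references. It is a
// constructed stand-in for illustration, not the rulelibrary's own event type.
type ExecEvent struct {
	ContainerID string
	Comm        string   // process name as reported by the kernel
	Args        []string // argv as captured at exec time
	ExePath     string   // resolved executable path; may be empty
}

// ApplicationProfile is a hypothetical learned baseline: per container, the
// executable paths observed during the learning window.
type ApplicationProfile struct {
	executed map[string]map[string]bool
}

func NewApplicationProfile() *ApplicationProfile {
	return &ApplicationProfile{executed: map[string]map[string]bool{}}
}

// Learn records that path was executed in containerID while learning.
func (ap *ApplicationProfile) Learn(containerID, path string) {
	if ap.executed[containerID] == nil {
		ap.executed[containerID] = map[string]bool{}
	}
	ap.executed[containerID][path] = true
}

// WasExecuted plays the role of ap.was_executed(containerId, path). A container
// with no profile at all knows nothing, so every lookup is false.
func (ap *ApplicationProfile) WasExecuted(containerID, path string) bool {
	return ap.executed[containerID][path]
}

// getExecPath stands in for parse.get_exec_path(args, comm); the real helper's
// semantics are not on this page. Assumed: argv[0] when it carries a slash,
// otherwise the bare comm.
func getExecPath(args []string, comm string) string {
	if len(args) > 0 && strings.Contains(args[0], "/") {
		return args[0]
	}
	return comm
}

// R0001 evaluates the expression quoted in the comment above:
//
//	!ap.was_executed(containerId, parse.get_exec_path(args, comm))
//	&& (exepath == "" || !ap.was_executed(containerId, exepath))
//
// It alerts only when the argv-derived path is unknown to the profile and the
// resolved exepath is either absent or also unknown, so a binary the profile
// knows under either path is cleared.
func R0001(ap *ApplicationProfile, ev ExecEvent) bool {
	if ap.WasExecuted(ev.ContainerID, getExecPath(ev.Args, ev.Comm)) {
		return false
	}
	return ev.ExePath == "" || !ap.WasExecuted(ev.ContainerID, ev.ExePath)
}

// Verdicts runs R0001 over a batch and returns one alert flag per event.
func Verdicts(ap *ApplicationProfile, events []ExecEvent) []bool {
	out := make([]bool, len(events))
	for i, ev := range events {
		out[i] = R0001(ap, ev)
	}
	return out
}

// SampleProfile and SampleEvents are constructed inputs: container "web-1" saw
// nginx and /bin/sh during learning; "web-2" has no profile.
func SampleProfile() *ApplicationProfile {
	ap := NewApplicationProfile()
	ap.Learn("web-1", "/usr/sbin/nginx")
	ap.Learn("web-1", "/bin/sh")
	return ap
}

func SampleEvents() []ExecEvent {
	return []ExecEvent{
		// learned binary, full path in argv: no alert
		{"web-1", "nginx", []string{"/usr/sbin/nginx", "-g", "daemon off;"}, "/usr/sbin/nginx"},
		// argv[0] is the bare name, unknown as a path, but exepath is learned: cleared
		{"web-1", "sh", []string{"sh", "-c", "true"}, "/bin/sh"},
		// neither path learned: alert
		{"web-1", "curl", []string{"/usr/bin/curl", "http://example.invalid/"}, "/usr/bin/curl"},
		// unknown argv path and no resolved exepath at all: alert
		{"web-1", "loader", []string{"/tmp/loader"}, ""},
		// a learned binary, but in a container that has no profile: alert
		{"web-2", "nginx", []string{"/usr/sbin/nginx"}, "/usr/sbin/nginx"},
	}
}

func main() {
	events := SampleEvents()
	for i, alert := range Verdicts(SampleProfile(), events) {
		fmt.Printf("%-6s %-8s alert=%v\n", events[i].ContainerID, events[i].Comm, alert)
	}
}
```

The second sample event is the one worth studying: argv[0] alone would look unknown, and only the `exepath` half of the conjunction keeps it from alerting, which is why the excerpt checks both paths rather than just one.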

Comment on lines +23 to +29
```
event.path is under one of the watched prefixes
AND event.path is NOT under /run/secrets/kubernetes.io/serviceaccount
AND event.path is NOT under /var/run/secrets/kubernetes.io/serviceaccount
AND event.path is NOT under /tmp
AND !ap.was_path_opened(containerId, event.path)
```

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Specify a fenced-code language for MD040 compliance

Line 23 uses a bare code fence. Add a language tag (text fits here since this is explanatory logic, not strict CEL syntax).

Suggested fix
-```
+```text
 event.path is under one of the watched prefixes
   AND event.path is NOT under /run/secrets/kubernetes.io/serviceaccount
   AND event.path is NOT under /var/run/secrets/kubernetes.io/serviceaccount
   AND event.path is NOT under /tmp
   AND !ap.was_path_opened(containerId, event.path)
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 23-23: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/rules/r0002-unexpected-file-access/README.md` around lines 23 - 29,
Update the bare fenced code block containing the logical lines referencing
event.path to include a language tag by changing the opening fence to ```text so
the block starts with ```text and ends with ```, e.g. the block containing
"event.path is under one of the watched prefixes ... AND
!ap.was_path_opened(containerId, event.path)"; ensure the opening fence includes
"text" and the closing fence remains a plain ``` to satisfy MD040.

Comment on lines +23 to +25
```
!ap.was_syscall_used(containerId, syscallName)
```

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add a language to the fenced block to satisfy markdown lint

Line 23 opens a fenced block without a language, which triggers MD040. Please annotate it (e.g., text if it’s pseudocode).

Suggested fix
-```
+```text
 !ap.was_syscall_used(containerId, syscallName)

<!-- suggestion_start -->

<details>
<summary>📝 Committable suggestion</summary>

> ‼️ **IMPORTANT**
> Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

```suggestion

🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 23-23: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/rules/r0003-unexpected-system-call/README.md` around lines 23 - 25, Add a
language identifier to the fenced code block containing the line
"!ap.was_syscall_used(containerId, syscallName)" so the markdown linter (MD040)
is satisfied; update the fence that currently is ``` to ```text (or another
appropriate language) around the block in the README so the snippet is annotated
as plain text/pseudocode.

Comment on lines +23 to +25
```
!ap.was_capability_used(containerId, capName)
```

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add a language identifier to the fenced code block.

Line 23 uses a fenced block without a language, which triggers MD040 and may break markdown lint gates.

Suggested fix
-```
+```cel
 !ap.was_capability_used(containerId, capName)
</details>

<!-- suggestion_start -->

<details>
<summary>📝 Committable suggestion</summary>

> ‼️ **IMPORTANT**
> Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

<details>
<summary>🧰 Tools</summary>

<details>
<summary>🪛 markdownlint-cli2 (0.22.1)</summary>

[warning] 23-23: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/rules/r0004-unexpected-capability-used/README.md` around lines 23 - 25,
The fenced code block containing the expression
"!ap.was_capability_used(containerId, capName)" is missing a language identifier
and triggers MD040; update the block to include the "cel" language identifier
(i.e., change the fence to ```cel) so the snippet is marked as CEL and the
markdown lint will pass.

</details>

Comment on lines +23 to +26
```
!event.name.endsWith('.svc.cluster.local.')
AND !nn.is_domain_in_egress(containerId, event.name)
```

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Specify language identifier for the fenced code block.

The code fence should include a language identifier to enable syntax highlighting and improve documentation consistency. Consider using cel (Common Expression Language) or text if CEL is not supported by the renderer.

📝 Proposed fix
-```
+```cel
 !event.name.endsWith('.svc.cluster.local.')
   AND !nn.is_domain_in_egress(containerId, event.name)
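Review bot: `cel` overstates what this excerpt is. `AND` is not a CEL operator (CEL uses `&&`, `||` and `!`), so the block is a readable paraphrase of the rule, and a `cel` tag invites a reader to copy it as working rule logic. Either tag it `text`, as this comment itself allows when CEL is not supported by the renderer, or replace the excerpt with the exact expression from the rule's CEL file. The same applies to the r1010 and r1012 suggestions, whose excerpts use `OR` and `AND` as well.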

</details>

As per coding guidelines and static analysis tool markdownlint-cli2, fenced code blocks should have a language specified.

<!-- suggestion_start -->

<details>
<summary>📝 Committable suggestion</summary>

> ‼️ **IMPORTANT**
> Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

<details>
<summary>🧰 Tools</summary>

<details>
<summary>🪛 markdownlint-cli2 (0.22.1)</summary>

[warning] 23-23: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/rules/r0005-unexpected-domain-request/README.md` around lines 23 - 26,
Update the fenced code block in the README for the r0005 rule so the opening
fence includes a language identifier (e.g., change the opening "```" to
"```cel"); specifically modify the block that contains the CEL expression
starting with "!event.name.endsWith('.svc.cluster.local.')" and "AND
!nn.is_domain_in_egress(containerId, event.name)" so the fence is ```cel
(or ```text if CEL isn't supported) to satisfy markdownlint-cli2 and enable
syntax highlighting.

</details>

Comment on lines +21 to +24
```
(event.oldPath.startsWith('/etc/shadow') OR event.oldPath.startsWith('/etc/sudoers'))
AND !ap.was_path_opened(containerId, event.oldPath)
```

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add a language identifier to the fenced CEL snippet.

The unlabeled fence at Line 21 triggers MD040 and can fail docs lint checks.

Proposed fix
-```
+```cel
 (event.oldPath.startsWith('/etc/shadow') OR event.oldPath.startsWith('/etc/sudoers'))
   AND !ap.was_path_opened(containerId, event.oldPath)
</details>

<!-- suggestion_start -->

<details>
<summary>📝 Committable suggestion</summary>

> ‼️ **IMPORTANT**
> Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

<details>
<summary>🧰 Tools</summary>

<details>
<summary>🪛 markdownlint-cli2 (0.22.1)</summary>

[warning] 21-21: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/rules/r1010-symlink-created-over-sensitive-file/README.md` around lines
21 - 24, The fenced code block containing the CEL expression is missing a
language identifier which triggers MD040; update the fence in README.md around
the snippet that uses event.oldPath and ap.was_path_opened (the CEL rule
referencing containerId) by adding the language label "cel" immediately after
the opening triple backticks so the block begins with ```cel and the rest of the
snippet remains unchanged.

</details>

Comment on lines +23 to +32
```
exec:
event.comm != 'java'
AND event.containerName != 'matlab'
AND process.get_ld_hook_var(event.pid) != ''

open:
event.path == '/etc/ld.so.preload'
AND event.flagsRaw is set and non-zero
```

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add a language tag to the fenced code block (markdownlint MD040).

At Line 23, the fence is missing a language identifier, which triggers lint warning MD040.

Proposed fix
-```
+```yaml
 exec:
   event.comm != 'java'
     AND event.containerName != 'matlab'
     AND process.get_ld_hook_var(event.pid) != ''

 open:
   event.path == '/etc/ld.so.preload'
     AND event.flagsRaw is set and non-zero
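Review bot: `yaml` is a misleading tag for this block. The lines under `exec:` and `open:` are prose-style conditions (`event.flagsRaw is set and non-zero` is neither YAML nor CEL), and a YAML highlighter will render each group as a multi-line string value, which suggests the README is showing the rule's actual configuration. Tag it `text`, or split it into one labelled excerpt per event type if the real CEL expressions are meant to be shown.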
</details>

<!-- suggestion_start -->

<details>
<summary>📝 Committable suggestion</summary>

> ‼️ **IMPORTANT**
> Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

<details>
<summary>🧰 Tools</summary>

<details>
<summary>🪛 markdownlint-cli2 (0.22.1)</summary>

[warning] 23-23: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/rules/r1011-ld-preload-hook/README.md` around lines 23 - 32, The fenced
code block that begins with "exec:" is missing a language tag and triggers
markdownlint MD040; update the opening fence to include a language (e.g.,
use ```yaml) for the block containing "exec:", "open:", and rules referencing
process.get_ld_hook_var(event.pid) and event.path == '/etc/ld.so.preload' so the
snippet is fenced as a YAML block.

</details>

Comment on lines +21 to +24
```
(event.oldPath.startsWith('/etc/shadow') OR event.oldPath.startsWith('/etc/sudoers'))
AND !ap.was_path_opened(containerId, event.oldPath)
```

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Specify the fenced-code language for the CEL logic block.

Line 21 currently uses an unlabeled fence, which triggers MD040.

Proposed fix
-```
+```cel
 (event.oldPath.startsWith('/etc/shadow') OR event.oldPath.startsWith('/etc/sudoers'))
   AND !ap.was_path_opened(containerId, event.oldPath)
</details>

<!-- suggestion_start -->

<details>
<summary>📝 Committable suggestion</summary>

> ‼️ **IMPORTANT**
> Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

<details>
<summary>🧰 Tools</summary>

<details>
<summary>🪛 markdownlint-cli2 (0.22.1)</summary>

[warning] 21-21: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/rules/r1012-hardlink-created-over-sensitive-file/README.md` around lines
21 - 24, The code fence in the README's CEL logic block is missing a language
label which triggers MD040; update the fenced code block around the expression
using event.oldPath and ap.was_path_opened to use the `cel` language label
(i.e., replace the triple backticks with ```cel before the lines containing
"(event.oldPath.startsWith('/etc/shadow') OR
event.oldPath.startsWith('/etc/sudoers')) AND !ap.was_path_opened(containerId,
event.oldPath)"), leaving the logic unchanged so the renderer recognizes it as
CEL.

</details>

Comment on lines +23 to +25
```
event type == 'ptrace'
```

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add a language tag to the fenced CEL snippet

Line 23 uses an unlabeled fenced code block, which triggers MD040. Add a language marker (for example text or cel) to keep markdown lint clean.

Suggested fix
-```
+```cel
 event type == 'ptrace'
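Review bot: `event type == 'ptrace'` is not a CEL expression (`event type` is two tokens, not an identifier), so `cel` labels a placeholder as rule logic; since this comment already allows `text` or `cel`, `text` is the accurate choice. The r1030 suggestion has the same shape (`event type == 'iouring'` followed by a `//` comment), and both READMEs would serve a responder better if the excerpt stated which event attribute the rule actually matches instead of the placeholder wording.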
</details>

<details>
<summary>🧰 Tools</summary>

<details>
<summary>🪛 markdownlint-cli2 (0.22.1)</summary>

[warning] 23-23: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @pkg/rules/r1015-malicious-ptrace-usage/README.md around lines 23 - 25, The
fenced code block containing the CEL snippet "event type == 'ptrace'" lacks a
language tag and triggers MD040; update the README.md fenced block by adding an
appropriate language marker (e.g., cel or text) to the opening triple-backticks
so the snippet reads as a labeled CEL code block (reference the fenced snippet
containing "event type == 'ptrace'").


</details>


Comment on lines +21 to +24
```
event type == 'iouring'
// implicit: not in application profile syscall set
```

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Mark the snippet language in the fenced block

Line 21 should include a language label to satisfy markdownlint MD040.

Suggested fix
-```
+```cel
 event type == 'iouring'
   // implicit: not in application profile syscall set
</details>

<!-- suggestion_start -->

<details>
<summary>📝 Committable suggestion</summary>

> ‼️ **IMPORTANT**
> Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

<details>
<summary>🧰 Tools</summary>

<details>
<summary>🪛 markdownlint-cli2 (0.22.1)</summary>

[warning] 21-21: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/rules/r1030-unexpected-io_uring-operation/README.md` around lines 21 -
24, Add the language label to the fenced code block so markdownlint MD040 is
satisfied: update the triple-backtick opening fence that currently precedes
"event type == 'iouring'" to include "cel" (i.e., ```cel) and leave the block
contents unchanged; target the code block in the README section containing the
lines "event type == 'iouring'" and the comment "// implicit: not in application
profile syscall set".

</details>

@slashben slashben merged commit 1835dd7 into main May 11, 2026
4 checks passed