Dangerous Module
Detects usage of dangerous or deprecated Ansible modules
5 rules in dangerous_modules.yml
HIGH: 1 | MEDIUM: 4
| Rule ID | Severity | Title | Description | Refs |
|---|---|---|---|---|
| raw_ | HIGH | Raw Module Usage | Task uses the `raw` module, which sends commands over SSH without going through Ansible’s Python module layer. `raw` bypasses `no_log`, check mode, and idempotency, and should be reserved for bootstrap only (for example, installing Python on a fresh host). | |
| assemble_ | MEDIUM | Assemble Module with User Input | The `assemble` module’s `src:` parameter is templated from a user-controlled variable. An attacker-controlled path can pull files from outside the intended directory and concatenate them into the destination. | |
| command_ | MEDIUM | Command Module with Shell Features | Task uses the `command` module, but its arguments contain shell metacharacters (`\|`, `;`, `&`, `` ` ``, `$`, `()`). Either switch to the `shell` module deliberately or remove the metacharacters; in its current shape the task silently treats them as literals. | |
| fetch_ | MEDIUM | Fetch Module with Unsafe Destination | The `fetch` module’s `dest:` parameter is templated from a user-controlled variable. A path-traversal payload writes the fetched file outside the controller’s expected directory. | |
| script_ | MEDIUM | Script Module with Unsafe Parameters | The `script` module is invoked with a Jinja2 expression in its argument string, which lets user-controlled input flow into a remote shell command and enables command injection. | |