
Add Chef/BestPractice/HardcodedPortNumbers cop#1042

Open
Dhyanms wants to merge 1 commit into chef:main from Dhyanms:add-hardcoded-ports-cop

Conversation


@Dhyanms Dhyanms commented Jan 4, 2026

Description

This PR adds a new cop Chef/BestPractice/HardcodedPortNumbers that
detects hardcoded port numbers in Chef cookbooks and suggests using
node attributes instead.

Motivation

Hardcoding port numbers reduces flexibility and makes it difficult to
reconfigure applications across different environments. Node attributes
provide a cleaner approach to port management that allows configuration
without code changes.

Implementation

  • Detects integers in the dynamic port range (1024-65535)
  • Skips very small numbers (1-1023) to avoid false positives
  • Includes comprehensive test coverage with 5 test cases

Examples

Incorrect

```ruby
service 'nginx' do
  port 8080
  action :start
end
```

Correct

```ruby
service 'nginx' do
  port node['myapp']['port']
  action :start
end
```

Testing

All 5 tests pass:

  • ✅ Detects hardcoded ports 8080 and 5432
  • ✅ Doesn't flag node attributes
  • ✅ Doesn't flag small numbers (1, 2, 3)
  • ✅ Detects ports in service resources
  • ✅ Works with real cookstyle validation

Checklist

  • Code follows Cookstyle conventions
  • Tests are comprehensive and passing
  • Configuration added to enable cop
  • Documentation/error messages are clear
  • No regressions or breaking changes

This cop detects hardcoded port numbers in Chef recipes and suggests
using node attributes instead for better flexibility and configuration
management across different environments.

Detects port numbers in the dynamic port range (1024-65535) to avoid
false positives on small integers used for other purposes.

Examples:
- BAD: port 8080
- GOOD: port node['myapp']['port']

@Dhyanms Dhyanms requested review from a team and jaymzh as code owners January 4, 2026 13:45
tas50 (Contributor) commented Jan 6, 2026

The idea here is really neat, but I think you want to approach it a different way so it's less likely to produce false positives. First, I'd highly suggest this be an opt-in cop that's off by default. It's useful for publishing community cookbooks, but probably less helpful for a lot of internal teams that are very confident in their port usage. Secondly, I'd update this to look for properties called "port" and then flag an int value from there. That's going to require quite a bit more complex AST parsing of the cookbook, but it'll avoid a huge number of false positives that will happen otherwise.
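The two approaches discussed here, the PR description's "flag any integer in 1024-65535" and Tim's "find properties called port, then flag an int argument", can be compared side by side in plain Ruby. The block below is an added example, not code from this PR or from Cookstyle: it uses the standard-library Ripper parser instead of RuboCop's AST and NodePattern (which the real cop would build on), runs both checks over a constructed recipe, and returns the offending lines. The sample recipe and the function names (`naive_offenses`, `port_property_offenses`, `port_call_args`) are my own.

```ruby
require 'ripper'

# Constructed sample recipe (not from the PR or any real cookbook): one
# hardcoded port, one attribute-driven port, and integers that are not ports.
SAMPLE_RECIPE = <<~'CHEF'
  service 'nginx' do
    port 8080
    action :start
  end

  service 'postgresql' do
    port node['myapp']['db_port']
    action :start
  end

  execute 'warm-cache' do
    command '/usr/local/bin/warm-cache'
    timeout 3600
    retries 3
  end

  file '/etc/app.conf' do
    mode 0644
  end
CHEF

# Range the PR's cop checks: registered plus dynamic/private ports.
PORT_RANGE = (1024..65535).freeze

# Depth-first walk over Ripper's S-expression, yielding every array node.
def each_node(sexp, &blk)
  return unless sexp.is_a?(Array)
  yield sexp
  sexp.each { |child| each_node(child, &blk) }
end

# Ripper keeps integer literals as source text; Integer() honours octal (0644)
# and hex forms the way Ruby does. Returns [value, line] or nil.
def int_literal(node)
  return nil unless node.is_a?(Array) && node[0] == :@int
  [Integer(node[1]), node[2][0]]
end

# Unwrap an argument list, which Ripper wraps as [:args_add_block, [args], false].
def arg_list(args)
  return nil unless args.is_a?(Array)
  args[0] == :args_add_block ? args[1] : args
end

# Returns the argument list of a `port ...` property call, or nil otherwise.
# Handles both `port 8080` (:command) and `port(8080)` (:method_add_arg).
def port_call_args(node)
  case node[0]
  when :command
    ident = node[1]
    return nil unless ident[0] == :@ident && ident[1] == 'port'
    arg_list(node[2])
  when :method_add_arg
    fcall, paren = node[1], node[2]
    return nil unless fcall[0] == :fcall && fcall[1][0] == :@ident && fcall[1][1] == 'port'
    return nil unless paren.is_a?(Array) && paren[0] == :arg_paren
    arg_list(paren[1])
  end
end

# Approach 1 (the cop as submitted): flag every in-range integer literal,
# wherever it appears. Returns [[line, value], ...].
def naive_offenses(source)
  offenses = []
  each_node(Ripper.sexp(source)) do |node|
    value, line = int_literal(node)
    offenses << [line, value] if value && PORT_RANGE.cover?(value)
  end
  offenses
end

# Approach 2 (the reviewer's suggestion): only inspect calls to a property
# named `port`, and flag them when the first argument is an integer literal.
def port_property_offenses(source)
  offenses = []
  each_node(Ripper.sexp(source)) do |node|
    args = port_call_args(node)
    next unless args
    value, line = int_literal(args.first)
    offenses << [line, value] if value && PORT_RANGE.cover?(value)
  end
  offenses
end

if $PROGRAM_NAME == __FILE__
  puts "any integer in range:   #{naive_offenses(SAMPLE_RECIPE).inspect}"
  puts "only `port` properties: #{port_property_offenses(SAMPLE_RECIPE).inspect}"
end
```

Run it directly to print both lists. On the constructed recipe the integer-only check also reports `timeout 3600`, which the property-aware check ignores; the trade-off is that the property-aware check will not see a port passed through a local variable or through a property with a different name, which is the kind of false negative an opt-in cop can reasonably accept.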

jaymzh (Collaborator) left a comment

As Tim said, let's make this opt-in.

3 participants