Security Smells in Ansible and Chef Scripts
ACM Transactions on Software Engineering and Methodology (IF 4.4), Pub Date: 2021-01-20, DOI: 10.1145/3408897
Akond Rahman 1, Md Rayhanur Rahman 2, Chris Parnin 2, Laurie Williams 2
Context: Security smells are recurring coding patterns that are indicative of security weakness and require further inspection. As infrastructure as code (IaC) scripts, such as Ansible and Chef scripts, are used to provision cloud-based servers and systems at scale, security smells in IaC scripts could enable malicious users to exploit vulnerabilities in the provisioned systems. Goal: The goal of this article is to help practitioners avoid insecure coding practices while developing infrastructure as code scripts, through an empirical study of security smells in Ansible and Chef scripts. Methodology: We conduct a replication study in which we apply qualitative analysis to 1,956 IaC scripts to identify security smells for IaC scripts written in two languages: Ansible and Chef. We construct a static analysis tool called Security Linter for Ansible and Chef scripts (SLAC) to automatically identify security smells in 50,323 scripts collected from 813 open source software repositories. We also submit bug reports for 1,000 randomly selected smell occurrences. Results: We identify two security smells not reported in prior work: missing default in case statement and no integrity check. By applying SLAC we identify 46,600 occurrences of security smells, which include 7,849 hard-coded passwords. We observe agreement for 65 of the 94 bug reports that received a response, which suggests the relevance of security smells for Ansible and Chef scripts amongst practitioners. Conclusion: We observe security smells to be prevalent in Ansible and Chef scripts, similarly to Puppet scripts. We recommend that practitioners rigorously inspect Ansible and Chef scripts for the presence of the identified security smells using (i) code review and (ii) static analysis tools.
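To make the three smells named in the abstract concrete, the following is an added example of the kind of check a linter in the spirit of SLAC would perform. It is written for this page and is not the authors' code or SLAC itself. It assumes Ansible tasks in the dict form that `yaml.safe_load` would produce for a playbook (the sample tasks, hostnames and digest are constructed), and scans a constructed Chef recipe as text for a `case` statement without an `else` branch. The detection rules are simplified assumptions: a password-like key holding a literal, non-templated string is reported as a hard-coded password, and a `get_url` task without a `checksum` argument is reported as a missing integrity check.

```python
import re

# Constructed sample: tasks as PyYAML would parse them from a playbook.
# Values such as the password, URL and digest are placeholders, not real data.
ANSIBLE_TASKS = [
    {"name": "Create db user",
     "mysql_user": {"name": "app", "password": "constructed-literal-pw",
                    "priv": "*.*:ALL"}},
    {"name": "Create db user (templated)",
     "mysql_user": {"name": "app", "password": "{{ vault_db_password }}"}},
    {"name": "Fetch installer",
     "get_url": {"url": "https://example.invalid/tool.tar.gz",
                 "dest": "/tmp/tool.tar.gz"}},
    {"name": "Fetch installer (verified)",
     "get_url": {"url": "https://example.invalid/tool.tar.gz",
                 "dest": "/tmp/tool.tar.gz",
                 "checksum": "sha256:PLACEHOLDER_DIGEST"}},
]

PASSWORD_KEY = re.compile(r"(pass(word|wd)?|pwd)$", re.IGNORECASE)
JINJA_TEMPLATE = re.compile(r"\{\{.*\}\}")
# Both short and fully qualified module names are accepted.
DOWNLOAD_MODULES = ("get_url", "ansible.builtin.get_url")


def walk(node, path=()):
    """Yield (path, key, value) for every mapping entry, recursing into nested dicts/lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path, key, value
            yield from walk(value, path + (str(key),))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from walk(item, path + (str(index),))


def ansible_smells(tasks):
    """Return (smell, task name, offending key/module) tuples for a list of parsed tasks."""
    findings = []
    for index, task in enumerate(tasks):
        label = task.get("name", f"task#{index}")
        for _path, key, value in walk(task):
            # Hard-coded password: literal string under a password-like key.
            # A Jinja expression such as "{{ vault_db_password }}" is a reference
            # to a variable (e.g. from Ansible Vault), so it is not flagged.
            if (PASSWORD_KEY.search(str(key)) and isinstance(value, str)
                    and value and not JINJA_TEMPLATE.search(value)):
                findings.append(("hard-coded password", label, str(key)))
        for module in DOWNLOAD_MODULES:
            args = task.get(module)
            # No integrity check: a download whose result is never verified.
            if isinstance(args, dict) and "checksum" not in args:
                findings.append(("no integrity check", label, module))
    return findings


# Constructed Chef recipe: the first case statement lacks a default branch.
CHEF_RECIPE = """\
case node['platform_family']
when 'debian'
  package 'apache2'
when 'rhel'
  package 'httpd'
end

case node['platform_family']
when 'debian'
  package 'openssl'
else
  package 'openssl'
end
"""

# Ruby constructs that open a block closed by `end` (line-start keywords and a trailing `do`).
# Modifier forms such as `package 'x' if cond` do not open a block and are left alone.
BLOCK_OPENER = re.compile(r"^(if|unless|while|until|begin|def|class|module)\b")
TRAILING_DO = re.compile(r"\bdo(\s*\|[^|]*\|)?\s*$")


def chef_case_without_default(text):
    """Return 1-based line numbers of `case` statements that have no `else` branch."""
    findings = []
    stack = []  # entries: [start_line, is_case, has_else]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "case" or line.startswith("case "):
            stack.append([lineno, True, False])
        elif BLOCK_OPENER.match(line) or TRAILING_DO.search(line):
            stack.append([lineno, False, False])
        elif line == "else" and stack and stack[-1][1]:
            # An `else` directly inside a case block (not inside a nested `if`) is its default.
            stack[-1][2] = True
        elif line == "end" and stack:
            start, is_case, has_else = stack.pop()
            if is_case and not has_else:
                findings.append(start)
    return findings


if __name__ == "__main__":
    for smell, task, where in ansible_smells(ANSIBLE_TASKS):
        print(f"[ansible] {smell}: task '{task}' ({where})")
    for line in chef_case_without_default(CHEF_RECIPE):
        print(f"[chef] missing default in case statement at line {line}")
```

On the sample input the script reports one hard-coded password (the literal under `mysql_user.password`), one missing integrity check (the `get_url` without `checksum`), and the first Chef `case` block. The templated password and the checksummed download are deliberately included to show the rules distinguish the secure form from the smell rather than matching on keywords alone.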

Updated: 2021-01-20