Missing 'Rescue' section in Ansible block tasks
Description
This policy checks that every Ansible block contains a rescue section, so that error handling is in place. In Ansible, the block keyword groups multiple tasks together; a rescue section specifies the tasks to execute when a task in the preceding block fails.
Code Example
```yaml
- name: Example
  block:
    - name: Attempt task
      ansible.builtin.command: /bin/false
  rescue:
    - name: Handle error
      ansible.builtin.debug:
        msg: "An error occurred."
```
Remediation
Ansible
- Resource Type: block
- Attribute: rescue
To mitigate this risk, ensure that each block in your Ansible playbooks includes a rescue section whose tasks are executed if any task within the block fails. This provides a mechanism for error recovery or cleanup and makes your playbooks more robust.
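The check this policy describes, written out as an added example (not Checkov's or Prisma Cloud's own implementation): it walks a parsed playbook and reports every block that has no rescue section, including blocks nested inside another block's block, rescue or always sections. The playbook is a constructed sample embedded as a Python literal in the shape yaml.safe_load() would return, so it runs without PyYAML; the path format of the findings is an assumption of this example.

```python
"""Find Ansible blocks with no rescue section (the check behind IAC-0050 / CKV2_ANSIBLE_3)."""

# Constructed sample playbook in the list/dict shape yaml.safe_load() returns for a
# playbook file; kept as a Python literal so this runs without PyYAML installed.
SAMPLE_PLAYBOOK = [
    {
        "name": "Example play",
        "tasks": [
            {   # compliant: block with a rescue section
                "name": "Guarded block",
                "block": [{"name": "Attempt task", "ansible.builtin.command": "/bin/false"}],
                "rescue": [
                    {"name": "Handle error", "ansible.builtin.debug": {"msg": "An error occurred."}},
                    {   # non-compliant: block nested inside the rescue, itself without rescue
                        "name": "Nested cleanup",
                        "block": [{"ansible.builtin.command": "/bin/true"}],
                    },
                ],
            },
            {   # non-compliant: top-level block without rescue
                "name": "Unguarded block",
                "block": [{"name": "Risky task", "ansible.builtin.command": "/bin/false"}],
            },
        ],
    }
]

TASK_LIST_KEYS = ("pre_tasks", "tasks", "post_tasks", "handlers")  # play keys holding task lists
BLOCK_SECTION_KEYS = ("block", "rescue", "always")  # block keys holding nested task lists


def _walk(tasks, path):
    # Yield the path of every block under `tasks` lacking a rescue, recursing into nested blocks.
    for index, task in enumerate(tasks or []):
        if not isinstance(task, dict) or "block" not in task:
            continue
        here = f"{path}[{index}] ({task.get('name', 'unnamed')})"
        if "rescue" not in task:
            yield here
        for key in BLOCK_SECTION_KEYS:
            yield from _walk(task.get(key), f"{here}/{key}")


def find_blocks_without_rescue(playbook):
    # Return the paths of all blocks in a parsed playbook that have no rescue section.
    findings = []
    for play_index, play in enumerate(playbook):
        if isinstance(play, dict):
            for key in TASK_LIST_KEYS:
                findings.extend(_walk(play.get(key), f"play[{play_index}].{key}"))
    return findings
```

Running it against SAMPLE_PLAYBOOK reports the nested block and the unguarded top-level block; the guarded block passes.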
Secure Code Example:
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0050 |
| Severity | LOW |
| IaC Type | Ansible |
| Frameworks | Ansible |
| Checkov ID | CKV2_ANSIBLE_3 |