fluent-vulnerability_checker

A static analysis tool that detects known security risks in Fluentd configuration files and provides actionable remediation advice.

Fluentdの設定ファイルを解析し、既知の脆弱性につながる危険な設定を検知するセキュリティ監査ツールです。

Features

Detects configurations leading to the following vulnerabilities:

Installation

Install the gem by executing:

fluent-gem install fluent-vulnerability_checker

Usage

Run the fluent-vulnerabilitycheck command and pass the path to your Fluentd configuration file using the -c or --config option.

$ fluent-vulnerabilitycheck -c /path/to/your/fluentd.conf

If no path is provided, it defaults to Fluentd's standard configuration path (/etc/fluent/fluent.conf).

Example Output

When a vulnerable configuration is detected, the tool provides a detailed report:

# Exposure of Sensitive Information via Monitor Agent API
* Severity:   High
* CVSS Score: 7.5
* Location:   <source> - @type monitor_agent
* State:      bind = '0.0.0.0'.
              (Note: In Fluentd 1.19.2 and earlier, the default value of bind is 0.0.0.0.)
* Description:
  * EN: monitor_agent is exposed externally, allowing attackers to read Fluentd configuration details via its API.
  * JA: monitor_agentによって公開されているAPIを悪用して、Fluentdの設定内容を読み取られる危険性があります。
* Workaround:
  * EN: If you cannot immediately update the package, apply mitigations such as restricting access,
        or allowing access only from localhost.
  * JA: すぐにパッケージを更新できない場合、アクセスの制限、ローカルホストからのみのアクセスを受け付けるなどの
        緩和策を適用してください。
===================================================================================================================

Support & Enterprise Services

If you need professional assistance for safe migration, or comprehensive Fluentd support, please contact the ClearCode Fluentd support.

安全な移行計画の策定や包括的なサポートが必要な場合は、クリアコードのFluentdサポートまでご相談ください。 ご相談にはFluentdコアメンテナが対応いたします。

  • Copyright 2026 ClearCode Inc.
  • License
    • Apache License, Version 2.0