From c76764ef5dcaf53af33cae198ddb47a1314f3873 Mon Sep 17 00:00:00 2001
From: simar7 <1254783+simar7@users.noreply.github.com>
Date: Thu, 27 Mar 2025 01:11:45 -0600
Subject: [PATCH] chore(deps): Bump trivy-checks (#8619)

---
 go.mod | 12 +-
 go.sum | 32 +-
 integration/testdata/helm.json.golden | 537 ++++++++++-
 .../testdata/helm_testchart.json.golden | 894 +++++++++++++++++-
 .../helm_testchart.overridden.json.golden | 894 +++++++++++++++++-
 pkg/iac/scanners/helm/test/scanner_test.go | 27 +
 6 files changed, 2363 insertions(+), 33 deletions(-)

diff --git a/go.mod b/go.mod
index 7990741ab9..c726d28d13 100644
--- a/go.mod
+++ b/go.mod
@@ -24,7 +24,7 @@ require (
 github.com/aquasecurity/table v1.8.0
 github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8
 github.com/aquasecurity/tml v0.6.1
- github.com/aquasecurity/trivy-checks v1.7.1
+ github.com/aquasecurity/trivy-checks v1.8.0
 github.com/aquasecurity/trivy-db v0.0.0-20250227071930-8bd8a9b89e2d
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
 github.com/aquasecurity/trivy-kubernetes v0.7.0
@@ -39,11 +39,11 @@ require (
 github.com/bmatcuk/doublestar/v4 v4.8.1
 github.com/cenkalti/backoff/v4 v4.3.0
 github.com/cheggaaa/pb/v3 v3.1.7
- github.com/containerd/containerd/v2 v2.0.3
+ github.com/containerd/containerd/v2 v2.0.4
 github.com/containerd/platforms v1.0.0-rc.1
 github.com/distribution/reference v0.6.0
 github.com/docker/cli v27.5.0+incompatible
- github.com/docker/docker v27.5.0+incompatible
+ github.com/docker/docker v27.5.1+incompatible
 github.com/docker/go-connections v0.5.0
 github.com/docker/go-units v0.5.0
 github.com/fatih/color v1.18.0
@@ -53,7 +53,7 @@ require (
 github.com/go-openapi/strfmt v0.23.0 // indirect
 github.com/go-redis/redis/v8 v8.11.5
 github.com/gocsaf/csaf/v3 v3.1.1
- github.com/golang-jwt/jwt/v5 v5.2.1
+ github.com/golang-jwt/jwt/v5 v5.2.2
 github.com/google/go-containerregistry v0.20.3
 github.com/google/go-github/v62 v62.0.0
 github.com/google/licenseclassifier/v2 v2.0.0
@@ -189,7 +189,7 @@ require (
 github.com/cloudflare/circl v1.6.0 // indirect
 github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 // indirect
 github.com/containerd/cgroups/v3 v3.0.3 // indirect
- github.com/containerd/containerd v1.7.26 // indirect
+ github.com/containerd/containerd v1.7.27 // indirect
 github.com/containerd/containerd/api v1.8.0 // indirect
 github.com/containerd/continuity v0.4.5 // indirect
 github.com/containerd/errdefs v1.0.0 // indirect
@@ -409,7 +409,7 @@ require (
 modernc.org/libc v1.61.13 // indirect
 modernc.org/mathutil v1.7.1 // indirect
 modernc.org/memory v1.8.2 // indirect
- mvdan.cc/sh/v3 v3.10.0 // indirect
+ mvdan.cc/sh/v3 v3.11.0 // indirect
 oras.land/oras-go v1.2.5 // indirect
 sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
 sigs.k8s.io/kustomize/api v0.18.0 // indirect
diff --git a/go.sum b/go.sum
index a09797a7d7..a7cb287767 100644
--- a/go.sum
+++ b/go.sum
@@ -802,8 +802,8 @@ github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8 h1:b43UVqY github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8/go.mod h1:wXA9k3uuaxY3yu7gxrxZDPo/04FEMJtwyecdAlYrEIo= github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo= github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY= -github.com/aquasecurity/trivy-checks v1.7.1 h1:Pn+Mk0SkqY7adfZT6ZsRjCuum3svr7n5z3w+HpGXmbY= -github.com/aquasecurity/trivy-checks v1.7.1/go.mod h1:YhmXAXgRdYIAYIr+/k/oEYUWoW7ZgGctmnJiV17ZcU8= +github.com/aquasecurity/trivy-checks v1.8.0 h1:frMR06SEeDff1oEO6wBaTCqZCTBmZ+j8QAAl5EM1M4w= +github.com/aquasecurity/trivy-checks v1.8.0/go.mod h1:zc1DGUFDUP/NUEMXlfaMsnVAEEEsygJrcd4SRQ7Mpko= github.com/aquasecurity/trivy-db v0.0.0-20250227071930-8bd8a9b89e2d h1:T16WrTi21YsMLQVhtp1r1hOIYK3x4BjnftpL9cp64Eo= github.com/aquasecurity/trivy-db v0.0.0-20250227071930-8bd8a9b89e2d/go.mod h1:4bTsQPtMBN8v+UfUlE1aQBN1imftefnDafHBF85+aT8= github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI= 
@@ -944,12 +944,12 @@ github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w= github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0= github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0= -github.com/containerd/containerd v1.7.26 h1:3cs8K2RHlMQaPifLqgRyI4VBkoldNdEw62cb7qQga7k= -github.com/containerd/containerd v1.7.26/go.mod h1:m4JU0E+h0ebbo9yXD7Hyt+sWnc8tChm7MudCjj4jRvQ= +github.com/containerd/containerd v1.7.27 h1:yFyEyojddO3MIGVER2xJLWoCIn+Up4GaHFquP7hsFII= +github.com/containerd/containerd v1.7.27/go.mod h1:xZmPnl75Vc+BLGt4MIfu6bp+fy03gdHAn9bz+FreFR0= github.com/containerd/containerd/api v1.8.0 h1:hVTNJKR8fMc/2Tiw60ZRijntNMd1U+JVMyTRdsD2bS0= github.com/containerd/containerd/api v1.8.0/go.mod h1:dFv4lt6S20wTu/hMcP4350RL87qPWLVa/OHOwmmdnYc= -github.com/containerd/containerd/v2 v2.0.3 h1:zBKgwgZsuu+LPCMzCLgA4sC4MiZzZ59ZT31XkmiISQM= -github.com/containerd/containerd/v2 v2.0.3/go.mod h1:5j9QUUaV/cy9ZeAx4S+8n9ffpf+iYnEj4jiExgcbuLY= +github.com/containerd/containerd/v2 v2.0.4 h1:+r7yJMwhTfMm3CDyiBjMBQO8a9CTBxL2Bg/JtqtIwB8= +github.com/containerd/containerd/v2 v2.0.4/go.mod h1:5j9QUUaV/cy9ZeAx4S+8n9ffpf+iYnEj4jiExgcbuLY= github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4= github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE= github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI= 
@@ -980,8 +980,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0= github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/creack/pty v1.1.23 h1:4M6+isWdcStXEf15G/RbrMPOQj1dZ7HPZCGwE4kOeP0= -github.com/creack/pty v1.1.23/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE= +github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s= +github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE= github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 h1:2Dx4IHfC1yHWI12AxQDJM1QbRCDfk6M+blLzlZCXdrc= github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s= 
@@ -1017,8 +1017,8 @@ github.com/docker/cli v27.5.0+incompatible h1:aMphQkcGtpHixwwhAXJT1rrK/detk2JIvD github.com/docker/cli v27.5.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v27.5.0+incompatible h1:um++2NcQtGRTz5eEgO6aJimo6/JxrTXC941hd05JO6U= -github.com/docker/docker v27.5.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v27.5.1+incompatible h1:4PYU5dnBYqRQi0294d1FBECqT9ECWeQAIfE8q4YnPY8= +github.com/docker/docker v27.5.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= 
@@ -1201,8 +1201,8 @@ github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzw github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI= github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= -github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= -github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= +github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8= +github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= 
@@ -1412,8 +1412,8 @@ github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM= github.com/hashicorp/hc-install v0.9.1 h1:gkqTfE3vVbafGQo6VZXcy2v5yoz2bE0+nhZXruCuODQ= github.com/hashicorp/hc-install v0.9.1/go.mod h1:pWWvN/IrfeBK4XPeXXYkL6EjMufHkCK5DvwxeLKuBf0= -github.com/hashicorp/hcl v1.0.1-vault-7 h1:ag5OxFVy3QYTFTJODRzTKVZ6xvdfLLCA1cy/Y6xGI0I= -github.com/hashicorp/hcl v1.0.1-vault-7/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM= +github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM= +github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM= github.com/hashicorp/hcl/v2 v2.23.0 h1:Fphj1/gCylPxHutVSEOf2fBOh1VE4AuLV7+kbJf3qos= github.com/hashicorp/hcl/v2 v2.23.0/go.mod h1:62ZYHrXgPoX8xBnzl8QzbWq4dyDsDtfCRgIq1rbJEvA= github.com/hashicorp/terraform-exec v0.22.0 h1:G5+4Sz6jYZfRYUCg6eQgDsqTzkNXV+fP8l+uRmZHj64= @@ -2880,8 +2880,8 @@ modernc.org/token v1.0.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM= modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y= modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM= modernc.org/z v1.5.1/go.mod h1:eWFB510QWW5Th9YGZT81s+LwvaAs3Q2yr4sP0rmLkv8= -mvdan.cc/sh/v3 v3.10.0 h1:v9z7N1DLZ7owyLM/SXZQkBSXcwr2IGMm2LY2pmhVXj4= -mvdan.cc/sh/v3 v3.10.0/go.mod h1:z/mSSVyLFGZzqb3ZIKojjyqIx/xbmz/UHdCSv9HmqXY= +mvdan.cc/sh/v3 v3.11.0 h1:q5h+XMDRfUGUedCqFFsjoFjrhwf2Mvtt1rkMvVz0blw= +mvdan.cc/sh/v3 v3.11.0/go.mod h1:LRM+1NjoYCzuq/WZ6y44x14YNAI0NK7FLPeQSaFagGg= oras.land/oras-go v1.2.5 h1:XpYuAwAb0DfQsunIyMfeET92emK8km3W4yEzZvUbsTo= oras.land/oras-go v1.2.5/go.mod h1:PuAwRShRZCsZb7g8Ar3jKKQR/2A/qN+pkYxIOd/FAoo= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= 
diff --git a/integration/testdata/helm.json.golden b/integration/testdata/helm.json.golden index ecfebabe6e..9b2c98c1d2 100644 --- a/integration/testdata/helm.json.golden +++ b/integration/testdata/helm.json.golden @@ -22,7 +22,7 @@ "Type": "helm", "MisconfSummary": { "Successes": 78, - "Failures": 16 + "Failures": 22 }, "Misconfigurations": [ { 
@@ -165,6 +165,76 @@ "RenderedCause": {} } }, + { + "Type": "Helm Security Check", + "ID": "KSV004", + "AVDID": "AVD-KSV-0004", + "Title": "Default capabilities: some containers do not drop any", + "Description": "Security best practices require containers to run with minimal required capabilities.", + "Message": "Container 'nginx' of 'deployment' 'nginx-deployment' in 'default' namespace should set securityContext.capabilities.drop", + "Namespace": "builtin.kubernetes.KSV004", + "Query": "data.builtin.kubernetes.KSV004.deny", + "Resolution": "Specify at least one unneeded capability in 'containers[].securityContext.capabilities.drop'", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv004", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv004" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 19, + "EndLine": 22, + "Code": { + "Lines": [ + { + "Number": 19, + "Content": " - name: nginx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 20, + "Content": " image: nginx:1.14.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - containerPort: 80", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m", + "FirstCause": false, + "LastCause": true + } + ] + }, + "RenderedCause": {} + } + 
}, { "Type": "Helm Security Check", "ID": "KSV011", 
@@ -795,6 +865,471 @@ "RenderedCause": {} } }, + { + "Type": "Helm Security Check", + "ID": "KSV032", + "AVDID": "AVD-KSV-0032", + "Title": "All container images must start with the *.azurecr.io domain", + "Description": "Containers should only use images from trusted registries.", + "Message": "container nginx of deployment nginx-deployment in default namespace should restrict container image to your specific registry domain. For Azure any domain ending in 'azurecr.io'", + "Namespace": "builtin.kubernetes.KSV032", + "Query": "data.builtin.kubernetes.KSV032.deny", + "Resolution": "Use images from trusted Azure registries.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv032", + "References": [ + "https://avd.aquasec.com/misconfig/ksv032" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 19, + "EndLine": 22, + "Code": { + "Lines": [ + { + "Number": 19, + "Content": " - name: nginx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 20, + "Content": " image: nginx:1.14.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - containerPort: 80", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m", + "FirstCause": false, + "LastCause": true + } + ] + }, + "RenderedCause": {} + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV033", + "AVDID": "AVD-KSV-0033", + "Title": 
"All container images must start with a GCR domain", + "Description": "Containers should only use images from trusted GCR registries.", + "Message": "container nginx of deployment nginx-deployment in default namespace should restrict container image to your specific registry domain. See the full GCR list here: https://cloud.google.com/container-registry/docs/overview#registries", + "Namespace": "builtin.kubernetes.KSV033", + "Query": "data.builtin.kubernetes.KSV033.deny", + "Resolution": "Use images from trusted GCR registries.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv033", + "References": [ + "https://avd.aquasec.com/misconfig/ksv033" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 19, + "EndLine": 22, + "Code": { + "Lines": [ + { + "Number": 19, + "Content": " - name: nginx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 20, + "Content": " image: nginx:1.14.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - containerPort: 80", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m", + "FirstCause": false, + "LastCause": true + } + ] + }, + "RenderedCause": {} + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV035", + "AVDID": "AVD-KSV-0035", + "Title": "All container images must start with an ECR domain", + "Description": "Container images from 
non-ECR registries should be forbidden.", + "Message": "Container 'nginx' of Deployment 'nginx-deployment' should restrict images to own ECR repository. See the full ECR list here: https://docs.aws.amazon.com/general/latest/gr/ecr.html", + "Namespace": "builtin.kubernetes.KSV035", + "Query": "data.builtin.kubernetes.KSV035.deny", + "Resolution": "Container image should be used from Amazon container Registry", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv035", + "References": [ + "https://avd.aquasec.com/misconfig/ksv035" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 19, + "EndLine": 22, + "Code": { + "Lines": [ + { + "Number": 19, + "Content": " - name: nginx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 20, + "Content": " image: nginx:1.14.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - containerPort: 80", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m", + "FirstCause": false, + "LastCause": true + } + ] + }, + "RenderedCause": {} + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV039", + "AVDID": "AVD-KSV-0039", + "Title": "limit range usage", + "Description": "ensure limit range policy has configure in order to limit resource usage for namespaces or nodes", + "Message": "limit range policy with a default request and limit, min and max 
request, for each container should be configure", + "Namespace": "builtin.kubernetes.KSV039", + "Query": "data.builtin.kubernetes.KSV039.deny", + "Resolution": "create limit range policy with a default request and limit, min and max request, for each container.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv039", + "References": [ + "https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/", + "https://avd.aquasec.com/misconfig/ksv039" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 9, + "EndLine": 22, + "Code": { + "Lines": [ + { + "Number": 9, + "Content": " replicas: 3", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m3", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 10, + "Content": " selector:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 11, + "Content": " matchLabels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " app: nginx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp\u001b[0m: nginx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " template:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " metadata:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + 
"Content": " labels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " app: nginx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp\u001b[0m: nginx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " spec:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mspec\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 18, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + }, + "RenderedCause": {} + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV040", + "AVDID": "AVD-KSV-0040", + "Title": "resource quota usage", + "Description": "ensure resource quota policy has configure in order to limit aggregate resource usage within namespace", + "Message": "resource quota policy with hard memory and cpu quota per namespace should be configure", + "Namespace": "builtin.kubernetes.KSV040", + "Query": "data.builtin.kubernetes.KSV040.deny", + "Resolution": "create resource quota policy with mem and cpu quota per each namespace", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv040", + "References": [ + "https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/", + "https://avd.aquasec.com/misconfig/ksv040" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 9, + "EndLine": 22, + "Code": { + "Lines": [ + { + "Number": 9, + "Content": " replicas: 3", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m3", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 10, + "Content": " 
selector:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 11, + "Content": " matchLabels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " app: nginx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp\u001b[0m: nginx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " template:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " metadata:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " labels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " app: nginx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp\u001b[0m: nginx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " spec:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mspec\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 18, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + }, + "RenderedCause": {} + } + }, { "Type": "Helm Security Check", "ID": "KSV104", 
diff --git a/integration/testdata/helm_testchart.json.golden b/integration/testdata/helm_testchart.json.golden index 9d4e2aaef0..469074dccc 100644 --- a/integration/testdata/helm_testchart.json.golden +++ b/integration/testdata/helm_testchart.json.golden @@ -21,8 +21,8 @@ "Class": "config", "Type": "helm", "MisconfSummary": { - "Successes": 89, - "Failures": 5 + "Successes": 90, + "Failures": 10 }, "Misconfigurations": [ { 
@@ -283,6 +283,648 @@ "RenderedCause": {} } }, + { + "Type": "Helm Security Check", + "ID": "KSV032", + "AVDID": "AVD-KSV-0032", + "Title": "All container images must start with the *.azurecr.io domain", + "Description": "Containers should only use images from trusted registries.", + "Message": "container testchart of deployment testchart in default namespace should restrict container image to your specific registry domain. For Azure any domain ending in 'azurecr.io'", + "Namespace": "builtin.kubernetes.KSV032", + "Query": "data.builtin.kubernetes.KSV032.deny", + "Resolution": "Use images from trusted Azure registries.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv032", + "References": [ + "https://avd.aquasec.com/misconfig/ksv032" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 28, + "EndLine": 57, + "Code": { + "Lines": [ + { + "Number": 28, + "Content": " - name: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 29, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " capabilities:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " drop:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mdrop\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - ALL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - ALL", + "FirstCause": false, + "LastCause": 
false + }, + { + "Number": 33, + "Content": " readOnlyRootFilesystem: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " runAsGroup: 10001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 36, + "Content": " runAsUser: 10001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m10001", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 37, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + }, + "RenderedCause": {} + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV033", + "AVDID": "AVD-KSV-0033", + "Title": "All container images must start with a GCR domain", + "Description": "Containers should only use images from trusted GCR registries.", + "Message": "container testchart of deployment testchart in default namespace should restrict container image to your specific registry domain. 
See the full GCR list here: https://cloud.google.com/container-registry/docs/overview#registries", + "Namespace": "builtin.kubernetes.KSV033", + "Query": "data.builtin.kubernetes.KSV033.deny", + "Resolution": "Use images from trusted GCR registries.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv033", + "References": [ + "https://avd.aquasec.com/misconfig/ksv033" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 28, + "EndLine": 57, + "Code": { + "Lines": [ + { + "Number": 28, + "Content": " - name: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 29, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " capabilities:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " drop:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mdrop\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - ALL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - ALL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " readOnlyRootFilesystem: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " runAsGroup: 10001", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 36, + "Content": " runAsUser: 10001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m10001", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 37, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + }, + "RenderedCause": {} + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV035", + "AVDID": "AVD-KSV-0035", + "Title": "All container images must start with an ECR domain", + "Description": "Container images from non-ECR registries should be forbidden.", + "Message": "Container 'testchart' of Deployment 'testchart' should restrict images to own ECR repository. 
See the full ECR list here: https://docs.aws.amazon.com/general/latest/gr/ecr.html", + "Namespace": "builtin.kubernetes.KSV035", + "Query": "data.builtin.kubernetes.KSV035.deny", + "Resolution": "Container image should be used from Amazon container Registry", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv035", + "References": [ + "https://avd.aquasec.com/misconfig/ksv035" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 28, + "EndLine": 57, + "Code": { + "Lines": [ + { + "Number": 28, + "Content": " - name: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 29, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " capabilities:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " drop:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mdrop\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - ALL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - ALL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " readOnlyRootFilesystem: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " runAsGroup: 10001", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 36, + "Content": " runAsUser: 10001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m10001", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 37, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + }, + "RenderedCause": {} + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV039", + "AVDID": "AVD-KSV-0039", + "Title": "limit range usage", + "Description": "ensure limit range policy has configure in order to limit resource usage for namespaces or nodes", + "Message": "limit range policy with a default request and limit, min and max request, for each container should be configure", + "Namespace": "builtin.kubernetes.KSV039", + "Query": "data.builtin.kubernetes.KSV039.deny", + "Resolution": "create limit range policy with a default request and limit, min and max request, for each container.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv039", + "References": [ + "https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/", + "https://avd.aquasec.com/misconfig/ksv039" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 13, + "EndLine": 57, + "Code": { + "Lines": [ + { + "Number": 13, + "Content": " replicas: 1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mreplicas\u001b[0m: 
\u001b[38;5;37m1", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 14, + "Content": " selector:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " matchLabels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " app.kubernetes.io/name: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " app.kubernetes.io/instance: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " template:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " metadata:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " labels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " app.kubernetes.io/name: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 22, + "Content": "", + "IsCause": false, + "Annotation": 
"", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + }, + "RenderedCause": {} + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV040", + "AVDID": "AVD-KSV-0040", + "Title": "resource quota usage", + "Description": "ensure resource quota policy has configure in order to limit aggregate resource usage within namespace", + "Message": "resource quota policy with hard memory and cpu quota per namespace should be configure", + "Namespace": "builtin.kubernetes.KSV040", + "Query": "data.builtin.kubernetes.KSV040.deny", + "Resolution": "create resource quota policy with mem and cpu quota per each namespace", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv040", + "References": [ + "https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/", + "https://avd.aquasec.com/misconfig/ksv040" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 13, + "EndLine": 57, + "Code": { + "Lines": [ + { + "Number": 13, + "Content": " replicas: 1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m1", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 14, + "Content": " selector:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " matchLabels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " app.kubernetes.io/name: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 17, + "Content": " app.kubernetes.io/instance: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " template:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " metadata:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " labels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " app.kubernetes.io/name: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 22, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + }, + "RenderedCause": {} + } + }, { "Type": "Helm Security Check", "ID": "KSV104", 
@@ -547,9 +1189,251 @@ "Class": "config", "Type": "helm", "MisconfSummary": { - "Successes": 61, - "Failures": 0 - } + "Successes": 59, + "Failures": 2 + }, + "Misconfigurations": [ + { + "Type": "Helm Security Check", + "ID": "KSV039", + "AVDID": "AVD-KSV-0039", + "Title": "limit range usage", + "Description": "ensure limit range policy has configure in order to limit resource usage for namespaces or nodes", + "Message": "limit range policy with a default request and limit, min and max request, for each container should be configure", + "Namespace": "builtin.kubernetes.KSV039", + "Query": "data.builtin.kubernetes.KSV039.deny", + "Resolution": "create limit range policy with a default request and limit, min and max request, for each container.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv039", + "References": [ + "https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/", + "https://avd.aquasec.com/misconfig/ksv039" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 13, + "EndLine": 21, + "Code": { + "Lines": [ + { + "Number": 13, + "Content": " type: ClusterIP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mtype\u001b[0m: ClusterIP", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 14, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " - port: 80", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mport\u001b[0m: \u001b[38;5;37m80", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " targetPort: http", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mtargetPort\u001b[0m: http", 
+ "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " name: http", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: http", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " selector:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mselector\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " app.kubernetes.io/name: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " app.kubernetes.io/instance: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart", + "FirstCause": false, + "LastCause": true + } + ] + }, + "RenderedCause": {} + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV040", + "AVDID": "AVD-KSV-0040", + "Title": "resource quota usage", + "Description": "ensure resource quota policy has configure in order to limit aggregate resource usage within namespace", + "Message": "resource quota policy with hard memory and cpu quota per namespace should be configure", + "Namespace": "builtin.kubernetes.KSV040", + "Query": "data.builtin.kubernetes.KSV040.deny", + "Resolution": "create resource quota policy with mem and cpu quota per each namespace", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv040", + "References": [ + "https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/", + 
"https://avd.aquasec.com/misconfig/ksv040" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 13, + "EndLine": 21, + "Code": { + "Lines": [ + { + "Number": 13, + "Content": " type: ClusterIP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mtype\u001b[0m: ClusterIP", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 14, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " - port: 80", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mport\u001b[0m: \u001b[38;5;37m80", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " targetPort: http", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mtargetPort\u001b[0m: http", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " name: http", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: http", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " selector:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mselector\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " app.kubernetes.io/name: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 21, + "Content": " app.kubernetes.io/instance: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart", + "FirstCause": false, + "LastCause": true + } + ] + }, + "RenderedCause": {} + } + } + ] }, { "Target": "templates/serviceaccount.yaml", diff --git a/integration/testdata/helm_testchart.overridden.json.golden b/integration/testdata/helm_testchart.overridden.json.golden index 1635d89c1a..aa00873d1d 100644 --- a/integration/testdata/helm_testchart.overridden.json.golden +++ b/integration/testdata/helm_testchart.overridden.json.golden @@ -21,8 +21,8 @@ "Class": "config", "Type": "helm", "MisconfSummary": { - "Successes": 87, - "Failures": 7 + "Successes": 88, + "Failures": 12 }, "Misconfigurations": [ { 
@@ -412,6 +412,648 @@ "RenderedCause": {} } }, + { + "Type": "Helm Security Check", + "ID": "KSV032", + "AVDID": "AVD-KSV-0032", + "Title": "All container images must start with the *.azurecr.io domain", + "Description": "Containers should only use images from trusted registries.", + "Message": "container testchart of deployment testchart in default namespace should restrict container image to your specific registry domain. For Azure any domain ending in 'azurecr.io'", + "Namespace": "builtin.kubernetes.KSV032", + "Query": "data.builtin.kubernetes.KSV032.deny", + "Resolution": "Use images from trusted Azure registries.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv032", + "References": [ + "https://avd.aquasec.com/misconfig/ksv032" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 28, + "EndLine": 57, + "Code": { + "Lines": [ + { + "Number": 28, + "Content": " - name: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 29, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " capabilities:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " drop:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mdrop\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - ALL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - ALL", + "FirstCause": false, + "LastCause": 
false + }, + { + "Number": 33, + "Content": " readOnlyRootFilesystem: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " runAsGroup: 10001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 36, + "Content": " runAsUser: 0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 37, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + }, + "RenderedCause": {} + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV033", + "AVDID": "AVD-KSV-0033", + "Title": "All container images must start with a GCR domain", + "Description": "Containers should only use images from trusted GCR registries.", + "Message": "container testchart of deployment testchart in default namespace should restrict container image to your specific registry domain. 
See the full GCR list here: https://cloud.google.com/container-registry/docs/overview#registries", + "Namespace": "builtin.kubernetes.KSV033", + "Query": "data.builtin.kubernetes.KSV033.deny", + "Resolution": "Use images from trusted GCR registries.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv033", + "References": [ + "https://avd.aquasec.com/misconfig/ksv033" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 28, + "EndLine": 57, + "Code": { + "Lines": [ + { + "Number": 28, + "Content": " - name: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 29, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " capabilities:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " drop:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mdrop\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - ALL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - ALL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " readOnlyRootFilesystem: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " runAsGroup: 10001", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 36, + "Content": " runAsUser: 0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 37, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + }, + "RenderedCause": {} + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV035", + "AVDID": "AVD-KSV-0035", + "Title": "All container images must start with an ECR domain", + "Description": "Container images from non-ECR registries should be forbidden.", + "Message": "Container 'testchart' of Deployment 'testchart' should restrict images to own ECR repository. 
See the full ECR list here: https://docs.aws.amazon.com/general/latest/gr/ecr.html", + "Namespace": "builtin.kubernetes.KSV035", + "Query": "data.builtin.kubernetes.KSV035.deny", + "Resolution": "Container image should be used from Amazon container Registry", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv035", + "References": [ + "https://avd.aquasec.com/misconfig/ksv035" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 28, + "EndLine": 57, + "Code": { + "Lines": [ + { + "Number": 28, + "Content": " - name: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 29, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " capabilities:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " drop:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mdrop\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - ALL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - ALL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " readOnlyRootFilesystem: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " runAsGroup: 10001", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 36, + "Content": " runAsUser: 0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 37, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + }, + "RenderedCause": {} + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV039", + "AVDID": "AVD-KSV-0039", + "Title": "limit range usage", + "Description": "ensure limit range policy has configure in order to limit resource usage for namespaces or nodes", + "Message": "limit range policy with a default request and limit, min and max request, for each container should be configure", + "Namespace": "builtin.kubernetes.KSV039", + "Query": "data.builtin.kubernetes.KSV039.deny", + "Resolution": "create limit range policy with a default request and limit, min and max request, for each container.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv039", + "References": [ + "https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/", + "https://avd.aquasec.com/misconfig/ksv039" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 13, + "EndLine": 57, + "Code": { + "Lines": [ + { + "Number": 13, + "Content": " replicas: 1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m1", + 
"FirstCause": true, + "LastCause": false + }, + { + "Number": 14, + "Content": " selector:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " matchLabels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " app.kubernetes.io/name: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " app.kubernetes.io/instance: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " template:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " metadata:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " labels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " app.kubernetes.io/name: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 22, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": 
true, + "FirstCause": false, + "LastCause": false + } + ] + }, + "RenderedCause": {} + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV040", + "AVDID": "AVD-KSV-0040", + "Title": "resource quota usage", + "Description": "ensure resource quota policy has configure in order to limit aggregate resource usage within namespace", + "Message": "resource quota policy with hard memory and cpu quota per namespace should be configure", + "Namespace": "builtin.kubernetes.KSV040", + "Query": "data.builtin.kubernetes.KSV040.deny", + "Resolution": "create resource quota policy with mem and cpu quota per each namespace", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv040", + "References": [ + "https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/", + "https://avd.aquasec.com/misconfig/ksv040" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 13, + "EndLine": 57, + "Code": { + "Lines": [ + { + "Number": 13, + "Content": " replicas: 1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m1", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 14, + "Content": " selector:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " matchLabels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " app.kubernetes.io/name: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + 
"Content": " app.kubernetes.io/instance: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " template:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " metadata:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " labels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " app.kubernetes.io/name: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 22, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + }, + "RenderedCause": {} + } + }, { "Type": "Helm Security Check", "ID": "KSV104", 
@@ -776,9 +1418,251 @@ "Class": "config", "Type": "helm", "MisconfSummary": { - "Successes": 61, - "Failures": 0 - } + "Successes": 59, + "Failures": 2 + }, + "Misconfigurations": [ + { + "Type": "Helm Security Check", + "ID": "KSV039", + "AVDID": "AVD-KSV-0039", + "Title": "limit range usage", + "Description": "ensure limit range policy has configure in order to limit resource usage for namespaces or nodes", + "Message": "limit range policy with a default request and limit, min and max request, for each container should be configure", + "Namespace": "builtin.kubernetes.KSV039", + "Query": "data.builtin.kubernetes.KSV039.deny", + "Resolution": "create limit range policy with a default request and limit, min and max request, for each container.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv039", + "References": [ + "https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/", + "https://avd.aquasec.com/misconfig/ksv039" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 13, + "EndLine": 21, + "Code": { + "Lines": [ + { + "Number": 13, + "Content": " type: ClusterIP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mtype\u001b[0m: ClusterIP", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 14, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " - port: 80", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mport\u001b[0m: \u001b[38;5;37m80", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " targetPort: http", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mtargetPort\u001b[0m: http", 
+ "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " name: http", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: http", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " selector:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mselector\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " app.kubernetes.io/name: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " app.kubernetes.io/instance: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart", + "FirstCause": false, + "LastCause": true + } + ] + }, + "RenderedCause": {} + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV040", + "AVDID": "AVD-KSV-0040", + "Title": "resource quota usage", + "Description": "ensure resource quota policy has configure in order to limit aggregate resource usage within namespace", + "Message": "resource quota policy with hard memory and cpu quota per namespace should be configure", + "Namespace": "builtin.kubernetes.KSV040", + "Query": "data.builtin.kubernetes.KSV040.deny", + "Resolution": "create resource quota policy with mem and cpu quota per each namespace", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv040", + "References": [ + "https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/", + 
"https://avd.aquasec.com/misconfig/ksv040" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 13, + "EndLine": 21, + "Code": { + "Lines": [ + { + "Number": 13, + "Content": " type: ClusterIP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mtype\u001b[0m: ClusterIP", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 14, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " - port: 80", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mport\u001b[0m: \u001b[38;5;37m80", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " targetPort: http", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mtargetPort\u001b[0m: http", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " name: http", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: http", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " selector:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mselector\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " app.kubernetes.io/name: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 21, + "Content": " app.kubernetes.io/instance: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart", + "FirstCause": false, + "LastCause": true + } + ] + }, + "RenderedCause": {} + } + } + ] }, { "Target": "templates/serviceaccount.yaml", diff --git a/pkg/iac/scanners/helm/test/scanner_test.go b/pkg/iac/scanners/helm/test/scanner_test.go index 1ac8a18791..41fc1b5abf 100644 --- a/pkg/iac/scanners/helm/test/scanner_test.go +++ b/pkg/iac/scanners/helm/test/scanner_test.go @@ -36,6 +36,13 @@ func TestScanner_ScanFS(t *testing.T) { "AVD-KSV-0015", "AVD-KSV-0016", "AVD-KSV-0018", "AVD-KSV-0020", "AVD-KSV-0021", "AVD-KSV-0030", "AVD-KSV-0104", "AVD-KSV-0106", + "AVD-KSV-0032", + "AVD-KSV-0040", + "AVD-KSV-0039", + "AVD-KSV-0004", + "AVD-KSV-0035", + "AVD-KSV-0033", + "AVD-KSV-0034", }), }, { @@ -49,6 +56,12 @@ func TestScanner_ScanFS(t *testing.T) { "AVD-KSV-0020", "AVD-KSV-0021", "AVD-KSV-0030", "AVD-KSV-0104", "AVD-KSV-0106", "AVD-KSV-0117", "AVD-KSV-0110", + "AVD-KSV-0032", + "AVD-KSV-0040", + "AVD-KSV-0039", + "AVD-KSV-0004", + "AVD-KSV-0035", + "AVD-KSV-0033", })(t, results) ignored := results.GetIgnored() @@ -68,6 +81,11 @@ func TestScanner_ScanFS(t *testing.T) { "AVD-KSV-0118", "AVD-KSV-0012", "AVD-KSV-0106", "AVD-KSV-0016", "AVD-KSV-0001", "AVD-KSV-0011", "AVD-KSV-0015", "AVD-KSV-0021", "AVD-KSV-0110", "AVD-KSV-0020", + "AVD-KSV-0032", + "AVD-KSV-0040", + "AVD-KSV-0039", + "AVD-KSV-0004", + "AVD-KSV-0035", }), }, { @@ -102,6 +120,13 @@ deny[res] { "AVD-KSV-0015", "AVD-KSV-0016", "AVD-KSV-0018", "AVD-KSV-0020", "AVD-KSV-0021", "AVD-KSV-0030", "AVD-KSV-0104", "AVD-KSV-0106", "AVD-USR-ID001", + "AVD-KSV-0032", + "AVD-KSV-0040", + "AVD-KSV-0039", + "AVD-KSV-0004", + "AVD-KSV-0035", + "AVD-KSV-0033", + "AVD-KSV-0034", }), }, { 
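Review bot: In the `@@ -36,6 +36,13 @@` hunk the seven IDs are appended unsorted to a list that is otherwise in ascending numeric order (0015 … 0106), so `"AVD-KSV-0004"` now sits after `"AVD-KSV-0106"` and 0040 precedes 0039; the `@@ -102,6 +120,13 @@` hunk repeats the same unsorted tail. `assertIds` collects the failed IDs into a `set` (see its hunk further down), which suggests order does not affect the assertion, but the comparison itself is outside the visible hunk, so please confirm before relying on that. If order is free, move `"AVD-KSV-0004"` to the head of each list and write the new tail as `"AVD-KSV-0032", "AVD-KSV-0033", "AVD-KSV-0034", "AVD-KSV-0035", "AVD-KSV-0039", "AVD-KSV-0040",` so that the next trivy-checks bump produces a minimal diff and a missing or duplicated ID is visible at a glance. The enclosing `TestScanner_ScanFS` table starts and ends outside these hunks.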
@@ -196,6 +221,8 @@ deny[res] { func assertIds(expected []string) func(t *testing.T, results scan.Results) { return func(t *testing.T, results scan.Results) { + t.Helper() + errorCodes := set.New[string]() for _, result := range results.GetFailed() { errorCodes.Append(result.Rule().AVDID)