admin/aquasecurity-trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2026-01-31 13:53:14 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
c76764ef5dcaf53af33cae198ddb47a1314f3873
aquasecurity-trivy/integration/testdata/helm.json.golden
simar7 c76764ef5d chore(deps): Bump trivy-checks (#8619)
2025-03-27 07:11:45 +00:00

1592 lines
63 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"SchemaVersion": 2,
"CreatedAt": "2021-08-25T12:20:30.000000005Z",
"ArtifactName": "testdata/fixtures/repo/helm",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "testchart.tar.gz:templates/pod.yaml",
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 78,
"Failures": 22
},
"Misconfigurations": [
{
"Type": "Helm Security Check",
"ID": "KSV001",
"AVDID": "AVD-KSV-0001",
"Title": "Can elevate its own privileges",
"Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.",
"Message": "Container 'nginx' of Deployment 'nginx-deployment' should set 'securityContext.allowPrivilegeEscalation' to false",
"Namespace": "builtin.kubernetes.KSV001",
"Query": "data.builtin.kubernetes.KSV001.deny",
"Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001",
"References": [
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
"https://avd.aquasec.com/misconfig/ksv001"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV003",
"AVDID": "AVD-KSV-0003",
"Title": "Default capabilities: some containers do not drop all",
"Description": "The container should drop all default capabilities and add only those that are needed for its execution.",
"Message": "Container 'nginx' of Deployment 'nginx-deployment' should add 'ALL' to 'securityContext.capabilities.drop'",
"Namespace": "builtin.kubernetes.KSV003",
"Query": "data.builtin.kubernetes.KSV003.deny",
"Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003",
"References": [
"https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/",
"https://avd.aquasec.com/misconfig/ksv003"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV004",
"AVDID": "AVD-KSV-0004",
"Title": "Default capabilities: some containers do not drop any",
"Description": "Security best practices require containers to run with minimal required capabilities.",
"Message": "Container 'nginx' of 'deployment' 'nginx-deployment' in 'default' namespace should set securityContext.capabilities.drop",
"Namespace": "builtin.kubernetes.KSV004",
"Query": "data.builtin.kubernetes.KSV004.deny",
"Resolution": "Specify at least one unneeded capability in 'containers[].securityContext.capabilities.drop'",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv004",
"References": [
"https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/",
"https://avd.aquasec.com/misconfig/ksv004"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV011",
"AVDID": "AVD-KSV-0011",
"Title": "CPU not limited",
"Description": "Enforcing CPU limits prevents DoS via resource exhaustion.",
"Message": "Container 'nginx' of Deployment 'nginx-deployment' should set 'resources.limits.cpu'",
"Namespace": "builtin.kubernetes.KSV011",
"Query": "data.builtin.kubernetes.KSV011.deny",
"Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011",
"References": [
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits",
"https://avd.aquasec.com/misconfig/ksv011"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV012",
"AVDID": "AVD-KSV-0012",
"Title": "Runs as root user",
"Description": "Force the running image to run as a non-root user to ensure least privileges.",
"Message": "Container 'nginx' of Deployment 'nginx-deployment' should set 'securityContext.runAsNonRoot' to true",
"Namespace": "builtin.kubernetes.KSV012",
"Query": "data.builtin.kubernetes.KSV012.deny",
"Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012",
"References": [
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
"https://avd.aquasec.com/misconfig/ksv012"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV014",
"AVDID": "AVD-KSV-0014",
"Title": "Root file system is not read-only",
"Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.",
"Message": "Container 'nginx' of Deployment 'nginx-deployment' should set 'securityContext.readOnlyRootFilesystem' to true",
"Namespace": "builtin.kubernetes.KSV014",
"Query": "data.builtin.kubernetes.KSV014.deny",
"Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014",
"References": [
"https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/",
"https://avd.aquasec.com/misconfig/ksv014"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV015",
"AVDID": "AVD-KSV-0015",
"Title": "CPU requests not specified",
"Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.",
"Message": "Container 'nginx' of Deployment 'nginx-deployment' should set 'resources.requests.cpu'",
"Namespace": "builtin.kubernetes.KSV015",
"Query": "data.builtin.kubernetes.KSV015.deny",
"Resolution": "Set 'containers[].resources.requests.cpu'.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015",
"References": [
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits",
"https://avd.aquasec.com/misconfig/ksv015"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV016",
"AVDID": "AVD-KSV-0016",
"Title": "Memory requests not specified",
"Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.",
"Message": "Container 'nginx' of Deployment 'nginx-deployment' should set 'resources.requests.memory'",
"Namespace": "builtin.kubernetes.KSV016",
"Query": "data.builtin.kubernetes.KSV016.deny",
"Resolution": "Set 'containers[].resources.requests.memory'.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016",
"References": [
"https://kubesec.io/basics/containers-resources-limits-memory/",
"https://avd.aquasec.com/misconfig/ksv016"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV018",
"AVDID": "AVD-KSV-0018",
"Title": "Memory not limited",
"Description": "Enforcing memory limits prevents DoS via resource exhaustion.",
"Message": "Container 'nginx' of Deployment 'nginx-deployment' should set 'resources.limits.memory'",
"Namespace": "builtin.kubernetes.KSV018",
"Query": "data.builtin.kubernetes.KSV018.deny",
"Resolution": "Set a limit value under 'containers[].resources.limits.memory'.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018",
"References": [
"https://kubesec.io/basics/containers-resources-limits-memory/",
"https://avd.aquasec.com/misconfig/ksv018"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV020",
"AVDID": "AVD-KSV-0020",
"Title": "Runs with UID \u003c= 10000",
"Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the hosts user table.",
"Message": "Container 'nginx' of Deployment 'nginx-deployment' should set 'securityContext.runAsUser' \u003e 10000",
"Namespace": "builtin.kubernetes.KSV020",
"Query": "data.builtin.kubernetes.KSV020.deny",
"Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020",
"References": [
"https://kubesec.io/basics/containers-securitycontext-runasuser/",
"https://avd.aquasec.com/misconfig/ksv020"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV021",
"AVDID": "AVD-KSV-0021",
"Title": "Runs with GID \u003c= 10000",
"Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the hosts user table.",
"Message": "Container 'nginx' of Deployment 'nginx-deployment' should set 'securityContext.runAsGroup' \u003e 10000",
"Namespace": "builtin.kubernetes.KSV021",
"Query": "data.builtin.kubernetes.KSV021.deny",
"Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021",
"References": [
"https://kubesec.io/basics/containers-securitycontext-runasuser/",
"https://avd.aquasec.com/misconfig/ksv021"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV030",
"AVDID": "AVD-KSV-0030",
"Title": "Runtime/Default Seccomp profile not set",
"Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.",
"Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'",
"Namespace": "builtin.kubernetes.KSV030",
"Query": "data.builtin.kubernetes.KSV030.deny",
"Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030",
"References": [
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
"https://avd.aquasec.com/misconfig/ksv030"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV032",
"AVDID": "AVD-KSV-0032",
"Title": "All container images must start with the *.azurecr.io domain",
"Description": "Containers should only use images from trusted registries.",
"Message": "container nginx of deployment nginx-deployment in default namespace should restrict container image to your specific registry domain. For Azure any domain ending in 'azurecr.io'",
"Namespace": "builtin.kubernetes.KSV032",
"Query": "data.builtin.kubernetes.KSV032.deny",
"Resolution": "Use images from trusted Azure registries.",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv032",
"References": [
"https://avd.aquasec.com/misconfig/ksv032"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV033",
"AVDID": "AVD-KSV-0033",
"Title": "All container images must start with a GCR domain",
"Description": "Containers should only use images from trusted GCR registries.",
"Message": "container nginx of deployment nginx-deployment in default namespace should restrict container image to your specific registry domain. See the full GCR list here: https://cloud.google.com/container-registry/docs/overview#registries",
"Namespace": "builtin.kubernetes.KSV033",
"Query": "data.builtin.kubernetes.KSV033.deny",
"Resolution": "Use images from trusted GCR registries.",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv033",
"References": [
"https://avd.aquasec.com/misconfig/ksv033"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV035",
"AVDID": "AVD-KSV-0035",
"Title": "All container images must start with an ECR domain",
"Description": "Container images from non-ECR registries should be forbidden.",
"Message": "Container 'nginx' of Deployment 'nginx-deployment' should restrict images to own ECR repository. See the full ECR list here: https://docs.aws.amazon.com/general/latest/gr/ecr.html",
"Namespace": "builtin.kubernetes.KSV035",
"Query": "data.builtin.kubernetes.KSV035.deny",
"Resolution": "Container image should be used from Amazon container Registry",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv035",
"References": [
"https://avd.aquasec.com/misconfig/ksv035"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV039",
"AVDID": "AVD-KSV-0039",
"Title": "limit range usage",
"Description": "ensure limit range policy has configure in order to limit resource usage for namespaces or nodes",
"Message": "limit range policy with a default request and limit, min and max request, for each container should be configure",
"Namespace": "builtin.kubernetes.KSV039",
"Query": "data.builtin.kubernetes.KSV039.deny",
"Resolution": "create limit range policy with a default request and limit, min and max request, for each container.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv039",
"References": [
"https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/",
"https://avd.aquasec.com/misconfig/ksv039"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 9,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 9,
"Content": " replicas: 3",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m3",
"FirstCause": true,
"LastCause": false
},
{
"Number": 10,
"Content": " selector:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 11,
"Content": " matchLabels:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 12,
"Content": " app: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp\u001b[0m: nginx",
"FirstCause": false,
"LastCause": false
},
{
"Number": 13,
"Content": " template:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 14,
"Content": " metadata:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 15,
"Content": " labels:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 16,
"Content": " app: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp\u001b[0m: nginx",
"FirstCause": false,
"LastCause": false
},
{
"Number": 17,
"Content": " spec:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mspec\u001b[0m:",
"FirstCause": false,
"LastCause": true
},
{
"Number": 18,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV040",
"AVDID": "AVD-KSV-0040",
"Title": "resource quota usage",
"Description": "ensure resource quota policy has configure in order to limit aggregate resource usage within namespace",
"Message": "resource quota policy with hard memory and cpu quota per namespace should be configure",
"Namespace": "builtin.kubernetes.KSV040",
"Query": "data.builtin.kubernetes.KSV040.deny",
"Resolution": "create resource quota policy with mem and cpu quota per each namespace",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv040",
"References": [
"https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/",
"https://avd.aquasec.com/misconfig/ksv040"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 9,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 9,
"Content": " replicas: 3",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m3",
"FirstCause": true,
"LastCause": false
},
{
"Number": 10,
"Content": " selector:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 11,
"Content": " matchLabels:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 12,
"Content": " app: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp\u001b[0m: nginx",
"FirstCause": false,
"LastCause": false
},
{
"Number": 13,
"Content": " template:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 14,
"Content": " metadata:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 15,
"Content": " labels:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 16,
"Content": " app: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp\u001b[0m: nginx",
"FirstCause": false,
"LastCause": false
},
{
"Number": 17,
"Content": " spec:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mspec\u001b[0m:",
"FirstCause": false,
"LastCause": true
},
{
"Number": 18,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV104",
"AVDID": "AVD-KSV-0104",
"Title": "Seccomp policies disabled",
"Description": "A program inside the container can bypass Seccomp protection policies.",
"Message": "container \"nginx\" of deployment \"nginx-deployment\" in \"default\" namespace should specify a seccomp profile",
"Namespace": "builtin.kubernetes.KSV104",
"Query": "data.builtin.kubernetes.KSV104.deny",
"Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104",
"References": [
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline",
"https://avd.aquasec.com/misconfig/ksv104"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV106",
"AVDID": "AVD-KSV-0106",
"Title": "Container capabilities must only include NET_BIND_SERVICE",
"Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.",
"Message": "container should drop all",
"Namespace": "builtin.kubernetes.KSV106",
"Query": "data.builtin.kubernetes.KSV106.deny",
"Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106",
"References": [
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
"https://avd.aquasec.com/misconfig/ksv106"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV110",
"AVDID": "AVD-KSV-0110",
"Title": "Workloads in the default namespace",
"Description": "Checks whether a workload is running in the default namespace.",
"Message": "deployment nginx-deployment in default namespace should set metadata.namespace to a non-default namespace",
"Namespace": "builtin.kubernetes.KSV110",
"Query": "data.builtin.kubernetes.KSV110.deny",
"Resolution": "Set 'metadata.namespace' to a non-default namespace.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv110",
"References": [
"https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
"https://avd.aquasec.com/misconfig/ksv110"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 5,
"EndLine": 7,
"Code": {
"Lines": [
{
"Number": 5,
"Content": " name: nginx-deployment",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mname\u001b[0m: nginx-deployment",
"FirstCause": true,
"LastCause": false
},
{
"Number": 6,
"Content": " labels:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 7,
"Content": " app: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp\u001b[0m: nginx",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV117",
"AVDID": "AVD-KSV-0117",
"Title": "Prevent binding to privileged ports",
"Description": "The ports which are lower than 1024 receive and transmit various sensitive and privileged data. Allowing containers to use them can bring serious implications.",
"Message": "deployment nginx-deployment in default namespace should not set spec.template.spec.containers.ports.containerPort to less than 1024",
"Namespace": "builtin.kubernetes.KSV117",
"Query": "data.builtin.kubernetes.KSV117.deny",
"Resolution": "Do not map the container ports to privileged host ports when starting a container.",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv117",
"References": [
"https://kubernetes.io/docs/concepts/security/pod-security-standards/",
"https://www.stigviewer.com/stig/kubernetes/2022-12-02/finding/V-242414",
"https://avd.aquasec.com/misconfig/ksv117"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"Code": {
"Lines": null
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV118",
"AVDID": "AVD-KSV-0118",
"Title": "Default security context configured",
"Description": "Security context controls the allocation of security parameters for the pod/container/volume, ensuring the appropriate level of protection. Relying on default security context may expose vulnerabilities to potential attacks that rely on privileged access.",
"Message": "container nginx-deployment in default namespace is using the default security context",
"Namespace": "builtin.kubernetes.KSV118",
"Query": "data.builtin.kubernetes.KSV118.deny",
"Resolution": "To enhance security, it is strongly recommended not to rely on the default security context. Instead, it is advisable to explicitly define the required security parameters (such as runAsNonRoot, capabilities, readOnlyRootFilesystem, etc.) within the security context.",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv118",
"References": [
"https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
"https://avd.aquasec.com/misconfig/ksv118"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"Code": {
"Lines": null
},
"RenderedCause": {}
}
}
]
}
]
}
Reference in New Issue View Git Blame Copy Permalink