aquasecurity-trivy/integration/testdata/helm_testchart.overridden.json.golden
{
"SchemaVersion": 2,
"CreatedAt": "2021-08-25T12:20:30.000000005Z",
"ArtifactName": "testdata/fixtures/repo/helm_testchart",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "templates/deployment.yaml",
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 88,
"Failures": 12
},
"Misconfigurations": [
{
"Type": "Helm Security Check",
"ID": "KSV001",
"AVDID": "AVD-KSV-0001",
"Title": "Can elevate its own privileges",
"Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.",
"Message": "Container 'testchart' of Deployment 'testchart' should set 'securityContext.allowPrivilegeEscalation' to false",
"Namespace": "builtin.kubernetes.KSV001",
"Query": "data.builtin.kubernetes.KSV001.deny",
"Resolution": "Set 'containers[].securityContext.allowPrivilegeEscalation' to 'false'.",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001",
"References": [
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
"https://avd.aquasec.com/misconfig/ksv001"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 28,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - ALL",
"FirstCause": false,
"LastCause": false
},
{
"Number": 33,
"Content": " readOnlyRootFilesystem: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 34,
"Content": " runAsGroup: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": false
},
{
"Number": 35,
"Content": " runAsNonRoot: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 36,
"Content": " runAsUser: 0",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0",
"FirstCause": false,
"LastCause": true
},
{
"Number": 37,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV020",
"AVDID": "AVD-KSV-0020",
"Title": "Runs with UID \u003c= 10000",
"Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host's user table.",
"Message": "Container 'testchart' of Deployment 'testchart' should set 'securityContext.runAsUser' \u003e 10000",
"Namespace": "builtin.kubernetes.KSV020",
"Query": "data.builtin.kubernetes.KSV020.deny",
"Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020",
"References": [
"https://kubesec.io/basics/containers-securitycontext-runasuser/",
"https://avd.aquasec.com/misconfig/ksv020"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 28,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - ALL",
"FirstCause": false,
"LastCause": false
},
{
"Number": 33,
"Content": " readOnlyRootFilesystem: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 34,
"Content": " runAsGroup: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": false
},
{
"Number": 35,
"Content": " runAsNonRoot: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 36,
"Content": " runAsUser: 0",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0",
"FirstCause": false,
"LastCause": true
},
{
"Number": 37,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV030",
"AVDID": "AVD-KSV-0030",
"Title": "Runtime/Default Seccomp profile not set",
"Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.",
"Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'",
"Namespace": "builtin.kubernetes.KSV030",
"Query": "data.builtin.kubernetes.KSV030.deny",
"Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030",
"References": [
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
"https://avd.aquasec.com/misconfig/ksv030"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 28,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - ALL",
"FirstCause": false,
"LastCause": false
},
{
"Number": 33,
"Content": " readOnlyRootFilesystem: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 34,
"Content": " runAsGroup: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": false
},
{
"Number": 35,
"Content": " runAsNonRoot: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 36,
"Content": " runAsUser: 0",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0",
"FirstCause": false,
"LastCause": true
},
{
"Number": 37,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV032",
"AVDID": "AVD-KSV-0032",
"Title": "All container images must start with the *.azurecr.io domain",
"Description": "Containers should only use images from trusted registries.",
"Message": "container testchart of deployment testchart in default namespace should restrict container image to your specific registry domain. For Azure any domain ending in 'azurecr.io'",
"Namespace": "builtin.kubernetes.KSV032",
"Query": "data.builtin.kubernetes.KSV032.deny",
"Resolution": "Use images from trusted Azure registries.",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv032",
"References": [
"https://avd.aquasec.com/misconfig/ksv032"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 28,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - ALL",
"FirstCause": false,
"LastCause": false
},
{
"Number": 33,
"Content": " readOnlyRootFilesystem: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 34,
"Content": " runAsGroup: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": false
},
{
"Number": 35,
"Content": " runAsNonRoot: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 36,
"Content": " runAsUser: 0",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0",
"FirstCause": false,
"LastCause": true
},
{
"Number": 37,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV033",
"AVDID": "AVD-KSV-0033",
"Title": "All container images must start with a GCR domain",
"Description": "Containers should only use images from trusted GCR registries.",
"Message": "container testchart of deployment testchart in default namespace should restrict container image to your specific registry domain. See the full GCR list here: https://cloud.google.com/container-registry/docs/overview#registries",
"Namespace": "builtin.kubernetes.KSV033",
"Query": "data.builtin.kubernetes.KSV033.deny",
"Resolution": "Use images from trusted GCR registries.",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv033",
"References": [
"https://avd.aquasec.com/misconfig/ksv033"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 28,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - ALL",
"FirstCause": false,
"LastCause": false
},
{
"Number": 33,
"Content": " readOnlyRootFilesystem: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 34,
"Content": " runAsGroup: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": false
},
{
"Number": 35,
"Content": " runAsNonRoot: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 36,
"Content": " runAsUser: 0",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0",
"FirstCause": false,
"LastCause": true
},
{
"Number": 37,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV035",
"AVDID": "AVD-KSV-0035",
"Title": "All container images must start with an ECR domain",
"Description": "Container images from non-ECR registries should be forbidden.",
"Message": "Container 'testchart' of Deployment 'testchart' should restrict images to own ECR repository. See the full ECR list here: https://docs.aws.amazon.com/general/latest/gr/ecr.html",
"Namespace": "builtin.kubernetes.KSV035",
"Query": "data.builtin.kubernetes.KSV035.deny",
"Resolution": "Container images should be pulled from Amazon Elastic Container Registry (ECR).",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv035",
"References": [
"https://avd.aquasec.com/misconfig/ksv035"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 28,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - ALL",
"FirstCause": false,
"LastCause": false
},
{
"Number": 33,
"Content": " readOnlyRootFilesystem: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 34,
"Content": " runAsGroup: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": false
},
{
"Number": 35,
"Content": " runAsNonRoot: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 36,
"Content": " runAsUser: 0",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0",
"FirstCause": false,
"LastCause": true
},
{
"Number": 37,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV039",
"AVDID": "AVD-KSV-0039",
"Title": "limit range usage",
"Description": "Ensure a LimitRange policy is configured in order to limit resource usage for namespaces or nodes.",
"Message": "A LimitRange policy with a default request and limit, and min and max request, for each container should be configured",
"Namespace": "builtin.kubernetes.KSV039",
"Query": "data.builtin.kubernetes.KSV039.deny",
"Resolution": "Create a LimitRange policy with a default request and limit, and min and max request, for each container.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv039",
"References": [
"https://kubernetes.io/docs/concepts/policy/limit-range/",
"https://avd.aquasec.com/misconfig/ksv039"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 13,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 13,
"Content": " replicas: 1",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m1",
"FirstCause": true,
"LastCause": false
},
{
"Number": 14,
"Content": " selector:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 15,
"Content": " matchLabels:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 16,
"Content": " app.kubernetes.io/name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
"FirstCause": false,
"LastCause": false
},
{
"Number": 17,
"Content": " app.kubernetes.io/instance: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart",
"FirstCause": false,
"LastCause": false
},
{
"Number": 18,
"Content": " template:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 19,
"Content": " metadata:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 20,
"Content": " labels:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " app.kubernetes.io/name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
"FirstCause": false,
"LastCause": true
},
{
"Number": 22,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV040",
"AVDID": "AVD-KSV-0040",
"Title": "resource quota usage",
"Description": "Ensure a ResourceQuota policy is configured in order to limit aggregate resource usage within a namespace.",
"Message": "A ResourceQuota policy with hard memory and CPU quotas per namespace should be configured",
"Namespace": "builtin.kubernetes.KSV040",
"Query": "data.builtin.kubernetes.KSV040.deny",
"Resolution": "Create a ResourceQuota policy with memory and CPU quotas for each namespace.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv040",
"References": [
"https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/",
"https://avd.aquasec.com/misconfig/ksv040"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 13,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 13,
"Content": " replicas: 1",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m1",
"FirstCause": true,
"LastCause": false
},
{
"Number": 14,
"Content": " selector:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 15,
"Content": " matchLabels:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 16,
"Content": " app.kubernetes.io/name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
"FirstCause": false,
"LastCause": false
},
{
"Number": 17,
"Content": " app.kubernetes.io/instance: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart",
"FirstCause": false,
"LastCause": false
},
{
"Number": 18,
"Content": " template:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 19,
"Content": " metadata:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 20,
"Content": " labels:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " app.kubernetes.io/name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
"FirstCause": false,
"LastCause": true
},
{
"Number": 22,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV104",
"AVDID": "AVD-KSV-0104",
"Title": "Seccomp policies disabled",
"Description": "A program inside the container can bypass Seccomp protection policies.",
"Message": "container \"testchart\" of deployment \"testchart\" in \"default\" namespace should specify a seccomp profile",
"Namespace": "builtin.kubernetes.KSV104",
"Query": "data.builtin.kubernetes.KSV104.deny",
"Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104",
"References": [
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline",
"https://avd.aquasec.com/misconfig/ksv104"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 28,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - ALL",
"FirstCause": false,
"LastCause": false
},
{
"Number": 33,
"Content": " readOnlyRootFilesystem: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 34,
"Content": " runAsGroup: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": false
},
{
"Number": 35,
"Content": " runAsNonRoot: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 36,
"Content": " runAsUser: 0",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0",
"FirstCause": false,
"LastCause": true
},
{
"Number": 37,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV105",
"AVDID": "AVD-KSV-0105",
"Title": "Containers must not set runAsUser to 0",
"Description": "Containers should be forbidden from running with a root UID.",
"Message": "securityContext.runAsUser should be set to a value greater than 0",
"Namespace": "builtin.kubernetes.KSV105",
"Query": "data.builtin.kubernetes.KSV105.deny",
"Resolution": "Set 'securityContext.runAsUser' to a non-zero integer or leave undefined.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv105",
"References": [
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
"https://avd.aquasec.com/misconfig/ksv105"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 30,
"EndLine": 36,
"Code": {
"Lines": [
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
"FirstCause": true,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - ALL",
"FirstCause": false,
"LastCause": false
},
{
"Number": 33,
"Content": " readOnlyRootFilesystem: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 34,
"Content": " runAsGroup: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": false
},
{
"Number": 35,
"Content": " runAsNonRoot: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 36,
"Content": " runAsUser: 0",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV110",
"AVDID": "AVD-KSV-0110",
"Title": "Workloads in the default namespace",
"Description": "Checks whether a workload is running in the default namespace.",
"Message": "deployment testchart in default namespace should set metadata.namespace to a non-default namespace",
"Namespace": "builtin.kubernetes.KSV110",
"Query": "data.builtin.kubernetes.KSV110.deny",
"Resolution": "Set 'metadata.namespace' to a non-default namespace.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv110",
"References": [
"https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
"https://avd.aquasec.com/misconfig/ksv110"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 5,
"EndLine": 11,
"Code": {
"Lines": [
{
"Number": 5,
"Content": " name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 6,
"Content": " labels:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 7,
"Content": " helm.sh/chart: testchart-0.1.0",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mhelm.sh/chart\u001b[0m: testchart-0.1.0",
"FirstCause": false,
"LastCause": false
},
{
"Number": 8,
"Content": " app.kubernetes.io/name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
"FirstCause": false,
"LastCause": false
},
{
"Number": 9,
"Content": " app.kubernetes.io/instance: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": " app.kubernetes.io/version: \"1.16.0\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/version\u001b[0m: \u001b[38;5;37m\"1.16.0\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 11,
"Content": " app.kubernetes.io/managed-by: Helm",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mapp.kubernetes.io/managed-by\u001b[0m: Helm",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV117",
"AVDID": "AVD-KSV-0117",
"Title": "Prevent binding to privileged ports",
"Description": "The ports which are lower than 1024 receive and transmit various sensitive and privileged data. Allowing containers to use them can bring serious implications.",
"Message": "deployment testchart in default namespace should not set spec.template.spec.containers.ports.containerPort to less than 1024",
"Namespace": "builtin.kubernetes.KSV117",
"Query": "data.builtin.kubernetes.KSV117.deny",
"Resolution": "Do not map the container ports to privileged host ports when starting a container.",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv117",
"References": [
"https://kubernetes.io/docs/concepts/security/pod-security-standards/",
"https://www.stigviewer.com/stig/kubernetes/2022-12-02/finding/V-242414",
"https://avd.aquasec.com/misconfig/ksv117"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"Code": {
"Lines": null
},
"RenderedCause": {}
}
}
]
},
{
"Target": "templates/service.yaml",
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 59,
"Failures": 2
},
"Misconfigurations": [
{
"Type": "Helm Security Check",
"ID": "KSV039",
"AVDID": "AVD-KSV-0039",
"Title": "limit range usage",
"Description": "ensure limit range policy has configure in order to limit resource usage for namespaces or nodes",
"Message": "limit range policy with a default request and limit, min and max request, for each container should be configure",
"Namespace": "builtin.kubernetes.KSV039",
"Query": "data.builtin.kubernetes.KSV039.deny",
"Resolution": "create limit range policy with a default request and limit, min and max request, for each container.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv039",
"References": [
"https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/",
"https://avd.aquasec.com/misconfig/ksv039"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 13,
"EndLine": 21,
"Code": {
"Lines": [
{
"Number": 13,
"Content": " type: ClusterIP",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mtype\u001b[0m: ClusterIP",
"FirstCause": true,
"LastCause": false
},
{
"Number": 14,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 15,
"Content": " - port: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mport\u001b[0m: \u001b[38;5;37m80",
"FirstCause": false,
"LastCause": false
},
{
"Number": 16,
"Content": " targetPort: http",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mtargetPort\u001b[0m: http",
"FirstCause": false,
"LastCause": false
},
{
"Number": 17,
"Content": " protocol: TCP",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP",
"FirstCause": false,
"LastCause": false
},
{
"Number": 18,
"Content": " name: http",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mname\u001b[0m: http",
"FirstCause": false,
"LastCause": false
},
{
"Number": 19,
"Content": " selector:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mselector\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 20,
"Content": " app.kubernetes.io/name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " app.kubernetes.io/instance: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV040",
"AVDID": "AVD-KSV-0040",
"Title": "resource quota usage",
"Description": "ensure resource quota policy has configure in order to limit aggregate resource usage within namespace",
"Message": "resource quota policy with hard memory and cpu quota per namespace should be configure",
"Namespace": "builtin.kubernetes.KSV040",
"Query": "data.builtin.kubernetes.KSV040.deny",
"Resolution": "create resource quota policy with mem and cpu quota per each namespace",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv040",
"References": [
"https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/",
"https://avd.aquasec.com/misconfig/ksv040"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 13,
"EndLine": 21,
"Code": {
"Lines": [
{
"Number": 13,
"Content": " type: ClusterIP",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mtype\u001b[0m: ClusterIP",
"FirstCause": true,
"LastCause": false
},
{
"Number": 14,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 15,
"Content": " - port: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mport\u001b[0m: \u001b[38;5;37m80",
"FirstCause": false,
"LastCause": false
},
{
"Number": 16,
"Content": " targetPort: http",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mtargetPort\u001b[0m: http",
"FirstCause": false,
"LastCause": false
},
{
"Number": 17,
"Content": " protocol: TCP",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP",
"FirstCause": false,
"LastCause": false
},
{
"Number": 18,
"Content": " name: http",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mname\u001b[0m: http",
"FirstCause": false,
"LastCause": false
},
{
"Number": 19,
"Content": " selector:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mselector\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 20,
"Content": " app.kubernetes.io/name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " app.kubernetes.io/instance: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
}
]
},
{
"Target": "templates/serviceaccount.yaml",
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 60,
"Failures": 0
}
}
]
}