chore(deps): Update trivy-checks (#8798)
4
go.mod
4
go.mod
@@ -24,7 +24,7 @@ require (
|
||||
github.com/aquasecurity/table v1.8.0
|
||||
github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8
|
||||
github.com/aquasecurity/tml v0.6.1
|
||||
github.com/aquasecurity/trivy-checks v1.8.1
|
||||
github.com/aquasecurity/trivy-checks v1.10.0
|
||||
github.com/aquasecurity/trivy-db v0.0.0-20250227071930-8bd8a9b89e2d
|
||||
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
|
||||
github.com/aquasecurity/trivy-kubernetes v0.8.2
|
||||
@@ -98,7 +98,7 @@ require (
|
||||
github.com/package-url/packageurl-go v0.1.3
|
||||
github.com/quasilyte/go-ruleguard/dsl v0.3.22
|
||||
github.com/rust-secure-code/go-rustaudit v0.0.0-20250226111315-e20ec32e963c
|
||||
github.com/samber/lo v1.49.1
|
||||
github.com/samber/lo v1.50.0
|
||||
github.com/sassoftware/go-rpmutils v0.4.0
|
||||
github.com/secure-systems-lab/go-securesystemslib v0.9.0
|
||||
github.com/sigstore/rekor v1.3.10
|
||||
|
||||
8
go.sum
8
go.sum
@@ -802,8 +802,8 @@ github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8 h1:b43UVqY
|
||||
github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8/go.mod h1:wXA9k3uuaxY3yu7gxrxZDPo/04FEMJtwyecdAlYrEIo=
|
||||
github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
|
||||
github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
|
||||
github.com/aquasecurity/trivy-checks v1.8.1 h1:7df8KhZ0du2WAdGCUNcKYdz74iubAmP89+vaCUmxGbU=
|
||||
github.com/aquasecurity/trivy-checks v1.8.1/go.mod h1:zc1DGUFDUP/NUEMXlfaMsnVAEEEsygJrcd4SRQ7Mpko=
|
||||
github.com/aquasecurity/trivy-checks v1.10.0 h1:Q0FWsYy/uwvr/icRSOzNu55yDZ1ME8hZlpglNs62ZfE=
|
||||
github.com/aquasecurity/trivy-checks v1.10.0/go.mod h1:/b633SOFNp8RjkxSq+FOg4SgxjklUp+BIQEyTWCnN1k=
|
||||
github.com/aquasecurity/trivy-db v0.0.0-20250227071930-8bd8a9b89e2d h1:T16WrTi21YsMLQVhtp1r1hOIYK3x4BjnftpL9cp64Eo=
|
||||
github.com/aquasecurity/trivy-db v0.0.0-20250227071930-8bd8a9b89e2d/go.mod h1:4bTsQPtMBN8v+UfUlE1aQBN1imftefnDafHBF85+aT8=
|
||||
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
|
||||
@@ -1776,8 +1776,8 @@ github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkB
|
||||
github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
|
||||
github.com/sagikazarmark/locafero v0.7.0 h1:5MqpDsTGNDhY8sGp0Aowyf0qKsPrhewaLSsFaodPcyo=
|
||||
github.com/sagikazarmark/locafero v0.7.0/go.mod h1:2za3Cg5rMaTMoG/2Ulr9AwtFaIppKXTRYnozin4aB5k=
|
||||
github.com/samber/lo v1.49.1 h1:4BIFyVfuQSEpluc7Fua+j1NolZHiEHEpaSEKdsH0tew=
|
||||
github.com/samber/lo v1.49.1/go.mod h1:dO6KHFzUKXgP8LDhU0oI8d2hekjXnGOu0DB8Jecxd6o=
|
||||
github.com/samber/lo v1.50.0 h1:XrG0xOeHs+4FQ8gJR97zDz5uOFMW7OwFWiFVzqopKgY=
|
||||
github.com/samber/lo v1.50.0/go.mod h1:RjZyNk6WSnUFRKK6EyOhsRJMqft3G+pg7dCWHQCWvsc=
|
||||
github.com/samber/oops v1.15.0 h1:/mF33KAqA2TugU6y/tomFpK6G6mJB7g0aqRyHkaSIeg=
|
||||
github.com/samber/oops v1.15.0/go.mod h1:9LpLZkpjojEt/of7EpG5o65i/Lp23ddDvGhg2L871Ow=
|
||||
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
|
||||
|
||||
260
integration/testdata/helm.json.golden
vendored
260
integration/testdata/helm.json.golden
vendored
@@ -22,7 +22,7 @@
|
||||
"Type": "helm",
|
||||
"MisconfSummary": {
|
||||
"Successes": 78,
|
||||
"Failures": 22
|
||||
"Failures": 20
|
||||
},
|
||||
"Misconfigurations": [
|
||||
{
|
||||
@@ -1072,264 +1072,6 @@
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV039",
|
||||
"AVDID": "AVD-KSV-0039",
|
||||
"Title": "limit range usage",
|
||||
"Description": "ensure limit range policy has configure in order to limit resource usage for namespaces or nodes",
|
||||
"Message": "limit range policy with a default request and limit, min and max request, for each container should be configure",
|
||||
"Namespace": "builtin.kubernetes.KSV039",
|
||||
"Query": "data.builtin.kubernetes.KSV039.deny",
|
||||
"Resolution": "create limit range policy with a default request and limit, min and max request, for each container.",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv039",
|
||||
"References": [
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/",
|
||||
"https://avd.aquasec.com/misconfig/ksv039"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 9,
|
||||
"EndLine": 22,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 9,
|
||||
"Content": " replicas: 3",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m3",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 10,
|
||||
"Content": " selector:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 11,
|
||||
"Content": " matchLabels:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 12,
|
||||
"Content": " app: nginx",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp\u001b[0m: nginx",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 13,
|
||||
"Content": " template:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 14,
|
||||
"Content": " metadata:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 15,
|
||||
"Content": " labels:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 16,
|
||||
"Content": " app: nginx",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp\u001b[0m: nginx",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 17,
|
||||
"Content": " spec:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mspec\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 18,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": true,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV040",
|
||||
"AVDID": "AVD-KSV-0040",
|
||||
"Title": "resource quota usage",
|
||||
"Description": "ensure resource quota policy has configure in order to limit aggregate resource usage within namespace",
|
||||
"Message": "resource quota policy with hard memory and cpu quota per namespace should be configure",
|
||||
"Namespace": "builtin.kubernetes.KSV040",
|
||||
"Query": "data.builtin.kubernetes.KSV040.deny",
|
||||
"Resolution": "create resource quota policy with mem and cpu quota per each namespace",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv040",
|
||||
"References": [
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/",
|
||||
"https://avd.aquasec.com/misconfig/ksv040"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 9,
|
||||
"EndLine": 22,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 9,
|
||||
"Content": " replicas: 3",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m3",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 10,
|
||||
"Content": " selector:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 11,
|
||||
"Content": " matchLabels:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 12,
|
||||
"Content": " app: nginx",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp\u001b[0m: nginx",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 13,
|
||||
"Content": " template:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 14,
|
||||
"Content": " metadata:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 15,
|
||||
"Content": " labels:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 16,
|
||||
"Content": " app: nginx",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp\u001b[0m: nginx",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 17,
|
||||
"Content": " spec:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mspec\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 18,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": true,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV104",
|
||||
|
||||
508
integration/testdata/helm_testchart.json.golden
vendored
508
integration/testdata/helm_testchart.json.golden
vendored
@@ -22,7 +22,7 @@
|
||||
"Type": "helm",
|
||||
"MisconfSummary": {
|
||||
"Successes": 90,
|
||||
"Failures": 10
|
||||
"Failures": 8
|
||||
},
|
||||
"Misconfigurations": [
|
||||
{
|
||||
@@ -667,264 +667,6 @@
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV039",
|
||||
"AVDID": "AVD-KSV-0039",
|
||||
"Title": "limit range usage",
|
||||
"Description": "ensure limit range policy has configure in order to limit resource usage for namespaces or nodes",
|
||||
"Message": "limit range policy with a default request and limit, min and max request, for each container should be configure",
|
||||
"Namespace": "builtin.kubernetes.KSV039",
|
||||
"Query": "data.builtin.kubernetes.KSV039.deny",
|
||||
"Resolution": "create limit range policy with a default request and limit, min and max request, for each container.",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv039",
|
||||
"References": [
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/",
|
||||
"https://avd.aquasec.com/misconfig/ksv039"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 13,
|
||||
"EndLine": 57,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 13,
|
||||
"Content": " replicas: 1",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m1",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 14,
|
||||
"Content": " selector:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 15,
|
||||
"Content": " matchLabels:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 16,
|
||||
"Content": " app.kubernetes.io/name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 17,
|
||||
"Content": " app.kubernetes.io/instance: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 18,
|
||||
"Content": " template:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 19,
|
||||
"Content": " metadata:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 20,
|
||||
"Content": " labels:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 21,
|
||||
"Content": " app.kubernetes.io/name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 22,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": true,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV040",
|
||||
"AVDID": "AVD-KSV-0040",
|
||||
"Title": "resource quota usage",
|
||||
"Description": "ensure resource quota policy has configure in order to limit aggregate resource usage within namespace",
|
||||
"Message": "resource quota policy with hard memory and cpu quota per namespace should be configure",
|
||||
"Namespace": "builtin.kubernetes.KSV040",
|
||||
"Query": "data.builtin.kubernetes.KSV040.deny",
|
||||
"Resolution": "create resource quota policy with mem and cpu quota per each namespace",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv040",
|
||||
"References": [
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/",
|
||||
"https://avd.aquasec.com/misconfig/ksv040"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 13,
|
||||
"EndLine": 57,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 13,
|
||||
"Content": " replicas: 1",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m1",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 14,
|
||||
"Content": " selector:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 15,
|
||||
"Content": " matchLabels:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 16,
|
||||
"Content": " app.kubernetes.io/name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 17,
|
||||
"Content": " app.kubernetes.io/instance: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 18,
|
||||
"Content": " template:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 19,
|
||||
"Content": " metadata:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 20,
|
||||
"Content": " labels:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 21,
|
||||
"Content": " app.kubernetes.io/name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 22,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": true,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV104",
|
||||
@@ -1190,257 +932,15 @@
|
||||
"Type": "helm",
|
||||
"MisconfSummary": {
|
||||
"Successes": 59,
|
||||
"Failures": 2
|
||||
},
|
||||
"Misconfigurations": [
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV039",
|
||||
"AVDID": "AVD-KSV-0039",
|
||||
"Title": "limit range usage",
|
||||
"Description": "ensure limit range policy has configure in order to limit resource usage for namespaces or nodes",
|
||||
"Message": "limit range policy with a default request and limit, min and max request, for each container should be configure",
|
||||
"Namespace": "builtin.kubernetes.KSV039",
|
||||
"Query": "data.builtin.kubernetes.KSV039.deny",
|
||||
"Resolution": "create limit range policy with a default request and limit, min and max request, for each container.",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv039",
|
||||
"References": [
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/",
|
||||
"https://avd.aquasec.com/misconfig/ksv039"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 13,
|
||||
"EndLine": 21,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 13,
|
||||
"Content": " type: ClusterIP",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mtype\u001b[0m: ClusterIP",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 14,
|
||||
"Content": " ports:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 15,
|
||||
"Content": " - port: 80",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mport\u001b[0m: \u001b[38;5;37m80",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 16,
|
||||
"Content": " targetPort: http",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mtargetPort\u001b[0m: http",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 17,
|
||||
"Content": " protocol: TCP",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 18,
|
||||
"Content": " name: http",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mname\u001b[0m: http",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 19,
|
||||
"Content": " selector:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mselector\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 20,
|
||||
"Content": " app.kubernetes.io/name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 21,
|
||||
"Content": " app.kubernetes.io/instance: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV040",
|
||||
"AVDID": "AVD-KSV-0040",
|
||||
"Title": "resource quota usage",
|
||||
"Description": "ensure resource quota policy has configure in order to limit aggregate resource usage within namespace",
|
||||
"Message": "resource quota policy with hard memory and cpu quota per namespace should be configure",
|
||||
"Namespace": "builtin.kubernetes.KSV040",
|
||||
"Query": "data.builtin.kubernetes.KSV040.deny",
|
||||
"Resolution": "create resource quota policy with mem and cpu quota per each namespace",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv040",
|
||||
"References": [
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/",
|
||||
"https://avd.aquasec.com/misconfig/ksv040"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 13,
|
||||
"EndLine": 21,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 13,
|
||||
"Content": " type: ClusterIP",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mtype\u001b[0m: ClusterIP",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 14,
|
||||
"Content": " ports:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 15,
|
||||
"Content": " - port: 80",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mport\u001b[0m: \u001b[38;5;37m80",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 16,
|
||||
"Content": " targetPort: http",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mtargetPort\u001b[0m: http",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 17,
|
||||
"Content": " protocol: TCP",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 18,
|
||||
"Content": " name: http",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mname\u001b[0m: http",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 19,
|
||||
"Content": " selector:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mselector\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 20,
|
||||
"Content": " app.kubernetes.io/name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 21,
|
||||
"Content": " app.kubernetes.io/instance: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
]
|
||||
"Failures": 0
|
||||
}
|
||||
},
|
||||
{
|
||||
"Target": "templates/serviceaccount.yaml",
|
||||
"Class": "config",
|
||||
"Type": "helm",
|
||||
"MisconfSummary": {
|
||||
"Successes": 60,
|
||||
"Successes": 58,
|
||||
"Failures": 0
|
||||
}
|
||||
}
|
||||
|
||||
@@ -22,7 +22,7 @@
|
||||
"Type": "helm",
|
||||
"MisconfSummary": {
|
||||
"Successes": 88,
|
||||
"Failures": 12
|
||||
"Failures": 10
|
||||
},
|
||||
"Misconfigurations": [
|
||||
{
|
||||
@@ -796,264 +796,6 @@
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV039",
|
||||
"AVDID": "AVD-KSV-0039",
|
||||
"Title": "limit range usage",
|
||||
"Description": "ensure limit range policy has configure in order to limit resource usage for namespaces or nodes",
|
||||
"Message": "limit range policy with a default request and limit, min and max request, for each container should be configure",
|
||||
"Namespace": "builtin.kubernetes.KSV039",
|
||||
"Query": "data.builtin.kubernetes.KSV039.deny",
|
||||
"Resolution": "create limit range policy with a default request and limit, min and max request, for each container.",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv039",
|
||||
"References": [
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/",
|
||||
"https://avd.aquasec.com/misconfig/ksv039"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 13,
|
||||
"EndLine": 57,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 13,
|
||||
"Content": " replicas: 1",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m1",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 14,
|
||||
"Content": " selector:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 15,
|
||||
"Content": " matchLabels:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 16,
|
||||
"Content": " app.kubernetes.io/name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 17,
|
||||
"Content": " app.kubernetes.io/instance: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 18,
|
||||
"Content": " template:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 19,
|
||||
"Content": " metadata:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 20,
|
||||
"Content": " labels:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 21,
|
||||
"Content": " app.kubernetes.io/name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 22,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": true,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV040",
|
||||
"AVDID": "AVD-KSV-0040",
|
||||
"Title": "resource quota usage",
|
||||
"Description": "ensure resource quota policy has configure in order to limit aggregate resource usage within namespace",
|
||||
"Message": "resource quota policy with hard memory and cpu quota per namespace should be configure",
|
||||
"Namespace": "builtin.kubernetes.KSV040",
|
||||
"Query": "data.builtin.kubernetes.KSV040.deny",
|
||||
"Resolution": "create resource quota policy with mem and cpu quota per each namespace",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv040",
|
||||
"References": [
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/",
|
||||
"https://avd.aquasec.com/misconfig/ksv040"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 13,
|
||||
"EndLine": 57,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 13,
|
||||
"Content": " replicas: 1",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m1",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 14,
|
||||
"Content": " selector:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 15,
|
||||
"Content": " matchLabels:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 16,
|
||||
"Content": " app.kubernetes.io/name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 17,
|
||||
"Content": " app.kubernetes.io/instance: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 18,
|
||||
"Content": " template:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 19,
|
||||
"Content": " metadata:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 20,
|
||||
"Content": " labels:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 21,
|
||||
"Content": " app.kubernetes.io/name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 22,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": true,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV104",
|
||||
@@ -1419,257 +1161,15 @@
|
||||
"Type": "helm",
|
||||
"MisconfSummary": {
|
||||
"Successes": 59,
|
||||
"Failures": 2
|
||||
},
|
||||
"Misconfigurations": [
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV039",
|
||||
"AVDID": "AVD-KSV-0039",
|
||||
"Title": "limit range usage",
|
||||
"Description": "ensure limit range policy has configure in order to limit resource usage for namespaces or nodes",
|
||||
"Message": "limit range policy with a default request and limit, min and max request, for each container should be configure",
|
||||
"Namespace": "builtin.kubernetes.KSV039",
|
||||
"Query": "data.builtin.kubernetes.KSV039.deny",
|
||||
"Resolution": "create limit range policy with a default request and limit, min and max request, for each container.",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv039",
|
||||
"References": [
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/",
|
||||
"https://avd.aquasec.com/misconfig/ksv039"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 13,
|
||||
"EndLine": 21,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 13,
|
||||
"Content": " type: ClusterIP",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mtype\u001b[0m: ClusterIP",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 14,
|
||||
"Content": " ports:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 15,
|
||||
"Content": " - port: 80",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mport\u001b[0m: \u001b[38;5;37m80",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 16,
|
||||
"Content": " targetPort: http",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mtargetPort\u001b[0m: http",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 17,
|
||||
"Content": " protocol: TCP",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 18,
|
||||
"Content": " name: http",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mname\u001b[0m: http",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 19,
|
||||
"Content": " selector:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mselector\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 20,
|
||||
"Content": " app.kubernetes.io/name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 21,
|
||||
"Content": " app.kubernetes.io/instance: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV040",
|
||||
"AVDID": "AVD-KSV-0040",
|
||||
"Title": "resource quota usage",
|
||||
"Description": "ensure resource quota policy has configure in order to limit aggregate resource usage within namespace",
|
||||
"Message": "resource quota policy with hard memory and cpu quota per namespace should be configure",
|
||||
"Namespace": "builtin.kubernetes.KSV040",
|
||||
"Query": "data.builtin.kubernetes.KSV040.deny",
|
||||
"Resolution": "create resource quota policy with mem and cpu quota per each namespace",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv040",
|
||||
"References": [
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/",
|
||||
"https://avd.aquasec.com/misconfig/ksv040"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 13,
|
||||
"EndLine": 21,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 13,
|
||||
"Content": " type: ClusterIP",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mtype\u001b[0m: ClusterIP",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 14,
|
||||
"Content": " ports:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 15,
|
||||
"Content": " - port: 80",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mport\u001b[0m: \u001b[38;5;37m80",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 16,
|
||||
"Content": " targetPort: http",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mtargetPort\u001b[0m: http",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 17,
|
||||
"Content": " protocol: TCP",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 18,
|
||||
"Content": " name: http",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mname\u001b[0m: http",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 19,
|
||||
"Content": " selector:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mselector\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 20,
|
||||
"Content": " app.kubernetes.io/name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 21,
|
||||
"Content": " app.kubernetes.io/instance: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
]
|
||||
"Failures": 0
|
||||
}
|
||||
},
|
||||
{
|
||||
"Target": "templates/serviceaccount.yaml",
|
||||
"Class": "config",
|
||||
"Type": "helm",
|
||||
"MisconfSummary": {
|
||||
"Successes": 60,
|
||||
"Successes": 58,
|
||||
"Failures": 0
|
||||
}
|
||||
}
|
||||
|
||||
@@ -37,8 +37,6 @@ func TestScanner_ScanFS(t *testing.T) {
|
||||
"AVD-KSV-0020", "AVD-KSV-0021", "AVD-KSV-0030",
|
||||
"AVD-KSV-0104", "AVD-KSV-0106",
|
||||
"AVD-KSV-0032",
|
||||
"AVD-KSV-0040",
|
||||
"AVD-KSV-0039",
|
||||
"AVD-KSV-0004",
|
||||
"AVD-KSV-0035",
|
||||
"AVD-KSV-0033",
|
||||
@@ -57,8 +55,6 @@ func TestScanner_ScanFS(t *testing.T) {
|
||||
"AVD-KSV-0104", "AVD-KSV-0106",
|
||||
"AVD-KSV-0117", "AVD-KSV-0110",
|
||||
"AVD-KSV-0032",
|
||||
"AVD-KSV-0040",
|
||||
"AVD-KSV-0039",
|
||||
"AVD-KSV-0004",
|
||||
"AVD-KSV-0035",
|
||||
"AVD-KSV-0033",
|
||||
@@ -82,8 +78,6 @@ func TestScanner_ScanFS(t *testing.T) {
|
||||
"AVD-KSV-0016", "AVD-KSV-0001", "AVD-KSV-0011",
|
||||
"AVD-KSV-0015", "AVD-KSV-0021", "AVD-KSV-0110", "AVD-KSV-0020",
|
||||
"AVD-KSV-0032",
|
||||
"AVD-KSV-0040",
|
||||
"AVD-KSV-0039",
|
||||
"AVD-KSV-0004",
|
||||
"AVD-KSV-0035",
|
||||
}),
|
||||
@@ -121,8 +115,6 @@ deny[res] {
|
||||
"AVD-KSV-0020", "AVD-KSV-0021", "AVD-KSV-0030",
|
||||
"AVD-KSV-0104", "AVD-KSV-0106", "AVD-USR-ID001",
|
||||
"AVD-KSV-0032",
|
||||
"AVD-KSV-0040",
|
||||
"AVD-KSV-0039",
|
||||
"AVD-KSV-0004",
|
||||
"AVD-KSV-0035",
|
||||
"AVD-KSV-0033",
|
||||
|
||||
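Review bot: Nothing in the four TestScanner_ScanFS hunks records why the expected ID lists shrink. Each `@@` header drops two lines (8 → 6); judging by the golden-file change in the same commit these are presumably `"AVD-KSV-0040"` and `"AVD-KSV-0039"`, though the +/- markers are lost in this rendering. A test whose expectations simply follow the new scanner output cannot tell an intended upstream removal from a check that silently stopped loading after the bundle bump. I would add a comment beside the first list, e.g. `// AVD-KSV-0039 and AVD-KSV-0040 are no longer reported as of trivy-checks v1.10.0` (wording to be confirmed against the trivy-checks changelog), and name the upstream change in the commit description. The enclosing test function starts and ends outside the hunks.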