mirror of
https://github.com/aquasecurity/trivy.git
synced 2025-12-12 07:40:48 -08:00
chore(deps): Bump trivy-checks (#8619)
This commit is contained in:
simar7
12
go.mod
12
go.mod
@@ -24,7 +24,7 @@ require (
|
||||
github.com/aquasecurity/table v1.8.0
|
||||
github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8
|
||||
github.com/aquasecurity/tml v0.6.1
|
||||
github.com/aquasecurity/trivy-checks v1.7.1
|
||||
github.com/aquasecurity/trivy-checks v1.8.0
|
||||
github.com/aquasecurity/trivy-db v0.0.0-20250227071930-8bd8a9b89e2d
|
||||
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
|
||||
github.com/aquasecurity/trivy-kubernetes v0.7.0
|
||||
@@ -39,11 +39,11 @@ require (
|
||||
github.com/bmatcuk/doublestar/v4 v4.8.1
|
||||
github.com/cenkalti/backoff/v4 v4.3.0
|
||||
github.com/cheggaaa/pb/v3 v3.1.7
|
||||
github.com/containerd/containerd/v2 v2.0.3
|
||||
github.com/containerd/containerd/v2 v2.0.4
|
||||
github.com/containerd/platforms v1.0.0-rc.1
|
||||
github.com/distribution/reference v0.6.0
|
||||
github.com/docker/cli v27.5.0+incompatible
|
||||
github.com/docker/docker v27.5.0+incompatible
|
||||
github.com/docker/docker v27.5.1+incompatible
|
||||
github.com/docker/go-connections v0.5.0
|
||||
github.com/docker/go-units v0.5.0
|
||||
github.com/fatih/color v1.18.0
|
||||
@@ -53,7 +53,7 @@ require (
|
||||
github.com/go-openapi/strfmt v0.23.0 // indirect
|
||||
github.com/go-redis/redis/v8 v8.11.5
|
||||
github.com/gocsaf/csaf/v3 v3.1.1
|
||||
github.com/golang-jwt/jwt/v5 v5.2.1
|
||||
github.com/golang-jwt/jwt/v5 v5.2.2
|
||||
github.com/google/go-containerregistry v0.20.3
|
||||
github.com/google/go-github/v62 v62.0.0
|
||||
github.com/google/licenseclassifier/v2 v2.0.0
|
||||
@@ -189,7 +189,7 @@ require (
|
||||
github.com/cloudflare/circl v1.6.0 // indirect
|
||||
github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 // indirect
|
||||
github.com/containerd/cgroups/v3 v3.0.3 // indirect
|
||||
github.com/containerd/containerd v1.7.26 // indirect
|
||||
github.com/containerd/containerd v1.7.27 // indirect
|
||||
github.com/containerd/containerd/api v1.8.0 // indirect
|
||||
github.com/containerd/continuity v0.4.5 // indirect
|
||||
github.com/containerd/errdefs v1.0.0 // indirect
|
||||
@@ -409,7 +409,7 @@ require (
|
||||
modernc.org/libc v1.61.13 // indirect
|
||||
modernc.org/mathutil v1.7.1 // indirect
|
||||
modernc.org/memory v1.8.2 // indirect
|
||||
mvdan.cc/sh/v3 v3.10.0 // indirect
|
||||
mvdan.cc/sh/v3 v3.11.0 // indirect
|
||||
oras.land/oras-go v1.2.5 // indirect
|
||||
sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
|
||||
sigs.k8s.io/kustomize/api v0.18.0 // indirect
|
||||
|
||||
32
go.sum
32
go.sum
@@ -802,8 +802,8 @@ github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8 h1:b43UVqY
|
||||
github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8/go.mod h1:wXA9k3uuaxY3yu7gxrxZDPo/04FEMJtwyecdAlYrEIo=
|
||||
github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
|
||||
github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
|
||||
github.com/aquasecurity/trivy-checks v1.7.1 h1:Pn+Mk0SkqY7adfZT6ZsRjCuum3svr7n5z3w+HpGXmbY=
|
||||
github.com/aquasecurity/trivy-checks v1.7.1/go.mod h1:YhmXAXgRdYIAYIr+/k/oEYUWoW7ZgGctmnJiV17ZcU8=
|
||||
github.com/aquasecurity/trivy-checks v1.8.0 h1:frMR06SEeDff1oEO6wBaTCqZCTBmZ+j8QAAl5EM1M4w=
|
||||
github.com/aquasecurity/trivy-checks v1.8.0/go.mod h1:zc1DGUFDUP/NUEMXlfaMsnVAEEEsygJrcd4SRQ7Mpko=
|
||||
github.com/aquasecurity/trivy-db v0.0.0-20250227071930-8bd8a9b89e2d h1:T16WrTi21YsMLQVhtp1r1hOIYK3x4BjnftpL9cp64Eo=
|
||||
github.com/aquasecurity/trivy-db v0.0.0-20250227071930-8bd8a9b89e2d/go.mod h1:4bTsQPtMBN8v+UfUlE1aQBN1imftefnDafHBF85+aT8=
|
||||
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
|
||||
@@ -944,12 +944,12 @@ github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL
|
||||
github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w=
|
||||
github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0=
|
||||
github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0=
|
||||
github.com/containerd/containerd v1.7.26 h1:3cs8K2RHlMQaPifLqgRyI4VBkoldNdEw62cb7qQga7k=
|
||||
github.com/containerd/containerd v1.7.26/go.mod h1:m4JU0E+h0ebbo9yXD7Hyt+sWnc8tChm7MudCjj4jRvQ=
|
||||
github.com/containerd/containerd v1.7.27 h1:yFyEyojddO3MIGVER2xJLWoCIn+Up4GaHFquP7hsFII=
|
||||
github.com/containerd/containerd v1.7.27/go.mod h1:xZmPnl75Vc+BLGt4MIfu6bp+fy03gdHAn9bz+FreFR0=
|
||||
github.com/containerd/containerd/api v1.8.0 h1:hVTNJKR8fMc/2Tiw60ZRijntNMd1U+JVMyTRdsD2bS0=
|
||||
github.com/containerd/containerd/api v1.8.0/go.mod h1:dFv4lt6S20wTu/hMcP4350RL87qPWLVa/OHOwmmdnYc=
|
||||
github.com/containerd/containerd/v2 v2.0.3 h1:zBKgwgZsuu+LPCMzCLgA4sC4MiZzZ59ZT31XkmiISQM=
|
||||
github.com/containerd/containerd/v2 v2.0.3/go.mod h1:5j9QUUaV/cy9ZeAx4S+8n9ffpf+iYnEj4jiExgcbuLY=
|
||||
github.com/containerd/containerd/v2 v2.0.4 h1:+r7yJMwhTfMm3CDyiBjMBQO8a9CTBxL2Bg/JtqtIwB8=
|
||||
github.com/containerd/containerd/v2 v2.0.4/go.mod h1:5j9QUUaV/cy9ZeAx4S+8n9ffpf+iYnEj4jiExgcbuLY=
|
||||
github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4=
|
||||
github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
|
||||
github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
|
||||
@@ -980,8 +980,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t
|
||||
github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
|
||||
github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
|
||||
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
|
||||
github.com/creack/pty v1.1.23 h1:4M6+isWdcStXEf15G/RbrMPOQj1dZ7HPZCGwE4kOeP0=
|
||||
github.com/creack/pty v1.1.23/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
|
||||
github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
|
||||
github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
|
||||
github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 h1:2Dx4IHfC1yHWI12AxQDJM1QbRCDfk6M+blLzlZCXdrc=
|
||||
github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw=
|
||||
github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s=
|
||||
@@ -1017,8 +1017,8 @@ github.com/docker/cli v27.5.0+incompatible h1:aMphQkcGtpHixwwhAXJT1rrK/detk2JIvD
|
||||
github.com/docker/cli v27.5.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
|
||||
github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
|
||||
github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
|
||||
github.com/docker/docker v27.5.0+incompatible h1:um++2NcQtGRTz5eEgO6aJimo6/JxrTXC941hd05JO6U=
|
||||
github.com/docker/docker v27.5.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
|
||||
github.com/docker/docker v27.5.1+incompatible h1:4PYU5dnBYqRQi0294d1FBECqT9ECWeQAIfE8q4YnPY8=
|
||||
github.com/docker/docker v27.5.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
|
||||
github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
|
||||
github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
|
||||
github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
|
||||
@@ -1201,8 +1201,8 @@ github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzw
|
||||
github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
|
||||
github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
|
||||
github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
|
||||
github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
|
||||
github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
|
||||
github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
|
||||
github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
|
||||
github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
|
||||
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
|
||||
github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
|
||||
@@ -1412,8 +1412,8 @@ github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs
|
||||
github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
|
||||
github.com/hashicorp/hc-install v0.9.1 h1:gkqTfE3vVbafGQo6VZXcy2v5yoz2bE0+nhZXruCuODQ=
|
||||
github.com/hashicorp/hc-install v0.9.1/go.mod h1:pWWvN/IrfeBK4XPeXXYkL6EjMufHkCK5DvwxeLKuBf0=
|
||||
github.com/hashicorp/hcl v1.0.1-vault-7 h1:ag5OxFVy3QYTFTJODRzTKVZ6xvdfLLCA1cy/Y6xGI0I=
|
||||
github.com/hashicorp/hcl v1.0.1-vault-7/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
|
||||
github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM=
|
||||
github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
|
||||
github.com/hashicorp/hcl/v2 v2.23.0 h1:Fphj1/gCylPxHutVSEOf2fBOh1VE4AuLV7+kbJf3qos=
|
||||
github.com/hashicorp/hcl/v2 v2.23.0/go.mod h1:62ZYHrXgPoX8xBnzl8QzbWq4dyDsDtfCRgIq1rbJEvA=
|
||||
github.com/hashicorp/terraform-exec v0.22.0 h1:G5+4Sz6jYZfRYUCg6eQgDsqTzkNXV+fP8l+uRmZHj64=
|
||||
@@ -2880,8 +2880,8 @@ modernc.org/token v1.0.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
|
||||
modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
|
||||
modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
|
||||
modernc.org/z v1.5.1/go.mod h1:eWFB510QWW5Th9YGZT81s+LwvaAs3Q2yr4sP0rmLkv8=
|
||||
mvdan.cc/sh/v3 v3.10.0 h1:v9z7N1DLZ7owyLM/SXZQkBSXcwr2IGMm2LY2pmhVXj4=
|
||||
mvdan.cc/sh/v3 v3.10.0/go.mod h1:z/mSSVyLFGZzqb3ZIKojjyqIx/xbmz/UHdCSv9HmqXY=
|
||||
mvdan.cc/sh/v3 v3.11.0 h1:q5h+XMDRfUGUedCqFFsjoFjrhwf2Mvtt1rkMvVz0blw=
|
||||
mvdan.cc/sh/v3 v3.11.0/go.mod h1:LRM+1NjoYCzuq/WZ6y44x14YNAI0NK7FLPeQSaFagGg=
|
||||
oras.land/oras-go v1.2.5 h1:XpYuAwAb0DfQsunIyMfeET92emK8km3W4yEzZvUbsTo=
|
||||
oras.land/oras-go v1.2.5/go.mod h1:PuAwRShRZCsZb7g8Ar3jKKQR/2A/qN+pkYxIOd/FAoo=
|
||||
rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
|
||||
|
||||
537
integration/testdata/helm.json.golden
vendored
537
integration/testdata/helm.json.golden
vendored
@@ -22,7 +22,7 @@
|
||||
"Type": "helm",
|
||||
"MisconfSummary": {
|
||||
"Successes": 78,
|
||||
"Failures": 16
|
||||
"Failures": 22
|
||||
},
|
||||
"Misconfigurations": [
|
||||
{
|
||||
@@ -165,6 +165,76 @@
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV004",
|
||||
"AVDID": "AVD-KSV-0004",
|
||||
"Title": "Default capabilities: some containers do not drop any",
|
||||
"Description": "Security best practices require containers to run with minimal required capabilities.",
|
||||
"Message": "Container 'nginx' of 'deployment' 'nginx-deployment' in 'default' namespace should set securityContext.capabilities.drop",
|
||||
"Namespace": "builtin.kubernetes.KSV004",
|
||||
"Query": "data.builtin.kubernetes.KSV004.deny",
|
||||
"Resolution": "Specify at least one unneeded capability in 'containers[].securityContext.capabilities.drop'",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv004",
|
||||
"References": [
|
||||
"https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/",
|
||||
"https://avd.aquasec.com/misconfig/ksv004"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 19,
|
||||
"EndLine": 22,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 19,
|
||||
"Content": " - name: nginx",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 20,
|
||||
"Content": " image: nginx:1.14.2",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 21,
|
||||
"Content": " ports:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 22,
|
||||
"Content": " - containerPort: 80",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV011",
|
||||
@@ -795,6 +865,471 @@
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV032",
|
||||
"AVDID": "AVD-KSV-0032",
|
||||
"Title": "All container images must start with the *.azurecr.io domain",
|
||||
"Description": "Containers should only use images from trusted registries.",
|
||||
"Message": "container nginx of deployment nginx-deployment in default namespace should restrict container image to your specific registry domain. For Azure any domain ending in 'azurecr.io'",
|
||||
"Namespace": "builtin.kubernetes.KSV032",
|
||||
"Query": "data.builtin.kubernetes.KSV032.deny",
|
||||
"Resolution": "Use images from trusted Azure registries.",
|
||||
"Severity": "MEDIUM",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv032",
|
||||
"References": [
|
||||
"https://avd.aquasec.com/misconfig/ksv032"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 19,
|
||||
"EndLine": 22,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 19,
|
||||
"Content": " - name: nginx",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 20,
|
||||
"Content": " image: nginx:1.14.2",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 21,
|
||||
"Content": " ports:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 22,
|
||||
"Content": " - containerPort: 80",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV033",
|
||||
"AVDID": "AVD-KSV-0033",
|
||||
"Title": "All container images must start with a GCR domain",
|
||||
"Description": "Containers should only use images from trusted GCR registries.",
|
||||
"Message": "container nginx of deployment nginx-deployment in default namespace should restrict container image to your specific registry domain. See the full GCR list here: https://cloud.google.com/container-registry/docs/overview#registries",
|
||||
"Namespace": "builtin.kubernetes.KSV033",
|
||||
"Query": "data.builtin.kubernetes.KSV033.deny",
|
||||
"Resolution": "Use images from trusted GCR registries.",
|
||||
"Severity": "MEDIUM",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv033",
|
||||
"References": [
|
||||
"https://avd.aquasec.com/misconfig/ksv033"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 19,
|
||||
"EndLine": 22,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 19,
|
||||
"Content": " - name: nginx",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 20,
|
||||
"Content": " image: nginx:1.14.2",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 21,
|
||||
"Content": " ports:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 22,
|
||||
"Content": " - containerPort: 80",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV035",
|
||||
"AVDID": "AVD-KSV-0035",
|
||||
"Title": "All container images must start with an ECR domain",
|
||||
"Description": "Container images from non-ECR registries should be forbidden.",
|
||||
"Message": "Container 'nginx' of Deployment 'nginx-deployment' should restrict images to own ECR repository. See the full ECR list here: https://docs.aws.amazon.com/general/latest/gr/ecr.html",
|
||||
"Namespace": "builtin.kubernetes.KSV035",
|
||||
"Query": "data.builtin.kubernetes.KSV035.deny",
|
||||
"Resolution": "Container image should be used from Amazon container Registry",
|
||||
"Severity": "MEDIUM",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv035",
|
||||
"References": [
|
||||
"https://avd.aquasec.com/misconfig/ksv035"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 19,
|
||||
"EndLine": 22,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 19,
|
||||
"Content": " - name: nginx",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 20,
|
||||
"Content": " image: nginx:1.14.2",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 21,
|
||||
"Content": " ports:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 22,
|
||||
"Content": " - containerPort: 80",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV039",
|
||||
"AVDID": "AVD-KSV-0039",
|
||||
"Title": "limit range usage",
|
||||
"Description": "ensure limit range policy has configure in order to limit resource usage for namespaces or nodes",
|
||||
"Message": "limit range policy with a default request and limit, min and max request, for each container should be configure",
|
||||
"Namespace": "builtin.kubernetes.KSV039",
|
||||
"Query": "data.builtin.kubernetes.KSV039.deny",
|
||||
"Resolution": "create limit range policy with a default request and limit, min and max request, for each container.",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv039",
|
||||
"References": [
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/",
|
||||
"https://avd.aquasec.com/misconfig/ksv039"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 9,
|
||||
"EndLine": 22,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 9,
|
||||
"Content": " replicas: 3",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m3",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 10,
|
||||
"Content": " selector:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 11,
|
||||
"Content": " matchLabels:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 12,
|
||||
"Content": " app: nginx",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp\u001b[0m: nginx",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 13,
|
||||
"Content": " template:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 14,
|
||||
"Content": " metadata:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 15,
|
||||
"Content": " labels:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 16,
|
||||
"Content": " app: nginx",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp\u001b[0m: nginx",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 17,
|
||||
"Content": " spec:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mspec\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 18,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": true,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV040",
|
||||
"AVDID": "AVD-KSV-0040",
|
||||
"Title": "resource quota usage",
|
||||
"Description": "ensure resource quota policy has configure in order to limit aggregate resource usage within namespace",
|
||||
"Message": "resource quota policy with hard memory and cpu quota per namespace should be configure",
|
||||
"Namespace": "builtin.kubernetes.KSV040",
|
||||
"Query": "data.builtin.kubernetes.KSV040.deny",
|
||||
"Resolution": "create resource quota policy with mem and cpu quota per each namespace",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv040",
|
||||
"References": [
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/",
|
||||
"https://avd.aquasec.com/misconfig/ksv040"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 9,
|
||||
"EndLine": 22,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 9,
|
||||
"Content": " replicas: 3",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m3",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 10,
|
||||
"Content": " selector:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 11,
|
||||
"Content": " matchLabels:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 12,
|
||||
"Content": " app: nginx",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp\u001b[0m: nginx",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 13,
|
||||
"Content": " template:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 14,
|
||||
"Content": " metadata:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 15,
|
||||
"Content": " labels:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 16,
|
||||
"Content": " app: nginx",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp\u001b[0m: nginx",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 17,
|
||||
"Content": " spec:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mspec\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 18,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": true,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV104",
|
||||
|
||||
894
integration/testdata/helm_testchart.json.golden
vendored
894
integration/testdata/helm_testchart.json.golden
vendored
@@ -21,8 +21,8 @@
|
||||
"Class": "config",
|
||||
"Type": "helm",
|
||||
"MisconfSummary": {
|
||||
"Successes": 89,
|
||||
"Failures": 5
|
||||
"Successes": 90,
|
||||
"Failures": 10
|
||||
},
|
||||
"Misconfigurations": [
|
||||
{
|
||||
@@ -283,6 +283,648 @@
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV032",
|
||||
"AVDID": "AVD-KSV-0032",
|
||||
"Title": "All container images must start with the *.azurecr.io domain",
|
||||
"Description": "Containers should only use images from trusted registries.",
|
||||
"Message": "container testchart of deployment testchart in default namespace should restrict container image to your specific registry domain. For Azure any domain ending in 'azurecr.io'",
|
||||
"Namespace": "builtin.kubernetes.KSV032",
|
||||
"Query": "data.builtin.kubernetes.KSV032.deny",
|
||||
"Resolution": "Use images from trusted Azure registries.",
|
||||
"Severity": "MEDIUM",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv032",
|
||||
"References": [
|
||||
"https://avd.aquasec.com/misconfig/ksv032"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 28,
|
||||
"EndLine": 57,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 28,
|
||||
"Content": " - name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 29,
|
||||
"Content": " securityContext:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 30,
|
||||
"Content": " capabilities:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 31,
|
||||
"Content": " drop:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 32,
|
||||
"Content": " - ALL",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - ALL",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 33,
|
||||
"Content": " readOnlyRootFilesystem: true",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 34,
|
||||
"Content": " runAsGroup: 10001",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 35,
|
||||
"Content": " runAsNonRoot: true",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 36,
|
||||
"Content": " runAsUser: 10001",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m10001",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 37,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": true,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV033",
|
||||
"AVDID": "AVD-KSV-0033",
|
||||
"Title": "All container images must start with a GCR domain",
|
||||
"Description": "Containers should only use images from trusted GCR registries.",
|
||||
"Message": "container testchart of deployment testchart in default namespace should restrict container image to your specific registry domain. See the full GCR list here: https://cloud.google.com/container-registry/docs/overview#registries",
|
||||
"Namespace": "builtin.kubernetes.KSV033",
|
||||
"Query": "data.builtin.kubernetes.KSV033.deny",
|
||||
"Resolution": "Use images from trusted GCR registries.",
|
||||
"Severity": "MEDIUM",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv033",
|
||||
"References": [
|
||||
"https://avd.aquasec.com/misconfig/ksv033"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 28,
|
||||
"EndLine": 57,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 28,
|
||||
"Content": " - name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 29,
|
||||
"Content": " securityContext:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 30,
|
||||
"Content": " capabilities:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 31,
|
||||
"Content": " drop:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 32,
|
||||
"Content": " - ALL",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - ALL",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 33,
|
||||
"Content": " readOnlyRootFilesystem: true",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 34,
|
||||
"Content": " runAsGroup: 10001",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 35,
|
||||
"Content": " runAsNonRoot: true",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 36,
|
||||
"Content": " runAsUser: 10001",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m10001",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 37,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": true,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV035",
|
||||
"AVDID": "AVD-KSV-0035",
|
||||
"Title": "All container images must start with an ECR domain",
|
||||
"Description": "Container images from non-ECR registries should be forbidden.",
|
||||
"Message": "Container 'testchart' of Deployment 'testchart' should restrict images to own ECR repository. See the full ECR list here: https://docs.aws.amazon.com/general/latest/gr/ecr.html",
|
||||
"Namespace": "builtin.kubernetes.KSV035",
|
||||
"Query": "data.builtin.kubernetes.KSV035.deny",
|
||||
"Resolution": "Container image should be used from Amazon container Registry",
|
||||
"Severity": "MEDIUM",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv035",
|
||||
"References": [
|
||||
"https://avd.aquasec.com/misconfig/ksv035"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 28,
|
||||
"EndLine": 57,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 28,
|
||||
"Content": " - name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 29,
|
||||
"Content": " securityContext:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 30,
|
||||
"Content": " capabilities:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 31,
|
||||
"Content": " drop:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 32,
|
||||
"Content": " - ALL",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - ALL",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 33,
|
||||
"Content": " readOnlyRootFilesystem: true",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 34,
|
||||
"Content": " runAsGroup: 10001",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 35,
|
||||
"Content": " runAsNonRoot: true",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 36,
|
||||
"Content": " runAsUser: 10001",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m10001",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 37,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": true,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV039",
|
||||
"AVDID": "AVD-KSV-0039",
|
||||
"Title": "limit range usage",
|
||||
"Description": "ensure limit range policy has configure in order to limit resource usage for namespaces or nodes",
|
||||
"Message": "limit range policy with a default request and limit, min and max request, for each container should be configure",
|
||||
"Namespace": "builtin.kubernetes.KSV039",
|
||||
"Query": "data.builtin.kubernetes.KSV039.deny",
|
||||
"Resolution": "create limit range policy with a default request and limit, min and max request, for each container.",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv039",
|
||||
"References": [
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/",
|
||||
"https://avd.aquasec.com/misconfig/ksv039"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 13,
|
||||
"EndLine": 57,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 13,
|
||||
"Content": " replicas: 1",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m1",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 14,
|
||||
"Content": " selector:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 15,
|
||||
"Content": " matchLabels:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 16,
|
||||
"Content": " app.kubernetes.io/name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 17,
|
||||
"Content": " app.kubernetes.io/instance: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 18,
|
||||
"Content": " template:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 19,
|
||||
"Content": " metadata:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 20,
|
||||
"Content": " labels:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 21,
|
||||
"Content": " app.kubernetes.io/name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 22,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": true,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV040",
|
||||
"AVDID": "AVD-KSV-0040",
|
||||
"Title": "resource quota usage",
|
||||
"Description": "ensure resource quota policy has configure in order to limit aggregate resource usage within namespace",
|
||||
"Message": "resource quota policy with hard memory and cpu quota per namespace should be configure",
|
||||
"Namespace": "builtin.kubernetes.KSV040",
|
||||
"Query": "data.builtin.kubernetes.KSV040.deny",
|
||||
"Resolution": "create resource quota policy with mem and cpu quota per each namespace",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv040",
|
||||
"References": [
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/",
|
||||
"https://avd.aquasec.com/misconfig/ksv040"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 13,
|
||||
"EndLine": 57,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 13,
|
||||
"Content": " replicas: 1",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m1",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 14,
|
||||
"Content": " selector:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 15,
|
||||
"Content": " matchLabels:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 16,
|
||||
"Content": " app.kubernetes.io/name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 17,
|
||||
"Content": " app.kubernetes.io/instance: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 18,
|
||||
"Content": " template:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 19,
|
||||
"Content": " metadata:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 20,
|
||||
"Content": " labels:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 21,
|
||||
"Content": " app.kubernetes.io/name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 22,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": true,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV104",
|
||||
@@ -547,9 +1189,251 @@
|
||||
"Class": "config",
|
||||
"Type": "helm",
|
||||
"MisconfSummary": {
|
||||
"Successes": 61,
|
||||
"Failures": 0
|
||||
}
|
||||
"Successes": 59,
|
||||
"Failures": 2
|
||||
},
|
||||
"Misconfigurations": [
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV039",
|
||||
"AVDID": "AVD-KSV-0039",
|
||||
"Title": "limit range usage",
|
||||
"Description": "ensure limit range policy has configure in order to limit resource usage for namespaces or nodes",
|
||||
"Message": "limit range policy with a default request and limit, min and max request, for each container should be configure",
|
||||
"Namespace": "builtin.kubernetes.KSV039",
|
||||
"Query": "data.builtin.kubernetes.KSV039.deny",
|
||||
"Resolution": "create limit range policy with a default request and limit, min and max request, for each container.",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv039",
|
||||
"References": [
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/",
|
||||
"https://avd.aquasec.com/misconfig/ksv039"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 13,
|
||||
"EndLine": 21,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 13,
|
||||
"Content": " type: ClusterIP",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mtype\u001b[0m: ClusterIP",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 14,
|
||||
"Content": " ports:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 15,
|
||||
"Content": " - port: 80",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mport\u001b[0m: \u001b[38;5;37m80",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 16,
|
||||
"Content": " targetPort: http",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mtargetPort\u001b[0m: http",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 17,
|
||||
"Content": " protocol: TCP",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 18,
|
||||
"Content": " name: http",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mname\u001b[0m: http",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 19,
|
||||
"Content": " selector:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mselector\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 20,
|
||||
"Content": " app.kubernetes.io/name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 21,
|
||||
"Content": " app.kubernetes.io/instance: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV040",
|
||||
"AVDID": "AVD-KSV-0040",
|
||||
"Title": "resource quota usage",
|
||||
"Description": "ensure resource quota policy has configure in order to limit aggregate resource usage within namespace",
|
||||
"Message": "resource quota policy with hard memory and cpu quota per namespace should be configure",
|
||||
"Namespace": "builtin.kubernetes.KSV040",
|
||||
"Query": "data.builtin.kubernetes.KSV040.deny",
|
||||
"Resolution": "create resource quota policy with mem and cpu quota per each namespace",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv040",
|
||||
"References": [
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/",
|
||||
"https://avd.aquasec.com/misconfig/ksv040"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 13,
|
||||
"EndLine": 21,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 13,
|
||||
"Content": " type: ClusterIP",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mtype\u001b[0m: ClusterIP",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 14,
|
||||
"Content": " ports:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 15,
|
||||
"Content": " - port: 80",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mport\u001b[0m: \u001b[38;5;37m80",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 16,
|
||||
"Content": " targetPort: http",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mtargetPort\u001b[0m: http",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 17,
|
||||
"Content": " protocol: TCP",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 18,
|
||||
"Content": " name: http",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mname\u001b[0m: http",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 19,
|
||||
"Content": " selector:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mselector\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 20,
|
||||
"Content": " app.kubernetes.io/name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 21,
|
||||
"Content": " app.kubernetes.io/instance: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"Target": "templates/serviceaccount.yaml",
|
||||
|
||||
@@ -21,8 +21,8 @@
|
||||
"Class": "config",
|
||||
"Type": "helm",
|
||||
"MisconfSummary": {
|
||||
"Successes": 87,
|
||||
"Failures": 7
|
||||
"Successes": 88,
|
||||
"Failures": 12
|
||||
},
|
||||
"Misconfigurations": [
|
||||
{
|
||||
@@ -412,6 +412,648 @@
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV032",
|
||||
"AVDID": "AVD-KSV-0032",
|
||||
"Title": "All container images must start with the *.azurecr.io domain",
|
||||
"Description": "Containers should only use images from trusted registries.",
|
||||
"Message": "container testchart of deployment testchart in default namespace should restrict container image to your specific registry domain. For Azure any domain ending in 'azurecr.io'",
|
||||
"Namespace": "builtin.kubernetes.KSV032",
|
||||
"Query": "data.builtin.kubernetes.KSV032.deny",
|
||||
"Resolution": "Use images from trusted Azure registries.",
|
||||
"Severity": "MEDIUM",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv032",
|
||||
"References": [
|
||||
"https://avd.aquasec.com/misconfig/ksv032"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 28,
|
||||
"EndLine": 57,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 28,
|
||||
"Content": " - name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 29,
|
||||
"Content": " securityContext:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 30,
|
||||
"Content": " capabilities:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 31,
|
||||
"Content": " drop:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 32,
|
||||
"Content": " - ALL",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - ALL",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 33,
|
||||
"Content": " readOnlyRootFilesystem: true",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 34,
|
||||
"Content": " runAsGroup: 10001",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 35,
|
||||
"Content": " runAsNonRoot: true",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 36,
|
||||
"Content": " runAsUser: 0",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 37,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": true,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV033",
|
||||
"AVDID": "AVD-KSV-0033",
|
||||
"Title": "All container images must start with a GCR domain",
|
||||
"Description": "Containers should only use images from trusted GCR registries.",
|
||||
"Message": "container testchart of deployment testchart in default namespace should restrict container image to your specific registry domain. See the full GCR list here: https://cloud.google.com/container-registry/docs/overview#registries",
|
||||
"Namespace": "builtin.kubernetes.KSV033",
|
||||
"Query": "data.builtin.kubernetes.KSV033.deny",
|
||||
"Resolution": "Use images from trusted GCR registries.",
|
||||
"Severity": "MEDIUM",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv033",
|
||||
"References": [
|
||||
"https://avd.aquasec.com/misconfig/ksv033"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 28,
|
||||
"EndLine": 57,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 28,
|
||||
"Content": " - name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 29,
|
||||
"Content": " securityContext:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 30,
|
||||
"Content": " capabilities:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 31,
|
||||
"Content": " drop:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 32,
|
||||
"Content": " - ALL",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - ALL",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 33,
|
||||
"Content": " readOnlyRootFilesystem: true",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 34,
|
||||
"Content": " runAsGroup: 10001",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 35,
|
||||
"Content": " runAsNonRoot: true",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 36,
|
||||
"Content": " runAsUser: 0",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 37,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": true,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV035",
|
||||
"AVDID": "AVD-KSV-0035",
|
||||
"Title": "All container images must start with an ECR domain",
|
||||
"Description": "Container images from non-ECR registries should be forbidden.",
|
||||
"Message": "Container 'testchart' of Deployment 'testchart' should restrict images to own ECR repository. See the full ECR list here: https://docs.aws.amazon.com/general/latest/gr/ecr.html",
|
||||
"Namespace": "builtin.kubernetes.KSV035",
|
||||
"Query": "data.builtin.kubernetes.KSV035.deny",
|
||||
"Resolution": "Container image should be used from Amazon container Registry",
|
||||
"Severity": "MEDIUM",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv035",
|
||||
"References": [
|
||||
"https://avd.aquasec.com/misconfig/ksv035"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 28,
|
||||
"EndLine": 57,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 28,
|
||||
"Content": " - name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 29,
|
||||
"Content": " securityContext:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 30,
|
||||
"Content": " capabilities:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 31,
|
||||
"Content": " drop:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 32,
|
||||
"Content": " - ALL",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - ALL",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 33,
|
||||
"Content": " readOnlyRootFilesystem: true",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 34,
|
||||
"Content": " runAsGroup: 10001",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 35,
|
||||
"Content": " runAsNonRoot: true",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 36,
|
||||
"Content": " runAsUser: 0",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 37,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": true,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV039",
|
||||
"AVDID": "AVD-KSV-0039",
|
||||
"Title": "limit range usage",
|
||||
"Description": "ensure limit range policy has configure in order to limit resource usage for namespaces or nodes",
|
||||
"Message": "limit range policy with a default request and limit, min and max request, for each container should be configure",
|
||||
"Namespace": "builtin.kubernetes.KSV039",
|
||||
"Query": "data.builtin.kubernetes.KSV039.deny",
|
||||
"Resolution": "create limit range policy with a default request and limit, min and max request, for each container.",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv039",
|
||||
"References": [
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/",
|
||||
"https://avd.aquasec.com/misconfig/ksv039"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 13,
|
||||
"EndLine": 57,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 13,
|
||||
"Content": " replicas: 1",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m1",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 14,
|
||||
"Content": " selector:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 15,
|
||||
"Content": " matchLabels:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 16,
|
||||
"Content": " app.kubernetes.io/name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 17,
|
||||
"Content": " app.kubernetes.io/instance: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 18,
|
||||
"Content": " template:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 19,
|
||||
"Content": " metadata:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 20,
|
||||
"Content": " labels:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 21,
|
||||
"Content": " app.kubernetes.io/name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 22,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": true,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV040",
|
||||
"AVDID": "AVD-KSV-0040",
|
||||
"Title": "resource quota usage",
|
||||
"Description": "ensure resource quota policy has configure in order to limit aggregate resource usage within namespace",
|
||||
"Message": "resource quota policy with hard memory and cpu quota per namespace should be configure",
|
||||
"Namespace": "builtin.kubernetes.KSV040",
|
||||
"Query": "data.builtin.kubernetes.KSV040.deny",
|
||||
"Resolution": "create resource quota policy with mem and cpu quota per each namespace",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv040",
|
||||
"References": [
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/",
|
||||
"https://avd.aquasec.com/misconfig/ksv040"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 13,
|
||||
"EndLine": 57,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 13,
|
||||
"Content": " replicas: 1",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m1",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 14,
|
||||
"Content": " selector:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 15,
|
||||
"Content": " matchLabels:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 16,
|
||||
"Content": " app.kubernetes.io/name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 17,
|
||||
"Content": " app.kubernetes.io/instance: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 18,
|
||||
"Content": " template:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 19,
|
||||
"Content": " metadata:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 20,
|
||||
"Content": " labels:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 21,
|
||||
"Content": " app.kubernetes.io/name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 22,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": true,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV104",
|
||||
@@ -776,9 +1418,251 @@
|
||||
"Class": "config",
|
||||
"Type": "helm",
|
||||
"MisconfSummary": {
|
||||
"Successes": 61,
|
||||
"Failures": 0
|
||||
}
|
||||
"Successes": 59,
|
||||
"Failures": 2
|
||||
},
|
||||
"Misconfigurations": [
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV039",
|
||||
"AVDID": "AVD-KSV-0039",
|
||||
"Title": "limit range usage",
|
||||
"Description": "ensure limit range policy has configure in order to limit resource usage for namespaces or nodes",
|
||||
"Message": "limit range policy with a default request and limit, min and max request, for each container should be configure",
|
||||
"Namespace": "builtin.kubernetes.KSV039",
|
||||
"Query": "data.builtin.kubernetes.KSV039.deny",
|
||||
"Resolution": "create limit range policy with a default request and limit, min and max request, for each container.",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv039",
|
||||
"References": [
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/",
|
||||
"https://avd.aquasec.com/misconfig/ksv039"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 13,
|
||||
"EndLine": 21,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 13,
|
||||
"Content": " type: ClusterIP",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mtype\u001b[0m: ClusterIP",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 14,
|
||||
"Content": " ports:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 15,
|
||||
"Content": " - port: 80",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mport\u001b[0m: \u001b[38;5;37m80",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 16,
|
||||
"Content": " targetPort: http",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mtargetPort\u001b[0m: http",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 17,
|
||||
"Content": " protocol: TCP",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 18,
|
||||
"Content": " name: http",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mname\u001b[0m: http",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 19,
|
||||
"Content": " selector:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mselector\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 20,
|
||||
"Content": " app.kubernetes.io/name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 21,
|
||||
"Content": " app.kubernetes.io/instance: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV040",
|
||||
"AVDID": "AVD-KSV-0040",
|
||||
"Title": "resource quota usage",
|
||||
"Description": "ensure resource quota policy has configure in order to limit aggregate resource usage within namespace",
|
||||
"Message": "resource quota policy with hard memory and cpu quota per namespace should be configure",
|
||||
"Namespace": "builtin.kubernetes.KSV040",
|
||||
"Query": "data.builtin.kubernetes.KSV040.deny",
|
||||
"Resolution": "create resource quota policy with mem and cpu quota per each namespace",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv040",
|
||||
"References": [
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/",
|
||||
"https://avd.aquasec.com/misconfig/ksv040"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 13,
|
||||
"EndLine": 21,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 13,
|
||||
"Content": " type: ClusterIP",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mtype\u001b[0m: ClusterIP",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 14,
|
||||
"Content": " ports:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 15,
|
||||
"Content": " - port: 80",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mport\u001b[0m: \u001b[38;5;37m80",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 16,
|
||||
"Content": " targetPort: http",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mtargetPort\u001b[0m: http",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 17,
|
||||
"Content": " protocol: TCP",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 18,
|
||||
"Content": " name: http",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mname\u001b[0m: http",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 19,
|
||||
"Content": " selector:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mselector\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 20,
|
||||
"Content": " app.kubernetes.io/name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 21,
|
||||
"Content": " app.kubernetes.io/instance: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"Target": "templates/serviceaccount.yaml",
|
||||
|
||||
@@ -36,6 +36,13 @@ func TestScanner_ScanFS(t *testing.T) {
|
||||
"AVD-KSV-0015", "AVD-KSV-0016", "AVD-KSV-0018",
|
||||
"AVD-KSV-0020", "AVD-KSV-0021", "AVD-KSV-0030",
|
||||
"AVD-KSV-0104", "AVD-KSV-0106",
|
||||
"AVD-KSV-0032",
|
||||
"AVD-KSV-0040",
|
||||
"AVD-KSV-0039",
|
||||
"AVD-KSV-0004",
|
||||
"AVD-KSV-0035",
|
||||
"AVD-KSV-0033",
|
||||
"AVD-KSV-0034",
|
||||
}),
|
||||
},
|
||||
{
|
||||
@@ -49,6 +56,12 @@ func TestScanner_ScanFS(t *testing.T) {
|
||||
"AVD-KSV-0020", "AVD-KSV-0021", "AVD-KSV-0030",
|
||||
"AVD-KSV-0104", "AVD-KSV-0106",
|
||||
"AVD-KSV-0117", "AVD-KSV-0110",
|
||||
"AVD-KSV-0032",
|
||||
"AVD-KSV-0040",
|
||||
"AVD-KSV-0039",
|
||||
"AVD-KSV-0004",
|
||||
"AVD-KSV-0035",
|
||||
"AVD-KSV-0033",
|
||||
})(t, results)
|
||||
|
||||
ignored := results.GetIgnored()
|
||||
@@ -68,6 +81,11 @@ func TestScanner_ScanFS(t *testing.T) {
|
||||
"AVD-KSV-0118", "AVD-KSV-0012", "AVD-KSV-0106",
|
||||
"AVD-KSV-0016", "AVD-KSV-0001", "AVD-KSV-0011",
|
||||
"AVD-KSV-0015", "AVD-KSV-0021", "AVD-KSV-0110", "AVD-KSV-0020",
|
||||
"AVD-KSV-0032",
|
||||
"AVD-KSV-0040",
|
||||
"AVD-KSV-0039",
|
||||
"AVD-KSV-0004",
|
||||
"AVD-KSV-0035",
|
||||
}),
|
||||
},
|
||||
{
|
||||
@@ -102,6 +120,13 @@ deny[res] {
|
||||
"AVD-KSV-0015", "AVD-KSV-0016", "AVD-KSV-0018",
|
||||
"AVD-KSV-0020", "AVD-KSV-0021", "AVD-KSV-0030",
|
||||
"AVD-KSV-0104", "AVD-KSV-0106", "AVD-USR-ID001",
|
||||
"AVD-KSV-0032",
|
||||
"AVD-KSV-0040",
|
||||
"AVD-KSV-0039",
|
||||
"AVD-KSV-0004",
|
||||
"AVD-KSV-0035",
|
||||
"AVD-KSV-0033",
|
||||
"AVD-KSV-0034",
|
||||
}),
|
||||
},
|
||||
{
|
||||
@@ -196,6 +221,8 @@ deny[res] {
|
||||
|
||||
func assertIds(expected []string) func(t *testing.T, results scan.Results) {
|
||||
return func(t *testing.T, results scan.Results) {
|
||||
t.Helper()
|
||||
|
||||
errorCodes := set.New[string]()
|
||||
for _, result := range results.GetFailed() {
|
||||
errorCodes.Append(result.Rule().AVDID)
|
||||
|
||||
Reference in New Issue
Block a user