diff --git a/go.mod b/go.mod
index b31d0f1b5744..97cac16fe685 100644
--- a/go.mod
+++ b/go.mod
@@ -13,7 +13,7 @@ require (
 github.com/NYTimes/gziphandler v1.1.1
 github.com/alicebob/miniredis/v2 v2.30.4
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
- github.com/aquasecurity/defsec v0.93.2-0.20231024055158-015ab97ce898
+ github.com/aquasecurity/defsec v0.93.2-0.20231120220217-6818261529c8
 github.com/aquasecurity/go-dep-parser v0.0.0-20231120074854-8322cc2242bf
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
@@ -23,12 +23,12 @@ require (
 github.com/aquasecurity/table v1.8.0
 github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da
 github.com/aquasecurity/tml v0.6.1
- github.com/aquasecurity/trivy-aws v0.4.0
+ github.com/aquasecurity/trivy-aws v0.5.0
 github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d
- github.com/aquasecurity/trivy-iac v0.5.2
+ github.com/aquasecurity/trivy-iac v0.7.0
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728
 github.com/aquasecurity/trivy-kubernetes v0.5.9-0.20231115100645-921512b4d163
- github.com/aquasecurity/trivy-policies v0.5.0
+ github.com/aquasecurity/trivy-policies v0.6.1-0.20231120231532-f6f2330bf842
 github.com/aws/aws-sdk-go-v2 v1.22.1
 github.com/aws/aws-sdk-go-v2/config v1.18.45
 github.com/aws/aws-sdk-go-v2/credentials v1.13.43
diff --git a/go.sum b/go.sum
index 0bd9e6aceb22..f914d8ebadfe 100644
--- a/go.sum
+++ b/go.sum
@@ -320,8 +320,8 @@ github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4= github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM= github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8= -github.com/aquasecurity/defsec v0.93.2-0.20231024055158-015ab97ce898 h1:gu7XQvv2CswgzOdOFHg/AmtR4vBonG35XvGxHHvcIr4= -github.com/aquasecurity/defsec v0.93.2-0.20231024055158-015ab97ce898/go.mod h1:J30VViSgmoW2Ic/6aqVJO2qvuADsmZ3MYuNxPcU6Vt0= +github.com/aquasecurity/defsec v0.93.2-0.20231120220217-6818261529c8 h1:w/Sm2fVtb0Rv1bcLLwsW9j37mNUya8MwzKMcjG9OW/Q= +github.com/aquasecurity/defsec v0.93.2-0.20231120220217-6818261529c8/go.mod h1:J30VViSgmoW2Ic/6aqVJO2qvuADsmZ3MYuNxPcU6Vt0= github.com/aquasecurity/go-dep-parser v0.0.0-20231120074854-8322cc2242bf h1:kweQrNMfarPfjZGI1537GtuujhpzhsuT/MvmW2FwaBE= github.com/aquasecurity/go-dep-parser v0.0.0-20231120074854-8322cc2242bf/go.mod h1:7+xrs6AWD5+onpmX8f7qIkAhUgkPP0mhUdBjxJBcfas= github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM= 
@@ -342,18 +342,18 @@ github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da h1:pj/adfN github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da/go.mod h1:852lbQLpK2nCwlR4ZLYIccxYCfoQao6q9Nl6tjz54v8= github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo= github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY= -github.com/aquasecurity/trivy-aws v0.4.0 h1:vrpL9Gx3+33D8TvRCDFJxEIHR3AA+TcnTr0rzRI62OI= -github.com/aquasecurity/trivy-aws v0.4.0/go.mod h1:dPx0xRElmFrVXBxeYqEAl5NejJ2kHb51ybFPzBMxWow= +github.com/aquasecurity/trivy-aws v0.5.0 h1:6RJrw+QHeVn2MH7bI7bsVIiqRyhDCPvdEqkNn54Ui4I= +github.com/aquasecurity/trivy-aws v0.5.0/go.mod h1:dPx0xRElmFrVXBxeYqEAl5NejJ2kHb51ybFPzBMxWow= github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d h1:fjI9mkoTUAkbGqpzt9nJsO24RAdfG+ZSiLFj0G2jO8c= github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d/go.mod h1:cj9/QmD9N3OZnKQMp+/DvdV+ym3HyIkd4e+F0ZM3ZGs= -github.com/aquasecurity/trivy-iac v0.5.2 h1:cqeSDEfQtM3l4ceiQ+IUD2K/ZBhyz443xe+S2TkBdE0= -github.com/aquasecurity/trivy-iac v0.5.2/go.mod h1:dHoaIzm4niotuaEiSM40HelhcL8m/2MHzT3uHcQYUh8= +github.com/aquasecurity/trivy-iac v0.7.0 h1:L2/mqQJD1iwY4xOr1un5Prg51epYBQgM34JVZtkp4Gg= +github.com/aquasecurity/trivy-iac v0.7.0/go.mod h1:GG9Y2YylH3e16PoJ0RUZ+C0Xw93Gic/5fwdkKjKwwqU= github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728 h1:0eS+V7SXHgqoT99tV1mtMW6HL4HdoB9qGLMCb1fZp8A= github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8= github.com/aquasecurity/trivy-kubernetes v0.5.9-0.20231115100645-921512b4d163 h1:6TsI0lQN7H/d3pM5vK1/taYbWMgnNYEOk+V2ydBdg0s= github.com/aquasecurity/trivy-kubernetes v0.5.9-0.20231115100645-921512b4d163/go.mod h1:u+rEg3lTLpv3EJVSC7HOhWWlUwuuxlfczMncYPMqTPI= -github.com/aquasecurity/trivy-policies v0.5.0 h1:7GukJhiEQpKg8VQH3PkwZOyFqO0J6hGmUbt7jne5mhU= 
-github.com/aquasecurity/trivy-policies v0.5.0/go.mod h1:YPefENNCAcbPxMDgKBWxjLmhyzYnlAY/HIH89VFaogY= +github.com/aquasecurity/trivy-policies v0.6.1-0.20231120231532-f6f2330bf842 h1:RnxM3eTcwPlA/WBwnmaEpeEk3WOCDcnz7yTIFxVL7us= +github.com/aquasecurity/trivy-policies v0.6.1-0.20231120231532-f6f2330bf842/go.mod h1:BmEeSFgmBjo3avCli71736sy0veGcSUzGATupp1MCgA= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= diff --git a/integration/testdata/fixtures/repo/helm/testchart.tar.gz b/integration/testdata/fixtures/repo/helm/testchart.tar.gz index 38ec18cf0a8b..e36b2b474f3e 100644 Binary files a/integration/testdata/fixtures/repo/helm/testchart.tar.gz and b/integration/testdata/fixtures/repo/helm/testchart.tar.gz differ diff --git a/integration/testdata/helm.json.golden b/integration/testdata/helm.json.golden index 037d02a8c26a..5899f2a52bc4 100644 --- a/integration/testdata/helm.json.golden +++ b/integration/testdata/helm.json.golden @@ -17,12 +17,12 @@ }, "Results": [ { - "Target": "testchart.tar.gz:templates/deployment.yaml", + "Target": "testchart.tar.gz:templates/pod.yaml", "Class": "config", "Type": "helm", "MisconfSummary": { - "Successes": 151, - "Failures": 5, + "Successes": 141, + "Failures": 15, "Exceptions": 0 }, "Misconfigurations": [ 
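Review bot: The regenerated summary in this hunk (`"Successes": 141, "Failures": 15`, same 156 total as before) shows the replacement fixture exercises only an unhardened container: every finding on the new side is for `nginx` of `nginx-deployment` with no securityContext, while the old chart's hardened container (drop ALL, readOnlyRootFilesystem, runAsNonRoot, runAsUser 10001) is gone from the golden. The integration test therefore no longer asserts that a compliant securityContext yields zero KSV findings, which is the false-positive path the old golden was catching (the spurious KSV116 hits on Service/ServiceAccount that this bump removes). Consider keeping a second, hardened template in testchart.tar.gz so the golden pins both the pass and the fail path of the Kubernetes policies. Separately, the new `Target` is `templates/pod.yaml` yet every message names `Deployment 'nginx-deployment'`; if that file really holds a Deployment, naming it `deployment.yaml` would keep the golden self-explanatory.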
@@ -32,7 +32,7 @@ "AVDID": "AVD-KSV-0001", "Title": "Can elevate its own privileges", "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'testchart' of Deployment 'testchart' should set 'securityContext.allowPrivilegeEscalation' to false", + "Message": "Container 'nginx' of Deployment 'nginx-deployment' should set 'securityContext.allowPrivilegeEscalation' to false", "Namespace": "builtin.kubernetes.KSV001", "Query": "data.builtin.kubernetes.KSV001.deny", "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", 
@@ -47,108 +47,256 @@ "CauseMetadata": { "Provider": "Kubernetes", "Service": "general", - "StartLine": 28, - "EndLine": 57, + "StartLine": 19, + "EndLine": 22, "Code": { "Lines": [ { - "Number": 28, - "Content": " - name: testchart", + "Number": 19, + "Content": " - name: nginx", "IsCause": true, "Annotation": "", "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart", + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx", "FirstCause": true, "LastCause": false }, { - "Number": 29, - "Content": " securityContext:", + "Number": 20, + "Content": " image: nginx:1.14.2", "IsCause": true, "Annotation": "", "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2", "FirstCause": false, "LastCause": false }, { - "Number": 30, - "Content": " capabilities:", + "Number": 21, + "Content": " ports:", "IsCause": true, "Annotation": "", "Truncated": false, - "Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:", + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", "FirstCause": false, "LastCause": false }, { - "Number": 31, - "Content": " drop:", + "Number": 22, + "Content": " - containerPort: 80", "IsCause": true, "Annotation": "", "Truncated": false, - "Highlighted": " \u001b[38;5;33mdrop\u001b[0m:", + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'nginx' of Deployment 'nginx-deployment' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 
'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 19, + "EndLine": 22, + "Code": { + "Lines": [ + { + "Number": 19, + "Content": " - name: nginx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 20, + "Content": " image: nginx:1.14.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2", "FirstCause": false, "LastCause": false }, { - "Number": 32, - "Content": " - ALL", + "Number": 21, + "Content": " ports:", "IsCause": true, "Annotation": "", "Truncated": false, - "Highlighted": " - ALL", + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", "FirstCause": false, "LastCause": false }, { - "Number": 33, - "Content": " readOnlyRootFilesystem: true", + "Number": 22, + "Content": " - containerPort: 80", "IsCause": true, "Annotation": "", "Truncated": false, - "Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue", + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m", "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'nginx' of Deployment 'nginx-deployment' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit 
value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 19, + "EndLine": 22, + "Code": { + "Lines": [ + { + "Number": 19, + "Content": " - name: nginx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx", + "FirstCause": true, "LastCause": false }, { - "Number": 34, - "Content": " runAsGroup: 10001", + "Number": 20, + "Content": " image: nginx:1.14.2", "IsCause": true, "Annotation": "", "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001", + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2", "FirstCause": false, "LastCause": false }, { - "Number": 35, - "Content": " runAsNonRoot: true", + "Number": 21, + "Content": " ports:", "IsCause": true, "Annotation": "", "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", "FirstCause": false, "LastCause": false }, { - "Number": 36, - "Content": " runAsUser: 10001", + "Number": 22, + "Content": " - containerPort: 80", "IsCause": true, "Annotation": "", "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m10001", + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m", "FirstCause": false, "LastCause": true + } + ] + } + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least 
privileges.", + "Message": "Container 'nginx' of Deployment 'nginx-deployment' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 19, + "EndLine": 22, + "Code": { + "Lines": [ + { + "Number": 19, + "Content": " - name: nginx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx", + "FirstCause": true, + "LastCause": false }, { - "Number": 37, - "Content": "", - "IsCause": false, + "Number": 20, + "Content": " image: nginx:1.14.2", + "IsCause": true, "Annotation": "", - "Truncated": true, + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2", "FirstCause": false, "LastCause": false + }, + { + "Number": 21, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - containerPort: 80", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m", + "FirstCause": false, + "LastCause": true } ] } 
@@ -156,127 +304,275 @@ }, { "Type": "Helm Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'nginx' of Deployment 'nginx-deployment' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" ], "Status": "FAIL", "Layer": {}, "CauseMetadata": { "Provider": "Kubernetes", "Service": "general", - "StartLine": 28, - "EndLine": 57, + "StartLine": 19, + "EndLine": 22, "Code": { "Lines": [ { - "Number": 28, 
- "Content": " - name: testchart", + "Number": 19, + "Content": " - name: nginx", "IsCause": true, "Annotation": "", "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart", + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx", "FirstCause": true, "LastCause": false }, { - "Number": 29, - "Content": " securityContext:", + "Number": 20, + "Content": " image: nginx:1.14.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " ports:", "IsCause": true, "Annotation": "", "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", "FirstCause": false, "LastCause": false }, { - "Number": 30, - "Content": " capabilities:", + "Number": 22, + "Content": " - containerPort: 80", "IsCause": true, "Annotation": "", "Truncated": false, - "Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:", + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m", "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'nginx' of Deployment 'nginx-deployment' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + 
"https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 19, + "EndLine": 22, + "Code": { + "Lines": [ + { + "Number": 19, + "Content": " - name: nginx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx", + "FirstCause": true, "LastCause": false }, { - "Number": 31, - "Content": " drop:", + "Number": 20, + "Content": " image: nginx:1.14.2", "IsCause": true, "Annotation": "", "Truncated": false, - "Highlighted": " \u001b[38;5;33mdrop\u001b[0m:", + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2", "FirstCause": false, "LastCause": false }, { - "Number": 32, - "Content": " - ALL", + "Number": 21, + "Content": " ports:", "IsCause": true, "Annotation": "", "Truncated": false, - "Highlighted": " - ALL", + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", "FirstCause": false, "LastCause": false }, { - "Number": 33, - "Content": " readOnlyRootFilesystem: true", + "Number": 22, + "Content": " - containerPort: 80", "IsCause": true, "Annotation": "", "Truncated": false, - "Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue", + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m", "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'nginx' of Deployment 'nginx-deployment' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + 
"Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 19, + "EndLine": 22, + "Code": { + "Lines": [ + { + "Number": 19, + "Content": " - name: nginx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx", + "FirstCause": true, "LastCause": false }, { - "Number": 34, - "Content": " runAsGroup: 10001", + "Number": 20, + "Content": " image: nginx:1.14.2", "IsCause": true, "Annotation": "", "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001", + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2", "FirstCause": false, "LastCause": false }, { - "Number": 35, - "Content": " runAsNonRoot: true", + "Number": 21, + "Content": " ports:", "IsCause": true, "Annotation": "", "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", "FirstCause": false, "LastCause": false }, { - "Number": 36, - "Content": " runAsUser: 10001", + "Number": 22, + "Content": " - containerPort: 80", "IsCause": true, "Annotation": "", "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m10001", + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m", "FirstCause": false, "LastCause": true + } + ] + } + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'nginx' of Deployment 'nginx-deployment' should set 'resources.limits.memory'", + "Namespace": 
"builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 19, + "EndLine": 22, + "Code": { + "Lines": [ + { + "Number": 19, + "Content": " - name: nginx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 20, + "Content": " image: nginx:1.14.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2", + "FirstCause": false, + "LastCause": false }, { - "Number": 37, - "Content": "", - "IsCause": false, + "Number": 21, + "Content": " ports:", + "IsCause": true, "Annotation": "", - "Truncated": true, + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", "FirstCause": false, "LastCause": false + }, + { + "Number": 22, + "Content": " - containerPort: 80", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m", + "FirstCause": false, + "LastCause": true } ] } 
@@ -284,71 +580,226 @@ }, { "Type": "Helm Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container testchart of deployment testchart in default namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'nginx' of Deployment 'nginx-deployment' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" ], "Status": "FAIL", "Layer": {}, "CauseMetadata": { "Provider": "Kubernetes", "Service": "general", + "StartLine": 19, + "EndLine": 22, "Code": { - "Lines": null + "Lines": [ + { + "Number": 19, + "Content": " - name: nginx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 20, + "Content": " image: nginx:1.14.2", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - containerPort: 80", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m", + "FirstCause": false, + "LastCause": true + } + ] } } }, { "Type": "Helm Security Check", - "ID": "KSV116", - "AVDID": "AVD-KSV-0116", - "Title": "Runs with a root primary or supplementary GID", - "Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.", - "Message": "deployment testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0", - "Namespace": "builtin.kubernetes.KSV116", - "Query": "data.builtin.kubernetes.KSV116.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'nginx' of Deployment 'nginx-deployment' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv116", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", "References": [ 
"https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv116" + "https://avd.aquasec.com/misconfig/ksv021" ], "Status": "FAIL", "Layer": {}, "CauseMetadata": { "Provider": "Kubernetes", "Service": "general", + "StartLine": 19, + "EndLine": 22, "Code": { - "Lines": null + "Lines": [ + { + "Number": 19, + "Content": " - name: nginx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 20, + "Content": " image: nginx:1.14.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - containerPort: 80", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m", + "FirstCause": false, + "LastCause": true + } + ] } } }, { "Type": "Helm Security Check", - "ID": "KSV117", - "AVDID": "AVD-KSV-0117", - "Title": "Prevent binding to privileged ports", - "Description": "The ports which are lower than 1024 receive and transmit various sensitive and privileged data. 
Allowing containers to use them can bring serious implications.", - "Message": "deployment testchart in default namespace should not set spec.template.spec.containers.ports.containerPort to less than 1024", - "Namespace": "builtin.kubernetes.KSV117", - "Query": "data.builtin.kubernetes.KSV117.deny", - "Resolution": "Do not map the container ports to privileged host ports when starting a container.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv117", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/", - "https://avd.aquasec.com/misconfig/ksv117" + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 19, + "EndLine": 22, + "Code": { + "Lines": [ + { + "Number": 19, + "Content": " - name: nginx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 20, + "Content": " image: nginx:1.14.2", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - containerPort: 80", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container nginx of deployment nginx-deployment in default namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" ], "Status": "FAIL", "Layer": {}, 
@@ -359,64 +810,83 @@
 "Lines": null
 }
 }
- }
- ]
- },
- {
- "Target": "testchart.tar.gz:templates/service.yaml",
- "Class": "config",
- "Type": "helm",
- "MisconfSummary": {
- "Successes": 155,
- "Failures": 1,
- "Exceptions": 0
- },
- "Misconfigurations": [
+ },
 {
 "Type": "Helm Security Check",
- "ID": "KSV116",
- "AVDID": "AVD-KSV-0116",
- "Title": "Runs with a root primary or supplementary GID",
- "Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.",
- "Message": "service testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0",
- "Namespace": "builtin.kubernetes.KSV116",
- "Query": "data.builtin.kubernetes.KSV116.deny",
- "Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.",
+ "ID": "KSV106",
+ "AVDID": "AVD-KSV-0106",
+ "Title": "Container capabilities must only include NET_BIND_SERVICE",
+ "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.",
+ "Message": "container should drop all",
+ "Namespace": "builtin.kubernetes.KSV106",
+ "Query": "data.builtin.kubernetes.KSV106.deny",
+ "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.",
 "Severity": "LOW",
- "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv116",
+ "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106",
 "References": [
- "https://kubesec.io/basics/containers-securitycontext-runasuser/",
- "https://avd.aquasec.com/misconfig/ksv116"
+ "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
+ "https://avd.aquasec.com/misconfig/ksv106"
 ],
 "Status": "FAIL",
 "Layer": {},
 "CauseMetadata": {
 "Provider": "Kubernetes",
 "Service": "general",
+ "StartLine": 19,
+ "EndLine": 22,
 "Code": {
- "Lines": null
+ "Lines": [
+ {
+ "Number": 19,
+ "Content": " - name: nginx",
+ "IsCause": true,
+ "Annotation": "",
+ "Truncated": false,
+ "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
+ "FirstCause": true,
+ "LastCause": false
+ },
+ {
+ "Number": 20,
+ "Content": " image: nginx:1.14.2",
+ "IsCause": true,
+ "Annotation": "",
+ "Truncated": false,
+ "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
+ "FirstCause": false,
+ "LastCause": false
+ },
+ {
+ "Number": 21,
+ "Content": " ports:",
+ "IsCause": true,
+ "Annotation": "",
+ "Truncated": false,
+ "Highlighted": " \u001b[38;5;33mports\u001b[0m:",
+ "FirstCause": false,
+ "LastCause": false
+ },
+ {
+ "Number": 22,
+ "Content": " - containerPort: 80",
+ "IsCause": true,
+ "Annotation": "",
+ "Truncated": false,
+ "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
+ "FirstCause": false,
+ "LastCause": true
+ }
+ ]
 }
 }
- }
- ]
- },
- {
- "Target": "testchart.tar.gz:templates/serviceaccount.yaml",
- "Class": "config",
- "Type": "helm",
- "MisconfSummary": {
- "Successes": 155,
- "Failures": 1,
- "Exceptions": 0
- },
- "Misconfigurations": [
+ },
 {
 "Type": "Helm Security Check",
 "ID": "KSV116",
 "AVDID": "AVD-KSV-0116",
 "Title": "Runs with a root primary or supplementary GID",
 "Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.",
- "Message": "serviceaccount testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0",
+ "Message": "deployment nginx-deployment in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0",
 "Namespace": "builtin.kubernetes.KSV116",
 "Query": "data.builtin.kubernetes.KSV116.deny",
 "Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.",
@@ -435,6 +905,32 @@
 "Lines": null
 }
 }
+ },
+ {
+ "Type": "Helm Security Check",
+ "ID": "KSV117",
+ "AVDID": "AVD-KSV-0117",
+ "Title": "Prevent binding to privileged ports",
+ "Description": "The ports which are lower than 1024 receive and transmit various sensitive and privileged data. Allowing containers to use them can bring serious implications.",
+ "Message": "deployment nginx-deployment in default namespace should not set spec.template.spec.containers.ports.containerPort to less than 1024",
+ "Namespace": "builtin.kubernetes.KSV117",
+ "Query": "data.builtin.kubernetes.KSV117.deny",
+ "Resolution": "Do not map the container ports to privileged host ports when starting a container.",
+ "Severity": "HIGH",
+ "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv117",
+ "References": [
+ "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+ "https://avd.aquasec.com/misconfig/ksv117"
+ ],
+ "Status": "FAIL",
+ "Layer": {},
+ "CauseMetadata": {
+ "Provider": "Kubernetes",
+ "Service": "general",
+ "Code": {
+ "Lines": null
+ }
+ }
 }
 ]
 }
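Review bot: The new KSV117 entry at the end of the last hunk carries no StartLine/EndLine and has `"Lines": null` under CauseMetadata, whereas the KSV030 and KSV106 entries for the same nginx-deployment in the earlier hunks point at lines 19–22, which include the `containerPort: 80` line that KSV117 is actually about. If the updated policies are expected to emit cause metadata for this check, the regenerated golden file would be locking in a missing snippet; if they are not, the HIGH finding will render without the offending line. Worth confirming against the trivy-policies revision being pulled in before accepting the regenerated output as the new expectation.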