KICS #458
Annotations
12 warnings
Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20: actions/checkout@v3, github/codeql-action/upload-sarif@v2. For more information see: https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/.
|
Upload SARIF file for GitHub Advanced Security Dashboard
CodeQL Action v2 will be deprecated on December 5th, 2024. Please update all occurrences of the CodeQL Action in your workflow files to v3. For more information, see https://github.blog/changelog/2024-01-12-code-scanning-deprecation-of-codeql-action-v2/
|
KICS scan:
charts/country-risk/charts/country-risk-frontend/templates/deployment.yaml#L58
Check if containers are running with low UID, which might cause conflicts with the host's user table.
|
KICS scan:
docker-compose.yml#L5
Incoming container traffic should be bound to a specific host interface
|
KICS scan:
docker-compose.yml#L3
Check containers periodically to see if they are running properly.
|
KICS scan:
docker-compose.yml#L3
Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory
|
KICS scan:
docker-compose.yml#L3
'pids_limit' should be set and different than -1
|
KICS scan:
charts/country-risk/charts/country-risk-frontend/templates/deployment.yaml#L58
Check if Readiness Probe is not configured.
|
KICS scan:
docker-compose.yml#L3
Attribute 'security_opt' should be defined.
|
KICS scan:
.github/workflows/trivy-test-images.yml#L49
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
|
KICS scan:
.github/workflows/codeql.yml#L65
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
|
KICS scan:
.github/workflows/codeql.yml#L51
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
|
Loading