Checkov - Kubernetes Goat Report

Checkov is a static code analysis tool for infrastructure-as-code. Check out the project documentation at https://www.checkov.io

Overview
Checkov scan results

- Checkov has detected:
  - Kubernetes issues: 263
  - Dockerfiles issues: 39
  - Helm charts issues: 36
- Report sections: Kubernetes Manifests, Dockerfiles, Helm Charts

Kubernetes manifests issues report
| # | check_name | check_id | file | resource |
|---|---|---|---|---|
| 0 | Minimize the admission of containers with capabilities assigned | CKV_K8S_37 | /scenarios/cache-store/deployment.yaml | Deployment.secure-middleware.cache-store-deployment |
| 1 | Ensure that the seccomp profile is set to docker/default or runtime/default | CKV_K8S_31 | /scenarios/cache-store/deployment.yaml | Deployment.secure-middleware.cache-store-deployment |
| 2 | Liveness Probe Should be Configured | CKV_K8S_8 | /scenarios/cache-store/deployment.yaml | Deployment.secure-middleware.cache-store-deployment |
| 3 | Memory requests should be set | CKV_K8S_12 | /scenarios/cache-store/deployment.yaml | Deployment.secure-middleware.cache-store-deployment |
| 4 | Containers should not run with allowPrivilegeEscalation | CKV_K8S_20 | /scenarios/cache-store/deployment.yaml | Deployment.secure-middleware.cache-store-deployment |
| 5 | Memory limits should be set | CKV_K8S_13 | /scenarios/cache-store/deployment.yaml | Deployment.secure-middleware.cache-store-deployment |
| 6 | Containers should run as a high UID to avoid host conflict | CKV_K8S_40 | /scenarios/cache-store/deployment.yaml | Deployment.secure-middleware.cache-store-deployment |
| 7 | CPU requests should be set | CKV_K8S_10 | /scenarios/cache-store/deployment.yaml | Deployment.secure-middleware.cache-store-deployment |
| 8 | Use read-only filesystem for containers where possible | CKV_K8S_22 | /scenarios/cache-store/deployment.yaml | Deployment.secure-middleware.cache-store-deployment |
| 9 | Readiness Probe Should be Configured | CKV_K8S_9 | /scenarios/cache-store/deployment.yaml | Deployment.secure-middleware.cache-store-deployment |
| 10 | Minimize the admission of containers with the NET_RAW capability | CKV_K8S_28 | /scenarios/cache-store/deployment.yaml | Deployment.secure-middleware.cache-store-deployment |
| 11 | Apply security context to your pods and containers | CKV_K8S_29 | /scenarios/cache-store/deployment.yaml | Deployment.secure-middleware.cache-store-deployment |
| 12 | Apply security context to your pods and containers | CKV_K8S_30 | /scenarios/cache-store/deployment.yaml | Deployment.secure-middleware.cache-store-deployment |
| 13 | Image Tag should be fixed - not latest or blank | CKV_K8S_14 | /scenarios/cache-store/deployment.yaml | Deployment.secure-middleware.cache-store-deployment |
| 14 | Ensure that Service Account Tokens are only mounted where necessary | CKV_K8S_38 | /scenarios/cache-store/deployment.yaml | Deployment.secure-middleware.cache-store-deployment |
| 15 | Minimize the admission of root containers | CKV_K8S_23 | /scenarios/cache-store/deployment.yaml | Deployment.secure-middleware.cache-store-deployment |
| 16 | Image should use digest | CKV_K8S_43 | /scenarios/cache-store/deployment.yaml | Deployment.secure-middleware.cache-store-deployment |
| 17 | CPU limits should be set | CKV_K8S_11 | /scenarios/cache-store/deployment.yaml | Deployment.secure-middleware.cache-store-deployment |
| 18 | Minimize the admission of containers with capabilities assigned | CKV_K8S_37 | /scenarios/build-code/deployment.yaml | Deployment.default.build-code-deployment |
| 19 | Ensure that the seccomp profile is set to docker/default or runtime/default | CKV_K8S_31 | /scenarios/build-code/deployment.yaml | Deployment.default.build-code-deployment |
| 20 | Liveness Probe Should be Configured | CKV_K8S_8 | /scenarios/build-code/deployment.yaml | Deployment.default.build-code-deployment |
| 21 | Memory requests should be set | CKV_K8S_12 | /scenarios/build-code/deployment.yaml | Deployment.default.build-code-deployment |
| 22 | Containers should not run with allowPrivilegeEscalation | CKV_K8S_20 | /scenarios/build-code/deployment.yaml | Deployment.default.build-code-deployment |
| 23 | Containers should run as a high UID to avoid host conflict | CKV_K8S_40 | /scenarios/build-code/deployment.yaml | Deployment.default.build-code-deployment |
| 24 | CPU requests should be set | CKV_K8S_10 | /scenarios/build-code/deployment.yaml | Deployment.default.build-code-deployment |
| 25 | Use read-only filesystem for containers where possible | CKV_K8S_22 | /scenarios/build-code/deployment.yaml | Deployment.default.build-code-deployment |
| 26 | Readiness Probe Should be Configured | CKV_K8S_9 | /scenarios/build-code/deployment.yaml | Deployment.default.build-code-deployment |
| 27 | Minimize the admission of containers with the NET_RAW capability | CKV_K8S_28 | /scenarios/build-code/deployment.yaml | Deployment.default.build-code-deployment |
| 28 | Apply security context to your pods and containers | CKV_K8S_29 | /scenarios/build-code/deployment.yaml | Deployment.default.build-code-deployment |
| 29 | Apply security context to your pods and containers | CKV_K8S_30 | /scenarios/build-code/deployment.yaml | Deployment.default.build-code-deployment |
| 30 | Image Tag should be fixed - not latest or blank | CKV_K8S_14 | /scenarios/build-code/deployment.yaml | Deployment.default.build-code-deployment |
| 31 | Ensure that Service Account Tokens are only mounted where necessary | CKV_K8S_38 | /scenarios/build-code/deployment.yaml | Deployment.default.build-code-deployment |
| 32 | The default namespace should not be used | CKV_K8S_21 | /scenarios/build-code/deployment.yaml | Deployment.default.build-code-deployment |
| 33 | Minimize the admission of root containers | CKV_K8S_23 | /scenarios/build-code/deployment.yaml | Deployment.default.build-code-deployment |
| 34 | Image should use digest | CKV_K8S_43 | /scenarios/build-code/deployment.yaml | Deployment.default.build-code-deployment |
| 35 | The default namespace should not be used | CKV_K8S_21 | /scenarios/build-code/deployment.yaml | Service.default.build-code-service |
| 36 | Minimize the admission of containers with capabilities assigned | CKV_K8S_37 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.default.docker-bench-security |
| 37 | Ensure that the seccomp profile is set to docker/default or runtime/default | CKV_K8S_31 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.default.docker-bench-security |
| 38 | Liveness Probe Should be Configured | CKV_K8S_8 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.default.docker-bench-security |
| 39 | Containers should not run with allowPrivilegeEscalation | CKV_K8S_20 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.default.docker-bench-security |
| 40 | Do not expose the docker daemon socket to containers | CKV_K8S_27 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.default.docker-bench-security |
| 41 | Containers should run as a high UID to avoid host conflict | CKV_K8S_40 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.default.docker-bench-security |
| 42 | Container should not be privileged | CKV_K8S_16 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.default.docker-bench-security |
| 43 | Containers should not share the host network namespace | CKV_K8S_19 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.default.docker-bench-security |
| 44 | Use read-only filesystem for containers where possible | CKV_K8S_22 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.default.docker-bench-security |
| 45 | Readiness Probe Should be Configured | CKV_K8S_9 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.default.docker-bench-security |
| 46 | Containers should not share the host process ID namespace | CKV_K8S_17 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.default.docker-bench-security |
| 47 | Containers should not share the host IPC namespace | CKV_K8S_18 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.default.docker-bench-security |
| 48 | Minimize the admission of containers with the NET_RAW capability | CKV_K8S_28 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.default.docker-bench-security |
| 49 | Minimize the admission of containers with added capability | CKV_K8S_25 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.default.docker-bench-security |
| 50 | Image Tag should be fixed - not latest or blank | CKV_K8S_14 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.default.docker-bench-security |
| 51 | Ensure that Service Account Tokens are only mounted where necessary | CKV_K8S_38 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.default.docker-bench-security |
| 52 | The default namespace should not be used | CKV_K8S_21 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.default.docker-bench-security |
| 53 | Minimize the admission of root containers | CKV_K8S_23 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.default.docker-bench-security |
| 54 | Image should use digest | CKV_K8S_43 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.default.docker-bench-security |
| 55 | Minimize the admission of containers with capabilities assigned | CKV_K8S_37 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.default.kubernetes-goat-home-deployment |
| 56 | Ensure that the seccomp profile is set to docker/default or runtime/default | CKV_K8S_31 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.default.kubernetes-goat-home-deployment |
| 57 | Liveness Probe Should be Configured | CKV_K8S_8 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.default.kubernetes-goat-home-deployment |
| 58 | Memory requests should be set | CKV_K8S_12 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.default.kubernetes-goat-home-deployment |
| 59 | Containers should not run with allowPrivilegeEscalation | CKV_K8S_20 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.default.kubernetes-goat-home-deployment |
| 60 | Containers should run as a high UID to avoid host conflict | CKV_K8S_40 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.default.kubernetes-goat-home-deployment |
| 61 | CPU requests should be set | CKV_K8S_10 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.default.kubernetes-goat-home-deployment |
| 62 | Use read-only filesystem for containers where possible | CKV_K8S_22 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.default.kubernetes-goat-home-deployment |
| 63 | Readiness Probe Should be Configured | CKV_K8S_9 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.default.kubernetes-goat-home-deployment |
| 64 | Minimize the admission of containers with the NET_RAW capability | CKV_K8S_28 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.default.kubernetes-goat-home-deployment |
| 65 | Apply security context to your pods and containers | CKV_K8S_29 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.default.kubernetes-goat-home-deployment |
| 66 | Apply security context to your pods and containers | CKV_K8S_30 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.default.kubernetes-goat-home-deployment |
| 67 | Image Tag should be fixed - not latest or blank | CKV_K8S_14 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.default.kubernetes-goat-home-deployment |
| 68 | Ensure that Service Account Tokens are only mounted where necessary | CKV_K8S_38 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.default.kubernetes-goat-home-deployment |
| 69 | The default namespace should not be used | CKV_K8S_21 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.default.kubernetes-goat-home-deployment |
| 70 | Minimize the admission of root containers | CKV_K8S_23 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.default.kubernetes-goat-home-deployment |
| 71 | Image should use digest | CKV_K8S_43 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.default.kubernetes-goat-home-deployment |
| 72 | The default namespace should not be used | CKV_K8S_21 | /scenarios/kubernetes-goat-home/deployment.yaml | Service.default.kubernetes-goat-home-service |
| 73 | Minimize the admission of containers with capabilities assigned | CKV_K8S_37 | /scenarios/hidden-in-layers/deployment.yaml | Job.default.hidden-in-layers |
| 74 | Ensure that the seccomp profile is set to docker/default or runtime/default | CKV_K8S_31 | /scenarios/hidden-in-layers/deployment.yaml | Job.default.hidden-in-layers |
| 75 | Memory requests should be set | CKV_K8S_12 | /scenarios/hidden-in-layers/deployment.yaml | Job.default.hidden-in-layers |
| 76 | Containers should not run with allowPrivilegeEscalation | CKV_K8S_20 | /scenarios/hidden-in-layers/deployment.yaml | Job.default.hidden-in-layers |
| 77 | Memory limits should be set | CKV_K8S_13 | /scenarios/hidden-in-layers/deployment.yaml | Job.default.hidden-in-layers |
| 78 | Containers should run as a high UID to avoid host conflict | CKV_K8S_40 | /scenarios/hidden-in-layers/deployment.yaml | Job.default.hidden-in-layers |
| 79 | CPU requests should be set | CKV_K8S_10 | /scenarios/hidden-in-layers/deployment.yaml | Job.default.hidden-in-layers |
| 80 | Use read-only filesystem for containers where possible | CKV_K8S_22 | /scenarios/hidden-in-layers/deployment.yaml | Job.default.hidden-in-layers |
| 81 | Minimize the admission of containers with the NET_RAW capability | CKV_K8S_28 | /scenarios/hidden-in-layers/deployment.yaml | Job.default.hidden-in-layers |
| 82 | Apply security context to your pods and containers | CKV_K8S_29 | /scenarios/hidden-in-layers/deployment.yaml | Job.default.hidden-in-layers |
| 83 | Apply security context to your pods and containers | CKV_K8S_30 | /scenarios/hidden-in-layers/deployment.yaml | Job.default.hidden-in-layers |
| 84 | Image Tag should be fixed - not latest or blank | CKV_K8S_14 | /scenarios/hidden-in-layers/deployment.yaml | Job.default.hidden-in-layers |
| 85 | Ensure that Service Account Tokens are only mounted where necessary | CKV_K8S_38 | /scenarios/hidden-in-layers/deployment.yaml | Job.default.hidden-in-layers |
| 86 | The default namespace should not be used | CKV_K8S_21 | /scenarios/hidden-in-layers/deployment.yaml | Job.default.hidden-in-layers |
| 87 | Minimize the admission of root containers | CKV_K8S_23 | /scenarios/hidden-in-layers/deployment.yaml | Job.default.hidden-in-layers |
| 88 | Image should use digest | CKV_K8S_43 | /scenarios/hidden-in-layers/deployment.yaml | Job.default.hidden-in-layers |
| 89 | CPU limits should be set | CKV_K8S_11 | /scenarios/hidden-in-layers/deployment.yaml | Job.default.hidden-in-layers |
| 90 | Minimize the admission of containers with capabilities assigned | CKV_K8S_37 | /scenarios/batch-check/job.yaml | Job.default.batch-check-job |
| 91 | Ensure that the seccomp profile is set to docker/default or runtime/default | CKV_K8S_31 | /scenarios/batch-check/job.yaml | Job.default.batch-check-job |
| 92 | Memory requests should be set | CKV_K8S_12 | /scenarios/batch-check/job.yaml | Job.default.batch-check-job |
| 93 | Containers should not run with allowPrivilegeEscalation | CKV_K8S_20 | /scenarios/batch-check/job.yaml | Job.default.batch-check-job |
| 94 | Memory limits should be set | CKV_K8S_13 | /scenarios/batch-check/job.yaml | Job.default.batch-check-job |
| 95 | Containers should run as a high UID to avoid host conflict | CKV_K8S_40 | /scenarios/batch-check/job.yaml | Job.default.batch-check-job |
| 96 | CPU requests should be set | CKV_K8S_10 | /scenarios/batch-check/job.yaml | Job.default.batch-check-job |
| 97 | Use read-only filesystem for containers where possible | CKV_K8S_22 | /scenarios/batch-check/job.yaml | Job.default.batch-check-job |
| 98 | Minimize the admission of containers with the NET_RAW capability | CKV_K8S_28 | /scenarios/batch-check/job.yaml | Job.default.batch-check-job |
| 99 | Apply security context to your pods and containers | CKV_K8S_29 | /scenarios/batch-check/job.yaml | Job.default.batch-check-job |
| 100 | Apply security context to your pods and containers | CKV_K8S_30 | /scenarios/batch-check/job.yaml | Job.default.batch-check-job |
| 101 | Image Tag should be fixed - not latest or blank | CKV_K8S_14 | /scenarios/batch-check/job.yaml | Job.default.batch-check-job |
| 102 | Ensure that Service Account Tokens are only mounted where necessary | CKV_K8S_38 | /scenarios/batch-check/job.yaml | Job.default.batch-check-job |
| 103 | The default namespace should not be used | CKV_K8S_21 | /scenarios/batch-check/job.yaml | Job.default.batch-check-job |
| 104 | Minimize the admission of root containers | CKV_K8S_23 | /scenarios/batch-check/job.yaml | Job.default.batch-check-job |
| 105 | Image should use digest | CKV_K8S_43 | /scenarios/batch-check/job.yaml | Job.default.batch-check-job |
| 106 | CPU limits should be set | CKV_K8S_11 | /scenarios/batch-check/job.yaml | Job.default.batch-check-job |
| 107 | Minimize wildcard use in Roles and ClusterRoles | CKV_K8S_49 | /scenarios/hunger-check/deployment.yaml | Role.big-monolith.secret-reader |
| 108 | Minimize the admission of containers with capabilities assigned | CKV_K8S_37 | /scenarios/hunger-check/deployment.yaml | Deployment.big-monolith.hunger-check-deployment |
| 109 | Ensure that the seccomp profile is set to docker/default or runtime/default | CKV_K8S_31 | /scenarios/hunger-check/deployment.yaml | Deployment.big-monolith.hunger-check-deployment |
| 110 | Liveness Probe Should be Configured | CKV_K8S_8 | /scenarios/hunger-check/deployment.yaml | Deployment.big-monolith.hunger-check-deployment |
| 111 | Memory requests should be set | CKV_K8S_12 | /scenarios/hunger-check/deployment.yaml | Deployment.big-monolith.hunger-check-deployment |
| 112 | Containers should not run with allowPrivilegeEscalation | CKV_K8S_20 | /scenarios/hunger-check/deployment.yaml | Deployment.big-monolith.hunger-check-deployment |
| 113 | Memory limits should be set | CKV_K8S_13 | /scenarios/hunger-check/deployment.yaml | Deployment.big-monolith.hunger-check-deployment |
| 114 | Containers should run as a high UID to avoid host conflict | CKV_K8S_40 | /scenarios/hunger-check/deployment.yaml | Deployment.big-monolith.hunger-check-deployment |
| 115 | CPU requests should be set | CKV_K8S_10 | /scenarios/hunger-check/deployment.yaml | Deployment.big-monolith.hunger-check-deployment |
| 116 | Use read-only filesystem for containers where possible | CKV_K8S_22 | /scenarios/hunger-check/deployment.yaml | Deployment.big-monolith.hunger-check-deployment |
| 117 | Readiness Probe Should be Configured | CKV_K8S_9 | /scenarios/hunger-check/deployment.yaml | Deployment.big-monolith.hunger-check-deployment |
| 118 | Minimize the admission of containers with the NET_RAW capability | CKV_K8S_28 | /scenarios/hunger-check/deployment.yaml | Deployment.big-monolith.hunger-check-deployment |
| 119 | Apply security context to your pods and containers | CKV_K8S_29 | /scenarios/hunger-check/deployment.yaml | Deployment.big-monolith.hunger-check-deployment |
| 120 | Apply security context to your pods and containers | CKV_K8S_30 | /scenarios/hunger-check/deployment.yaml | Deployment.big-monolith.hunger-check-deployment |
| 121 | Image Tag should be fixed - not latest or blank | CKV_K8S_14 | /scenarios/hunger-check/deployment.yaml | Deployment.big-monolith.hunger-check-deployment |
| 122 | Ensure that Service Account Tokens are only mounted where necessary | CKV_K8S_38 | /scenarios/hunger-check/deployment.yaml | Deployment.big-monolith.hunger-check-deployment |
| 123 | Minimize the admission of root containers | CKV_K8S_23 | /scenarios/hunger-check/deployment.yaml | Deployment.big-monolith.hunger-check-deployment |
| 124 | Image should use digest | CKV_K8S_43 | /scenarios/hunger-check/deployment.yaml | Deployment.big-monolith.hunger-check-deployment |
| 125 | CPU limits should be set | CKV_K8S_11 | /scenarios/hunger-check/deployment.yaml | Deployment.big-monolith.hunger-check-deployment |
| 126 | Minimize the admission of containers with capabilities assigned | CKV_K8S_37 | /scenarios/poor-registry/deployment.yaml | Deployment.default.poor-registry-deployment |
| 127 | Ensure that the seccomp profile is set to docker/default or runtime/default | CKV_K8S_31 | /scenarios/poor-registry/deployment.yaml | Deployment.default.poor-registry-deployment |
| 128 | Liveness Probe Should be Configured | CKV_K8S_8 | /scenarios/poor-registry/deployment.yaml | Deployment.default.poor-registry-deployment |
| 129 | Memory requests should be set | CKV_K8S_12 | /scenarios/poor-registry/deployment.yaml | Deployment.default.poor-registry-deployment |
| 130 | Containers should not run with allowPrivilegeEscalation | CKV_K8S_20 | /scenarios/poor-registry/deployment.yaml | Deployment.default.poor-registry-deployment |
| 131 | Containers should run as a high UID to avoid host conflict | CKV_K8S_40 | /scenarios/poor-registry/deployment.yaml | Deployment.default.poor-registry-deployment |
| 132 | CPU requests should be set | CKV_K8S_10 | /scenarios/poor-registry/deployment.yaml | Deployment.default.poor-registry-deployment |
| 133 | Use read-only filesystem for containers where possible | CKV_K8S_22 | /scenarios/poor-registry/deployment.yaml | Deployment.default.poor-registry-deployment |
| 134 | Readiness Probe Should be Configured | CKV_K8S_9 | /scenarios/poor-registry/deployment.yaml | Deployment.default.poor-registry-deployment |
| 135 | Minimize the admission of containers with the NET_RAW capability | CKV_K8S_28 | /scenarios/poor-registry/deployment.yaml | Deployment.default.poor-registry-deployment |
| 136 | Apply security context to your pods and containers | CKV_K8S_29 | /scenarios/poor-registry/deployment.yaml | Deployment.default.poor-registry-deployment |
| 137 | Apply security context to your pods and containers | CKV_K8S_30 | /scenarios/poor-registry/deployment.yaml | Deployment.default.poor-registry-deployment |
| 138 | Image Tag should be fixed - not latest or blank | CKV_K8S_14 | /scenarios/poor-registry/deployment.yaml | Deployment.default.poor-registry-deployment |
| 139 | Ensure that Service Account Tokens are only mounted where necessary | CKV_K8S_38 | /scenarios/poor-registry/deployment.yaml | Deployment.default.poor-registry-deployment |
| 140 | The default namespace should not be used | CKV_K8S_21 | /scenarios/poor-registry/deployment.yaml | Deployment.default.poor-registry-deployment |
| 141 | Minimize the admission of root containers | CKV_K8S_23 | /scenarios/poor-registry/deployment.yaml | Deployment.default.poor-registry-deployment |
| 142 | Image should use digest | CKV_K8S_43 | /scenarios/poor-registry/deployment.yaml | Deployment.default.poor-registry-deployment |
| 143 | The default namespace should not be used | CKV_K8S_21 | /scenarios/poor-registry/deployment.yaml | Service.default.poor-registry-service |
| 144 | Minimize the admission of containers with capabilities assigned | CKV_K8S_37 | /scenarios/kube-bench-security/master-job.yaml | Job.default.kube-bench-master |
| 145 | Ensure that the seccomp profile is set to docker/default or runtime/default | CKV_K8S_31 | /scenarios/kube-bench-security/master-job.yaml | Job.default.kube-bench-master |
| 146 | Memory requests should be set | CKV_K8S_12 | /scenarios/kube-bench-security/master-job.yaml | Job.default.kube-bench-master |
| 147 | Containers should not run with allowPrivilegeEscalation | CKV_K8S_20 | /scenarios/kube-bench-security/master-job.yaml | Job.default.kube-bench-master |
| 148 | Memory limits should be set | CKV_K8S_13 | /scenarios/kube-bench-security/master-job.yaml | Job.default.kube-bench-master |
| 149 | Containers should run as a high UID to avoid host conflict | CKV_K8S_40 | /scenarios/kube-bench-security/master-job.yaml | Job.default.kube-bench-master |
| 150 | CPU requests should be set | CKV_K8S_10 | /scenarios/kube-bench-security/master-job.yaml | Job.default.kube-bench-master |
| 151 | Use read-only filesystem for containers where possible | CKV_K8S_22 | /scenarios/kube-bench-security/master-job.yaml | Job.default.kube-bench-master |
| 152 | Containers should not share the host process ID namespace | CKV_K8S_17 | /scenarios/kube-bench-security/master-job.yaml | Job.default.kube-bench-master |
| 153 | Minimize the admission of containers with the NET_RAW capability | CKV_K8S_28 | /scenarios/kube-bench-security/master-job.yaml | Job.default.kube-bench-master |
| 154 | Apply security context to your pods and containers | CKV_K8S_29 | /scenarios/kube-bench-security/master-job.yaml | Job.default.kube-bench-master |
| 155 | Apply security context to your pods and containers | CKV_K8S_30 | /scenarios/kube-bench-security/master-job.yaml | Job.default.kube-bench-master |
| 156 | Image Tag should be fixed - not latest or blank | CKV_K8S_14 | /scenarios/kube-bench-security/master-job.yaml | Job.default.kube-bench-master |
| 157 | Ensure that Service Account Tokens are only mounted where necessary | CKV_K8S_38 | /scenarios/kube-bench-security/master-job.yaml | Job.default.kube-bench-master |
| 158 | The default namespace should not be used | CKV_K8S_21 | /scenarios/kube-bench-security/master-job.yaml | Job.default.kube-bench-master |
| 159 | Minimize the admission of root containers | CKV_K8S_23 | /scenarios/kube-bench-security/master-job.yaml | Job.default.kube-bench-master |
| 160 | Image should use digest | CKV_K8S_43 | /scenarios/kube-bench-security/master-job.yaml | Job.default.kube-bench-master |
| 161 | CPU limits should be set | CKV_K8S_11 | /scenarios/kube-bench-security/master-job.yaml | Job.default.kube-bench-master |
| 162 | Minimize the admission of containers with capabilities assigned | CKV_K8S_37 | /scenarios/kube-bench-security/node-job.yaml | Job.default.kube-bench-node |
| 163 | Ensure that the seccomp profile is set to docker/default or runtime/default | CKV_K8S_31 | /scenarios/kube-bench-security/node-job.yaml | Job.default.kube-bench-node |
| 164 | Memory requests should be set | CKV_K8S_12 | /scenarios/kube-bench-security/node-job.yaml | Job.default.kube-bench-node |
| 165 | Containers should not run with allowPrivilegeEscalation | CKV_K8S_20 | /scenarios/kube-bench-security/node-job.yaml | Job.default.kube-bench-node |
| 166 | Memory limits should be set | CKV_K8S_13 | /scenarios/kube-bench-security/node-job.yaml | Job.default.kube-bench-node |
| 167 | Containers should run as a high UID to avoid host conflict | CKV_K8S_40 | /scenarios/kube-bench-security/node-job.yaml | Job.default.kube-bench-node |
| 168 | CPU requests should be set | CKV_K8S_10 | /scenarios/kube-bench-security/node-job.yaml | Job.default.kube-bench-node |
| 169 | Use read-only filesystem for containers where possible | CKV_K8S_22 | /scenarios/kube-bench-security/node-job.yaml | Job.default.kube-bench-node |
| 170 | Containers should not share the host process ID namespace | CKV_K8S_17 | /scenarios/kube-bench-security/node-job.yaml | Job.default.kube-bench-node |
| 171 | Minimize the admission of containers with the NET_RAW capability | CKV_K8S_28 | /scenarios/kube-bench-security/node-job.yaml | Job.default.kube-bench-node |
| 172 | Apply security context to your pods and containers | CKV_K8S_29 | /scenarios/kube-bench-security/node-job.yaml | Job.default.kube-bench-node |
| 173 | Apply security context to your pods and containers | CKV_K8S_30 | /scenarios/kube-bench-security/node-job.yaml | Job.default.kube-bench-node |
| 174 | Image Tag should be fixed - not latest or blank | CKV_K8S_14 | /scenarios/kube-bench-security/node-job.yaml | Job.default.kube-bench-node |
| 175 | Ensure that Service Account Tokens are only mounted where necessary | CKV_K8S_38 | /scenarios/kube-bench-security/node-job.yaml | Job.default.kube-bench-node |
| 176 | The default namespace should not be used | CKV_K8S_21 | /scenarios/kube-bench-security/node-job.yaml | Job.default.kube-bench-node |
| 177 | Minimize the admission of root containers | CKV_K8S_23 | /scenarios/kube-bench-security/node-job.yaml | Job.default.kube-bench-node |
| 178 | Image should use digest | CKV_K8S_43 | /scenarios/kube-bench-security/node-job.yaml | Job.default.kube-bench-node |
| 179 | CPU limits should be set | CKV_K8S_11 | /scenarios/kube-bench-security/node-job.yaml | Job.default.kube-bench-node |
| 180 | Minimize the admission of containers with capabilities assigned | CKV_K8S_37 | /scenarios/health-check/deployment.yaml | Deployment.default.health-check-deployment |
| 181 | Ensure that the seccomp profile is set to docker/default or runtime/default | CKV_K8S_31 | /scenarios/health-check/deployment.yaml | Deployment.default.health-check-deployment |
| 182 | Liveness Probe Should be Configured | CKV_K8S_8 | /scenarios/health-check/deployment.yaml | Deployment.default.health-check-deployment |
| 183 | Memory requests should be set | CKV_K8S_12 | /scenarios/health-check/deployment.yaml | Deployment.default.health-check-deployment |
| 184 | Containers should not run with allowPrivilegeEscalation | CKV_K8S_20 | /scenarios/health-check/deployment.yaml | Deployment.default.health-check-deployment |
| 185 | Do not expose the docker daemon socket to containers | CKV_K8S_27 | /scenarios/health-check/deployment.yaml | Deployment.default.health-check-deployment |
| 186 | Containers should run as a high UID to avoid host conflict | CKV_K8S_40 | /scenarios/health-check/deployment.yaml | Deployment.default.health-check-deployment |
| 187 | CPU requests should be set | CKV_K8S_10 | /scenarios/health-check/deployment.yaml | Deployment.default.health-check-deployment |
| 188 | Container should not be privileged | CKV_K8S_16 | /scenarios/health-check/deployment.yaml | Deployment.default.health-check-deployment |
| 189 | Use read-only filesystem for containers where possible | CKV_K8S_22 | /scenarios/health-check/deployment.yaml | Deployment.default.health-check-deployment |
| 190 | Readiness Probe Should be Configured | CKV_K8S_9 | /scenarios/health-check/deployment.yaml | Deployment.default.health-check-deployment |
| 191 | Minimize the admission of containers with the NET_RAW capability | CKV_K8S_28 | /scenarios/health-check/deployment.yaml | Deployment.default.health-check-deployment |
| 192 | Apply security context to your pods and containers | CKV_K8S_29 | /scenarios/health-check/deployment.yaml | Deployment.default.health-check-deployment |
| 193 | Image Tag should be fixed - not latest or blank | CKV_K8S_14 | /scenarios/health-check/deployment.yaml | Deployment.default.health-check-deployment |
| 194 | Ensure that Service Account Tokens are only mounted where necessary | CKV_K8S_38 | /scenarios/health-check/deployment.yaml | Deployment.default.health-check-deployment |
| 195 | The default namespace should not be used | CKV_K8S_21 | /scenarios/health-check/deployment.yaml | Deployment.default.health-check-deployment |
| 196 | Minimize the admission of root containers | CKV_K8S_23 | /scenarios/health-check/deployment.yaml | Deployment.default.health-check-deployment |
| 197 | Image should use digest | CKV_K8S_43 | /scenarios/health-check/deployment.yaml | Deployment.default.health-check-deployment |
| 198 | The default namespace should not be used | CKV_K8S_21 | /scenarios/health-check/deployment.yaml | Service.default.health-check-service |
| 199 | Minimize the admission of containers with capabilities assigned | CKV_K8S_37 | /scenarios/health-check/deployment-kind.yaml | Deployment.default.health-check-deployment |
| 200 | Ensure that the seccomp profile is set to docker/default or runtime/default | CKV_K8S_31 | /scenarios/health-check/deployment-kind.yaml | Deployment.default.health-check-deployment |
| 201 | Liveness Probe Should be Configured | CKV_K8S_8 | /scenarios/health-check/deployment-kind.yaml | Deployment.default.health-check-deployment |
| 202 | Memory requests should be set | CKV_K8S_12 | /scenarios/health-check/deployment-kind.yaml | Deployment.default.health-check-deployment |
| 203 | Containers should not run with allowPrivilegeEscalation | CKV_K8S_20 | /scenarios/health-check/deployment-kind.yaml | Deployment.default.health-check-deployment |
| 204 | Do not expose the docker daemon socket to containers | CKV_K8S_27 | /scenarios/health-check/deployment-kind.yaml | Deployment.default.health-check-deployment |
| 205 | Containers should run as a high UID to avoid host conflict | CKV_K8S_40 | /scenarios/health-check/deployment-kind.yaml | Deployment.default.health-check-deployment |
| 206 | CPU requests should be set | CKV_K8S_10 | /scenarios/health-check/deployment-kind.yaml | Deployment.default.health-check-deployment |
| 207 | Container should not be privileged | CKV_K8S_16 | /scenarios/health-check/deployment-kind.yaml | Deployment.default.health-check-deployment |
| 208 | Use read-only filesystem for containers where possible | CKV_K8S_22 | /scenarios/health-check/deployment-kind.yaml | Deployment.default.health-check-deployment |
| 209 | Readiness Probe Should be Configured | CKV_K8S_9 | /scenarios/health-check/deployment-kind.yaml | Deployment.default.health-check-deployment |
| 210 | Minimize the admission of containers with the NET_RAW capability | CKV_K8S_28 | /scenarios/health-check/deployment-kind.yaml | Deployment.default.health-check-deployment |
| 211 | Apply security context to your pods and containers | CKV_K8S_29 | /scenarios/health-check/deployment-kind.yaml | Deployment.default.health-check-deployment |
| 212 | Image Tag should be fixed - not latest or blank | CKV_K8S_14 | /scenarios/health-check/deployment-kind.yaml | Deployment.default.health-check-deployment |
| 213 | Ensure that Service Account Tokens are only mounted where necessary | CKV_K8S_38 | /scenarios/health-check/deployment-kind.yaml | Deployment.default.health-check-deployment |
| 214 | The default namespace should not be used | CKV_K8S_21 | /scenarios/health-check/deployment-kind.yaml | Deployment.default.health-check-deployment |
| 215 | Minimize the admission of root containers | CKV_K8S_23 | /scenarios/health-check/deployment-kind.yaml | Deployment.default.health-check-deployment |
| 216 | Image should use digest | CKV_K8S_43 | /scenarios/health-check/deployment-kind.yaml | Deployment.default.health-check-deployment |
| 217 | The default namespace should not be used | CKV_K8S_21 | /scenarios/health-check/deployment-kind.yaml | Service.default.health-check-service |
| 218 | Minimize the admission of containers with capabilities assigned | CKV_K8S_37 | /scenarios/internal-proxy/deployment.yaml | Deployment.default.internal-proxy-deployment |
| 219 | Ensure that the seccomp profile is set to docker/default or runtime/default | CKV_K8S_31 | /scenarios/internal-proxy/deployment.yaml | Deployment.default.internal-proxy-deployment |
| 220 | Liveness Probe Should be Configured | CKV_K8S_8 | /scenarios/internal-proxy/deployment.yaml | Deployment.default.internal-proxy-deployment |
| 221 | Containers should not run with allowPrivilegeEscalation | CKV_K8S_20 | /scenarios/internal-proxy/deployment.yaml | Deployment.default.internal-proxy-deployment |
| 222 | Containers should run as a high UID to avoid host conflict | CKV_K8S_40 | /scenarios/internal-proxy/deployment.yaml | Deployment.default.internal-proxy-deployment |
| 223 | Use read-only filesystem for containers where possible | CKV_K8S_22 | /scenarios/internal-proxy/deployment.yaml | Deployment.default.internal-proxy-deployment |
| 224 | Readiness Probe Should be Configured | CKV_K8S_9 | /scenarios/internal-proxy/deployment.yaml | Deployment.default.internal-proxy-deployment |
| 225 | Minimize the admission of containers with the NET_RAW capability | CKV_K8S_28 | /scenarios/internal-proxy/deployment.yaml | Deployment.default.internal-proxy-deployment |
| 226 | Apply security context to your pods and containers | CKV_K8S_29 | /scenarios/internal-proxy/deployment.yaml | Deployment.default.internal-proxy-deployment |
| 227 | Apply security context to your pods and containers | CKV_K8S_30 | /scenarios/internal-proxy/deployment.yaml | Deployment.default.internal-proxy-deployment |
| 228 | Image Tag should be fixed - not latest or blank | CKV_K8S_14 | /scenarios/internal-proxy/deployment.yaml | Deployment.default.internal-proxy-deployment |
| 229 | Ensure that Service Account Tokens are only mounted where necessary | CKV_K8S_38 | /scenarios/internal-proxy/deployment.yaml | Deployment.default.internal-proxy-deployment |
| 230 | The default namespace should not be used | CKV_K8S_21 | /scenarios/internal-proxy/deployment.yaml | Deployment.default.internal-proxy-deployment |
| 231 | Minimize the admission of root containers | CKV_K8S_23 | /scenarios/internal-proxy/deployment.yaml | Deployment.default.internal-proxy-deployment |
| 232 | Image should use digest | CKV_K8S_43 | /scenarios/internal-proxy/deployment.yaml | Deployment.default.internal-proxy-deployment |
| 233 | The default namespace should not be used | CKV_K8S_21 | /scenarios/internal-proxy/deployment.yaml | Service.default.internal-proxy-api-service |
| 234 | The default namespace should not be used | CKV_K8S_21 | /scenarios/internal-proxy/deployment.yaml | Service.default.internal-proxy-info-app-service |
| 235 | The default namespace should not be used | CKV_K8S_21 | /scenarios/system-monitor/deployment.yaml | Secret.default.goatvault |
| 236 | Minimize the admission of containers with capabilities assigned | CKV_K8S_37 | /scenarios/system-monitor/deployment.yaml | Deployment.default.system-monitor-deployment |
| 237 | Ensure that the seccomp profile is set to docker/default or runtime/default | CKV_K8S_31 | /scenarios/system-monitor/deployment.yaml | Deployment.default.system-monitor-deployment |
| 238 | Liveness Probe Should be Configured | CKV_K8S_8 | /scenarios/system-monitor/deployment.yaml | Deployment.default.system-monitor-deployment |
| 239 | Memory requests should be set | CKV_K8S_12 | /scenarios/system-monitor/deployment.yaml | Deployment.default.system-monitor-deployment |
| 240 | Containers should not run with allowPrivilegeEscalation | CKV_K8S_20 | /scenarios/system-monitor/deployment.yaml | Deployment.default.system-monitor-deployment |
| 241 | Containers should run as a high UID to avoid host conflict | CKV_K8S_40 | /scenarios/system-monitor/deployment.yaml | Deployment.default.system-monitor-deployment |
| 242 | CPU requests should be set | CKV_K8S_10 | /scenarios/system-monitor/deployment.yaml | Deployment.default.system-monitor-deployment |
| 243 | Container should not be privileged | CKV_K8S_16 | /scenarios/system-monitor/deployment.yaml | Deployment.default.system-monitor-deployment |
| 244 | Containers should not share the host network namespace | CKV_K8S_19 | /scenarios/system-monitor/deployment.yaml | Deployment.default.system-monitor-deployment |
| 245 | Use read-only filesystem for containers where possible | CKV_K8S_22 | /scenarios/system-monitor/deployment.yaml | Deployment.default.system-monitor-deployment |
| 246 | Readiness Probe Should be Configured | CKV_K8S_9 | /scenarios/system-monitor/deployment.yaml | Deployment.default.system-monitor-deployment |
| 247 | Prefer using secrets as files over secrets as environment variables | CKV_K8S_35 | /scenarios/system-monitor/deployment.yaml | Deployment.default.system-monitor-deployment |
| 248 | Containers should not share the host process ID namespace | CKV_K8S_17 | /scenarios/system-monitor/deployment.yaml | Deployment.default.system-monitor-deployment |
| 249 | Containers should not share the host IPC namespace | CKV_K8S_18 | /scenarios/system-monitor/deployment.yaml | Deployment.default.system-monitor-deployment |
| 250 | Minimize the admission of containers with the NET_RAW capability | CKV_K8S_28 | /scenarios/system-monitor/deployment.yaml | Deployment.default.system-monitor-deployment |
| 251 | Apply security context to your pods and containers | CKV_K8S_29 | /scenarios/system-monitor/deployment.yaml | Deployment.default.system-monitor-deployment |
| 252 | Image Tag should be fixed - not latest or blank | CKV_K8S_14 | /scenarios/system-monitor/deployment.yaml | Deployment.default.system-monitor-deployment |
| 253 | Ensure that Service Account Tokens are only mounted where necessary | CKV_K8S_38 | /scenarios/system-monitor/deployment.yaml | Deployment.default.system-monitor-deployment |
| 254 | The default namespace should not be used | CKV_K8S_21 | /scenarios/system-monitor/deployment.yaml | Deployment.default.system-monitor-deployment |
| 255 | Minimize the admission of root containers | CKV_K8S_23 | /scenarios/system-monitor/deployment.yaml | Deployment.default.system-monitor-deployment |
| 256 | Image should use digest | CKV_K8S_43 | /scenarios/system-monitor/deployment.yaml | Deployment.default.system-monitor-deployment |
| 257 | The default namespace should not be used | CKV_K8S_21 | /scenarios/system-monitor/deployment.yaml | Service.default.system-monitor-service |
| 258 | Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests | CKV_K8S_156 | /infrastructure/helm-tiller/pwnchart/templates/clusterrole.yaml | ClusterRole.default.all-your-base |
| 259 | Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles | CKV_K8S_158 | /infrastructure/helm-tiller/pwnchart/templates/clusterrole.yaml | ClusterRole.default.all-your-base |
| 260 | Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations | CKV_K8S_155 | /infrastructure/helm-tiller/pwnchart/templates/clusterrole.yaml | ClusterRole.default.all-your-base |
| 261 | Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings | CKV_K8S_157 | /infrastructure/helm-tiller/pwnchart/templates/clusterrole.yaml | ClusterRole.default.all-your-base |
| 262 | Minimize wildcard use in Roles and ClusterRoles | CKV_K8S_49 | /infrastructure/helm-tiller/pwnchart/templates/clusterrole.yaml | ClusterRole.default.all-your-base |
Helm Charts issues report
| | check_name | check_id | file | resource |
|---|---|---|---|---|
| 0 | Minimize the admission of containers with capabilities assigned | CKV_K8S_37 | /metadata-db/templates/deployment.yaml | Deployment.default.release-name-metadata-db |
| 1 | Ensure that the seccomp profile is set to docker/default or runtime/default | CKV_K8S_31 | /metadata-db/templates/deployment.yaml | Deployment.default.release-name-metadata-db |
| 2 | Containers should not run with allowPrivilegeEscalation | CKV_K8S_20 | /metadata-db/templates/deployment.yaml | Deployment.default.release-name-metadata-db |
| 3 | Containers should run as a high UID to avoid host conflict | CKV_K8S_40 | /metadata-db/templates/deployment.yaml | Deployment.default.release-name-metadata-db |
| 4 | Use read-only filesystem for containers where possible | CKV_K8S_22 | /metadata-db/templates/deployment.yaml | Deployment.default.release-name-metadata-db |
| 5 | Minimize the admission of containers with the NET_RAW capability | CKV_K8S_28 | /metadata-db/templates/deployment.yaml | Deployment.default.release-name-metadata-db |
| 6 | Apply security context to your pods and containers | CKV_K8S_29 | /metadata-db/templates/deployment.yaml | Deployment.default.release-name-metadata-db |
| 7 | Apply security context to your pods and containers | CKV_K8S_30 | /metadata-db/templates/deployment.yaml | Deployment.default.release-name-metadata-db |
| 8 | Image Tag should be fixed - not latest or blank | CKV_K8S_14 | /metadata-db/templates/deployment.yaml | Deployment.default.release-name-metadata-db |
| 9 | Ensure that Service Account Tokens are only mounted where necessary | CKV_K8S_38 | /metadata-db/templates/deployment.yaml | Deployment.default.release-name-metadata-db |
| 10 | The default namespace should not be used | CKV_K8S_21 | /metadata-db/templates/deployment.yaml | Deployment.default.release-name-metadata-db |
| 11 | Minimize the admission of root containers | CKV_K8S_23 | /metadata-db/templates/deployment.yaml | Deployment.default.release-name-metadata-db |
| 12 | Image should use digest | CKV_K8S_43 | /metadata-db/templates/deployment.yaml | Deployment.default.release-name-metadata-db |
| 13 | The default namespace should not be used | CKV_K8S_21 | /metadata-db/templates/service.yaml | Service.default.release-name-metadata-db |
| 14 | Minimize the admission of containers with capabilities assigned | CKV_K8S_37 | /metadata-db/templates/tests/test-connection.yaml | Pod.default.release-name-metadata-db-test-connection |
| 15 | Ensure that the seccomp profile is set to docker/default or runtime/default | CKV_K8S_31 | /metadata-db/templates/tests/test-connection.yaml | Pod.default.release-name-metadata-db-test-connection |
| 16 | Liveness Probe Should be Configured | CKV_K8S_8 | /metadata-db/templates/tests/test-connection.yaml | Pod.default.release-name-metadata-db-test-connection |
| 17 | Memory requests should be set | CKV_K8S_12 | /metadata-db/templates/tests/test-connection.yaml | Pod.default.release-name-metadata-db-test-connection |
| 18 | Containers should not run with allowPrivilegeEscalation | CKV_K8S_20 | /metadata-db/templates/tests/test-connection.yaml | Pod.default.release-name-metadata-db-test-connection |
| 19 | Memory limits should be set | CKV_K8S_13 | /metadata-db/templates/tests/test-connection.yaml | Pod.default.release-name-metadata-db-test-connection |
| 20 | Containers should run as a high UID to avoid host conflict | CKV_K8S_40 | /metadata-db/templates/tests/test-connection.yaml | Pod.default.release-name-metadata-db-test-connection |
| 21 | CPU requests should be set | CKV_K8S_10 | /metadata-db/templates/tests/test-connection.yaml | Pod.default.release-name-metadata-db-test-connection |
| 22 | Use read-only filesystem for containers where possible | CKV_K8S_22 | /metadata-db/templates/tests/test-connection.yaml | Pod.default.release-name-metadata-db-test-connection |
| 23 | Readiness Probe Should be Configured | CKV_K8S_9 | /metadata-db/templates/tests/test-connection.yaml | Pod.default.release-name-metadata-db-test-connection |
| 24 | Minimize the admission of containers with the NET_RAW capability | CKV_K8S_28 | /metadata-db/templates/tests/test-connection.yaml | Pod.default.release-name-metadata-db-test-connection |
| 25 | Apply security context to your pods and containers | CKV_K8S_29 | /metadata-db/templates/tests/test-connection.yaml | Pod.default.release-name-metadata-db-test-connection |
| 26 | Apply security context to your pods and containers | CKV_K8S_30 | /metadata-db/templates/tests/test-connection.yaml | Pod.default.release-name-metadata-db-test-connection |
| 27 | Image Tag should be fixed - not latest or blank | CKV_K8S_14 | /metadata-db/templates/tests/test-connection.yaml | Pod.default.release-name-metadata-db-test-connection |
| 28 | Ensure that Service Account Tokens are only mounted where necessary | CKV_K8S_38 | /metadata-db/templates/tests/test-connection.yaml | Pod.default.release-name-metadata-db-test-connection |
| 29 | The default namespace should not be used | CKV_K8S_21 | /metadata-db/templates/tests/test-connection.yaml | Pod.default.release-name-metadata-db-test-connection |
| 30 | Minimize the admission of root containers | CKV_K8S_23 | /metadata-db/templates/tests/test-connection.yaml | Pod.default.release-name-metadata-db-test-connection |
| 31 | Image should use digest | CKV_K8S_43 | /metadata-db/templates/tests/test-connection.yaml | Pod.default.release-name-metadata-db-test-connection |
| 32 | CPU limits should be set | CKV_K8S_11 | /metadata-db/templates/tests/test-connection.yaml | Pod.default.release-name-metadata-db-test-connection |
| 33 | Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests | CKV_K8S_156 | /pwnchart/templates/clusterrole.yaml | ClusterRole.default.all-your-base |
| 34 | Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles | CKV_K8S_158 | /pwnchart/templates/clusterrole.yaml | ClusterRole.default.all-your-base |
| 35 | Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations | CKV_K8S_155 | /pwnchart/templates/clusterrole.yaml | ClusterRole.default.all-your-base |
| 36 | Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings | CKV_K8S_157 | /pwnchart/templates/clusterrole.yaml | ClusterRole.default.all-your-base |
| 37 | Minimize wildcard use in Roles and ClusterRoles | CKV_K8S_49 | /pwnchart/templates/clusterrole.yaml | ClusterRole.default.all-your-base |
| 38 | Ensure that default service accounts are not actively used | CKV_K8S_42 | /pwnchart/templates/clusterrolebinding.yaml | ClusterRoleBinding.default.belong-to-us |
Dockerfiles issues report
| | check_name | check_id | file | resource |
|---|---|---|---|---|
| 0 | Ensure that APT isn't used | CKV_DOCKER_9 | /infrastructure/helm-tiller/Dockerfile | /infrastructure/helm-tiller/Dockerfile.RUN |
| 1 | Ensure that HEALTHCHECK instructions have been added to container images | CKV_DOCKER_2 | /infrastructure/helm-tiller/Dockerfile | /infrastructure/helm-tiller/Dockerfile. |
| 2 | Ensure that a user for the container has been created | CKV_DOCKER_3 | /infrastructure/helm-tiller/Dockerfile | /infrastructure/helm-tiller/Dockerfile. |
| 3 | Ensure that HEALTHCHECK instructions have been added to container images | CKV_DOCKER_2 | /infrastructure/cache-store/Dockerfile | /infrastructure/cache-store/Dockerfile. |
| 4 | Ensure that a user for the container has been created | CKV_DOCKER_3 | /infrastructure/cache-store/Dockerfile | /infrastructure/cache-store/Dockerfile. |
| 5 | Ensure the base image uses a non latest version tag | CKV_DOCKER_7 | /infrastructure/build-code/Dockerfile | /infrastructure/build-code/Dockerfile.FROM |
| 6 | Ensure that HEALTHCHECK instructions have been added to container images | CKV_DOCKER_2 | /infrastructure/build-code/Dockerfile | /infrastructure/build-code/Dockerfile. |
| 7 | Ensure that a user for the container has been created | CKV_DOCKER_3 | /infrastructure/build-code/Dockerfile | /infrastructure/build-code/Dockerfile. |
| 8 | Ensure the base image uses a non latest version tag | CKV_DOCKER_7 | /infrastructure/hidden-in-layers/Dockerfile | /infrastructure/hidden-in-layers/Dockerfile.FROM |
| 9 | Ensure that COPY is used instead of ADD in Dockerfiles | CKV_DOCKER_4 | /infrastructure/hidden-in-layers/Dockerfile | /infrastructure/hidden-in-layers/Dockerfile.ADD |
| 10 | Ensure that HEALTHCHECK instructions have been added to container images | CKV_DOCKER_2 | /infrastructure/hidden-in-layers/Dockerfile | /infrastructure/hidden-in-layers/Dockerfile. |
| 11 | Ensure that a user for the container has been created | CKV_DOCKER_3 | /infrastructure/hidden-in-layers/Dockerfile | /infrastructure/hidden-in-layers/Dockerfile. |
| 12 | Ensure the base image uses a non latest version tag | CKV_DOCKER_7 | /infrastructure/batch-check/Dockerfile | /infrastructure/batch-check/Dockerfile.FROM |
| 13 | Ensure that HEALTHCHECK instructions have been added to container images | CKV_DOCKER_2 | /infrastructure/batch-check/Dockerfile | /infrastructure/batch-check/Dockerfile. |
| 14 | Ensure that a user for the container has been created | CKV_DOCKER_3 | /infrastructure/batch-check/Dockerfile | /infrastructure/batch-check/Dockerfile. |
| 15 | Ensure that HEALTHCHECK instructions have been added to container images | CKV_DOCKER_2 | /infrastructure/users-repos/Dockerfile | /infrastructure/users-repos/Dockerfile. |
| 16 | Ensure that a user for the container has been created | CKV_DOCKER_3 | /infrastructure/users-repos/Dockerfile | /infrastructure/users-repos/Dockerfile. |
| 17 | Ensure that APT isn't used | CKV_DOCKER_9 | /infrastructure/hunger-check/Dockerfile | /infrastructure/hunger-check/Dockerfile.RUN |
| 18 | Ensure that HEALTHCHECK instructions have been added to container images | CKV_DOCKER_2 | /infrastructure/hunger-check/Dockerfile | /infrastructure/hunger-check/Dockerfile. |
| 19 | Ensure that a user for the container has been created | CKV_DOCKER_3 | /infrastructure/hunger-check/Dockerfile | /infrastructure/hunger-check/Dockerfile. |
| 20 | Ensure that HEALTHCHECK instructions have been added to container images | CKV_DOCKER_2 | /infrastructure/internal-api/Dockerfile | /infrastructure/internal-api/Dockerfile. |
| 21 | Ensure that a user for the container has been created | CKV_DOCKER_3 | /infrastructure/internal-api/Dockerfile | /infrastructure/internal-api/Dockerfile. |
| 22 | Ensure that HEALTHCHECK instructions have been added to container images | CKV_DOCKER_2 | /infrastructure/poor-registry/Dockerfile | /infrastructure/poor-registry/Dockerfile. |
| 23 | Ensure that a user for the container has been created | CKV_DOCKER_3 | /infrastructure/poor-registry/Dockerfile | /infrastructure/poor-registry/Dockerfile. |
| 24 | Ensure that APT isn't used | CKV_DOCKER_9 | /infrastructure/health-check/Dockerfile | /infrastructure/health-check/Dockerfile.RUN |
| 25 | Ensure that HEALTHCHECK instructions have been added to container images | CKV_DOCKER_2 | /infrastructure/health-check/Dockerfile | /infrastructure/health-check/Dockerfile. |
| 26 | Ensure that a user for the container has been created | CKV_DOCKER_3 | /infrastructure/health-check/Dockerfile | /infrastructure/health-check/Dockerfile. |
| 27 | Ensure that HEALTHCHECK instructions have been added to container images | CKV_DOCKER_2 | /infrastructure/info-app/Dockerfile | /infrastructure/info-app/Dockerfile. |
| 28 | Ensure that a user for the container has been created | CKV_DOCKER_3 | /infrastructure/info-app/Dockerfile | /infrastructure/info-app/Dockerfile. |
| 29 | Ensure that HEALTHCHECK instructions have been added to container images | CKV_DOCKER_2 | /infrastructure/metadata-db/Dockerfile | /infrastructure/metadata-db/Dockerfile. |
| 30 | Ensure that a user for the container has been created | CKV_DOCKER_3 | /infrastructure/metadata-db/Dockerfile | /infrastructure/metadata-db/Dockerfile. |
| 31 | Ensure that HEALTHCHECK instructions have been added to container images | CKV_DOCKER_2 | /infrastructure/system-monitor/Dockerfile | /infrastructure/system-monitor/Dockerfile. |
| 32 | Ensure that a user for the container has been created | CKV_DOCKER_3 | /infrastructure/system-monitor/Dockerfile | /infrastructure/system-monitor/Dockerfile. |
| 33 | Ensure the base image uses a non latest version tag | CKV_DOCKER_7 | /infrastructure/k8s-goat-home/Dockerfile | /infrastructure/k8s-goat-home/Dockerfile.FROM |
| 34 | Ensure that HEALTHCHECK instructions have been added to container images | CKV_DOCKER_2 | /infrastructure/k8s-goat-home/Dockerfile | /infrastructure/k8s-goat-home/Dockerfile. |
| 35 | Ensure that a user for the container has been created | CKV_DOCKER_3 | /infrastructure/k8s-goat-home/Dockerfile | /infrastructure/k8s-goat-home/Dockerfile. |