{"findings":[{"app":null,"type":"extscan","title":"Apply security context to your pods and containers.","description":"CIS Benchmark: **5.7.3**\n\nApply Security Context to Your Pods and Containers.\n\nA security context defines the operating system security settings (uid, gid, capabilities, SELinux role, etc..) applied to a container. When designing your containers and pods, make sure that you configure the security context for your pods, containers, and volumes. A security context is a property defined in the deployment yaml. It controls the security parameters that will be assigned to the pod/container/volume. There are two levels of security context: pod level security context, and container level security context.\n\n## Remediation\n\nFollow the Kubernetes documentation and apply security contexts to your pods. For a suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker Containers.\n\n\n## Additional information\n\n- [CIS Docker Benchmark](https://www.cisecurity.org/benchmark/docker/)\n- [Docker Benchmark Scripts](https://github.com/docker/docker-bench-security)","internal_id":"CKV_K8S_29/db45ee39caa16b8b904679fdc9900ab7","severity":"moderate","owasp_category":"a6-misconfiguration","category":"PodSecurityContext","details":{"repoContext":{"gitProvider":"","ciProvider":"","repositoryName":"","repositoryUri":"","revisionId":"","branch":"master","invokedBy":"","pullRequest":false,"botUser":false},"name":"Apply security context to your pods and containers.","tags":"Scan","fileName":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml","DATA_TYPE":"OSS_SCAN","lineNumber":19,"ruleId":"CKV_K8S_29","ruleName":"PodSecurityContext","contextText":"19 apiVersion: v1\n","snippetText":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"tags":[{"key":"cis_category","value":"5.7.3","shiftleft_managed":false}]},{"app":null,"type":"extscan","title":"Use read-only filesystem for containers where possible.","description":"Use read-only 
filesystem for containers where possible.\n\n## Additional information\n\n**[ReadOnlyFilesystem](https://appthreat.com?q=CKV_K8S_22)**\n\n## Documentation\n\n- [AWS Terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)\n- [Azure Terraform](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs)\n- [Google Cloud Terraform](https://registry.terraform.io/providers/hashicorp/google/latest/docs)","internal_id":"CKV_K8S_22/e6dab018803baba902fd63cdf469ba50","severity":"moderate","owasp_category":"a6-misconfiguration","category":"ReadOnlyFilesystem","details":{"repoContext":{"gitProvider":"","ciProvider":"","repositoryName":"","repositoryUri":"","revisionId":"","branch":"master","invokedBy":"","pullRequest":false,"botUser":false},"name":"Use read-only filesystem for containers where possible.","tags":"Scan","fileName":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml","DATA_TYPE":"OSS_SCAN","lineNumber":19,"ruleId":"CKV_K8S_22","ruleName":"ReadOnlyFilesystem","contextText":"19 apiVersion: v1\n","snippetText":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"tags":[]},{"app":null,"type":"extscan","title":"Containers should run as a high UID to avoid host conflict.","description":"Containers should run as a high UID to avoid host conflict.\n\n## Additional information\n\n**[RootContainersHighUID](https://appthreat.com?q=CKV_K8S_40)**\n\n## Documentation\n\n- [AWS Terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)\n- [Azure Terraform](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs)\n- [Google Cloud 
Terraform](https://registry.terraform.io/providers/hashicorp/google/latest/docs)","internal_id":"CKV_K8S_40/4cedd9637f825376a4ecb07f026c1a5b","severity":"moderate","owasp_category":"a6-misconfiguration","category":"RootContainersHighUID","details":{"repoContext":{"gitProvider":"","ciProvider":"","repositoryName":"","repositoryUri":"","revisionId":"","branch":"master","invokedBy":"","pullRequest":false,"botUser":false},"name":"Containers should run as a high UID to avoid host conflict.","tags":"Scan","fileName":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml","DATA_TYPE":"OSS_SCAN","lineNumber":19,"ruleId":"CKV_K8S_40","ruleName":"RootContainersHighUID","contextText":"19 apiVersion: v1\n","snippetText":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"tags":[]},{"app":null,"type":"extscan","title":"Minimize the admission of containers with the NET_RAW capability.","description":"CIS Benchmark: **5.2.7**\n\nDo not generally permit containers with the potentially dangerous NET_RAW capability.\n\nContainers run with a default set of capabilities as assigned by the Container Runtime. By default this can include potentially dangerous capabilities. With Docker as the container runtime the NET_RAW capability is enabled which may be misused by malicious containers. Ideally, all containers should drop this capability. There should be at least one PodSecurityPolicy (PSP) defined which prevents containers with the NET_RAW capability from launching. 
If you need to run containers with this capability, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Remediation\n\nCreate a PodSecurityPolicy (PSP) as described in the Kubernetes documentation, ensuring that `.spec.requiredDropCapabilities` is set to include either `NET_RAW` or `ALL`.\n```yaml\napiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n  name: example\nspec:\n  privileged: false # Don't allow privileged pods!\n  # Required to prevent escalations to root.\n  allowPrivilegeEscalation: false\n  requiredDropCapabilities:\n    - ALL\n  ...\n```\n\nNote that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; on current clusters enforce the same constraint with Pod Security Admission (the `restricted` profile requires every container to drop `ALL`) or a policy admission controller. Independently of cluster policy, this finding is evaluated against the scanned manifest: each container in `pod.yaml` should declare `securityContext.capabilities.drop` containing `NET_RAW` or `ALL`.\n\n\n## Additional information\n\n- [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n- [Privilege Escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation)","internal_id":"CKV_K8S_28/001f5c06f4693230d02203c9f5e965e4","severity":"moderate","owasp_category":"a6-misconfiguration","category":"DropCapabilities","details":{"repoContext":{"gitProvider":"","ciProvider":"","repositoryName":"","repositoryUri":"","revisionId":"","branch":"master","invokedBy":"","pullRequest":false,"botUser":false},"name":"Minimize the admission of containers with the NET_RAW capability.","tags":"Scan","fileName":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml","DATA_TYPE":"OSS_SCAN","lineNumber":19,"ruleId":"CKV_K8S_28","ruleName":"DropCapabilities","contextText":"19 apiVersion: v1\n","snippetText":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"tags":[{"key":"cis_category","value":"5.2.7","shiftleft_managed":false}]},{"app":null,"type":"extscan","title":"Image Pull Policy should be Always.","description":"Image Pull Policy should be Always.\n\n## Additional information\n\n**[ImagePullPolicyAlways](https://appthreat.com?q=CKV_K8S_15)**\n\n## Documentation\n\n- [AWS 
Terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)\n- [Azure Terraform](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs)\n- [Google Cloud Terraform](https://registry.terraform.io/providers/hashicorp/google/latest/docs)","internal_id":"CKV_K8S_15/5a6942c8c3c7c3b251aa81bb30f0f4eb","severity":"moderate","owasp_category":"a6-misconfiguration","category":"ImagePullPolicyAlways","details":{"repoContext":{"gitProvider":"","ciProvider":"","repositoryName":"","repositoryUri":"","revisionId":"","branch":"master","invokedBy":"","pullRequest":false,"botUser":false},"name":"Image Pull Policy should be Always.","tags":"Scan","fileName":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml","DATA_TYPE":"OSS_SCAN","lineNumber":19,"ruleId":"CKV_K8S_15","ruleName":"ImagePullPolicyAlways","contextText":"19 apiVersion: v1\n","snippetText":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"tags":[]},{"app":null,"type":"extscan","title":"Readiness Probe Should be Configured.","description":"Readiness Probe Should be Configured.\n\n## Additional information\n\n**[ReadinessProbe](https://appthreat.com?q=CKV_K8S_9)**\n\n## Documentation\n\n- [AWS Terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)\n- [Azure Terraform](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs)\n- [Google Cloud Terraform](https://registry.terraform.io/providers/hashicorp/google/latest/docs)","internal_id":"CKV_K8S_9/693dd8f5c40339c637c76b0c0f303ec5","severity":"moderate","owasp_category":"a6-misconfiguration","category":"ReadinessProbe","details":{"repoContext":{"gitProvider":"","ciProvider":"","repositoryName":"","repositoryUri":"","revisionId":"","branch":"master","invokedBy":"","pullRequest":false,"botUser":false},"name":"Readiness Probe Should be 
Configured.","tags":"Scan","fileName":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml","DATA_TYPE":"OSS_SCAN","lineNumber":19,"ruleId":"CKV_K8S_9","ruleName":"ReadinessProbe","contextText":"19 apiVersion: v1\n","snippetText":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"tags":[]},{"app":null,"type":"extscan","title":"Image should use digest.","description":"Image should use digest.\n\n## Additional information\n\n**[ImageDigest](https://appthreat.com?q=CKV_K8S_43)**\n\n## Documentation\n\n- [AWS Terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)\n- [Azure Terraform](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs)\n- [Google Cloud Terraform](https://registry.terraform.io/providers/hashicorp/google/latest/docs)","internal_id":"CKV_K8S_43/105fc82ff33cf1eb0734e243435fdfc1","severity":"moderate","owasp_category":"a6-misconfiguration","category":"ImageDigest","details":{"repoContext":{"gitProvider":"","ciProvider":"","repositoryName":"","repositoryUri":"","revisionId":"","branch":"master","invokedBy":"","pullRequest":false,"botUser":false},"name":"Image should use digest.","tags":"Scan","fileName":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml","DATA_TYPE":"OSS_SCAN","lineNumber":19,"ruleId":"CKV_K8S_43","ruleName":"ImageDigest","contextText":"19 apiVersion: v1\n","snippetText":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"tags":[]},{"app":null,"type":"extscan","title":"CPU requests should be set.","description":"CPU requests should be set.\n\n## Additional information\n\n**[CPURequests](https://appthreat.com?q=CKV_K8S_10)**\n\n## Documentation\n\n- [AWS Terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)\n- [Azure Terraform](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs)\n- [Google Cloud 
Terraform](https://registry.terraform.io/providers/hashicorp/google/latest/docs)","internal_id":"CKV_K8S_10/c3335d3c053bbddb7a9a183765767af3","severity":"info","owasp_category":"a6-misconfiguration","category":"CPURequests","details":{"repoContext":{"gitProvider":"","ciProvider":"","repositoryName":"","repositoryUri":"","revisionId":"","branch":"master","invokedBy":"","pullRequest":false,"botUser":false},"name":"CPU requests should be set.","tags":"Scan","fileName":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml","DATA_TYPE":"OSS_SCAN","lineNumber":19,"ruleId":"CKV_K8S_10","ruleName":"CPURequests","contextText":"19 apiVersion: v1\n","snippetText":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"tags":[]},{"app":null,"type":"extscan","title":"Liveness Probe Should be Configured.","description":"Liveness Probe Should be Configured.\n\n## Additional information\n\n**[LivenessProbe](https://appthreat.com?q=CKV_K8S_8)**\n\n## Documentation\n\n- [AWS Terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)\n- [Azure Terraform](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs)\n- [Google Cloud Terraform](https://registry.terraform.io/providers/hashicorp/google/latest/docs)","internal_id":"CKV_K8S_8/4bb4abdf7e70abf9ce9912f181ac10f6","severity":"moderate","owasp_category":"a6-misconfiguration","category":"LivenessProbe","details":{"repoContext":{"gitProvider":"","ciProvider":"","repositoryName":"","repositoryUri":"","revisionId":"","branch":"master","invokedBy":"","pullRequest":false,"botUser":false},"name":"Liveness Probe Should be Configured.","tags":"Scan","fileName":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml","DATA_TYPE":"OSS_SCAN","lineNumber":19,"ruleId":"CKV_K8S_8","ruleName":"LivenessProbe","contextText":"19 apiVersion: v1\n","snippetText":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"tags":[]},{"app":null,"type":"extscan","title":"Minimize the admission of containers with capabilities 
assigned.","description":"CIS Benchmark: **5.2.9**\n\nMinimize the admission of containers with capabilities assigned.\n\nContainers run with a default set of capabilities as assigned by the Container Runtime. Capabilities are parts of the rights generally granted on a Linux system to the root user. In many cases applications running in containers do not require any capabilities to operate, so from the perspective of the principle of least privilege the use of capabilities should be minimized.\n\n## Remediation\n\nReview the use of capabilities in applications running on your cluster. Where a namespace contains applications which do not require any Linux capabilities to operate, consider adding a PSP which forbids the admission of containers which do not drop all capabilities. PodSecurityPolicy was removed in Kubernetes 1.25; the equivalent cluster-level control is Pod Security Admission with the `restricted` profile applied to the namespace. In the scanned manifest itself, set `securityContext.capabilities.drop: [ALL]` on each container. A workload that demonstrably needs one capability (for example `NET_BIND_SERVICE` to bind a port below 1024) should add back exactly that one and nothing else, and that exception should be reviewed in the same way as the separate PSP described above.\n\n\n## Additional information\n\n- [Pod Security Policy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities)","internal_id":"CKV_K8S_37/ed7ad496962d588d1815241827c2e78f","severity":"moderate","owasp_category":"a6-misconfiguration","category":"MinimizeCapabilities","details":{"repoContext":{"gitProvider":"","ciProvider":"","repositoryName":"","repositoryUri":"","revisionId":"","branch":"master","invokedBy":"","pullRequest":false,"botUser":false},"name":"Minimize the admission of containers with capabilities assigned.","tags":"Scan","fileName":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml","DATA_TYPE":"OSS_SCAN","lineNumber":19,"ruleId":"CKV_K8S_37","ruleName":"MinimizeCapabilities","contextText":"19 apiVersion: v1\n","snippetText":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"tags":[{"key":"cis_category","value":"5.2.9","shiftleft_managed":false}]},{"app":null,"type":"extscan","title":"Ensure that the seccomp profile is set to docker/default or runtime/default.","description":"CIS Benchmark: **5.7.2**\n\nEnsure that the seccomp profile is set to docker/default or runtime/default in your pod definitions.\n\nSeccomp (secure computing mode) is used to restrict the set of 
system calls applications can make, allowing cluster administrators greater control over the security of workloads running in the cluster. Kubernetes leaves pods unconfined (no seccomp profile) by default for historical reasons, unless the kubelet is configured with `seccompDefault: true`. You should set a profile explicitly to ensure that the workloads have restricted actions available within the container.\n\n## Remediation\n\nSeccomp was an alpha feature in early Kubernetes releases, which is where the old advice to pass `--feature-gates=AllAlpha=true` to the API server came from. Do not do that on a current cluster: it switches on every alpha feature, not just seccomp. Since Kubernetes 1.19 seccomp is GA and is configured with the `seccompProfile` field of the pod or container `securityContext`; the `seccomp.security.alpha.kubernetes.io/pod` annotation was deprecated at the same time and removed in 1.27. Set the type to `RuntimeDefault` (the container runtime's default profile, which is what `docker/default` and `runtime/default` referred to in annotation form) unless a workload needs a custom `Localhost` profile. An example is as below:\n```yaml\napiVersion: v1\nkind: Pod\nmetadata:\n  name: trustworthy-pod\nspec:\n  securityContext:\n    seccompProfile:\n      type: RuntimeDefault\n  containers:\n    - name: trustworthy-container\n      image: sotrustworthy:latest\n      securityContext:\n        seccompProfile:\n          type: RuntimeDefault\n```\n\nOn clusters or scanner versions that only understand the legacy form, the equivalent is the annotation `seccomp.security.alpha.kubernetes.io/pod: runtime/default` under `metadata.annotations`, but it will be ignored on Kubernetes 1.27 and later.\n","internal_id":"CKV_K8S_31/ff2e497d56d2d8d9caec9c79c43de319","severity":"moderate","owasp_category":"a6-misconfiguration","category":"Seccomp","details":{"repoContext":{"gitProvider":"","ciProvider":"","repositoryName":"","repositoryUri":"","revisionId":"","branch":"master","invokedBy":"","pullRequest":false,"botUser":false},"name":"Ensure that the seccomp profile is set to docker/default or runtime/default.","tags":"Scan","fileName":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml","DATA_TYPE":"OSS_SCAN","lineNumber":19,"ruleId":"CKV_K8S_31","ruleName":"Seccomp","contextText":"19 apiVersion: v1\n","snippetText":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"tags":[{"key":"cis_category","value":"5.7.2","shiftleft_managed":false}]},{"app":null,"type":"extscan","title":"The 
default namespace should not be used.","description":"CIS Benchmark: **5.7.4**\n\nKubernetes provides a default namespace, where objects are placed if no namespace is specified for them. Placing objects in this namespace makes application of RBAC and other controls more difficult.\n\nResources in a Kubernetes cluster should be segregated by namespace, to allow for security controls to be applied at that level and to make it easier to manage resources.\n\n## Remediation\n\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace. If possible, consider adopting new techniques such as `hierarchical namespaces`.\n\n\n## Additional information\n\n- [Multi-tenancy SIG](https://github.com/kubernetes-sigs/multi-tenancy/blob/master/incubator/hnc/docs/user-guide/concepts.md#basic)","internal_id":"CKV_K8S_21/d9df539446d1ed1efbf115b57b8d3315","severity":"critical","owasp_category":"a6-misconfiguration","category":"DefaultNamespace","details":{"repoContext":{"gitProvider":"","ciProvider":"","repositoryName":"","repositoryUri":"","revisionId":"","branch":"master","invokedBy":"","pullRequest":false,"botUser":false},"name":"The default namespace should not be used.","tags":"Scan","fileName":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml","DATA_TYPE":"OSS_SCAN","lineNumber":19,"ruleId":"CKV_K8S_21","ruleName":"DefaultNamespace","contextText":"19 apiVersion: v1\n","snippetText":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"tags":[{"key":"cis_category","value":"5.7.4","shiftleft_managed":false},{"key":"cis_status","value":"SCORED","shiftleft_managed":false}]},{"app":null,"type":"extscan","title":"CPU limits should be set.","description":"CPU limits should be set.\n\n## Additional information\n\n**[CPULimits](https://appthreat.com?q=CKV_K8S_11)**\n\n## Documentation\n\n- [AWS Terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)\n- [Azure 
Terraform](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs)\n- [Google Cloud Terraform](https://registry.terraform.io/providers/hashicorp/google/latest/docs)","internal_id":"CKV_K8S_11/9093db3818241367b415e187715f94b1","severity":"info","owasp_category":"a6-misconfiguration","category":"CPULimits","details":{"repoContext":{"gitProvider":"","ciProvider":"","repositoryName":"","repositoryUri":"","revisionId":"","branch":"master","invokedBy":"","pullRequest":false,"botUser":false},"name":"CPU limits should be set.","tags":"Scan","fileName":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml","DATA_TYPE":"OSS_SCAN","lineNumber":19,"ruleId":"CKV_K8S_11","ruleName":"CPULimits","contextText":"19 apiVersion: v1\n","snippetText":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"tags":[]},{"app":null,"type":"extscan","title":"Ensure that Service Account Tokens are only mounted where necessary.","description":"CIS Benchmark: **5.1.6**\n\nEnsure that Service Account Tokens are only mounted where necessary.\n\nMounting service account tokens inside pods can provide an avenue for privilege escalation attacks where an attacker is able to compromise a single pod in the cluster. 
Not mounting these tokens removes this attack avenue.\n\n## Remediation\n\nModify the definition of pods and service accounts which do not need to mount service account tokens to disable it: set `automountServiceAccountToken: false` in the pod spec, or on the ServiceAccount so that every pod using it inherits the setting. A pod that genuinely needs to call the API server should instead use a dedicated ServiceAccount bound to the narrowest RBAC role it requires, rather than the namespace's `default` account.\n","internal_id":"CKV_K8S_38/773fa9c844ec1363c96e2b70817e6e60","severity":"moderate","owasp_category":"a6-misconfiguration","category":"ServiceAccountTokens","details":{"repoContext":{"gitProvider":"","ciProvider":"","repositoryName":"","repositoryUri":"","revisionId":"","branch":"master","invokedBy":"","pullRequest":false,"botUser":false},"name":"Ensure that Service Account Tokens are only mounted where necessary.","tags":"Scan","fileName":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml","DATA_TYPE":"OSS_SCAN","lineNumber":19,"ruleId":"CKV_K8S_38","ruleName":"ServiceAccountTokens","contextText":"19 apiVersion: v1\n","snippetText":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"tags":[{"key":"cis_category","value":"5.1.6","shiftleft_managed":false}]},{"app":null,"type":"extscan","title":"Memory requests should be set.","description":"Memory requests should be set.\n\n## Additional information\n\n**[MemoryRequests](https://appthreat.com?q=CKV_K8S_12)**\n\n## Documentation\n\n- [AWS Terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)\n- [Azure Terraform](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs)\n- [Google Cloud Terraform](https://registry.terraform.io/providers/hashicorp/google/latest/docs)","internal_id":"CKV_K8S_12/cc708487aef378fa680150912f9223dd","severity":"info","owasp_category":"a6-misconfiguration","category":"MemoryRequests","details":{"repoContext":{"gitProvider":"","ciProvider":"","repositoryName":"","repositoryUri":"","revisionId":"","branch":"master","invokedBy":"","pullRequest":false,"botUser":false},"name":"Memory requests should be 
set.","tags":"Scan","fileName":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml","DATA_TYPE":"OSS_SCAN","lineNumber":19,"ruleId":"CKV_K8S_12","ruleName":"MemoryRequests","contextText":"19 apiVersion: v1\n","snippetText":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"tags":[]},{"app":null,"type":"extscan","title":"Memory limits should be set.","description":"Memory limits should be set.\n\n## Additional information\n\n**[MemoryLimits](https://appthreat.com?q=CKV_K8S_13)**\n\n## Documentation\n\n- [AWS Terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)\n- [Azure Terraform](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs)\n- [Google Cloud Terraform](https://registry.terraform.io/providers/hashicorp/google/latest/docs)","internal_id":"CKV_K8S_13/09b6f86276b46925d3c2ace530595aa7","severity":"info","owasp_category":"a6-misconfiguration","category":"MemoryLimits","details":{"repoContext":{"gitProvider":"","ciProvider":"","repositoryName":"","repositoryUri":"","revisionId":"","branch":"master","invokedBy":"","pullRequest":false,"botUser":false},"name":"Memory limits should be set.","tags":"Scan","fileName":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml","DATA_TYPE":"OSS_SCAN","lineNumber":19,"ruleId":"CKV_K8S_13","ruleName":"MemoryLimits","contextText":"19 apiVersion: v1\n","snippetText":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"tags":[]},{"app":null,"type":"extscan","title":"Containers should not run with allowPrivilegeEscalation.","description":"CIS Benchmark: **5.2.5**\n\nMinimize the admission of containers with allowPrivilegeEscalation.\n\nA container running with the allowPrivilegeEscalation flag set to true may have processes that can gain more privileges than their parent. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to allow privilege escalation. The option exists (and is defaulted to true) to permit setuid binaries to run. 
If you need to run containers which use setuid binaries or require privilege escalation, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Remediation\n\nCreate a PodSecurityPolicy (PSP) as described in the Kubernetes documentation, ensuring that the `.spec.allowPrivilegeEscalation` field is set to `false`.\n```yaml\napiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n  name: example\nspec:\n  privileged: false # Don't allow privileged pods!\n  # Required to prevent escalations to root.\n  allowPrivilegeEscalation: false\n  ...\n```\n\nPodSecurityPolicy was removed in Kubernetes 1.25; Pod Security Admission with the `restricted` profile, or a policy admission controller, is the cluster-level replacement. In the scanned manifest, set `securityContext.allowPrivilegeEscalation: false` on every container. This sets the `no_new_privs` flag on the container process, so setuid/setgid binaries and file capabilities cannot raise privileges on exec. The field is treated as true when left unset and is forced to true for privileged containers or containers that add `CAP_SYS_ADMIN`, so state it explicitly.\n\n\n## Additional information\n\n- [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n- [Privilege Escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation)","internal_id":"CKV_K8S_20/f8fac23612107dc2494067cd0951d92b","severity":"critical","owasp_category":"a6-misconfiguration","category":"AllowPrivilegeEscalation","details":{"repoContext":{"gitProvider":"","ciProvider":"","repositoryName":"","repositoryUri":"","revisionId":"","branch":"master","invokedBy":"","pullRequest":false,"botUser":false},"name":"Containers should not run with allowPrivilegeEscalation.","tags":"Scan","fileName":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml","DATA_TYPE":"OSS_SCAN","lineNumber":19,"ruleId":"CKV_K8S_20","ruleName":"AllowPrivilegeEscalation","contextText":"19 apiVersion: v1\n","snippetText":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"tags":[{"key":"cis_category","value":"5.2.5","shiftleft_managed":false},{"key":"cis_status","value":"SCORED","shiftleft_managed":false}]},{"app":null,"type":"extscan","title":"Minimize the admission of root containers.","description":"CIS Benchmark: **5.2.6**\n\nMinimize the admission of root containers.\n\nContainers may run as any Linux user. 
Containers which run as the root user, whilst constrained by container runtime security features, still have an elevated likelihood of container breakout. Ideally, all containers should run as a defined non-UID 0 user. There should be at least one PodSecurityPolicy (PSP) defined which does not permit root users in a container. If you need to run root containers, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Remediation\n\nCreate a PodSecurityPolicy (PSP) as described in the Kubernetes documentation, ensuring that the `.spec.runAsUser.rule` is set to either `MustRunAsNonRoot` or `MustRunAs` with the range of UIDs not including `0`.\n```yaml\napiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n  name: example\nspec:\n  privileged: false # Don't allow privileged pods!\n  # Required to prevent escalations to root.\n  allowPrivilegeEscalation: false\n  runAsUser:\n    # Require the container to run without root privileges.\n    rule: 'MustRunAsNonRoot'\n  ...\n```\n\nPodSecurityPolicy was removed in Kubernetes 1.25; Pod Security Admission with the `restricted` profile enforces `runAsNonRoot` for every pod in a namespace. In the scanned manifest, set `securityContext.runAsNonRoot: true` and, preferably, an explicit non-zero `runAsUser`. With `runAsNonRoot: true` the kubelet refuses to start the container if the effective user would be UID 0, and also if the image's `USER` is a name rather than a numeric UID, because it cannot verify a name at that point; build images with a numeric `USER` or set `runAsUser` in the manifest.\n\n\n## Additional information\n\n- [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n- [Privilege Escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation)","internal_id":"CKV_K8S_23/1f106d66003f14960b0e96b1d03d77f0","severity":"moderate","owasp_category":"a6-misconfiguration","category":"RootContainers","details":{"repoContext":{"gitProvider":"","ciProvider":"","repositoryName":"","repositoryUri":"","revisionId":"","branch":"master","invokedBy":"","pullRequest":false,"botUser":false},"name":"Minimize the admission of root containers.","tags":"Scan","fileName":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml","DATA_TYPE":"OSS_SCAN","lineNumber":19,"ruleId":"CKV_K8S_23","ruleName":"RootContainers","contextText":"19 apiVersion: v1\n","snippetText":"19 apiVersion: v1\nkind: 
Pod\nmetadata:\n"},"tags":[{"key":"cis_category","value":"5.2.6","shiftleft_managed":false}]},{"app":null,"type":"extscan","title":"Apply security context to your pods and containers.","description":"CIS Benchmark: **5.7.3**\n\nApply Security Context to Your Pods and Containers.\n\nA security context defines the operating system security settings (uid, gid, capabilities, SELinux role, etc..) applied to a container. When designing your containers and pods, make sure that you configure the security context for your pods, containers, and volumes. A security context is a property defined in the deployment yaml. It controls the security parameters that will be assigned to the pod/container/volume. There are two levels of security context: pod level security context, and container level security context.\n\n## Remediation\n\nFollow the Kubernetes documentation and apply security contexts to your pods. For a suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker Containers.\n\n\n## Additional information\n\n- [CIS Docker Benchmark](https://www.cisecurity.org/benchmark/docker/)\n- [Docker Benchmark Scripts](https://github.com/docker/docker-bench-security)","internal_id":"CKV_K8S_30/db45ee39caa16b8b904679fdc9900ab7","severity":"moderate","owasp_category":"a6-misconfiguration","category":"ContainerSecurityContext","details":{"repoContext":{"gitProvider":"","ciProvider":"","repositoryName":"","repositoryUri":"","revisionId":"","branch":"master","invokedBy":"","pullRequest":false,"botUser":false},"name":"Apply security context to your pods and containers.","tags":"Scan","fileName":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml","DATA_TYPE":"OSS_SCAN","lineNumber":19,"ruleId":"CKV_K8S_30","ruleName":"ContainerSecurityContext","contextText":"19 apiVersion: v1\n","snippetText":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"tags":[{"key":"cis_category","value":"5.7.3","shiftleft_managed":false}]}]}
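Every finding above is raised against the same `resources/pod.yaml`, and each remediation text describes one field in isolation. The manifest below, added here as an example and not taken from the scanned project, shows all of those fields together in one pod, plus a Namespace carrying the Pod Security Admission labels that replace the PodSecurityPolicy objects the older remediation text refers to. The pod and namespace names, the registry, the image digest (64 zeros as a placeholder), the port, the probe paths and the resource values are assumptions and must be replaced with the real ones; the rule IDs in the comments map each field to the finding it clears.

```yaml
# Added example, not the scanned project's pod.yaml. Names, namespace, registry,
# digest, port, probe paths and resource values are placeholders (assumptions).
apiVersion: v1
kind: Namespace
metadata:
  name: ricxapp                                   # CKV_K8S_21: anything but "default"
  labels:
    # Pod Security Admission replaces the PodSecurityPolicy objects cited in the
    # remediation text above (PSP was removed in Kubernetes 1.25).
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: v1
kind: Pod
metadata:
  name: hw-python
  namespace: ricxapp
spec:
  automountServiceAccountToken: false             # CKV_K8S_38: no API token unless needed
  securityContext:                                # CKV_K8S_29: pod-level context
    runAsNonRoot: true                            # CKV_K8S_23
    runAsUser: 10001                              # CKV_K8S_40: high UID, no host-user overlap
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault                        # CKV_K8S_31: runtime/default profile
  containers:
    - name: hw-python
      # CKV_K8S_43: pin by digest, not by tag. Placeholder digest; substitute the
      # real one (for example from `crane digest <image:tag>`).
      image: registry.example.com/ric-app-hw-python@sha256:0000000000000000000000000000000000000000000000000000000000000000
      imagePullPolicy: Always                     # CKV_K8S_15
      ports:
        - name: http
          containerPort: 8080                     # assumed port
      securityContext:                            # CKV_K8S_30: container-level context
        allowPrivilegeEscalation: false           # CKV_K8S_20: sets no_new_privs
        readOnlyRootFilesystem: true              # CKV_K8S_22
        runAsNonRoot: true
        runAsUser: 10001
        capabilities:
          drop: ["ALL"]                           # CKV_K8S_28 (NET_RAW) and CKV_K8S_37
        seccompProfile:
          type: RuntimeDefault
      resources:
        requests:
          cpu: 100m                               # CKV_K8S_10
          memory: 128Mi                           # CKV_K8S_12
        limits:
          cpu: 500m                               # CKV_K8S_11
          memory: 256Mi                           # CKV_K8S_13
      livenessProbe:                              # CKV_K8S_8
        httpGet:
          path: /healthz                          # assumed endpoint
          port: http
        initialDelaySeconds: 10
        periodSeconds: 15
      readinessProbe:                             # CKV_K8S_9
        httpGet:
          path: /ready                            # assumed endpoint
          port: http
        periodSeconds: 5
      volumeMounts:
        - name: tmp                               # writable scratch space, because the
          mountPath: /tmp                         # root filesystem is read-only
  volumes:
    - name: tmp
      emptyDir: {}
```

Two of these settings commonly break a workload on first deployment and are worth checking before the scan is re-run. `readOnlyRootFilesystem: true` turns every write outside a mounted volume into an error, so any directory the process writes to (here only `/tmp`) needs an `emptyDir` mount like the one shown. `runAsNonRoot: true` is rejected by the kubelet if the image declares its `USER` by name rather than numeric UID; setting `runAsUser` in the manifest, as above, avoids that. The `restricted` PSA profile on the namespace enforces the same non-root, no-privilege-escalation, drop-`ALL` and seccomp requirements at admission time, so a pod that regresses on them is refused rather than merely flagged. Re-running the scanner on the file (`checkov -f pod.yaml --framework kubernetes`) should then report the listed checks as passed; a checkov release that predates the `seccompProfile` field only recognises the legacy `seccomp.security.alpha.kubernetes.io/pod` annotation for CKV_K8S_31, in which case upgrading the scanner is preferable to adding an annotation that Kubernetes 1.27 and later ignore.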
{"tool":{"driver":{"name":"Security Audit for Infrastructure","rules":[{"id":"CKV_K8S_29","help":{"text":"Apply security context to your pods and containers.","markdown":"Apply security context to your pods and containers."},"name":"PodSecurityContext","properties":{"tags":["Scan"],"precision":"high"},"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Apply security context to your pods and containers."},"helpUri":"https://appthreat.com?q=CKV_K8S_29","shortDescription":{"text":"Apply security context to your pods and containers."}},{"id":"CKV_K8S_22","help":{"text":"Use read-only filesystem for containers where possible.","markdown":"Use read-only filesystem for containers where possible."},"name":"ReadOnlyFilesystem","properties":{"tags":["Scan"],"precision":"high"},"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Use read-only filesystem for containers where possible."},"helpUri":"https://appthreat.com?q=CKV_K8S_22","shortDescription":{"text":"Use read-only filesystem for containers where possible."}},{"id":"CKV_K8S_40","help":{"text":"Containers should run as a high UID to avoid host conflict.","markdown":"Containers should run as a high UID to avoid host conflict."},"name":"RootContainersHighUID","properties":{"tags":["Scan"],"precision":"high"},"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Containers should run as a high UID to avoid host conflict."},"helpUri":"https://appthreat.com?q=CKV_K8S_40","shortDescription":{"text":"Containers should run as a high UID to avoid host conflict."}},{"id":"CKV_K8S_28","help":{"text":"Minimize the admission of containers with the NET_RAW capability.","markdown":"Minimize the admission of containers with the NET_RAW capability."},"name":"DropCapabilities","properties":{"tags":["Scan"],"precision":"high"},"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Minimize the admission of containers with the NET_RAW 
capability."},"helpUri":"https://appthreat.com?q=CKV_K8S_28","shortDescription":{"text":"Minimize the admission of containers with the NET_RAW capability."}},{"id":"CKV_K8S_15","help":{"text":"Image Pull Policy should be Always.","markdown":"Image Pull Policy should be Always."},"name":"ImagePullPolicyAlways","properties":{"tags":["Scan"],"precision":"high"},"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Image Pull Policy should be Always."},"helpUri":"https://appthreat.com?q=CKV_K8S_15","shortDescription":{"text":"Image Pull Policy should be Always."}},{"id":"CKV_K8S_9","help":{"text":"Readiness Probe Should be Configured.","markdown":"Readiness Probe Should be Configured."},"name":"ReadinessProbe","properties":{"tags":["Scan"],"precision":"high"},"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Readiness Probe Should be Configured."},"helpUri":"https://appthreat.com?q=CKV_K8S_9","shortDescription":{"text":"Readiness Probe Should be Configured."}},{"id":"CKV_K8S_43","help":{"text":"Image should use digest.","markdown":"Image should use digest."},"name":"ImageDigest","properties":{"tags":["Scan"],"precision":"high"},"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Image should use digest."},"helpUri":"https://appthreat.com?q=CKV_K8S_43","shortDescription":{"text":"Image should use digest."}},{"id":"CKV_K8S_10","help":{"text":"CPU requests should be set.","markdown":"CPU requests should be set."},"name":"CPURequests","properties":{"tags":["Scan"],"precision":"high"},"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"CPU requests should be set."},"helpUri":"https://appthreat.com?q=CKV_K8S_10","shortDescription":{"text":"CPU requests should be set."}},{"id":"CKV_K8S_8","help":{"text":"Liveness Probe Should be Configured.","markdown":"Liveness Probe Should be 
Configured."},"name":"LivenessProbe","properties":{"tags":["Scan"],"precision":"high"},"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Liveness Probe Should be Configured."},"helpUri":"https://appthreat.com?q=CKV_K8S_8","shortDescription":{"text":"Liveness Probe Should be Configured."}},{"id":"CKV_K8S_37","help":{"text":"Minimize the admission of containers with capabilities assigned.","markdown":"Minimize the admission of containers with capabilities assigned."},"name":"MinimizeCapabilities","properties":{"tags":["Scan"],"precision":"high"},"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Minimize the admission of containers with capabilities assigned."},"helpUri":"https://appthreat.com?q=CKV_K8S_37","shortDescription":{"text":"Minimize the admission of containers with capabilities assigned."}},{"id":"CKV_K8S_31","help":{"text":"Ensure that the seccomp profile is set to docker/default or runtime/default.","markdown":"Ensure that the seccomp profile is set to docker/default or runtime/default."},"name":"Seccomp","properties":{"tags":["Scan"],"precision":"high"},"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Ensure that the seccomp profile is set to docker/default or runtime/default."},"helpUri":"https://appthreat.com?q=CKV_K8S_31","shortDescription":{"text":"Ensure that the seccomp profile is set to docker/default or runtime/default."}},{"id":"CKV_K8S_21","help":{"text":"The default namespace should not be used.","markdown":"The default namespace should not be used."},"name":"DefaultNamespace","properties":{"tags":["Scan"],"precision":"high"},"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The default namespace should not be used."},"helpUri":"https://appthreat.com?q=CKV_K8S_21","shortDescription":{"text":"The default namespace should not be used."}},{"id":"CKV_K8S_11","help":{"text":"CPU limits should be set.","markdown":"CPU limits should be 
set."},"name":"CPULimits","properties":{"tags":["Scan"],"precision":"high"},"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"CPU limits should be set."},"helpUri":"https://appthreat.com?q=CKV_K8S_11","shortDescription":{"text":"CPU limits should be set."}},{"id":"CKV_K8S_38","help":{"text":"Ensure that Service Account Tokens are only mounted where necessary.","markdown":"Ensure that Service Account Tokens are only mounted where necessary."},"name":"ServiceAccountTokens","properties":{"tags":["Scan"],"precision":"high"},"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Ensure that Service Account Tokens are only mounted where necessary."},"helpUri":"https://appthreat.com?q=CKV_K8S_38","shortDescription":{"text":"Ensure that Service Account Tokens are only mounted where necessary."}},{"id":"CKV_K8S_12","help":{"text":"Memory requests should be set.","markdown":"Memory requests should be set."},"name":"MemoryRequests","properties":{"tags":["Scan"],"precision":"high"},"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Memory requests should be set."},"helpUri":"https://appthreat.com?q=CKV_K8S_12","shortDescription":{"text":"Memory requests should be set."}},{"id":"CKV_K8S_13","help":{"text":"Memory limits should be set.","markdown":"Memory limits should be set."},"name":"MemoryLimits","properties":{"tags":["Scan"],"precision":"high"},"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Memory limits should be set."},"helpUri":"https://appthreat.com?q=CKV_K8S_13","shortDescription":{"text":"Memory limits should be set."}},{"id":"CKV_K8S_20","help":{"text":"Containers should not run with allowPrivilegeEscalation.","markdown":"Containers should not run with allowPrivilegeEscalation."},"name":"AllowPrivilegeEscalation","properties":{"tags":["Scan"],"precision":"high"},"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Containers should not run with 
allowPrivilegeEscalation."},"helpUri":"https://appthreat.com?q=CKV_K8S_20","shortDescription":{"text":"Containers should not run with allowPrivilegeEscalation."}},{"id":"CKV_K8S_23","help":{"text":"Minimize the admission of root containers.","markdown":"Minimize the admission of root containers."},"name":"RootContainers","properties":{"tags":["Scan"],"precision":"high"},"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Minimize the admission of root containers."},"helpUri":"https://appthreat.com?q=CKV_K8S_23","shortDescription":{"text":"Minimize the admission of root containers."}},{"id":"CKV_K8S_30","help":{"text":"Apply security context to your pods and containers.","markdown":"Apply security context to your pods and containers."},"name":"ContainerSecurityContext","properties":{"tags":["Scan"],"precision":"high"},"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Apply security context to your pods and containers."},"helpUri":"https://appthreat.com?q=CKV_K8S_30","shortDescription":{"text":"Apply security context to your pods and containers."}}],"version":"1.0.0-scan","fullName":"Security Audit for Infrastructure"}},"conversion":{"tool":{"driver":{"name":"@ShiftLeft/sast-scan"}},"invocation":{"arguments":["-s","--framework","kubernetes","--quiet","--skip-download","-o","json","-d","/app"],"executionSuccessful":true,"commandLine":"-s --framework kubernetes --quiet --skip-download -o json -d /app","endTimeUtc":"2023-08-28T05:56:18Z","workingDirectory":{"uri":"file:///home/oran/Documents/ric-app-hw-python"}}},"invocations":[{"executionSuccessful":true,"endTimeUtc":"2023-08-28T05:56:18Z","workingDirectory":{"uri":"file:///home/oran/Documents/ric-app-hw-python"}}],"properties":{"metrics":{"total":19,"critical":2,"high":13,"medium":0,"low":4}},"results":[{"message":{"markdown":"","text":"Apply security context to your pods and containers."},"level":"error","locations":[{"physicalLocation":{"region":{"snippet":{"text":"19 apiVersion: 
v1\n"},"startLine":19},"artifactLocation":{"uri":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml"},"contextRegion":{"snippet":{"text":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"endLine":21,"startLine":19}}}],"properties":{"issue_confidence":"HIGH","issue_severity":"HIGH","issue_tags":{}},"baselineState":"new","partialFingerprints":{"scanPrimaryLocationHash":"b0bd4a6a902e74cb","scanFileHash":"9710d25bf881cc8a"},"ruleId":"CKV_K8S_29","ruleIndex":0},{"message":{"markdown":"","text":"Use read-only filesystem for containers where possible."},"level":"error","locations":[{"physicalLocation":{"region":{"snippet":{"text":"19 apiVersion: v1\n"},"startLine":19},"artifactLocation":{"uri":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml"},"contextRegion":{"snippet":{"text":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"endLine":21,"startLine":19}}}],"properties":{"issue_confidence":"HIGH","issue_severity":"HIGH","issue_tags":{}},"baselineState":"new","partialFingerprints":{"scanPrimaryLocationHash":"b0bd4a6a902e74cb","scanFileHash":"9710d25bf881cc8a"},"ruleId":"CKV_K8S_22","ruleIndex":1},{"message":{"markdown":"","text":"Containers should run as a high UID to avoid host conflict."},"level":"error","locations":[{"physicalLocation":{"region":{"snippet":{"text":"19 apiVersion: v1\n"},"startLine":19},"artifactLocation":{"uri":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml"},"contextRegion":{"snippet":{"text":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"endLine":21,"startLine":19}}}],"properties":{"issue_confidence":"HIGH","issue_severity":"HIGH","issue_tags":{}},"baselineState":"new","partialFingerprints":{"scanPrimaryLocationHash":"b0bd4a6a902e74cb","scanFileHash":"9710d25bf881cc8a"},"ruleId":"CKV_K8S_40","ruleIndex":2},{"message":{"markdown":"","text":"Minimize the admission of containers with the NET_RAW capability."},"level":"error","locations":[{"physicalLocation":{"region":{"snippet":{"text":"19 apiVersion: 
v1\n"},"startLine":19},"artifactLocation":{"uri":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml"},"contextRegion":{"snippet":{"text":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"endLine":21,"startLine":19}}}],"properties":{"issue_confidence":"HIGH","issue_severity":"HIGH","issue_tags":{}},"baselineState":"new","partialFingerprints":{"scanPrimaryLocationHash":"b0bd4a6a902e74cb","scanFileHash":"9710d25bf881cc8a"},"ruleId":"CKV_K8S_28","ruleIndex":3},{"message":{"markdown":"","text":"Image Pull Policy should be Always."},"level":"error","locations":[{"physicalLocation":{"region":{"snippet":{"text":"19 apiVersion: v1\n"},"startLine":19},"artifactLocation":{"uri":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml"},"contextRegion":{"snippet":{"text":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"endLine":21,"startLine":19}}}],"properties":{"issue_confidence":"HIGH","issue_severity":"HIGH","issue_tags":{}},"baselineState":"new","partialFingerprints":{"scanPrimaryLocationHash":"b0bd4a6a902e74cb","scanFileHash":"9710d25bf881cc8a"},"ruleId":"CKV_K8S_15","ruleIndex":4},{"message":{"markdown":"","text":"Readiness Probe Should be Configured."},"level":"error","locations":[{"physicalLocation":{"region":{"snippet":{"text":"19 apiVersion: v1\n"},"startLine":19},"artifactLocation":{"uri":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml"},"contextRegion":{"snippet":{"text":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"endLine":21,"startLine":19}}}],"properties":{"issue_confidence":"HIGH","issue_severity":"HIGH","issue_tags":{}},"baselineState":"new","partialFingerprints":{"scanPrimaryLocationHash":"b0bd4a6a902e74cb","scanFileHash":"9710d25bf881cc8a"},"ruleId":"CKV_K8S_9","ruleIndex":5},{"message":{"markdown":"","text":"Image should use digest."},"level":"error","locations":[{"physicalLocation":{"region":{"snippet":{"text":"19 apiVersion: 
v1\n"},"startLine":19},"artifactLocation":{"uri":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml"},"contextRegion":{"snippet":{"text":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"endLine":21,"startLine":19}}}],"properties":{"issue_confidence":"HIGH","issue_severity":"HIGH","issue_tags":{}},"baselineState":"new","partialFingerprints":{"scanPrimaryLocationHash":"b0bd4a6a902e74cb","scanFileHash":"9710d25bf881cc8a"},"ruleId":"CKV_K8S_43","ruleIndex":6},{"message":{"markdown":"","text":"CPU requests should be set."},"level":"note","locations":[{"physicalLocation":{"region":{"snippet":{"text":"19 apiVersion: v1\n"},"startLine":19},"artifactLocation":{"uri":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml"},"contextRegion":{"snippet":{"text":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"endLine":21,"startLine":19}}}],"properties":{"issue_confidence":"HIGH","issue_severity":"LOW","issue_tags":{}},"baselineState":"new","partialFingerprints":{"scanPrimaryLocationHash":"b0bd4a6a902e74cb","scanFileHash":"9710d25bf881cc8a"},"ruleId":"CKV_K8S_10","ruleIndex":7},{"message":{"markdown":"","text":"Liveness Probe Should be Configured."},"level":"error","locations":[{"physicalLocation":{"region":{"snippet":{"text":"19 apiVersion: v1\n"},"startLine":19},"artifactLocation":{"uri":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml"},"contextRegion":{"snippet":{"text":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"endLine":21,"startLine":19}}}],"properties":{"issue_confidence":"HIGH","issue_severity":"HIGH","issue_tags":{}},"baselineState":"new","partialFingerprints":{"scanPrimaryLocationHash":"b0bd4a6a902e74cb","scanFileHash":"9710d25bf881cc8a"},"ruleId":"CKV_K8S_8","ruleIndex":8},{"message":{"markdown":"","text":"Minimize the admission of containers with capabilities assigned."},"level":"error","locations":[{"physicalLocation":{"region":{"snippet":{"text":"19 apiVersion: 
v1\n"},"startLine":19},"artifactLocation":{"uri":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml"},"contextRegion":{"snippet":{"text":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"endLine":21,"startLine":19}}}],"properties":{"issue_confidence":"HIGH","issue_severity":"HIGH","issue_tags":{}},"baselineState":"new","partialFingerprints":{"scanPrimaryLocationHash":"b0bd4a6a902e74cb","scanFileHash":"9710d25bf881cc8a"},"ruleId":"CKV_K8S_37","ruleIndex":9},{"message":{"markdown":"","text":"Ensure that the seccomp profile is set to docker/default or runtime/default."},"level":"error","locations":[{"physicalLocation":{"region":{"snippet":{"text":"19 apiVersion: v1\n"},"startLine":19},"artifactLocation":{"uri":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml"},"contextRegion":{"snippet":{"text":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"endLine":21,"startLine":19}}}],"properties":{"issue_confidence":"HIGH","issue_severity":"HIGH","issue_tags":{}},"baselineState":"new","partialFingerprints":{"scanPrimaryLocationHash":"b0bd4a6a902e74cb","scanFileHash":"9710d25bf881cc8a"},"ruleId":"CKV_K8S_31","ruleIndex":10},{"message":{"markdown":"","text":"The default namespace should not be used."},"level":"error","locations":[{"physicalLocation":{"region":{"snippet":{"text":"19 apiVersion: v1\n"},"startLine":19},"artifactLocation":{"uri":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml"},"contextRegion":{"snippet":{"text":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"endLine":21,"startLine":19}}}],"properties":{"issue_confidence":"HIGH","issue_severity":"CRITICAL","issue_tags":{}},"baselineState":"new","partialFingerprints":{"scanPrimaryLocationHash":"b0bd4a6a902e74cb","scanFileHash":"9710d25bf881cc8a"},"ruleId":"CKV_K8S_21","ruleIndex":11},{"message":{"markdown":"","text":"CPU limits should be set."},"level":"note","locations":[{"physicalLocation":{"region":{"snippet":{"text":"19 apiVersion: 
v1\n"},"startLine":19},"artifactLocation":{"uri":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml"},"contextRegion":{"snippet":{"text":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"endLine":21,"startLine":19}}}],"properties":{"issue_confidence":"HIGH","issue_severity":"LOW","issue_tags":{}},"baselineState":"new","partialFingerprints":{"scanPrimaryLocationHash":"b0bd4a6a902e74cb","scanFileHash":"9710d25bf881cc8a"},"ruleId":"CKV_K8S_11","ruleIndex":12},{"message":{"markdown":"","text":"Ensure that Service Account Tokens are only mounted where necessary."},"level":"error","locations":[{"physicalLocation":{"region":{"snippet":{"text":"19 apiVersion: v1\n"},"startLine":19},"artifactLocation":{"uri":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml"},"contextRegion":{"snippet":{"text":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"endLine":21,"startLine":19}}}],"properties":{"issue_confidence":"HIGH","issue_severity":"HIGH","issue_tags":{}},"baselineState":"new","partialFingerprints":{"scanPrimaryLocationHash":"b0bd4a6a902e74cb","scanFileHash":"9710d25bf881cc8a"},"ruleId":"CKV_K8S_38","ruleIndex":13},{"message":{"markdown":"","text":"Memory requests should be set."},"level":"note","locations":[{"physicalLocation":{"region":{"snippet":{"text":"19 apiVersion: v1\n"},"startLine":19},"artifactLocation":{"uri":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml"},"contextRegion":{"snippet":{"text":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"endLine":21,"startLine":19}}}],"properties":{"issue_confidence":"HIGH","issue_severity":"LOW","issue_tags":{}},"baselineState":"new","partialFingerprints":{"scanPrimaryLocationHash":"b0bd4a6a902e74cb","scanFileHash":"9710d25bf881cc8a"},"ruleId":"CKV_K8S_12","ruleIndex":14},{"message":{"markdown":"","text":"Memory limits should be set."},"level":"note","locations":[{"physicalLocation":{"region":{"snippet":{"text":"19 apiVersion: 
v1\n"},"startLine":19},"artifactLocation":{"uri":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml"},"contextRegion":{"snippet":{"text":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"endLine":21,"startLine":19}}}],"properties":{"issue_confidence":"HIGH","issue_severity":"LOW","issue_tags":{}},"baselineState":"new","partialFingerprints":{"scanPrimaryLocationHash":"b0bd4a6a902e74cb","scanFileHash":"9710d25bf881cc8a"},"ruleId":"CKV_K8S_13","ruleIndex":15},{"message":{"markdown":"","text":"Containers should not run with allowPrivilegeEscalation."},"level":"error","locations":[{"physicalLocation":{"region":{"snippet":{"text":"19 apiVersion: v1\n"},"startLine":19},"artifactLocation":{"uri":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml"},"contextRegion":{"snippet":{"text":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"endLine":21,"startLine":19}}}],"properties":{"issue_confidence":"HIGH","issue_severity":"CRITICAL","issue_tags":{}},"baselineState":"new","partialFingerprints":{"scanPrimaryLocationHash":"b0bd4a6a902e74cb","scanFileHash":"9710d25bf881cc8a"},"ruleId":"CKV_K8S_20","ruleIndex":16},{"message":{"markdown":"","text":"Minimize the admission of root containers."},"level":"error","locations":[{"physicalLocation":{"region":{"snippet":{"text":"19 apiVersion: v1\n"},"startLine":19},"artifactLocation":{"uri":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml"},"contextRegion":{"snippet":{"text":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"endLine":21,"startLine":19}}}],"properties":{"issue_confidence":"HIGH","issue_severity":"HIGH","issue_tags":{}},"baselineState":"new","partialFingerprints":{"scanPrimaryLocationHash":"b0bd4a6a902e74cb","scanFileHash":"9710d25bf881cc8a"},"ruleId":"CKV_K8S_23","ruleIndex":17},{"message":{"markdown":"","text":"Apply security context to your pods and containers."},"level":"error","locations":[{"physicalLocation":{"region":{"snippet":{"text":"19 apiVersion: 
v1\n"},"startLine":19},"artifactLocation":{"uri":"file:///home/oran/Documents/ric-app-hw-python/resources/pod.yaml"},"contextRegion":{"snippet":{"text":"19 apiVersion: v1\nkind: Pod\nmetadata:\n"},"endLine":21,"startLine":19}}}],"properties":{"issue_confidence":"HIGH","issue_severity":"HIGH","issue_tags":{}},"baselineState":"new","partialFingerprints":{"scanPrimaryLocationHash":"b0bd4a6a902e74cb","scanFileHash":"9710d25bf881cc8a"},"ruleId":"CKV_K8S_30","ruleIndex":18}],"automationDetails":{"description":{"text":"Static Analysis Security Test results using @ShiftLeft/sast-scan"},"guid":"dd280ae7-4836-43c9-a2b1-a61c9a830447"},"versionControlProvenance":[{"branch":"master","repositoryUri":"","revisionId":""}]}
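The nineteen Kubernetes results above all point at the same manifest (`resources/pod.yaml`, reported at line 19, where the Pod object starts) and the rule IDs are Checkov's `CKV_K8S_*` checks, so they can be cleared in one pass on that one file. The manifest below is an added example, not the `ric-app-hw-python` project's own `pod.yaml`: the namespace `ricxapp`, the names `hw-python`, the registry `registry.example.com`, port 8080, the `/healthz` and `/readyz` probe paths and the resource figures are placeholders chosen for illustration, and the image digest is a placeholder that must be replaced by the real digest of the built image. Each field is annotated with the rule it satisfies.

```yaml
# Added example (not the ric-app-hw-python repository's pod.yaml): a Pod manifest
# written to clear every CKV_K8S_* rule in the report above.
# Placeholders (assumptions): namespace "ricxapp", pod/container name
# "hw-python", registry.example.com, port 8080, probe paths, resource sizes.
apiVersion: v1
kind: Pod
metadata:
  name: hw-python
  namespace: ricxapp                    # CKV_K8S_21: never deploy into "default"
  annotations:
    # Older Checkov releases only recognise the annotation form of CKV_K8S_31;
    # harmless to keep next to securityContext.seccompProfile below.
    seccomp.security.alpha.kubernetes.io/pod: runtime/default
spec:
  automountServiceAccountToken: false   # CKV_K8S_38: no API token unless the app needs one
  securityContext:                      # CKV_K8S_29: pod-level security context
    runAsNonRoot: true                  # CKV_K8S_23: kubelet refuses a UID-0 image
    runAsUser: 10001                    # CKV_K8S_40: above 10000, clear of host accounts
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault              # CKV_K8S_31: runtime/default syscall filter
  containers:
    - name: hw-python
      # CKV_K8S_43: pin by digest, not by tag. The digest below is a placeholder;
      # obtain the real one with: docker inspect --format '{{index .RepoDigests 0}}' IMAGE:TAG
      image: registry.example.com/ric-app-hw-python@sha256:<64-hex-digest-of-built-image>
      imagePullPolicy: Always           # CKV_K8S_15
      ports:
        - containerPort: 8080
      securityContext:                  # CKV_K8S_30: container-level security context
        allowPrivilegeEscalation: false # CKV_K8S_20: setuid/file-cap binaries cannot gain privilege
        readOnlyRootFilesystem: true    # CKV_K8S_22
        runAsNonRoot: true
        runAsUser: 10001
        capabilities:
          drop:
            - ALL                       # CKV_K8S_28 (NET_RAW) and CKV_K8S_37 (all caps)
      resources:                        # CKV_K8S_10, 11, 12, 13
        requests:
          cpu: 100m
          memory: 128Mi
        limits:
          cpu: 500m
          memory: 256Mi
      livenessProbe:                    # CKV_K8S_8
        httpGet:
          path: /healthz
          port: 8080
        initialDelaySeconds: 10
        periodSeconds: 15
      readinessProbe:                   # CKV_K8S_9
        httpGet:
          path: /readyz
          port: 8080
        initialDelaySeconds: 5
        periodSeconds: 10
      volumeMounts:
        # A read-only root filesystem still needs a writable scratch area;
        # an emptyDir provides it without reopening the image layers.
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}
```

Two caveats before committing this. `CKV_K8S_43` only checks that the image reference contains `@sha256:`, so a placeholder digest passes the scanner but the pod will never pull; fill in the real digest first. Dropping `ALL` capabilities and running with a read-only root filesystem can break applications that bind ports below 1024 or write into their install directory, so run the pod once with `kubectl apply --dry-run=server -f pod.yaml` and then for real, watch `kubectl logs`, and only then re-run `checkov -f pod.yaml --framework kubernetes` to confirm the result list is empty.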
{"tool":{"driver":{"name":"Python Source Analyzer","version":"1.0.0-scan","fullName":"Python Source Analyzer"}},"conversion":{"tool":{"driver":{"name":"@ShiftLeft/sast-scan"}},"invocation":{"arguments":["-r","-a","vuln","-n","3","-s","B101,B102,B105,B307,B308,B310,B322,B404,B601,B602,B603,B604,B605,B701,B702,B703","-iii","-ll","-o","/app/reports/source-python-report.json","-f","json","-x",".git,.svn,.mvn,.idea,.github,.hg,dist,obj,backup,docs,tests,test,test-packages,tmp,report,reports,node_modules,.terraform,.serverless,venv,.virtualenv,vendor,bower_components,.vscode,e2e,.pytest_cache,__pycache__,.storybook,.venv,.tox,examples,tutorials,samples,migrations,db_migrations,unittests,unittests_legacy,stubs,cypress,mock,mocks","/app"],"executionSuccessful":true,"commandLine":"-r -a vuln -n 3 -s B101,B102,B105,B307,B308,B310,B322,B404,B601,B602,B603,B604,B605,B701,B702,B703 -iii -ll -o /app/reports/source-python-report.json -f json -x .git,.svn,.mvn,.idea,.github,.hg,dist,obj,backup,docs,tests,test,test-packages,tmp,report,reports,node_modules,.terraform,.serverless,venv,.virtualenv,vendor,bower_components,.vscode,e2e,.pytest_cache,__pycache__,.storybook,.venv,.tox,examples,tutorials,samples,migrations,db_migrations,unittests,unittests_legacy,stubs,cypress,mock,mocks /app","endTimeUtc":"2023-08-28T05:56:16Z","workingDirectory":{"uri":"file:///home/oran/Documents/ric-app-hw-python"}}},"invocations":[{"executionSuccessful":true,"endTimeUtc":"2023-08-28T05:56:16Z","workingDirectory":{"uri":"file:///home/oran/Documents/ric-app-hw-python"}}],"properties":{"metrics":{"total":0,"critical":0,"high":0,"medium":0,"low":0}},"results":[],"automationDetails":{"description":{"text":"Static Analysis Security Test results using @ShiftLeft/sast-scan"},"guid":"bf813369-d6ff-470d-a89e-195870e19510"},"versionControlProvenance":[{"branch":"master","repositoryUri":"","revisionId":""}]}
<h1>SAST Scan Status <button class="btn btn-success btn-action"><span class="tooltip tooltip-top" data-tooltip="No major issues were found"><i class="icon icon-check"></i></span></button></h1>
<p>Report from the scan performed on <span class="text-dark chip"><i class="icon icon-time"></i> 2023-08-28 at 05:56:16</span> for <span class="text-dark chip"><i class="icon icon-link"></i> <a href=""></a></span></p>
<p>This report was generated by ShiftLeft from the SAST Scan invocation on 2023-08-28 at 05:56:16. The scan used the tool <span class="text-bold">Python Source Analyzer</span> to scan the source code repository.</p>
<p><i class="icon icon-check icon-2x text-success"></i> Based on this report, the application is certified as ready for deployment to test and production environments. Please refer to the dependency and container scan reports (if available) for additional context.</p>
<p>Thank you for using <a href="https://shiftleft.io" target="_blank">ShiftLeft</a>. Looking for a more detailed analysis? Check out ShiftLeft <a href="https://www.shiftleft.io/" target="_blank">CORE</a> or login to your <a href="https://www.shiftleft.io/dashboard" target="_blank">dashboard</a>.</p>
<h1>SAST Scan Status <button class="btn btn-error btn-action"><span class="tooltip tooltip-top" data-tooltip="Issues were found in this run"><i class="icon icon-cross"></i></span></button></h1>
<p>Report from the scan performed on <span class="text-dark chip"><i class="icon icon-time"></i> 2023-08-28 at 05:56:18</span> for <span class="text-dark chip"><i class="icon icon-link"></i> <a href=""></a></span></p>
<p>This report was generated by ShiftLeft from the SAST Scan invocation on 2023-08-28 at 05:56:18. The scan used the tool <span class="text-bold">Security Audit for Infrastructure</span> to scan the source code repository.</p>
<p><i class="icon icon-flag icon-2x text-warning"></i> ShiftLeft recommends immediate remediation of the key issues identified before using this application in a live environment.</p>
<p>Thank you for using <a href="https://shiftleft.io" target="_blank">ShiftLeft</a>. Looking for a more detailed analysis? Check out ShiftLeft <a href="https://www.shiftleft.io/" target="_blank">CORE</a> or login to your <a href="https://www.shiftleft.io/dashboard" target="_blank">dashboard</a>.</p>