Checkmarx · asofsilva · Mar 15, 2024 · Mar 7, 2024 · Mar 14, 2024 · Mar 14, 2024
@@ -1,11 +1,12 @@
 {
-  "id": "95588189-1abd-4df1-9588-b0a5034f9e87",
-  "queryName": "Missing App Armor Config",
-  "severity": "LOW",
-  "category": "Access Control",
-  "descriptionText": "Containers should be configured with AppArmor for any application to reduce its potential attack",
-  "descriptionUrl": "https://www.pulumi.com/registry/packages/kubernetes/api-docs/core/v1/pod/#objectmeta",
-  "platform": "Pulumi",
-  "descriptionID": "15676623",
-  "cwe": ""
+    "id": "95588189-1abd-4df1-9588-b0a5034f9e87",
+    "queryName": "Missing App Armor Config",
+    "severity": "LOW",
+    "category": "Access Control",
+    "descriptionText": "Containers should be configured with AppArmor for any application to reduce its potential attack",
+    "descriptionUrl": "https://www.pulumi.com/registry/packages/kubernetes/api-docs/core/v1/pod/#objectmeta",
+    "platform": "Pulumi",
+    "descriptionID": "15676623",
+    "cwe": "",
+    "cloudProvider": "common"
 }
@@ -1,11 +1,12 @@
 {
-  "id": "ee305555-6b1d-4055-94cf-e22131143c34",
-  "queryName": "PSP Set To Privileged",
-  "severity": "MEDIUM",
-  "category": "Insecure Configurations",
-  "descriptionText": "Do not allow pod to request execution as privileged.",
-  "descriptionUrl": "https://www.pulumi.com/registry/packages/kubernetes/api-docs/policy/v1beta1/podsecuritypolicy/#privileged_yaml",
-  "platform": "Pulumi",
-  "descriptionID": "7a6c8b70",
-  "cwe": ""
+    "id": "ee305555-6b1d-4055-94cf-e22131143c34",
+    "queryName": "PSP Set To Privileged",
+    "severity": "MEDIUM",
+    "category": "Insecure Configurations",
+    "descriptionText": "Do not allow pod to request execution as privileged.",
+    "descriptionUrl": "https://www.pulumi.com/registry/packages/kubernetes/api-docs/policy/v1beta1/podsecuritypolicy/#privileged_yaml",
+    "platform": "Pulumi",
+    "descriptionID": "7a6c8b70",
+    "cwe": "",
+    "cloudProvider": "common"
 }
@@ -1,11 +1,12 @@
 {
-  "id": "ce7c874e-1b88-450b-a5e4-cb76ada3c8a9",
-  "queryName": "Github Organization Webhook With SSL Disabled",
-  "severity": "MEDIUM",
-  "category": "Encryption",
-  "descriptionText": "Check if insecure SSL is being used in the GitHub organization webhooks",
-  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/github/latest/docs/resources/organization_webhook",
-  "platform": "Terraform",
-  "descriptionID": "5def6580",
-  "cwe": ""
+    "id": "ce7c874e-1b88-450b-a5e4-cb76ada3c8a9",
+    "queryName": "Github Organization Webhook With SSL Disabled",
+    "severity": "MEDIUM",
+    "category": "Encryption",
+    "descriptionText": "Check if insecure SSL is being used in the GitHub organization webhooks",
+    "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/github/latest/docs/resources/organization_webhook",
+    "platform": "Terraform",
+    "descriptionID": "5def6580",
+    "cwe": "",
+    "cloudProvider": "common"
 }
@@ -1,11 +1,12 @@
 {
-  "id": "15d8a7fd-465a-4d15-a868-add86552f17b",
-  "queryName": "GitHub Repository Set To Public",
-  "severity": "MEDIUM",
-  "category": "Insecure Configurations",
-  "descriptionText": "Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')",
-  "descriptionUrl": "https://www.terraform.io/docs/providers/github/r/repository.html",
-  "platform": "Terraform",
-  "descriptionID": "4df8b842",
-  "cwe": ""
+    "id": "15d8a7fd-465a-4d15-a868-add86552f17b",
+    "queryName": "GitHub Repository Set To Public",
+    "severity": "MEDIUM",
+    "category": "Insecure Configurations",
+    "descriptionText": "Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')",
+    "descriptionUrl": "https://www.terraform.io/docs/providers/github/r/repository.html",
+    "platform": "Terraform",
+    "descriptionID": "4df8b842",
+    "cwe": "",
+    "cloudProvider": "common"
 }
@@ -1,11 +1,12 @@
 {
-  "id": "17172bc2-56fb-4f17-916f-a014147706cd",
-  "queryName": "Cluster Admin Rolebinding With Superuser Permissions",
-  "severity": "LOW",
-  "category": "Access Control",
-  "descriptionText": "Ensure that the cluster-admin role is only used where required (RBAC)",
-  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding#name",
-  "platform": "Terraform",
-  "descriptionID": "3cfeabe4",
-  "cwe": ""
+    "id": "17172bc2-56fb-4f17-916f-a014147706cd",
+    "queryName": "Cluster Admin Rolebinding With Superuser Permissions",
+    "severity": "LOW",
+    "category": "Access Control",
+    "descriptionText": "Ensure that the cluster-admin role is only used where required (RBAC)",
+    "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding#name",
+    "platform": "Terraform",
+    "descriptionID": "3cfeabe4",
+    "cwe": "",
+    "cloudProvider": "common"
 }
@@ -1,11 +1,12 @@
 {
-  "id": "a9174d31-d526-4ad9-ace4-ce7ddbf52e03",
-  "queryName": "Cluster Allows Unsafe Sysctls",
-  "severity": "HIGH",
-  "category": "Insecure Configurations",
-  "descriptionText": "A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.",
-  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_unsafe_sysctls",
-  "platform": "Terraform",
-  "descriptionID": "21547beb",
-  "cwe": ""
+    "id": "a9174d31-d526-4ad9-ace4-ce7ddbf52e03",
+    "queryName": "Cluster Allows Unsafe Sysctls",
+    "severity": "HIGH",
+    "category": "Insecure Configurations",
+    "descriptionText": "A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.",
+    "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_unsafe_sysctls",
+    "platform": "Terraform",
+    "descriptionID": "21547beb",
+    "cwe": "",
+    "cloudProvider": "common"
 }
@@ -1,11 +1,12 @@
 {
-  "id": "587d5d82-70cf-449b-9817-f60f9bccb88c",
-  "queryName": "Container Host Pid Is True",
-  "severity": "MEDIUM",
-  "category": "Insecure Configurations",
-  "descriptionText": "Minimize the admission of containers wishing to share the host process ID namespace",
-  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_pid",
-  "platform": "Terraform",
-  "descriptionID": "74aa164e",
-  "cwe": ""
+    "id": "587d5d82-70cf-449b-9817-f60f9bccb88c",
+    "queryName": "Container Host Pid Is True",
+    "severity": "MEDIUM",
+    "category": "Insecure Configurations",
+    "descriptionText": "Minimize the admission of containers wishing to share the host process ID namespace",
+    "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_pid",
+    "platform": "Terraform",
+    "descriptionID": "74aa164e",
+    "cwe": "",
+    "cloudProvider": "common"
 }
@@ -1,11 +1,12 @@
 {
-  "id": "87065ef8-de9b-40d8-9753-f4a4303e27a4",
-  "queryName": "Container Is Privileged",
-  "severity": "HIGH",
-  "category": "Insecure Configurations",
-  "descriptionText": "Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false",
-  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#privileged",
-  "platform": "Terraform",
-  "descriptionID": "e2be4ab9",
-  "cwe": ""
+    "id": "87065ef8-de9b-40d8-9753-f4a4303e27a4",
+    "queryName": "Container Is Privileged",
+    "severity": "HIGH",
+    "category": "Insecure Configurations",
+    "descriptionText": "Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false",
+    "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#privileged",
+    "platform": "Terraform",
+    "descriptionID": "e2be4ab9",
+    "cwe": "",
+    "cloudProvider": "common"
 }
@@ -1,11 +1,12 @@
 {
-  "id": "60af03ff-a421-45c8-b214-6741035476fa",
-  "queryName": "Container Resources Limits Undefined",
-  "severity": "MEDIUM",
-  "category": "Insecure Configurations",
-  "descriptionText": "Kubernetes container should have resource limitations defined such as CPU and memory",
-  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod",
-  "platform": "Terraform",
-  "descriptionID": "36651cdf",
-  "cwe": ""
+    "id": "60af03ff-a421-45c8-b214-6741035476fa",
+    "queryName": "Container Resources Limits Undefined",
+    "severity": "MEDIUM",
+    "category": "Insecure Configurations",
+    "descriptionText": "Kubernetes container should have resource limitations defined such as CPU and memory",
+    "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod",
+    "platform": "Terraform",
+    "descriptionID": "36651cdf",
+    "cwe": "",
+    "cloudProvider": "common"
 }
@@ -1,11 +1,12 @@
 {
-  "id": "0ad60203-c050-4115-83b6-b94bde92541d",
-  "queryName": "Container Runs Unmasked",
-  "severity": "MEDIUM",
-  "category": "Insecure Configurations",
-  "descriptionText": "Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.",
-  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_proc_mount_types",
-  "platform": "Terraform",
-  "descriptionID": "bbb3aa40",
-  "cwe": ""
+    "id": "0ad60203-c050-4115-83b6-b94bde92541d",
+    "queryName": "Container Runs Unmasked",
+    "severity": "MEDIUM",
+    "category": "Insecure Configurations",
+    "descriptionText": "Check if a container has full access (unmasked) to the host\u00e2\u20ac\u2122s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.",
+    "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_proc_mount_types",
+    "platform": "Terraform",
+    "descriptionID": "bbb3aa40",
+    "cwe": "",
+    "cloudProvider": "common"
 }
@@ -1,11 +1,12 @@
 {
-  "id": "fe771ff7-ba15-4f8f-ad7a-8aa232b49a28",
-  "queryName": "Containers With Added Capabilities",
-  "severity": "MEDIUM",
-  "category": "Insecure Configurations",
-  "descriptionText": "Containers should not have extra capabilities allowed",
-  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#capabilities-1",
-  "platform": "Terraform",
-  "descriptionID": "4422c052",
-  "cwe": ""
+    "id": "fe771ff7-ba15-4f8f-ad7a-8aa232b49a28",
+    "queryName": "Containers With Added Capabilities",
+    "severity": "MEDIUM",
+    "category": "Insecure Configurations",
+    "descriptionText": "Containers should not have extra capabilities allowed",
+    "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#capabilities-1",
+    "platform": "Terraform",
+    "descriptionID": "4422c052",
+    "cwe": "",
+    "cloudProvider": "common"
 }
@@ -1,11 +1,12 @@
 {
-  "id": "3f55386d-75cd-4e9a-ac47-167b26c04724",
-  "queryName": "Containers With Sys Admin Capabilities",
-  "severity": "MEDIUM",
-  "category": "Insecure Configurations",
-  "descriptionText": "Containers should not have CAP_SYS_ADMIN Linux capability",
-  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#capabilities-1",
-  "platform": "Terraform",
-  "descriptionID": "03622ad2",
-  "cwe": ""
+    "id": "3f55386d-75cd-4e9a-ac47-167b26c04724",
+    "queryName": "Containers With Sys Admin Capabilities",
+    "severity": "MEDIUM",
+    "category": "Insecure Configurations",
+    "descriptionText": "Containers should not have CAP_SYS_ADMIN Linux capability",
+    "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#capabilities-1",
+    "platform": "Terraform",
+    "descriptionID": "03622ad2",
+    "cwe": "",
+    "cloudProvider": "common"
 }
@@ -1,11 +1,12 @@
 {
-  "id": "5f4735ce-b9ba-4d95-a089-a37a767b716f",
-  "queryName": "CPU Limits Not Set",
-  "severity": "MEDIUM",
-  "category": "Resource Management",
-  "descriptionText": "CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests",
-  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#limits",
-  "platform": "Terraform",
-  "descriptionID": "9dd8e356",
-  "cwe": ""
+    "id": "5f4735ce-b9ba-4d95-a089-a37a767b716f",
+    "queryName": "CPU Limits Not Set",
+    "severity": "MEDIUM",
+    "category": "Resource Management",
+    "descriptionText": "CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests",
+    "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#limits",
+    "platform": "Terraform",
+    "descriptionID": "9dd8e356",
+    "cwe": "",
+    "cloudProvider": "common"
 }
@@ -1,11 +1,12 @@
 {
-  "id": "577ac19c-6a77-46d7-9f14-e049cdd15ec2",
-  "queryName": "CPU Requests Not Set",
-  "severity": "MEDIUM",
-  "category": "Resource Management",
-  "descriptionText": "CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node",
-  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#requests",
-  "platform": "Terraform",
-  "descriptionID": "957f09a7",
-  "cwe": ""
+    "id": "577ac19c-6a77-46d7-9f14-e049cdd15ec2",
+    "queryName": "CPU Requests Not Set",
+    "severity": "MEDIUM",
+    "category": "Resource Management",
+    "descriptionText": "CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node",
+    "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#requests",
+    "platform": "Terraform",
+    "descriptionID": "957f09a7",
+    "cwe": "",
+    "cloudProvider": "common"
 }
@@ -1,11 +1,12 @@
 {
-  "id": "58876b44-a690-4e9f-9214-7735fa0dd15d",
-  "queryName": "CronJob Deadline Not Configured",
-  "severity": "LOW",
-  "category": "Resource Management",
-  "descriptionText": "Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined",
-  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cron_job#starting_deadline_seconds",
-  "platform": "Terraform",
-  "descriptionID": "030edc62",
-  "cwe": ""
+    "id": "58876b44-a690-4e9f-9214-7735fa0dd15d",
+    "queryName": "CronJob Deadline Not Configured",
+    "severity": "LOW",
+    "category": "Resource Management",
+    "descriptionText": "Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined",
+    "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cron_job#starting_deadline_seconds",
+    "platform": "Terraform",
+    "descriptionID": "030edc62",
+    "cwe": "",
+    "cloudProvider": "common"
 }
@@ -1,11 +1,12 @@
 {
-  "id": "737a0dd9-0aaa-4145-8118-f01778262b8a",
-  "queryName": "Default Service Account In Use",
-  "severity": "MEDIUM",
-  "category": "Insecure Configurations",
-  "descriptionText": "Default service accounts should not be actively used",
-  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account#automount_service_account_token",
-  "platform": "Terraform",
-  "descriptionID": "b0822187",
-  "cwe": ""
+    "id": "737a0dd9-0aaa-4145-8118-f01778262b8a",
+    "queryName": "Default Service Account In Use",
+    "severity": "MEDIUM",
+    "category": "Insecure Configurations",
+    "descriptionText": "Default service accounts should not be actively used",
+    "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account#automount_service_account_token",
+    "platform": "Terraform",
+    "descriptionID": "b0822187",
+    "cwe": "",
+    "cloudProvider": "common"
 }
@@ -1,11 +1,12 @@
 {
-  "id": "461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3",
-  "queryName": "Deployment Has No PodAntiAffinity",
-  "severity": "LOW",
-  "category": "Resource Management",
-  "descriptionText": "Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.",
-  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/deployment#affinity",
-  "platform": "Terraform",
-  "descriptionID": "4a5ad90d",
-  "cwe": ""
+    "id": "461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3",
+    "queryName": "Deployment Has No PodAntiAffinity",
+    "severity": "LOW",
+    "category": "Resource Management",
+    "descriptionText": "Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.",
+    "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/deployment#affinity",
+    "platform": "Terraform",
+    "descriptionID": "4a5ad90d",
+    "cwe": "",
+    "cloudProvider": "common"
 }