Skip to content

Commit

Permalink
chore(deps): Update defsec to v0.91.0 (#4886)
Browse files Browse the repository at this point in the history
* chore(deps): Update defsec to v0.91.0

* update tests

Signed-off-by: Simar <simar@linux.com>

---------

Signed-off-by: Simar <simar@linux.com>
  • Loading branch information
simar7 authored Jul 30, 2023
1 parent c3bc67c commit 7271d68
Show file tree
Hide file tree
Showing 5 changed files with 376 additions and 49 deletions.
14 changes: 7 additions & 7 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ require (
github.com/NYTimes/gziphandler v1.1.1
github.com/alicebob/miniredis/v2 v2.30.4
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
github.com/aquasecurity/defsec v0.90.4-0.20230716083016-931764ac907f
github.com/aquasecurity/defsec v0.91.0
github.com/aquasecurity/go-dep-parser v0.0.0-20230713131216-85ebd0d79cd3
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
Expand All @@ -27,7 +27,7 @@ require (
github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728
github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230708090141-f44c2292c9a9
github.com/aws/aws-sdk-go v1.44.245
github.com/aws/aws-sdk-go-v2 v1.18.1
github.com/aws/aws-sdk-go-v2 v1.19.0
github.com/aws/aws-sdk-go-v2/config v1.18.25
github.com/aws/aws-sdk-go-v2/service/ec2 v1.98.0
github.com/aws/aws-sdk-go-v2/service/sts v1.19.0
Expand Down Expand Up @@ -146,14 +146,14 @@ require (
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.8 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.13.24 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.3 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.34 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.28 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.35 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.29 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.34 // indirect
github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.14 // indirect
github.com/aws/aws-sdk-go-v2/service/accessanalyzer v1.16.0 // indirect
github.com/aws/aws-sdk-go-v2/service/apigateway v1.15.24 // indirect
github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.13.11 // indirect
github.com/aws/aws-sdk-go-v2/service/athena v1.18.10 // indirect
github.com/aws/aws-sdk-go-v2/service/athena v1.30.4 // indirect
github.com/aws/aws-sdk-go-v2/service/cloudfront v1.20.5 // indirect
github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.27.1 // indirect
github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.26.2 // indirect
Expand All @@ -163,14 +163,14 @@ require (
github.com/aws/aws-sdk-go-v2/service/dynamodb v1.17.7 // indirect
github.com/aws/aws-sdk-go-v2/service/ebs v1.15.19 // indirect
github.com/aws/aws-sdk-go-v2/service/ecr v1.17.18 // indirect
github.com/aws/aws-sdk-go-v2/service/ecs v1.18.26 // indirect
github.com/aws/aws-sdk-go-v2/service/ecs v1.28.1 // indirect
github.com/aws/aws-sdk-go-v2/service/efs v1.20.3 // indirect
github.com/aws/aws-sdk-go-v2/service/eks v1.27.14 // indirect
github.com/aws/aws-sdk-go-v2/service/elasticache v1.26.8 // indirect
github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.19.11 // indirect
github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.19.0 // indirect
github.com/aws/aws-sdk-go-v2/service/emr v1.24.4 // indirect
github.com/aws/aws-sdk-go-v2/service/iam v1.19.12 // indirect
github.com/aws/aws-sdk-go-v2/service/iam v1.21.1 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.10 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.18 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.7.23 // indirect
Expand Down
25 changes: 14 additions & 11 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -321,8 +321,8 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
github.com/aquasecurity/defsec v0.90.4-0.20230716083016-931764ac907f h1:JQnhl5zK5cBJKPbCLdvK0ialSkwvp+z1B9rY61SRxNI=
github.com/aquasecurity/defsec v0.90.4-0.20230716083016-931764ac907f/go.mod h1:VPkgjZz3dx3znIIVLZgbtFhSzN9aZC2409s5V5Oqb7o=
github.com/aquasecurity/defsec v0.91.0 h1:JGTiKL2UgnANZ4RoQQKokzpZ2vFv2LlXGoNjIypz9RQ=
github.com/aquasecurity/defsec v0.91.0/go.mod h1:l/srzxtuuyb6c6FlqUvMp3xw2ZbvuZ0l9972MNJM7V8=
github.com/aquasecurity/go-dep-parser v0.0.0-20230713131216-85ebd0d79cd3 h1:btZmyXc4e4wDNBEI4guYzpCMeNPM0f8p0F/IzSsoP0M=
github.com/aquasecurity/go-dep-parser v0.0.0-20230713131216-85ebd0d79cd3/go.mod h1:Cl6aYro+Ddzh1MB451j/C6rvwKdn/Ifa7z98sFirJ9I=
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
Expand Down Expand Up @@ -369,8 +369,9 @@ github.com/aws/aws-sdk-go-v2 v1.17.5/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3eP
github.com/aws/aws-sdk-go-v2 v1.17.7/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
github.com/aws/aws-sdk-go-v2 v1.17.8/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
github.com/aws/aws-sdk-go-v2 v1.18.0/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
github.com/aws/aws-sdk-go-v2 v1.18.1 h1:+tefE750oAb7ZQGzla6bLkOwfcQCEtC5y2RqoqCeqKo=
github.com/aws/aws-sdk-go-v2 v1.18.1/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
github.com/aws/aws-sdk-go-v2 v1.19.0 h1:klAT+y3pGFBU/qVf1uzwttpBbiuozJYWzNLHioyDJ+k=
github.com/aws/aws-sdk-go-v2 v1.19.0/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.8 h1:tcFliCWne+zOuUfKNRn8JdFBuWPDuISDH08wD2ULkhk=
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.8/go.mod h1:JTnlBSot91steJeti4ryyu/tLd4Sk84O5W22L7O2EQU=
github.com/aws/aws-sdk-go-v2/config v1.18.25 h1:JuYyZcnMPBiFqn87L2cRppo+rNwgah6YwD3VuyvaW6Q=
Expand All @@ -385,16 +386,18 @@ github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.29/go.mod h1:Dip3sIGv48
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.31/go.mod h1:QT0BqUvX1Bh2ABdTGnjqEjvjzrCfIniM9Sc8zn9Yndo=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.32/go.mod h1:RudqOgadTWdcS3t/erPQo24pcVEoYyqj/kKW5Vya21I=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33/go.mod h1:7i0PF1ME/2eUPFcjkVIwq+DOygHEoK92t5cDqNgYbIw=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.34 h1:A5UqQEmPaCFpedKouS4v+dHCTUo2sKqhoKO9U5kxyWo=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.34/go.mod h1:wZpTEecJe0Btj3IYnDx/VlUzor9wm3fJHyvLpQF0VwY=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.35 h1:hMUCiE3Zi5AHrRNGf5j985u0WyqI6r2NULhUfo0N/No=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.35/go.mod h1:ipR5PvpSPqIqL5Mi82BxLnfMkHVbmco8kUwO2xrCi0M=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.17/go.mod h1:pRwaTYCJemADaqCbUAxltMoHKata7hmB5PjEXeu0kfg=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19/go.mod h1:6Q0546uHDp421okhmmGfbxzq2hBqbXFNpi4k+Q1JnQA=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.23/go.mod h1:mr6c4cHC+S/MMkrjtSlG4QA36kOznDep+0fga5L/fGQ=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.25/go.mod h1:zBHOPwhBc3FlQjQJE/D3IfPWiWaQmT06Vq9aNukDo0k=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.26/go.mod h1:vq86l7956VgFr0/FWQ2BWnK07QC3WYsepKzy33qqY5U=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27/go.mod h1:UrHnn3QV/d0pBZ6QBAEQcqFLf8FAzLmoUfPVIueOvoM=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.28 h1:srIVS45eQuewqz6fKKu6ZGXaq6FuFg5NzgQBAM6g8Y4=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.28/go.mod h1:7VRpKQQedkfIEXb4k52I7swUnZP0wohVajJMRn3vsUw=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.29 h1:yOpYx+FTBdpk/g+sBU6Cb1H0U/TLEcYYp66mYqsPpcc=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.29/go.mod h1:M/eUABlDbw2uVrdAn+UsI6M727qp2fxkp8K0ejcBDUY=
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.34 h1:gGLG7yKaXG02/jBlg210R7VgQIotiQntNhsCFejawx8=
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.34/go.mod h1:Etz2dj6UHYuw+Xw830KfzCfWGMzqvUTCjUj5b76GVDc=
github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.14 h1:ZSIPAkAsCCjYrhqfw2+lNzWDzxzHXEckFkTePL5RSWQ=
Expand All @@ -405,8 +408,8 @@ github.com/aws/aws-sdk-go-v2/service/apigateway v1.15.24 h1:eWwaF3m67oAJGBhfzVC9
github.com/aws/aws-sdk-go-v2/service/apigateway v1.15.24/go.mod h1:3olVANhEv+CFhEvC/TTkqh+1kg+r0px3CbH5eRKx7J4=
github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.13.11 h1:1L2042GftNVyI3TtWclGodfN5zBQjBNXsTQxDNaPXs8=
github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.13.11/go.mod h1:Cs+mG0DXkVYPWsWIE8Ga78C/HeN5zFBbPHdOnJPwZ4M=
github.com/aws/aws-sdk-go-v2/service/athena v1.18.10 h1:s8cE1HX3Pi53iMg+A+d7gGvmjA+Z4nH6u0BbbuFwXXE=
github.com/aws/aws-sdk-go-v2/service/athena v1.18.10/go.mod h1:LiVr7tVQ2lrlv82VQhyuulN8uysLHsEeptFjA5PY1Pc=
github.com/aws/aws-sdk-go-v2/service/athena v1.30.4 h1:x6pNnhCWXrkGX43gkJkcdCtlYSFx3tzqJKnm2QBqz6k=
github.com/aws/aws-sdk-go-v2/service/athena v1.30.4/go.mod h1:XyrQmcmWx6BNhu1K5la/Zub8gX29MqiIMQ9silULHjk=
github.com/aws/aws-sdk-go-v2/service/cloudfront v1.20.5 h1:nLAPA7/DSmDWYP/MGtRNP6bHjiL8Fmyg8qeDxW90nm0=
github.com/aws/aws-sdk-go-v2/service/cloudfront v1.20.5/go.mod h1:HYQXu2AKM7RLCn3APoQ5EvL2N/RlI4LSNN8pIGbdaDQ=
github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.27.1 h1:Qw1G/M7eanpm6s/URkG1UuRLKEnRnpUvkUb7NMVvWb8=
Expand All @@ -427,8 +430,8 @@ github.com/aws/aws-sdk-go-v2/service/ec2 v1.98.0 h1:WblDV33AG9dhv0zFEPEmGtD5UECS
github.com/aws/aws-sdk-go-v2/service/ec2 v1.98.0/go.mod h1:L3ZT0N/vBsw77mOAawXmRnREpEjcHd2v5Hzf7AkIH8M=
github.com/aws/aws-sdk-go-v2/service/ecr v1.17.18 h1:uiF/RI+Up8H2xdgT2GWa20YzxiKEalHieqNjm6HC3Xk=
github.com/aws/aws-sdk-go-v2/service/ecr v1.17.18/go.mod h1:DQtDYmexqR+z+B6HBCvY7zK/tuXKv6Zy/IwOXOK3eow=
github.com/aws/aws-sdk-go-v2/service/ecs v1.18.26 h1:EHJAYkUnlFJ/KwuFMvUs/bPbb0DaqAI+gTfXxffTPZ0=
github.com/aws/aws-sdk-go-v2/service/ecs v1.18.26/go.mod h1:NpR78BP2STxvF/R1GXLDM4gAEfjz68W/h0nC5b6Jk3s=
github.com/aws/aws-sdk-go-v2/service/ecs v1.28.1 h1:PxWgrtfQvct60NjxSrFsSWG/Yg1HATRKP4IeUPiLlrE=
github.com/aws/aws-sdk-go-v2/service/ecs v1.28.1/go.mod h1:eZBCsRjzc+ZX8x3h0beHOu+uxRWRwnEHzzvDgKy9v0E=
github.com/aws/aws-sdk-go-v2/service/efs v1.20.3 h1:+rQHxWkGK5GyanoetOyOG/U0sgXjlt3vw+jufY7wp4k=
github.com/aws/aws-sdk-go-v2/service/efs v1.20.3/go.mod h1:UpiMmYILiWWe5wfcz6dJded9/K1XVmcOD3LB1ZCLVdw=
github.com/aws/aws-sdk-go-v2/service/eks v1.27.14 h1:47HQVuJXgwvuoc4AT3rVdm77H0qGFbFnsuE4PRT+xX0=
Expand All @@ -441,8 +444,8 @@ github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.19.0 h1:XE/MewOiHgW
github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.19.0/go.mod h1:2GKcrxIvmAf07PsxbJ7tccJDXzVj0oHT/MuBQ9835X8=
github.com/aws/aws-sdk-go-v2/service/emr v1.24.4 h1:C6I3p2ENt01I5iO5oEXyfzSk1VIEKADXSMgNdiW1Tw8=
github.com/aws/aws-sdk-go-v2/service/emr v1.24.4/go.mod h1:hvWrBVsomnNf7Y0Onrl+wGAkcOAH81Ybcy8FSQrvARM=
github.com/aws/aws-sdk-go-v2/service/iam v1.19.12 h1:JH1H7POlsZt41X9JYIBLZoXW0Qv+WOuC48xsafsls2Q=
github.com/aws/aws-sdk-go-v2/service/iam v1.19.12/go.mod h1:kAnokExGCYs7zfvZEZdFHvQ/x4ZKIci0Raps6mZI1Ag=
github.com/aws/aws-sdk-go-v2/service/iam v1.21.1 h1:VTCWgsrromZqnlRgfziqqWWcW7LFkQLwJVYgf/5zgWA=
github.com/aws/aws-sdk-go-v2/service/iam v1.21.1/go.mod h1:LBsjrFczXiQLASO6FtDGTeHuZh6oHuIH6VKaOozFghg=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.9/go.mod h1:a9j48l6yL5XINLHLcOKInjdvknN+vWqPBxqeIDw7ktw=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.10 h1:dpiPHgmFstgkLG07KaYAewvuptq5kvo52xn7tVSrtrQ=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.10/go.mod h1:9cBNUHI2aW4ho0A5T87O294iPDuuUOSIEDjnd1Lq/z0=
Expand Down
128 changes: 118 additions & 10 deletions integration/testdata/helm.json.golden
Original file line number Diff line number Diff line change
Expand Up @@ -20,16 +20,16 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 143,
"Failures": 2,
"Successes": 146,
"Failures": 4,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Helm Security Check",
"ID": "KSV001",
"AVDID": "AVD-KSV-0001",
"Title": "Process can elevate its own privileges",
"Title": "Can elevate its own privileges",
"Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.",
"Message": "Container 'testchart' of Deployment 'testchart' should set 'securityContext.allowPrivilegeEscalation' to false",
"Namespace": "builtin.kubernetes.KSV001",
Expand Down Expand Up @@ -148,7 +148,7 @@
"Type": "Helm Security Check",
"ID": "KSV030",
"AVDID": "AVD-KSV-0030",
"Title": "Default Seccomp profile not set",
"Title": "Runtime/Default Seccomp profile not set",
"Description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.",
"Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'",
"Namespace": "builtin.kubernetes.KSV030",
Expand Down Expand Up @@ -262,6 +262,58 @@
]
}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV104",
"AVDID": "AVD-KSV-0104",
"Title": "Seccomp policies disabled",
"Description": "Seccomp profile must not be explicitly set to 'Unconfined'.",
"Message": "container testchart of deployment testchart in default namespace should specify a seccomp profile",
"Namespace": "builtin.kubernetes.KSV104",
"Query": "data.builtin.kubernetes.KSV104.deny",
"Resolution": "Do not set seccomp profile to 'Unconfined'",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104",
"References": [
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline",
"https://avd.aquasec.com/misconfig/ksv104"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"Code": {
"Lines": null
}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV116",
"AVDID": "AVD-KSV-0116",
"Title": "Runs with a root primary or supplementary GID",
"Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.",
"Message": "deployment testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0",
"Namespace": "builtin.kubernetes.KSV116",
"Query": "data.builtin.kubernetes.KSV116.deny",
"Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv116",
"References": [
"https://kubesec.io/basics/containers-securitycontext-runasuser/",
"https://avd.aquasec.com/misconfig/ksv116"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"Code": {
"Lines": null
}
}
}
]
},
Expand All @@ -270,20 +322,76 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 145,
"Failures": 0,
"Successes": 149,
"Failures": 1,
"Exceptions": 0
}
},
"Misconfigurations": [
{
"Type": "Helm Security Check",
"ID": "KSV116",
"AVDID": "AVD-KSV-0116",
"Title": "Runs with a root primary or supplementary GID",
"Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.",
"Message": "service testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0",
"Namespace": "builtin.kubernetes.KSV116",
"Query": "data.builtin.kubernetes.KSV116.deny",
"Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv116",
"References": [
"https://kubesec.io/basics/containers-securitycontext-runasuser/",
"https://avd.aquasec.com/misconfig/ksv116"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"Code": {
"Lines": null
}
}
}
]
},
{
"Target": "testchart.tar.gz:templates/serviceaccount.yaml",
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 145,
"Failures": 0,
"Successes": 149,
"Failures": 1,
"Exceptions": 0
}
},
"Misconfigurations": [
{
"Type": "Helm Security Check",
"ID": "KSV116",
"AVDID": "AVD-KSV-0116",
"Title": "Runs with a root primary or supplementary GID",
"Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.",
"Message": "serviceaccount testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0",
"Namespace": "builtin.kubernetes.KSV116",
"Query": "data.builtin.kubernetes.KSV116.deny",
"Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv116",
"References": [
"https://kubesec.io/basics/containers-securitycontext-runasuser/",
"https://avd.aquasec.com/misconfig/ksv116"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"Code": {
"Lines": null
}
}
}
]
}
]
}
Loading

0 comments on commit 7271d68

Please sign in to comment.