diff --git a/go.mod b/go.mod
index c68ce29964a3..eeeb59798adc 100644
--- a/go.mod
+++ b/go.mod
@@ -13,7 +13,7 @@ require (
 github.com/NYTimes/gziphandler v1.1.1
 github.com/alicebob/miniredis/v2 v2.30.4
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
- github.com/aquasecurity/defsec v0.90.4-0.20230716083016-931764ac907f
+ github.com/aquasecurity/defsec v0.91.0
 github.com/aquasecurity/go-dep-parser v0.0.0-20230713131216-85ebd0d79cd3
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
@@ -27,7 +27,7 @@ require (
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728
 github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230708090141-f44c2292c9a9
 github.com/aws/aws-sdk-go v1.44.245
- github.com/aws/aws-sdk-go-v2 v1.18.1
+ github.com/aws/aws-sdk-go-v2 v1.19.0
 github.com/aws/aws-sdk-go-v2/config v1.18.25
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.98.0
 github.com/aws/aws-sdk-go-v2/service/sts v1.19.0
@@ -146,14 +146,14 @@ require (
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.8 // indirect
 github.com/aws/aws-sdk-go-v2/credentials v1.13.24 // indirect
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.3 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.34 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.28 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.35 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.29 // indirect
 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.34 // indirect
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.14 // indirect
 github.com/aws/aws-sdk-go-v2/service/accessanalyzer v1.16.0 // indirect
 github.com/aws/aws-sdk-go-v2/service/apigateway v1.15.24 // indirect
 github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.13.11 // indirect
- github.com/aws/aws-sdk-go-v2/service/athena v1.18.10 // indirect
+ github.com/aws/aws-sdk-go-v2/service/athena v1.30.4 // indirect
 github.com/aws/aws-sdk-go-v2/service/cloudfront v1.20.5 // indirect
 github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.27.1 // indirect
 github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.26.2 // indirect
@@ -163,14 +163,14 @@ require (
 github.com/aws/aws-sdk-go-v2/service/dynamodb v1.17.7 // indirect
 github.com/aws/aws-sdk-go-v2/service/ebs v1.15.19 // indirect
 github.com/aws/aws-sdk-go-v2/service/ecr v1.17.18 // indirect
- github.com/aws/aws-sdk-go-v2/service/ecs v1.18.26 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ecs v1.28.1 // indirect
 github.com/aws/aws-sdk-go-v2/service/efs v1.20.3 // indirect
 github.com/aws/aws-sdk-go-v2/service/eks v1.27.14 // indirect
 github.com/aws/aws-sdk-go-v2/service/elasticache v1.26.8 // indirect
 github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.19.11 // indirect
 github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.19.0 // indirect
 github.com/aws/aws-sdk-go-v2/service/emr v1.24.4 // indirect
- github.com/aws/aws-sdk-go-v2/service/iam v1.19.12 // indirect
+ github.com/aws/aws-sdk-go-v2/service/iam v1.21.1 // indirect
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.10 // indirect
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.18 // indirect
 github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.7.23 // indirect
diff --git a/go.sum b/go.sum
index a1a6f0d1c144..0c9ea4488d84 100644
--- a/go.sum
+++ b/go.sum
@@ -321,8 +321,8 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
-github.com/aquasecurity/defsec v0.90.4-0.20230716083016-931764ac907f h1:JQnhl5zK5cBJKPbCLdvK0ialSkwvp+z1B9rY61SRxNI=
-github.com/aquasecurity/defsec v0.90.4-0.20230716083016-931764ac907f/go.mod h1:VPkgjZz3dx3znIIVLZgbtFhSzN9aZC2409s5V5Oqb7o=
+github.com/aquasecurity/defsec v0.91.0 h1:JGTiKL2UgnANZ4RoQQKokzpZ2vFv2LlXGoNjIypz9RQ=
+github.com/aquasecurity/defsec v0.91.0/go.mod h1:l/srzxtuuyb6c6FlqUvMp3xw2ZbvuZ0l9972MNJM7V8=
 github.com/aquasecurity/go-dep-parser v0.0.0-20230713131216-85ebd0d79cd3 h1:btZmyXc4e4wDNBEI4guYzpCMeNPM0f8p0F/IzSsoP0M=
 github.com/aquasecurity/go-dep-parser v0.0.0-20230713131216-85ebd0d79cd3/go.mod h1:Cl6aYro+Ddzh1MB451j/C6rvwKdn/Ifa7z98sFirJ9I=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
@@ -369,8 +369,9 @@ github.com/aws/aws-sdk-go-v2 v1.17.5/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3eP
 github.com/aws/aws-sdk-go-v2 v1.17.7/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
 github.com/aws/aws-sdk-go-v2 v1.17.8/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
 github.com/aws/aws-sdk-go-v2 v1.18.0/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
-github.com/aws/aws-sdk-go-v2 v1.18.1 h1:+tefE750oAb7ZQGzla6bLkOwfcQCEtC5y2RqoqCeqKo=
 github.com/aws/aws-sdk-go-v2 v1.18.1/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
+github.com/aws/aws-sdk-go-v2 v1.19.0 h1:klAT+y3pGFBU/qVf1uzwttpBbiuozJYWzNLHioyDJ+k=
+github.com/aws/aws-sdk-go-v2 v1.19.0/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.8 h1:tcFliCWne+zOuUfKNRn8JdFBuWPDuISDH08wD2ULkhk=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.8/go.mod h1:JTnlBSot91steJeti4ryyu/tLd4Sk84O5W22L7O2EQU=
 github.com/aws/aws-sdk-go-v2/config v1.18.25 h1:JuYyZcnMPBiFqn87L2cRppo+rNwgah6YwD3VuyvaW6Q=
@@ -385,16 +386,18 @@ github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.29/go.mod h1:Dip3sIGv48
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.31/go.mod h1:QT0BqUvX1Bh2ABdTGnjqEjvjzrCfIniM9Sc8zn9Yndo=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.32/go.mod h1:RudqOgadTWdcS3t/erPQo24pcVEoYyqj/kKW5Vya21I=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33/go.mod h1:7i0PF1ME/2eUPFcjkVIwq+DOygHEoK92t5cDqNgYbIw=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.34 h1:A5UqQEmPaCFpedKouS4v+dHCTUo2sKqhoKO9U5kxyWo=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.34/go.mod h1:wZpTEecJe0Btj3IYnDx/VlUzor9wm3fJHyvLpQF0VwY=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.35 h1:hMUCiE3Zi5AHrRNGf5j985u0WyqI6r2NULhUfo0N/No=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.35/go.mod h1:ipR5PvpSPqIqL5Mi82BxLnfMkHVbmco8kUwO2xrCi0M=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.17/go.mod h1:pRwaTYCJemADaqCbUAxltMoHKata7hmB5PjEXeu0kfg=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19/go.mod h1:6Q0546uHDp421okhmmGfbxzq2hBqbXFNpi4k+Q1JnQA=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.23/go.mod h1:mr6c4cHC+S/MMkrjtSlG4QA36kOznDep+0fga5L/fGQ=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.25/go.mod h1:zBHOPwhBc3FlQjQJE/D3IfPWiWaQmT06Vq9aNukDo0k=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.26/go.mod h1:vq86l7956VgFr0/FWQ2BWnK07QC3WYsepKzy33qqY5U=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27/go.mod h1:UrHnn3QV/d0pBZ6QBAEQcqFLf8FAzLmoUfPVIueOvoM=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.28 h1:srIVS45eQuewqz6fKKu6ZGXaq6FuFg5NzgQBAM6g8Y4=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.28/go.mod h1:7VRpKQQedkfIEXb4k52I7swUnZP0wohVajJMRn3vsUw=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.29 h1:yOpYx+FTBdpk/g+sBU6Cb1H0U/TLEcYYp66mYqsPpcc=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.29/go.mod h1:M/eUABlDbw2uVrdAn+UsI6M727qp2fxkp8K0ejcBDUY=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.34 h1:gGLG7yKaXG02/jBlg210R7VgQIotiQntNhsCFejawx8=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.34/go.mod h1:Etz2dj6UHYuw+Xw830KfzCfWGMzqvUTCjUj5b76GVDc=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.14 h1:ZSIPAkAsCCjYrhqfw2+lNzWDzxzHXEckFkTePL5RSWQ=
@@ -405,8 +408,8 @@ github.com/aws/aws-sdk-go-v2/service/apigateway v1.15.24 h1:eWwaF3m67oAJGBhfzVC9
 github.com/aws/aws-sdk-go-v2/service/apigateway v1.15.24/go.mod h1:3olVANhEv+CFhEvC/TTkqh+1kg+r0px3CbH5eRKx7J4=
 github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.13.11 h1:1L2042GftNVyI3TtWclGodfN5zBQjBNXsTQxDNaPXs8=
 github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.13.11/go.mod h1:Cs+mG0DXkVYPWsWIE8Ga78C/HeN5zFBbPHdOnJPwZ4M=
-github.com/aws/aws-sdk-go-v2/service/athena v1.18.10 h1:s8cE1HX3Pi53iMg+A+d7gGvmjA+Z4nH6u0BbbuFwXXE=
-github.com/aws/aws-sdk-go-v2/service/athena v1.18.10/go.mod h1:LiVr7tVQ2lrlv82VQhyuulN8uysLHsEeptFjA5PY1Pc=
+github.com/aws/aws-sdk-go-v2/service/athena v1.30.4 h1:x6pNnhCWXrkGX43gkJkcdCtlYSFx3tzqJKnm2QBqz6k=
+github.com/aws/aws-sdk-go-v2/service/athena v1.30.4/go.mod h1:XyrQmcmWx6BNhu1K5la/Zub8gX29MqiIMQ9silULHjk=
 github.com/aws/aws-sdk-go-v2/service/cloudfront v1.20.5 h1:nLAPA7/DSmDWYP/MGtRNP6bHjiL8Fmyg8qeDxW90nm0=
 github.com/aws/aws-sdk-go-v2/service/cloudfront v1.20.5/go.mod h1:HYQXu2AKM7RLCn3APoQ5EvL2N/RlI4LSNN8pIGbdaDQ=
 github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.27.1 h1:Qw1G/M7eanpm6s/URkG1UuRLKEnRnpUvkUb7NMVvWb8=
@@ -427,8 +430,8 @@ github.com/aws/aws-sdk-go-v2/service/ec2 v1.98.0 h1:WblDV33AG9dhv0zFEPEmGtD5UECS
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.98.0/go.mod h1:L3ZT0N/vBsw77mOAawXmRnREpEjcHd2v5Hzf7AkIH8M=
 github.com/aws/aws-sdk-go-v2/service/ecr v1.17.18 h1:uiF/RI+Up8H2xdgT2GWa20YzxiKEalHieqNjm6HC3Xk=
 github.com/aws/aws-sdk-go-v2/service/ecr v1.17.18/go.mod h1:DQtDYmexqR+z+B6HBCvY7zK/tuXKv6Zy/IwOXOK3eow=
-github.com/aws/aws-sdk-go-v2/service/ecs v1.18.26 h1:EHJAYkUnlFJ/KwuFMvUs/bPbb0DaqAI+gTfXxffTPZ0=
-github.com/aws/aws-sdk-go-v2/service/ecs v1.18.26/go.mod h1:NpR78BP2STxvF/R1GXLDM4gAEfjz68W/h0nC5b6Jk3s=
+github.com/aws/aws-sdk-go-v2/service/ecs v1.28.1 h1:PxWgrtfQvct60NjxSrFsSWG/Yg1HATRKP4IeUPiLlrE=
+github.com/aws/aws-sdk-go-v2/service/ecs v1.28.1/go.mod h1:eZBCsRjzc+ZX8x3h0beHOu+uxRWRwnEHzzvDgKy9v0E=
 github.com/aws/aws-sdk-go-v2/service/efs v1.20.3 h1:+rQHxWkGK5GyanoetOyOG/U0sgXjlt3vw+jufY7wp4k=
 github.com/aws/aws-sdk-go-v2/service/efs v1.20.3/go.mod h1:UpiMmYILiWWe5wfcz6dJded9/K1XVmcOD3LB1ZCLVdw=
 github.com/aws/aws-sdk-go-v2/service/eks v1.27.14 h1:47HQVuJXgwvuoc4AT3rVdm77H0qGFbFnsuE4PRT+xX0=
@@ -441,8 +444,8 @@ github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.19.0 h1:XE/MewOiHgW
 github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.19.0/go.mod h1:2GKcrxIvmAf07PsxbJ7tccJDXzVj0oHT/MuBQ9835X8=
 github.com/aws/aws-sdk-go-v2/service/emr v1.24.4 h1:C6I3p2ENt01I5iO5oEXyfzSk1VIEKADXSMgNdiW1Tw8=
 github.com/aws/aws-sdk-go-v2/service/emr v1.24.4/go.mod h1:hvWrBVsomnNf7Y0Onrl+wGAkcOAH81Ybcy8FSQrvARM=
-github.com/aws/aws-sdk-go-v2/service/iam v1.19.12 h1:JH1H7POlsZt41X9JYIBLZoXW0Qv+WOuC48xsafsls2Q=
-github.com/aws/aws-sdk-go-v2/service/iam v1.19.12/go.mod h1:kAnokExGCYs7zfvZEZdFHvQ/x4ZKIci0Raps6mZI1Ag=
+github.com/aws/aws-sdk-go-v2/service/iam v1.21.1 h1:VTCWgsrromZqnlRgfziqqWWcW7LFkQLwJVYgf/5zgWA=
+github.com/aws/aws-sdk-go-v2/service/iam v1.21.1/go.mod h1:LBsjrFczXiQLASO6FtDGTeHuZh6oHuIH6VKaOozFghg=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.9/go.mod h1:a9j48l6yL5XINLHLcOKInjdvknN+vWqPBxqeIDw7ktw=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.10 h1:dpiPHgmFstgkLG07KaYAewvuptq5kvo52xn7tVSrtrQ=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.10/go.mod h1:9cBNUHI2aW4ho0A5T87O294iPDuuUOSIEDjnd1Lq/z0=
diff --git a/integration/testdata/helm.json.golden b/integration/testdata/helm.json.golden
index 4ffddde5cf5b..e613367ff782 100644
--- a/integration/testdata/helm.json.golden
+++ b/integration/testdata/helm.json.golden
@@ -20,8 +20,8 @@
 "Class": "config",
 "Type": "helm",
 "MisconfSummary": {
- "Successes": 143,
- "Failures": 2,
+ "Successes": 146,
+ "Failures": 4,
 "Exceptions": 0
 },
 "Misconfigurations": [
@@ -29,7 +29,7 @@ "Type": "Helm Security Check", "ID": "KSV001", "AVDID": "AVD-KSV-0001", - "Title": "Process can elevate its own privileges", + "Title": "Can elevate its own privileges", "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", "Message": "Container 'testchart' of Deployment 'testchart' should set 'securityContext.allowPrivilegeEscalation' to false", "Namespace": "builtin.kubernetes.KSV001", @@ -148,7 +148,7 @@ "Type": "Helm Security Check", "ID": "KSV030", "AVDID": "AVD-KSV-0030", - "Title": "Default Seccomp profile not set", + "Title": "Runtime/Default Seccomp profile not set", "Description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.", "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", "Namespace": "builtin.kubernetes.KSV030", 
@@ -262,6 +262,58 @@ ] } } + }, + { + "Type": "Helm Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "Seccomp profile must not be explicitly set to 'Unconfined'.", + "Message": "container testchart of deployment testchart in default namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Do not set seccomp profile to 'Unconfined'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV116", + "AVDID": "AVD-KSV-0116", + "Title": "Runs with a root primary or supplementary GID", + "Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.", + "Message": "deployment testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0", + "Namespace": "builtin.kubernetes.KSV116", + "Query": "data.builtin.kubernetes.KSV116.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv116", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv116" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } } ] }, 
@@ -270,20 +322,76 @@ "Class": "config", "Type": "helm", "MisconfSummary": { - "Successes": 145, - "Failures": 0, + "Successes": 149, + "Failures": 1, "Exceptions": 0 - } + }, + "Misconfigurations": [ + { + "Type": "Helm Security Check", + "ID": "KSV116", + "AVDID": "AVD-KSV-0116", + "Title": "Runs with a root primary or supplementary GID", + "Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.", + "Message": "service testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0", + "Namespace": "builtin.kubernetes.KSV116", + "Query": "data.builtin.kubernetes.KSV116.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv116", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv116" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] }, { "Target": "testchart.tar.gz:templates/serviceaccount.yaml", "Class": "config", "Type": "helm", "MisconfSummary": { - "Successes": 145, - "Failures": 0, + "Successes": 149, + "Failures": 1, "Exceptions": 0 - } + }, + "Misconfigurations": [ + { + "Type": "Helm Security Check", + "ID": "KSV116", + "AVDID": "AVD-KSV-0116", + "Title": "Runs with a root primary or supplementary GID", + "Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.", + "Message": "serviceaccount testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and 
spec.securityContext.fsGroup to integer greater than 0", + "Namespace": "builtin.kubernetes.KSV116", + "Query": "data.builtin.kubernetes.KSV116.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv116", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv116" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] } ] } diff --git a/integration/testdata/helm_testchart.json.golden b/integration/testdata/helm_testchart.json.golden index 84e108b713e8..0314f93a748b 100644 --- a/integration/testdata/helm_testchart.json.golden +++ b/integration/testdata/helm_testchart.json.golden @@ -20,8 +20,8 @@ "Class": "config", "Type": "helm", "MisconfSummary": { - "Successes": 143, - "Failures": 2, + "Successes": 146, + "Failures": 4, "Exceptions": 0 }, "Misconfigurations": [ @@ -29,7 +29,7 @@ "Type": "Helm Security Check", "ID": "KSV001", "AVDID": "AVD-KSV-0001", - "Title": "Process can elevate its own privileges", + "Title": "Can elevate its own privileges", "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", "Message": "Container 'testchart' of Deployment 'testchart' should set 'securityContext.allowPrivilegeEscalation' to false", "Namespace": "builtin.kubernetes.KSV001", 
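Review bot: The new KSV116 findings on `templates/service.yaml` and `templates/serviceaccount.yaml` look like false positives being baked into the golden file: a Kubernetes `Service` and a `ServiceAccount` carry no pod template, so the message `service testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0` cannot be acted on, and accepting it here makes the integration test assert the wrong answer for those two targets (the same entries are repeated in the two sibling golden files below). Before pinning this, I would confirm against the defsec v0.91.0 KSV116 rego whether the check is intended to evaluate only workload kinds; if it is, the regression belongs upstream and the golden should stay at `"Failures": 0` for the Service and ServiceAccount targets (or the defsec version be held back) rather than enshrining the noise. The new KSV104 entry is also internally inconsistent: its `Description` says the profile "must not be explicitly set to 'Unconfined'", but its `Message` (`should specify a seccomp profile`) fires on a deployment that sets no profile at all, overlapping KSV030, which is worth a sentence in the PR description so downstream consumers know the new MEDIUM finding is expected.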
@@ -148,7 +148,7 @@ "Type": "Helm Security Check", "ID": "KSV030", "AVDID": "AVD-KSV-0030", - "Title": "Default Seccomp profile not set", + "Title": "Runtime/Default Seccomp profile not set", "Description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.", "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", "Namespace": "builtin.kubernetes.KSV030", 
@@ -262,6 +262,58 @@ ] } } + }, + { + "Type": "Helm Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "Seccomp profile must not be explicitly set to 'Unconfined'.", + "Message": "container testchart of deployment testchart in default namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Do not set seccomp profile to 'Unconfined'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV116", + "AVDID": "AVD-KSV-0116", + "Title": "Runs with a root primary or supplementary GID", + "Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.", + "Message": "deployment testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0", + "Namespace": "builtin.kubernetes.KSV116", + "Query": "data.builtin.kubernetes.KSV116.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv116", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv116" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } } ] }, 
@@ -270,20 +322,76 @@ "Class": "config", "Type": "helm", "MisconfSummary": { - "Successes": 145, - "Failures": 0, + "Successes": 149, + "Failures": 1, "Exceptions": 0 - } + }, + "Misconfigurations": [ + { + "Type": "Helm Security Check", + "ID": "KSV116", + "AVDID": "AVD-KSV-0116", + "Title": "Runs with a root primary or supplementary GID", + "Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.", + "Message": "service testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0", + "Namespace": "builtin.kubernetes.KSV116", + "Query": "data.builtin.kubernetes.KSV116.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv116", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv116" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] }, { "Target": "templates/serviceaccount.yaml", "Class": "config", "Type": "helm", "MisconfSummary": { - "Successes": 145, - "Failures": 0, + "Successes": 149, + "Failures": 1, "Exceptions": 0 - } + }, + "Misconfigurations": [ + { + "Type": "Helm Security Check", + "ID": "KSV116", + "AVDID": "AVD-KSV-0116", + "Title": "Runs with a root primary or supplementary GID", + "Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.", + "Message": "serviceaccount testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer 
greater than 0", + "Namespace": "builtin.kubernetes.KSV116", + "Query": "data.builtin.kubernetes.KSV116.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv116", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv116" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] } ] } diff --git a/integration/testdata/helm_testchart.overridden.json.golden b/integration/testdata/helm_testchart.overridden.json.golden index 0b3507c777c6..fa6ad076116e 100644 --- a/integration/testdata/helm_testchart.overridden.json.golden +++ b/integration/testdata/helm_testchart.overridden.json.golden @@ -20,8 +20,8 @@ "Class": "config", "Type": "helm", "MisconfSummary": { - "Successes": 141, - "Failures": 4, + "Successes": 144, + "Failures": 6, "Exceptions": 0 }, "Misconfigurations": [ @@ -29,7 +29,7 @@ "Type": "Helm Security Check", "ID": "KSV001", "AVDID": "AVD-KSV-0001", - "Title": "Process can elevate its own privileges", + "Title": "Can elevate its own privileges", "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", "Message": "Container 'testchart' of Deployment 'testchart' should set 'securityContext.allowPrivilegeEscalation' to false", "Namespace": "builtin.kubernetes.KSV001", 
@@ -148,7 +148,7 @@ "Type": "Helm Security Check", "ID": "KSV020", "AVDID": "AVD-KSV-0020", - "Title": "Runs with low user ID", + "Title": "Runs with UID \u003c= 10000", "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", "Message": "Container 'testchart' of Deployment 'testchart' should set 'securityContext.runAsUser' \u003e 10000", "Namespace": "builtin.kubernetes.KSV020", @@ -267,7 +267,7 @@ "Type": "Helm Security Check", "ID": "KSV030", "AVDID": "AVD-KSV-0030", - "Title": "Default Seccomp profile not set", + "Title": "Runtime/Default Seccomp profile not set", "Description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.", "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", "Namespace": "builtin.kubernetes.KSV030", @@ -382,6 +382,32 @@ } } }, + { + "Type": "Helm Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "Seccomp profile must not be explicitly set to 'Unconfined'.", + "Message": "container testchart of deployment testchart in default namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Do not set seccomp profile to 'Unconfined'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + }, { "Type": "Helm Security Check", "ID": "KSV105", 
@@ -473,6 +499,32 @@ ] } } + }, + { + "Type": "Helm Security Check", + "ID": "KSV116", + "AVDID": "AVD-KSV-0116", + "Title": "Runs with a root primary or supplementary GID", + "Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.", + "Message": "deployment testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0", + "Namespace": "builtin.kubernetes.KSV116", + "Query": "data.builtin.kubernetes.KSV116.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv116", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv116" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } } ] }, 
@@ -481,20 +533,76 @@ "Class": "config", "Type": "helm", "MisconfSummary": { - "Successes": 145, - "Failures": 0, + "Successes": 149, + "Failures": 1, "Exceptions": 0 - } + }, + "Misconfigurations": [ + { + "Type": "Helm Security Check", + "ID": "KSV116", + "AVDID": "AVD-KSV-0116", + "Title": "Runs with a root primary or supplementary GID", + "Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.", + "Message": "service testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0", + "Namespace": "builtin.kubernetes.KSV116", + "Query": "data.builtin.kubernetes.KSV116.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv116", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv116" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] }, { "Target": "templates/serviceaccount.yaml", "Class": "config", "Type": "helm", "MisconfSummary": { - "Successes": 145, - "Failures": 0, + "Successes": 149, + "Failures": 1, "Exceptions": 0 - } + }, + "Misconfigurations": [ + { + "Type": "Helm Security Check", + "ID": "KSV116", + "AVDID": "AVD-KSV-0116", + "Title": "Runs with a root primary or supplementary GID", + "Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.", + "Message": "serviceaccount testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer 
greater than 0", + "Namespace": "builtin.kubernetes.KSV116", + "Query": "data.builtin.kubernetes.KSV116.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv116", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv116" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] } ] }