API group not taken into account for findings. #14

Open
felix-caboff opened this issue Jan 15, 2024 · 0 comments

Is your feature request related to a problem? Please describe.

The tool works well, but it has the potential for false positives when looking for excessive permissions. Take the following example that was flagged as having cluster admin privileges:

```json
"rules": [
    {
        "apiGroups": [
            "dex.coreos.com"
        ],
        "resources": [
            "*"
        ],
        "verbs": [
            "*"
        ]
    }
]
```

The tool lists this as cluster admin privileges even though in reality the privileges granted are restricted to the dex.coreos.com apiGroup. That isn't to say that having * * on the dex API isn't a bad thing, just that it isn't the same as having cluster admin perms.

Describe the solution you would like

The tool should probably look for apiGroups and list them if found alongside the rest of the details.

Describe alternatives you have considered

In general I think it would be useful for it to be able to output the raw data for each finding so that these are easily validated.

Additional context

Thank you!
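The distinction the issue draws (wildcard resources and verbs inside one named apiGroup versus a true cluster-admin wildcard across all groups), written out as an added classification example that is not the tool's own code. It also emits the raw rule with each finding, as the "alternatives" section asks for; the sample rule sets are constructed, and nonResourceURLs rules are not considered.

```python
"""Classify Kubernetes RBAC rules by the scope they actually grant (added example)."""
from typing import Any, Dict, List

# Constructed sample rule sets: the dex.coreos.com rule from the issue, a real
# cluster-admin rule and a narrow read-only rule, for comparison.
DEX_RULES = [{"apiGroups": ["dex.coreos.com"], "resources": ["*"], "verbs": ["*"]}]
CLUSTER_ADMIN_RULES = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]
NARROW_RULES = [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]


def classify_rule(rule: Dict[str, List[str]]) -> Dict[str, Any]:
    """Return a finding that names the rule's real scope and keeps the raw rule.

    cluster-admin: wildcard in apiGroups AND resources AND verbs.
    group-admin:   wildcard resources and verbs, but only inside named groups
                   (the dex.coreos.com case); bounded by those groups.
    scoped:        anything narrower. Note "" is the core group, not a wildcard.
    """
    groups = rule.get("apiGroups", [])
    all_resources = "*" in rule.get("resources", [])
    all_verbs = "*" in rule.get("verbs", [])
    if "*" in groups and all_resources and all_verbs:
        severity = "cluster-admin"
    elif all_resources and all_verbs:
        severity = "group-admin"
    else:
        severity = "scoped"
    # The apiGroups travel with the finding so a reviewer can validate it quickly.
    return {"severity": severity, "apiGroups": sorted(groups), "raw": rule}


def report(rules: List[Dict[str, List[str]]]) -> List[str]:
    """One line per rule with the apiGroups and the raw rule for validation."""
    lines = []
    for f in map(classify_rule, rules):
        groups = ", ".join(g or '"" (core)' for g in f["apiGroups"])
        lines.append(f"{f['severity']} on apiGroups [{groups}] from rule {f['raw']}")
    return lines


if __name__ == "__main__":
    for name, rules in [("dex", DEX_RULES), ("admin", CLUSTER_ADMIN_RULES), ("narrow", NARROW_RULES)]:
        print(name, *report(rules), sep="\n  ")
```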
