DBP-1011-add-workflows-for-chart #2
check-helm-kics-on-pr.yaml
on: pull_request
scan / Kics Helm Chart Scan (29s)
Annotations
1 error and 10 warnings
scan / Kics Helm Chart Scan
KICS scan failed with exit code 50
[HIGH] Privilege Escalation Allowed:
status/templates/deployment.yaml#L34
Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process
[MEDIUM] Container Running With Low UID:
status/templates/deployment.yaml#L34
Check if containers are running with low UID, which might cause conflicts with the host's user table.
[MEDIUM] NET_RAW Capabilities Not Being Dropped:
status/templates/deployment.yaml#L34
Containers should drop 'ALL' or at least 'NET_RAW' capabilities
[MEDIUM] Seccomp Profile Is Not Configured:
status/templates/deployment.yaml#L34
Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls
[MEDIUM] Service Account Token Automount Not Disabled:
status/templates/deployment.yaml#L26
Service Account Tokens are automatically mounted even if not necessary
[MEDIUM] Using Unrecommended Namespace:
status/templates/service.yaml#L3
Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
[MEDIUM] Using Unrecommended Namespace:
status/templates/configmap.yaml#L4
Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
[MEDIUM] Using Unrecommended Namespace:
status/templates/configmap-files.yaml#L4
Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
[MEDIUM] Using Unrecommended Namespace:
status/templates/secret.yaml#L5
Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
[MEDIUM] Volume Mount With OS Directory Write Permissions:
status/templates/deployment.yaml#L112
Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.