Identified Risks
This table shows all the identified risks for this repository.

Filename | Message | Scanner |
---|---|---|
.github/workflows/licenses.yaml | Ensure top-level permissions are not set to write-all | iac |
/github/workspace/attestation-resources/deployment.yaml | In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding a `securityContext` to your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks. | sast |
attestation-resources/cosign.key | private-key has detected secret for file attestation-resources/cosign.key at commit 87f606c188edc371acfc2ba587663b958da9a768. | secret-scanning |
public/example-sarif.json | private-key has detected secret for file public/example-sarif.json at commit b3e4c7114cdd47991544bf46743386ba1fde1a0e. | secret-scanning |
attestation-resources/deployment.yaml | Minimize the admission of containers with the NET_RAW capability | iac |
attestation-resources/deployment.yaml | Use read-only filesystem for containers where possible | iac |
attestation-resources/deployment.yaml | Image should use digest | iac |
attestation-resources/deployment.yaml | Minimize the admission of root containers | iac |
attestation-resources/deployment.yaml | Ensure that Service Account Tokens are only mounted where necessary | iac |
leaks-baseline.json | private-key has detected secret for file leaks-baseline.json at commit 42a48857d3e06d2f18b0611d7f37cf98627ee4f9. | secret-scanning |
src/pages/self-hosting-devguard/kubernetes.mdx | generic-api-key has detected secret for file src/pages/self-hosting-devguard/kubernetes.mdx at commit a557af3d6218f7eecde81dd44d6f4cac908a57b7. | secret-scanning |
/github/workspace/attestation-resources/deployment.yaml | When running containers in Kubernetes, it's important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks. | sast |
attestation-resources/deployment.yaml | Ensure that the seccomp profile is set to docker/default or runtime/default | iac |
attestation-resources/deployment.yaml | Readiness Probe Should be Configured | iac |
attestation-resources/deployment.yaml | Minimize the admission of containers with capabilities assigned | iac |
attestation-resources/deployment.yaml | Memory requests should be set | iac |
attestation-resources/deployment.yaml | Containers should not run with allowPrivilegeEscalation | iac |
attestation-resources/deployment.yaml | Liveness Probe Should be Configured | iac |
attestation-resources/deployment.yaml | Minimize the admission of pods which lack an associated NetworkPolicy | iac |
attestation-resources/deployment.yaml | CPU requests should be set | iac |
attestation-resources/deployment.yaml | Containers should run as a high UID to avoid host conflict | iac |
attestation-resources/deployment.yaml | Memory limits should be set | iac |
attestation-resources/deployment.yaml | Apply security context to your pods and containers | iac |
attestation-resources/deployment.yaml | Apply security context to your containers | iac |
attestation-resources/deployment.yaml | CPU limits should be set | iac |

Showing 1 of 2 pages (27 items)