Created February 28, 2024 11:42
$ mend iac
Initializing: Done
Scanning: Done
[Retrieving: IaC misconfigurations]
Scanned to Organization: Aurora Innovation Unified Platform | Application: My IAC Application, Project: iac
Detected 18 Misconfigurations (CRITICAL: 0, HIGH: 0, MEDIUM: 4, LOW: 14, UNKNOWN: 0)

All 18 findings are in k8s.yaml (PROVIDER: Kubernetes, SERVICE: general): ten against the 'backstage'
Deployment (lines 109-136) and eight against the 'postgres' Deployment (lines 159-176). Each entry gives
SEVERITY, the scanner's DETAILS, and its suggested RESOLUTION.

Container 'backstage' of Deployment 'backstage' (k8s.yaml, START LINE 109, END LINE 136):
  MEDIUM  should set 'securityContext.runAsNonRoot' to true
          Resolution: Set 'containers[].securityContext.runAsNonRoot' to true.
  MEDIUM  should set 'securityContext.allowPrivilegeEscalation' to false
          Resolution: Set 'containers[].securityContext.allowPrivilegeEscalation' to 'false'.
  LOW     container should drop all
          Resolution: Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add
          'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.
  LOW     should set 'securityContext.runAsGroup' > 10000
          Resolution: Set 'containers[].securityContext.runAsGroup' to an integer > 10000.
  LOW     should set 'securityContext.runAsUser' > 10000
          Resolution: Set 'containers[].securityContext.runAsUser' to an integer > 10000.
  LOW     should set 'securityContext.readOnlyRootFilesystem' to true
          Resolution: Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.
  LOW     should add 'ALL' to 'securityContext.capabilities.drop'
          Resolution: Add 'ALL' to containers[].securityContext.capabilities.drop.
  LOW     should set 'resources.limits.cpu'
          Resolution: Set a limit value under 'containers[].resources.limits.cpu'.
  LOW     should set 'resources.requests.cpu'
          Resolution: Set 'containers[].resources.requests.cpu'.
  LOW     Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'
          Resolution: Set 'spec.securityContext.seccompProfile.type',
          'spec.containers[*].securityContext.seccompProfile' and
          'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.

Container 'postgres' of Deployment 'postgres' (k8s.yaml, START LINE 159, END LINE 176):
  MEDIUM  should set 'securityContext.runAsNonRoot' to true
          Resolution: Set 'containers[].securityContext.runAsNonRoot' to true.
  MEDIUM  should set 'securityContext.allowPrivilegeEscalation' to false
          Resolution: Set 'containers[].securityContext.allowPrivilegeEscalation' to 'false'.
  LOW     container should drop all
          Resolution: Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add
          'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.
  LOW     should set 'securityContext.runAsUser' > 10000
          Resolution: Set 'containers[].securityContext.runAsUser' to an integer > 10000.
  LOW     should set 'securityContext.runAsGroup' > 10000
          Resolution: Set 'containers[].securityContext.runAsGroup' to an integer > 10000.
  LOW     should set 'securityContext.readOnlyRootFilesystem' to true
          Resolution: Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.
  LOW     should add 'ALL' to 'securityContext.capabilities.drop'
          Resolution: Add 'ALL' to containers[].securityContext.capabilities.drop.
  LOW     Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'
          Resolution: Set 'spec.securityContext.seccompProfile.type',
          'spec.containers[*].securityContext.seccompProfile' and
          'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.
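The checks above boil down to a handful of Pod-template fields. The script below is an added example, not Mend's scanner and not the gist's k8s.yaml: it re-implements the reported rules from their DETAILS/RESOLUTION text and runs them over two constructed Pod templates given as plain dicts (the shape `yaml.safe_load` returns for a Deployment's `spec.template.spec`), one shaped like the flagged 'postgres' container and one with every resolution applied. One assumption differs from the scanner messages: runAsNonRoot, runAsUser, runAsGroup and seccompProfile are honoured at Pod level as well, because Kubernetes applies `spec.securityContext` to every container that does not override them; allowPrivilegeEscalation, capabilities and readOnlyRootFilesystem exist only on the container. Names such as `check_pod_spec`, the 10000 threshold and the sample image tag are the example's own.

```python
"""Re-implementation of the securityContext rules reported by `mend iac` (added example, not Mend's code)."""
from typing import Any

MIN_UID_GID = 10000                       # threshold from the scanner's runAsUser/runAsGroup rules
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}   # the only capability the scanner lets a container add back


def _effective(container: dict, pod_sc: dict, key: str) -> Any:
    """Field value as Kubernetes applies it: the container's securityContext overrides the Pod's."""
    csc = container.get("securityContext") or {}
    return csc[key] if key in csc else pod_sc.get(key)


def check_pod_spec(pod_spec: dict) -> list[tuple[str, str, str]]:
    """Return (severity, container name, message) for each misconfiguration in a Pod template spec."""
    findings: list[tuple[str, str, str]] = []
    pod_sc = pod_spec.get("securityContext") or {}
    for c in pod_spec.get("containers", []):
        name, csc = c["name"], c.get("securityContext") or {}
        flag = lambda sev, msg: findings.append((sev, name, msg))  # noqa: E731

        if _effective(c, pod_sc, "runAsNonRoot") is not True:
            flag("MEDIUM", "securityContext.runAsNonRoot should be true")
        # Container-only fields: a Pod-level value cannot satisfy these.
        if csc.get("allowPrivilegeEscalation") is not False:
            flag("MEDIUM", "securityContext.allowPrivilegeEscalation should be false")
        caps = csc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            flag("LOW", "securityContext.capabilities.drop should contain ALL")
        extra = set(caps.get("add") or []) - ALLOWED_ADD_CAPS
        if extra:
            flag("LOW", f"securityContext.capabilities.add should only contain NET_BIND_SERVICE, not {sorted(extra)}")
        if csc.get("readOnlyRootFilesystem") is not True:
            flag("LOW", "securityContext.readOnlyRootFilesystem should be true")
        for key in ("runAsUser", "runAsGroup"):
            val = _effective(c, pod_sc, key)
            if not isinstance(val, int) or val <= MIN_UID_GID:
                flag("LOW", f"securityContext.{key} should be an integer > {MIN_UID_GID}")
        res = c.get("resources") or {}
        for section in ("limits", "requests"):
            if not (res.get(section) or {}).get("cpu"):
                flag("LOW", f"resources.{section}.cpu should be set")
        seccomp = _effective(c, pod_sc, "seccompProfile") or {}
        if seccomp.get("type") != "RuntimeDefault":
            flag("LOW", "securityContext.seccompProfile.type should be RuntimeDefault on the Pod or the container")
    return findings


def summarize(findings: list[tuple[str, str, str]]) -> dict[str, int]:
    """Severity counts in the scanner's summary format."""
    counts = {"MEDIUM": 0, "LOW": 0}
    for sev, _, _ in findings:
        counts[sev] += 1
    return counts


# Constructed sample shaped like the flagged 'postgres' container: no securityContext, no CPU resources.
WEAK_POD_SPEC = {
    "containers": [{"name": "postgres", "image": "postgres:16", "ports": [{"containerPort": 5432}]}],
}

# The same template with every reported resolution applied. Pod-level fields cover the uid/gid,
# non-root and seccomp rules; the container-only fields go on the container. A read-only root
# filesystem needs writable scratch volumes for the socket directory and the data directory.
HARDENED_POD_SPEC = {
    "securityContext": {
        "runAsNonRoot": True, "runAsUser": 10001, "runAsGroup": 10001, "fsGroup": 10001,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [{
        "name": "postgres", "image": "postgres:16", "ports": [{"containerPort": 5432}],
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        },
        "resources": {"requests": {"cpu": "250m"}, "limits": {"cpu": "1"}},
        "volumeMounts": [
            {"name": "run", "mountPath": "/var/run/postgresql"},
            {"name": "data", "mountPath": "/var/lib/postgresql/data"},
        ],
    }],
    "volumes": [{"name": "run", "emptyDir": {}}, {"name": "data", "emptyDir": {}}],
}

if __name__ == "__main__":
    for label, spec in (("weak", WEAK_POD_SPEC), ("hardened", HARDENED_POD_SPEC)):
        found = check_pod_spec(spec)
        print(f"{label}: {summarize(found)}")
        for sev, cname, msg in found:
            print(f"  {sev:6} {cname}: {msg}")
```

Two practical caveats when applying the hardened template to a real database container: the stock postgres image expects to run as its own uid 999 and to own the data directory, so a uid above 10000 needs `fsGroup` (or an init step) to make the mounted data volume writable, and `readOnlyRootFilesystem` will break startup unless `/var/run/postgresql` and the data directory are mounted as writable volumes as shown. Run the checker against a manifest loaded with `yaml.safe_load` by passing `doc["spec"]["template"]["spec"]`.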