appshield
Security configuration checks for popular cloud native applications and infrastructure.
## Description
The validation for https://avd.aquasec.com/appshield/ds018/ is invalid, since having a reference to an external image is valid and supported, see https://docs.docker.com/develop/develop-images/multistage-build/#use-an-external-image-as-a-stage. Trivy could check if the `COPY --from=` argument refers...
I have multiple multi-stage Dockerfiles, where I use the root user in the first stages and then switch to a non-privileged user only in the final stage (i.e. where it matters,...
Kubernetes' current default is to not set a seccomp profile on containers. At the moment [KSV030](https://github.com/aquasecurity/appshield/blob/master/kubernetes/policies/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego) appears to only trigger when a seccomp policy or annotation is set, which is...
The Docker policy `update_instruction_alone` complains for a trivial example such as this, which uses industry-standard approaches and is _not_ an anti-pattern:
```
FROM alpine:latest
RUN apk update &&...
```
The CronJob could be set with `concurrencyPolicy: Allow`, so when the job fails, the next job doesn't replace the previous one. This could cause resource starvation in the cluster. It...
I have a problem with the DS005 rule where the source is a URL and not a file. Trivy suggests changing ADD to COPY, but COPY doesn't support a URL as source....
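The four Dockerfile reports above (DS018 on `COPY --from`, root in builder stages, `update_instruction_alone`, and DS005 on `ADD`) all come down to how a check reads the Dockerfile: per stage, and per instruction rather than per token. As an added illustration, not code from appshield or Trivy, here is a small Python reference implementation of each check in a stage-aware form. The sample Dockerfile is constructed for the example, and the function names (`copy_from_sources`, `final_stage_user`, `final_stage_runs_as_root`, `update_without_install`, `add_replaceable_by_copy`) are my own; it is not a full Dockerfile parser (no JSON-array forms, variable expansion, or heredocs).

```python
import re
from typing import List, Optional, Tuple

# Constructed sample (not from any issue above): root in a builder stage, a bare package-index
# refresh, COPY --from an external image, and ADD with a URL, an archive and a plain file.
SAMPLE_DOCKERFILE = """\
FROM golang:1.21 AS builder
RUN apt-get update && \\
    apt-get install -y --no-install-recommends ca-certificates

FROM alpine:3.19 AS tools
RUN apk update
RUN apk add --no-cache curl

FROM gcr.io/distroless/static:nonroot
COPY --from=builder /out/app /app
COPY --from=tools /usr/bin/curl /usr/bin/curl
COPY --from=nginx:1.25 /etc/nginx/mime.types /etc/mime.types
ADD https://example.com/config.json /config.json
ADD vendor.tar.gz /opt/
ADD entrypoint.sh /entrypoint.sh
USER nonroot:nonroot
"""

def parse(text: str) -> List[Tuple[str, str]]:
    """(INSTRUCTION, argument) pairs; joins backslash continuations, skips comments and blank lines."""
    instrs, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        head, _, rest = (buf + line).partition(" ")
        instrs.append((head.upper(), rest.strip()))
        buf = ""
    return instrs

def stages(instrs: List[Tuple[str, str]]) -> List[dict]:
    """Build stages: AS-name (or None), base reference, and the stage's own instructions."""
    out: List[dict] = []
    for ins, arg in instrs:
        if ins == "FROM":
            toks = [t for t in arg.split() if not t.startswith("--")]  # drop flags such as --platform=
            name = toks[2] if len(toks) >= 3 and toks[1].upper() == "AS" else None
            out.append({"name": name, "base": toks[0], "body": []})
        elif out:
            out[-1]["body"].append((ins, arg))
    return out

def resolve_stage(stgs: List[dict], ref: str, before: int) -> Optional[int]:
    """Index of the earlier stage `ref` names (alias or number); None means an external image."""
    if ref.isdigit() and int(ref) < before:
        return int(ref)
    return next((i for i, s in enumerate(stgs[:before]) if s["name"] == ref), None)

def copy_from_sources(text: str) -> List[Tuple[str, object]]:
    """Each COPY --from as ("stage", index) or ("image", ref); an unresolved name is an external image, not a finding."""
    stgs = stages(parse(text))
    refs = [(i, m.group(1)) for i, s in enumerate(stgs) for ins, arg in s["body"]
            if ins == "COPY" and (m := re.search(r"--from=(\S+)", arg))]
    return [("stage", idx) if (idx := resolve_stage(stgs, ref, i)) is not None else ("image", ref)
            for i, ref in refs]

def final_stage_user(text: str) -> Optional[str]:
    """User the final stage runs as: its last USER, else inherited via FROM <earlier stage>, else None (external base)."""
    stgs = stages(parse(text))
    i = len(stgs) - 1 if stgs else None
    while i is not None:
        users = [arg for ins, arg in stgs[i]["body"] if ins == "USER"]
        if users:
            return users[-1]
        i = resolve_stage(stgs, stgs[i]["base"], i)
    return None

def final_stage_runs_as_root(text: str) -> bool:
    """Multi-stage-aware root check: USER root in a builder stage alone never triggers it."""
    user = final_stage_user(text)
    return user is None or user.split(":")[0] in ("root", "0")  # unknown base user is assumed root

UPDATE_RE = re.compile(r"\b(apt-get|apt|apk)\s+update\b")
INSTALL_RE = re.compile(r"\b(apt-get|apt)\s+install\b|\bapk\s+add\b")
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
ARCHIVE_RE = re.compile(r"\.(tar|tgz|tbz2|txz|tar\.(gz|bz2|xz))$", re.I)

def update_without_install(text: str) -> List[str]:
    """RUN layers that refresh the package index without installing in the same instruction."""
    return [arg for ins, arg in parse(text)
            if ins == "RUN" and UPDATE_RE.search(arg) and not INSTALL_RE.search(arg)]

def add_replaceable_by_copy(text: str) -> List[str]:
    """ADD whose sources are all plain local files, so COPY is a drop-in; URLs and archives are not reported."""
    flagged = []
    for ins, arg in parse(text):
        if ins == "ADD" and not arg.startswith("["):  # JSON-array form not handled here
            srcs = [t for t in arg.split() if not t.startswith("--")][:-1]
            if srcs and all(not URL_RE.match(s) and not ARCHIVE_RE.search(s) for s in srcs):
                flagged.append(arg)
    return flagged
```

On the sample, `copy_from_sources` classifies `nginx:1.25` as an image rather than a missing stage; `final_stage_runs_as_root` is false because only the final stage's effective user counts (inherited through `FROM <stage>` when that stage sets no USER itself, and assumed root when the base is an external image with no USER); the combined `apt-get update && apt-get install` layer is not reported while the bare `apk update` is; and of the three `ADD`s only `entrypoint.sh` is suggested for `COPY`, since `COPY` can neither fetch the URL nor extract the archive.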
To address this case: https://github.com/aquasecurity/trivy/issues/1187
the following regos should be fixed:
https://github.com/aquasecurity/appshield/blob/d7275ab4c26d387c7df7cf90981185abfdf2b148/kubernetes/policies/general/runs_with_UID_le_10000.rego
https://github.com/aquasecurity/appshield/blob/d7275ab4c26d387c7df7cf90981185abfdf2b148/kubernetes/policies/general/runs_with_GID_le_10000.rego
Refer to: https://github.com/kubernetes/kubernetes/issues/97076
```
This issue affects multitenant clusters. If a potential attacker can already create or edit services and pods, then they may be able to intercept traffic from...
```
like Dockerfile https://github.com/aquasecurity/appshield/blob/fd5be792e710f0665c1b9acf5043d314eab36d54/docker/policies/run_command_cd_instead_of_workdir.rego#L13
At the moment the [seccomp policy](https://github.com/aquasecurity/appshield/blob/master/kubernetes/policies/general/seccomp_disabled.rego) uses the annotation-based format to check whether a seccomp policy has been specified. As of Kubernetes 1.19, seccomp graduated to GA and the...
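The three Kubernetes reports above (KSV030 only firing when something is set, the CronJob `concurrencyPolicy` request, and the seccomp policy reading only the annotation form) share one requirement: the check has to evaluate what a container actually ends up with, not whether a particular key happens to be present. As an added example in Python, not the project's Rego, here is that evaluation over constructed manifests (dicts, as parsed YAML would be); the helper names are mine. It reads `securityContext.seccompProfile` and the legacy `seccomp.security.alpha.kubernetes.io/...` annotations at both pod and container level, in the precedence the kubelet applies (container field, container annotation, pod field, pod annotation), treats "nothing set anywhere" as the default-unconfined case that should be reported, and reports a CronJob whose `concurrencyPolicy` is absent (the API default is `Allow`) or explicitly `Allow`.

```python
from typing import Any, Dict, List, Optional, Tuple

POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"  # legacy annotation form, deprecated in 1.19
CONTAINER_ANNOTATION_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"  # followed by the container name
RESTRICTED_OK = {"RuntimeDefault", "Localhost"}  # profile types the restricted policy accepts
Manifest = Dict[str, Any]

# Constructed sample manifests as parsed YAML (dicts); not taken from any issue above.
NO_SECCOMP_DEPLOYMENT: Manifest = {
    "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"metadata": {}, "spec": {"containers": [
        {"name": "app", "image": "app:1"}, {"name": "sidecar", "image": "proxy:1"}]}}},
}
ANNOTATED_POD: Manifest = {  # annotation form: pod default runtime/default, one container opted out
    "kind": "Pod",
    "metadata": {"name": "legacy", "annotations": {
        POD_ANNOTATION: "runtime/default", CONTAINER_ANNOTATION_PREFIX + "debug": "unconfined"}},
    "spec": {"containers": [{"name": "main", "image": "app:1"}, {"name": "debug", "image": "busybox"}]},
}
CRONJOB: Manifest = {  # field form: pod-level RuntimeDefault, container override, no concurrencyPolicy
    "kind": "CronJob", "metadata": {"name": "report"},
    "spec": {"schedule": "*/5 * * * *", "jobTemplate": {"spec": {"template": {"spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "report", "image": "report:1",
                        "securityContext": {"seccompProfile": {"type": "Unconfined"}}}]}}}}},
}

def pod_template(obj: Manifest) -> Tuple[Manifest, Manifest]:
    """(pod metadata, pod spec) for a Pod, a workload's .spec.template, or a CronJob's jobTemplate."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj.get("metadata", {}), obj.get("spec", {})
    tmpl = obj["spec"]["jobTemplate"]["spec"]["template"] if kind == "CronJob" else obj["spec"]["template"]
    return tmpl.get("metadata", {}), tmpl.get("spec", {})

def profile_from_annotation(value: Optional[str]) -> Optional[str]:
    """Annotation value -> field-form type; None when the annotation is absent."""
    if value is None:
        return None
    if value in ("runtime/default", "docker/default"):
        return "RuntimeDefault"
    if value.startswith("localhost/"):
        return "Localhost"
    return "Unconfined"  # "unconfined" (and anything unrecognised) leaves syscalls unfiltered

def field_profile(ctx: Optional[Manifest]) -> Optional[str]:
    """securityContext.seccompProfile.type, or None when unset."""
    return ((ctx or {}).get("seccompProfile") or {}).get("type")

def effective_seccomp(obj: Manifest) -> Dict[str, Optional[str]]:
    """Profile type each container actually gets. Lookup order is the kubelet's: container field,
    container annotation, pod field, pod annotation. None means nothing is set anywhere, which is
    the Kubernetes default and leaves the container with no seccomp filter at all."""
    meta, spec = pod_template(obj)
    ann = meta.get("annotations") or {}
    pod_level = field_profile(spec.get("securityContext")) or profile_from_annotation(ann.get(POD_ANNOTATION))
    result: Dict[str, Optional[str]] = {}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        result[c["name"]] = (field_profile(c.get("securityContext"))
                             or profile_from_annotation(ann.get(CONTAINER_ANNOTATION_PREFIX + c["name"]))
                             or pod_level)
    return result

def seccomp_violations(obj: Manifest) -> List[str]:
    """Containers a 'RuntimeDefault seccomp profile not set' check should report: unset or Unconfined."""
    return sorted(name for name, t in effective_seccomp(obj).items() if t not in RESTRICTED_OK)

def cronjob_allows_overlap(obj: Manifest) -> bool:
    """CronJob whose runs may pile up: concurrencyPolicy omitted (API default is Allow) or set to Allow."""
    return obj.get("kind") == "CronJob" and obj["spec"].get("concurrencyPolicy", "Allow") == "Allow"
```

Against the samples, the Deployment with nothing set reports both containers (the case KSV030 misses when it keys on the presence of a setting), the annotation-only Pod reports just `debug`, the CronJob reports `report` because the container-level `Unconfined` overrides the pod-level `RuntimeDefault`, and the same CronJob is reported for overlapping runs until `concurrencyPolicy` is set to `Forbid` or `Replace`.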