
Nginx Ingress annotation snippet related checks are not checking the correct configuration

Open tepentti opened this issue 1 year ago • 3 comments

There are 3 checks that are related to Nginx Ingress annotation snippets:

  • checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742Alias.py
  • checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742AllSnippets.py
  • checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742Lua.py

However, all of these only check whether some annotation snippets are in place, not whether the feature is actually disabled. It can be disabled with the configuration allow-snippet-annotations, which defaults to false:

https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#allow-snippet-annotations

I suggest that those three checks are consolidated into one which fails if in the ConfigMap for Nginx Ingress that configuration is set to true.

tepentti avatar Oct 10 '24 10:10 tepentti
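The following is an added, standalone illustration of the consolidated check proposed above; it is not Checkov's own check code and does not use Checkov's check base classes. It evaluates a ConfigMap for the allow-snippet-annotations key (failing only when it is explicitly "true", since the documented default is false) and, going one step further than the issue text, shows why per-Ingress snippet annotations are inert when no ConfigMap enables them. The annotation names in SNIPPET_ANNOTATIONS and the ConfigMap name ingress-nginx-controller are assumptions for the sample; all resource dicts are constructed inline (the shape a YAML loader would produce) so the code runs offline.

```python
"""Standalone illustration of a ConfigMap-based allow-snippet-annotations check.

Added example for this issue thread; not Checkov's own implementation.
Sample resources below are constructed, not taken from a real cluster.
"""
from typing import Iterable

PASSED = "PASSED"
FAILED = "FAILED"

# Key documented in the ingress-nginx ConfigMap guide linked in the issue.
ALLOW_SNIPPETS_KEY = "allow-snippet-annotations"

# Assumption: the per-Ingress snippet annotations the existing checks look for.
# Listed only to show they have no effect unless the ConfigMap enables snippets.
SNIPPET_ANNOTATIONS = (
    "nginx.ingress.kubernetes.io/configuration-snippet",
    "nginx.ingress.kubernetes.io/server-snippet",
)


def _is_true(value) -> bool:
    """ConfigMap data values are strings; accept any casing of 'true' or a bool."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def check_configmap(conf: dict) -> str:
    """Consolidated check: FAIL only when allow-snippet-annotations is set to true.

    A missing key or a missing data section passes because the documented
    default for this setting is false.
    """
    data = conf.get("data") or {}
    return FAILED if _is_true(data.get(ALLOW_SNIPPETS_KEY)) else PASSED


def snippets_enabled(resources: Iterable[dict]) -> bool:
    """True if any ConfigMap in the scanned set turns snippet annotations on."""
    return any(
        r.get("kind") == "ConfigMap" and check_configmap(r) == FAILED
        for r in resources
    )


def effective_snippet_annotations(resources: Iterable[dict]) -> list[tuple[str, str]]:
    """Snippet annotations on Ingress objects that the controller would honour.

    Returns (ingress name, annotation key) pairs. When no ConfigMap enables
    snippets the result is empty even if Ingress objects carry the annotations,
    which is exactly why checking annotations alone gives the wrong verdict.
    """
    resources = list(resources)
    if not snippets_enabled(resources):
        return []
    found = []
    for r in resources:
        if r.get("kind") != "Ingress":
            continue
        metadata = r.get("metadata") or {}
        for key in (metadata.get("annotations") or {}):
            if key in SNIPPET_ANNOTATIONS:
                found.append((metadata.get("name", "<unnamed>"), key))
    return found


# Constructed sample resources (dict form of the YAML a scanner would load).
_CM_META = {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"}
CONFIGMAP_DISABLED = {"apiVersion": "v1", "kind": "ConfigMap", "metadata": _CM_META,
                      "data": {"allow-snippet-annotations": "false"}}
CONFIGMAP_ENABLED = {"apiVersion": "v1", "kind": "ConfigMap", "metadata": _CM_META,
                     "data": {"allow-snippet-annotations": "true"}}
CONFIGMAP_DEFAULT = {"apiVersion": "v1", "kind": "ConfigMap", "metadata": _CM_META}
INGRESS_WITH_SNIPPET = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "web", "annotations": {
        "nginx.ingress.kubernetes.io/configuration-snippet":
            'more_set_headers "X-Constructed-Sample: 1";'}},
    "spec": {},
}

if __name__ == "__main__":
    for label, cm in (("disabled", CONFIGMAP_DISABLED), ("enabled", CONFIGMAP_ENABLED),
                      ("default", CONFIGMAP_DEFAULT)):
        print(f"ConfigMap {label}: {check_configmap(cm)}")
    print("annotations honoured with snippets disabled:",
          effective_snippet_annotations([CONFIGMAP_DISABLED, INGRESS_WITH_SNIPPET]))
    print("annotations honoured with snippets enabled:",
          effective_snippet_annotations([CONFIGMAP_ENABLED, INGRESS_WITH_SNIPPET]))
```

Run as a script to see the three ConfigMap verdicts and the two Ingress evaluations; the same Ingress manifest is reported as carrying an active snippet only when a ConfigMap in the scanned set sets allow-snippet-annotations to true.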

@tepentti thanks for the suggestion. The best way to keep all of our policies up to date (and add new ones) is using our community 💯 Please feel free to introduce a PR for this change (or anyone else who might want to contribute :) )

bo156 avatar Nov 11 '24 12:11 bo156

@bo156 Hi Barak. How do I sign up for the Checkov Slack community, in case I have any questions? It has sign-in options only and doesn't recognize my email :) since I am not signed in there. https://codifiedsecurity.slack.com/

MikeNikolayev avatar Dec 13 '24 17:12 MikeNikolayev

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov Slack channel at codifiedsecurity.slack.com. Thanks!

stale[bot] avatar Jun 12 '25 00:06 stale[bot]

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via Slack: codifiedsecurity.slack.com. Thanks!

stale[bot] avatar Jun 26 '25 11:06 stale[bot]