
Missing documented workload checks in prowler kubernetes scan output

Open petrobubka opened this issue 7 months ago • 3 comments

New feature motivation

Hi Prowler team 👋,

According to the official documentation on the Prowler website (Kubernetes Policy Index), there are several valuable workload-level checks listed, such as:

  • Ensure liveness probe is configured
  • Ensure readiness probe is configured
  • Ensure CPU request is set
  • Ensure CPU limits are set
  • Ensure memory requests are set
  • Ensure memory limits are set
  • Ensure image tag is set to Fixed – not Latest or Blank

However, when I run prowler kubernetes --list-checks using version v5.5.1, none of these checks appear in the output. Additionally, even after deploying intentionally misconfigured workloads (e.g., missing probes or resource limits), they do not show up in the scan results.

Solution Proposed

These are very important security and reliability best practices, especially for production Kubernetes environments, and it would be great to have them included by default in the scan.

Describe alternatives you've considered

Additional context

Environment:

  • Prowler version: v5.5.1
  • Mode: Kubernetes scan running in-cluster
  • Platform: EKS

Would appreciate any clarification, and happy to help test if needed. Thanks for your great work on this project! 🙌

petrobubka avatar Apr 29 '25 08:04 petrobubka
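To make concrete what the seven workload-level checks listed above would evaluate, here is an added example (not Prowler's own code, and not part of the original issue) that runs those checks over a Pod spec loaded as a plain dictionary. The function names `evaluate_pod`, `evaluate_container` and `failing_checks`, the check identifiers and the sample manifest are all constructed for this illustration; the "image tag is fixed" rule treats a missing tag or `latest` as a failure and a digest reference as fixed.

```python
"""Illustrative Kubernetes workload checks (added example, not Prowler code).

Evaluates every container (and init container) of a Pod spec against the
workload-level checks named in the issue: liveness/readiness probes,
CPU/memory requests and limits, and a fixed (non-latest, non-blank) image tag.
"""
from typing import Any

# Check identifiers are constructed for this example; they are not Prowler check IDs.
CHECK_NAMES = (
    "liveness_probe_configured",
    "readiness_probe_configured",
    "cpu_request_set",
    "cpu_limit_set",
    "memory_request_set",
    "memory_limit_set",
    "image_tag_fixed",
)


def _image_tag_ok(image: str) -> bool:
    """True when the image is pinned: explicit non-latest tag or a digest."""
    if "@" in image:
        return True  # image@sha256:<digest> is immutable
    # Look only at the last path component so a registry host:port is not
    # mistaken for a tag (e.g. localhost:5000/app has no tag).
    name = image.rsplit("/", 1)[-1]
    if ":" not in name:
        return False  # blank tag resolves to :latest
    tag = name.rsplit(":", 1)[1]
    return tag.lower() != "latest"


def evaluate_container(container: dict[str, Any]) -> dict[str, bool]:
    """Return {check_name: passed} for one container spec."""
    resources = container.get("resources") or {}
    requests = resources.get("requests") or {}
    limits = resources.get("limits") or {}
    return {
        "liveness_probe_configured": "livenessProbe" in container,
        "readiness_probe_configured": "readinessProbe" in container,
        "cpu_request_set": "cpu" in requests,
        "cpu_limit_set": "cpu" in limits,
        "memory_request_set": "memory" in requests,
        "memory_limit_set": "memory" in limits,
        "image_tag_fixed": _image_tag_ok(container.get("image", "")),
    }


def evaluate_pod(pod: dict[str, Any]) -> list[dict[str, str]]:
    """Flatten per-container results into PASS/FAIL findings."""
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    findings = []
    for container in containers:
        for check, passed in evaluate_container(container).items():
            findings.append({
                "pod": pod["metadata"]["name"],
                "container": container["name"],
                "check": check,
                "status": "PASS" if passed else "FAIL",
            })
    return findings


def failing_checks(pod: dict[str, Any]) -> list[tuple[str, str]]:
    """Sorted (container, check) pairs that failed, for quick inspection."""
    return sorted(
        (f["container"], f["check"]) for f in evaluate_pod(pod) if f["status"] == "FAIL"
    )


# Constructed sample manifest: "api" satisfies every check, "sidecar" fails all of them.
SAMPLE_POD: dict[str, Any] = {
    "metadata": {"name": "example-pod"},
    "spec": {
        "containers": [
            {
                "name": "api",
                "image": "registry.example/api:1.4.2",
                "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
                "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}},
                "resources": {
                    "requests": {"cpu": "250m", "memory": "128Mi"},
                    "limits": {"cpu": "500m", "memory": "256Mi"},
                },
            },
            {"name": "sidecar", "image": "busybox"},
        ]
    },
}

if __name__ == "__main__":
    for finding in evaluate_pod(SAMPLE_POD):
        print(f"{finding['status']:4} {finding['container']:8} {finding['check']}")
```

Running the module prints one PASS/FAIL line per container and check; wiring the same logic to a live cluster would mean feeding it Pod objects from the Kubernetes API instead of the embedded manifest.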

Hi @petrobubka!

Thanks a lot for pointing this out. You're absolutely right, those workload-level checks are mentioned in the documentation, but they’re not currently implemented in Prowler.

If you’d like to contribute them yourself, we’d be happy to help you through the process. Otherwise, they’re already in our backlog and we’ll try to add them as soon as possible.

To help clarify which checks are actually available and supported, a hub is coming soon, stay tuned 👀

Really appreciate your detailed feedback and your interest in improving the project!

danibarranqueroo avatar Apr 29 '25 09:04 danibarranqueroo

Thanks a lot for the quick and clear response @danibarranqueroo!

I'm not strong in programming at the moment, but I'm definitely happy to help test any new workload-level checks once they're available. Looking forward to the upcoming hub and improvements 👀

One more note I wanted to add:

When I run:

poetry run prowler kubernetes -z --compliance iso27001_2022_kubernetes

…it only runs 54 checks, while --list-checks shows 83 total Kubernetes checks available. It would be great to have an option to view the full scan output, even if not limited by compliance framework. Right now, it feels like some valuable checks are hidden or skipped depending on how the command is run.

Thanks again for all your work - excited to see how the tool evolves!

petrobubka avatar Apr 29 '25 10:04 petrobubka

For anyone looking to contribute to this issue, take a look at our DevGuide.

jfagoagas avatar Nov 13 '25 10:11 jfagoagas