simar7

Results 396 comments of simar7

> Can we add checks for all annotations as the issue says? I have seen that some annotations allow characters that might be considered suspicious in some cases, such as...

> The `ingress-nginx` repository uses a fairly simple [regular expression](https://github.com/kubernetes/ingress-nginx/blob/c8ab89c0211abba8bcf13a4db061c613fb37de3a/internal/ingress/annotations/parser/validators.go#L81).

Yes, I saw it. I'm not sure why it's this simplified. Then again, it may be enough to cover all cases.

> > good idea to validate any label that expects a specific type.
>
> How can we know the type for any label? Except if we create a list...

> > > good idea to validate any label that expects a specific type.
> >
> > How can we know the type for any label? Except...

@nikpivkin in addition to checking for named IAM policies, we also need to check for conditions such as `s3:get:*`, `s3:put:*` etc or in general `s3::*`. Today the check only checks...

Please see the following blurb from our research team:

> If the permission `s3:Get*` is attached broadly to any S3 bucket in the account, it can introduce security risks by...

> [@simar7](https://github.com/simar7) I can't find the quote in the link. Regardless, I can see how this might be confusing since the check is referring to "full access", "unrestricted access", etc.,...

Closing in favor of https://github.com/aquasecurity/trivy/issues/8845

> Even if skip-setup-trivy: true is set, it seems GitHub will require passlisting the tag version.

Could you expand more on this? Where does this passlisting happen? Is it a...

@kalpanathanneeru21 looks like CI is failing.