KICS #8
Phil91Annotations
1 error and 13 warnings
|
Analyze
Advanced Security must be enabled for this repository to use code scanning.
|
|
Analyze
Advanced Security must be enabled for this repository to use code scanning.
|
|
Analyze
Advanced Security must be enabled for this repository to use code scanning.
|
|
Analyze
Advanced Security must be enabled for this repository to use code scanning.
|
|
[MEDIUM] Container Running With Low UID:
charts/dim/templates/cronjob-processes.yaml#L37
Check if containers are running with low UID, which might cause conflicts with the host's user table.
|
|
[MEDIUM] Container Running With Low UID:
charts/dim/templates/deployment.yaml#L39
Check if containers are running with low UID, which might cause conflicts with the host's user table.
|
|
[MEDIUM] Seccomp Profile Is Not Configured:
charts/dim/templates/cronjob-processes.yaml#L37
Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls
|
|
[MEDIUM] Seccomp Profile Is Not Configured:
charts/dim/templates/deployment.yaml#L39
Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls
|
|
[MEDIUM] Service Account Token Automount Not Disabled:
charts/dim/templates/cronjob-processes.yaml#L35
Service Account Tokens are automatically mounted even if not necessary
|
|
[MEDIUM] Service Account Token Automount Not Disabled:
charts/dim/templates/deployment.yaml#L38
Service Account Tokens are automatically mounted even if not necessary
|
|
[MEDIUM] Unpinned Actions Full Length Commit SHA:
.github/workflows/release.yml#L61
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
|
|
[MEDIUM] Unpinned Actions Full Length Commit SHA:
.github/workflows/release-please.yml#L36
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
|
|
[LOW] Container Requests Not Equal To It's Limits:
charts/dim/templates/cronjob-processes.yaml#L135
Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively
|
|
[LOW] Container Requests Not Equal To It's Limits:
charts/dim/templates/deployment.yaml#L143
Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively
|