fix(query): Show privilege_escalation_allowed k8s alert also in case no securityContext is defined #4885
Conversation
…no securityContext is defined
|
Scan submitted to Checkmarx |
There was a problem hiding this comment.
Another great observation and refactor, @Churro 🚀 Thank you!
I have two request changes:
Co-authored-by: Rafaela Soares <[email protected]>
Co-authored-by: Rafaela Soares <[email protected]>
|
Scan not submitted to Checkmarx due to existing Active scan for the same project. |
1 similar comment
|
Scan not submitted to Checkmarx due to existing Active scan for the same project. |
|
Suggestions applied, thank you for the thorough review @rafaela-soares! 👍 |
|
Cx-SAST SummaryTotal of 5 vulnerabilities Violation SummaryNo policy violation found |
There was a problem hiding this comment.
Hi @Churro, everything looks good to me, the only thing I would like to request here is the use of the searchLine
Thank you for your great contributions
|
Hi @joaoReigota1, thank you for the review. I've now added |
Problem
The
privilege_escalation_allowedrule is rated high and, indeed, represents a very security-relevant setting. Currently, the rule does not trigger an alert in case nosecurityContextis defined with a container. There is a separate rule to check whethersecurityContextexists but the severity rating is low. Hence, alerts for a rule with high severity are only shown if a user acts upon a low severity rule.Therefore, I suggest to change the rule to always show the alert, regardless of the existence of
securityContext. This is important since a report otherwise does not provide a full picture of issues that demand for action.Proposed Changes
securityContextoptional, such that an alert is also shown in casecontainer.securityContextis undefinedI submit this contribution under the Apache-2.0 license.