Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
[//]: # "
PR Title
Be aware that we use the title to create changelog automatically and therefore only allow specific prefixes
- break: to indicate a breaking change, this supersedes any of the types
- feat: to indicate new features or checks
- fix: to indicate a bugfix or handling of edge cases of existing checks
- docs: to indicate an update to our documentation
- chore: to indicate adjustments to workflow files or dependency updates
- platform: to indicate a change needed for the platform
Additionally, a scope needs to be added to the prefix, which indicates the targeted framework; in doubt choose 'general'.
#
Allowed prefixes:
ansible|argo|arm|azure|bicep|bitbucket|circleci|cloudformation|dockerfile|github|gha|gitlab|helm|kubernetes|kustomize|openapi|sast|sca|secrets|serverless|terraform|general|graph|terraform_plan|terraform_json
#
ex.
feat(terraform): add CKV_AWS_123 to ensure that VPC Endpoint Service is configured for Manual Acceptance
"
Description
This change addresses issue #5796 where Checkov was incorrectly throwing CKV_K8S_31 even when the seccomp RuntimeDefault profile was added under the container securityContext. The fix ensures that the check correctly validates seccompProfile settings for each container within a Pod and not just at the Deployment level. This involves updating the logic to account for the seccompProfile setting in the securityContext of individual containers. There are no additional dependencies required for this change.
Fixes # (issue)
Checkov scan was incorrectly throwing CKV_K8S_31 even when seccomp RuntimeDefault was added under the container securityContext. The issue was due to the check not accounting for settings at the container level properly. This fix ensures that the check correctly validates seccompProfile settings for each container within a Pod and not just at the Deployment level.
Description
CKV_K8S_31 checks if seccomp profile type is set to RuntimeDefault for containers. The violation occurs when this is not set, leading to potential security risks.
Fix
Updated the check to ensure that the seccompProfile type is set to RuntimeDefault within the securityContext of each container in the spec of Deployments, StatefulSets, DaemonSets, Jobs, and ReplicaSets. This involves iterating through each container, validating the seccompProfile type, and ensuring all containers have the correct RuntimeDefault setting. The check will pass only if all containers meet this requirement.
Checklist:
[v] My code follows the style guidelines of this project
[v] I have performed a self-review of my own code
[ ] I have commented my code, particularly in hard-to-understand areas
[ ] I have made corresponding changes to the documentation
[v] I have added tests that prove my feature, policy, or fix is effective and works
[v] New and existing tests pass locally with my changes
[ ] Any dependent changes have been merged and published in downstream modules
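As an added example (not Checkov's own check code), here is a minimal per-container evaluation modelled on the fix described above: it locates the pod spec for the workload kinds the PR names and passes only when every container ends up with a RuntimeDefault seccompProfile. It assumes the Kubernetes rule that a pod-level seccompProfile applies to containers that do not set their own, and the `sample_deployment` helper and its container names are constructed for the demonstration.

```python
from __future__ import annotations
from typing import Any

# Added example (not Checkov's code). Workload kinds the PR names; their pod spec sits under spec.template.
TEMPLATE_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}
REQUIRED_TYPE = "RuntimeDefault"


def _seccomp_type(security_context: Any) -> str | None:
    """Return securityContext.seccompProfile.type, or None when absent."""
    if not isinstance(security_context, dict):
        return None
    profile = security_context.get("seccompProfile")
    return profile.get("type") if isinstance(profile, dict) else None


def pod_spec_of(resource: dict[str, Any]) -> dict[str, Any]:
    spec = resource.get("spec") or {}
    if resource.get("kind") in TEMPLATE_KINDS:
        return (spec.get("template") or {}).get("spec") or {}
    return spec


def check_seccomp_runtime_default(resource: dict[str, Any]) -> tuple[bool, list[str]]:
    """Return (passed, non-compliant container names).
    Passes only when every container ends up with a RuntimeDefault profile.
    Assumption (Kubernetes semantics, not spelled out in the PR): a pod-level
    seccompProfile applies to any container that does not set its own.
    """
    pod_spec = pod_spec_of(resource)
    pod_level = _seccomp_type(pod_spec.get("securityContext"))
    containers = pod_spec.get("containers") or []
    failing = [
        c.get("name", "<unnamed>")
        for c in containers
        if (_seccomp_type(c.get("securityContext")) or pod_level) != REQUIRED_TYPE
    ]
    return bool(containers) and not failing, failing


def sample_deployment(*container_types: str | None) -> dict[str, Any]:
    """Constructed sample Deployment with no pod-level seccompProfile; each
    argument is one container's seccompProfile.type (None means unset)."""
    containers = [
        {"name": f"app-{i}", "image": "example/app",
         "securityContext": {"seccompProfile": {"type": t}} if t else {}}
        for i, t in enumerate(container_types)
    ]
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "spec": {"template": {"spec": {"containers": containers}}}}
```

`sample_deployment("RuntimeDefault")` reproduces the issue #5796 scenario (profile only under the container securityContext) and passes, while a second container without a profile makes the same Deployment fail.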