bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0
7.13k stars 1.12k forks

Nginx Ingress annotation snippet related checks are not checking the correct configuration #6761

Open tepentti opened 1 month ago

tepentti commented 1 month ago

There are 3 checks that are related to Nginx Ingress annotation snippets:

However, all of these only check if some annotation snippets are in place, not if the feature is actually disabled. It can be disabled with the configuration allow-snippet-annotations, which defaults to false:

https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#allow-snippet-annotations

I suggest that those three checks are consolidated into one which fails if in the ConfigMap for Nginx Ingress that configuration is set to true.
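The consolidated check proposed above, as an added illustration that is not Checkov's own code: a ConfigMap whose data sets allow-snippet-annotations to true fails, a ConfigMap without the key passes (the documented default is false), and non-ConfigMap resources are skipped. Manifests are taken as already-parsed dictionaries; the sample manifest and the set of accepted "true" spellings (assumed to mirror Go's strconv.ParseBool) are constructed assumptions.

```python
from typing import Any, Dict, List, Tuple

SETTING = "allow-snippet-annotations"
# Assumed truthy spellings; ingress-nginx parses the value as a string.
TRUE_VALUES = {"true", "t", "1"}


def check_configmap(resource: Dict[str, Any]) -> str:
    """Return "FAILED", "PASSED" or "UNKNOWN" (resource not applicable)."""
    if resource.get("kind") != "ConfigMap":
        return "UNKNOWN"
    data = resource.get("data") or {}
    if SETTING not in data:
        # Key absent: ingress-nginx defaults allow-snippet-annotations to false.
        return "PASSED"
    value = data[SETTING]
    if isinstance(value, bool):          # an unquoted YAML boolean
        enabled = value
    else:
        enabled = str(value).strip().lower() in TRUE_VALUES
    return "FAILED" if enabled else "PASSED"


def scan_manifest(documents: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Evaluate every ConfigMap in a multi-document manifest."""
    findings = []
    for doc in documents:
        result = check_configmap(doc)
        if result == "UNKNOWN":
            continue
        meta = doc.get("metadata", {})
        ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
        findings.append((ident, result))
    return findings


# Constructed sample manifest: one misconfigured controller ConfigMap,
# one unrelated ConfigMap, one Ingress that the check must ignore.
SAMPLE_MANIFEST = [
    {"apiVersion": "v1", "kind": "ConfigMap",
     "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
     "data": {"allow-snippet-annotations": "true", "use-forwarded-headers": "false"}},
    {"apiVersion": "v1", "kind": "ConfigMap",
     "metadata": {"name": "other-config", "namespace": "default"},
     "data": {"log-level": "info"}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
     "metadata": {"name": "web", "namespace": "default"}},
]

if __name__ == "__main__":
    for ident, result in scan_manifest(SAMPLE_MANIFEST):
        print(f"{result}: {ident}")
```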

bo156 commented 6 days ago

@tepentti thanks for the suggestion, the best way to keep all of our policies up to date (and add new ones) is using our community 💯 Please feel free to introduce a PR for this change (or anyone else who might want to contribute :) )