Open areplogle-reverb opened 2 years ago
I have the same problem.
In my case, this is the output and the related file:
```json
{
  "rule_name": "privilegeEscalationCheck",
  "description": "Containers Should Not Run with AllowPrivilegeEscalation",
  "rule_id": "AC_K8S_0085",
  "severity": "HIGH",
  "category": "Compliance Validation",
  "resource_name": "cloudwatch-agent",
  "resource_type": "kubernetes_daemonset",
  "file": "redacted\\cwagent-daemonset.yaml",
  "line": 1
},
```
And checking the corresponding file, these are the contents:
```yaml
# deploy cwagent as daemonset
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: cloudwatch-agent
  namespace: amazon-cloudwatch
spec:
  selector:
    matchLabels:
      name: cloudwatch-agent
  template:
    metadata:
      labels:
        name: cloudwatch-agent
    spec:
      containers:
        - name: cloudwatch-agent
          image: amazon/cloudwatch-agent:1.247350.0b251780
          ports:
            - containerPort: 8125
              hostPort: 8125
              protocol: UDP
          resources:
            limits:
              cpu: 200m
              memory: 200Mi
            requests:
              cpu: 200m
              memory: 200Mi
          # Please don't change below envs
          env:
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            - name: HOST_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: K8S_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: CI_VERSION
              value: "k8s/1.3.9"
          # Please don't change the mountPath
          volumeMounts:
            - name: cwagentconfig
              mountPath: /etc/cwagentconfig
            - name: rootfs
              mountPath: /rootfs
              readOnly: true
            - name: dockersock
              mountPath: /var/run/docker.sock
              readOnly: true
            - name: varlibdocker
              mountPath: /var/lib/docker
              readOnly: true
            - name: containerdsock
              mountPath: /run/containerd/containerd.sock
              readOnly: true
            - name: sys
              mountPath: /sys
              readOnly: true
            - name: devdisk
              mountPath: /dev/disk
              readOnly: true
      volumes:
        - name: cwagentconfig
          configMap:
            name: cwagentconfig
        - name: rootfs
          hostPath:
            path: /
        - name: dockersock
          hostPath:
            path: /var/run/docker.sock
        - name: varlibdocker
          hostPath:
            path: /var/lib/docker
        - name: containerdsock
          hostPath:
            path: /run/containerd/containerd.sock
        - name: sys
          hostPath:
            path: /sys
        - name: devdisk
          hostPath:
            path: /dev/disk/
      terminationGracePeriodSeconds: 60
      serviceAccountName: cloudwatch-agent
```
Thanks in advance.
Description
Trying to use terrascan-action to scan Kubernetes manifests for violations, I get an abundant amount of false positives for AllowPrivilegeEscalation and others relating to secrets files,
e.g.
What I Did
Opened the issue here on advice from @gaurav-gogia, as it appears policy-related and not directly related to the GH action.
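An added check, written for this page and not taken from the issue or from terrascan's own policy code, that reproduces what a rule with the description "Containers Should Not Run with AllowPrivilegeEscalation" has to look at. The Kubernetes default for `securityContext.allowPrivilegeEscalation` is `true`, so a container that omits `securityContext` entirely (as the `cloudwatch-agent` container above does) is running with privilege escalation allowed; whether a scanner calls that a false positive depends on whether it treats the unset field as a violation, and the check below does. The DaemonSet is transcribed to a Python dict, abridged to the fields that matter, so the script runs without PyYAML; the function names, the `harden()` fix and the extra test manifests are the example's own assumptions.

```python
"""Added example: find containers that do not explicitly disable privilege
escalation in a Kubernetes workload manifest, and show the fix.
Not terrascan's code; manifests are transcribed/constructed inline."""
import copy

# Where the pod spec lives for each workload kind (assumed set of kinds).
_POD_SPEC_PATH = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def pod_spec(manifest):
    """Return the pod spec dict for a supported workload kind, else None."""
    path = _POD_SPEC_PATH.get(manifest.get("kind"))
    if path is None:
        return None
    node = manifest
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return None
    return node


def containers(spec):
    """Yield (slot, container) for init, regular and ephemeral containers."""
    for slot in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(slot) or []:
            yield slot, c


def privilege_escalation_findings(manifest):
    """List containers that do not explicitly set allowPrivilegeEscalation: false.

    Kubernetes defaults the field to true, so a missing securityContext is
    reported, not only an explicit true. privileged: true is reported as well,
    because a privileged container always has escalation enabled.
    """
    spec = pod_spec(manifest)
    if spec is None:
        return []
    findings = []
    for slot, c in containers(spec):
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:
            findings.append((slot, c.get("name"), "privileged: true"))
        elif sc.get("allowPrivilegeEscalation") is not False:
            findings.append((slot, c.get("name"),
                             "allowPrivilegeEscalation not set to false"))
    return findings


def harden(manifest):
    """Return a copy with allowPrivilegeEscalation: false on every container."""
    fixed = copy.deepcopy(manifest)
    spec = pod_spec(fixed)
    if spec is not None:
        for _, c in containers(spec):
            c.setdefault("securityContext", {})["allowPrivilegeEscalation"] = False
    return fixed


# Abridged transcription of the cloudwatch-agent DaemonSet from the issue.
CWAGENT_DAEMONSET = {
    "apiVersion": "apps/v1",
    "kind": "DaemonSet",
    "metadata": {"name": "cloudwatch-agent", "namespace": "amazon-cloudwatch"},
    "spec": {
        "selector": {"matchLabels": {"name": "cloudwatch-agent"}},
        "template": {
            "metadata": {"labels": {"name": "cloudwatch-agent"}},
            "spec": {
                "containers": [{
                    "name": "cloudwatch-agent",
                    "image": "amazon/cloudwatch-agent:1.247350.0b251780",
                    "ports": [{"containerPort": 8125, "hostPort": 8125,
                               "protocol": "UDP"}],
                    # no securityContext at all -> flagged by the check
                }],
                "serviceAccountName": "cloudwatch-agent",
            },
        },
    },
}

if __name__ == "__main__":
    ident = f"{CWAGENT_DAEMONSET['kind']}/{CWAGENT_DAEMONSET['metadata']['name']}"
    for slot, name, why in privilege_escalation_findings(CWAGENT_DAEMONSET):
        print(f"{ident} {slot}[{name}]: {why}")
    print("after harden():", privilege_escalation_findings(harden(CWAGENT_DAEMONSET)))
```

In YAML terms, `harden()` corresponds to adding `securityContext: {allowPrivilegeEscalation: false}` under the `cloudwatch-agent` container, which is the change that makes the finding go away. The other properties of this manifest that a scanner will also look at, the `hostPort`, and the `hostPath` mounts of `/`, the Docker and containerd sockets and `/var/lib/docker`, are separate checks and are not handled here.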