zegl / kube-score

Kubernetes object analysis with recommendations for improved reliability and security. kube-score actively prevents downtime and bugs in your Kubernetes YAML and Charts. Static code analysis for Kubernetes.
https://kube-score.com
MIT License

SARIF output is not valid #559

Closed 0GiS0 closed 6 months ago

0GiS0 commented 9 months ago

Which version of kube-score are you using?

kube-score version: 1.17.0

What did you do?

I executed: kube-score score manifests/*.yaml --output-format sarif > kube-score-results.sarif

What did you expect to see?

A valid SARIF output to upload to GHAS

What did you see instead?

An invalid SARIF which has an empty tool driver name:

[screenshot]
zegl commented 9 months ago

@0GiS0 Hey! Do you have an example of what the output should look like?

0GiS0 commented 9 months ago

Hi @zegl!!

Here you have a kubescape output, for example:

{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "informationUri": "https://armosec.io",
          "name": "kubescape",
          "rules": [
            {
              "id": "C-0061",
              "shortDescription": {
                "text": "Pods in default namespace"
              },
              "fullDescription": {
                "text": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This control identifies all the PODs running in the default namespace."
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "help": {
                "text": "Remediation: Create necessary namespaces and move all the PODs from default namespace there."
              }
            },
            {
              "id": "C-0017",
              "shortDescription": {
                "text": "Immutable container filesystem"
              },
              "fullDescription": {
                "text": "Mutable container filesystem can be abused to inject malicious code or data into containers. Use immutable (read-only) filesystem to limit potential attacks."
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "help": {
                "text": "Remediation: Set the filesystem of the container to read-only when possible (POD securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access."
              }
            },
            {
              "id": "C-0055",
              "shortDescription": {
                "text": "Linux hardening"
              },
              "fullDescription": {
                "text": "Containers may be given more privileges than they actually need. This can increase the potential impact of a container compromise."
              },
              "defaultConfiguration": {
                "level": "warning"
              },
              "help": {
                "text": "Remediation: You can use AppArmor, Seccomp, SELinux and Linux Capabilities mechanisms to restrict containers abilities to utilize unwanted privileges."
              }
            },
            {
              "id": "C-0013",
              "shortDescription": {
                "text": "Non-root containers"
              },
              "fullDescription": {
                "text": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the Pods running as root or can escalate to root."
              },
              "defaultConfiguration": {
                "level": "warning"
              },
              "help": {
                "text": "Remediation: If your application does not need root privileges, make sure to define the runAsUser or runAsGroup under the PodSecurityContext and use user ID 1000 or higher. Do not turn on allowPrivlegeEscalation bit and make sure runAsNonRoot is true."
              }
            },
            {
              "id": "C-0018",
              "shortDescription": {
                "text": "Configured readiness probe"
              },
              "fullDescription": {
                "text": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured."
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "help": {
                "text": "Remediation: Ensure Readiness probes are configured wherever possible."
              }
            },
            {
              "id": "C-0077",
              "shortDescription": {
                "text": "K8s common labels usage"
              },
              "fullDescription": {
                "text": "Kubernetes common labels help manage and monitor Kubernetes cluster using different tools such as kubectl, dashboard and others in an interoperable way. Refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/ for more information. This control helps you find objects that don't have any of these labels defined."
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "help": {
                "text": "Remediation: Define applicable labels or use the exception mechanism to prevent further notifications."
              }
            },
            {
              "id": "C-0004",
              "shortDescription": {
                "text": "Resources memory limit and request"
              },
              "fullDescription": {
                "text": "This control identifies all Pods for which the memory limit is not set."
              },
              "defaultConfiguration": {
                "level": "warning"
              },
              "help": {
                "text": "Remediation: Set the memory limit or use exception mechanism to avoid unnecessary notifications."
              }
            },
            {
              "id": "C-0016",
              "shortDescription": {
                "text": "Allow privilege escalation"
              },
              "fullDescription": {
                "text": "Attackers may gain access to a container and uplift its privilege to enable excessive capabilities."
              },
              "defaultConfiguration": {
                "level": "warning"
              },
              "help": {
                "text": "Remediation: If your application does not need it, make sure the allowPrivilegeEscalation field of the securityContext is set to false."
              }
            },
            {
              "id": "C-0056",
              "shortDescription": {
                "text": "Configured liveness probe"
              },
              "fullDescription": {
                "text": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured."
              },
              "defaultConfiguration": {
                "level": "warning"
              },
              "help": {
                "text": "Remediation: Ensure Liveness probes are configured wherever possible."
              }
            },
            {
              "id": "C-0009",
              "shortDescription": {
                "text": "Resource limits"
              },
              "fullDescription": {
                "text": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control."
              },
              "defaultConfiguration": {
                "level": "warning"
              },
              "help": {
                "text": "Remediation: Define LimitRange and Resource Limits in the namespace or in the deployment/POD yamls."
              }
            },
            {
              "id": "C-0030",
              "shortDescription": {
                "text": "Ingress and Egress blocked"
              },
              "fullDescription": {
                "text": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new PODs, and then enable sources/destinations that this POD must communicate with."
              },
              "defaultConfiguration": {
                "level": "warning"
              },
              "help": {
                "text": "Remediation: Define a network policy that restricts ingress and egress connections."
              }
            },
            {
              "id": "C-0050",
              "shortDescription": {
                "text": "Resources CPU limit and request"
              },
              "fullDescription": {
                "text": "This control identifies all Pods for which the CPU limit is not set."
              },
              "defaultConfiguration": {
                "level": "warning"
              },
              "help": {
                "text": "Remediation: Set the CPU limit or use exception mechanism to avoid unnecessary notifications."
              }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "C-0061",
          "ruleIndex": 0,
          "message": {
            "text": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This control identifies all the PODs running in the default namespace."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "manifests/nginx.yaml"
                },
                "region": {
                  "startLine": 5,
                  "startColumn": 3
                }
              }
            }
          ],
          "fixes": [
            {
              "artifactChanges": [
                {
                  "artifactLocation": {
                    "uri": "manifests/nginx.yaml"
                  },
                  "replacements": [
                    {
                      "deletedRegion": {
                        "startLine": 8,
                        "startColumn": 1,
                        "endLine": 8,
                        "endColumn": 1
                      },
                      "insertedContent": {
                        "text": "  namespace: YOUR_NAMESPACE\n"
                      }
                    }
                  ]
                }
              ]
            }
          ]
        },
        {
          "ruleId": "C-0017",
          "ruleIndex": 1,
          "message": {
            "text": "Mutable container filesystem can be abused to inject malicious code or data into containers. Use immutable (read-only) filesystem to limit potential attacks."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "manifests/nginx.yaml"
                },
                "region": {
                  "startLine": 19,
                  "startColumn": 9
                }
              }
            }
          ],
          "fixes": [
            {
              "artifactChanges": [
                {
                  "artifactLocation": {
                    "uri": "manifests/nginx.yaml"
                  },
                  "replacements": [
                    {
                      "deletedRegion": {
                        "startLine": 23,
                        "startColumn": 7,
                        "endLine": 23,
                        "endColumn": 7
                      },
                      "insertedContent": {
                        "text": "  securityContext:\n          readOnlyRootFilesystem: true\n      "
                      }
                    }
                  ]
                }
              ]
            }
          ]
        },
        {
          "ruleId": "C-0055",
          "ruleIndex": 2,
          "message": {
            "text": "Containers may be given more privileges than they actually need. This can increase the potential impact of a container compromise."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "manifests/nginx.yaml"
                },
                "region": {
                  "startLine": 19,
                  "startColumn": 9
                }
              }
            }
          ],
          "fixes": [
            {
              "artifactChanges": [
                {
                  "artifactLocation": {
                    "uri": "manifests/nginx.yaml"
                  },
                  "replacements": [
                    {
                      "deletedRegion": {
                        "startLine": 23,
                        "startColumn": 7,
                        "endLine": 23,
                        "endColumn": 7
                      },
                      "insertedContent": {
                        "text": "  securityContext:\n          seccompProfile: YOUR_VALUE\n      "
                      }
                    }
                  ]
                }
              ]
            },
            {
              "artifactChanges": [
                {
                  "artifactLocation": {
                    "uri": "manifests/nginx.yaml"
                  },
                  "replacements": [
                    {
                      "deletedRegion": {
                        "startLine": 23,
                        "startColumn": 7,
                        "endLine": 23,
                        "endColumn": 7
                      },
                      "insertedContent": {
                        "text": "  securityContext:\n          seLinuxOptions: YOUR_VALUE\n      "
                      }
                    }
                  ]
                }
              ]
            },
            {
              "artifactChanges": [
                {
                  "artifactLocation": {
                    "uri": "manifests/nginx.yaml"
                  },
                  "replacements": [
                    {
                      "deletedRegion": {
                        "startLine": 23,
                        "startColumn": 7,
                        "endLine": 23,
                        "endColumn": 7
                      },
                      "insertedContent": {
                        "text": "  securityContext:\n          capabilities:\n            drop:\n              - YOUR_VALUE\n      "
                      }
                    }
                  ]
                }
              ]
            }
          ]
        },
        {
          "ruleId": "C-0013",
          "ruleIndex": 3,
          "message": {
            "text": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the Pods running as root or can escalate to root."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "manifests/nginx.yaml"
                },
                "region": {
                  "startLine": 19,
                  "startColumn": 9
                }
              }
            }
          ],
          "fixes": [
            {
              "artifactChanges": [
                {
                  "artifactLocation": {
                    "uri": "manifests/nginx.yaml"
                  },
                  "replacements": [
                    {
                      "deletedRegion": {
                        "startLine": 23,
                        "startColumn": 7,
                        "endLine": 23,
                        "endColumn": 7
                      },
                      "insertedContent": {
                        "text": "  securityContext:\n          runAsNonRoot: true\n      "
                      }
                    }
                  ]
                }
              ]
            },
            {
              "artifactChanges": [
                {
                  "artifactLocation": {
                    "uri": "manifests/nginx.yaml"
                  },
                  "replacements": [
                    {
                      "deletedRegion": {
                        "startLine": 23,
                        "startColumn": 7,
                        "endLine": 23,
                        "endColumn": 7
                      },
                      "insertedContent": {
                        "text": "  securityContext:\n          allowPrivilegeEscalation: false\n      "
                      }
                    }
                  ]
                }
              ]
            }
          ]
        },
        {
          "ruleId": "C-0018",
          "ruleIndex": 4,
          "message": {
            "text": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "manifests/nginx.yaml"
                },
                "region": {
                  "startLine": 19,
                  "startColumn": 9
                }
              }
            }
          ],
          "fixes": [
            {
              "artifactChanges": [
                {
                  "artifactLocation": {
                    "uri": "manifests/nginx.yaml"
                  },
                  "replacements": [
                    {
                      "deletedRegion": {
                        "startLine": 23,
                        "startColumn": 7,
                        "endLine": 23,
                        "endColumn": 7
                      },
                      "insertedContent": {
                        "text": "  readinessProbe: YOUR_VALUE\n      "
                      }
                    }
                  ]
                }
              ]
            }
          ]
        },
        {
          "ruleId": "C-0077",
          "ruleIndex": 5,
          "message": {
            "text": "Kubernetes common labels help manage and monitor Kubernetes cluster using different tools such as kubectl, dashboard and others in an interoperable way. Refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/ for more information. This control helps you find objects that don't have any of these labels defined."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "manifests/nginx.yaml"
                },
                "region": {
                  "startLine": 7,
                  "startColumn": 5
                }
              }
            }
          ],
          "fixes": [
            {
              "artifactChanges": [
                {
                  "artifactLocation": {
                    "uri": "manifests/nginx.yaml"
                  },
                  "replacements": [
                    {
                      "deletedRegion": {
                        "startLine": 6,
                        "startColumn": 10,
                        "endLine": 7,
                        "endColumn": 1
                      },
                      "insertedContent": {
                        "text": ""
                      }
                    }
                  ]
                }
              ]
            },
            {
              "artifactChanges": [
                {
                  "artifactLocation": {
                    "uri": "manifests/nginx.yaml"
                  },
                  "replacements": [
                    {
                      "deletedRegion": {
                        "startLine": 7,
                        "startColumn": 2,
                        "endLine": 8,
                        "endColumn": 6
                      },
                      "insertedContent": {
                        "text": "YOUR_VALUE"
                      }
                    }
                  ]
                }
              ]
            },
            {
              "artifactChanges": [
                {
                  "artifactLocation": {
                    "uri": "manifests/nginx.yaml"
                  },
                  "replacements": [
                    {
                      "deletedRegion": {
                        "startLine": 15,
                        "startColumn": 14,
                        "endLine": 16,
                        "endColumn": 1
                      },
                      "insertedContent": {
                        "text": ""
                      }
                    }
                  ]
                }
              ]
            },
            {
              "artifactChanges": [
                {
                  "artifactLocation": {
                    "uri": "manifests/nginx.yaml"
                  },
                  "replacements": [
                    {
                      "deletedRegion": {
                        "startLine": 16,
                        "startColumn": 2,
                        "endLine": 17,
                        "endColumn": 10
                      },
                      "insertedContent": {
                        "text": "YOUR_VALUE"
                      }
                    }
                  ]
                }
              ]
            }
          ]
        },
        {
          "ruleId": "C-0004",
          "ruleIndex": 6,
          "message": {
            "text": "This control identifies all Pods for which the memory limit is not set."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "manifests/nginx.yaml"
                },
                "region": {
                  "startLine": 19,
                  "startColumn": 9
                }
              }
            }
          ],
          "fixes": [
            {
              "artifactChanges": [
                {
                  "artifactLocation": {
                    "uri": "manifests/nginx.yaml"
                  },
                  "replacements": [
                    {
                      "deletedRegion": {
                        "startLine": 23,
                        "startColumn": 7,
                        "endLine": 23,
                        "endColumn": 7
                      },
                      "insertedContent": {
                        "text": "  resources:\n          limits:\n            memory: YOUR_VALUE\n      "
                      }
                    }
                  ]
                }
              ]
            },
            {
              "artifactChanges": [
                {
                  "artifactLocation": {
                    "uri": "manifests/nginx.yaml"
                  },
                  "replacements": [
                    {
                      "deletedRegion": {
                        "startLine": 23,
                        "startColumn": 7,
                        "endLine": 23,
                        "endColumn": 7
                      },
                      "insertedContent": {
                        "text": "  resources:\n          requests:\n            memory: YOUR_VALUE\n      "
                      }
                    }
                  ]
                }
              ]
            }
          ]
        },
        {
          "ruleId": "C-0016",
          "ruleIndex": 7,
          "message": {
            "text": "Attackers may gain access to a container and uplift its privilege to enable excessive capabilities."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "manifests/nginx.yaml"
                },
                "region": {
                  "startLine": 19,
                  "startColumn": 9
                }
              }
            }
          ],
          "fixes": [
            {
              "artifactChanges": [
                {
                  "artifactLocation": {
                    "uri": "manifests/nginx.yaml"
                  },
                  "replacements": [
                    {
                      "deletedRegion": {
                        "startLine": 23,
                        "startColumn": 7,
                        "endLine": 23,
                        "endColumn": 7
                      },
                      "insertedContent": {
                        "text": "  securityContext:\n          allowPrivilegeEscalation: false\n      "
                      }
                    }
                  ]
                }
              ]
            }
          ]
        },
        {
          "ruleId": "C-0056",
          "ruleIndex": 8,
          "message": {
            "text": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "manifests/nginx.yaml"
                },
                "region": {
                  "startLine": 19,
                  "startColumn": 9
                }
              }
            }
          ],
          "fixes": [
            {
              "artifactChanges": [
                {
                  "artifactLocation": {
                    "uri": "manifests/nginx.yaml"
                  },
                  "replacements": [
                    {
                      "deletedRegion": {
                        "startLine": 23,
                        "startColumn": 7,
                        "endLine": 23,
                        "endColumn": 7
                      },
                      "insertedContent": {
                        "text": "  livenessProbe: YOUR_VALUE\n      "
                      }
                    }
                  ]
                }
              ]
            }
          ]
        },
        {
          "ruleId": "C-0009",
          "ruleIndex": 9,
          "message": {
            "text": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "manifests/nginx.yaml"
                },
                "region": {
                  "startLine": 19,
                  "startColumn": 9
                }
              }
            }
          ],
          "fixes": [
            {
              "artifactChanges": [
                {
                  "artifactLocation": {
                    "uri": "manifests/nginx.yaml"
                  },
                  "replacements": [
                    {
                      "deletedRegion": {
                        "startLine": 23,
                        "startColumn": 7,
                        "endLine": 23,
                        "endColumn": 7
                      },
                      "insertedContent": {
                        "text": "  resources:\n          limits:\n            cpu: YOUR_VALUE\n      "
                      }
                    }
                  ]
                }
              ]
            },
            {
              "artifactChanges": [
                {
                  "artifactLocation": {
                    "uri": "manifests/nginx.yaml"
                  },
                  "replacements": [
                    {
                      "deletedRegion": {
                        "startLine": 23,
                        "startColumn": 7,
                        "endLine": 23,
                        "endColumn": 7
                      },
                      "insertedContent": {
                        "text": "  resources:\n          limits:\n            memory: YOUR_VALUE\n      "
                      }
                    }
                  ]
                }
              ]
            }
          ]
        },
        {
          "ruleId": "C-0030",
          "ruleIndex": 10,
          "message": {
            "text": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new PODs, and then enable sources/destinations that this POD must communicate with."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "manifests/nginx.yaml"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1
                }
              }
            }
          ]
        },
        {
          "ruleId": "C-0050",
          "ruleIndex": 11,
          "message": {
            "text": "This control identifies all Pods for which the CPU limit is not set."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "manifests/nginx.yaml"
                },
                "region": {
                  "startLine": 19,
                  "startColumn": 9
                }
              }
            }
          ],
          "fixes": [
            {
              "artifactChanges": [
                {
                  "artifactLocation": {
                    "uri": "manifests/nginx.yaml"
                  },
                  "replacements": [
                    {
                      "deletedRegion": {
                        "startLine": 23,
                        "startColumn": 7,
                        "endLine": 23,
                        "endColumn": 7
                      },
                      "insertedContent": {
                        "text": "  resources:\n          limits:\n            cpu: YOUR_VALUE\n      "
                      }
                    }
                  ]
                }
              ]
            },
            {
              "artifactChanges": [
                {
                  "artifactLocation": {
                    "uri": "manifests/nginx.yaml"
                  },
                  "replacements": [
                    {
                      "deletedRegion": {
                        "startLine": 23,
                        "startColumn": 7,
                        "endLine": 23,
                        "endColumn": 7
                      },
                      "insertedContent": {
                        "text": "  resources:\n          requests:\n            cpu: YOUR_VALUE\n      "
                      }
                    }
                  ]
                }
              ]
            }
          ]
        }
      ]
    }
  ]
}

I think the only thing you should omit is this:

[screenshot]

GHAS says a name is required:

[screenshot]
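The empty `tool.driver.name` is the whole problem here: GitHub's SARIF upload treats the driver name as required, so a file that is otherwise well-formed is rejected before any result is shown. The following Go program is an added example, not kube-score's code and not the fix that shipped for this issue. It builds a one-finding run in the shape the reporter asked for, with the driver name as a parameter so that "" reproduces the rejected output, and it pairs that with a `validateSARIF` pre-upload check that flags an empty driver name, a wrong `version`, and a result whose `ruleId` does not match `rules[ruleIndex].id`. The type names, the check ID `container-security-context-readonly-rootfilesystem`, and the message text are this example's own assumptions; the `$schema` URL and `manifests/nginx.yaml` path are taken from the kubescape sample above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal SARIF 2.1.0 model with the fields a GHAS upload needs.
// The type names are this example's own, not kube-score's.
type sarifLog struct {
	Version string     `json:"version"`
	Schema  string     `json:"$schema"`
	Runs    []sarifRun `json:"runs"`
}
type sarifRun struct {
	Tool    sarifTool     `json:"tool"`
	Results []sarifResult `json:"results"`
}
type sarifTool struct{ Driver sarifDriver `json:"driver"` }
type sarifDriver struct {
	Name           string      `json:"name"` // the field at issue: GHAS requires it to be non-empty
	InformationURI string      `json:"informationUri,omitempty"`
	Rules          []sarifRule `json:"rules"`
}
type sarifText struct{ Text string `json:"text"` }
type sarifRule struct {
	ID               string    `json:"id"`
	ShortDescription sarifText `json:"shortDescription"`
}
type sarifResult struct {
	RuleID    string          `json:"ruleId"`
	RuleIndex int             `json:"ruleIndex"`
	Message   sarifText       `json:"message"`
	Locations []sarifLocation `json:"locations"`
}
type sarifLocation struct {
	PhysicalLocation sarifPhysicalLocation `json:"physicalLocation"`
}
type sarifPhysicalLocation struct {
	ArtifactLocation sarifArtifactLocation `json:"artifactLocation"`
	Region           sarifRegion           `json:"region"`
}
type sarifArtifactLocation struct{ URI string `json:"uri"` }
type sarifRegion struct{ StartLine int `json:"startLine"` }

// newLog builds a constructed one-finding run in the shape the issue asks for;
// driverName is the value under test, and "" reproduces the bug in this issue.
// The check ID is an assumed example, not a verified kube-score check name.
func newLog(driverName string) sarifLog {
	rule := sarifRule{ID: "container-security-context-readonly-rootfilesystem",
		ShortDescription: sarifText{Text: "Container root filesystem should be read-only"}}
	var loc sarifLocation
	loc.PhysicalLocation.ArtifactLocation.URI = "manifests/nginx.yaml"
	loc.PhysicalLocation.Region.StartLine = 19
	driver := sarifDriver{Name: driverName, InformationURI: "https://kube-score.com", Rules: []sarifRule{rule}}
	result := sarifResult{RuleID: rule.ID, RuleIndex: 0,
		Message: sarifText{Text: "Set securityContext.readOnlyRootFilesystem: true"}, Locations: []sarifLocation{loc}}
	run := sarifRun{Tool: sarifTool{Driver: driver}, Results: []sarifResult{result}}
	return sarifLog{Version: "2.1.0", Schema: "https://json.schemastore.org/sarif-2.1.0-rtm.5.json", Runs: []sarifRun{run}}
}

// validateSARIF runs the pre-upload checks a GHAS user wants: a non-empty driver
// name, the right version, and results that point at a rule that really exists.
// It returns one line per problem; an empty slice means the file looks uploadable.
func validateSARIF(data []byte) ([]string, error) {
	var doc sarifLog
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, fmt.Errorf("not valid JSON: %w", err)
	}
	var problems []string
	if doc.Version != "2.1.0" {
		problems = append(problems, fmt.Sprintf("version: want 2.1.0, got %q", doc.Version))
	}
	for i, run := range doc.Runs {
		if strings.TrimSpace(run.Tool.Driver.Name) == "" {
			problems = append(problems, fmt.Sprintf("runs[%d].tool.driver.name is empty; GHAS rejects the upload", i))
		}
		rules := run.Tool.Driver.Rules
		for j, r := range run.Results {
			if r.RuleIndex < 0 || r.RuleIndex >= len(rules) {
				problems = append(problems, fmt.Sprintf("runs[%d].results[%d].ruleIndex points outside tool.driver.rules", i, j))
			} else if rules[r.RuleIndex].ID != r.RuleID {
				problems = append(problems, fmt.Sprintf("runs[%d].results[%d].ruleId does not match rules[ruleIndex].id", i, j))
			}
		}
	}
	return problems, nil
}

func main() {
	// The first run reproduces the empty-name output; the second is the fixed form.
	for _, name := range []string{"", "kube-score"} {
		data, _ := json.MarshalIndent(newLog(name), "", "  ")
		problems, err := validateSARIF(data)
		fmt.Printf("driver name %q: problems=%v err=%v\n", name, problems, err)
	}
}
```

Running it prints one problem for the empty name and none for `kube-score`. The same `validateSARIF` can be pointed at the real `kube-score-results.sarif` from the reporter's command to confirm a file before it is handed to the upload step, which fails with far less context than this check gives.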
nikzayn commented 9 months ago

I would like to work on this. Can you brief me a bit about what needs to be done here?

zegl commented 8 months ago

@nikzayn To improve the SARIF output so that it's compatible with GitHub CodeQL :-) Part of the task is to discover what's needed.