:latest’ tag used

Property
Language: terraform
Severity: medium
Vulnerability Type: omission

Description

The Dockerfile uses the 'latest' tag in the 'FROM' statement instead of specifying a fixed image version. This can lead to unpredictable builds as the base image may change over time without notice.

Impact

Relying on the 'latest' tag can result in unintentional updates to the base image, potentially introducing vulnerabilities, breaking changes, or unstable behavior. Attackers could exploit unexpected image changes to compromise application integrity or security.

A configuration for an external workload identity pool provider should have conditions set

Property
Language: terraform
Severity: high
Service: iam
Provider: Google
Vulnerability Type: omission

Description

The configuration for the Google IAM Workload Identity Pool Provider lacks attribute conditions, allowing any external source, such as any GitHub Action, to assume the linked service account. This absence of restrictions means the identity pool is open to broader, unintended access.

Impact

Without conditions set, external attackers could authenticate as the service account and use its permissions, potentially gaining unauthorized access to sensitive Google Cloud resources or performing actions on behalf of the organization, leading to data exposure or service disruption.

A database resource is marked as publicly accessible.

Property
Language: terraform
Severity: critical
Service: rdb
Provider: Nifcloud
Vulnerability Type: omission

Description

The database resource is configured to allow public access, exposing it to the internet without network restrictions. This setting makes the database reachable from any external source.

Impact

If exploited, attackers could connect to the database over the internet, potentially leading to unauthorized data access, data theft, or manipulation. This exposure significantly increases the risk of data breaches and compromises the security of sensitive information managed by the application.

A firewall rule allows traffic from/to the public internet

Property
Language: terraform
Severity: medium
Service: compute
Provider: OpenStack
Vulnerability Type: omission

Description

A firewall rule is configured to allow network traffic from or to the public internet without restricting source or destination IP addresses. This broad access exposes internal resources to anyone on the internet, rather than limiting connections to trusted IP ranges.

Impact

If exploited, attackers on the public internet could reach exposed services, increasing the risk of unauthorized access, data breaches, or service disruption. Compromised resources may be used as entry points for lateral movement within the network, leading to further security incidents.

A KMS key is not configured to auto-rotate.

Property
Language: terraform
Severity: medium
Service: kms
Provider: AWS
Vulnerability Type: omission

Description

KMS keys are not configured with automatic rotation, resulting in cryptographic keys being used for extended periods without change. This increases the risk associated with key compromise due to prolonged exposure.

Impact

If a long-lived KMS key is compromised, an attacker could decrypt sensitive data or perform unauthorized actions for as long as the key remains active. Failure to rotate keys regularly increases the attack surface and the window of opportunity for misuse.

An MSK cluster allows unencrypted data at rest.

Property
Language: terraform
Severity: high
Service: msk
Provider: AWS
Vulnerability Type: omission

Description

The MSK (Managed Streaming for Kafka) cluster is configured without encryption for data at rest. This means data stored on disk within the cluster is unprotected and could be accessed in plaintext if storage is compromised.

Impact

If exploited, attackers with access to the underlying storage could read sensitive Kafka data directly from disk, leading to potential data breaches, regulatory non-compliance, and exposure of confidential information.

An MSK cluster allows unencrypted data in transit.

Property
Language: terraform
Severity: high
Service: msk
Provider: AWS
Vulnerability Type: omission

Description

The MSK (Managed Streaming for Kafka) cluster is configured to allow unencrypted data transmission between clients and brokers or between cluster nodes. This exposes data in transit to potential interception, as communications are not secured with encryption protocols like TLS.

Impact

Without in-transit encryption, sensitive information such as messages, credentials, or configuration data sent through the Kafka cluster can be intercepted and read by unauthorized parties. This could lead to data breaches, unauthorized access, or compromise of confidential information within the organization.

A security group rule allows egress traffic to multiple public addresses

Property
Language: terraform
Severity: medium
Service: networking
Provider: OpenStack
Vulnerability Type: misconfiguration

Description

The security group rule permits outbound (egress) traffic to multiple public IP addresses or broad IP ranges, exposing internal resources to the public internet. This configuration lacks proper restriction on external access.

Impact

If exploited, sensitive data or services could be exfiltrated or accessed by unauthorized parties on the public internet, increasing the risk of data breaches, malware transmission, and other security incidents affecting the organization.

A security group rule allows ingress traffic from multiple public addresses

Property
Language: terraform
Severity: medium
Service: networking
Provider: OpenStack
Vulnerability Type: misconfiguration

Description

The security group rule permits ingress traffic from multiple public IP addresses or broad ranges, exposing services to the open internet instead of restricting access to specific, trusted sources. This configuration increases the attack surface by allowing connections from any public location.

Impact

Attackers can attempt unauthorized access, exploit vulnerabilities, or launch attacks (such as brute force or scanning) against exposed resources. This can lead to data breaches, service disruption, or compromise of infrastructure, putting the application’s security and availability at risk.

Access keys should be rotated at least every 90 days

Property
Language: terraform
Severity: low
Service: iam
Provider: AWS

Description

Regularly rotating your IAM credentials helps prevent a compromised set of IAM access keys from accessing components in your AWS account.

Resolution

Rotate keys every 90 days or less.