Kubernetes Auto Upgrades Not Enabled

Property
Language: terraform
Severity: critical
Service: compute
Provider: DigitalOcean
Vulnerability Type: omission

Description

The Kubernetes cluster is not configured with automatic upgrades enabled, meaning it will not automatically receive the latest security patches and updates. This leaves the cluster running potentially outdated and vulnerable software versions.

Impact

Without auto-upgrades, known security vulnerabilities in the Kubernetes cluster software may remain unpatched, increasing the risk of exploitation by attackers. This can lead to unauthorized access, data breaches, or compromise of workloads running on the cluster.

Kubernetes resource with disallowed volumes mounted

Property
Language: terraform
Severity: high
Vulnerability Type: misconfiguration

Description

Kubernetes resources are configured to mount critical host system directories (such as ‘/’, ‘/etc’, or ‘/var/lib/docker’) into containers using hostPath volumes, which exposes sensitive parts of the host filesystem to pods. This setup bypasses standard container isolation and is considered insecure.

Impact

Exposing critical host directories to containers can allow attackers or compromised applications to modify or access sensitive system files, potentially leading to full host takeover, data exfiltration, or disruption of other workloads running on the same node.

Kubernetes should have ‘Automatic repair’ enabled

Property
Language: terraform
Severity: low
Service: gke
Provider: Google

Description

The Kubernetes node pool is configured without automatic repair, meaning failed nodes are not automatically detected or replaced. This leaves the cluster vulnerable to prolonged outages when nodes become unhealthy.

Impact

Without automatic repair, failed nodes remain unusable until manually fixed, increasing the risk of service disruption, reduced availability, and delayed recovery from node failures. This can lead to application downtime and decreased reliability for users.

Kubernetes should have ‘Automatic upgrade’ enabled

Property
Language: terraform
Severity: low
Service: gke
Provider: Google

Description

Kubernetes node pools are provisioned without automatic upgrades enabled, causing nodes to remain on outdated versions rather than tracking the cluster master. This can leave nodes unpatched and inconsistent with the cluster control plane.

Impact

Without automatic upgrades, nodes may miss critical security patches and compatibility updates, increasing the risk of vulnerabilities or operational issues. Attackers could exploit outdated nodes, and cluster stability or supportability may be compromised.

Lambda functions should have X-Ray tracing enabled

Property
Language: terraform
Severity: low
Service: lambda
Provider: AWS

Description

The Lambda function is configured without AWS X-Ray tracing enabled, preventing the collection of detailed execution traces. This limits visibility into the function’s performance, execution flow, and potential issues such as bottlenecks or timeouts.

Impact

Without X-Ray tracing, it becomes difficult to diagnose and resolve errors or performance problems in Lambda functions. This lack of observability can delay incident response, obscure root causes, and allow operational issues to go undetected, increasing the risk of prolonged outages or undiagnosed failures.

Launch configuration should not have a public IP address.

Property
Language: terraform
Severity: high
Service: ec2
Provider: AWS
Vulnerability Type: misconfiguration

Description

The launch configuration is set to assign a public IP address to instances, making them directly accessible from the internet. This exposes the instances to unnecessary external access and increases the attack surface.

Impact

Publicly accessible instances can be targeted by attackers for unauthorized access, data breaches, or exploitation of vulnerabilities. This exposure increases the risk of compromise, lateral movement within the network, and potential loss of sensitive data or service disruptions.

Launch configuration with unencrypted block device.

Property
Language: terraform
Severity: high
Service: ec2
Provider: AWS
Vulnerability Type: omission

Description

The launch configuration defines one or more block devices without enabling encryption, leaving data stored on these volumes unprotected at rest. This configuration fails to secure sensitive information from unauthorized access if the storage is exposed.

Impact

Unencrypted block devices can be accessed by attackers who gain physical or administrative access to the storage, enabling them to read sensitive data such as credentials, personal information, or application secrets. This exposes the organization to data breaches, regulatory violations, and loss of customer trust.

Least Privilege Violation

Property
Language: swift
Severity: medium
CWE: CWE-272: Least Privilege Violation
Confidence Level: High
Impact Level: Low
Likelihood Level: Low

Description

The code configures a WKWebView to allow JavaScript to open new windows automatically. This increases the risk of unwanted or malicious pop-ups and reduces the security of the webview.

Impact

If exploited, attackers could use JavaScript to open additional browser windows or tabs without user consent, potentially leading to phishing attempts, information leaks, or a degraded user experience. This weakens the app’s security posture and could expose users to malicious content.

Legacy ABAC permissions are enabled.

Property
Language: terraform
Severity: high
Service: gke
Provider: Google
Vulnerability Type: misconfiguration

Description

The configuration enables legacy Attribute-Based Access Control (ABAC) in GKE clusters, which relies on broad, attribute-based permissions rather than the more secure, fine-grained Role-Based Access Control (RBAC). This increases the risk of granting excessive privileges to users or services.

Impact

If exploited, attackers or unauthorized users could obtain permissions beyond what is necessary, potentially leading to unauthorized access, privilege escalation, or compromise of cluster resources and sensitive data.

Legacy client authentication methods utilized.

Property
Language: terraform
Severity: high
Service: gke
Provider: Google
Vulnerability Type: misconfiguration

Description

The cluster is configured to allow legacy authentication methods, such as basic username/password or client certificate authentication, instead of using stronger mechanisms like service accounts or OAuth. This increases the risk of unauthorized access due to weaker credential management.

Impact

Exploiting this vulnerability could allow attackers to gain administrative access to the Kubernetes cluster’s master node using compromised or easily guessed credentials, potentially leading to full cluster takeover, data breaches, or disruption of critical workloads.