MQ Broker should have audit logging enabled

Property
Language: terraform
Severity: medium
Service: mq
Provider: AWS
Vulnerability Type: omission

Description

The MQ broker is configured without audit logging enabled, which prevents recording of user actions and broker events. This omission makes it difficult to track or investigate activities within the broker.

Impact

Without audit logs, malicious or unauthorized actions may go undetected, hindering incident response and forensic analysis. This increases the risk of undetected data breaches or misuse, and may lead to compliance violations.

MQ Broker should have general logging enabled

Property
Language: terraform
Severity: low
Service: mq
Provider: AWS

Description

The MQ Broker is configured without general logging enabled, which prevents the recording of operational events and activities. This omission makes it difficult to monitor, audit, or investigate the broker’s behavior during incidents.

Impact

Without general logging, issues such as unauthorized access, misconfigurations, or system failures may go undetected or be difficult to trace, leading to delayed incident response and increased risk of undiagnosed security or operational problems.

Multiple CMD instructions listed

Property
Language: terraform
Severity: high
Vulnerability Type: omission

Description

The Dockerfile contains multiple CMD instructions, but only the last one will be executed at container runtime, causing earlier CMDs to be ignored and potentially leading to unexpected container behavior.

Impact

If multiple CMDs are specified, the intended application entrypoint might not run, leading to application failures, reduced reliability, or security gaps if critical startup commands are omitted. This can disrupt deployments and expose the environment to misconfiguration risks.

Multiple ENTRYPOINT instructions listed

Property
Language: terraform
Severity: critical
Vulnerability Type: omission

Description

Defining multiple ENTRYPOINT instructions in a Dockerfile causes only the last one to be used, rendering previous ENTRYPOINT commands ineffective. This can lead to unexpected container behavior and misconfiguration.

Impact

Critical application processes may not start as intended, potentially resulting in containers running the wrong commands or failing to launch. This can disrupt services, introduce security risks, and make containers behave unpredictably in production.

Multiple HEALTHCHECK defined

Property
Language: terraform
Severity: medium
Vulnerability Type: omission

Description

Defining multiple HEALTHCHECK instructions within the same Dockerfile stage causes ambiguity, as only the last instruction is used and earlier ones are ignored. This can lead to unexpected container health behavior and misconfiguration.

Impact

Ambiguous or incorrect HEALTHCHECK configuration may result in containers being marked as healthy or unhealthy incorrectly, which can disrupt automated orchestration, monitoring, and recovery processes, potentially leading to reduced availability or undetected service failures.

Neptune encryption should use Customer Managed Keys

Property
Language: terraform
Severity: high
Service: neptune
Provider: AWS
Vulnerability Type: omission

Description

The Neptune cluster is configured to use AWS-managed encryption keys instead of customer-managed keys. This limits granular control over key management, such as key rotation, access policies, and auditing.

Impact

Relying on AWS-managed keys restricts the organization’s ability to enforce its own security policies, potentially increasing the risk of unauthorized data access or non-compliance with regulatory requirements if the default keys are compromised or mismanaged.

Neptune logs export should be enabled

Property
Language: terraform
Severity: medium
Service: neptune
Provider: AWS
Vulnerability Type: omission

Description

AWS Neptune clusters do not have audit logging enabled by default. Without log export enabled, actions and changes within the Neptune instance are not recorded for audit purposes, reducing visibility into usage and access.

Impact

Lack of audit logs makes it difficult to detect unauthorized access, investigate incidents, or comply with security policies. This can allow malicious activities or configuration changes to go unnoticed, increasing the risk of data breaches and regulatory non-compliance.

Neptune storage must be encrypted at rest

Property
Language: terraform
Severity: high
Service: neptune
Provider: AWS
Vulnerability Type: omission

Description

Neptune storage is not configured to use encryption at rest, meaning data stored on disk is left unprotected. This exposes sensitive information if the underlying storage media is accessed or compromised.

Impact

Without encryption, attackers gaining access to Neptune storage disks could read all stored data, leading to potential data breaches, regulatory violations, and loss of sensitive or proprietary information.

NET_RAW capability added

Property
Language: terraform
Severity: high
Vulnerability Type: omission

Description

Granting the NET_RAW capability to containers allows them to craft raw network packets, which is generally unnecessary and increases the attack surface. This capability can enable unintended or malicious network activities from within the container.

Impact

If exploited, attackers could use the NET_RAW capability to intercept network traffic or send spoofed packets, potentially leading to data leaks, network attacks, or lateral movement within the environment. This undermines network security controls and can compromise both application and infrastructure integrity.

Network Policy should be enabled on GKE clusters

Property
Language: terraform
Severity: medium
Service: gke
Provider: Google
Vulnerability Type: omission

Description

The GKE cluster is configured without network policy enforcement, allowing unrestricted network traffic between pods across all namespaces. This configuration fails to segment network communication within the cluster.

Impact

Without network policies, any compromised pod or malicious actor inside the cluster could freely communicate with and potentially exploit other pods, increasing the risk of lateral movement, data exposure, and unauthorized access to sensitive services within the cluster.