No HEALTHCHECK defined

Property
Language: terraform
Severity: low

Description

The container definition has no HEALTHCHECK, so the runtime has no way to tell whether the process inside it is still serving requests: a container that is running but deadlocked, out of connections, or returning errors on every request looks identical to a healthy one. Note that a Docker HEALTHCHECK is evaluated by the Docker engine and acted on by Docker Swarm; Kubernetes ignores it and relies on its own liveness and readiness probes, so the equivalent probe has to be declared there separately.

Impact

Without a HEALTHCHECK, failed or unresponsive containers go undetected, degrading availability and delaying recovery. Even with one defined, Docker on its own only marks the container as `unhealthy` in `docker inspect`; unless Swarm or an external controller acts on that status, nothing restarts or replaces it, so the check is the necessary first step rather than the whole remedy.
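The flagged and fixed forms side by side, as an added example that is not from the page or the scanner's own documentation. It assumes the kreuzwerker/docker Terraform provider and its `docker_container` `healthcheck` block; the image name, port and `/healthz` path are placeholders.

```hcl
# Added example (not from the original page). Assumes the kreuzwerker/docker provider;
# image, port and probe path are illustrative.

# Flagged: no healthcheck block, so Docker never learns whether the app is serving.
resource "docker_container" "api_unchecked" {
  name  = "api-unchecked"
  image = "example/api:1.2.3"
}

# Fixed: Docker runs the probe on a schedule and exposes the result as
# .State.Health.Status (starting / healthy / unhealthy) in `docker inspect`.
resource "docker_container" "api" {
  name  = "api"
  image = "example/api:1.2.3"

  healthcheck {
    # -f makes curl exit non-zero on HTTP 4xx/5xx, which is what marks a failure.
    test         = ["CMD", "curl", "-f", "http://127.0.0.1:8080/healthz"]
    interval     = "30s"
    timeout      = "5s"
    start_period = "15s" # grace period so a slow boot is not counted as failures
    retries      = 3     # consecutive failures before the container is 'unhealthy'
  }
}
```

After `terraform apply`, `docker inspect --format '{{.State.Health.Status}}' api` shows the probe result. The `test` command runs inside the container, so `curl` (or whatever probe you choose) must exist in the image.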

No plaintext password for compute instance

Property
Language: terraform
Severity: medium
Service: compute
Provider: OpenStack
Vulnerability Type: misconfiguration

Description

Assigning a plaintext password to an OpenStack compute instance (the `admin_pass` argument of `openstack_compute_instance_v2`) in Terraform files places a live credential in the code repository, in every plan output and in the Terraform state file. Marking the source variable as `sensitive` only redacts it from plan and apply logs; the value is still written to state in clear text, so anyone with read access to the state backend can recover it.

Impact

If the password is exposed, an attacker can log in to the instance directly, then use it as a foothold for lateral movement within the cloud tenant and for compromise of the services and data it can reach. Because the same password is typically reused across instances built from the same configuration, one leak often unlocks a whole fleet.
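The flagged configuration next to a key-based replacement, as an added example rather than code from the page. It assumes the terraform-provider-openstack resources `openstack_compute_instance_v2` and `openstack_compute_keypair_v2`; image, flavor and key file names are placeholders.

```hcl
# Added example (not from the original page). Assumes the OpenStack Terraform
# provider; image, flavor and key file names are illustrative.

# Flagged: the admin password is a literal in the configuration. It is committed
# to the repository, printed in plan output and stored in the Terraform state.
resource "openstack_compute_instance_v2" "bastion_bad" {
  name        = "bastion"
  image_name  = "ubuntu-22.04"
  flavor_name = "m1.small"
  admin_pass  = "Sup3rS3cret!"
}

# Fixed: no password is set at all. Access is by SSH key pair, and only the
# public half ever appears in configuration or state.
resource "openstack_compute_keypair_v2" "bastion" {
  name       = "bastion-key"
  public_key = file("${path.module}/bastion.pub")
}

resource "openstack_compute_instance_v2" "bastion" {
  name        = "bastion"
  image_name  = "ubuntu-22.04"
  flavor_name = "m1.small"
  key_pair    = openstack_compute_keypair_v2.bastion.name
}
```

If a local password is unavoidable for the image, set it at first boot from a secrets manager the instance authenticates to, and rotate it there, rather than passing it through Terraform.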

No Root Access Keys

Property
Language: terraform
Severity: critical
Service: iam
Provider: AWS

Description

AWS access keys are assigned to the root user, allowing programmatic access with unrestricted permissions. IAM policies and permissions boundaries cannot be attached to the root user, so nothing inside the account limits what these keys can do, and a leak exposes the whole account. AWS recommends that the root user have no access keys at all; `aws iam get-account-summary` reports `AccountAccessKeysPresent` as 1 when any exist, which is a quick check to run alongside the Terraform scan.

Impact

If the root user's access keys are compromised, an attacker gains full control over every resource in the account, including the ability to delete backups and logs, change the account's contact and billing details, and lock out the legitimate owners. The consequences range from data loss and service disruption to a complete, unrecoverable account takeover with direct financial and reputational impact.

No sensitive data stored in user_data

Property
Language: terraform
Severity: high
Service: compute
Provider: CloudStack
Vulnerability Type: misconfiguration

Description

Sensitive information such as passwords or API tokens is placed in the `user_data` argument of a `cloudstack_instance` resource. User data is served back to the instance, unauthenticated, from the metadata endpoint (or the config drive), so any process or user on that instance can read it; it is also stored in the Terraform state. Base64 encoding, which the provider accepts for this field, is not encryption and offers no protection.

Impact

Anyone who gains code execution on the instance, even as an unprivileged user, can retrieve the credentials from the metadata endpoint, as can anyone with read access to the Terraform state. That can lead to account compromise, lateral movement within the environment, and exposure of the systems and data those credentials protect.
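A flagged configuration next to one that keeps secrets out of user data, as an added example that is not from the page. It assumes the terraform-provider-cloudstack `cloudstack_instance` resource; the offering, template, zone and key pair names are placeholders, and `fetch-secret` stands in for whatever vault client the image ships with.

```hcl
# Added example (not from the original page). Assumes the CloudStack Terraform
# provider; offering, template, zone and key pair names are illustrative, and
# /usr/local/bin/fetch-secret is a hypothetical vault client baked into the image.

# Flagged: a database password travels through user_data. Any process on the
# instance can read it back from the metadata endpoint, and it lands in state.
resource "cloudstack_instance" "app_bad" {
  name             = "app"
  service_offering = "Medium Instance"
  template         = "ubuntu-22.04"
  zone             = "zone-1"
  user_data        = <<-EOT
    #!/bin/sh
    echo 'DB_PASSWORD=Sup3rS3cret!' >> /etc/app.env
  EOT
}

# Fixed: user_data only bootstraps. The secret is pulled at runtime over an
# authenticated channel and never appears in configuration, metadata or state.
resource "cloudstack_instance" "app" {
  name             = "app"
  service_offering = "Medium Instance"
  template         = "ubuntu-22.04"
  zone             = "zone-1"
  keypair          = "app-deploy-key"
  user_data        = <<-EOT
    #!/bin/sh
    # Instance identity, not an embedded credential, authorises this fetch.
    /usr/local/bin/fetch-secret --name app/db-password --out /etc/app.env
    chmod 0600 /etc/app.env
  EOT
}
```

The test for whether a value belongs in user data is simple: if reading it from the instance would be a problem, it should not be there, since reading it from the instance is exactly what user data is for.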

No State Machine Policy Wildcards

Property
Language: terraform
Severity: high
Service: sam
Provider: AWS

Description

Apply the principle of least privilege to the IAM policies attached to a state machine. Specify each permission the workflow actually needs rather than using wildcards such as `"Action": "*"`, `"Action": "s3:*"`, or `"Resource": "*"`, which grant access to actions, resources and principals that were never intended and widen the blast radius if the state machine's role is abused.

Resolution

List the exact actions required and the specific resource ARNs they apply to instead of using wildcards. Where a wildcard in the resource is unavoidable (for example an object prefix within a bucket), keep it as narrow as the naming scheme allows and pair it with a fully specified action list.

No threat detections are set

Property
Language: terraform
Severity: medium
Service: database
Provider: Azure
Vulnerability Type: misconfiguration

Description

The configuration turns off one or more SQL Server threat detection alerts, for example by listing `Sql_Injection`, `Sql_Injection_Vulnerability`, `Data_Exfiltration`, `Unsafe_Action` or `Access_Anomaly` in the `disabled_alerts` of an `azurerm_mssql_server_security_alert_policy`, or by setting its `state` to `Disabled`. This removes detection and reporting of suspicious activity such as SQL injection attempts, unusual data exfiltration, and anomalous access patterns, and so reduces visibility of attacks in progress.

Impact

With these alerts disabled, malicious activity can proceed undetected: an attacker can probe for injection, exfiltrate data, or escalate privileges without any timely signal to the security team. This increases the likelihood and the duration of a breach, with the financial and reputational damage that follows.
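A flagged policy beside a corrected one, as an added example that is not from the page or the azurerm provider documentation. It assumes an `azurerm_mssql_server` and `azurerm_resource_group` named `example` exist in the same configuration; the notification address is a placeholder.

```hcl
# Added example (not from the original page). Assumes azurerm_resource_group.example
# and azurerm_mssql_server.example are defined elsewhere; the email is illustrative.

# Flagged: the policy is enabled, but the alerts that matter most are switched off,
# so injection and exfiltration go unreported.
resource "azurerm_mssql_server_security_alert_policy" "bad" {
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_mssql_server.example.name
  state               = "Enabled"
  disabled_alerts     = ["Sql_Injection", "Data_Exfiltration", "Access_Anomaly"]
}

# Fixed: every alert type stays active, findings are routed to a monitored mailbox
# as well as the subscription admins, and audit data is retained long enough to
# support an investigation.
resource "azurerm_mssql_server_security_alert_policy" "good" {
  resource_group_name  = azurerm_resource_group.example.name
  server_name          = azurerm_mssql_server.example.name
  state                = "Enabled"
  disabled_alerts      = []
  email_account_admins = true
  email_addresses      = ["secops@example.com"]
  retention_days       = 90
}
```

An alert that nobody receives is as good as a disabled one, so treat the notification settings as part of the fix rather than an optional extra.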

No unauthorized access to API Gateway methods

Property
Language: terraform
Severity: low
Service: api-gateway
Provider: AWS

Description

API Gateway methods should be protected by an authorization mechanism or require an API key; an `aws_api_gateway_method` with `authorization = "NONE"` and no `api_key_required` is open to anyone who can reach the endpoint. The one accepted exception is the `OPTIONS` method, which browsers send unauthenticated as the CORS preflight request and which must therefore be callable without credentials.

Resolution

Use an authorization method (`AWS_IAM`, a Lambda authorizer via `CUSTOM`, or `COGNITO_USER_POOLS`) or set `api_key_required = true`. Note that API keys are designed for usage plans and metering, and AWS advises against relying on them as the only means of authentication, so prefer a real authorizer for anything that is not a public, rate-limited endpoint.
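The flagged method, a hardened version, and the CORS preflight exception, as an added example that is not from the page. It assumes an `aws_api_gateway_rest_api` named `api` and an `aws_api_gateway_resource` named `orders` exist in the same configuration.

```hcl
# Added example (not from the original page). Assumes aws_api_gateway_rest_api.api
# and aws_api_gateway_resource.orders are defined elsewhere.

# Flagged: GET /orders is callable by anyone on the internet.
resource "aws_api_gateway_method" "get_orders_bad" {
  rest_api_id   = aws_api_gateway_rest_api.api.id
  resource_id   = aws_api_gateway_resource.orders.id
  http_method   = "GET"
  authorization = "NONE"
}

# Fixed: callers must sign the request with SigV4 credentials that IAM allows to
# invoke this method, and must also present an API key tied to a usage plan so
# the caller can be throttled and metered.
resource "aws_api_gateway_method" "get_orders" {
  rest_api_id      = aws_api_gateway_rest_api.api.id
  resource_id      = aws_api_gateway_resource.orders.id
  http_method      = "GET"
  authorization    = "AWS_IAM"
  api_key_required = true
}

# Accepted exception: browsers send the CORS preflight with no credentials, so
# OPTIONS has to be open. It should return only CORS headers and no data.
resource "aws_api_gateway_method" "orders_options" {
  rest_api_id   = aws_api_gateway_rest_api.api.id
  resource_id   = aws_api_gateway_resource.orders.id
  http_method   = "OPTIONS"
  authorization = "NONE"
}
```

For user-facing APIs, `authorization = "COGNITO_USER_POOLS"` with an `authorizer_id` pointing at an `aws_api_gateway_authorizer` is the usual replacement for `AWS_IAM`; the important part is that no data-returning method is left at `NONE`.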

No wildcard verb and resource roles

Property
Language: terraform
Severity: critical
Vulnerability Type: omission

Description

A Kubernetes Role or ClusterRole (a `kubernetes_role` or `kubernetes_cluster_role` in Terraform) contains a `rule` whose `verbs` and `resources` are both `["*"]`, allowing every action on every resource type the rule's API groups cover. This is the broadest permission RBAC can express and violates the principle of least privilege entirely.

Impact

A subject bound to this role can do anything within its scope: read Secrets, edit Deployments to run arbitrary images, delete workloads, and create or modify further RoleBindings to entrench access. For a namespaced Role that means full control of the namespace; for a ClusterRole bound cluster-wide it means full cluster compromise and the ability to disrupt every service running on it.

No wildcard verb roles

Property
Language: terraform
Severity: critical
Vulnerability Type: omission

Description

A Kubernetes Role or ClusterRole contains a `rule` with `verbs = ["*"]` on specific resources, granting every possible action on those resources without restriction. Even when the resource list is narrow, a wildcard verb bundles read, write, delete and, where the resource supports it, escalation or impersonation into one grant, which is almost never what the workload actually needs.

Impact

A subject bound to this role can perform any operation, including get, list, create, patch, delete and escalate, on the named resources. On Secrets that means every credential in scope is readable; on Deployments it means arbitrary code can be scheduled; on Roles and RoleBindings it means the subject can grant itself more, leading to data breaches, service disruption, or full cluster compromise.
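One block covering both the "No wildcard verb and resource roles" and "No wildcard verb roles" findings, plus the least-privilege shape that satisfies them, as an added example that is not from the page. It assumes the hashicorp/kubernetes Terraform provider's `kubernetes_role` resource; the namespace, role names and ConfigMap name are placeholders.

```hcl
# Added example (not from the original page). Assumes the hashicorp/kubernetes
# provider; namespace, role names and resource names are illustrative.

# Flagged by "No wildcard verb and resource roles": every verb on every resource
# in every API group. Bound in a namespace this is full control of the namespace.
resource "kubernetes_role" "god_mode" {
  metadata {
    name      = "god-mode"
    namespace = "payments"
  }
  rule {
    api_groups = ["*"]
    resources  = ["*"]
    verbs      = ["*"]
  }
}

# Flagged by "No wildcard verb roles": the resource list is narrow, but the
# wildcard verb still allows reading, creating, overwriting and deleting every
# Secret in the namespace.
resource "kubernetes_role" "secrets_any_verb" {
  metadata {
    name      = "secrets-any-verb"
    namespace = "payments"
  }
  rule {
    api_groups = [""]
    resources  = ["secrets"]
    verbs      = ["*"]
  }
}

# Least privilege: a deploy job that reads one ConfigMap and restarts one kind
# of workload. Verbs are enumerated, and resource_names pins the ConfigMap rule
# to the single object the job needs.
resource "kubernetes_role" "deployer" {
  metadata {
    name      = "deployer"
    namespace = "payments"
  }
  rule {
    api_groups     = [""]
    resources      = ["configmaps"]
    resource_names = ["app-config"]
    verbs          = ["get"]
  }
  rule {
    api_groups = ["apps"]
    resources  = ["deployments"]
    verbs      = ["get", "patch"]
  }
}
```

After applying and binding the role to a service account, verify the effective grant from the cluster's point of view rather than from the HCL: `kubectl auth can-i --list --as=system:serviceaccount:payments:deployer -n payments` prints exactly the verb and resource pairs the subject holds, and `kubectl auth can-i '*' '*' --as=...` should answer `no`.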