Node metadata value disables metadata concealment

Property
Language: terraform
Severity: high
Service: gke
Provider: Google
Vulnerability Type: misconfiguration

Description

The node_metadata attribute in the workload_metadata_config block is set insecurely, allowing Kubernetes pods to access sensitive VM metadata that should be concealed. This misconfiguration exposes metadata that could include credentials or internal configuration details.

Impact

If exploited, pods running in the cluster could access and potentially exfiltrate sensitive VM metadata, such as service account tokens or project information, leading to privilege escalation, data leakage, or compromise of other Google Cloud resources.

Non-core volume types used

Property
Language: terraform
Severity: low

Description

The configuration uses non-core (disallowed) Kubernetes volume types in pod specifications, which do not meet the Pod Security Standards for restricted environments. This increases exposure to less secure or deprecated storage backends.

Impact

Using disallowed volume types can introduce security risks such as data leakage, privilege escalation, or access to sensitive host resources, potentially allowing attackers to compromise the cluster or access unauthorized data.

Non-default /proc masks set

Property
Language: terraform
Severity: medium
Vulnerability Type: misconfiguration

Description

The configuration sets a non-default value for ‘procMount’ in container security contexts, overriding the default /proc masks that help restrict container access to sensitive host process information.

Impact

Allowing non-default /proc masks increases the risk that containers can access or manipulate host process data, potentially enabling privilege escalation, information disclosure, or container breakout attacks.

Resolution

Do not set spec.containers[].securityContext.procMount and spec.initContainers[].securityContext.procMount.

Not Using Password Aging

Property
Language: hcl
Severity: medium
CWE: CWE-262: Not Using Password Aging
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Low

Description

The code defines Azure Key Vault secrets without specifying an expiration date. This means secrets may remain valid indefinitely, increasing the risk if they are ever leaked or compromised.

Impact

Without an expiration date, old or unused secrets might stay active, making it easier for attackers to exploit stale credentials. This can lead to unauthorized access to sensitive resources and increase the organization’s overall security exposure.

Not Using Password Aging

Property
Language: hcl
Severity: medium
CWE: CWE-262: Not Using Password Aging
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Low

Description

Keys in Azure Key Vault are being created without an expiration date. This means the keys will remain valid indefinitely unless manually deleted or rotated.

Impact

If keys do not expire, compromised or outdated keys could be misused for extended periods, increasing the risk of unauthorized access or data breaches. This weakens key lifecycle management and can result in non-compliance with security policies.

Omission of Security-relevant Information

Property
Language: hcl
Severity: low
CWE: CWE-223: Omission of Security-relevant Information
OWASP: A09:2021 - Security Logging and Monitoring Failures
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

This code defines AWS security group rules without meaningful descriptions, or leaves the description empty or set to a default value. Missing or generic descriptions make it difficult to understand the purpose of each rule.

Impact

Without clear descriptions, it becomes challenging to audit, troubleshoot, or manage security groups, increasing the risk of misconfigurations going unnoticed. This can lead to accidental exposure of resources or delayed response to security incidents.

Omission of Security-relevant Information

Property
Language: hcl
Severity: medium
CWE: CWE-223: Omission of Security-relevant Information
OWASP: A09:2021 - Security Logging and Monitoring Failures
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Medium

Description

The AWS ECR repository is configured without image scanning on push, meaning container images are not automatically checked for known vulnerabilities before being stored. This increases the risk of deploying insecure or outdated software.

Impact

If image scanning is disabled, vulnerable images could be pushed to the repository and later deployed to production, potentially exposing your application to exploits, data breaches, or compromise by attackers leveraging unpatched vulnerabilities in your containers.

Origin Validation Error

Property
Language: csharp
Severity: low
CWE: CWE-346: Origin Validation Error
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The application does not set the HTTP Strict-Transport-Security (HSTS) header, which means browsers may connect over insecure HTTP instead of always using HTTPS. This leaves users vulnerable to man-in-the-middle attacks if connections downgrade to HTTP.

Impact

Without HSTS, attackers could intercept or alter data by forcing users to access the site over insecure HTTP, potentially exposing sensitive information or session data. This weakens the application’s overall transport security and puts both users and the organization at risk of data theft or manipulation.

Origin Validation Error

Property
Language: generic
Severity: medium
CWE: CWE-346: Origin Validation Error
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

Including JavaScript or CSS from a CDN without using the ‘integrity’ attribute on <script> or <link> tags means your application cannot verify whether the external resource has been tampered with. This exposes users to the risk of loading malicious or altered code if the CDN is compromised.

Origin Validation Error

Property
Language: javascript
Severity: medium
CWE: CWE-346: Origin Validation Error
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The application sets CORS headers like ‘Access-Control-Allow-Origin’ using values directly from user input (such as request headers, parameters, or body). This allows untrusted origins to access protected resources, exposing the API to cross-origin attacks.

Impact

If exploited, attackers could bypass browser security controls to access sensitive data or perform actions as an authenticated user from malicious websites. This may lead to data leaks, account compromise, or unauthorized operations affecting users and the organization.