Ensure Kubelet Client Certificate And Kubelet Client Key Are Set

Property
Language: terraform
Severity: low

Description

The Kubernetes API server is not configured with the --kubelet-client-certificate and --kubelet-client-key flags, meaning it does not use client certificates to authenticate to kubelets. This weakens the security of communication between the API server and node kubelets.

Impact

Without certificate-based authentication, the connection between the API server and kubelets could be vulnerable to unauthorized access or man-in-the-middle attacks, potentially allowing attackers to intercept or manipulate sensitive node operations and compromise cluster integrity.

Ensure kubelet config.yaml permissions are 600 or more restrictive

Property
Language: terraform
Severity: high

Description

The kubelet configuration file is set with permissions more permissive than 600, allowing users other than the owner to read or modify sensitive configuration settings. This exposes critical kubelet parameters to unauthorized access.

Impact

If exploited, unauthorized users could access or alter the kubelet’s configuration, potentially leading to privilege escalation, disruption of cluster operations, or compromise of node security and sensitive data.

Resolution

Change the kubelet config.yaml permissions to 600 or more restrictive, if the file exists.

Ensure log profile captures all activities

Property
Language: terraform
Severity: medium
Service: monitor
Provider: Azure
Vulnerability Type: omission

Description

The log profile is not configured to capture all required activity categories (‘Action’, ‘Write’, ‘Delete’), resulting in incomplete event logging within Azure Monitor. This omission means certain operations may not be recorded for auditing or incident response.

Impact

If all activities are not logged, critical actions such as resource changes or deletions could go undetected, hindering forensic investigations and compliance efforts, and increasing the risk of untraceable unauthorized activity within the Azure environment.

Ensure MQ Broker is not publicly exposed

Property
Language: terraform
Severity: high
Service: mq
Provider: AWS
Vulnerability Type: misconfiguration

Description

The MQ broker is configured to be publicly accessible, allowing connections from any external network. This exposes the messaging service to the internet, increasing the risk of unauthorized access.

Impact

If exploited, attackers could connect to the MQ broker over the internet, potentially intercepting, modifying, or injecting messages. This may lead to data breaches, service disruptions, or further compromise of internal systems.

Ensure MSK Cluster logging is enabled

Property
Language: terraform
Severity: medium
Service: msk
Provider: AWS
Vulnerability Type: omission

Description

The MSK (Managed Streaming for Kafka) cluster is configured without broker log delivery to CloudWatch, Kinesis Firehose, or S3. This omission means operational events and errors within the Kafka cluster are not being captured for monitoring or troubleshooting.

Impact

Without broker logging enabled, detecting, diagnosing, and responding to incidents such as data loss, configuration issues, or unauthorized access becomes significantly more difficult. This lack of visibility can delay incident response, complicate audits, and increase the risk of prolonged outages or undetected security breaches.

Ensure plaintext value is not used for GitHub Actions environment secret

Property
Language: terraform
Severity: high
Service: actions
Provider: GitHub
Vulnerability Type: misconfiguration

Description

Storing sensitive secrets in the plaintext_value field of the github_actions_environment_secret resource exposes unencrypted credentials in Terraform code and state files, making them easily accessible. This practice fails to protect secrets and bypasses recommended encryption mechanisms.

Impact

If exploited, attackers with access to the codebase or state files can obtain sensitive secrets, potentially compromising GitHub Actions workflows, leaking credentials, or enabling unauthorized access to critical systems and data.

Ensure RBAC is enabled on AKS clusters

Property
Language: terraform
Severity: high
Service: container
Provider: Azure
Vulnerability Type: omission

Description

The AKS cluster is deployed without Kubernetes Role-Based Access Control (RBAC) enabled, allowing unrestricted access to cluster resources regardless of user roles or permissions. This configuration bypasses granular access control mechanisms.

Impact

Without RBAC, any authenticated user or service can perform potentially harmful operations on the cluster, such as modifying workloads, accessing sensitive data, or disrupting services. This significantly increases the risk of privilege escalation, data breaches, and unauthorized changes to the Kubernetes environment.

Ensure server parameter ‘connection_throttling’ is set to ‘ON’ for PostgreSQL Database Server

Property
Language: terraform
Severity: medium
Service: database
Provider: Azure
Vulnerability Type: omission

Description

The PostgreSQL server is not configured to enable ‘connection_throttling’, which means logging for connection throttling events is disabled. This reduces visibility into potential connection contention or abuse scenarios.

Impact

Without connection throttling logs, diagnosing connection-related issues and detecting abnormal access patterns becomes difficult. This can hinder incident response, delay troubleshooting, and potentially allow attackers or misconfigured applications to exhaust database resources undetected.

Ensure server parameter ‘log_checkpoints’ is set to ‘ON’ for PostgreSQL Database Server

Property
Language: terraform
Severity: medium
Service: database
Provider: Azure
Vulnerability Type: omission

Description

The PostgreSQL server is not configured to log checkpoints, which reduces visibility into database operations and hinders the ability to audit or troubleshoot issues effectively. Missing the ‘log_checkpoints’ parameter set to ‘on’ leaves gaps in operational logging.

Impact

Without checkpoint logging, errors and queries related to database checkpoints are not recorded, making it difficult to detect, investigate, or respond to failures and suspicious activities. This can delay incident response, obscure root cause analysis, and potentially allow malicious actions or misconfigurations to go unnoticed.

Ensure server parameter ‘log_connections’ is set to ‘ON’ for PostgreSQL Database Server

Property
Language: terraform
Severity: medium
Service: database
Provider: Azure
Vulnerability Type: omission

Description

The PostgreSQL server is not configured to log successful connection attempts. Without ‘log_connections’ set to ‘ON’, connection events are not recorded, reducing audit visibility.

Impact

Lack of connection logging makes it difficult to detect unauthorized access, investigate security incidents, or troubleshoot configuration issues. This can allow attackers to connect to the database without leaving an audit trail, increasing the risk of undetected breaches.