| Property | Value |
|---|---|
| Language | |
| Severity | |
Description
If kube-proxy is running, ensure that the file ownership of its kubeconfig file is set to root:root.
Resolution
Change the proxy kubeconfig file ownership to root:root if it exists.
| Property | Value |
|---|---|
| Language | |
| Severity | |
If kube-proxy is running, and if it is using a file-based kubeconfig file, ensure that the proxy kubeconfig file has permissions of 600 or more restrictive.
Change the proxy kubeconfig file permissions to 600 or more restrictive if it exists.
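The two kube-proxy rules above audit the same file, so one check covers both. The script below is an added example written for this page, not code from any benchmark or scanner: it finds the kubeconfig kube-proxy was started with by reading the ‘--kubeconfig’ flag from its command line (the fallback path is an assumption; distributions differ), then tests that the owner is root:root and that the mode is a subset of 600, which is what “600 or more restrictive” means. The remediation function applies the resolution from the rules and needs root.

```python
import grp
import os
import pwd
import stat

# Fallback used only when kube-proxy's command line has no --kubeconfig flag.
# This path is an assumption for the example; distributions differ.
DEFAULT_KUBECONFIG = "/var/lib/kube-proxy/kubeconfig.conf"


def kubeconfig_from_argv(argv):
    """Return the --kubeconfig value from a kube-proxy argv list, or None.

    Accepts both '--kubeconfig=PATH' and '--kubeconfig PATH'.
    """
    for i, arg in enumerate(argv):
        if arg.startswith("--kubeconfig="):
            return arg.split("=", 1)[1]
        if arg == "--kubeconfig" and i + 1 < len(argv):
            return argv[i + 1]
    return None


def find_kube_proxy_argv():
    """Return the argv of a running kube-proxy by scanning /proc (Linux only), or None."""
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                raw = f.read()
        except OSError:
            continue  # process exited or is not readable
        argv = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
        if argv and os.path.basename(argv[0]) == "kube-proxy":
            return argv
    return None


def _name(lookup, ident):
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)  # uid/gid without an entry in passwd/group


def check_owner(path, expected="root:root"):
    """Return (ok, 'user:group') comparing the file's owner and group with expected."""
    st = os.stat(path)
    actual = f"{_name(pwd.getpwuid, st.st_uid)}:{_name(grp.getgrgid, st.st_gid)}"
    return actual == expected, actual


def check_mode(path, max_mode=0o600):
    """Return (ok, mode); ok means no permission bit outside max_mode is set.

    '600 or more restrictive' is a subset test: group and other bits, owner
    execute and the setuid/setgid/sticky bits must all be clear, so 0o400
    passes while 0o640 and 0o700 fail.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & ~max_mode) == 0, mode


def remediate(path, max_mode=0o600):
    """Apply the resolution from the rules: root:root and mode 600 (requires root)."""
    os.chown(path, 0, 0)
    os.chmod(path, max_mode)


def audit(argv=None, path=None):
    """Audit the kubeconfig kube-proxy actually uses; skip if there is none."""
    if path is None:
        if argv is None:
            argv = find_kube_proxy_argv()
        if argv is None:
            return {"status": "skip", "reason": "kube-proxy is not running"}
        path = kubeconfig_from_argv(argv) or DEFAULT_KUBECONFIG
    if not os.path.isfile(path):
        return {"status": "skip", "reason": f"{path} does not exist"}
    owner_ok, owner = check_owner(path)
    mode_ok, mode = check_mode(path)
    return {
        "status": "pass" if owner_ok and mode_ok else "fail",
        "path": path,
        "owner": owner,
        "mode": f"{mode:o}",
    }


if __name__ == "__main__":
    print(audit())
```

Run it as root on a node; a ‘skip’ result means kube-proxy is not running or is not using a file-based kubeconfig, which is the case the rules exempt. The mode check deliberately rejects 700 and 640: both are more permissive than 600 in a different direction.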
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Vulnerability Type | omission |
Using the ‘:latest’ tag for container images in deployments makes it unclear which version of the image is actually running, leading to unpredictability and difficulty tracing or rolling back changes. This practice reduces transparency and control over the software lifecycle.
Relying on ‘:latest’ can result in unintentional upgrades or inconsistencies across environments, increasing the risk of running untested or vulnerable code. Attackers may exploit this unpredictability to introduce malicious images, or operations teams may struggle to respond quickly to incidents due to lack of version clarity.
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Vulnerability Type | omission |
The container image is configured to run as the ‘root’ user by default, or does not specify a non-root user. This increases the risk of privilege escalation within the container environment.
If exploited, an attacker who gains access to the container could perform administrative actions, potentially escaping the container to access the host system or other containers, leading to full system compromise or data breaches.
| Property | Value |
|---|---|
| Language | apex |
| Severity | |
| CWE | CWE-284: Improper Access Control |
| OWASP | A04:2021 - Insecure Design |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | Medium |
Every Apex class should have an explicit sharing mode declared. Use the ‘with sharing’ or ‘without sharing’ keywords on a class to specify whether sharing rules must be enforced. Use the ‘inherited sharing’ keyword on an Apex class to run the class in the sharing mode of the class that called it.
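A quick way to enforce the rule above across a codebase is to scan for class declarations that carry none of the three keywords. The script below is an added example written for this page, not Salesforce or PMD code. It blanks out comments and string literals first so that the word ‘class’ inside them is not counted, reports inner classes as well (in Apex an inner class does not inherit the sharing mode of its outer class), and returns each offending class name with its line number. The Apex sample is constructed for the demonstration.

```python
import re

# A class declaration: optional modifiers and an optional sharing keyword in any
# order, then 'class' and the name. Anchored at line start so that identifiers
# such as 'classify(' or 'myclass' are not matched.
CLASS_DECL = re.compile(
    r"^[ \t]*(?P<prefix>(?:(?:public|private|protected|global|virtual|abstract|"
    r"with\s+sharing|without\s+sharing|inherited\s+sharing)\s+)*)class\s+(?P<name>\w+)",
    re.IGNORECASE | re.MULTILINE,
)
SHARING = re.compile(r"\b(with|without|inherited)\s+sharing\b", re.IGNORECASE)
# Block comments, line comments and single-quoted Apex string literals, matched
# in one pass so that '//' inside a string or a quote inside a comment cannot
# confuse the stripping.
TOKEN = re.compile(r"/\*.*?\*/|//[^\n]*|'(?:\\.|[^'\\\n])*'", re.DOTALL)


def strip_comments_and_strings(src):
    """Blank out comments and string literals while keeping every newline."""
    def repl(m):
        tok = m.group(0)
        if tok.startswith("'"):
            return "''"                    # keep an empty literal in place
        return "\n" * tok.count("\n")      # drop comment text, keep line count
    return TOKEN.sub(repl, src)


def find_sharing_violations(src):
    """Return (class_name, line_number) for every class with no sharing keyword."""
    cleaned = strip_comments_and_strings(src)
    violations = []
    for m in CLASS_DECL.finditer(cleaned):
        if not SHARING.search(m.group("prefix")):
            line = cleaned.count("\n", 0, m.start()) + 1
            violations.append((m.group("name"), line))
    return violations


# Constructed Apex sample (not from any real org).
SAMPLE = """\
public with sharing class AccountService {
    // with sharing: record-level access rules are enforced
    public class Result { public Integer count; }   // inner class: no inherit
    public static List<Account> list() { return [SELECT Id FROM Account]; }
}

public class LegacyHelper {               // no sharing keyword: violation
    /* without sharing class in a comment must not count */
    private static final String LABEL = 'class NotReal';
}

global inherited sharing class Callable { }
"""

if __name__ == "__main__":
    for name, line in find_sharing_violations(SAMPLE):
        print(f"line {line}: class {name} has no sharing declaration")
```

The scanner only reports; which mode to add is a per-class design decision. ‘inherited sharing’ is the safe default for utility classes invoked from many places, ‘with sharing’ for anything that exposes query results to users, and ‘without sharing’ should be rare and reviewed.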
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-284: Improper Access Control |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
The container explicitly disables seccomp confinement, so the service runs with no system call filtering at all. Remove ‘seccompProfile: unconfined’ to prevent this.
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-284: Improper Access Control |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
The service configuration explicitly disables SELinux separation by setting ‘label:disable’ in ‘security_opt’. This causes the container to run without SELinux protections, leaving it unconfined.
Disabling SELinux separation removes important security boundaries, allowing a compromised container to potentially access or modify sensitive files or processes on the host system. This greatly increases the risk of privilege escalation and data breaches.
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-284: Improper Access Control |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
The service is configured to disable seccomp confinement by setting ‘seccomp:unconfined’, which removes important security restrictions on what system calls the container can make. This exposes the container to a wider range of potential attacks.
Disabling seccomp allows attackers to exploit vulnerabilities in the application or container runtime to perform unauthorized actions, such as breaking out of the container, accessing the host system, or escalating privileges. This significantly increases the risk of compromise to both the application and the underlying server.
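The three confinement rules above (‘seccompProfile: unconfined’, ‘label:disable’ and ‘seccomp:unconfined’) can be checked with one piece of logic over the parsed compose file or Pod manifest. The script below is an added example, not the page's rule code; its inputs are dict literals in the shape yaml.safe_load() returns, constructed here so that it runs offline. It accepts both the ‘key:value’ spelling used in compose files and the ‘key=value’ spelling used on the docker CLI, treats ‘privileged: true’ as the same exposure (Docker runs privileged containers without seccomp, AppArmor or SELinux confinement), also reports ‘apparmor:unconfined’ as the sibling of the two cases on the page, and for Kubernetes reports a container with no seccompProfile at all, because there the absence of the field means unconfined unless the kubelet applies a default. harden_pod shows the corrected manifest: RuntimeDefault at pod level with Unconfined overrides removed.

```python
import copy

# security_opt entries that switch a confinement layer off.
DISABLING_OPTS = {
    ("seccomp", "unconfined"): "seccomp disabled: no system call filter",
    ("label", "disable"): "SELinux label separation disabled",
    ("apparmor", "unconfined"): "AppArmor profile disabled",
}


def parse_security_opt(entry):
    """Normalise 'seccomp:unconfined' / 'seccomp=unconfined' to ('seccomp', 'unconfined')."""
    for sep in ("=", ":"):
        if sep in entry:
            key, value = entry.split(sep, 1)
            return key.strip().lower(), value.strip().lower()
    return entry.strip().lower(), ""


def check_compose(compose):
    """Return findings for every service in a parsed docker-compose file."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        for entry in svc.get("security_opt") or []:
            msg = DISABLING_OPTS.get(parse_security_opt(str(entry)))
            if msg:
                findings.append(f"services.{name}.security_opt '{entry}': {msg}")
        if svc.get("privileged"):
            # Docker runs privileged containers without seccomp, AppArmor or SELinux
            # confinement, so this is the same exposure without the explicit option.
            findings.append(f"services.{name}: privileged, all confinement disabled")
    return findings


def _pod_spec(obj):
    """Accept a Pod or a workload (Deployment, DaemonSet, ...) and return its pod spec."""
    spec = obj.get("spec") or {}
    if "template" in spec:
        spec = (spec["template"] or {}).get("spec") or {}
    return spec


def check_pod(obj):
    """Return findings for containers whose effective seccomp profile is Unconfined.

    A container-level seccompProfile overrides the pod-level one. With neither set,
    Kubernetes leaves the container unconfined unless the kubelet applies a default,
    so the absent case is reported as well.
    """
    spec = _pod_spec(obj)
    pod_type = ((spec.get("securityContext") or {}).get("seccompProfile") or {}).get("type")
    findings = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            c_type = ((c.get("securityContext") or {}).get("seccompProfile") or {}).get("type")
            effective = c_type or pod_type
            where = f"{kind}[{c.get('name')}]"
            if effective == "Unconfined":
                findings.append(f"{where}: seccompProfile.type Unconfined")
            elif effective is None:
                findings.append(f"{where}: no seccompProfile, unconfined unless the kubelet applies a default")
    return findings


def harden_pod(obj):
    """Return a copy with RuntimeDefault at pod level and Unconfined overrides removed."""
    fixed = copy.deepcopy(obj)
    spec = _pod_spec(fixed)
    pod_sc = spec.get("securityContext") or {}
    pod_sc["seccompProfile"] = {"type": "RuntimeDefault"}
    spec["securityContext"] = pod_sc
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            sc = c.get("securityContext") or {}
            if (sc.get("seccompProfile") or {}).get("type") == "Unconfined":
                del sc["seccompProfile"]
    return fixed


# Constructed samples in the shape yaml.safe_load() returns (not from the page).
COMPOSE = {
    "services": {
        "api": {"image": "example/api:1.4.2",
                "security_opt": ["seccomp:unconfined", "label:disable"]},
        "worker": {"image": "example/worker:1.4.2",
                   "security_opt": ["no-new-privileges:true", "seccomp=./seccomp/worker.json"]},
        "legacy": {"image": "example/legacy:0.9", "privileged": True},
    }
}

POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [
            {"name": "app", "image": "example/app:2.0.1"},
            {"name": "debug", "image": "example/debug:2.0.1",
             "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
        ],
    },
}

if __name__ == "__main__":
    print(check_compose(COMPOSE))
    print(check_pod(POD))
    print(check_pod(harden_pod(POD)))
```

The ‘worker’ service shows the clean pattern for compose: a custom seccomp profile file instead of ‘unconfined’, plus ‘no-new-privileges’. For Kubernetes the fix is an explicit ‘RuntimeDefault’ rather than merely deleting the ‘Unconfined’ line, since with nothing set the pod is still unconfined on clusters whose kubelet does not enable a default profile.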
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-284: Improper Access Control |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Remote debugging is enabled for this Azure App Service, which can expose sensitive application internals to anyone with access. Enabling remote debugging in production environments increases the risk of unauthorized access.
If exploited, attackers could gain remote access to the application’s runtime environment, potentially allowing them to execute arbitrary code, inspect sensitive data, or disrupt service operation. This can lead to data breaches, service downtime, and compromise of organizational assets.
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-284: Improper Access Control |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
The MariaDB server is configured to allow public network access, which exposes the database to the internet. This increases the risk of unauthorized access or attacks from external sources.
If public access is enabled, attackers could potentially connect to the database from anywhere, leading to data breaches, unauthorized data manipulation, or service disruption. This exposure puts sensitive data and resources at risk of compromise.
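The two Azure rules above (remote debugging on an App Service, public network access on a MariaDB server) are usually introduced through Terraform, where they can be caught before apply by evaluating the JSON plan. The script below is an added example, not from the page or from any policy tool. It assumes the azurerm attribute names ‘site_config[].remote_debugging_enabled’ and ‘public_network_access_enabled’, treats a missing MariaDB value as enabled because that is the provider default, and skips resources the plan destroys. The plan excerpt is constructed for the demonstration; the file name ‘check_plan.py’ is hypothetical.

```python
import json
import sys


def web_app_remote_debugging(after):
    """True if any site_config block of an App Service turns remote debugging on."""
    return any(sc.get("remote_debugging_enabled") for sc in after.get("site_config") or [])


def mariadb_public_access(after):
    """True if public network access is on.

    A missing value counts as enabled (the provider default, an assumption of
    this example); a value unknown until apply is also reported, conservatively.
    """
    return after.get("public_network_access_enabled", True) is not False


# Resource type -> (predicate over the planned attributes, finding text).
RULES = {
    "azurerm_linux_web_app": (web_app_remote_debugging, "remote debugging enabled"),
    "azurerm_windows_web_app": (web_app_remote_debugging, "remote debugging enabled"),
    "azurerm_app_service": (web_app_remote_debugging, "remote debugging enabled"),
    "azurerm_mariadb_server": (mariadb_public_access, "public network access enabled"),
}


def evaluate_plan(plan):
    """Return 'address: finding' strings for resources the plan would leave exposed."""
    findings = []
    for rc in plan.get("resource_changes") or []:
        after = (rc.get("change") or {}).get("after")
        if not after:
            continue  # destroy: there is no planned state to inspect
        rule = RULES.get(rc.get("type"))
        if rule and rule[0](after):
            findings.append(f"{rc['address']}: {rule[1]}")
    return findings


def fixed_plan(plan):
    """Return a copy of the plan with both settings corrected, to show the clean result."""
    fixed = json.loads(json.dumps(plan))
    for rc in fixed.get("resource_changes") or []:
        after = (rc.get("change") or {}).get("after") or {}
        for sc in after.get("site_config") or []:
            sc["remote_debugging_enabled"] = False
        if rc.get("type") == "azurerm_mariadb_server":
            after["public_network_access_enabled"] = False
    return fixed


# Constructed excerpt of 'terraform show -json tfplan' output, not a real deployment.
PLAN_JSON = """\
{
  "format_version": "1.2",
  "resource_changes": [
    {"address": "azurerm_linux_web_app.api", "type": "azurerm_linux_web_app",
     "change": {"actions": ["create"],
                "after": {"name": "api-prod", "https_only": true,
                          "site_config": [{"remote_debugging_enabled": true}]}}},
    {"address": "azurerm_mariadb_server.db", "type": "azurerm_mariadb_server",
     "change": {"actions": ["update"],
                "after": {"name": "db-prod", "public_network_access_enabled": true,
                          "ssl_enforcement_enabled": true}}},
    {"address": "azurerm_mariadb_server.retired", "type": "azurerm_mariadb_server",
     "change": {"actions": ["delete"], "after": null}}
  ]
}
"""

if __name__ == "__main__":
    # Usage: terraform show -json tfplan > plan.json; python3 check_plan.py plan.json
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else PLAN_JSON
    findings = evaluate_plan(json.loads(source))
    for line in findings:
        print(line)
    sys.exit(1 if findings else 0)
```

Evaluating the plan rather than the HCL catches values that arrive through variables or modules, and a non-zero exit lets the check gate a pipeline. Turning off public access on the database is only half of the fix; the application then needs a private endpoint or VNet rule to reach it, which this check does not verify.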