testing

testing #32

Triggered via pull request June 1, 2025 05:37 by @jon-nfc (synchronize, #1, branch: development)
Status Success
Total duration 45s
Artifacts 1

Workflow: kubescape.yaml (on: pull_request)

Job: kubescape (40s)
Annotations

10 warnings
kubescape: Deployment-api.yaml#L70
[SARIF] reported by reviewdog 🐶
#### C-0055 Linux hardening:
Containers may be given more privileges than they actually need. This can increase the potential impact of a container compromise.
*Remediation: You can use AppArmor, Seccomp, SELinux and Linux Capabilities mechanisms to restrict containers abilities to utilize unwanted privileges.*
Severity: WARNING. Source: kubescape (https://armosec.io). Code: C-0055. Location: Deployment-api.yaml, line 70.
Suggested fix 1 (at line 70):
  securityContext:
    seccompProfile: YOUR_VALUE
Suggested fix 2 (at line 70):
  securityContext:
    seLinuxOptions: YOUR_VALUE
Suggested fix 3 (at line 70):
  securityContext:
    capabilities:
      drop:
        - YOUR_VALUE
kubescape: Deployment-api.yaml#L1
[SARIF] reported by reviewdog 🐶
#### C-0030 Ingress and Egress blocked:
Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new pods, and then enable sources/destinations that this pod must communicate with.
*Remediation: Define a network policy that restricts ingress and egress connections.*
Severity: WARNING. Source: kubescape (https://armosec.io). Code: C-0030. Location: Deployment-api.yaml, line 1. No suggested fix attached.
kubescape: Deployment-api.yaml#L70
[SARIF] reported by reviewdog 🐶
#### C-0016 Allow privilege escalation:
Attackers may gain access to a container and uplift its privilege to enable excessive capabilities.
*Remediation: If your application does not need it, make sure the allowPrivilegeEscalation field of the securityContext is set to false.*
Severity: WARNING. Source: kubescape (https://armosec.io). Code: C-0016. Location: Deployment-api.yaml, line 70.
Suggested fix 1 (at line 70):
  securityContext:
    allowPrivilegeEscalation: false
Suggested fix 2 (at line 70):
  securityContext:
    privileged: false
kubescape: Deployment-api.yaml#L70
[SARIF] reported by reviewdog 🐶
#### C-0013 Non-root containers:
Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the pods running as root or can escalate to root.
*Remediation: If your application does not need root privileges, make sure to define runAsNonRoot as true or explicitly set the runAsUser using ID 1000 or higher under the PodSecurityContext or container securityContext. In addition, set an explicit value for runAsGroup using ID 1000 or higher.*
Severity: WARNING. Source: kubescape (https://armosec.io). Code: C-0013. Location: Deployment-api.yaml, line 70.
Suggested fix 1 (at line 70):
  securityContext:
    runAsNonRoot: true
Suggested fix 2 (at line 70):
  securityContext:
    runAsGroup: 1000
kubescape: Deployment-api.yaml#L70
[SARIF] reported by reviewdog 🐶
#### C-0017 Immutable container filesystem:
Mutable container filesystem can be abused to inject malicious code or data into containers. Use immutable (read-only) filesystem to limit potential attacks.
*Remediation: Set the filesystem of the container to read-only when possible (pod securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.*
Severity: INFO. Source: kubescape (https://armosec.io). Code: C-0017. Location: Deployment-api.yaml, line 70.
Suggested fix (at line 70):
  securityContext:
    readOnlyRootFilesystem: true
kubescape: manifests/centurion/base#L1
[SARIF] reported by reviewdog 🐶
#### C-0055 Linux hardening:
Containers may be given more privileges than they actually need. This can increase the potential impact of a container compromise.
*Remediation: You can use AppArmor, Seccomp, SELinux and Linux Capabilities mechanisms to restrict containers abilities to utilize unwanted privileges.*
Severity: WARNING. Source: kubescape (https://armosec.io). Code: C-0055. Location: manifests/centurion/base, line 1. No suggested fix attached.
kubescape: manifests/centurion/base#L1
[SARIF] reported by reviewdog 🐶
#### C-0030 Ingress and Egress blocked:
Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new pods, and then enable sources/destinations that this pod must communicate with.
*Remediation: Define a network policy that restricts ingress and egress connections.*
Severity: WARNING. Source: kubescape (https://armosec.io). Code: C-0030. Location: manifests/centurion/base, line 1. No suggested fix attached.
kubescape: manifests/centurion/base#L1
[SARIF] reported by reviewdog 🐶
#### C-0016 Allow privilege escalation:
Attackers may gain access to a container and uplift its privilege to enable excessive capabilities.
*Remediation: If your application does not need it, make sure the allowPrivilegeEscalation field of the securityContext is set to false.*
Severity: WARNING. Source: kubescape (https://armosec.io). Code: C-0016. Location: manifests/centurion/base, line 1. No suggested fix attached.
kubescape: manifests/centurion/base#L1
[SARIF] reported by reviewdog 🐶
#### C-0013 Non-root containers:
Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the pods running as root or can escalate to root.
*Remediation: If your application does not need root privileges, make sure to define runAsNonRoot as true or explicitly set the runAsUser using ID 1000 or higher under the PodSecurityContext or container securityContext. In addition, set an explicit value for runAsGroup using ID 1000 or higher.*
Severity: WARNING. Source: kubescape (https://armosec.io). Code: C-0013. Location: manifests/centurion/base, line 1. No suggested fix attached.
kubescape: manifests/centurion/base#L1
[SARIF] reported by reviewdog 🐶
#### C-0017 Immutable container filesystem:
Mutable container filesystem can be abused to inject malicious code or data into containers. Use immutable (read-only) filesystem to limit potential attacks.
*Remediation: Set the filesystem of the container to read-only when possible (pod securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.*
Severity: INFO. Source: kubescape (https://armosec.io). Code: C-0017. Location: manifests/centurion/base, line 1. No suggested fix attached.

Artifacts

Produced during runtime

Name: results.sarif
Size: 1.97 KB
Digest: sha256:0f933b862d41158eaa0a788a6ac193cf69bd9c60ad0158a2c42ae5272cb14d99