[SARIF] reported by reviewdog 🐶 #### C-0056 Configured liveness probe: Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the pods where the Liveness probe is not configured. *Remediation: Ensure Liveness probes are configured wherever possible.* Raw Output: message:"\n#### C-0056 Configured liveness probe:\nLiveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the pods where the Liveness probe is not configured.\n\n*Remediation: Ensure Liveness probes are configured wherever possible.*\n" location:{path:"." range:{start:{line:1 column:1}}} severity:WARNING source:{name:"kubescape" url:"https://armosec.io"} code:{value:"C-0056"}

[SARIF] reported by reviewdog 🐶 #### C-0045 Writable hostPath mount: Mounting host directory to the container can be used by attackers to get access to the underlying host and gain persistence. *Remediation: Refrain from using the hostPath mount or use the exception mechanism to remove unnecessary notifications.* Raw Output: message:"\n#### C-0045 Writable hostPath mount:\nMounting host directory to the container can be used by attackers to get access to the underlying host and gain persistence.\n\n*Remediation: Refrain from using the hostPath mount or use the exception mechanism to remove unnecessary notifications.*\n" location:{path:"." range:{start:{line:1 column:1}}} severity:WARNING source:{name:"kubescape" url:"https://armosec.io"} code:{value:"C-0045"}

[SARIF] reported by reviewdog 🐶 #### C-0013 Non-root containers: Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the pods running as root or can escalate to root. *Remediation: If your application does not need root privileges, make sure to define runAsNonRoot as true or explicitly set the runAsUser using ID 1000 or higher under the PodSecurityContext or container securityContext. In addition, set an explicit value for runAsGroup using ID 1000 or higher.* Raw Output: message:"\n#### C-0013 Non-root containers:\nPotential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the pods running as root or can escalate to root.\n\n*Remediation: If your application does not need root privileges, make sure to define runAsNonRoot as true or explicitly set the runAsUser using ID 1000 or higher under the PodSecurityContext or container securityContext. In addition, set an explicit value for runAsGroup using ID 1000 or higher.*\n" location:{path:"." range:{start:{line:1 column:1}}} severity:WARNING source:{name:"kubescape" url:"https://armosec.io"} code:{value:"C-0013"}

[SARIF] reported by reviewdog 🐶 #### C-0076 Label usage for resources: It is recommended to set labels that identify semantic attributes of your application or deployment. For example, { app: myapp, tier: frontend, phase: test, deployment: v3 }. These labels can used to assign policies to logical groups of the deployments as well as for presentation and tracking purposes. This control helps you find deployments without any of the expected labels. *Remediation: Define labels that are most suitable to your needs of use the exceptions to prevent further notifications.* Raw Output: message:"\n#### C-0076 Label usage for resources:\nIt is recommended to set labels that identify semantic attributes of your application or deployment. For example, { app: myapp, tier: frontend, phase: test, deployment: v3 }. These labels can used to assign policies to logical groups of the deployments as well as for presentation and tracking purposes. This control helps you find deployments without any of the expected labels.\n\n*Remediation: Define labels that are most suitable to your needs of use the exceptions to prevent further notifications.*\n" location:{path:"." range:{start:{line:1 column:1}}} severity:INFO source:{name:"kubescape" url:"https://armosec.io"} code:{value:"C-0076"}

[SARIF] reported by reviewdog 🐶 #### C-0048 HostPath mount: Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the pods using hostPath mount. *Remediation: Remove hostPath mounts unless they are absolutely necessary and use exception mechanism to remove notifications.* Raw Output: message:"\n#### C-0048 HostPath mount:\nMounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the pods using hostPath mount.\n\n*Remediation: Remove hostPath mounts unless they are absolutely necessary and use exception mechanism to remove notifications.*\n" location:{path:"." range:{start:{line:1 column:1}}} severity:WARNING source:{name:"kubescape" url:"https://armosec.io"} code:{value:"C-0048"}

[SARIF] reported by reviewdog 🐶 #### C-0016 Allow privilege escalation: Attackers may gain access to a container and uplift its privilege to enable excessive capabilities. *Remediation: If your application does not need it, make sure the allowPrivilegeEscalation field of the securityContext is set to false.* Raw Output: message:"\n#### C-0016 Allow privilege escalation:\nAttackers may gain access to a container and uplift its privilege to enable excessive capabilities.\n\n*Remediation: If your application does not need it, make sure the allowPrivilegeEscalation field of the securityContext is set to false.*\n" location:{path:"." range:{start:{line:1 column:1}}} severity:WARNING source:{name:"kubescape" url:"https://armosec.io"} code:{value:"C-0016"}

[SARIF] reported by reviewdog 🐶 #### C-0018 Configured readiness probe: Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured. *Remediation: Ensure Readiness probes are configured wherever possible.* Raw Output: message:"\n#### C-0018 Configured readiness probe:\nReadiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.\n\n*Remediation: Ensure Readiness probes are configured wherever possible.*\n" location:{path:"." range:{start:{line:1 column:1}}} severity:INFO source:{name:"kubescape" url:"https://armosec.io"} code:{value:"C-0018"}

[SARIF] reported by reviewdog 🐶 #### C-0017 Immutable container filesystem: Mutable container filesystem can be abused to inject malicious code or data into containers. Use immutable (read-only) filesystem to limit potential attacks. *Remediation: Set the filesystem of the container to read-only when possible (pod securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.* Raw Output: message:"\n#### C-0017 Immutable container filesystem:\nMutable container filesystem can be abused to inject malicious code or data into containers. Use immutable (read-only) filesystem to limit potential attacks.\n\n*Remediation: Set the filesystem of the container to read-only when possible (pod securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.*\n" location:{path:"." range:{start:{line:1 column:1}}} severity:INFO source:{name:"kubescape" url:"https://armosec.io"} code:{value:"C-0017"}

[SARIF] reported by reviewdog 🐶 #### C-0030 Ingress and Egress blocked: Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new pods, and then enable sources/destinations that this pod must communicate with. *Remediation: Define a network policy that restricts ingress and egress connections.* Raw Output: message:"\n#### C-0030 Ingress and Egress blocked:\nDisable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new pods, and then enable sources/destinations that this pod must communicate with.\n\n*Remediation: Define a network policy that restricts ingress and egress connections.*\n" location:{path:"." range:{start:{line:1 column:1}}} severity:WARNING source:{name:"kubescape" url:"https://armosec.io"} code:{value:"C-0030"}