@O5ten
Created February 28, 2024 11:42
$ mend iac
Initializing: Done
Scanning: Done
[Retrieving: IaC misconfigurations] ◢
Scanned to Organization: Aurora Innovation Unified Platform | Application: My IAC Application, Project: iac
Detected 18 Misconfigurations (CRITICAL: 0, HIGH: 0, MEDIUM: 4, LOW: 14, UNKNOWN: 0)
+----------+------------+---------+----------+----------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+----------+
| FILE     | PROVIDER   | SERVICE | SEVERITY | DETAILS                                                                                                        | RESOLUTION                                                                                                                                                                               | START LINE | END LINE |
+----------+------------+---------+----------+----------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+----------+
| k8s.yaml | Kubernetes | general | MEDIUM   | Container 'backstage' of Deployment 'backstage' should set 'securityContext.runAsNonRoot' to true             | Set 'containers[].securityContext.runAsNonRoot' to true.                                                                                                                                 | 109        | 136      |
| k8s.yaml | Kubernetes | general | MEDIUM   | Container 'postgres' of Deployment 'postgres' should set 'securityContext.runAsNonRoot' to true               | Set 'containers[].securityContext.runAsNonRoot' to true.                                                                                                                                 | 159        | 176      |
| k8s.yaml | Kubernetes | general | MEDIUM   | Container 'backstage' of Deployment 'backstage' should set 'securityContext.allowPrivilegeEscalation' to false | Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.                                                                                                              | 109        | 136      |
| k8s.yaml | Kubernetes | general | MEDIUM   | Container 'postgres' of Deployment 'postgres' should set 'securityContext.allowPrivilegeEscalation' to false   | Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.                                                                                                              | 159        | 176      |
| k8s.yaml | Kubernetes | general | LOW      | container should drop all                                                                                      | Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.                            | 109        | 136      |
| k8s.yaml | Kubernetes | general | LOW      | Container 'postgres' of Deployment 'postgres' should set 'securityContext.runAsUser' > 10000                   | Set 'containers[].securityContext.runAsUser' to an integer > 10000.                                                                                                                      | 159        | 176      |
| k8s.yaml | Kubernetes | general | LOW      | Container 'backstage' of Deployment 'backstage' should set 'securityContext.runAsGroup' > 10000                | Set 'containers[].securityContext.runAsGroup' to an integer > 10000.                                                                                                                     | 109        | 136      |
| k8s.yaml | Kubernetes | general | LOW      | Container 'postgres' of Deployment 'postgres' should set 'securityContext.runAsGroup' > 10000                  | Set 'containers[].securityContext.runAsGroup' to an integer > 10000.                                                                                                                     | 159        | 176      |
| k8s.yaml | Kubernetes | general | LOW      | Container 'backstage' of Deployment 'backstage' should set 'securityContext.runAsUser' > 10000                 | Set 'containers[].securityContext.runAsUser' to an integer > 10000.                                                                                                                      | 109        | 136      |
| k8s.yaml | Kubernetes | general | LOW      | container should drop all                                                                                      | Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.                            | 159        | 176      |
| k8s.yaml | Kubernetes | general | LOW      | Container 'backstage' of Deployment 'backstage' should set 'securityContext.readOnlyRootFilesystem' to true    | Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.                                                                                                                  | 109        | 136      |
| k8s.yaml | Kubernetes | general | LOW      | Container 'postgres' of Deployment 'postgres' should set 'securityContext.readOnlyRootFilesystem' to true      | Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.                                                                                                                  | 159        | 176      |
| k8s.yaml | Kubernetes | general | LOW      | Container 'backstage' of Deployment 'backstage' should add 'ALL' to 'securityContext.capabilities.drop'        | Add 'ALL' to containers[].securityContext.capabilities.drop.                                                                                                                             | 109        | 136      |
| k8s.yaml | Kubernetes | general | LOW      | Container 'postgres' of Deployment 'postgres' should add 'ALL' to 'securityContext.capabilities.drop'          | Add 'ALL' to containers[].securityContext.capabilities.drop.                                                                                                                             | 159        | 176      |
| k8s.yaml | Kubernetes | general | LOW      | Container 'backstage' of Deployment 'backstage' should set 'resources.limits.cpu'                              | Set a limit value under 'containers[].resources.limits.cpu'.                                                                                                                             | 109        | 136      |
| k8s.yaml | Kubernetes | general | LOW      | Container 'backstage' of Deployment 'backstage' should set 'resources.requests.cpu'                            | Set 'containers[].resources.requests.cpu'.                                                                                                                                               | 109        | 136      |
| k8s.yaml | Kubernetes | general | LOW      | Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'                   | Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined. | 109        | 136      |
| k8s.yaml | Kubernetes | general | LOW      | Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'                   | Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined. | 159        | 176      |
+----------+------------+---------+----------+----------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+----------+