| Repository | 1Password / scim-examples |
|---|---|
| Description | 1Password SCIM Bridge deployment examples |
| Stars | 117 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
terraform scan results:
Passed checks: 54, Failed checks: 15, Skipped checks: 0
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.scimsession
File: /aws-ecsfargate-terraform/main.tf:111-117
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html
111 | resource "aws_secretsmanager_secret" "scimsession" {
112 | name_prefix = local.name_prefix
113 | # Allow `terraform destroy` to delete secret (hint: save your scimsession file in 1Password)
114 | recovery_window_in_days = 0
115 |
116 | tags = local.tags
117 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.op_scim_bridge
File: /aws-ecsfargate-terraform/main.tf:124-129
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
124 | resource "aws_cloudwatch_log_group" "op_scim_bridge" {
125 | name_prefix = local.name_prefix
126 | retention_in_days = var.log_retention_days
127 |
128 | tags = local.tags
129 | }
Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
FAILED for resource: aws_ecs_cluster.op_scim_bridge
File: /aws-ecsfargate-terraform/main.tf:131-135
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11.html
131 | resource "aws_ecs_cluster" "op_scim_bridge" {
132 | name = var.name_prefix == "" ? "op-scim-bridge" : format("%s-%s", local.name_prefix, "scim-bridge")
133 |
134 | tags = local.tags
135 | }
Check: CKV_AWS_333: "Ensure ECS services do not have public IP addresses assigned to them automatically"
FAILED for resource: aws_ecs_service.op_scim_bridge
File: /aws-ecsfargate-terraform/main.tf:168-191
168 | resource "aws_ecs_service" "op_scim_bridge" {
169 | name = format("%s_%s", local.name_prefix, "service")
170 | cluster = aws_ecs_cluster.op_scim_bridge.id
171 | task_definition = aws_ecs_task_definition.op_scim_bridge.arn
172 | launch_type = "FARGATE"
173 | platform_version = "1.4.0"
174 | desired_count = 1
175 |
176 | load_balancer {
177 | target_group_arn = aws_lb_target_group.op_scim_bridge.arn
178 | container_name = jsondecode(file("${path.module}/task-definitions/scim.json"))[0].name
179 | container_port = 3002
180 | }
181 |
182 | network_configuration {
183 | subnets = data.aws_subnet_ids.public.ids
184 | assign_public_ip = true
185 | security_groups = [aws_security_group.service.id]
186 | }
187 |
188 | tags = local.tags
189 |
190 | depends_on = [aws_lb_listener.https]
191 | }
Check: CKV_AWS_332: "Ensure ECS Fargate services run on the latest Fargate platform version"
FAILED for resource: aws_ecs_service.op_scim_bridge
File: /aws-ecsfargate-terraform/main.tf:168-191
168 | resource "aws_ecs_service" "op_scim_bridge" {
169 | name = format("%s_%s", local.name_prefix, "service")
170 | cluster = aws_ecs_cluster.op_scim_bridge.id
171 | task_definition = aws_ecs_task_definition.op_scim_bridge.arn
172 | launch_type = "FARGATE"
173 | platform_version = "1.4.0"
174 | desired_count = 1
175 |
176 | load_balancer {
177 | target_group_arn = aws_lb_target_group.op_scim_bridge.arn
178 | container_name = jsondecode(file("${path.module}/task-definitions/scim.json"))[0].name
179 | container_port = 3002
180 | }
181 |
182 | network_configuration {
183 | subnets = data.aws_subnet_ids.public.ids
184 | assign_public_ip = true
185 | security_groups = [aws_security_group.service.id]
186 | }
187 |
188 | tags = local.tags
189 |
190 | depends_on = [aws_lb_listener.https]
191 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_alb.op_scim_bridge
File: /aws-ecsfargate-terraform/main.tf:193-200
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
193 | resource "aws_alb" "op_scim_bridge" {
194 | name = var.name_prefix == "" ? "op-scim-bridge-alb" : format("%s-%s", local.name_prefix, "alb")
195 | load_balancer_type = "application"
196 | subnets = data.aws_subnet_ids.public.ids
197 | security_groups = [aws_security_group.alb.id]
198 |
199 | tags = local.tags
200 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_alb.op_scim_bridge
File: /aws-ecsfargate-terraform/main.tf:193-200
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
193 | resource "aws_alb" "op_scim_bridge" {
194 | name = var.name_prefix == "" ? "op-scim-bridge-alb" : format("%s-%s", local.name_prefix, "alb")
195 | load_balancer_type = "application"
196 | subnets = data.aws_subnet_ids.public.ids
197 | security_groups = [aws_security_group.alb.id]
198 |
199 | tags = local.tags
200 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_alb.op_scim_bridge
File: /aws-ecsfargate-terraform/main.tf:193-200
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
193 | resource "aws_alb" "op_scim_bridge" {
194 | name = var.name_prefix == "" ? "op-scim-bridge-alb" : format("%s-%s", local.name_prefix, "alb")
195 | load_balancer_type = "application"
196 | subnets = data.aws_subnet_ids.public.ids
197 | security_groups = [aws_security_group.alb.id]
198 |
199 | tags = local.tags
200 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.alb
File: /aws-ecsfargate-terraform/main.tf:202-222
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
202 | resource "aws_security_group" "alb" {
203 | # Create a security group for the load balancer
204 | vpc_id = data.aws_vpc.this.id
205 | # Allow HTTPS traffic to the load balancer from anywhere
206 | ingress {
207 | from_port = 443
208 | to_port = 443
209 | protocol = "tcp"
210 | cidr_blocks = ["0.0.0.0/0"]
211 | }
212 |
213 | # Restrict outgoing traffic from the load balancer to the ECS service
214 | egress {
215 | from_port = 3002
216 | to_port = 3002
217 | protocol = "tcp"
218 | cidr_blocks = [data.aws_vpc.this.cidr_block]
219 | }
220 |
221 | tags = local.tags
222 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.service
File: /aws-ecsfargate-terraform/main.tf:224-245
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
224 | resource "aws_security_group" "service" {
225 | # Create a security group for the service
226 | vpc_id = data.aws_vpc.this.id
227 |
228 | # Restrict incoming traffic to the service from the load balancer security group
229 | ingress {
230 | from_port = 3002
231 | to_port = 3002
232 | protocol = "tcp"
233 | security_groups = [aws_security_group.alb.id]
234 | }
235 |
236 | # Allow HTTPS traffic from the service to anywhere (to allow TCP traffic to 1Password servers)
237 | egress {
238 | from_port = 443
239 | to_port = 443
240 | protocol = "tcp"
241 | cidr_blocks = ["0.0.0.0/0"]
242 | }
243 |
244 | tags = local.tags
245 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: aws_lb_listener.https
File: /aws-ecsfargate-terraform/main.tf:261-273
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
261 | resource "aws_lb_listener" "https" {
262 | load_balancer_arn = aws_alb.op_scim_bridge.arn
263 | port = 443
264 | protocol = "HTTPS"
265 | certificate_arn = !var.wildcard_cert ? (
266 | var.using_route53 ?
267 | aws_acm_certificate_validation.op_scim_bridge[0].certificate_arn : aws_acm_certificate.op_scim_bridge[0].arn
268 | ) : data.aws_acm_certificate.wildcard_cert[0].arn
269 | default_action {
270 | type = "forward"
271 | target_group_arn = aws_lb_target_group.op_scim_bridge.arn
272 | }
273 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: aws_alb.op_scim_bridge
File: /aws-ecsfargate-terraform/main.tf:193-200
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
193 | resource "aws_alb" "op_scim_bridge" {
194 | name = var.name_prefix == "" ? "op-scim-bridge-alb" : format("%s-%s", local.name_prefix, "alb")
195 | load_balancer_type = "application"
196 | subnets = data.aws_subnet_ids.public.ids
197 | security_groups = [aws_security_group.alb.id]
198 |
199 | tags = local.tags
200 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.scimsession
File: /aws-ecsfargate-terraform/main.tf:111-117
111 | resource "aws_secretsmanager_secret" "scimsession" {
112 | name_prefix = local.name_prefix
113 | # Allow `terraform destroy` to delete secret (hint: save your scimsession file in 1Password)
114 | recovery_window_in_days = 0
115 |
116 | tags = local.tags
117 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: module.google_workspace[0].aws_secretsmanager_secret.workspace_settings
File: /aws-ecsfargate-terraform/modules/google-workspace/main.tf:36-40
36 | resource "aws_secretsmanager_secret" "workspace_settings" {
37 | name_prefix = var.name_prefix
38 |
39 | recovery_window_in_days = 0
40 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: module.google_workspace[0].aws_secretsmanager_secret.workspace_credentials
File: /aws-ecsfargate-terraform/modules/google-workspace/main.tf:50-54
50 | resource "aws_secretsmanager_secret" "workspace_credentials" {
51 | name_prefix = var.name_prefix
52 |
53 | recovery_window_in_days = 0
54 | }
cloudformation scan results:
Passed checks: 24, Failed checks: 13, Skipped checks: 0
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: AWS::SecretsManager::Secret.scimsessionSecret
File: /beta/aws-ecsfargate-cfn/op-scim-bridge.yaml:133-137
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html
133 | scimsessionSecret:
134 | Type: "AWS::SecretsManager::Secret"
135 | Properties:
136 | SecretString: !Base64
137 | Ref: scimsession
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: AWS::SecretsManager::Secret.WorkspaceCredentialsSecret
File: /beta/aws-ecsfargate-cfn/op-scim-bridge.yaml:138-143
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html
138 | WorkspaceCredentialsSecret:
139 | Type: "AWS::SecretsManager::Secret"
140 | Condition: UsingGoogleWorkspace
141 | Properties:
142 | SecretString: !Base64
143 | Ref: WorkspaceCredentials
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: AWS::SecretsManager::Secret.WorkspaceSettingsSecret
File: /beta/aws-ecsfargate-cfn/op-scim-bridge.yaml:144-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html
144 | WorkspaceSettingsSecret:
145 | Type: "AWS::SecretsManager::Secret"
146 | Condition: UsingGoogleWorkspace
147 | Properties:
148 | SecretString:
149 | Fn::Base64: !Sub |
150 | {
151 | "actor":"${WorkspaceActor}",
152 | "bridgeAddress":"https://${DNSRecord}"
153 | }
Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
FAILED for resource: AWS::ECS::Cluster.ECSCluster
File: /beta/aws-ecsfargate-cfn/op-scim-bridge.yaml:155-162
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11.html
155 | ECSCluster:
156 | Type: "AWS::ECS::Cluster"
157 | Properties:
158 | CapacityProviders:
159 | - FARGATE
160 | DefaultCapacityProviderStrategy:
161 | - CapacityProvider: FARGATE
162 | Weight: 1
Check: CKV_AWS_66: "Ensure that CloudWatch Log Group specifies retention days"
FAILED for resource: AWS::Logs::LogGroup.LogGroup
File: /beta/aws-ecsfargate-cfn/op-scim-bridge.yaml:315-316
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-13.html
315 | LogGroup:
316 | Type: "AWS::Logs::LogGroup"
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: AWS::Logs::LogGroup.LogGroup
File: /beta/aws-ecsfargate-cfn/op-scim-bridge.yaml:315-316
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
315 | LogGroup:
316 | Type: "AWS::Logs::LogGroup"
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: AWS::ElasticLoadBalancingV2::LoadBalancer.LoadBalancer
File: /beta/aws-ecsfargate-cfn/op-scim-bridge.yaml:362-371
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
362 | LoadBalancer:
363 | DependsOn: GatewayAttachment
364 | Type: "AWS::ElasticLoadBalancingV2::LoadBalancer"
365 | Properties:
366 | Scheme: internet-facing
367 | Subnets:
368 | - !Ref PublicSubnet1
369 | - !Ref PublicSubnet2
370 | SecurityGroups:
371 | - !Ref LoadBalancerSecurityGroup
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: AWS::ElasticLoadBalancingV2::LoadBalancer.LoadBalancer
File: /beta/aws-ecsfargate-cfn/op-scim-bridge.yaml:362-371
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
362 | LoadBalancer:
363 | DependsOn: GatewayAttachment
364 | Type: "AWS::ElasticLoadBalancingV2::LoadBalancer"
365 | Properties:
366 | Scheme: internet-facing
367 | Subnets:
368 | - !Ref PublicSubnet1
369 | - !Ref PublicSubnet2
370 | SecurityGroups:
371 | - !Ref LoadBalancerSecurityGroup
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: AWS::EC2::SecurityGroup.LoadBalancerSecurityGroup
File: /beta/aws-ecsfargate-cfn/op-scim-bridge.yaml:372-388
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
372 | LoadBalancerSecurityGroup:
373 | Type: "AWS::EC2::SecurityGroup"
374 | Properties:
375 | GroupDescription: >-
376 | Allow public HTTPS ingress to the load balancer from the identity
377 | provider, restrict egress to the VPC for 1Password SCIM Bridge
378 | VpcId: !Ref VPC
379 | SecurityGroupIngress:
380 | - IpProtocol: tcp
381 | FromPort: 443
382 | ToPort: 443
383 | CidrIp: 0.0.0.0/0
384 | SecurityGroupEgress:
385 | - IpProtocol: tcp
386 | FromPort: 3002
387 | ToPort: 3002
388 | CidrIp: !GetAtt VPC.CidrBlock
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: AWS::EC2::SecurityGroup.ServiceSecurityGroup
File: /beta/aws-ecsfargate-cfn/op-scim-bridge.yaml:389-405
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
389 | ServiceSecurityGroup:
390 | Type: "AWS::EC2::SecurityGroup"
391 | Properties:
392 | GroupDescription: >-
393 | Restrict ingress to ECS Service from load balancer, allow egress to
394 | 1Password.com for 1Password SCIM Bridge.
395 | VpcId: !Ref VPC
396 | SecurityGroupIngress:
397 | - IpProtocol: tcp
398 | FromPort: 3002
399 | ToPort: 3002
400 | SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup
401 | SecurityGroupEgress:
402 | - IpProtocol: tcp
403 | FromPort: 443
404 | ToPort: 443
405 | CidrIp: 0.0.0.0/0
Check: CKV_AWS_103: "Ensure that Load Balancer Listener is using at least TLS v1.2"
FAILED for resource: AWS::ElasticLoadBalancingV2::Listener.HTTPSListener
File: /beta/aws-ecsfargate-cfn/op-scim-bridge.yaml:406-416
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
406 | HTTPSListener:
407 | Type: "AWS::ElasticLoadBalancingV2::Listener"
408 | Properties:
409 | DefaultActions:
410 | - Type: forward
411 | TargetGroupArn: !Ref TargetGroup
412 | LoadBalancerArn: !Ref LoadBalancer
413 | Port: 443
414 | Protocol: HTTPS
415 | Certificates:
416 | - CertificateArn: !Ref TLSCertificate
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: AWS::IAM::Role.ExecutionRole
File: /beta/aws-ecsfargate-cfn/op-scim-bridge.yaml:417-467
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: AWS::IAM::Role.TaskRole
File: /beta/aws-ecsfargate-cfn/op-scim-bridge.yaml:486-530
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
486 | TaskRole:
487 | Type: "AWS::IAM::Role"
488 | Properties:
489 | AssumeRolePolicyDocument:
490 | Version: 2012-10-17
491 | Statement:
492 | - Effect: Allow
493 | Principal:
494 | Service:
495 | - ecs-tasks.amazonaws.com
496 | Action:
497 | - "sts:AssumeRole"
498 | Path: /
499 | Policies:
500 | - PolicyName: cloudwatch_logging
501 | PolicyDocument:
502 | Version: 2012-10-17
503 | Statement:
504 | - Effect: Allow
505 | Action:
506 | - "logs:CreateLogGroup"
507 | - "logs:CreateLogStream"
508 | - "logs:PutLogEvents"
509 | Resource: "*"
510 | - PolicyName: vpc_access
511 | PolicyDocument:
512 | Version: 2012-10-17
513 | Statement:
514 | - Effect: Allow
515 | Action:
516 | - "ec2:CreateNetworkInterface"
517 | - "ec2:DescribeNetworkInterfaces"
518 | - "ec2:DeleteNetworkInterface"
519 | Resource: "*"
520 | - PolicyName: task_execution_role_policy
521 | PolicyDocument:
522 | Version: 2012-10-17
523 | Statement:
524 | - Effect: Allow
525 | Action:
526 | - "ecr:GetAuthorizationToken"
527 | - "ecr:BatchCheckLayerAvailability"
528 | - "ecr:GetDownloadUrlForLayer"
529 | - "ecr:BatchGetImage"
530 | Resource: "*"
kubernetes scan results:
Passed checks: 288, Failed checks: 72, Skipped checks: 0
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.op-scim-configmap
File: /kubernetes/op-scim-config.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: ConfigMap
3 | metadata:
4 | name: op-scim-configmap
5 | data:
6 | # Set this to the FQDN you've selected for your SCIM Bridge deployment
7 | # this will enable the complimentary LetsEncrypt challenge server if OP_TLS_CERT_FILE and OP_TLS_KEY_FILE are not set (or valid)
8 | OP_TLS_DOMAIN: ""
9 | # (advanced) only change the options below if you need to
10 | OP_REDIS_URL: "redis://op-scim-redis:6379"
11 | OP_PRETTY_LOGS: "0"
12 | OP_DEBUG: "0"
13 | OP_TRACE: "0"
14 | OP_PING_SERVER: "0"
15 | OP_SESSION: "/secrets/scimsession"
16 | # OP_CONFIRMATION_INTERVAL sets the interval for the ConfirmationWatcher service, responsible for automatically confirming users who have accepted their invite (default: 300 seconds, minimum: 30 seconds)
17 | #OP_CONFIRMATION_INTERVAL=300
18 | # OP_DNS_CHALLENGE_CONFIG_FILE sets the path for a Let's Encrypt DNS-01 configuration file
19 | #OP_DNS_CHALLENGE_CONFIG_FILE=/secrets/dns01-config
20 | # OP_TLS_KEY_FILE and OP_TLS_CERT_FILE define the path of a valid SSL key/cert files
21 | # if not present, Let's Encrypt will be used to acquire a TLS certificate
22 | # NOTE: both of these variables must be defined together to work as expected
23 | #OP_TLS_KEY_FILE: "/secrets/tls.key"
24 | #OP_TLS_CERT_FILE: "/secrets/tls.crt"
25 | # (optional) uncomment this line to change the email that is used when Let's Encrypt issues your SCIM bridge a certificate
26 | # default: "1pw@[OP_TLS_DOMAIN]"
27 | #OP_LETSENCRYPT_EMAIL: "[email protected]"
28 | # (Workspace Beta) these settings are specific to those participating in the Google Workspace provisioning beta
29 | OP_WORKSPACE_CREDENTIALS: "/secrets/workspace-credentials.json"
30 | OP_WORKSPACE_SETTINGS: "/secrets/workspace-settings.json"
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.op-scim-redis
File: /kubernetes/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: op-scim-redis
5 | spec:
6 | selector:
7 | matchLabels:
8 | app: op-scim-redis
9 | replicas: 1
10 | template:
11 | metadata:
12 | labels:
13 | app: op-scim-redis
14 | spec:
15 | containers:
16 | - name: op-scim-redis
17 | image: redis:latest
18 | ports:
19 | - containerPort: 6379
20 | name: redis
21 | resources:
22 | requests:
23 | cpu: 125m
24 | memory: 256M
25 | limits:
26 | cpu: 250m
27 | memory: 512M
28 | envFrom:
29 | - configMapRef:
30 | name: op-redis-configmap
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.op-scim-redis
File: /kubernetes/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: op-scim-redis
5 | spec:
6 | selector:
7 | matchLabels:
8 | app: op-scim-redis
9 | replicas: 1
10 | template:
11 | metadata:
12 | labels:
13 | app: op-scim-redis
14 | spec:
15 | containers:
16 | - name: op-scim-redis
17 | image: redis:latest
18 | ports:
19 | - containerPort: 6379
20 | name: redis
21 | resources:
22 | requests:
23 | cpu: 125m
24 | memory: 256M
25 | limits:
26 | cpu: 250m
27 | memory: 512M
28 | envFrom:
29 | - configMapRef:
30 | name: op-redis-configmap
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.op-scim-redis
File: /kubernetes/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: op-scim-redis
5 | spec:
6 | selector:
7 | matchLabels:
8 | app: op-scim-redis
9 | replicas: 1
10 | template:
11 | metadata:
12 | labels:
13 | app: op-scim-redis
14 | spec:
15 | containers:
16 | - name: op-scim-redis
17 | image: redis:latest
18 | ports:
19 | - containerPort: 6379
20 | name: redis
21 | resources:
22 | requests:
23 | cpu: 125m
24 | memory: 256M
25 | limits:
26 | cpu: 250m
27 | memory: 512M
28 | envFrom:
29 | - configMapRef:
30 | name: op-redis-configmap
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.op-scim-redis
File: /kubernetes/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: op-scim-redis
5 | spec:
6 | selector:
7 | matchLabels:
8 | app: op-scim-redis
9 | replicas: 1
10 | template:
11 | metadata:
12 | labels:
13 | app: op-scim-redis
14 | spec:
15 | containers:
16 | - name: op-scim-redis
17 | image: redis:latest
18 | ports:
19 | - containerPort: 6379
20 | name: redis
21 | resources:
22 | requests:
23 | cpu: 125m
24 | memory: 256M
25 | limits:
26 | cpu: 250m
27 | memory: 512M
28 | envFrom:
29 | - configMapRef:
30 | name: op-redis-configmap
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.op-scim-redis
File: /kubernetes/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: op-scim-redis
5 | spec:
6 | selector:
7 | matchLabels:
8 | app: op-scim-redis
9 | replicas: 1
10 | template:
11 | metadata:
12 | labels:
13 | app: op-scim-redis
14 | spec:
15 | containers:
16 | - name: op-scim-redis
17 | image: redis:latest
18 | ports:
19 | - containerPort: 6379
20 | name: redis
21 | resources:
22 | requests:
23 | cpu: 125m
24 | memory: 256M
25 | limits:
26 | cpu: 250m
27 | memory: 512M
28 | envFrom:
29 | - configMapRef:
30 | name: op-redis-configmap
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.op-scim-redis
File: /kubernetes/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: op-scim-redis
5 | spec:
6 | selector:
7 | matchLabels:
8 | app: op-scim-redis
9 | replicas: 1
10 | template:
11 | metadata:
12 | labels:
13 | app: op-scim-redis
14 | spec:
15 | containers:
16 | - name: op-scim-redis
17 | image: redis:latest
18 | ports:
19 | - containerPort: 6379
20 | name: redis
21 | resources:
22 | requests:
23 | cpu: 125m
24 | memory: 256M
25 | limits:
26 | cpu: 250m
27 | memory: 512M
28 | envFrom:
29 | - configMapRef:
30 | name: op-redis-configmap
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.op-scim-redis
File: /kubernetes/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: op-scim-redis
5 | spec:
6 | selector:
7 | matchLabels:
8 | app: op-scim-redis
9 | replicas: 1
10 | template:
11 | metadata:
12 | labels:
13 | app: op-scim-redis
14 | spec:
15 | containers:
16 | - name: op-scim-redis
17 | image: redis:latest
18 | ports:
19 | - containerPort: 6379
20 | name: redis
21 | resources:
22 | requests:
23 | cpu: 125m
24 | memory: 256M
25 | limits:
26 | cpu: 250m
27 | memory: 512M
28 | envFrom:
29 | - configMapRef:
30 | name: op-redis-configmap
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.op-scim-redis
File: /kubernetes/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: op-scim-redis
5 | spec:
6 | selector:
7 | matchLabels:
8 | app: op-scim-redis
9 | replicas: 1
10 | template:
11 | metadata:
12 | labels:
13 | app: op-scim-redis
14 | spec:
15 | containers:
16 | - name: op-scim-redis
17 | image: redis:latest
18 | ports:
19 | - containerPort: 6379
20 | name: redis
21 | resources:
22 | requests:
23 | cpu: 125m
24 | memory: 256M
25 | limits:
26 | cpu: 250m
27 | memory: 512M
28 | envFrom:
29 | - configMapRef:
30 | name: op-redis-configmap
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.op-scim-redis
File: /kubernetes/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: op-scim-redis
5 | spec:
6 | selector:
7 | matchLabels:
8 | app: op-scim-redis
9 | replicas: 1
10 | template:
11 | metadata:
12 | labels:
13 | app: op-scim-redis
14 | spec:
15 | containers:
16 | - name: op-scim-redis
17 | image: redis:latest
18 | ports:
19 | - containerPort: 6379
20 | name: redis
21 | resources:
22 | requests:
23 | cpu: 125m
24 | memory: 256M
25 | limits:
26 | cpu: 250m
27 | memory: 512M
28 | envFrom:
29 | - configMapRef:
30 | name: op-redis-configmap
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.op-scim-redis
File: /kubernetes/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: op-scim-redis
5 | spec:
6 | selector:
7 | matchLabels:
8 | app: op-scim-redis
9 | replicas: 1
10 | template:
11 | metadata:
12 | labels:
13 | app: op-scim-redis
14 | spec:
15 | containers:
16 | - name: op-scim-redis
17 | image: redis:latest
18 | ports:
19 | - containerPort: 6379
20 | name: redis
21 | resources:
22 | requests:
23 | cpu: 125m
24 | memory: 256M
25 | limits:
26 | cpu: 250m
27 | memory: 512M
28 | envFrom:
29 | - configMapRef:
30 | name: op-redis-configmap
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.op-scim-redis
File: /kubernetes/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.op-scim-redis
File: /kubernetes/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.op-scim-redis
File: /kubernetes/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.op-scim-redis
File: /kubernetes/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.op-scim-redis
File: /kubernetes/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.op-scim-bridge
File: /kubernetes/op-scim-deployment.yaml:1-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.op-scim-bridge
File: /kubernetes/op-scim-deployment.yaml:1-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.op-scim-bridge
File: /kubernetes/op-scim-deployment.yaml:1-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.op-scim-bridge
File: /kubernetes/op-scim-deployment.yaml:1-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.op-scim-bridge
File: /kubernetes/op-scim-deployment.yaml:1-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.op-scim-bridge
File: /kubernetes/op-scim-deployment.yaml:1-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.op-scim-bridge
File: /kubernetes/op-scim-deployment.yaml:1-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.op-scim-bridge
File: /kubernetes/op-scim-deployment.yaml:1-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.op-scim-bridge
File: /kubernetes/op-scim-deployment.yaml:1-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.op-scim-bridge
File: /kubernetes/op-scim-deployment.yaml:1-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.op-scim-bridge
File: /kubernetes/op-scim-deployment.yaml:1-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.op-scim-bridge
File: /kubernetes/op-scim-deployment.yaml:1-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.op-scim-bridge
File: /kubernetes/op-scim-deployment.yaml:1-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.op-scim-bridge
File: /kubernetes/op-scim-deployment.yaml:1-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.op-scim-bridge
File: /kubernetes/op-scim-deployment.yaml:1-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.op-scim-redis
File: /kubernetes/redis-service.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   name: op-scim-redis
5 |   labels:
6 |     app: op-scim-redis
7 | spec:
8 |   ports:
9 |     - port: 6379
10 |       targetPort: redis
11 |   selector:
12 |     app: op-scim-redis
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.op-scim-bridge
File: /kubernetes/op-scim-service.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   name: op-scim-bridge
5 |   labels:
6 |     app: op-scim-bridge
7 | spec:
8 |   type: LoadBalancer
9 |   ports:
10 |     # Use this port in the standard configuration to terminate TLS at the SCIM
11 |     # bridge container using Let's Encrypt
12 |     - protocol: TCP
13 |       name: https
14 |       port: 443
15 |       targetPort: https
16 |     # Use this port when terminating TLS in front of the SCIM bridge to listen
17 |     # for unencrypted traffic redirected from a reverse proxy or load balancer
18 |     # - protocol: TCP
19 |     #   name: http
20 |     #   port: 80
21 |     #   targetPort: http
22 |   selector:
23 |     app: op-scim-bridge
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.op-redis-configmap
File: /kubernetes/redis-config.yaml:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: ConfigMap
3 | metadata:
4 |   name: op-redis-configmap
5 | data:
6 |   # Set the arguments passed to Redis
7 |   # - maxmemory configures Redis to use a specified amount of memory for the data set
8 |   # - maxmemory-policy is the eviction policy used when the maximum memory is reached
9 |   REDIS_ARGS: "--maxmemory 256mb --maxmemory-policy volatile-lru"
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.op-scim-configmap
File: /beta/kustomize/base/op-scim-config.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: ConfigMap
3 | metadata:
4 |   name: op-scim-configmap
5 | data:
6 |   # Set this to the FQDN you've selected for your SCIM Bridge deployment
7 |   # this will enable the complimentary LetsEncrypt challenge server if OP_TLS_CERT_FILE and OP_TLS_KEY_FILE are not set (or valid)
8 |   # OP_TLS_DOMAIN: ""
9 |   # (advanced) only change the options below if you need to
10 |   OP_REDIS_URL: "redis://op-scim-redis:6379"
11 |   OP_PRETTY_LOGS: "0"
12 |   OP_DEBUG: "0"
13 |   OP_TRACE: "0"
14 |   OP_PING_SERVER: "0"
15 |   OP_SESSION: "/secrets/scimsession"
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.op-scim-redis
File: /beta/kustomize/base/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: op-scim-redis
5 | spec:
6 |   selector:
7 |     matchLabels:
8 |       app: op-scim-redis
9 |   replicas: 1
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: op-scim-redis
14 |     spec:
15 |       containers:
16 |         - name: op-scim-redis
17 |           image: redis:latest
18 |           ports:
19 |             - containerPort: 6379
20 |               name: redis
21 |           resources:
22 |             requests:
23 |               cpu: 125m
24 |               memory: 256M
25 |             limits:
26 |               cpu: 250m
27 |               memory: 512M
28 |           envFrom:
29 |             - configMapRef:
30 |                 name: op-redis-configmap
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.op-scim-redis
File: /beta/kustomize/base/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.op-scim-redis
File: /beta/kustomize/base/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.op-scim-redis
File: /beta/kustomize/base/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.op-scim-redis
File: /beta/kustomize/base/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.op-scim-redis
File: /beta/kustomize/base/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.op-scim-redis
File: /beta/kustomize/base/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.op-scim-redis
File: /beta/kustomize/base/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.op-scim-redis
File: /beta/kustomize/base/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.op-scim-redis
File: /beta/kustomize/base/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.op-scim-redis
File: /beta/kustomize/base/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.op-scim-redis
File: /beta/kustomize/base/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.op-scim-redis
File: /beta/kustomize/base/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.op-scim-redis
File: /beta/kustomize/base/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.op-scim-redis
File: /beta/kustomize/base/redis-deployment.yaml:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.op-scim-bridge
File: /beta/kustomize/base/op-scim-deployment.yaml:1-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.op-scim-bridge
File: /beta/kustomize/base/op-scim-deployment.yaml:1-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.op-scim-bridge
File: /beta/kustomize/base/op-scim-deployment.yaml:1-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.op-scim-bridge
File: /beta/kustomize/base/op-scim-deployment.yaml:1-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.op-scim-bridge
File: /beta/kustomize/base/op-scim-deployment.yaml:1-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.op-scim-bridge
File: /beta/kustomize/base/op-scim-deployment.yaml:1-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.op-scim-bridge
File: /beta/kustomize/base/op-scim-deployment.yaml:1-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.op-scim-bridge
File: /beta/kustomize/base/op-scim-deployment.yaml:1-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.op-scim-bridge
File: /beta/kustomize/base/op-scim-deployment.yaml:1-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.op-scim-bridge
File: /beta/kustomize/base/op-scim-deployment.yaml:1-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.op-scim-bridge
File: /beta/kustomize/base/op-scim-deployment.yaml:1-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.op-scim-bridge
File: /beta/kustomize/base/op-scim-deployment.yaml:1-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.op-scim-bridge
File: /beta/kustomize/base/op-scim-deployment.yaml:1-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.op-scim-bridge
File: /beta/kustomize/base/op-scim-deployment.yaml:1-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.op-scim-bridge
File: /beta/kustomize/base/op-scim-deployment.yaml:1-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.op-scim-redis
File: /beta/kustomize/base/redis-service.yaml:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   name: op-scim-redis
5 | spec:
6 |   selector:
7 |     app: op-scim-redis
8 |   ports:
9 |     - port: 6379
10 |       targetPort: redis
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.op-scim-service
File: /beta/kustomize/base/op-scim-service.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   name: op-scim-service
5 | spec:
6 |   type: LoadBalancer
7 |   ports:
8 |     # Use this port in the standard configuration to terminate TLS at the SCIM
9 |     # bridge container using Let's Encrypt
10 |     # - protocol: TCP
11 |     #   name: https
12 |     #   port: 443
13 |     #   targetPort: https
14 |     # Use this port when terminating TLS in front of the SCIM bridge to listen
15 |     # for unencrypted traffic redirected from a reverse proxy or load balancer
16 |     - protocol: TCP
17 |       name: http
18 |       port: 80
19 |       targetPort: http
20 |   selector:
21 |     app: op-scim-bridge
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.op-redis-configmap
File: /beta/kustomize/base/redis-config.yaml:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: ConfigMap
3 | metadata:
4 |   name: op-redis-configmap
5 | data:
6 |   # Set the arguments passed to Redis
7 |   # - maxmemory configures Redis to use a specified amount of memory for the data set
8 |   # - maxmemory-policy is the eviction policy used when the maximum memory is reached
9 |   REDIS_ARGS: "--maxmemory 256mb --maxmemory-policy volatile-lru"
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.op-scim-redis.app-op-scim-redis
File: /kubernetes/redis-deployment.yaml:1-30
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: op-scim-redis
5 | spec:
6 |   selector:
7 |     matchLabels:
8 |       app: op-scim-redis
9 |   replicas: 1
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: op-scim-redis
14 |     spec:
15 |       containers:
16 |         - name: op-scim-redis
17 |           image: redis:latest
18 |           ports:
19 |             - containerPort: 6379
20 |               name: redis
21 |           resources:
22 |             requests:
23 |               cpu: 125m
24 |               memory: 256M
25 |             limits:
26 |               cpu: 250m
27 |               memory: 512M
28 |           envFrom:
29 |             - configMapRef:
30 |                 name: op-redis-configmap
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.op-scim-bridge.app-op-scim-bridge
File: /kubernetes/op-scim-deployment.yaml:1-58
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.op-scim-redis.app-op-scim-redis
File: /beta/kustomize/base/redis-deployment.yaml:1-30
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: op-scim-redis
5 | spec:
6 |   selector:
7 |     matchLabels:
8 |       app: op-scim-redis
9 |   replicas: 1
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: op-scim-redis
14 |     spec:
15 |       containers:
16 |         - name: op-scim-redis
17 |           image: redis:latest
18 |           ports:
19 |             - containerPort: 6379
20 |               name: redis
21 |           resources:
22 |             requests:
23 |               cpu: 125m
24 |               memory: 256M
25 |             limits:
26 |               cpu: 250m
27 |               memory: 512M
28 |           envFrom:
29 |             - configMapRef:
30 |                 name: op-redis-configmap
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.op-scim-bridge.app-op-scim-bridge
File: /beta/kustomize/base/op-scim-deployment.yaml:1-52
Code lines for this resource are too many. Please use IDE of your choice to review the file.
secrets scan results:
Passed checks: 0, Failed checks: 1, Skipped checks: 0
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: b8fae40dd5f2fabe392554a03b0b8bd2942b605b
File: /dns01.example.json:16-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
16 | "api_token": "API-***************"
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools