| Repository | Azure / caf-terraform-landingzones |
|---|---|
| Description | Azure Terraform SRE framework |
| Stars | 709 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the CI/CD configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
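As an added example (not part of this report or of the caf-terraform-landingzones repository), here is a GitHub Actions workflow that runs checkov on every push and pull request. The choice of GitHub Actions, the workflow and step names, the Python version and the SARIF output path are assumptions; the repository's own CI system may differ. The `--download-external-modules true` flag matters: the warnings at the top of the checkov output below show that the aztfmod/caf and Azure/caf-enterprise-scale registry modules were skipped, so the `terraform` result of 6 passed and 0 failed covers only the code that lives in this repository, not the modules it actually deploys.

```yaml
# Added example, not from the caf-terraform-landingzones repository.
# Assumes GitHub Actions; step names, Python version and output paths are arbitrary.
name: iac-security-scan

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # required by the SARIF upload step

jobs:
  checkov:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      - name: Install checkov
        run: pip install checkov

      # --download-external-modules true makes checkov fetch the registry modules
      # (aztfmod/caf, Azure/caf-enterprise-scale) instead of skipping them with a
      # warning, so the terraform result covers the code this repo really deploys.
      - name: Scan Terraform and Kubernetes manifests
        run: |
          checkov -d . \
            --framework terraform kubernetes \
            --download-external-modules true \
            -o cli -o sarif --output-file-path console,results.sarif

      # Publish findings to the repository's code scanning tab even when the scan fails.
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

With 39 Kubernetes findings open, this job fails on its first run because checkov exits non-zero on any failed check. Rather than `--soft-fail`, which also hides regressions, run `checkov -d . --create-baseline` once and add `--baseline .checkov.baseline` to the scan step so the gate blocks new findings while the existing ones are remediated.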
Checkov Output
2023-10-05 14:44:49,500 [MainThread ] [WARNI] Failed to download module aztfmod/caf/azurerm:5.7.5 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:44:49,501 [MainThread ] [WARNI] Failed to download module aztfmod/caf/azurerm//modules/security/dynamic_keyvault_secrets:5.7.5 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:44:49,501 [MainThread ] [WARNI] Failed to download module aztfmod/caf/azurerm:~>5.6.8 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:44:49,501 [MainThread ] [WARNI] Failed to download module aztfmod/caf/azurerm//modules/security/dynamic_keyvault_secrets:~>5.6.8 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:44:49,501 [MainThread ] [WARNI] Failed to download module aztfmod/caf/azurerm:~>5.3.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:44:49,502 [MainThread ] [WARNI] Failed to download module Azure/caf-enterprise-scale/azurerm:4.2.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 6, Failed checks: 0, Skipped checks: 0
kubernetes scan results:
Passed checks: 136, Failed checks: 39, Skipped checks: 0
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Secret.default.azdopat-secret
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/azdopat-secret.yaml:1-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: azdopat-secret
data:
  personalAccessToken: ${pat}
```
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Job.default.placeholder-agent
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderjob.yaml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: placeholder-agent
  labels:
    app: placeholder-agent
spec:
  activeDeadlineSeconds: 180
  template:
    metadata:
      labels:
        aadpodidbinding: ${podmi}
        app: placeholder-agent
    spec:
      containers:
      - name: azdevops-agent-job
        image: ${image}
        imagePullPolicy: Always
        env:
        - name: VSTS_AGENT_INPUT_URL
          value: ${VSTS_AGENT_INPUT_URL}
        - name: VSTS_AGENT_INPUT_TOKEN
          valueFrom:
            secretKeyRef:
              name: pat-secret-sync
              key: personalAccessToken
        - name: VSTS_AGENT_INPUT_POOL
          value: ${VSTS_AGENT_INPUT_POOL}
        - name: VSTS_AGENT_INPUT_AUTH
          value: "pat"
        - name: VSTS_AGENT_INPUT_RUN_ARGS
          value: "--once"
        # lifecycle:
        #   preStop:
        #     exec:
        #       # SIGTERM triggers a quick exit; gracefully terminate instead
        #       command: ["/home/vscode/agent/config.sh","remove","--unattended"]
      restartPolicy: Never
```
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Job.default.placeholder-agent
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderjob.yaml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Job.default.placeholder-agent
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderjob.yaml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Job.default.placeholder-agent
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderjob.yaml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Job.default.placeholder-agent
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderjob.yaml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Job.default.placeholder-agent
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderjob.yaml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Job.default.placeholder-agent
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderjob.yaml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Job.default.placeholder-agent
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderjob.yaml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Job.default.placeholder-agent
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderjob.yaml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Job.default.placeholder-agent
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderjob.yaml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Job.default.placeholder-agent
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderjob.yaml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Job.default.placeholder-agent
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderjob.yaml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Job.default.placeholder-agent
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderjob.yaml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Job.default.placeholder-agent
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderjob.yaml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Job.default.placeholder-agent
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderjob.yaml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Job.default.placeholder-agent
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderjob.yaml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Job.default.placeholder-agent
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderjob.yaml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Job.default.placeholder-agent
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderjob.yaml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
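The following is an added example, not code from the repository: the placeholder-agent Job from placeholderjob.yaml rewritten so that each CKV_K8S_* check listed for it passes, with the azdopat-secret Secret given a namespace for CKV_K8S_21. The namespace name, the UID, the resource sizes, the mount paths and the assumption that the agent entrypoint can read the token from a file are mine, not the project's. The same changes apply to rover-deployment in placeholderagent.yaml, whose findings follow. Two findings cannot be closed in the template alone: `${image}` is a Terraform template variable, so CKV_K8S_14 and CKV_K8S_43 keep firing on the unrendered file unless the variable's value is an `@sha256:` digest reference and the rendered manifest is what gets scanned.

```yaml
# Added example, not code from the caf-terraform-landingzones repository. Namespace,
# UID, resource sizes, mount paths and the file-based token handoff are assumptions.
apiVersion: v1
kind: Secret
metadata:
  name: azdopat-secret
  namespace: azdo-agents          # CKV_K8S_21: assumed namespace, must exist before apply
type: Opaque
data:
  # "data" holds base64; the renderer must pass base64encode(pat), or use stringData
  personalAccessToken: ${pat}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: placeholder-agent
  namespace: azdo-agents          # CKV_K8S_21
  labels:
    app: placeholder-agent
spec:
  activeDeadlineSeconds: 180
  template:
    metadata:
      labels:
        aadpodidbinding: ${podmi}
        app: placeholder-agent
    spec:
      automountServiceAccountToken: false   # CKV_K8S_38: agent talks to Azure DevOps, not the API server
      securityContext:                      # CKV_K8S_29: pod-level context
        runAsNonRoot: true                  # CKV_K8S_23
        runAsUser: 10001                    # CKV_K8S_40: UID above 10000; assumed to exist in the image
        runAsGroup: 10001
        fsGroup: 10001                      # makes the mounted secret readable by that UID
        seccompProfile:
          type: RuntimeDefault              # CKV_K8S_31
      containers:
      - name: azdevops-agent-job
        # CKV_K8S_14 / CKV_K8S_43: ${image} is a template variable, so checkov sees no tag.
        # The rendered value must be registry/repo@sha256:<digest>; scan the rendered
        # manifest, not only this template, to prove it.
        image: ${image}
        imagePullPolicy: Always
        securityContext:                    # CKV_K8S_30: container-level context
          allowPrivilegeEscalation: false   # CKV_K8S_20
          readOnlyRootFilesystem: true      # CKV_K8S_22
          capabilities:
            drop: ["ALL"]                   # CKV_K8S_28 (NET_RAW) and CKV_K8S_37
        resources:                          # CKV_K8S_10, _11, _12, _13; sizes are assumptions
          requests:
            cpu: 250m
            memory: 512Mi
          limits:
            cpu: "1"
            memory: 1Gi
        env:
        - name: VSTS_AGENT_INPUT_URL
          value: ${VSTS_AGENT_INPUT_URL}
        - name: VSTS_AGENT_INPUT_POOL
          value: ${VSTS_AGENT_INPUT_POOL}
        - name: VSTS_AGENT_INPUT_AUTH
          value: "pat"
        - name: VSTS_AGENT_INPUT_RUN_ARGS
          value: "--once"
        # CKV_K8S_35: VSTS_AGENT_INPUT_TOKEN is gone from env; the PAT is a file and the
        # entrypoint is assumed (hypothetically) to read it. If the image only takes the
        # token from the environment, keep the secretKeyRef and record the exception on
        # the Job instead:
        #   metadata.annotations:
        #     checkov.io/skip1: CKV_K8S_35=agent image reads the token only from env
        volumeMounts:
        - name: pat
          mountPath: /var/run/secrets/azdo
          readOnly: true
        # Scratch space the agent needs once the root filesystem is read-only. config.sh
        # also writes .agent/.credentials into the install directory, so verify the image
        # under readOnlyRootFilesystem before relying on this.
        - name: work
          mountPath: /home/vscode/agent/_work
        - name: tmp
          mountPath: /tmp
      volumes:
      - name: pat
        secret:
          secretName: pat-secret-sync
          defaultMode: 0440                 # root:fsGroup ownership, group-readable
      - name: work
        emptyDir: {}
      - name: tmp
        emptyDir: {}
      restartPolicy: Never
```

Apply the manifest to a test cluster and run `checkov -f placeholderjob.yaml --framework kubernetes` against the rendered file before and after the change; the two checks that stay red are the image tag and digest ones until `${image}` resolves to a digest. Where a control genuinely cannot be met by the agent image (read-only root filesystem, token from a file), a `checkov.io/skip` annotation with a written reason is preferable to silently disabling the check in CI.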
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.rover-deployment
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderagent.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.rover-deployment
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderagent.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.rover-deployment
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderagent.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.rover-deployment
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderagent.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.rover-deployment
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderagent.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.rover-deployment
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderagent.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.rover-deployment
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderagent.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.rover-deployment
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderagent.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.rover-deployment
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderagent.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.rover-deployment
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderagent.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.rover-deployment
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderagent.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.rover-deployment
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderagent.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.default.rover-deployment
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderagent.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.rover-deployment
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderagent.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.rover-deployment
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderagent.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.rover-deployment
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderagent.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.rover-deployment
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderagent.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.rover-deployment
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderagent.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.rover-deployment
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderagent.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.rover-deployment
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderagent.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
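The fourteen CKV_K8S_* findings above all land on one resource, Deployment.default.rover-deployment, and almost all of them are fixed in the pod and container securityContext, the resources block and the probes. The manifest below is an added example, not the repository's placeholderagent.yaml: it shows one way to write an Azure DevOps agent Deployment that satisfies every listed check. The image reference, registry, UID, volume paths, Secret name, probe commands and the process name `Agent.Listener` are assumptions made for the example; the digest is a placeholder and must be replaced with the real one.

```yaml
# Added example, not the project's manifest: rover-deployment rewritten to pass
# the CKV_K8S_* checks reported above. Names, paths and the digest are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: rover-deployment
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: rover
  template:
    metadata:
      labels:
        app: rover
    spec:
      # CKV_K8S_38: a build agent does not call the Kubernetes API, so do not
      # mount a service account token it could leak or be abused with.
      automountServiceAccountToken: false
      securityContext:                      # pod-level securityContext (CKV_K8S_29)
        runAsNonRoot: true                  # CKV_K8S_23
        runAsUser: 10001                    # CKV_K8S_40: UID >= 10000 cannot collide with host users
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: rover
          # CKV_K8S_43: pin by digest so the running image cannot change under a mutable tag.
          # Placeholder digest; resolve the real one with: docker buildx imagetools inspect <image:tag>
          image: registry.example.com/rover@sha256:0000000000000000000000000000000000000000000000000000000000000000
          imagePullPolicy: Always           # CKV_K8S_15
          securityContext:                  # container-level securityContext (CKV_K8S_30)
            allowPrivilegeEscalation: false # CKV_K8S_20: blocks setuid binaries and file capabilities
            readOnlyRootFilesystem: true    # CKV_K8S_22: all writable paths come from volumes below
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL                       # CKV_K8S_37; dropping ALL also removes NET_RAW (CKV_K8S_28)
          resources:
            requests:
              cpu: 250m
              memory: 512Mi                 # CKV_K8S_12
            limits:
              memory: 2Gi                   # CKV_K8S_13: bounds a runaway build's memory use
          # CKV_K8S_35: the Azure DevOps PAT is mounted as a file rather than set
          # via env, so it does not appear in `kubectl describe` or /proc/<pid>/environ.
          # Assumption: the entrypoint reads the token from /var/run/secrets/azdo/pat.
          volumeMounts:
            - name: azdo-pat
              mountPath: /var/run/secrets/azdo
              readOnly: true
            - name: work                    # scratch space the agent needs once the root fs is read-only
              mountPath: /home/agent/_work
            - name: tmp
              mountPath: /tmp
          # CKV_K8S_8 / CKV_K8S_9: the agent exposes no HTTP endpoint, so exec probes
          # are used. Assumed: the listener process is named Agent.Listener and the
          # agent writes /home/agent/.agent once registration with the pool succeeds.
          livenessProbe:
            exec:
              command: ["pgrep", "-f", "Agent.Listener"]
            initialDelaySeconds: 30
            periodSeconds: 30
          readinessProbe:
            exec:
              command: ["test", "-f", "/home/agent/.agent"]
            periodSeconds: 10
      volumes:
        - name: azdo-pat
          secret:
            secretName: azdo-pat            # assumed Secret with a key named "pat"
        - name: work
          emptyDir: {}
        - name: tmp
          emptyDir: {}
```

Two caveats before copying this into a real agent manifest. First, `readOnlyRootFilesystem: true` will break any image that writes outside the mounted emptyDirs (the agent's working directory, its diagnostics folder, package caches), so run the agent once with the setting enabled and mount an emptyDir at every path that fails. Second, the Azure Pipelines agent normally takes its token from an environment variable; moving it to a file (CKV_K8S_35) requires an entrypoint that reads the file and passes the value to the configuration step, which is why the mount path above is marked as an assumption.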
secrets scan results:
Passed checks: 0, Failed checks: 2, Skipped checks: 0
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 5c7728b39a9544057a72ebdcd71bea6be7e6032f
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/placeholderagent.yaml:51-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
51 | secretProviderClass: "az********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: dcf45a655d7e5546b436e6acbe294381a9b406f5
File: /caf_solution/add-ons/aks_azure_devops_agents/yamls/roverjob.yaml:48-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
48 | personalAccessTokenFromEnv: "VSTS_*****************"
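CKV_SECRET_6 is an entropy heuristic: it cannot tell a random-looking token from a random-looking name. The two keys flagged above, `secretProviderClass` (which holds the name of a SecretProviderClass object for the Secrets Store CSI driver) and `personalAccessTokenFromEnv` (whose name says it carries an environment variable name, not the token), both look like references rather than credentials, but the scanner masks the values, so that has to be confirmed by reading the files. The fragment below is an added example, not the repository's manifest: it shows how a CSI volume references a SecretProviderClass by name and how, once a reviewer has confirmed the value is not a credential, the finding is suppressed inline with checkov's `checkov:skip` comment so the decision and its reason live next to the value. The class name `azure-kv-example` and the mount path are placeholders.

```yaml
# Added example, not the project's file: a Secrets Store CSI volume whose
# secretProviderClass attribute names a SecretProviderClass object. The name is
# not sensitive, so the CKV_SECRET_6 hit is suppressed inline with a reason.
apiVersion: v1
kind: Pod
metadata:
  name: rover-example
spec:
  containers:
    - name: rover
      image: registry.example.com/rover@sha256:0000000000000000000000000000000000000000000000000000000000000000
      volumeMounts:
        - name: kv-secrets
          mountPath: /mnt/secrets-store   # Key Vault secrets appear here as files
          readOnly: true
  volumes:
    - name: kv-secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          # Reference to a SecretProviderClass in this namespace, not a secret value.
          secretProviderClass: "azure-kv-example"  # checkov:skip=CKV_SECRET_6 resource name, not a credential
```

Do not apply the same skip to `personalAccessTokenFromEnv` until the file shows that the value really is a variable name; if it turns out to be a literal PAT, the right fix is to rotate the token and move it into a Kubernetes Secret or the Key Vault class above, not to suppress the finding.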
github_actions scan results:
Passed checks: 138, Failed checks: 2, Skipped checks: 0
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(landingzones-tf100)
File: /.github/workflows/landingzones-tf100.yml:55-56
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Release Drafter)
File: /.github/workflows/release-drafter.yml:0-1
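CKV2_GHA_1 fires when a workflow grants `permissions: write-all` at the top level, which hands every job a GITHUB_TOKEN that can push code, edit releases and modify pull requests; a compromised action or a malicious pull request that reaches that job inherits all of it. The workflow below is an added example, not either of the two repository workflows flagged above: it shows the rejected setting next to the fix, a read-only default at the top level with write scopes granted per job only where that job needs them. The workflow name, trigger, action versions and the assumption that Azure login uses OIDC federation are placeholders for the example.

```yaml
# Added example, not one of the repository's workflows: least-privilege GITHUB_TOKEN
# scopes for a Terraform plan job. Names and action versions are placeholders.
name: landingzones-tf100-example
on:
  pull_request:
    branches: [main]

# CKV2_GHA_1 fails on the setting below; it must not be used:
# permissions: write-all
#
# Instead, default every job to read-only at the top level ...
permissions:
  contents: read

jobs:
  plan:
    runs-on: ubuntu-latest
    # ... and widen scopes per job, naming each one the job actually needs.
    permissions:
      contents: read
      id-token: write        # only for OIDC federation to Azure (assumed azure/login flow)
      pull-requests: write   # only to post the plan output as a PR comment
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform init -input=false
      - run: terraform plan -input=false -no-color
```

The same pattern applies to a release-drafting workflow: keep `contents: read` at the top and give only the drafting job `contents: write` (and `pull-requests: write` if it labels PRs). Check the result with `checkov -d .github/workflows --framework github_actions`, which is also the invocation that belongs in the repository's own pipeline so the finding cannot come back unnoticed.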
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools