| Repository | kbst / terraform-kubestack |
|---|---|
| Description | Kubestack is a framework for Kubernetes platform engineering teams to define the entire cloud native stack in one Terraform code base and continuously evolve the platform safely through GitOps. |
| Stars | 587 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
2023-10-05 14:45:11,990 [MainThread ] [WARNI] Failed to download module github.com/kbst/terraform-kubestack//kind/cluster?ref={{version}}:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:45:11,991 [MainThread ] [WARNI] Failed to download module github.com/kbst/terraform-kubestack//google/cluster?ref={{version}}:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:45:11,991 [MainThread ] [WARNI] Failed to download module github.com/kbst/terraform-kubestack//azurerm/cluster?ref={{version}}:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:45:11,991 [MainThread ] [WARNI] Failed to download module github.com/kbst/terraform-kubestack//aws/cluster?ref={{version}}:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:45:11,991 [MainThread ] [WARNI] Failed to download module github.com/kbst/terraform-kubestack//common/configuration?ref=v0.15.1-beta.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 120, Failed checks: 31, Skipped checks: 0
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: module.eks_zero.module.cluster.aws_eks_cluster.current
File: /aws/_modules/eks/master.tf:1-32
Calling File: /aws/cluster/main.tf:14-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
1 | resource "aws_eks_cluster" "current" {
2 | name = var.metadata_name
3 | role_arn = aws_iam_role.master.arn
4 |
5 | vpc_config {
6 | security_group_ids = [aws_security_group.masters.id]
7 | subnet_ids = aws_subnet.current.*.id
8 | endpoint_private_access = var.cluster_endpoint_private_access
9 | endpoint_public_access = var.cluster_endpoint_public_access
10 | public_access_cidrs = var.cluster_public_access_cidrs
11 | }
12 |
13 | dynamic "encryption_config" {
14 | for_each = var.cluster_encryption_key_arn != null ? toset([1]) : toset([])
15 | content {
16 | resources = ["secrets"]
17 |
18 | provider {
19 | key_arn = var.cluster_encryption_key_arn
20 | }
21 | }
22 | }
23 |
24 | depends_on = [
25 | aws_iam_role_policy_attachment.master_cluster_policy,
26 | aws_iam_role_policy_attachment.master_service_policy,
27 | ]
28 |
29 | version = var.cluster_version
30 |
31 | enabled_cluster_log_types = var.enabled_cluster_log_types
32 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.eks_zero.module.cluster.aws_security_group.masters
File: /aws/_modules/eks/sg_masters.tf:1-14
Calling File: /aws/cluster/main.tf:14-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "masters" {
2 | name = var.metadata_name
3 | description = "Cluster communication with worker nodes."
4 | vpc_id = aws_vpc.current.id
5 |
6 | egress {
7 | from_port = 0
8 | to_port = 0
9 | protocol = "-1"
10 | cidr_blocks = ["0.0.0.0/0"]
11 | }
12 |
13 | tags = local.eks_metadata_tags
14 | }
Check: CKV_AZURE_172: "Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters"
FAILED for resource: module.aks_zero.module.cluster.azurerm_kubernetes_cluster.current
File: /azurerm/_modules/aks/main.tf:5-80
Calling File: /azurerm/cluster/main.tf:18-69
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_117: "Ensure that AKS uses disk encryption set"
FAILED for resource: module.aks_zero.module.cluster.azurerm_kubernetes_cluster.current
File: /azurerm/_modules/aks/main.tf:5-80
Calling File: /azurerm/cluster/main.tf:18-69
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-kubernetes-policies/ensure-that-aks-uses-disk-encryption-set.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_6: "Ensure AKS has an API Server Authorized IP Ranges enabled"
FAILED for resource: module.aks_zero.module.cluster.azurerm_kubernetes_cluster.current
File: /azurerm/_modules/aks/main.tf:5-80
Calling File: /azurerm/cluster/main.tf:18-69
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-kubernetes-policies/bc-azr-kubernetes-3.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_226: "Ensure ephemeral disks are used for OS disks"
FAILED for resource: module.aks_zero.module.cluster.azurerm_kubernetes_cluster.current
File: /azurerm/_modules/aks/main.tf:5-80
Calling File: /azurerm/cluster/main.tf:18-69
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_141: "Ensure AKS local admin account is disabled"
FAILED for resource: module.aks_zero.module.cluster.azurerm_kubernetes_cluster.current
File: /azurerm/_modules/aks/main.tf:5-80
Calling File: /azurerm/cluster/main.tf:18-69
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/ensure-azure-kubernetes-service-aks-local-admin-account-is-disabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_227: "Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources"
FAILED for resource: module.aks_zero.module.cluster.azurerm_kubernetes_cluster.current
File: /azurerm/_modules/aks/main.tf:5-80
Calling File: /azurerm/cluster/main.tf:18-69
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_168: "Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods."
FAILED for resource: module.aks_zero.module.cluster.azurerm_kubernetes_cluster.current
File: /azurerm/_modules/aks/main.tf:5-80
Calling File: /azurerm/cluster/main.tf:18-69
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_115: "Ensure that AKS enables private clusters"
FAILED for resource: module.aks_zero.module.cluster.azurerm_kubernetes_cluster.current
File: /azurerm/_modules/aks/main.tf:5-80
Calling File: /azurerm/cluster/main.tf:18-69
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-kubernetes-policies/ensure-that-aks-enables-private-clusters.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_227: "Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources"
FAILED for resource: module.aks_zero_node_pool.module.node_pool.azurerm_kubernetes_cluster_node_pool.current
File: /azurerm/_modules/aks/node_pool/main.tf:10-37
Calling File: /azurerm/cluster/node-pool/main.tf:1-22
10 | resource "azurerm_kubernetes_cluster_node_pool" "current" {
11 | name = var.node_pool_name
12 | kubernetes_cluster_id = data.azurerm_kubernetes_cluster.current.id
13 | enable_auto_scaling = var.enable_auto_scaling
14 | max_count = var.max_count
15 | min_count = var.min_count
16 | node_count = var.node_count
17 | vm_size = var.vm_size
18 | node_labels = var.node_labels
19 | node_taints = var.node_taints
20 | zones = var.availability_zones
21 | max_pods = var.max_pods
22 | os_disk_type = var.os_disk_type
23 | os_disk_size_gb = var.os_disk_size_gb
24 | priority = var.priority
25 | eviction_policy = var.eviction_policy
26 | spot_max_price = var.max_spot_price
27 |
28 | # The data source returned agent_pool_profiles in some configurations contain
29 | # empty strings in vnet_subnet_id. In that case we rely on the defaults
30 | vnet_subnet_id = length(local.vnet_subnets) == 0 ? null : coalesce(tolist(local.vnet_subnets)...)
31 |
32 | # When autoscaling acts, the node_count gets changed, but it should not be
33 | # forced to match the config
34 | lifecycle {
35 | ignore_changes = [node_count]
36 | }
37 | }
Check: CKV_AZURE_168: "Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods."
FAILED for resource: module.aks_zero_node_pool.module.node_pool.azurerm_kubernetes_cluster_node_pool.current
File: /azurerm/_modules/aks/node_pool/main.tf:10-37
Calling File: /azurerm/cluster/node-pool/main.tf:1-22
10 | resource "azurerm_kubernetes_cluster_node_pool" "current" {
11 | name = var.node_pool_name
12 | kubernetes_cluster_id = data.azurerm_kubernetes_cluster.current.id
13 | enable_auto_scaling = var.enable_auto_scaling
14 | max_count = var.max_count
15 | min_count = var.min_count
16 | node_count = var.node_count
17 | vm_size = var.vm_size
18 | node_labels = var.node_labels
19 | node_taints = var.node_taints
20 | zones = var.availability_zones
21 | max_pods = var.max_pods
22 | os_disk_type = var.os_disk_type
23 | os_disk_size_gb = var.os_disk_size_gb
24 | priority = var.priority
25 | eviction_policy = var.eviction_policy
26 | spot_max_price = var.max_spot_price
27 |
28 | # The data source returned agent_pool_profiles in some configurations contain
29 | # empty strings in vnet_subnet_id. In that case we rely on the defaults
30 | vnet_subnet_id = length(local.vnet_subnets) == 0 ? null : coalesce(tolist(local.vnet_subnets)...)
31 |
32 | # When autoscaling acts, the node_count gets changed, but it should not be
33 | # forced to match the config
34 | lifecycle {
35 | ignore_changes = [node_count]
36 | }
37 | }
Check: CKV_GCP_66: "Ensure use of Binary Authorization"
FAILED for resource: module.gke_zero.module.cluster.google_container_cluster.current
File: /google/_modules/gke/cluster.tf:1-111
Calling File: /google/cluster/main.tf:11-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-use-of-binary-authorization.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_24: "Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters"
FAILED for resource: module.gke_zero.module.cluster.google_container_cluster.current
File: /google/_modules/gke/cluster.tf:1-111
Calling File: /google/cluster/main.tf:11-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_65: "Manage Kubernetes RBAC users with Google Groups for GKE"
FAILED for resource: module.gke_zero.module.cluster.google_container_cluster.current
File: /google/_modules/gke/cluster.tf:1-111
Calling File: /google/cluster/main.tf:11-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/manage-kubernetes-rbac-users-with-google-groups-for-gke.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_70: "Ensure the GKE Release Channel is set"
FAILED for resource: module.gke_zero.module.cluster.google_container_cluster.current
File: /google/_modules/gke/cluster.tf:1-111
Calling File: /google/cluster/main.tf:11-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-release-channel-is-set.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_21: "Ensure Kubernetes Clusters are configured with Labels"
FAILED for resource: module.gke_zero.module.cluster.google_container_cluster.current
File: /google/_modules/gke/cluster.tf:1-111
Calling File: /google/cluster/main.tf:11-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
FAILED for resource: module.gke_zero.module.cluster.google_container_cluster.current
File: /google/_modules/gke/cluster.tf:1-111
Calling File: /google/cluster/main.tf:11-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_16: "Ensure that DNSSEC is enabled for Cloud DNS"
FAILED for resource: module.gke_zero.module.cluster.google_dns_managed_zone.current
File: /google/_modules/gke/ingress.tf:10-17
Calling File: /google/cluster/main.tf:11-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-5.html
10 | resource "google_dns_managed_zone" "current" {
11 | count = var.disable_default_ingress ? 0 : 1
12 |
13 | project = var.project
14 |
15 | name = var.metadata_name
16 | dns_name = "${var.metadata_fqdn}."
17 | }
Check: CKV_GCP_68: "Ensure Secure Boot for Shielded GKE Nodes is Enabled"
FAILED for resource: module.gke_zero.module.cluster.module.node_pool.google_container_node_pool.current
File: /google/_modules/gke/node_pool/main.tf:1-59
Calling File: /google/_modules/gke/node_pool.tf:1-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-secure-boot-for-shielded-gke-nodes-is-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
FAILED for resource: module.gke_zero.module.cluster.module.node_pool.google_container_node_pool.current
File: /google/_modules/gke/node_pool/main.tf:1-59
Calling File: /google/_modules/gke/node_pool.tf:1-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_22: "Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image"
FAILED for resource: module.gke_zero.module.cluster.module.node_pool.google_container_node_pool.current
File: /google/_modules/gke/node_pool/main.tf:1-59
Calling File: /google/_modules/gke/node_pool.tf:1-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_68: "Ensure Secure Boot for Shielded GKE Nodes is Enabled"
FAILED for resource: module.gke_zero_node_pool.module.node_pool.google_container_node_pool.current
File: /google/_modules/gke/node_pool/main.tf:1-59
Calling File: /google/cluster/node-pool/main.tf:1-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-secure-boot-for-shielded-gke-nodes-is-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
FAILED for resource: module.gke_zero_node_pool.module.node_pool.google_container_node_pool.current
File: /google/_modules/gke/node_pool/main.tf:1-59
Calling File: /google/cluster/node-pool/main.tf:1-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_22: "Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image"
FAILED for resource: module.gke_zero_node_pool.module.node_pool.google_container_node_pool.current
File: /google/_modules/gke/node_pool/main.tf:1-59
Calling File: /google/cluster/node-pool/main.tf:1-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.aks_zero.module.cluster.azurerm_subnet.current
File: /azurerm/_modules/aks/vnet.tf:11-20
11 | resource "azurerm_subnet" "current" {
12 | count = var.network_plugin == "azure" ? 1 : 0
13 |
14 | name = var.legacy_vnet_name ? "aks-node-subnet" : "${var.metadata_name}-${var.default_node_pool_name}-node-pool"
15 | address_prefixes = var.subnet_address_prefixes
16 | resource_group_name = data.azurerm_resource_group.current.name
17 | virtual_network_name = azurerm_virtual_network.current[0].name
18 |
19 | service_endpoints = length(var.subnet_service_endpoints) > 0 ? var.subnet_service_endpoints : null
20 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.gke_zero.module.cluster.google_compute_network.current
File: /google/_modules/gke/network.tf:1-5
1 | resource "google_compute_network" "current" {
2 | name = var.metadata_name
3 | project = var.project
4 | auto_create_subnetworks = "true"
5 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: module.eks_zero.module.cluster.aws_vpc.current
File: /aws/_modules/eks/vpc.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "current" {
2 | cidr_block = var.vpc_cidr
3 |
4 | enable_dns_hostnames = var.vpc_dns_hostnames
5 | enable_dns_support = var.vpc_dns_support
6 |
7 | tags = local.eks_metadata_tags
8 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: module.eks_zero.module.cluster.aws_route53_zone.current
File: /aws/_modules/eks/ingress.tf:1-5
1 | resource "aws_route53_zone" "current" {
2 | count = var.disable_default_ingress ? 0 : 1
3 |
4 | name = "${var.metadata_fqdn}."
5 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: module.eks_zero.module.cluster.aws_vpc.current
File: /aws/_modules/eks/vpc.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "current" {
2 | cidr_block = var.vpc_cidr
3 |
4 | enable_dns_hostnames = var.vpc_dns_hostnames
5 | enable_dns_support = var.vpc_dns_support
6 |
7 | tags = local.eks_metadata_tags
8 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: module.eks_zero.module.cluster.aws_route53_zone.current
File: /aws/_modules/eks/ingress.tf:1-5
1 | resource "aws_route53_zone" "current" {
2 | count = var.disable_default_ingress ? 0 : 1
3 |
4 | name = "${var.metadata_fqdn}."
5 | }
dockerfile scan results:
Passed checks: 620, Failed checks: 21, Skipped checks: 0
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /quickstart/src/configurations/multi-cloud/Dockerfile.
File: /quickstart/src/configurations/multi-cloud/Dockerfile:1-1
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM {{image_name}}:{{image_tag}}
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /quickstart/src/configurations/multi-cloud/Dockerfile.
File: /quickstart/src/configurations/multi-cloud/Dockerfile:1-1
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM {{image_name}}:{{image_tag}}
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /quickstart/src/configurations/eks/Dockerfile.
File: /quickstart/src/configurations/eks/Dockerfile:1-1
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM {{image_name}}:{{image_tag}}-eks
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /quickstart/src/configurations/eks/Dockerfile.
File: /quickstart/src/configurations/eks/Dockerfile:1-1
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM {{image_name}}:{{image_tag}}-eks
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /quickstart/src/configurations/gke/Dockerfile.loc.
File: /quickstart/src/configurations/gke/Dockerfile.loc:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM {{image_name}}:{{image_tag}}-kind
2 |
3 | ARG UID
4 | ARG GID
5 |
6 | RUN mkdir -p /infra/terraform.tfstate.d &&\
7 | chown ${UID}:${GID} -R /infra
8 |
9 | COPY manifests /infra/manifests
10 | COPY *.tf *.tfvars /infra/
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /quickstart/src/configurations/gke/Dockerfile.loc.
File: /quickstart/src/configurations/gke/Dockerfile.loc:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM {{image_name}}:{{image_tag}}-kind
2 |
3 | ARG UID
4 | ARG GID
5 |
6 | RUN mkdir -p /infra/terraform.tfstate.d &&\
7 | chown ${UID}:${GID} -R /infra
8 |
9 | COPY manifests /infra/manifests
10 | COPY *.tf *.tfvars /infra/
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /oci/Dockerfile.FROM
File: /oci/Dockerfile:11-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
11 | FROM ${BASE_BUILDER} AS builder
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /oci/Dockerfile.
File: /oci/Dockerfile:1-278
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /oci/Dockerfile.
File: /oci/Dockerfile:1-278
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /quickstart/src/configurations/gke/Dockerfile.
File: /quickstart/src/configurations/gke/Dockerfile:1-1
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM {{image_name}}:{{image_tag}}-gke
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /quickstart/src/configurations/gke/Dockerfile.
File: /quickstart/src/configurations/gke/Dockerfile:1-1
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM {{image_name}}:{{image_tag}}-gke
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /quickstart/src/configurations/aks/Dockerfile.
File: /quickstart/src/configurations/aks/Dockerfile:1-1
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM {{image_name}}:{{image_tag}}-aks
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /quickstart/src/configurations/aks/Dockerfile.
File: /quickstart/src/configurations/aks/Dockerfile:1-1
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM {{image_name}}:{{image_tag}}-aks
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /quickstart/src/configurations/multi-cloud/Dockerfile.loc.
File: /quickstart/src/configurations/multi-cloud/Dockerfile.loc:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM {{image_name}}:{{image_tag}}-kind
2 |
3 | ARG UID
4 | ARG GID
5 |
6 | RUN mkdir -p /infra/terraform.tfstate.d &&\
7 | chown ${UID}:${GID} -R /infra
8 |
9 | COPY manifests /infra/manifests
10 | COPY *.tf *.tfvars /infra/
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /quickstart/src/configurations/multi-cloud/Dockerfile.loc.
File: /quickstart/src/configurations/multi-cloud/Dockerfile.loc:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM {{image_name}}:{{image_tag}}-kind
2 |
3 | ARG UID
4 | ARG GID
5 |
6 | RUN mkdir -p /infra/terraform.tfstate.d &&\
7 | chown ${UID}:${GID} -R /infra
8 |
9 | COPY manifests /infra/manifests
10 | COPY *.tf *.tfvars /infra/
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /quickstart/src/configurations/kind/Dockerfile.
File: /quickstart/src/configurations/kind/Dockerfile:1-1
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM {{image_name}}:{{image_tag}}-kind
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /quickstart/src/configurations/kind/Dockerfile.
File: /quickstart/src/configurations/kind/Dockerfile:1-1
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM {{image_name}}:{{image_tag}}-kind
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /quickstart/src/configurations/aks/Dockerfile.loc.
File: /quickstart/src/configurations/aks/Dockerfile.loc:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM {{image_name}}:{{image_tag}}-kind
2 |
3 | ARG UID
4 | ARG GID
5 |
6 | RUN mkdir -p /infra/terraform.tfstate.d &&\
7 | chown ${UID}:${GID} -R /infra
8 |
9 | COPY manifests /infra/manifests
10 | COPY *.tf *.tfvars /infra/
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /quickstart/src/configurations/aks/Dockerfile.loc.
File: /quickstart/src/configurations/aks/Dockerfile.loc:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM {{image_name}}:{{image_tag}}-kind
2 |
3 | ARG UID
4 | ARG GID
5 |
6 | RUN mkdir -p /infra/terraform.tfstate.d &&\
7 | chown ${UID}:${GID} -R /infra
8 |
9 | COPY manifests /infra/manifests
10 | COPY *.tf *.tfvars /infra/
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /quickstart/src/configurations/eks/Dockerfile.loc.
File: /quickstart/src/configurations/eks/Dockerfile.loc:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM {{image_name}}:{{image_tag}}-kind
2 |
3 | ARG UID
4 | ARG GID
5 |
6 | RUN mkdir -p /infra/terraform.tfstate.d &&\
7 | chown ${UID}:${GID} -R /infra
8 |
9 | COPY manifests /infra/manifests
10 | COPY *.tf *.tfvars /infra/
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /quickstart/src/configurations/eks/Dockerfile.loc.
File: /quickstart/src/configurations/eks/Dockerfile.loc:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM {{image_name}}:{{image_tag}}-kind
2 |
3 | ARG UID
4 | ARG GID
5 |
6 | RUN mkdir -p /infra/terraform.tfstate.d &&\
7 | chown ${UID}:${GID} -R /infra
8 |
9 | COPY manifests /infra/manifests
10 | COPY *.tf *.tfvars /infra/
github_actions scan results:
Passed checks: 143, Failed checks: 1, Skipped checks: 0
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Build Test Publish)
File: /.github/workflows/main.yml:49-50
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools