Workflow
Generate
Pick policies and targets, then download the rendered artifacts as a zip. The server skips any policy whose fields aren't expressible in the selected target.
0 / 88 selected
| Policy | Severity | Targets | |
|---|---|---|---|
Nothing selected yet — pick policies below, or | |||
| 30-Day Scan Age | medium | ||
| 90-Day Image Age | low | ||
| ADD Command used instead of COPY | low | ||
| Alpine Linux Package Manager (apk) in Image | low | ||
| Alpine Linux Package Manager Execution | low | ||
| Apache Struts: CVE-2017-5638 | critical | ||
| CAP_SYS_ADMIN capability added | medium | ||
| chkconfig Execution | low | ||
| Compiler Tool Execution | low | ||
| Container using read-write root filesystem | medium | ||
| Container with privilege escalation allowed | medium | ||
| crontab Execution | medium | ||
| Cryptocurrency Mining Process Execution | high | ||
| Curl in Image | low | ||
| Deployments should have at least one ingress Network Policy | medium | ||
| Deployments with externally exposed endpoints | medium | ||
| Docker CIS 4.1: Ensure That a User for the Container Has Been Created | low | ||
| Docker CIS 4.4: Ensure images are scanned and rebuilt to include security patches | medium | ||
| Docker CIS 4.7: Alert on Update Instruction | low | ||
| Docker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabled | medium | ||
| Docker CIS 5.15: Ensure that the host's process namespace is not shared | medium | ||
| Docker CIS 5.16: Ensure that the host's IPC namespace is not shared | medium | ||
| Docker CIS 5.19: Ensure mount propagation mode is not enabled | medium | ||
| Docker CIS 5.21: Ensure the default seccomp profile is not disabled | medium | ||
| Docker CIS 5.7: Ensure privileged ports are not mapped within containers | medium | ||
| Docker CIS 5.9 and 5.20: Ensure that the host's network namespace is not shared | medium | ||
| Drop All Capabilities | low | ||
| Emergency Deployment Annotation | high | ||
| Environment Variable Contains Secret | high | ||
| Fixable CVSS >= 6 and Privileged | high | — | |
| Fixable CVSS >= 7 | high | ||
| Fixable Severity at least Important | high | ||
| Images with no scans | medium | ||
| Improper Usage of Orchestrator Secrets Volume | low | ||
| Insecure specified in CMD | low | ||
| iptables Execution | high | ||
| Iptables or nftables Executed in Privileged Container | critical | — | |
| Kubernetes Actions: Exec into Pod | high | ||
| Kubernetes Actions: Port Forward to Pod | medium | ||
| Kubernetes Dashboard Deployed | low | ||
| Latest tag | low | ||
| Linux Group Add Execution | high | ||
| Linux User Add Execution | high | ||
| Log4Shell: log4j Remote Code Execution vulnerability | critical | ||
| Login Binaries | high | ||
| Mount Container Runtime Socket | medium | ||
| Mounting Sensitive Host Directories | medium | ||
| Netcat Execution Detected | medium | ||
| Network Management Execution | high | ||
| nmap Execution | high | ||
| No CPU request or memory limit specified | medium | ||
| OpenShift: Central Admin Secret Accessed | medium | ||
| OpenShift: Kubeadmin Secret Accessed | high | ||
| OpenShift: Kubernetes Secret Accessed by an Impersonated User | medium | ||
| Password Binaries | high | ||
| Pod Service Account Token Automatically Mounted | medium | ||
| Privileged Container | medium | ||
| Privileged Containers with Important and Critical Fixable CVEs | high | — | |
| Process Targeting Cluster Kubelet Endpoint | high | ||
| Process Targeting Cluster Kubernetes Docker Stats Endpoint | high | ||
| Process Targeting Kubernetes Service Endpoint | high | ||
| Process with UID 0 | high | ||
| Rapid Reset: Denial of Service Vulnerability in HTTP/2 Protocol | high | ||
| Red Hat images must be signed by a Red Hat release key | high | ||
| Red Hat Package Manager Execution | low | ||
| Red Hat Package Manager in Image | low | ||
| Remote File Copy Binary Execution | medium | ||
| Required Annotation: Email | low | ||
| Required Annotation: Owner/Team | low | ||
| Required Image Label | low | ||
| Required Label: Owner/Team | low | ||
| Secret Mounted as Environment Variable | high | ||
| Secure Shell (ssh) Port Exposed | high | ||
| Secure Shell (ssh) Port Exposed in Image | high | ||
| Secure Shell Server (sshd) Execution | high | ||
| SetUID Processes | high | ||
| Shadow File Modification | high | ||
| Shell Management | low | ||
| Shell Spawned by Java Application | high | ||
| Spring4Shell (Spring Framework Remote Code Execution) and Spring Cloud Function vulnerabilities | critical | ||
| systemctl Execution | low | ||
| systemd Execution | low | ||
| Ubuntu Package Manager Execution | low | ||
| Ubuntu Package Manager in Image | low | ||
| Unauthorized Network Flow | high | ||
| Unauthorized Process Execution | high | ||
| Wget in Image | low | ||
| Require Signed Images | high | ||