Workflow

Generate

Pick policies and targets, then download the rendered artifacts as a zip. The server skips any policy whose fields aren't expressible in the selected target.

0 / 88 selected
PolicySeverityTargets

Nothing selected yet — pick policies below, or

30-Day Scan Agemedium
90-Day Image Agelow
ADD Command used instead of COPYlow
Alpine Linux Package Manager (apk) in Imagelow
Alpine Linux Package Manager Executionlow
Apache Struts: CVE-2017-5638critical
CAP_SYS_ADMIN capability addedmedium
chkconfig Executionlow
Compiler Tool Executionlow
Container using read-write root filesystemmedium
Container with privilege escalation allowedmedium
crontab Executionmedium
Cryptocurrency Mining Process Executionhigh
Curl in Imagelow
Deployments should have at least one ingress Network Policymedium
Deployments with externally exposed endpointsmedium
Docker CIS 4.1: Ensure That a User for the Container Has Been Createdlow
Docker CIS 4.4: Ensure images are scanned and rebuilt to include security patchesmedium
Docker CIS 4.7: Alert on Update Instructionlow
Docker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabledmedium
Docker CIS 5.15: Ensure that the host's process namespace is not sharedmedium
Docker CIS 5.16: Ensure that the host's IPC namespace is not sharedmedium
Docker CIS 5.19: Ensure mount propagation mode is not enabledmedium
Docker CIS 5.21: Ensure the default seccomp profile is not disabledmedium
Docker CIS 5.7: Ensure privileged ports are not mapped within containersmedium
Docker CIS 5.9 and 5.20: Ensure that the host's network namespace is not sharedmedium
Drop All Capabilitieslow
Emergency Deployment Annotationhigh
Environment Variable Contains Secrethigh
Fixable CVSS >= 6 and Privilegedhigh
Fixable CVSS >= 7high
Fixable Severity at least Importanthigh
Images with no scansmedium
Improper Usage of Orchestrator Secrets Volumelow
Insecure specified in CMDlow
iptables Executionhigh
Iptables or nftables Executed in Privileged Containercritical
Kubernetes Actions: Exec into Podhigh
Kubernetes Actions: Port Forward to Podmedium
Kubernetes Dashboard Deployedlow
Latest taglow
Linux Group Add Executionhigh
Linux User Add Executionhigh
Log4Shell: log4j Remote Code Execution vulnerabilitycritical
Login Binarieshigh
Mount Container Runtime Socketmedium
Mounting Sensitive Host Directoriesmedium
Netcat Execution Detectedmedium
Network Management Executionhigh
nmap Executionhigh
No CPU request or memory limit specifiedmedium
OpenShift: Central Admin Secret Accessedmedium
OpenShift: Kubeadmin Secret Accessedhigh
OpenShift: Kubernetes Secret Accessed by an Impersonated Usermedium
Password Binarieshigh
Pod Service Account Token Automatically Mountedmedium
Privileged Containermedium
Privileged Containers with Important and Critical Fixable CVEshigh
Process Targeting Cluster Kubelet Endpointhigh
Process Targeting Cluster Kubernetes Docker Stats Endpointhigh
Process Targeting Kubernetes Service Endpointhigh
Process with UID 0high
Rapid Reset: Denial of Service Vulnerability in HTTP/2 Protocolhigh
Red Hat images must be signed by a Red Hat release keyhigh
Red Hat Package Manager Executionlow
Red Hat Package Manager in Imagelow
Remote File Copy Binary Executionmedium
Required Annotation: Emaillow
Required Annotation: Owner/Teamlow
Required Image Labellow
Required Label: Owner/Teamlow
Secret Mounted as Environment Variablehigh
Secure Shell (ssh) Port Exposedhigh
Secure Shell (ssh) Port Exposed in Imagehigh
Secure Shell Server (sshd) Executionhigh
SetUID Processeshigh
Shadow File Modificationhigh
Shell Managementlow
Shell Spawned by Java Applicationhigh
Spring4Shell (Spring Framework Remote Code Execution) and Spring Cloud Function vulnerabilitiescritical
systemctl Executionlow
systemd Executionlow
Ubuntu Package Manager Executionlow
Ubuntu Package Manager in Imagelow
Unauthorized Network Flowhigh
Unauthorized Process Executionhigh
Wget in Imagelow
Require Signed Imageshigh