Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(query): k8s rule service_account_token_automount_not_disabled should also consider automount option in ServiceAccount #4887

Merged
merged 3 commits into from
Mar 15, 2022
Merged

fix(query): k8s rule service_account_token_automount_not_disabled should also consider automount option in ServiceAccount #4887

merged 3 commits into from
Mar 15, 2022

Conversation

Churro
Copy link
Contributor

@Churro Churro commented Feb 27, 2022

Problem

  • Since K8s v1.6, automountServiceAccountToken can also be defined at Service Account level. Pods may override this setting. The current rule inspects automountServiceAccountToken only on pod level and yields false positive alerts in case this setting is defined together with the Service Account.

Proposed Changes

  • Match specInfo with SA definition and check whether the SA defines automountServiceAccountToken

I submit this contribution under the Apache-2.0 license.

@Churro
fix(query): k8s rule service_account_token_automount_not_disabled sho…
99b746f 
…uld also consider automount option in ServiceAccount
@kicsbot
Copy link
Contributor

kicsbot commented Feb 27, 2022

Scan submitted to Checkmarx

joaoReigota1
joaoReigota1 requested changes Mar 9, 2022
View reviewed changes
Copy link
Collaborator

@joaoReigota1 joaoReigota1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @Churro, thank you for contributing to KICS and helping us improve our Kubernetes queries.
Indeed you are correct, other than a change that is required for our k8s files validator, everything seems good to me and I will be happy to merge it

assets/queries/k8s/service_account_token_automount_not_disabled/test/negative2.yaml Show resolved Hide resolved
@kicsbot
Copy link
Contributor

kicsbot commented Mar 9, 2022

Scan not submitted to Checkmarx due to existing Active scan for the same project.

@kicsbot
Copy link
Contributor

kicsbot commented Mar 9, 2022

Logo
Checkmarx SAST - Scan Summary & Details

Cx-SAST Summary

Total of 5 vulnerabilities
High 0 High
Medium 0 Medium
Low 5 Low
Info 0 Info

Violation Summary

No policy violation found

joaoReigota1
joaoReigota1 approved these changes Mar 15, 2022
View reviewed changes
Copy link
Collaborator

@joaoReigota1 joaoReigota1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@joaoReigota1 joaoReigota1 merged commit 71ab7a8 into Checkmarx:master Mar 15, 2022
@rafaela-soares rafaela-soares added the community Community contribution label Mar 16, 2022
@rafaela-soares rafaela-soares added the query New query feature label Aug 19, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joaoReigota1 joaoReigota1 joaoReigota1 approved these changes

Assignees
No one assigned
Labels
community Community contribution query New query feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Churro @kicsbot @joaoReigota1 @rafaela-soares