KICS #418
Annotations
12 warnings
Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20: actions/checkout@v3, github/codeql-action/upload-sarif@v2. For more information see: https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/.
|
Upload SARIF file for GitHub Advanced Security Dashboard
CodeQL Action v2 will be deprecated on December 5th, 2024. Please update all occurrences of the CodeQL Action in your workflow files to v3. For more information, see https://github.blog/changelog/2024-01-12-code-scanning-deprecation-of-codeql-action-v2/
|
KICS scan:
charts/country-risk/charts/country-risk-frontend/templates/deployment.yaml#L1
Check if containers are running with low UID, which might cause conflicts with the host's user table.
|
KICS scan:
docker-compose.yml#L5
Incoming container traffic should be bound to a specific host interface
|
KICS scan:
docker-compose.yml#L3
Check containers periodically to see if they are running properly.
|
KICS scan:
docker-compose.yml#L3
The hosts process namespace should not be shared by containers
|
KICS scan:
docker-compose.yml#L3
Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory
|
KICS scan:
docker-compose.yml#L3
Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers.
|
KICS scan:
docker-compose.yml#L3
'pids_limit' should be set and different than -1
|
KICS scan:
charts/country-risk/charts/country-risk-frontend/templates/deployment.yaml#L1
Check if Readiness Probe is not configured.
|
KICS scan:
docker-compose.yml#L3
Attribute 'security_opt' should be defined.
|
KICS scan:
.github/workflows/docker-hub-build.yml#L42
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
|
The logs for this run have expired and are no longer available.
Loading