Resolve maintainer's comments

stackrox · Oct 30, 2023 · 65ade9b · 65ade9b
1 parent 4a63e93
commit 65ade9b
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 11 deletions.
diff --git a/docs/generated/checks.md b/docs/generated/checks.md
@@ -517,9 +517,9 @@ key: owner
 
 **Enabled by default**: No
 
-**Description**: Indicates when allowPrivilegedContainer SSC set to True
+**Description**: Indicates when allowPrivilegedContainer SecurityContextConstraints set to true
 
-**Remediation**: SecurityContextConstraints has AllowPrivilegedContainer set to "true". Using this option is dangerous, please consider using allowedCapabilities instead.
+**Remediation**: SecurityContextConstraints has AllowPrivilegedContainer set to "true". Using this option is dangerous, please consider using allowedCapabilities instead. Refer to https://docs.openshift.com/container-platform/4.12/authentication/managing-security-context-constraints.html#scc-settings_configuring-internal-oauth for details.
 
 **Template**: [scc-deny-privileged-container](templates.md#securitycontextconstraints-allowprivilegedcontainer)
 

diff --git a/pkg/builtinchecks/yamls/scc-deny-privileged-container.yaml b/pkg/builtinchecks/yamls/scc-deny-privileged-container.yaml
@@ -1,7 +1,7 @@
 name: "scc-deny-privileged-container"
-description: "Indicates when allowPrivilegedContainer SSC set to True"
+description: "Indicates when allowPrivilegedContainer SecurityContextConstraints set to true"
 remediation: >-
-  SecurityContextConstraints has AllowPrivilegedContainer set to "true". Using this option is dangerous, please consider using allowedCapabilities instead.
+  SecurityContextConstraints has AllowPrivilegedContainer set to "true". Using this option is dangerous, please consider using allowedCapabilities instead. Refer to https://docs.openshift.com/container-platform/4.12/authentication/managing-security-context-constraints.html#scc-settings_configuring-internal-oauth for details.
 scope:
   objectKinds:
     - SecurityContextConstraints

diff --git a/pkg/templates/sccdenypriv/template.go b/pkg/templates/sccdenypriv/template.go
@@ -30,10 +30,7 @@ func init() {
 		Instantiate: params.WrapInstantiateFunc(func(p params.Params) (check.Func, error) {
 			return func(_ lintcontext.LintContext, object lintcontext.Object) []diagnostic.Diagnostic {
 				state, found := extract.SCCallowPrivilegedContainer(object.K8sObject)
-				if !found {
-					return nil
-				}
-				if state == p.AllowPrivilegedContainer {
+				if found && state == p.AllowPrivilegedContainer {
 					return []diagnostic.Diagnostic{
 						{Message: fmt.Sprintf("SCC has allowPrivilegedContainer set to %v", state)},
 					}

diff --git a/pkg/templates/sccdenypriv/template_test.go b/pkg/templates/sccdenypriv/template_test.go
@@ -30,9 +30,7 @@ func (s *SCCPrivTestSuite) addSCCWithPriv(name string, allowFlag bool) {
 }
 
 func (s *SCCPrivTestSuite) TestPrivFalse() {
-	const (
-		acceptableScc = "scc-priv-false"
-	)
+	const acceptableScc = "scc-priv-false"
 
 	s.addSCCWithPriv(acceptableScc, false)