@runsec/mcp 1.0.1
- package/dist/index.js +578 -0
- package/package.json +43 -0
- package/src/rules/data/rule-compliance-map.json +43563 -0
- package/src/rules/data/semgrep-rules/README-taint-overlays.md +21 -0
- package/src/rules/data/semgrep-rules/advanced-agent-cloud.yaml +802 -0
- package/src/rules/data/semgrep-rules/app-logic.yaml +445 -0
- package/src/rules/data/semgrep-rules/auth-keycloak.yaml +831 -0
- package/src/rules/data/semgrep-rules/browser-agent.yaml +260 -0
- package/src/rules/data/semgrep-rules/cloud-secrets.yaml +316 -0
- package/src/rules/data/semgrep-rules/csharp-dotnet.yaml +4864 -0
- package/src/rules/data/semgrep-rules/desktop-electron-pro.yaml +30 -0
- package/src/rules/data/semgrep-rules/desktop-vsto-suite.yaml +2759 -0
- package/src/rules/data/semgrep-rules/devops-security.yaml +393 -0
- package/src/rules/data/semgrep-rules/domain-access-management.yaml +1023 -0
- package/src/rules/data/semgrep-rules/domain-data-privacy.yaml +852 -0
- package/src/rules/data/semgrep-rules/domain-input-validation.yaml +2894 -0
- package/src/rules/data/semgrep-rules/domain-platform-hardening.yaml +1715 -0
- package/src/rules/data/semgrep-rules/ds-ml-security.yaml +2431 -0
- package/src/rules/data/semgrep-rules/fastapi-async.yaml +5953 -0
- package/src/rules/data/semgrep-rules/frontend-react.yaml +4035 -0
- package/src/rules/data/semgrep-rules/frontend-security.yaml +200 -0
- package/src/rules/data/semgrep-rules/go-core.yaml +4959 -0
- package/src/rules/data/semgrep-rules/hft-cpp-security.yaml +631 -0
- package/src/rules/data/semgrep-rules/infra-k8s-helm.yaml +4968 -0
- package/src/rules/data/semgrep-rules/integration-security.yaml +2362 -0
- package/src/rules/data/semgrep-rules/java-enterprise.yaml +14756 -0
- package/src/rules/data/semgrep-rules/java-spring.yaml +397 -0
- package/src/rules/data/semgrep-rules/license-compliance.yaml +186 -0
- package/src/rules/data/semgrep-rules/mobile-flutter.yaml +37 -0
- package/src/rules/data/semgrep-rules/mobile-security.yaml +721 -0
- package/src/rules/data/semgrep-rules/nodejs-nestjs.yaml +5164 -0
- package/src/rules/data/semgrep-rules/nodejs-security.yaml +326 -0
- package/src/rules/data/semgrep-rules/observability.yaml +381 -0
- package/src/rules/data/semgrep-rules/php-security.yaml +3601 -0
- package/src/rules/data/semgrep-rules/python-backend-pro.yaml +30 -0
- package/src/rules/data/semgrep-rules/python-django.yaml +181 -0
- package/src/rules/data/semgrep-rules/python-security.yaml +284 -0
- package/src/rules/data/semgrep-rules/ru-regulatory.yaml +496 -0
- package/src/rules/data/semgrep-rules/ruby-rails.yaml +3078 -0
- package/src/rules/data/semgrep-rules/rust-security.yaml +2701 -0
|
@@ -0,0 +1,4968 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: runsec.infra-k8s-helm.inf-4.1
|
|
3
|
+
metadata:
|
|
4
|
+
runsec_version: v1.0
|
|
5
|
+
confidence: |-
|
|
6
|
+
0.9
|
|
7
|
+
exploit_scenario: |-
|
|
8
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
9
|
+
fix_template: |-
|
|
10
|
+
FROM python:3.11 WORKDIR /app RUN groupadd -r app && useradd -r -g app app COPY . /app RUN chown -R app:app /app USER app CMD ["python","main.py"]
|
|
11
|
+
pattern-either:
|
|
12
|
+
- pattern: |-
|
|
13
|
+
FROM python:3.11
|
|
14
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-4\\.1\\b'
|
|
15
|
+
message: |-
|
|
16
|
+
RunSec Detection [INF-4.1]: CIS_Docker_Benchmark_v1.8.0.pdf, п. 4.1
|
|
17
|
+
languages:
|
|
18
|
+
- generic
|
|
19
|
+
severity: WARNING
|
|
20
|
+
- id: runsec.infra-k8s-helm.inf-5.10
|
|
21
|
+
metadata:
|
|
22
|
+
runsec_version: v1.0
|
|
23
|
+
confidence: |-
|
|
24
|
+
0.9
|
|
25
|
+
exploit_scenario: |-
|
|
26
|
+
Атакующий исчерпывает CPU/RAM контейнера множеством запросов; при отсутствии limits — отказ в обслуживании (обычно не прямой RCE).
|
|
27
|
+
fix_template: |-
|
|
28
|
+
services: api: image: example/api:1.0.0 mem_limit: "512m" cpu_shares: 512
|
|
29
|
+
pattern-either:
|
|
30
|
+
- pattern: |-
|
|
31
|
+
services:
|
|
32
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-5\\.10\\b'
|
|
33
|
+
message: |-
|
|
34
|
+
RunSec Detection [INF-5.10]: CIS_Docker_Benchmark_v1.8.0.pdf, п. 5.10
|
|
35
|
+
languages:
|
|
36
|
+
- generic
|
|
37
|
+
severity: WARNING
|
|
38
|
+
- id: runsec.infra-k8s-helm.inf-5.2.1
|
|
39
|
+
metadata:
|
|
40
|
+
runsec_version: v1.0
|
|
41
|
+
confidence: |-
|
|
42
|
+
0.9
|
|
43
|
+
exploit_scenario: |-
|
|
44
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
45
|
+
fix_template: |-
|
|
46
|
+
apiVersion: v1 kind: Pod metadata: name: restricted-pod spec: containers: - name: app image: nginx:1.27 securityContext: privileged: false
|
|
47
|
+
pattern-either:
|
|
48
|
+
- pattern: |-
|
|
49
|
+
apiVersion: v1
|
|
50
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-5\\.2\\.1\\b'
|
|
51
|
+
message: |-
|
|
52
|
+
RunSec Detection [INF-5.2.1]: CIS_Kubernetes_Benchmark_V1.12.0_PDF.pdf, п. 5.2.1
|
|
53
|
+
languages:
|
|
54
|
+
- generic
|
|
55
|
+
severity: WARNING
|
|
56
|
+
- id: runsec.infra-k8s-helm.inf-5.2.4
|
|
57
|
+
metadata:
|
|
58
|
+
runsec_version: v1.0
|
|
59
|
+
confidence: |-
|
|
60
|
+
0.9
|
|
61
|
+
exploit_scenario: |-
|
|
62
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
63
|
+
fix_template: |-
|
|
64
|
+
apiVersion: apps/v1 kind: Deployment metadata: name: ape-off spec: template: spec: containers: - name: app image: example/app:1.0.0 securityContext: allowPrivilegeEscalation: false
|
|
65
|
+
pattern-either:
|
|
66
|
+
- pattern: |-
|
|
67
|
+
apiVersion: apps/v1
|
|
68
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-5\\.2\\.4\\b'
|
|
69
|
+
message: |-
|
|
70
|
+
RunSec Detection [INF-5.2.4]: CIS_Kubernetes_Benchmark_V1.12.0_PDF.pdf, п. 5.2.4
|
|
71
|
+
languages:
|
|
72
|
+
- generic
|
|
73
|
+
severity: WARNING
|
|
74
|
+
- id: runsec.infra-k8s-helm.inf-5.2.5
|
|
75
|
+
metadata:
|
|
76
|
+
runsec_version: v1.0
|
|
77
|
+
confidence: |-
|
|
78
|
+
0.9
|
|
79
|
+
exploit_scenario: |-
|
|
80
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
81
|
+
fix_template: |-
|
|
82
|
+
apiVersion: v1 kind: Pod metadata: name: non-root-gid spec: containers: - name: app image: example/app:1.0.0 securityContext: runAsNonRoot: true runAsGroup: 10001
|
|
83
|
+
pattern-either:
|
|
84
|
+
- pattern: |-
|
|
85
|
+
apiVersion: v1
|
|
86
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-5\\.2\\.5\\b'
|
|
87
|
+
message: |-
|
|
88
|
+
RunSec Detection [INF-5.2.5]: CIS_Kubernetes_Benchmark_V1.12.0_PDF.pdf, п. 5.2.5
|
|
89
|
+
languages:
|
|
90
|
+
- generic
|
|
91
|
+
severity: WARNING
|
|
92
|
+
- id: runsec.infra-k8s-helm.inf-5.3.1
|
|
93
|
+
metadata:
|
|
94
|
+
runsec_version: v1.0
|
|
95
|
+
confidence: |-
|
|
96
|
+
0.9
|
|
97
|
+
exploit_scenario: |-
|
|
98
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
99
|
+
fix_template: |-
|
|
100
|
+
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: app-default-deny namespace: default spec: podSelector: matchLabels: app: app policyTypes: - Ingress - Egress ingress: [] egress: []
|
|
101
|
+
pattern-either:
|
|
102
|
+
- pattern: |-
|
|
103
|
+
apiVersion: apps/v1
|
|
104
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-5\\.3\\.1\\b'
|
|
105
|
+
message: |-
|
|
106
|
+
RunSec Detection [INF-5.3.1]: CIS_Kubernetes_Benchmark_V1.12.0_PDF.pdf, п. 5.3.1
|
|
107
|
+
languages:
|
|
108
|
+
- generic
|
|
109
|
+
severity: WARNING
|
|
110
|
+
- id: runsec.infra-k8s-helm.inf-2.5.1
|
|
111
|
+
metadata:
|
|
112
|
+
runsec_version: v1.0
|
|
113
|
+
confidence: |-
|
|
114
|
+
0.9
|
|
115
|
+
exploit_scenario: |-
|
|
116
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
117
|
+
fix_template: |-
|
|
118
|
+
server { listen 80; server_tokens off; # CIS: скрыть версию NGINX }
|
|
119
|
+
pattern-either:
|
|
120
|
+
- pattern: |-
|
|
121
|
+
server {
|
|
122
|
+
listen 80;
|
|
123
|
+
server_tokens on;
|
|
124
|
+
}
|
|
125
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-2\\.5\\.1\\b'
|
|
126
|
+
message: |-
|
|
127
|
+
RunSec Detection [INF-2.5.1]: CIS_NGINX_Benchmark_v3.0.0.pdf, п. 2.5.1
|
|
128
|
+
languages:
|
|
129
|
+
- generic
|
|
130
|
+
severity: WARNING
|
|
131
|
+
- id: runsec.infra-k8s-helm.inf-5.3.2
|
|
132
|
+
metadata:
|
|
133
|
+
runsec_version: v1.0
|
|
134
|
+
confidence: |-
|
|
135
|
+
0.9
|
|
136
|
+
exploit_scenario: |-
|
|
137
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
138
|
+
fix_template: |-
|
|
139
|
+
server { listen 443 ssl; add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; object-src 'none'" always; # CIS: CSP обязателен location / { proxy_pass http://app; } }
|
|
140
|
+
pattern-either:
|
|
141
|
+
- pattern: |-
|
|
142
|
+
location / { proxy_pass http://app; }
|
|
143
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-5\\.3\\.2\\b'
|
|
144
|
+
message: |-
|
|
145
|
+
RunSec Detection [INF-5.3.2]: CIS_NGINX_Benchmark_v3.0.0.pdf, п. 5.3.2
|
|
146
|
+
languages:
|
|
147
|
+
- generic
|
|
148
|
+
severity: WARNING
|
|
149
|
+
- id: runsec.infra-k8s-helm.inf-5.3.1-ngx
|
|
150
|
+
metadata:
|
|
151
|
+
runsec_version: v1.0
|
|
152
|
+
confidence: |-
|
|
153
|
+
0.9
|
|
154
|
+
exploit_scenario: |-
|
|
155
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
156
|
+
fix_template: |-
|
|
157
|
+
server { listen 443 ssl; add_header X-Frame-Options "DENY" always; # CIS: разрешено DENY или SAMEORIGIN location / { proxy_pass http://app; } }
|
|
158
|
+
pattern-either:
|
|
159
|
+
- pattern: |-
|
|
160
|
+
location / { proxy_pass http://app; }
|
|
161
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-5\\.3\\.1\\-NGX\\b'
|
|
162
|
+
message: |-
|
|
163
|
+
RunSec Detection [INF-5.3.1-NGX]: CIS_NGINX_Benchmark_v3.0.0.pdf, п. 5.3.1
|
|
164
|
+
languages:
|
|
165
|
+
- generic
|
|
166
|
+
severity: WARNING
|
|
167
|
+
- id: runsec.infra-k8s-helm.inf-1.2.1
|
|
168
|
+
metadata:
|
|
169
|
+
runsec_version: v1.0
|
|
170
|
+
confidence: |-
|
|
171
|
+
0.9
|
|
172
|
+
exploit_scenario: |-
|
|
173
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
174
|
+
fix_template: |-
|
|
175
|
+
apiVersion: v1 kind: Pod metadata: name: kube-apiserver spec: containers: - name: kube-apiserver command: - kube-apiserver - --anonymous-auth=false # CIS: запрет неаутентифицированного доступа
|
|
176
|
+
pattern-either:
|
|
177
|
+
- pattern: |-
|
|
178
|
+
apiVersion: v1
|
|
179
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-1\\.2\\.1\\b'
|
|
180
|
+
message: |-
|
|
181
|
+
RunSec Detection [INF-1.2.1]: CIS_Kubernetes_Benchmark_V1.12.0_PDF.pdf, п. 1.2.1
|
|
182
|
+
languages:
|
|
183
|
+
- generic
|
|
184
|
+
severity: WARNING
|
|
185
|
+
- id: runsec.infra-k8s-helm.inf-1.2.6
|
|
186
|
+
metadata:
|
|
187
|
+
runsec_version: v1.0
|
|
188
|
+
confidence: |-
|
|
189
|
+
0.9
|
|
190
|
+
exploit_scenario: |-
|
|
191
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
192
|
+
fix_template: |-
|
|
193
|
+
apiVersion: v1 kind: Pod metadata: name: kube-apiserver spec: containers: - name: kube-apiserver command: - kube-apiserver - --admission-control-config-file=/etc/kubernetes/admission-control.yaml # CIS: явно задать политику admission
|
|
194
|
+
pattern-either:
|
|
195
|
+
- pattern: |-
|
|
196
|
+
apiVersion: v1
|
|
197
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-1\\.2\\.6\\b'
|
|
198
|
+
message: |-
|
|
199
|
+
RunSec Detection [INF-1.2.6]: CIS_Kubernetes_Benchmark_V1.12.0_PDF.pdf, п. 1.2.6
|
|
200
|
+
languages:
|
|
201
|
+
- generic
|
|
202
|
+
severity: WARNING
|
|
203
|
+
- id: runsec.infra-k8s-helm.inf-5.1.1
|
|
204
|
+
metadata:
|
|
205
|
+
runsec_version: v1.0
|
|
206
|
+
confidence: |-
|
|
207
|
+
0.9
|
|
208
|
+
exploit_scenario: |-
|
|
209
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
210
|
+
fix_template: |-
|
|
211
|
+
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: app-read-only namespace: app rules: - apiGroups: [""] resources: ["pods","services"] verbs: ["get","list","watch"] # CIS: минимум привилегий --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: app-read-only-binding namespace: app subjects: - kind: ServiceAccount name: app-sa namespace: app roleRef: kind: Role name: app-read-only apiGroup: rbac.authorization.k8s.io
|
|
212
|
+
pattern-either:
|
|
213
|
+
- pattern: |-
|
|
214
|
+
apiVersion: rbac.authorization.k8s.io/v1
|
|
215
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-5\\.1\\.1\\b'
|
|
216
|
+
message: |-
|
|
217
|
+
RunSec Detection [INF-5.1.1]: CIS_Kubernetes_Benchmark_V1.12.0_PDF.pdf, п. 5.1.1
|
|
218
|
+
languages:
|
|
219
|
+
- generic
|
|
220
|
+
severity: WARNING
|
|
221
|
+
- id: runsec.infra-k8s-helm.inf-5.6.2
|
|
222
|
+
metadata:
|
|
223
|
+
runsec_version: v1.0
|
|
224
|
+
confidence: |-
|
|
225
|
+
0.9
|
|
226
|
+
exploit_scenario: |-
|
|
227
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
228
|
+
fix_template: |-
|
|
229
|
+
apiVersion: v1 kind: Pod metadata: name: with-seccomp spec: containers: - name: app image: nginx:1.27 securityContext: seccompProfile: type: RuntimeDefault # CIS: docker/default или runtime/default
|
|
230
|
+
pattern-either:
|
|
231
|
+
- pattern: |-
|
|
232
|
+
apiVersion: v1
|
|
233
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-5\\.6\\.2\\b'
|
|
234
|
+
message: |-
|
|
235
|
+
RunSec Detection [INF-5.6.2]: CIS_Kubernetes_Benchmark_V1.12.0_PDF.pdf, п. 5.6.2
|
|
236
|
+
languages:
|
|
237
|
+
- generic
|
|
238
|
+
severity: WARNING
|
|
239
|
+
- id: runsec.infra-k8s-helm.inf-1.2.33
|
|
240
|
+
metadata:
|
|
241
|
+
runsec_version: v1.0
|
|
242
|
+
confidence: |-
|
|
243
|
+
0.9
|
|
244
|
+
exploit_scenario: |-
|
|
245
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
246
|
+
fix_template: |-
|
|
247
|
+
apiVersion: v1 kind: Pod metadata: name: kube-apiserver spec: containers: - name: kube-apiserver command: - kube-apiserver - --encryption-provider-config=/etc/kubernetes/encryption-provider.yaml # CIS: encryption at rest for secrets
|
|
248
|
+
pattern-either:
|
|
249
|
+
- pattern: |-
|
|
250
|
+
apiVersion: v1
|
|
251
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-1\\.2\\.33\\b'
|
|
252
|
+
message: |-
|
|
253
|
+
RunSec Detection [INF-1.2.33]: CIS_Kubernetes_Benchmark_V1.12.0_PDF.pdf, п. 1.2.33
|
|
254
|
+
languages:
|
|
255
|
+
- generic
|
|
256
|
+
severity: WARNING
|
|
257
|
+
- id: runsec.infra-k8s-helm.inf-4.4
|
|
258
|
+
metadata:
|
|
259
|
+
runsec_version: v1.0
|
|
260
|
+
confidence: |-
|
|
261
|
+
0.9
|
|
262
|
+
exploit_scenario: |-
|
|
263
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
264
|
+
fix_template: |-
|
|
265
|
+
FROM python:3.11 ENV DB_PASSWORD_FILE=/run/secrets/db_password LABEL security.secrets=\"external-secret-store\" # no plaintext secrets
|
|
266
|
+
pattern-either:
|
|
267
|
+
- pattern: |-
|
|
268
|
+
FROM python:3.11
|
|
269
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-4\\.4\\b'
|
|
270
|
+
message: |-
|
|
271
|
+
RunSec Detection [INF-4.4]: CIS_Docker_Benchmark_v1.8.0.pdf, п. 4.4
|
|
272
|
+
languages:
|
|
273
|
+
- generic
|
|
274
|
+
severity: WARNING
|
|
275
|
+
- id: runsec.infra-k8s-helm.inf-5.25
|
|
276
|
+
metadata:
|
|
277
|
+
runsec_version: v1.0
|
|
278
|
+
confidence: |-
|
|
279
|
+
0.9
|
|
280
|
+
exploit_scenario: |-
|
|
281
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
282
|
+
fix_template: |-
|
|
283
|
+
apiVersion: v1 kind: Pod metadata: name: no-docker-sock spec: containers: - name: app image: alpine:3.20 volumeMounts: - name: app-tmp mountPath: /tmp volumes: - name: app-tmp emptyDir: {}
|
|
284
|
+
pattern-either:
|
|
285
|
+
- pattern: |-
|
|
286
|
+
apiVersion: v1
|
|
287
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-5\\.25\\b'
|
|
288
|
+
message: |-
|
|
289
|
+
RunSec Detection [INF-5.25]: CIS_Docker_Benchmark_v1.8.0.pdf, п. 5.25
|
|
290
|
+
languages:
|
|
291
|
+
- generic
|
|
292
|
+
severity: WARNING
|
|
293
|
+
- id: runsec.infra-k8s-helm.inf-5.1.2-tls
|
|
294
|
+
metadata:
|
|
295
|
+
runsec_version: v1.0
|
|
296
|
+
confidence: |-
|
|
297
|
+
0.9
|
|
298
|
+
exploit_scenario: |-
|
|
299
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
300
|
+
fix_template: |-
|
|
301
|
+
server { listen 443 ssl; ssl_protocols TLSv1.2 TLSv1.3; # CIS: disable legacy TLS }
|
|
302
|
+
pattern-either:
|
|
303
|
+
- pattern: |-
|
|
304
|
+
server {
|
|
305
|
+
listen 443 ssl;
|
|
306
|
+
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
307
|
+
}
|
|
308
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-5\\.1\\.2\\-TLS\\b'
|
|
309
|
+
message: |-
|
|
310
|
+
RunSec Detection [INF-5.1.2-TLS]: CIS_NGINX_Benchmark_v3.0.0.pdf, п. 5.1.2
|
|
311
|
+
languages:
|
|
312
|
+
- generic
|
|
313
|
+
severity: WARNING
|
|
314
|
+
- id: runsec.infra-k8s-helm.inf-5.5.1
|
|
315
|
+
metadata:
|
|
316
|
+
runsec_version: v1.0
|
|
317
|
+
confidence: |-
|
|
318
|
+
0.9
|
|
319
|
+
exploit_scenario: |-
|
|
320
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
321
|
+
fix_template: |-
|
|
322
|
+
location /api/ { limit_except GET POST HEAD { deny all; # CIS: allow only approved methods } proxy_pass http://backend; }
|
|
323
|
+
pattern-either:
|
|
324
|
+
- pattern: |-
|
|
325
|
+
proxy_pass http://backend;
|
|
326
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-5\\.5\\.1\\b'
|
|
327
|
+
message: |-
|
|
328
|
+
RunSec Detection [INF-5.5.1]: CIS_NGINX_Benchmark_v3.0.0.pdf, п. 5.5.1
|
|
329
|
+
languages:
|
|
330
|
+
- generic
|
|
331
|
+
severity: WARNING
|
|
332
|
+
- id: runsec.infra-k8s-helm.inf-010
|
|
333
|
+
metadata:
|
|
334
|
+
runsec_version: v1.0
|
|
335
|
+
confidence: |-
|
|
336
|
+
0.9
|
|
337
|
+
exploit_scenario: |-
|
|
338
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
339
|
+
fix_template: |-
|
|
340
|
+
services: db: image: postgres:16 environment: POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password API_TOKEN_FILE: /run/secrets/api_token secrets: postgres_password: file: ./secrets/postgres_password api_token: file: ./secrets/api_token
|
|
341
|
+
pattern-either:
|
|
342
|
+
- pattern: |-
|
|
343
|
+
services:
|
|
344
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-010\\b'
|
|
345
|
+
message: |-
|
|
346
|
+
RunSec Detection [INF-010]: OWASP API Security Top 10 (API8: Security Misconfiguration); FastAPI Production Readiness (secret management)
|
|
347
|
+
languages:
|
|
348
|
+
- generic
|
|
349
|
+
severity: WARNING
|
|
350
|
+
- id: runsec.infra-k8s-helm.inf-011
|
|
351
|
+
metadata:
|
|
352
|
+
runsec_version: v1.0
|
|
353
|
+
confidence: |-
|
|
354
|
+
0.9
|
|
355
|
+
exploit_scenario: |-
|
|
356
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
357
|
+
fix_template: |-
|
|
358
|
+
tls.crt tls.key # secrets are provisioned at deploy time via external secret manager apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: app-tls spec: secretStoreRef: name: vault-store kind: ClusterSecretStore target: name: app-tls data: - secretKey: tls.key remoteRef: key: kv/prod/app/tls_key
|
|
359
|
+
pattern-either:
|
|
360
|
+
- pattern: |-
|
|
361
|
+
-----BEGIN RSA PRIVATE KEY-----
|
|
362
|
+
MIIEowIBAAKCAQEA...
|
|
363
|
+
-----END RSA PRIVATE KEY-----
|
|
364
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-011\\b'
|
|
365
|
+
message: |-
|
|
366
|
+
RunSec Detection [INF-011]: OWASP API Security Top 10 (API8: Security Misconfiguration); FastAPI Production Readiness (key material handling)
|
|
367
|
+
languages:
|
|
368
|
+
- generic
|
|
369
|
+
severity: WARNING
|
|
370
|
+
- id: runsec.infra-k8s-helm.inf-012
|
|
371
|
+
metadata:
|
|
372
|
+
runsec_version: v1.0
|
|
373
|
+
confidence: |-
|
|
374
|
+
0.9
|
|
375
|
+
exploit_scenario: |-
|
|
376
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
377
|
+
fix_template: |-
|
|
378
|
+
# .gitignore .env .env.* secrets/ *.pem *.key *credentials*.json !.env.example
|
|
379
|
+
pattern-either:
|
|
380
|
+
- pattern: |-
|
|
381
|
+
# .gitignore
|
|
382
|
+
__pycache__/
|
|
383
|
+
*.pyc
|
|
384
|
+
# secrets are not ignored
|
|
385
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-012\\b'
|
|
386
|
+
message: |-
|
|
387
|
+
RunSec Detection [INF-012]: OWASP API Security Top 10 (API8: Security Misconfiguration); FastAPI Production Readiness (repository hygiene)
|
|
388
|
+
languages:
|
|
389
|
+
- generic
|
|
390
|
+
severity: WARNING
|
|
391
|
+
- id: runsec.infra-k8s-helm.inf-013
|
|
392
|
+
metadata:
|
|
393
|
+
runsec_version: v1.0
|
|
394
|
+
confidence: |-
|
|
395
|
+
0.9
|
|
396
|
+
exploit_scenario: |-
|
|
397
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
398
|
+
fix_template: |-
|
|
399
|
+
apiVersion: apps/v1 kind: Deployment spec: template: spec: containers: - name: api ... image: org/api@sha256:3b5f...
|
|
400
|
+
pattern-either:
|
|
401
|
+
- pattern: |-
|
|
402
|
+
apiVersion: apps/v1
|
|
403
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-013\\b'
|
|
404
|
+
message: |-
|
|
405
|
+
RunSec Detection [INF-013]: CWE-494
|
|
406
|
+
languages:
|
|
407
|
+
- generic
|
|
408
|
+
severity: WARNING
|
|
409
|
+
- id: runsec.infra-k8s-helm.inf-014
|
|
410
|
+
metadata:
|
|
411
|
+
runsec_version: v1.0
|
|
412
|
+
confidence: |-
|
|
413
|
+
0.9
|
|
414
|
+
exploit_scenario: |-
|
|
415
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
416
|
+
fix_template: |-
|
|
417
|
+
apiVersion: v1 kind: Pod metadata: name: app-pod spec: automountServiceAccountToken: false ... containers: - name: app image: org/app:1.0.0
|
|
418
|
+
pattern-either:
|
|
419
|
+
- pattern: |-
|
|
420
|
+
apiVersion: v1
|
|
421
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-014\\b'
|
|
422
|
+
message: |-
|
|
423
|
+
RunSec Detection [INF-014]: CWE-269
|
|
424
|
+
languages:
|
|
425
|
+
- generic
|
|
426
|
+
severity: WARNING
|
|
427
|
+
- id: runsec.infra-k8s-helm.k8s-010
|
|
428
|
+
metadata:
|
|
429
|
+
runsec_version: v1.0
|
|
430
|
+
confidence: |-
|
|
431
|
+
0.9
|
|
432
|
+
exploit_scenario: |-
|
|
433
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
434
|
+
fix_template: |-
|
|
435
|
+
securityContext: allowPrivilegeEscalation: false capabilities: drop: ["ALL"]
|
|
436
|
+
pattern-either:
|
|
437
|
+
- pattern: |-
|
|
438
|
+
securityContext:
|
|
439
|
+
- pattern-regex: 'Vulnerable:\\s*K8S\\-010\\b'
|
|
440
|
+
message: |-
|
|
441
|
+
RunSec Detection [K8S-010]: CIS Kubernetes
|
|
442
|
+
languages:
|
|
443
|
+
- generic
|
|
444
|
+
severity: WARNING
|
|
445
|
+
- id: runsec.infra-k8s-helm.k8s-011
|
|
446
|
+
metadata:
|
|
447
|
+
runsec_version: v1.0
|
|
448
|
+
confidence: |-
|
|
449
|
+
0.9
|
|
450
|
+
exploit_scenario: |-
|
|
451
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
452
|
+
fix_template: |-
|
|
453
|
+
spec: hostNetwork: false
|
|
454
|
+
pattern-either:
|
|
455
|
+
- pattern: |-
|
|
456
|
+
spec:
|
|
457
|
+
- pattern-regex: 'Vulnerable:\\s*K8S\\-011\\b'
|
|
458
|
+
message: |-
|
|
459
|
+
RunSec Detection [K8S-011]: CIS Kubernetes
|
|
460
|
+
languages:
|
|
461
|
+
- generic
|
|
462
|
+
severity: WARNING
|
|
463
|
+
- id: runsec.infra-k8s-helm.k8s-012
|
|
464
|
+
metadata:
|
|
465
|
+
runsec_version: v1.0
|
|
466
|
+
confidence: |-
|
|
467
|
+
0.9
|
|
468
|
+
exploit_scenario: |-
|
|
469
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
470
|
+
fix_template: |-
|
|
471
|
+
spec: hostPID: false
|
|
472
|
+
pattern-either:
|
|
473
|
+
- pattern: |-
|
|
474
|
+
spec:
|
|
475
|
+
- pattern-regex: 'Vulnerable:\\s*K8S\\-012\\b'
|
|
476
|
+
message: |-
|
|
477
|
+
RunSec Detection [K8S-012]: CIS Kubernetes
|
|
478
|
+
languages:
|
|
479
|
+
- generic
|
|
480
|
+
severity: WARNING
|
|
481
|
+
- id: runsec.infra-k8s-helm.k8s-013
|
|
482
|
+
metadata:
|
|
483
|
+
runsec_version: v1.0
|
|
484
|
+
confidence: |-
|
|
485
|
+
0.9
|
|
486
|
+
exploit_scenario: |-
|
|
487
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
488
|
+
fix_template: |-
|
|
489
|
+
spec: hostIPC: false
|
|
490
|
+
pattern-either:
|
|
491
|
+
- pattern: |-
|
|
492
|
+
spec:
|
|
493
|
+
- pattern-regex: 'Vulnerable:\\s*K8S\\-013\\b'
|
|
494
|
+
message: |-
|
|
495
|
+
RunSec Detection [K8S-013]: CIS Kubernetes
|
|
496
|
+
languages:
|
|
497
|
+
- generic
|
|
498
|
+
severity: WARNING
|
|
499
|
+
- id: runsec.infra-k8s-helm.k8s-014
|
|
500
|
+
metadata:
|
|
501
|
+
runsec_version: v1.0
|
|
502
|
+
confidence: |-
|
|
503
|
+
0.9
|
|
504
|
+
exploit_scenario: |-
|
|
505
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
506
|
+
fix_template: |-
|
|
507
|
+
securityContext: readOnlyRootFilesystem: true
|
|
508
|
+
pattern-either:
|
|
509
|
+
- pattern: |-
|
|
510
|
+
securityContext:
|
|
511
|
+
- pattern-regex: 'Vulnerable:\\s*K8S\\-014\\b'
|
|
512
|
+
message: |-
|
|
513
|
+
RunSec Detection [K8S-014]: CIS Kubernetes
|
|
514
|
+
languages:
|
|
515
|
+
- generic
|
|
516
|
+
severity: WARNING
|
|
517
|
+
- id: runsec.infra-k8s-helm.k8s-015
|
|
518
|
+
metadata:
|
|
519
|
+
runsec_version: v1.0
|
|
520
|
+
confidence: |-
|
|
521
|
+
0.9
|
|
522
|
+
exploit_scenario: |-
|
|
523
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
524
|
+
fix_template: |-
|
|
525
|
+
securityContext: runAsNonRoot: true
|
|
526
|
+
pattern-either:
|
|
527
|
+
- pattern: |-
|
|
528
|
+
securityContext:
|
|
529
|
+
- pattern-regex: 'Vulnerable:\\s*K8S\\-015\\b'
|
|
530
|
+
message: |-
|
|
531
|
+
RunSec Detection [K8S-015]: CIS Kubernetes
|
|
532
|
+
languages:
|
|
533
|
+
- generic
|
|
534
|
+
severity: WARNING
|
|
535
|
+
- id: runsec.infra-k8s-helm.k8s-016
|
|
536
|
+
metadata:
|
|
537
|
+
runsec_version: v1.0
|
|
538
|
+
confidence: |-
|
|
539
|
+
0.9
|
|
540
|
+
exploit_scenario: |-
|
|
541
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
542
|
+
fix_template: |-
|
|
543
|
+
metadata: annotations: container.apparmor.security.beta.kubernetes.io/app: runtime/default
|
|
544
|
+
pattern-either:
|
|
545
|
+
- pattern: |-
|
|
546
|
+
metadata:
|
|
547
|
+
- pattern-regex: 'Vulnerable:\\s*K8S\\-016\\b'
|
|
548
|
+
message: |-
|
|
549
|
+
RunSec Detection [K8S-016]: Kubernetes Hardening
|
|
550
|
+
languages:
|
|
551
|
+
- generic
|
|
552
|
+
severity: WARNING
|
|
553
|
+
- id: runsec.infra-k8s-helm.k8s-017
|
|
554
|
+
metadata:
|
|
555
|
+
runsec_version: v1.0
|
|
556
|
+
confidence: |-
|
|
557
|
+
0.9
|
|
558
|
+
exploit_scenario: |-
|
|
559
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
560
|
+
fix_template: |-
|
|
561
|
+
seccompProfile: type: RuntimeDefault
|
|
562
|
+
pattern-either:
|
|
563
|
+
- pattern: |-
|
|
564
|
+
seccompProfile:
|
|
565
|
+
- pattern-regex: 'Vulnerable:\\s*K8S\\-017\\b'
|
|
566
|
+
message: |-
|
|
567
|
+
RunSec Detection [K8S-017]: CIS Kubernetes
|
|
568
|
+
languages:
|
|
569
|
+
- generic
|
|
570
|
+
severity: WARNING
|
|
571
|
+
- id: runsec.infra-k8s-helm.k8s-018
|
|
572
|
+
metadata:
|
|
573
|
+
runsec_version: v1.0
|
|
574
|
+
confidence: |-
|
|
575
|
+
0.9
|
|
576
|
+
exploit_scenario: |-
|
|
577
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
578
|
+
fix_template: |-
|
|
579
|
+
containers: - name: api livenessProbe: httpGet: path: /healthz
|
|
580
|
+
pattern-either:
|
|
581
|
+
- pattern: |-
|
|
582
|
+
containers:
|
|
583
|
+
- pattern-regex: 'Vulnerable:\\s*K8S\\-018\\b'
|
|
584
|
+
message: |-
|
|
585
|
+
RunSec Detection [K8S-018]: Kubernetes Reliability
|
|
586
|
+
languages:
|
|
587
|
+
- generic
|
|
588
|
+
severity: WARNING
|
|
589
|
+
- id: runsec.infra-k8s-helm.k8s-019
|
|
590
|
+
metadata:
|
|
591
|
+
runsec_version: v1.0
|
|
592
|
+
confidence: |-
|
|
593
|
+
0.9
|
|
594
|
+
exploit_scenario: |-
|
|
595
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
596
|
+
fix_template: |-
|
|
597
|
+
containers: - name: api readinessProbe: httpGet: path: /ready
|
|
598
|
+
pattern-either:
|
|
599
|
+
- pattern: |-
|
|
600
|
+
containers:
|
|
601
|
+
- pattern-regex: 'Vulnerable:\\s*K8S\\-019\\b'
|
|
602
|
+
message: |-
|
|
603
|
+
RunSec Detection [K8S-019]: Kubernetes Reliability
|
|
604
|
+
languages:
|
|
605
|
+
- generic
|
|
606
|
+
severity: WARNING
|
|
607
|
+
- id: runsec.infra-k8s-helm.k8s-020
|
|
608
|
+
metadata:
|
|
609
|
+
runsec_version: v1.0
|
|
610
|
+
confidence: |-
|
|
611
|
+
0.9
|
|
612
|
+
exploit_scenario: |-
|
|
613
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
614
|
+
fix_template: |-
|
|
615
|
+
resources: limits: cpu: "500m" memory: "512Mi"
|
|
616
|
+
pattern-either:
|
|
617
|
+
- pattern: |-
|
|
618
|
+
resources: {}
|
|
619
|
+
- pattern-regex: 'Vulnerable:\\s*K8S\\-020\\b'
|
|
620
|
+
message: |-
|
|
621
|
+
RunSec Detection [K8S-020]: CIS Kubernetes
|
|
622
|
+
languages:
|
|
623
|
+
- generic
|
|
624
|
+
severity: WARNING
|
|
625
|
+
- id: runsec.infra-k8s-helm.k8s-021
|
|
626
|
+
metadata:
|
|
627
|
+
runsec_version: v1.0
|
|
628
|
+
confidence: |-
|
|
629
|
+
0.9
|
|
630
|
+
exploit_scenario: |-
|
|
631
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
632
|
+
fix_template: |-
|
|
633
|
+
kind: NetworkPolicy metadata: namespace: prod spec: policyTypes: ["Ingress","Egress"]
|
|
634
|
+
pattern-either:
|
|
635
|
+
- pattern: |-
|
|
636
|
+
kind: Deployment
|
|
637
|
+
- pattern-regex: 'Vulnerable:\\s*K8S\\-021\\b'
|
|
638
|
+
message: |-
|
|
639
|
+
RunSec Detection [K8S-021]: Kubernetes NetworkPolicy
|
|
640
|
+
languages:
|
|
641
|
+
- generic
|
|
642
|
+
severity: WARNING
|
|
643
|
+
- id: runsec.infra-k8s-helm.k8s-022
|
|
644
|
+
metadata:
|
|
645
|
+
runsec_version: v1.0
|
|
646
|
+
confidence: |-
|
|
647
|
+
0.9
|
|
648
|
+
exploit_scenario: |-
|
|
649
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
650
|
+
fix_template: |-
|
|
651
|
+
kind: Service spec: type: ClusterIP
|
|
652
|
+
pattern-either:
|
|
653
|
+
- pattern: |-
|
|
654
|
+
kind: Service
|
|
655
|
+
- pattern-regex: 'Vulnerable:\\s*K8S\\-022\\b'
|
|
656
|
+
message: |-
|
|
657
|
+
RunSec Detection [K8S-022]: Kubernetes Exposure
|
|
658
|
+
languages:
|
|
659
|
+
- generic
|
|
660
|
+
severity: WARNING
|
|
661
|
+
- id: runsec.infra-k8s-helm.k8s-023
|
|
662
|
+
metadata:
|
|
663
|
+
runsec_version: v1.0
|
|
664
|
+
confidence: |-
|
|
665
|
+
0.9
|
|
666
|
+
exploit_scenario: |-
|
|
667
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
668
|
+
fix_template: |-
|
|
669
|
+
verbs: ["get","list"] resources: ["pods"]
|
|
670
|
+
pattern-either:
|
|
671
|
+
- pattern: |-
|
|
672
|
+
verbs: ["*"]
|
|
673
|
+
- pattern-regex: 'Vulnerable:\\s*K8S\\-023\\b'
|
|
674
|
+
message: |-
|
|
675
|
+
RunSec Detection [K8S-023]: CIS Kubernetes RBAC
|
|
676
|
+
languages:
|
|
677
|
+
- generic
|
|
678
|
+
severity: WARNING
|
|
679
|
+
- id: runsec.infra-k8s-helm.k8s-024
|
|
680
|
+
metadata:
|
|
681
|
+
runsec_version: v1.0
|
|
682
|
+
confidence: |-
|
|
683
|
+
0.9
|
|
684
|
+
exploit_scenario: |-
|
|
685
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
686
|
+
fix_template: |-
|
|
687
|
+
automountServiceAccountToken: false
|
|
688
|
+
pattern-either:
|
|
689
|
+
- pattern: |-
|
|
690
|
+
automountServiceAccountToken: true
|
|
691
|
+
- pattern-regex: 'Vulnerable:\\s*K8S\\-024\\b'
|
|
692
|
+
message: |-
|
|
693
|
+
RunSec Detection [K8S-024]: CIS Kubernetes
|
|
694
|
+
languages:
|
|
695
|
+
- generic
|
|
696
|
+
severity: WARNING
|
|
697
|
+
- id: runsec.infra-k8s-helm.k8s-025
|
|
698
|
+
metadata:
|
|
699
|
+
runsec_version: v1.0
|
|
700
|
+
confidence: |-
|
|
701
|
+
0.9
|
|
702
|
+
exploit_scenario: |-
|
|
703
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
704
|
+
fix_template: |-
|
|
705
|
+
image: org/api@sha256:abcd...
|
|
706
|
+
pattern-either:
|
|
707
|
+
- pattern: |-
|
|
708
|
+
image: org/api:latest
|
|
709
|
+
- pattern-regex: 'Vulnerable:\\s*K8S\\-025\\b'
|
|
710
|
+
message: |-
|
|
711
|
+
RunSec Detection [K8S-025]: Supply Chain
|
|
712
|
+
languages:
|
|
713
|
+
- generic
|
|
714
|
+
severity: WARNING
|
|
715
|
+
- id: runsec.infra-k8s-helm.dock-010
|
|
716
|
+
metadata:
|
|
717
|
+
runsec_version: v1.0
|
|
718
|
+
confidence: |-
|
|
719
|
+
0.9
|
|
720
|
+
exploit_scenario: |-
|
|
721
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
722
|
+
fix_template: |-
|
|
723
|
+
RUN adduser -D appuser USER appuser
|
|
724
|
+
pattern-either:
|
|
725
|
+
- pattern: |-
|
|
726
|
+
USER root
|
|
727
|
+
- pattern-regex: 'Vulnerable:\\s*DOCK\\-010\\b'
|
|
728
|
+
message: |-
|
|
729
|
+
RunSec Detection [DOCK-010]: CIS Docker
|
|
730
|
+
languages:
|
|
731
|
+
- generic
|
|
732
|
+
severity: WARNING
|
|
733
|
+
- id: runsec.infra-k8s-helm.dock-011
|
|
734
|
+
metadata:
|
|
735
|
+
runsec_version: v1.0
|
|
736
|
+
confidence: |-
|
|
737
|
+
0.9
|
|
738
|
+
exploit_scenario: |-
|
|
739
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
740
|
+
fix_template: |-
|
|
741
|
+
FROM alpine:3.20 USER 10001 CMD ["app"]
|
|
742
|
+
pattern-either:
|
|
743
|
+
- pattern: |-
|
|
744
|
+
FROM alpine:3.20
|
|
745
|
+
- pattern-regex: 'Vulnerable:\\s*DOCK\\-011\\b'
|
|
746
|
+
message: |-
|
|
747
|
+
RunSec Detection [DOCK-011]: CIS Docker
|
|
748
|
+
languages:
|
|
749
|
+
- generic
|
|
750
|
+
severity: WARNING
|
|
751
|
+
- id: runsec.infra-k8s-helm.dock-012
|
|
752
|
+
metadata:
|
|
753
|
+
runsec_version: v1.0
|
|
754
|
+
confidence: |-
|
|
755
|
+
0.9
|
|
756
|
+
exploit_scenario: |-
|
|
757
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
758
|
+
fix_template: |-
|
|
759
|
+
docker run --read-only --tmpfs /tmp app@sha256:...
|
|
760
|
+
pattern-either:
|
|
761
|
+
- pattern: |-
|
|
762
|
+
docker run app:latest
|
|
763
|
+
- pattern-regex: 'Vulnerable:\\s*DOCK\\-012\\b'
|
|
764
|
+
message: |-
|
|
765
|
+
RunSec Detection [DOCK-012]: Docker Runtime Hardening
|
|
766
|
+
languages:
|
|
767
|
+
- generic
|
|
768
|
+
severity: WARNING
|
|
769
|
+
- id: runsec.infra-k8s-helm.dock-013
|
|
770
|
+
metadata:
|
|
771
|
+
runsec_version: v1.0
|
|
772
|
+
confidence: |-
|
|
773
|
+
0.9
|
|
774
|
+
exploit_scenario: |-
|
|
775
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
776
|
+
fix_template: |-
|
|
777
|
+
FROM node:20.11.1@sha256:...
|
|
778
|
+
pattern-either:
|
|
779
|
+
- pattern: |-
|
|
780
|
+
FROM node:latest
|
|
781
|
+
- pattern-regex: 'Vulnerable:\\s*DOCK\\-013\\b'
|
|
782
|
+
message: |-
|
|
783
|
+
RunSec Detection [DOCK-013]: Supply Chain
|
|
784
|
+
languages:
|
|
785
|
+
- generic
|
|
786
|
+
severity: WARNING
|
|
787
|
+
- id: runsec.infra-k8s-helm.dock-014
|
|
788
|
+
metadata:
|
|
789
|
+
runsec_version: v1.0
|
|
790
|
+
confidence: |-
|
|
791
|
+
0.9
|
|
792
|
+
exploit_scenario: |-
|
|
793
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
794
|
+
fix_template: |-
|
|
795
|
+
COPY app.tar.gz /opt/
|
|
796
|
+
pattern-either:
|
|
797
|
+
- pattern: |-
|
|
798
|
+
ADD https://example.com/app.tar.gz /opt/
|
|
799
|
+
- pattern-regex: 'Vulnerable:\\s*DOCK\\-014\\b'
|
|
800
|
+
message: |-
|
|
801
|
+
RunSec Detection [DOCK-014]: Docker Best Practices
|
|
802
|
+
languages:
|
|
803
|
+
- generic
|
|
804
|
+
severity: WARNING
|
|
805
|
+
- id: runsec.infra-k8s-helm.dock-015
|
|
806
|
+
metadata:
|
|
807
|
+
runsec_version: v1.0
|
|
808
|
+
confidence: |-
|
|
809
|
+
0.9
|
|
810
|
+
exploit_scenario: |-
|
|
811
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
812
|
+
fix_template: |-
|
|
813
|
+
RUN apt-get update && apt-get install -y --no-install-recommends curl && rm -rf /var/lib/apt/lists/*
|
|
814
|
+
pattern-either:
|
|
815
|
+
- pattern: |-
|
|
816
|
+
RUN apt-get update && apt-get install -y curl
|
|
817
|
+
- pattern-regex: 'Vulnerable:\\s*DOCK\\-015\\b'
|
|
818
|
+
message: |-
|
|
819
|
+
RunSec Detection [DOCK-015]: Container Minimization
|
|
820
|
+
languages:
|
|
821
|
+
- generic
|
|
822
|
+
severity: WARNING
|
|
823
|
+
- id: runsec.infra-k8s-helm.dock-016
|
|
824
|
+
metadata:
|
|
825
|
+
runsec_version: v1.0
|
|
826
|
+
confidence: |-
|
|
827
|
+
0.9
|
|
828
|
+
exploit_scenario: |-
|
|
829
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
830
|
+
fix_template: |-
|
|
831
|
+
ARG API_TOKEN # inject via runtime secrets
|
|
832
|
+
pattern-either:
|
|
833
|
+
- pattern: |-
|
|
834
|
+
ARG API_TOKEN=prod-secret
|
|
835
|
+
- pattern-regex: 'Vulnerable:\\s*DOCK\\-016\\b'
|
|
836
|
+
message: |-
|
|
837
|
+
RunSec Detection [DOCK-016]: Secret Management
|
|
838
|
+
languages:
|
|
839
|
+
- generic
|
|
840
|
+
severity: WARNING
|
|
841
|
+
- id: runsec.infra-k8s-helm.dock-017
|
|
842
|
+
metadata:
|
|
843
|
+
runsec_version: v1.0
|
|
844
|
+
confidence: |-
|
|
845
|
+
0.9
|
|
846
|
+
exploit_scenario: |-
|
|
847
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
848
|
+
fix_template: |-
|
|
849
|
+
Container Reliability
|
|
850
|
+
pattern-either:
|
|
851
|
+
- pattern: |-
|
|
852
|
+
FROM python:3.11
|
|
853
|
+
- pattern-regex: 'Vulnerable:\\s*DOCK\\-017\\b'
|
|
854
|
+
message: |-
|
|
855
|
+
RunSec Detection [DOCK-017]: exit 1
|
|
856
|
+
languages:
|
|
857
|
+
- generic
|
|
858
|
+
severity: WARNING
|
|
859
|
+
- id: runsec.infra-k8s-helm.dock-018
|
|
860
|
+
metadata:
|
|
861
|
+
runsec_version: v1.0
|
|
862
|
+
confidence: |-
|
|
863
|
+
0.9
|
|
864
|
+
exploit_scenario: |-
|
|
865
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
866
|
+
fix_template: |-
|
|
867
|
+
docker run --cap-drop ALL --security-opt no-new-privileges app:1.0
|
|
868
|
+
pattern-either:
|
|
869
|
+
- pattern: |-
|
|
870
|
+
docker run --privileged app:1.0
|
|
871
|
+
- pattern-regex: 'Vulnerable:\\s*DOCK\\-018\\b'
|
|
872
|
+
message: |-
|
|
873
|
+
RunSec Detection [DOCK-018]: Docker Runtime Hardening
|
|
874
|
+
languages:
|
|
875
|
+
- generic
|
|
876
|
+
severity: WARNING
|
|
877
|
+
- id: runsec.infra-k8s-helm.dock-019
|
|
878
|
+
metadata:
|
|
879
|
+
runsec_version: v1.0
|
|
880
|
+
confidence: |-
|
|
881
|
+
0.9
|
|
882
|
+
exploit_scenario: |-
|
|
883
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
884
|
+
fix_template: |-
|
|
885
|
+
# do not mount docker.sock
|
|
886
|
+
pattern-either:
|
|
887
|
+
- pattern: |-
|
|
888
|
+
-v /var/run/docker.sock:/var/run/docker.sock
|
|
889
|
+
- pattern-regex: 'Vulnerable:\\s*DOCK\\-019\\b'
|
|
890
|
+
message: |-
|
|
891
|
+
RunSec Detection [DOCK-019]: Container Escape Prevention
|
|
892
|
+
languages:
|
|
893
|
+
- generic
|
|
894
|
+
severity: WARNING
|
|
895
|
+
- id: runsec.infra-k8s-helm.dock-020
|
|
896
|
+
metadata:
|
|
897
|
+
runsec_version: v1.0
|
|
898
|
+
confidence: |-
|
|
899
|
+
0.9
|
|
900
|
+
exploit_scenario: |-
|
|
901
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
902
|
+
fix_template: |-
|
|
903
|
+
docker run --security-opt seccomp=default.json app:1.0
|
|
904
|
+
pattern-either:
|
|
905
|
+
- pattern: |-
|
|
906
|
+
docker run app:1.0
|
|
907
|
+
- pattern-regex: 'Vulnerable:\\s*DOCK\\-020\\b'
|
|
908
|
+
message: |-
|
|
909
|
+
RunSec Detection [DOCK-020]: Docker Runtime Hardening
|
|
910
|
+
languages:
|
|
911
|
+
- generic
|
|
912
|
+
severity: WARNING
|
|
913
|
+
- id: runsec.infra-k8s-helm.ngx-001
|
|
914
|
+
metadata:
|
|
915
|
+
runsec_version: v1.0
|
|
916
|
+
confidence: |-
|
|
917
|
+
0.9
|
|
918
|
+
exploit_scenario: |-
|
|
919
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
920
|
+
fix_template: |-
|
|
921
|
+
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
922
|
+
pattern-either:
|
|
923
|
+
- pattern: |-
|
|
924
|
+
server {
|
|
925
|
+
listen 443 ssl;
|
|
926
|
+
}
|
|
927
|
+
- pattern-regex: 'Vulnerable:\\s*NGX\\-001\\b'
|
|
928
|
+
message: |-
|
|
929
|
+
RunSec Detection [NGX-001]: CIS NGINX
|
|
930
|
+
languages:
|
|
931
|
+
- generic
|
|
932
|
+
severity: WARNING
|
|
933
|
+
- id: runsec.infra-k8s-helm.ngx-002
|
|
934
|
+
metadata:
|
|
935
|
+
runsec_version: v1.0
|
|
936
|
+
confidence: |-
|
|
937
|
+
0.9
|
|
938
|
+
exploit_scenario: |-
|
|
939
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
940
|
+
fix_template: |-
|
|
941
|
+
add_header Content-Security-Policy "default-src 'self'" always;
|
|
942
|
+
pattern-either:
|
|
943
|
+
- pattern: |-
|
|
944
|
+
# no CSP header
|
|
945
|
+
- pattern-regex: 'Vulnerable:\\s*NGX\\-002\\b'
|
|
946
|
+
message: |-
|
|
947
|
+
RunSec Detection [NGX-002]: CIS NGINX
|
|
948
|
+
languages:
|
|
949
|
+
- generic
|
|
950
|
+
severity: WARNING
|
|
951
|
+
- id: runsec.infra-k8s-helm.ngx-003
|
|
952
|
+
metadata:
|
|
953
|
+
runsec_version: v1.0
|
|
954
|
+
confidence: |-
|
|
955
|
+
0.9
|
|
956
|
+
exploit_scenario: |-
|
|
957
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
958
|
+
fix_template: |-
|
|
959
|
+
add_header X-Content-Type-Options "nosniff" always;
|
|
960
|
+
pattern-either:
|
|
961
|
+
- pattern: |-
|
|
962
|
+
# no X-Content-Type-Options
|
|
963
|
+
- pattern-regex: 'Vulnerable:\\s*NGX\\-003\\b'
|
|
964
|
+
message: |-
|
|
965
|
+
RunSec Detection [NGX-003]: CIS NGINX
|
|
966
|
+
languages:
|
|
967
|
+
- generic
|
|
968
|
+
severity: WARNING
|
|
969
|
+
- id: runsec.infra-k8s-helm.ngx-004
|
|
970
|
+
metadata:
|
|
971
|
+
runsec_version: v1.0
|
|
972
|
+
confidence: |-
|
|
973
|
+
0.9
|
|
974
|
+
exploit_scenario: |-
|
|
975
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
976
|
+
fix_template: |-
|
|
977
|
+
add_header X-Frame-Options "DENY" always;
|
|
978
|
+
pattern-either:
|
|
979
|
+
- pattern: |-
|
|
980
|
+
# no X-Frame-Options
|
|
981
|
+
- pattern-regex: 'Vulnerable:\\s*NGX\\-004\\b'
|
|
982
|
+
message: |-
|
|
983
|
+
RunSec Detection [NGX-004]: CIS NGINX
|
|
984
|
+
languages:
|
|
985
|
+
- generic
|
|
986
|
+
severity: WARNING
|
|
987
|
+
- id: runsec.infra-k8s-helm.ngx-005
|
|
988
|
+
metadata:
|
|
989
|
+
runsec_version: v1.0
|
|
990
|
+
confidence: |-
|
|
991
|
+
0.9
|
|
992
|
+
exploit_scenario: |-
|
|
993
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
994
|
+
fix_template: |-
|
|
995
|
+
ssl_protocols TLSv1.2 TLSv1.3;
|
|
996
|
+
pattern-either:
|
|
997
|
+
- pattern: |-
|
|
998
|
+
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
999
|
+
- pattern-regex: 'Vulnerable:\\s*NGX\\-005\\b'
|
|
1000
|
+
message: |-
|
|
1001
|
+
RunSec Detection [NGX-005]: TLS hardening
|
|
1002
|
+
languages:
|
|
1003
|
+
- generic
|
|
1004
|
+
severity: WARNING
|
|
1005
|
+
- id: runsec.infra-k8s-helm.ngx-006
|
|
1006
|
+
metadata:
|
|
1007
|
+
runsec_version: v1.0
|
|
1008
|
+
confidence: |-
|
|
1009
|
+
0.9
|
|
1010
|
+
exploit_scenario: |-
|
|
1011
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1012
|
+
fix_template: |-
|
|
1013
|
+
ssl_protocols TLSv1.3;
|
|
1014
|
+
pattern-either:
|
|
1015
|
+
- pattern: |-
|
|
1016
|
+
ssl_protocols TLSv1.2;
|
|
1017
|
+
- pattern-regex: 'Vulnerable:\\s*NGX\\-006\\b'
|
|
1018
|
+
message: |-
|
|
1019
|
+
RunSec Detection [NGX-006]: Fortress Policy
|
|
1020
|
+
languages:
|
|
1021
|
+
- generic
|
|
1022
|
+
severity: WARNING
|
|
1023
|
+
- id: runsec.infra-k8s-helm.ngx-007
|
|
1024
|
+
metadata:
|
|
1025
|
+
runsec_version: v1.0
|
|
1026
|
+
confidence: |-
|
|
1027
|
+
0.9
|
|
1028
|
+
exploit_scenario: |-
|
|
1029
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1030
|
+
fix_template: |-
|
|
1031
|
+
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
|
|
1032
|
+
pattern-either:
|
|
1033
|
+
- pattern: |-
|
|
1034
|
+
location /api { proxy_pass http://api; }
|
|
1035
|
+
- pattern-regex: 'Vulnerable:\\s*NGX\\-007\\b'
|
|
1036
|
+
message: |-
|
|
1037
|
+
RunSec Detection [NGX-007]: DDoS resilience
|
|
1038
|
+
languages:
|
|
1039
|
+
- generic
|
|
1040
|
+
severity: WARNING
|
|
1041
|
+
- id: runsec.infra-k8s-helm.ngx-008
|
|
1042
|
+
metadata:
|
|
1043
|
+
runsec_version: v1.0
|
|
1044
|
+
confidence: |-
|
|
1045
|
+
0.9
|
|
1046
|
+
exploit_scenario: |-
|
|
1047
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1048
|
+
fix_template: |-
|
|
1049
|
+
client_max_body_size 10m;
|
|
1050
|
+
pattern-either:
|
|
1051
|
+
- pattern: |-
|
|
1052
|
+
# no client_max_body_size
|
|
1053
|
+
- pattern-regex: 'Vulnerable:\\s*NGX\\-008\\b'
|
|
1054
|
+
message: |-
|
|
1055
|
+
RunSec Detection [NGX-008]: NGINX hardening
|
|
1056
|
+
languages:
|
|
1057
|
+
- generic
|
|
1058
|
+
severity: WARNING
|
|
1059
|
+
- id: runsec.infra-k8s-helm.ngx-009
|
|
1060
|
+
metadata:
|
|
1061
|
+
runsec_version: v1.0
|
|
1062
|
+
confidence: |-
|
|
1063
|
+
0.9
|
|
1064
|
+
exploit_scenario: |-
|
|
1065
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1066
|
+
fix_template: |-
|
|
1067
|
+
proxy_connect_timeout 5s; proxy_read_timeout 30s;
|
|
1068
|
+
pattern-either:
|
|
1069
|
+
- pattern: |-
|
|
1070
|
+
proxy_pass http://backend;
|
|
1071
|
+
- pattern-regex: 'Vulnerable:\\s*NGX\\-009\\b'
|
|
1072
|
+
message: |-
|
|
1073
|
+
RunSec Detection [NGX-009]: Gateway resilience
|
|
1074
|
+
languages:
|
|
1075
|
+
- generic
|
|
1076
|
+
severity: WARNING
|
|
1077
|
+
- id: runsec.infra-k8s-helm.ngx-010
|
|
1078
|
+
metadata:
|
|
1079
|
+
runsec_version: v1.0
|
|
1080
|
+
confidence: |-
|
|
1081
|
+
0.9
|
|
1082
|
+
exploit_scenario: |-
|
|
1083
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1084
|
+
fix_template: |-
|
|
1085
|
+
server_tokens off;
|
|
1086
|
+
pattern-either:
|
|
1087
|
+
- pattern: |-
|
|
1088
|
+
server_tokens on;
|
|
1089
|
+
- pattern-regex: 'Vulnerable:\\s*NGX\\-010\\b'
|
|
1090
|
+
message: |-
|
|
1091
|
+
RunSec Detection [NGX-010]: CIS NGINX
|
|
1092
|
+
languages:
|
|
1093
|
+
- generic
|
|
1094
|
+
severity: WARNING
|
|
1095
|
+
- id: runsec.infra-k8s-helm.sqd-001
|
|
1096
|
+
metadata:
|
|
1097
|
+
runsec_version: v1.0
|
|
1098
|
+
confidence: |-
|
|
1099
|
+
0.9
|
|
1100
|
+
exploit_scenario: |-
|
|
1101
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1102
|
+
fix_template: |-
|
|
1103
|
+
http_access deny all http_access allow localnet
|
|
1104
|
+
pattern-either:
|
|
1105
|
+
- pattern: |-
|
|
1106
|
+
http_access allow all
|
|
1107
|
+
- pattern-regex: 'Vulnerable:\\s*SQD\\-001\\b'
|
|
1108
|
+
message: |-
|
|
1109
|
+
RunSec Detection [SQD-001]: Squid hardening
|
|
1110
|
+
languages:
|
|
1111
|
+
- generic
|
|
1112
|
+
severity: WARNING
|
|
1113
|
+
- id: runsec.infra-k8s-helm.sqd-002
|
|
1114
|
+
metadata:
|
|
1115
|
+
runsec_version: v1.0
|
|
1116
|
+
confidence: |-
|
|
1117
|
+
0.9
|
|
1118
|
+
exploit_scenario: |-
|
|
1119
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1120
|
+
fix_template: |-
|
|
1121
|
+
cache_peer upstream.example parent 3129 0 no-query tls
|
|
1122
|
+
pattern-either:
|
|
1123
|
+
- pattern: |-
|
|
1124
|
+
cache_peer upstream.example parent 3128 0 no-query
|
|
1125
|
+
- pattern-regex: 'Vulnerable:\\s*SQD\\-002\\b'
|
|
1126
|
+
message: |-
|
|
1127
|
+
RunSec Detection [SQD-002]: Proxy transport security
|
|
1128
|
+
languages:
|
|
1129
|
+
- generic
|
|
1130
|
+
severity: WARNING
|
|
1131
|
+
- id: runsec.infra-k8s-helm.sqd-003
|
|
1132
|
+
metadata:
|
|
1133
|
+
runsec_version: v1.0
|
|
1134
|
+
confidence: |-
|
|
1135
|
+
0.9
|
|
1136
|
+
exploit_scenario: |-
|
|
1137
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1138
|
+
fix_template: |-
|
|
1139
|
+
sslproxy_cert_error deny all
|
|
1140
|
+
pattern-either:
|
|
1141
|
+
- pattern: |-
|
|
1142
|
+
ssl_bump stare all
|
|
1143
|
+
- pattern-regex: 'Vulnerable:\\s*SQD\\-003\\b'
|
|
1144
|
+
message: |-
|
|
1145
|
+
RunSec Detection [SQD-003]: Squid TLS interception
|
|
1146
|
+
languages:
|
|
1147
|
+
- generic
|
|
1148
|
+
severity: WARNING
|
|
1149
|
+
- id: runsec.infra-k8s-helm.sqd-004
|
|
1150
|
+
metadata:
|
|
1151
|
+
runsec_version: v1.0
|
|
1152
|
+
confidence: |-
|
|
1153
|
+
0.9
|
|
1154
|
+
exploit_scenario: |-
|
|
1155
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1156
|
+
fix_template: |-
|
|
1157
|
+
acl SSL_ports port 443
|
|
1158
|
+
pattern-either:
|
|
1159
|
+
- pattern: |-
|
|
1160
|
+
acl SSL_ports port 1-65535
|
|
1161
|
+
- pattern-regex: 'Vulnerable:\\s*SQD\\-004\\b'
|
|
1162
|
+
message: |-
|
|
1163
|
+
RunSec Detection [SQD-004]: Squid ACL hardening
|
|
1164
|
+
languages:
|
|
1165
|
+
- generic
|
|
1166
|
+
severity: WARNING
|
|
1167
|
+
- id: runsec.infra-k8s-helm.sqd-005
|
|
1168
|
+
metadata:
|
|
1169
|
+
runsec_version: v1.0
|
|
1170
|
+
confidence: |-
|
|
1171
|
+
0.9
|
|
1172
|
+
exploit_scenario: |-
|
|
1173
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1174
|
+
fix_template: |-
|
|
1175
|
+
maxconn 100
|
|
1176
|
+
pattern-either:
|
|
1177
|
+
- pattern: |-
|
|
1178
|
+
# no delay_pools / conn limits
|
|
1179
|
+
- pattern-regex: 'Vulnerable:\\s*SQD\\-005\\b'
|
|
1180
|
+
message: |-
|
|
1181
|
+
RunSec Detection [SQD-005]: Proxy abuse prevention
|
|
1182
|
+
languages:
|
|
1183
|
+
- generic
|
|
1184
|
+
severity: WARNING
|
|
1185
|
+
- id: runsec.infra-k8s-helm.sqd-006
|
|
1186
|
+
metadata:
|
|
1187
|
+
runsec_version: v1.0
|
|
1188
|
+
confidence: |-
|
|
1189
|
+
0.9
|
|
1190
|
+
exploit_scenario: |-
|
|
1191
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1192
|
+
fix_template: |-
|
|
1193
|
+
access_log stdio:/var/log/squid/access.log
|
|
1194
|
+
pattern-either:
|
|
1195
|
+
- pattern: |-
|
|
1196
|
+
access_log none
|
|
1197
|
+
- pattern-regex: 'Vulnerable:\\s*SQD\\-006\\b'
|
|
1198
|
+
message: |-
|
|
1199
|
+
RunSec Detection [SQD-006]: Audit logging
|
|
1200
|
+
languages:
|
|
1201
|
+
- generic
|
|
1202
|
+
severity: WARNING
|
|
1203
|
+
- id: runsec.infra-k8s-helm.sqd-007
|
|
1204
|
+
metadata:
|
|
1205
|
+
runsec_version: v1.0
|
|
1206
|
+
confidence: |-
|
|
1207
|
+
0.9
|
|
1208
|
+
exploit_scenario: |-
|
|
1209
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1210
|
+
fix_template: |-
|
|
1211
|
+
Cache control security
|
|
1212
|
+
pattern-either:
|
|
1213
|
+
- pattern: |-
|
|
1214
|
+
refresh_pattern . 0 100% 4320 override-expire
|
|
1215
|
+
- pattern-regex: 'Vulnerable:\\s*SQD\\-007\\b'
|
|
1216
|
+
message: |-
|
|
1217
|
+
RunSec Detection [SQD-007]: js)$ 0 20% 1440
|
|
1218
|
+
languages:
|
|
1219
|
+
- generic
|
|
1220
|
+
severity: WARNING
|
|
1221
|
+
- id: runsec.infra-k8s-helm.sqd-008
|
|
1222
|
+
metadata:
|
|
1223
|
+
runsec_version: v1.0
|
|
1224
|
+
confidence: |-
|
|
1225
|
+
0.9
|
|
1226
|
+
exploit_scenario: |-
|
|
1227
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1228
|
+
fix_template: |-
|
|
1229
|
+
dns_nameservers 10.0.0.53
|
|
1230
|
+
pattern-either:
|
|
1231
|
+
- pattern: |-
|
|
1232
|
+
dns_nameservers 8.8.8.8
|
|
1233
|
+
- pattern-regex: 'Vulnerable:\\s*SQD\\-008\\b'
|
|
1234
|
+
message: |-
|
|
1235
|
+
RunSec Detection [SQD-008]: Regulatory resolver policy
|
|
1236
|
+
languages:
|
|
1237
|
+
- generic
|
|
1238
|
+
severity: WARNING
|
|
1239
|
+
- id: runsec.infra-k8s-helm.sqd-009
|
|
1240
|
+
metadata:
|
|
1241
|
+
runsec_version: v1.0
|
|
1242
|
+
confidence: |-
|
|
1243
|
+
0.9
|
|
1244
|
+
exploit_scenario: |-
|
|
1245
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1246
|
+
fix_template: |-
|
|
1247
|
+
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
|
|
1248
|
+
pattern-either:
|
|
1249
|
+
- pattern: |-
|
|
1250
|
+
http_access allow corp_users
|
|
1251
|
+
- pattern-regex: 'Vulnerable:\\s*SQD\\-009\\b'
|
|
1252
|
+
message: |-
|
|
1253
|
+
RunSec Detection [SQD-009]: Proxy authentication
|
|
1254
|
+
languages:
|
|
1255
|
+
- generic
|
|
1256
|
+
severity: WARNING
|
|
1257
|
+
- id: runsec.infra-k8s-helm.sqd-010
|
|
1258
|
+
metadata:
|
|
1259
|
+
runsec_version: v1.0
|
|
1260
|
+
confidence: |-
|
|
1261
|
+
0.9
|
|
1262
|
+
exploit_scenario: |-
|
|
1263
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1264
|
+
fix_template: |-
|
|
1265
|
+
acl allowed_domains dstdomain .corp.local http_access allow allowed_domains
|
|
1266
|
+
pattern-either:
|
|
1267
|
+
- pattern: |-
|
|
1268
|
+
http_access allow all
|
|
1269
|
+
- pattern-regex: 'Vulnerable:\\s*SQD\\-010\\b'
|
|
1270
|
+
message: |-
|
|
1271
|
+
RunSec Detection [SQD-010]: Egress control
|
|
1272
|
+
languages:
|
|
1273
|
+
- generic
|
|
1274
|
+
severity: WARNING
|
|
1275
|
+
- id: runsec.infra-k8s-helm.sqd-011
|
|
1276
|
+
metadata:
|
|
1277
|
+
runsec_version: v1.0
|
|
1278
|
+
confidence: |-
|
|
1279
|
+
0.9
|
|
1280
|
+
exploit_scenario: |-
|
|
1281
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1282
|
+
fix_template: |-
|
|
1283
|
+
forwarded_for transparent
|
|
1284
|
+
pattern-either:
|
|
1285
|
+
- pattern: |-
|
|
1286
|
+
forwarded_for off
|
|
1287
|
+
- pattern-regex: 'Vulnerable:\\s*SQD\\-011\\b'
|
|
1288
|
+
message: |-
|
|
1289
|
+
RunSec Detection [SQD-011]: Proxy traceability
|
|
1290
|
+
languages:
|
|
1291
|
+
- generic
|
|
1292
|
+
severity: WARNING
|
|
1293
|
+
- id: runsec.infra-k8s-helm.sqd-012
|
|
1294
|
+
metadata:
|
|
1295
|
+
runsec_version: v1.0
|
|
1296
|
+
confidence: |-
|
|
1297
|
+
0.9
|
|
1298
|
+
exploit_scenario: |-
|
|
1299
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1300
|
+
fix_template: |-
|
|
1301
|
+
cache_effective_user squid cache_effective_group squid
|
|
1302
|
+
pattern-either:
|
|
1303
|
+
- pattern: |-
|
|
1304
|
+
cache_dir ufs /var/spool/squid 100 16 256
|
|
1305
|
+
- pattern-regex: 'Vulnerable:\\s*SQD\\-012\\b'
|
|
1306
|
+
message: |-
|
|
1307
|
+
RunSec Detection [SQD-012]: Proxy filesystem hardening
|
|
1308
|
+
languages:
|
|
1309
|
+
- generic
|
|
1310
|
+
severity: WARNING
|
|
1311
|
+
- id: runsec.infra-k8s-helm.sqd-013
|
|
1312
|
+
metadata:
|
|
1313
|
+
runsec_version: v1.0
|
|
1314
|
+
confidence: |-
|
|
1315
|
+
0.9
|
|
1316
|
+
exploit_scenario: |-
|
|
1317
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1318
|
+
fix_template: |-
|
|
1319
|
+
acl cloud_meta dst 169.254.169.254/32 http_access deny cloud_meta
|
|
1320
|
+
pattern-either:
|
|
1321
|
+
- pattern: |-
|
|
1322
|
+
http_access allow all
|
|
1323
|
+
- pattern-regex: 'Vulnerable:\\s*SQD\\-013\\b'
|
|
1324
|
+
message: |-
|
|
1325
|
+
RunSec Detection [SQD-013]: SSRF/metadata protection
|
|
1326
|
+
languages:
|
|
1327
|
+
- generic
|
|
1328
|
+
severity: WARNING
|
|
1329
|
+
- id: runsec.infra-k8s-helm.sqd-014
|
|
1330
|
+
metadata:
|
|
1331
|
+
runsec_version: v1.0
|
|
1332
|
+
confidence: |-
|
|
1333
|
+
0.9
|
|
1334
|
+
exploit_scenario: |-
|
|
1335
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1336
|
+
fix_template: |-
|
|
1337
|
+
Завершать ACL цепочку http_access deny all и ограничивать localnet только доверенными CIDR-сетями.
|
|
1338
|
+
pattern-either:
|
|
1339
|
+
- pattern: |-
|
|
1340
|
+
Отсутствует http_access deny all в конце
|
|
1341
|
+
acl localnet src 0.0.0.0/0
|
|
1342
|
+
- pattern-regex: 'Vulnerable:\\s*SQD\\-014\\b'
|
|
1343
|
+
message: |-
|
|
1344
|
+
RunSec Detection [SQD-014]: CWE Final Certification
|
|
1345
|
+
languages:
|
|
1346
|
+
- generic
|
|
1347
|
+
severity: WARNING
|
|
1348
|
+
- id: runsec.infra-k8s-helm.ngx-011
|
|
1349
|
+
metadata:
|
|
1350
|
+
runsec_version: v1.0
|
|
1351
|
+
confidence: |-
|
|
1352
|
+
0.9
|
|
1353
|
+
exploit_scenario: |-
|
|
1354
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1355
|
+
fix_template: |-
|
|
1356
|
+
Добавить limit_req_zone с разумным rate/burst и применять limit_req на чувствительных location.
|
|
1357
|
+
pattern-either:
|
|
1358
|
+
- pattern: |-
|
|
1359
|
+
Нет limit_req_zone $binary_remote_addr ... в http block
|
|
1360
|
+
- pattern-regex: 'Vulnerable:\\s*NGX\\-011\\b'
|
|
1361
|
+
message: |-
|
|
1362
|
+
RunSec Detection [NGX-011]: CWE Final Certification
|
|
1363
|
+
languages:
|
|
1364
|
+
- generic
|
|
1365
|
+
severity: WARNING
|
|
1366
|
+
- id: runsec.infra-k8s-helm.ngx-012
|
|
1367
|
+
metadata:
|
|
1368
|
+
runsec_version: v1.0
|
|
1369
|
+
confidence: |-
|
|
1370
|
+
0.9
|
|
1371
|
+
exploit_scenario: |-
|
|
1372
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1373
|
+
fix_template: |-
|
|
1374
|
+
Отключить server_tokens, скрывать версию веб-сервера и минимизировать fingerprinting surface.
|
|
1375
|
+
pattern-either:
|
|
1376
|
+
- pattern: |-
|
|
1377
|
+
Отсутствует server_tokens off;
|
|
1378
|
+
- pattern-regex: 'Vulnerable:\\s*NGX\\-012\\b'
|
|
1379
|
+
message: |-
|
|
1380
|
+
RunSec Detection [NGX-012]: CWE Final Certification
|
|
1381
|
+
languages:
|
|
1382
|
+
- generic
|
|
1383
|
+
severity: WARNING
|
|
1384
|
+
- id: runsec.infra-k8s-helm.dock-021
|
|
1385
|
+
metadata:
|
|
1386
|
+
runsec_version: v1.0
|
|
1387
|
+
confidence: |-
|
|
1388
|
+
0.9
|
|
1389
|
+
exploit_scenario: |-
|
|
1390
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1391
|
+
fix_template: |-
|
|
1392
|
+
Пиновать base image на конкретную версию и digest (FROM python:3.12.3@sha256:...) для воспроизводимости и supply-chain контроля.
|
|
1393
|
+
pattern-either:
|
|
1394
|
+
- pattern: |-
|
|
1395
|
+
FROM python:latest
|
|
1396
|
+
- pattern-regex: 'Vulnerable:\\s*DOCK\\-021\\b'
|
|
1397
|
+
message: |-
|
|
1398
|
+
RunSec Detection [DOCK-021]: CWE Final Certification
|
|
1399
|
+
languages:
|
|
1400
|
+
- generic
|
|
1401
|
+
severity: WARNING
|
|
1402
|
+
- id: runsec.infra-k8s-helm.dock-022
|
|
1403
|
+
metadata:
|
|
1404
|
+
runsec_version: v1.0
|
|
1405
|
+
confidence: |-
|
|
1406
|
+
0.9
|
|
1407
|
+
exploit_scenario: |-
|
|
1408
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1409
|
+
fix_template: |-
|
|
1410
|
+
Фиксировать версии пакетов (curl=... openssl=...), использовать --no-install-recommends и очищать apt cache.
|
|
1411
|
+
pattern-either:
|
|
1412
|
+
- pattern: |-
|
|
1413
|
+
RUN apt-get update && apt-get install -y curl openssl
|
|
1414
|
+
- pattern-regex: 'Vulnerable:\\s*DOCK\\-022\\b'
|
|
1415
|
+
message: |-
|
|
1416
|
+
RunSec Detection [DOCK-022]: CWE Final Certification
|
|
1417
|
+
languages:
|
|
1418
|
+
- generic
|
|
1419
|
+
severity: WARNING
|
|
1420
|
+
- id: runsec.infra-k8s-helm.inf-015
|
|
1421
|
+
metadata:
|
|
1422
|
+
runsec_version: v1.0
|
|
1423
|
+
confidence: |-
|
|
1424
|
+
0.9
|
|
1425
|
+
exploit_scenario: |-
|
|
1426
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1427
|
+
fix_template: |-
|
|
1428
|
+
Блокировать proxy к internal ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.169.254) и использовать strict upstream allowlist.
|
|
1429
|
+
pattern-either:
|
|
1430
|
+
- pattern: |-
|
|
1431
|
+
location /proxy/ { proxy_pass $arg_url; } без denylist внутренних CIDR/metadata
|
|
1432
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-015\\b'
|
|
1433
|
+
message: |-
|
|
1434
|
+
RunSec Detection [INF-015]: CWE Final Certification
|
|
1435
|
+
languages:
|
|
1436
|
+
- generic
|
|
1437
|
+
severity: WARNING
|
|
1438
|
+
- id: runsec.infra-k8s-helm.inf-016
|
|
1439
|
+
metadata:
|
|
1440
|
+
runsec_version: v1.0
|
|
1441
|
+
confidence: |-
|
|
1442
|
+
0.9
|
|
1443
|
+
exploit_scenario: |-
|
|
1444
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1445
|
+
fix_template: |-
|
|
1446
|
+
Дефолтно выставлять безопасные значения (privileged: false, allowPrivilegeEscalation: false, runAsNonRoot: true).
|
|
1447
|
+
pattern-either:
|
|
1448
|
+
- pattern: |-
|
|
1449
|
+
values.yaml: securityContext.privileged: true
|
|
1450
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-016\\b'
|
|
1451
|
+
message: |-
|
|
1452
|
+
RunSec Detection [INF-016]: CWE Final Certification
|
|
1453
|
+
languages:
|
|
1454
|
+
- generic
|
|
1455
|
+
severity: WARNING
|
|
1456
|
+
- id: runsec.infra-k8s-helm.inf-017
|
|
1457
|
+
metadata:
|
|
1458
|
+
runsec_version: v1.0
|
|
1459
|
+
confidence: |-
|
|
1460
|
+
0.9
|
|
1461
|
+
exploit_scenario: |-
|
|
1462
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1463
|
+
fix_template: |-
|
|
1464
|
+
По умолчанию отключать host namespaces и разрешать их только explicit opt-in с security review.
|
|
1465
|
+
pattern-either:
|
|
1466
|
+
- pattern: |-
|
|
1467
|
+
hostNetwork: true/hostPID: true в values по умолчанию
|
|
1468
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-017\\b'
|
|
1469
|
+
message: |-
|
|
1470
|
+
RunSec Detection [INF-017]: CWE Final Certification
|
|
1471
|
+
languages:
|
|
1472
|
+
- generic
|
|
1473
|
+
severity: WARNING
|
|
1474
|
+
- id: runsec.infra-k8s-helm.inf-018
|
|
1475
|
+
metadata:
|
|
1476
|
+
runsec_version: v1.0
|
|
1477
|
+
confidence: |-
|
|
1478
|
+
0.9
|
|
1479
|
+
exploit_scenario: |-
|
|
1480
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1481
|
+
fix_template: |-
|
|
1482
|
+
В chart defaults задавать drop: ["ALL"] и точечно добавлять только необходимые capabilities.
|
|
1483
|
+
pattern-either:
|
|
1484
|
+
- pattern: |-
|
|
1485
|
+
Отсутствует capabilities.drop: ["ALL"] в chart defaults
|
|
1486
|
+
- pattern-regex: 'Vulnerable:\\s*INF\\-018\\b'
|
|
1487
|
+
message: |-
|
|
1488
|
+
RunSec Detection [INF-018]: CWE Final Certification
|
|
1489
|
+
languages:
|
|
1490
|
+
- generic
|
|
1491
|
+
severity: WARNING
|
|
1492
|
+
- id: runsec.infra-k8s-helm.ngx-013
|
|
1493
|
+
metadata:
|
|
1494
|
+
runsec_version: v1.0
|
|
1495
|
+
confidence: |-
|
|
1496
|
+
0.9
|
|
1497
|
+
exploit_scenario: |-
|
|
1498
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1499
|
+
fix_template: |-
|
|
1500
|
+
Запретить dynamic upstream от пользовательских заголовков, фиксировать upstreams и блокировать internal dns zones/cluster domains.
|
|
1501
|
+
pattern-either:
|
|
1502
|
+
- pattern: |-
|
|
1503
|
+
resolver ...; proxy_pass http://$http_host$request_uri;
|
|
1504
|
+
- pattern-regex: 'Vulnerable:\\s*NGX\\-013\\b'
|
|
1505
|
+
message: |-
|
|
1506
|
+
RunSec Detection [NGX-013]: CWE Final Certification
|
|
1507
|
+
languages:
|
|
1508
|
+
- generic
|
|
1509
|
+
severity: WARNING
|
|
1510
|
+
- id: runsec.infra-k8s-helm.sqd-015
|
|
1511
|
+
metadata:
|
|
1512
|
+
runsec_version: v1.0
|
|
1513
|
+
confidence: |-
|
|
1514
|
+
0.9
|
|
1515
|
+
exploit_scenario: |-
|
|
1516
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1517
|
+
fix_template: |-
|
|
1518
|
+
Добавить explicit deny ACL для *.svc, control-plane IPs и metadata endpoints перед allow rules.
|
|
1519
|
+
pattern-either:
|
|
1520
|
+
- pattern: |-
|
|
1521
|
+
http_access allow localnet без deny для kubernetes.default.svc/cluster CIDR
|
|
1522
|
+
- pattern-regex: 'Vulnerable:\\s*SQD\\-015\\b'
|
|
1523
|
+
message: |-
|
|
1524
|
+
RunSec Detection [SQD-015]: CWE Final Certification
|
|
1525
|
+
languages:
|
|
1526
|
+
- generic
|
|
1527
|
+
severity: WARNING
|
|
1528
|
+
- id: runsec.infra-k8s-helm.k8s-026
|
|
1529
|
+
metadata:
|
|
1530
|
+
runsec_version: v1.0
|
|
1531
|
+
confidence: |-
|
|
1532
|
+
0.9
|
|
1533
|
+
exploit_scenario: |-
|
|
1534
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1535
|
+
fix_template: |-
|
|
1536
|
+
Устанавливать default false и включать токен только для конкретных сервисов, где это необходимо.
|
|
1537
|
+
pattern-either:
|
|
1538
|
+
- pattern: |-
|
|
1539
|
+
automountServiceAccountToken: true в chart defaults
|
|
1540
|
+
- pattern-regex: 'Vulnerable:\\s*K8S\\-026\\b'
|
|
1541
|
+
message: |-
|
|
1542
|
+
RunSec Detection [K8S-026]: CWE Final Certification
|
|
1543
|
+
languages:
|
|
1544
|
+
- generic
|
|
1545
|
+
severity: WARNING
|
|
1546
|
+
- id: runsec.infra-k8s-helm.dock-023
|
|
1547
|
+
metadata:
|
|
1548
|
+
runsec_version: v1.0
|
|
1549
|
+
confidence: |-
|
|
1550
|
+
0.9
|
|
1551
|
+
exploit_scenario: |-
|
|
1552
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1553
|
+
fix_template: |-
|
|
1554
|
+
Подпись артефакта в registry; SBOM + verify в pipeline.
|
|
1555
|
+
pattern-either:
|
|
1556
|
+
- pattern: |-
|
|
1557
|
+
docker load -i release.tar
|
|
1558
|
+
# cosign verify skipped
|
|
1559
|
+
- pattern-regex: 'Vulnerable:\\s*DOCK\\-023\\b'
|
|
1560
|
+
message: |-
|
|
1561
|
+
RunSec Detection [DOCK-023]: CWE-347
|
|
1562
|
+
languages:
|
|
1563
|
+
- generic
|
|
1564
|
+
severity: WARNING
|
|
1565
|
+
- id: runsec.infra-k8s-helm.dock-024
|
|
1566
|
+
metadata:
|
|
1567
|
+
runsec_version: v1.0
|
|
1568
|
+
confidence: |-
|
|
1569
|
+
0.9
|
|
1570
|
+
exploit_scenario: |-
|
|
1571
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1572
|
+
fix_template: |-
|
|
1573
|
+
FROM repo/img@sha256:... + verify attestation.
|
|
1574
|
+
pattern-either:
|
|
1575
|
+
- pattern: |-
|
|
1576
|
+
docker build -t app:latest . без cosign verify base
|
|
1577
|
+
- pattern-regex: 'Vulnerable:\\s*DOCK\\-024\\b'
|
|
1578
|
+
message: |-
|
|
1579
|
+
RunSec Detection [DOCK-024]: CWE-347
|
|
1580
|
+
languages:
|
|
1581
|
+
- generic
|
|
1582
|
+
severity: WARNING
|
|
1583
|
+
- id: runsec.infra-k8s-helm.dock-025
|
|
1584
|
+
metadata:
|
|
1585
|
+
runsec_version: v1.0
|
|
1586
|
+
confidence: |-
|
|
1587
|
+
0.9
|
|
1588
|
+
exploit_scenario: |-
|
|
1589
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1590
|
+
fix_template: |-
|
|
1591
|
+
Подписанные образы и политика deploy only if verified.
|
|
1592
|
+
pattern-either:
|
|
1593
|
+
- pattern: |-
|
|
1594
|
+
docker compose pull без Notary/cosign
|
|
1595
|
+
- pattern-regex: 'Vulnerable:\\s*DOCK\\-025\\b'
|
|
1596
|
+
message: |-
|
|
1597
|
+
RunSec Detection [DOCK-025]: CWE-347
|
|
1598
|
+
languages:
|
|
1599
|
+
- generic
|
|
1600
|
+
severity: WARNING
|
|
1601
|
+
- id: runsec.infra-k8s-helm.k8s-027
|
|
1602
|
+
metadata:
|
|
1603
|
+
runsec_version: v1.0
|
|
1604
|
+
confidence: |-
|
|
1605
|
+
0.9
|
|
1606
|
+
exploit_scenario: |-
|
|
1607
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1608
|
+
fix_template: |-
|
|
1609
|
+
Helm provenance + GPG/cosign для chart packages.
|
|
1610
|
+
pattern-either:
|
|
1611
|
+
- pattern: |-
|
|
1612
|
+
helm install rel ./chart.tgz без .prov
|
|
1613
|
+
- pattern-regex: 'Vulnerable:\\s*K8S\\-027\\b'
|
|
1614
|
+
message: |-
|
|
1615
|
+
RunSec Detection [K8S-027]: CWE-347
|
|
1616
|
+
languages:
|
|
1617
|
+
- generic
|
|
1618
|
+
severity: WARNING
|
|
1619
|
+
- id: runsec.infra-k8s-helm.k8s-028
|
|
1620
|
+
metadata:
|
|
1621
|
+
runsec_version: v1.0
|
|
1622
|
+
confidence: |-
|
|
1623
|
+
0.9
|
|
1624
|
+
exploit_scenario: |-
|
|
1625
|
+
Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
|
|
1626
|
+
fix_template: |-
|
|
1627
|
+
OCI artifact signing + Kyborio/OPA policy.
|
|
1628
|
+
pattern-either:
|
|
1629
|
+
- pattern: |-
|
|
1630
|
+
image: myreg/app:1.0.0 без digest
|
|
1631
|
+
- pattern-regex: 'Vulnerable:\\s*K8S\\-028\\b'
|
|
1632
|
+
message: |-
|
|
1633
|
+
RunSec Detection [K8S-028]: CWE-347
|
|
1634
|
+
languages:
|
|
1635
|
+
- generic
|
|
1636
|
+
severity: WARNING
|
|
1637
|
+
- id: runsec.infra-k8s-helm.iac-001
|
|
1638
|
+
metadata:
|
|
1639
|
+
runsec_version: v1.0
|
|
1640
|
+
confidence: |-
|
|
1641
|
+
0.9
|
|
1642
|
+
exploit_scenario: |-
|
|
1643
|
+
N/A
|
|
1644
|
+
fix_template: |-
|
|
1645
|
+
Enforce public access block on all buckets.
|
|
1646
|
+
pattern-either:
|
|
1647
|
+
- pattern: |-
|
|
1648
|
+
resource "aws_s3_bucket_public_access_block" "b" {
|
|
1649
|
+
block_public_acls = false
|
|
1650
|
+
}
|
|
1651
|
+
- pattern-regex: 'Vulnerable:\\s*IAC\\-001\\b'
|
|
1652
|
+
message: |-
|
|
1653
|
+
RunSec Detection [IAC-001]: CWE-1188
|
|
1654
|
+
languages:
|
|
1655
|
+
- generic
|
|
1656
|
+
severity: WARNING
|
|
1657
|
+
- id: runsec.infra-k8s-helm.iac-002
|
|
1658
|
+
metadata:
|
|
1659
|
+
runsec_version: v1.0
|
|
1660
|
+
confidence: |-
|
|
1661
|
+
0.9
|
|
1662
|
+
exploit_scenario: |-
|
|
1663
|
+
N/A
|
|
1664
|
+
fix_template: |-
|
|
1665
|
+
Require KMS-backed encryption by default.
|
|
1666
|
+
pattern-either:
|
|
1667
|
+
- pattern: |-
|
|
1668
|
+
resource "aws_s3_bucket" "logs" { bucket = "corp-logs" }
|
|
1669
|
+
- pattern-regex: 'Vulnerable:\\s*IAC\\-002\\b'
|
|
1670
|
+
message: |-
|
|
1671
|
+
RunSec Detection [IAC-002]: CWE-311
|
|
1672
|
+
languages:
|
|
1673
|
+
- generic
|
|
1674
|
+
severity: WARNING
|
|
1675
|
+
- id: runsec.infra-k8s-helm.iac-003
|
|
1676
|
+
metadata:
|
|
1677
|
+
runsec_version: v1.0
|
|
1678
|
+
confidence: |-
|
|
1679
|
+
0.9
|
|
1680
|
+
exploit_scenario: |-
|
|
1681
|
+
N/A
|
|
1682
|
+
fix_template: |-
|
|
1683
|
+
Restrict principals with least privilege policy.
|
|
1684
|
+
pattern-either:
|
|
1685
|
+
- pattern: |-
|
|
1686
|
+
"Principal":"*"
|
|
1687
|
+
- pattern-regex: 'Vulnerable:\\s*IAC\\-003\\b'
|
|
1688
|
+
message: |-
|
|
1689
|
+
RunSec Detection [IAC-003]: CWE-284
|
|
1690
|
+
languages:
|
|
1691
|
+
- generic
|
|
1692
|
+
severity: WARNING
|
|
1693
|
+
- id: runsec.infra-k8s-helm.iac-004
|
|
1694
|
+
metadata:
|
|
1695
|
+
runsec_version: v1.0
|
|
1696
|
+
confidence: |-
|
|
1697
|
+
0.9
|
|
1698
|
+
exploit_scenario: |-
|
|
1699
|
+
N/A
|
|
1700
|
+
fix_template: |-
|
|
1701
|
+
Disable ACL-based ownership drift.
|
|
1702
|
+
pattern-either:
|
|
1703
|
+
- pattern: |-
|
|
1704
|
+
object_ownership = "BucketOwnerPreferred"
|
|
1705
|
+
- pattern-regex: 'Vulnerable:\\s*IAC\\-004\\b'
|
|
1706
|
+
message: |-
|
|
1707
|
+
RunSec Detection [IAC-004]: CWE-1188
|
|
1708
|
+
languages:
|
|
1709
|
+
- generic
|
|
1710
|
+
severity: WARNING
|
|
1711
|
+
- id: runsec.infra-k8s-helm.iac-005
|
|
1712
|
+
metadata:
|
|
1713
|
+
runsec_version: v1.0
|
|
1714
|
+
confidence: |-
|
|
1715
|
+
0.9
|
|
1716
|
+
exploit_scenario: |-
|
|
1717
|
+
N/A
|
|
1718
|
+
fix_template: |-
|
|
1719
|
+
Enable versioning for rollback and integrity.
|
|
1720
|
+
pattern-either:
|
|
1721
|
+
- pattern: |-
|
|
1722
|
+
status = "Disabled"
|
|
1723
|
+
- pattern-regex: 'Vulnerable:\\s*IAC\\-005\\b'
|
|
1724
|
+
message: |-
|
|
1725
|
+
RunSec Detection [IAC-005]: CWE-1025
|
|
1726
|
+
languages:
|
|
1727
|
+
- generic
|
|
1728
|
+
severity: WARNING
|
|
1729
|
+
- id: runsec.infra-k8s-helm.iac-006
|
|
1730
|
+
metadata:
|
|
1731
|
+
runsec_version: v1.0
|
|
1732
|
+
confidence: |-
|
|
1733
|
+
0.9
|
|
1734
|
+
exploit_scenario: |-
|
|
1735
|
+
N/A
|
|
1736
|
+
fix_template: |-
|
|
1737
|
+
Apply retention policy for forensic recovery.
|
|
1738
|
+
pattern-either:
|
|
1739
|
+
- pattern: |-
|
|
1740
|
+
expiration { days = 1 }
|
|
1741
|
+
- pattern-regex: 'Vulnerable:\\s*IAC\\-006\\b'
|
|
1742
|
+
message: |-
|
|
1743
|
+
RunSec Detection [IAC-006]: CWE-1188
|
|
1744
|
+
languages:
|
|
1745
|
+
- generic
|
|
1746
|
+
severity: WARNING
|
|
1747
|
+
- id: runsec.infra-k8s-helm.iac-007
|
|
1748
|
+
metadata:
|
|
1749
|
+
runsec_version: v1.0
|
|
1750
|
+
confidence: |-
|
|
1751
|
+
0.9
|
|
1752
|
+
exploit_scenario: |-
|
|
1753
|
+
N/A
|
|
1754
|
+
fix_template: |-
|
|
1755
|
+
Enable immutable audit logging.
|
|
1756
|
+
pattern-either:
|
|
1757
|
+
- pattern: |-
|
|
1758
|
+
resource "aws_s3_bucket" "tf_state" { ... }
|
|
1759
|
+
- pattern-regex: 'Vulnerable:\\s*IAC\\-007\\b'
|
|
1760
|
+
message: |-
|
|
1761
|
+
RunSec Detection [IAC-007]: CWE-778
|
|
1762
|
+
languages:
|
|
1763
|
+
- generic
|
|
1764
|
+
severity: WARNING
|
|
1765
|
+
- id: runsec.infra-k8s-helm.iac-008
|
|
1766
|
+
metadata:
|
|
1767
|
+
runsec_version: v1.0
|
|
1768
|
+
confidence: |-
|
|
1769
|
+
0.9
|
|
1770
|
+
exploit_scenario: |-
|
|
1771
|
+
N/A
|
|
1772
|
+
fix_template: |-
|
|
1773
|
+
Scope IAM actions/resources minimally.
|
|
1774
|
+
pattern-either:
|
|
1775
|
+
- pattern: |-
|
|
1776
|
+
"Action":"s3:*","Resource":"*"
|
|
1777
|
+
- pattern-regex: 'Vulnerable:\\s*IAC\\-008\\b'
|
|
1778
|
+
message: |-
|
|
1779
|
+
RunSec Detection [IAC-008]: CWE-732
|
|
1780
|
+
languages:
|
|
1781
|
+
- generic
|
|
1782
|
+
severity: WARNING
|
|
1783
|
+
- id: runsec.infra-k8s-helm.iac-009
|
|
1784
|
+
metadata:
|
|
1785
|
+
runsec_version: v1.0
|
|
1786
|
+
confidence: |-
|
|
1787
|
+
0.9
|
|
1788
|
+
exploit_scenario: |-
|
|
1789
|
+
N/A
|
|
1790
|
+
fix_template: |-
|
|
1791
|
+
Use internal exposure by default.
|
|
1792
|
+
pattern-either:
|
|
1793
|
+
- pattern: |-
|
|
1794
|
+
service:
|
|
1795
|
+
- pattern-regex: 'Vulnerable:\\s*IAC\\-009\\b'
|
|
1796
|
+
message: |-
|
|
1797
|
+
RunSec Detection [IAC-009]: CWE-1188
|
|
1798
|
+
languages:
|
|
1799
|
+
- generic
|
|
1800
|
+
severity: WARNING
|
|
1801
|
+
- id: runsec.infra-k8s-helm.iac-010
|
|
1802
|
+
metadata:
|
|
1803
|
+
runsec_version: v1.0
|
|
1804
|
+
confidence: |-
|
|
1805
|
+
0.9
|
|
1806
|
+
exploit_scenario: |-
|
|
1807
|
+
N/A
|
|
1808
|
+
fix_template: |-
|
|
1809
|
+
Require TLS secrets in default values.
|
|
1810
|
+
pattern-either:
|
|
1811
|
+
- pattern: |-
|
|
1812
|
+
ingress:
|
|
1813
|
+
- pattern-regex: 'Vulnerable:\\s*IAC\\-010\\b'
|
|
1814
|
+
message: |-
|
|
1815
|
+
RunSec Detection [IAC-010]: CWE-319
|
|
1816
|
+
languages:
|
|
1817
|
+
- generic
|
|
1818
|
+
severity: WARNING
|
|
1819
|
+
- id: runsec.infra-k8s-helm.iac-011
|
|
1820
|
+
metadata:
|
|
1821
|
+
runsec_version: v1.0
|
|
1822
|
+
confidence: |-
|
|
1823
|
+
0.9
|
|
1824
|
+
exploit_scenario: |-
|
|
1825
|
+
N/A
|
|
1826
|
+
fix_template: |-
|
|
1827
|
+
Ship safe resource defaults for pods.
|
|
1828
|
+
pattern-either:
|
|
1829
|
+
- pattern: |-
|
|
1830
|
+
resources: {}
|
|
1831
|
+
- pattern-regex: 'Vulnerable:\\s*IAC\\-011\\b'
|
|
1832
|
+
message: |-
|
|
1833
|
+
RunSec Detection [IAC-011]: CWE-770
|
|
1834
|
+
languages:
|
|
1835
|
+
- generic
|
|
1836
|
+
severity: WARNING
|
|
1837
|
+
- id: runsec.infra-k8s-helm.iac-012
|
|
1838
|
+
metadata:
|
|
1839
|
+
runsec_version: v1.0
|
|
1840
|
+
confidence: |-
|
|
1841
|
+
0.9
|
|
1842
|
+
exploit_scenario: |-
|
|
1843
|
+
N/A
|
|
1844
|
+
fix_template: |-
|
|
1845
|
+
Pin digest and deterministic pull policy.
|
|
1846
|
+
pattern-either:
|
|
1847
|
+
- pattern: |-
|
|
1848
|
+
image:
|
|
1849
|
+
- pattern-regex: 'Vulnerable:\\s*IAC\\-012\\b'
|
|
1850
|
+
message: |-
|
|
1851
|
+
RunSec Detection [IAC-012]: CWE-494
|
|
1852
|
+
languages:
|
|
1853
|
+
- generic
|
|
1854
|
+
severity: WARNING
|
|
1855
|
+
- id: runsec.infra-k8s-helm.iac-013
|
|
1856
|
+
metadata:
|
|
1857
|
+
runsec_version: v1.0
|
|
1858
|
+
confidence: |-
|
|
1859
|
+
0.9
|
|
1860
|
+
exploit_scenario: |-
|
|
1861
|
+
N/A
|
|
1862
|
+
fix_template: |-
|
|
1863
|
+
Harden pod runtime baseline defaults.
|
|
1864
|
+
pattern-either:
|
|
1865
|
+
- pattern: |-
|
|
1866
|
+
securityContext: {}
|
|
1867
|
+
- pattern-regex: 'Vulnerable:\\s*IAC\\-013\\b'
|
|
1868
|
+
message: |-
|
|
1869
|
+
RunSec Detection [IAC-013]: CWE-250
|
|
1870
|
+
languages:
|
|
1871
|
+
- generic
|
|
1872
|
+
severity: WARNING
|
|
1873
|
+
- id: runsec.infra-k8s-helm.iac-014
|
|
1874
|
+
metadata:
|
|
1875
|
+
runsec_version: v1.0
|
|
1876
|
+
confidence: |-
|
|
1877
|
+
0.9
|
|
1878
|
+
exploit_scenario: |-
|
|
1879
|
+
N/A
|
|
1880
|
+
fix_template: |-
|
|
1881
|
+
Disable privilege escalation by default.
|
|
1882
|
+
pattern-either:
|
|
1883
|
+
- pattern: |-
|
|
1884
|
+
allowPrivilegeEscalation: true
|
|
1885
|
+
- pattern-regex: 'Vulnerable:\\s*IAC\\-014\\b'
|
|
1886
|
+
message: |-
|
|
1887
|
+
RunSec Detection [IAC-014]: CWE-269
|
|
1888
|
+
languages:
|
|
1889
|
+
- generic
|
|
1890
|
+
severity: WARNING
|
|
1891
|
+
- id: runsec.infra-k8s-helm.iac-015
|
|
1892
|
+
metadata:
|
|
1893
|
+
runsec_version: v1.0
|
|
1894
|
+
confidence: |-
|
|
1895
|
+
0.9
|
|
1896
|
+
exploit_scenario: |-
|
|
1897
|
+
N/A
|
|
1898
|
+
fix_template: |-
|
|
1899
|
+
Keep admin routes disabled by default.
|
|
1900
|
+
pattern-either:
|
|
1901
|
+
- pattern: |-
|
|
1902
|
+
ingress.paths: ["/", "/admin"]
|
|
1903
|
+
- pattern-regex: 'Vulnerable:\\s*IAC\\-015\\b'
|
|
1904
|
+
message: |-
|
|
1905
|
+
RunSec Detection [IAC-015]: CWE-200
|
|
1906
|
+
languages:
|
|
1907
|
+
- generic
|
|
1908
|
+
severity: WARNING
|
|
1909
|
+
- id: runsec.infra-k8s-helm.iac-016
|
|
1910
|
+
metadata:
|
|
1911
|
+
runsec_version: v1.0
|
|
1912
|
+
confidence: |-
|
|
1913
|
+
0.9
|
|
1914
|
+
exploit_scenario: |-
|
|
1915
|
+
N/A
|
|
1916
|
+
fix_template: |-
|
|
1917
|
+
Opt-in token mount only where needed.
|
|
1918
|
+
pattern-either:
|
|
1919
|
+
- pattern: |-
|
|
1920
|
+
automountServiceAccountToken: true
|
|
1921
|
+
- pattern-regex: 'Vulnerable:\\s*IAC\\-016\\b'
|
|
1922
|
+
message: |-
|
|
1923
|
+
RunSec Detection [IAC-016]: CWE-1188
|
|
1924
|
+
languages:
|
|
1925
|
+
- generic
|
|
1926
|
+
severity: WARNING
|
|
1927
|
+
- id: runsec.infra-k8s-helm.iac-017
|
|
1928
|
+
metadata:
|
|
1929
|
+
runsec_version: v1.0
|
|
1930
|
+
confidence: |-
|
|
1931
|
+
0.9
|
|
1932
|
+
exploit_scenario: |-
|
|
1933
|
+
N/A
|
|
1934
|
+
fix_template: |-
|
|
1935
|
+
Enable deny-by-default network policy.
|
|
1936
|
+
pattern-either:
|
|
1937
|
+
- pattern: |-
|
|
1938
|
+
networkPolicy.enabled: false
|
|
1939
|
+
- pattern-regex: 'Vulnerable:\\s*IAC\\-017\\b'
|
|
1940
|
+
message: |-
|
|
1941
|
+
RunSec Detection [IAC-017]: CWE-284
|
|
1942
|
+
languages:
|
|
1943
|
+
- generic
|
|
1944
|
+
severity: WARNING
|
|
1945
|
+
- id: runsec.infra-k8s-helm.iac-018
|
|
1946
|
+
metadata:
|
|
1947
|
+
runsec_version: v1.0
|
|
1948
|
+
confidence: |-
|
|
1949
|
+
0.9
|
|
1950
|
+
exploit_scenario: |-
|
|
1951
|
+
N/A
|
|
1952
|
+
fix_template: |-
|
|
1953
|
+
Restrict egress to approved CIDRs/services.
|
|
1954
|
+
pattern-either:
|
|
1955
|
+
- pattern: |-
|
|
1956
|
+
egress { cidr_blocks = ["0.0.0.0/0"] }
|
|
1957
|
+
- pattern-regex: 'Vulnerable:\\s*IAC\\-018\\b'
|
|
1958
|
+
message: |-
|
|
1959
|
+
RunSec Detection [IAC-018]: CWE-918
|
|
1960
|
+
languages:
|
|
1961
|
+
- generic
|
|
1962
|
+
severity: WARNING
|
|
1963
|
+
- id: runsec.infra-k8s-helm.iac-019
|
|
1964
|
+
metadata:
|
|
1965
|
+
runsec_version: v1.0
|
|
1966
|
+
confidence: |-
|
|
1967
|
+
0.9
|
|
1968
|
+
exploit_scenario: |-
|
|
1969
|
+
N/A
|
|
1970
|
+
fix_template: |-
|
|
1971
|
+
Force IMDSv2 for metadata protection.
|
|
1972
|
+
pattern-either:
|
|
1973
|
+
- pattern: |-
|
|
1974
|
+
metadata_options { http_tokens = "optional" }
|
|
1975
|
+
- pattern-regex: 'Vulnerable:\\s*IAC\\-019\\b'
|
|
1976
|
+
message: |-
|
|
1977
|
+
RunSec Detection [IAC-019]: CWE-1188
|
|
1978
|
+
languages:
|
|
1979
|
+
- generic
|
|
1980
|
+
severity: WARNING
|
|
1981
|
+
- id: runsec.infra-k8s-helm.iac-020
|
|
1982
|
+
metadata:
|
|
1983
|
+
runsec_version: v1.0
|
|
1984
|
+
confidence: |-
|
|
1985
|
+
0.9
|
|
1986
|
+
exploit_scenario: |-
|
|
1987
|
+
N/A
|
|
1988
|
+
fix_template: |-
|
|
1989
|
+
Block host alias overrides to metadata IPs.
|
|
1990
|
+
pattern-either:
|
|
1991
|
+
- pattern: |-
|
|
1992
|
+
hostAliases:
|
|
1993
|
+
- pattern-regex: 'Vulnerable:\\s*IAC\\-020\\b'
|
|
1994
|
+
message: |-
|
|
1995
|
+
RunSec Detection [IAC-020]: CWE-918
|
|
1996
|
+
languages:
|
|
1997
|
+
- generic
|
|
1998
|
+
severity: WARNING
|
|
1999
|
+
- id: runsec.infra-k8s-helm.msh-001
|
|
2000
|
+
metadata:
|
|
2001
|
+
runsec_version: v1.0
|
|
2002
|
+
confidence: |-
|
|
2003
|
+
0.9
|
|
2004
|
+
exploit_scenario: |-
|
|
2005
|
+
N/A
|
|
2006
|
+
fix_template: |-
|
|
2007
|
+
Enforce STRICT mTLS for workload identity.
|
|
2008
|
+
pattern-either:
|
|
2009
|
+
- pattern: |-
|
|
2010
|
+
mode: PERMISSIVE
|
|
2011
|
+
- pattern-regex: 'Vulnerable:\\s*MSH\\-001\\b'
|
|
2012
|
+
message: |-
|
|
2013
|
+
RunSec Detection [MSH-001]: CWE-295
|
|
2014
|
+
languages:
|
|
2015
|
+
- generic
|
|
2016
|
+
severity: WARNING
|
|
2017
|
+
- id: runsec.infra-k8s-helm.msh-002
|
|
2018
|
+
metadata:
|
|
2019
|
+
runsec_version: v1.0
|
|
2020
|
+
confidence: |-
|
|
2021
|
+
0.9
|
|
2022
|
+
exploit_scenario: |-
|
|
2023
|
+
N/A
|
|
2024
|
+
fix_template: |-
|
|
2025
|
+
Default-deny with explicit STRICT policy.
|
|
2026
|
+
pattern-either:
|
|
2027
|
+
- pattern: |-
|
|
2028
|
+
# no PeerAuthentication in prod-ns
|
|
2029
|
+
- pattern-regex: 'Vulnerable:\\s*MSH\\-002\\b'
|
|
2030
|
+
message: |-
|
|
2031
|
+
RunSec Detection [MSH-002]: CWE-295
|
|
2032
|
+
languages:
|
|
2033
|
+
- generic
|
|
2034
|
+
severity: WARNING
|
|
2035
|
+
- id: runsec.infra-k8s-helm.msh-003
|
|
2036
|
+
metadata:
|
|
2037
|
+
runsec_version: v1.0
|
|
2038
|
+
confidence: |-
|
|
2039
|
+
0.9
|
|
2040
|
+
exploit_scenario: |-
|
|
2041
|
+
N/A
|
|
2042
|
+
fix_template: |-
|
|
2043
|
+
Never disable TLS to upstream.
|
|
2044
|
+
pattern-either:
|
|
2045
|
+
- pattern: |-
|
|
2046
|
+
trafficPolicy: { tls: { mode: DISABLE } }
|
|
2047
|
+
- pattern-regex: 'Vulnerable:\\s*MSH\\-003\\b'
|
|
2048
|
+
message: |-
|
|
2049
|
+
RunSec Detection [MSH-003]: CWE-319
|
|
2050
|
+
languages:
|
|
2051
|
+
- generic
|
|
2052
|
+
severity: WARNING
|
|
2053
|
+
- id: runsec.infra-k8s-helm.msh-004
|
|
2054
|
+
metadata:
|
|
2055
|
+
runsec_version: v1.0
|
|
2056
|
+
confidence: |-
|
|
2057
|
+
0.9
|
|
2058
|
+
exploit_scenario: |-
|
|
2059
|
+
N/A
|
|
2060
|
+
fix_template: |-
|
|
2061
|
+
Scope to SPIFFE IDs.
|
|
2062
|
+
pattern-either:
|
|
2063
|
+
- pattern: |-
|
|
2064
|
+
principals: ["*"]
|
|
2065
|
+
- pattern-regex: 'Vulnerable:\\s*MSH\\-004\\b'
|
|
2066
|
+
message: |-
|
|
2067
|
+
RunSec Detection [MSH-004]: CWE-284
|
|
2068
|
+
languages:
|
|
2069
|
+
- generic
|
|
2070
|
+
severity: WARNING
|
|
2071
|
+
- id: runsec.infra-k8s-helm.msh-005
|
|
2072
|
+
metadata:
|
|
2073
|
+
runsec_version: v1.0
|
|
2074
|
+
confidence: |-
|
|
2075
|
+
0.9
|
|
2076
|
+
exploit_scenario: |-
|
|
2077
|
+
N/A
|
|
2078
|
+
fix_template: |-
|
|
2079
|
+
Limit egress to required services.
|
|
2080
|
+
pattern-either:
|
|
2081
|
+
- pattern: |-
|
|
2082
|
+
egress: { hosts: ["*/*"] }
|
|
2083
|
+
- pattern-regex: 'Vulnerable:\\s*MSH\\-005\\b'
|
|
2084
|
+
message: |-
|
|
2085
|
+
RunSec Detection [MSH-005]: CWE-918
|
|
2086
|
+
languages:
|
|
2087
|
+
- generic
|
|
2088
|
+
severity: WARNING
|
|
2089
|
+
- id: runsec.infra-k8s-helm.msh-006
|
|
2090
|
+
metadata:
|
|
2091
|
+
runsec_version: v1.0
|
|
2092
|
+
confidence: |-
|
|
2093
|
+
0.9
|
|
2094
|
+
exploit_scenario: |-
|
|
2095
|
+
N/A
|
|
2096
|
+
fix_template: |-
|
|
2097
|
+
Explicit TLS termination policy.
|
|
2098
|
+
pattern-either:
|
|
2099
|
+
- pattern: |-
|
|
2100
|
+
protocol: TLS
|
|
2101
|
+
- pattern-regex: 'Vulnerable:\\s*MSH\\-006\\b'
|
|
2102
|
+
message: |-
|
|
2103
|
+
RunSec Detection [MSH-006]: CWE-295
|
|
2104
|
+
languages:
|
|
2105
|
+
- generic
|
|
2106
|
+
severity: WARNING
|
|
2107
|
+
- id: runsec.infra-k8s-helm.msh-007
|
|
2108
|
+
metadata:
|
|
2109
|
+
runsec_version: v1.0
|
|
2110
|
+
confidence: |-
|
|
2111
|
+
0.9
|
|
2112
|
+
exploit_scenario: |-
|
|
2113
|
+
N/A
|
|
2114
|
+
fix_template: |-
|
|
2115
|
+
Force HTTPS upgrade.
|
|
2116
|
+
pattern-either:
|
|
2117
|
+
- pattern: |-
|
|
2118
|
+
parentRefs: [{ name: public-gw }] без redirect
|
|
2119
|
+
- pattern-regex: 'Vulnerable:\\s*MSH\\-007\\b'
|
|
2120
|
+
message: |-
|
|
2121
|
+
RunSec Detection [MSH-007]: CWE-319
|
|
2122
|
+
languages:
|
|
2123
|
+
- generic
|
|
2124
|
+
severity: WARNING
|
|
2125
|
+
- id: runsec.infra-k8s-helm.msh-008
|
|
2126
|
+
metadata:
|
|
2127
|
+
runsec_version: v1.0
|
|
2128
|
+
confidence: |-
|
|
2129
|
+
0.9
|
|
2130
|
+
exploit_scenario: |-
|
|
2131
|
+
N/A
|
|
2132
|
+
fix_template: |-
|
|
2133
|
+
Require auth at gateway/mesh.
|
|
2134
|
+
pattern-either:
|
|
2135
|
+
- pattern: |-
|
|
2136
|
+
path: { type: PathPrefix, value: "/" }
|
|
2137
|
+
- pattern-regex: 'Vulnerable:\\s*MSH\\-008\\b'
|
|
2138
|
+
message: |-
|
|
2139
|
+
RunSec Detection [MSH-008]: CWE-306
|
|
2140
|
+
languages:
|
|
2141
|
+
- generic
|
|
2142
|
+
severity: WARNING
|
|
2143
|
+
- id: runsec.infra-k8s-helm.msh-009
|
|
2144
|
+
metadata:
|
|
2145
|
+
runsec_version: v1.0
|
|
2146
|
+
confidence: |-
|
|
2147
|
+
0.9
|
|
2148
|
+
exploit_scenario: |-
|
|
2149
|
+
N/A
|
|
2150
|
+
fix_template: |-
|
|
2151
|
+
Preserve audit trail.
|
|
2152
|
+
pattern-either:
|
|
2153
|
+
- pattern: |-
|
|
2154
|
+
accessLogging: [{ providers: [{ name: none }] }]
|
|
2155
|
+
- pattern-regex: 'Vulnerable:\\s*MSH\\-009\\b'
|
|
2156
|
+
message: |-
|
|
2157
|
+
RunSec Detection [MSH-009]: CWE-778
|
|
2158
|
+
languages:
|
|
2159
|
+
- generic
|
|
2160
|
+
severity: WARNING
|
|
2161
|
+
- id: runsec.infra-k8s-helm.msh-010
|
|
2162
|
+
metadata:
|
|
2163
|
+
runsec_version: v1.0
|
|
2164
|
+
confidence: |-
|
|
2165
|
+
0.9
|
|
2166
|
+
exploit_scenario: |-
|
|
2167
|
+
N/A
|
|
2168
|
+
fix_template: |-
|
|
2169
|
+
Validate JWT at mesh edge.
|
|
2170
|
+
pattern-either:
|
|
2171
|
+
- pattern: |-
|
|
2172
|
+
# no RequestAuthentication
|
|
2173
|
+
- pattern-regex: 'Vulnerable:\\s*MSH\\-010\\b'
|
|
2174
|
+
message: |-
|
|
2175
|
+
RunSec Detection [MSH-010]: CWE-287
|
|
2176
|
+
languages:
|
|
2177
|
+
- generic
|
|
2178
|
+
severity: WARNING
|
|
2179
|
+
- id: runsec.infra-k8s-helm.msh-011
|
|
2180
|
+
metadata:
|
|
2181
|
+
runsec_version: v1.0
|
|
2182
|
+
confidence: |-
|
|
2183
|
+
0.9
|
|
2184
|
+
exploit_scenario: |-
|
|
2185
|
+
N/A
|
|
2186
|
+
fix_template: |-
|
|
2187
|
+
Encrypt backend hop.
|
|
2188
|
+
pattern-either:
|
|
2189
|
+
- pattern: |-
|
|
2190
|
+
backendRefs: [{ name: api, namespace: other }]
|
|
2191
|
+
- pattern-regex: 'Vulnerable:\\s*MSH\\-011\\b'
|
|
2192
|
+
message: |-
|
|
2193
|
+
RunSec Detection [MSH-011]: CWE-295
|
|
2194
|
+
languages:
|
|
2195
|
+
- generic
|
|
2196
|
+
severity: WARNING
|
|
2197
|
+
- id: runsec.infra-k8s-helm.msh-012
|
|
2198
|
+
metadata:
|
|
2199
|
+
runsec_version: v1.0
|
|
2200
|
+
confidence: |-
|
|
2201
|
+
0.9
|
|
2202
|
+
exploit_scenario: |-
|
|
2203
|
+
N/A
|
|
2204
|
+
fix_template: |-
|
|
2205
|
+
Control external workload registration.
|
|
2206
|
+
pattern-either:
|
|
2207
|
+
- pattern: |-
|
|
2208
|
+
address: 203.0.113.10
|
|
2209
|
+
- pattern-regex: 'Vulnerable:\\s*MSH\\-012\\b'
|
|
2210
|
+
message: |-
|
|
2211
|
+
RunSec Detection [MSH-012]: CWE-284
|
|
2212
|
+
languages:
|
|
2213
|
+
- generic
|
|
2214
|
+
severity: WARNING
|
|
2215
|
+
- id: runsec.infra-k8s-helm.msh-013
|
|
2216
|
+
metadata:
|
|
2217
|
+
runsec_version: v1.0
|
|
2218
|
+
confidence: |-
|
|
2219
|
+
0.9
|
|
2220
|
+
exploit_scenario: |-
|
|
2221
|
+
N/A
|
|
2222
|
+
fix_template: |-
|
|
2223
|
+
Use TLS for gRPC listeners.
|
|
2224
|
+
pattern-either:
|
|
2225
|
+
- pattern: |-
|
|
2226
|
+
protocol: HTTP for gRPC
|
|
2227
|
+
- pattern-regex: 'Vulnerable:\\s*MSH\\-013\\b'
|
|
2228
|
+
message: |-
|
|
2229
|
+
RunSec Detection [MSH-013]: CWE-319
|
|
2230
|
+
languages:
|
|
2231
|
+
- generic
|
|
2232
|
+
severity: WARNING
|
|
2233
|
+
- id: runsec.infra-k8s-helm.msh-014
|
|
2234
|
+
metadata:
|
|
2235
|
+
runsec_version: v1.0
|
|
2236
|
+
confidence: |-
|
|
2237
|
+
0.9
|
|
2238
|
+
exploit_scenario: |-
|
|
2239
|
+
N/A
|
|
2240
|
+
fix_template: |-
|
|
2241
|
+
Prevent arbitrary Lua injection.
|
|
2242
|
+
pattern-either:
|
|
2243
|
+
- pattern: |-
|
|
2244
|
+
lua: { inlineString: "..." }
|
|
2245
|
+
- pattern-regex: 'Vulnerable:\\s*MSH\\-014\\b'
|
|
2246
|
+
message: |-
|
|
2247
|
+
RunSec Detection [MSH-014]: CWE-94
|
|
2248
|
+
languages:
|
|
2249
|
+
- generic
|
|
2250
|
+
severity: WARNING
|
|
2251
|
+
- id: runsec.infra-k8s-helm.msh-015
|
|
2252
|
+
metadata:
|
|
2253
|
+
runsec_version: v1.0
|
|
2254
|
+
confidence: |-
|
|
2255
|
+
0.9
|
|
2256
|
+
exploit_scenario: |-
|
|
2257
|
+
N/A
|
|
2258
|
+
fix_template: |-
|
|
2259
|
+
Enforce cross-namespace grants.
|
|
2260
|
+
pattern-either:
|
|
2261
|
+
- pattern: |-
|
|
2262
|
+
namespace: team-a route to team-b svc
|
|
2263
|
+
- pattern-regex: 'Vulnerable:\\s*MSH\\-015\\b'
|
|
2264
|
+
message: |-
|
|
2265
|
+
RunSec Detection [MSH-015]: CWE-284
|
|
2266
|
+
languages:
|
|
2267
|
+
- generic
|
|
2268
|
+
severity: WARNING
|
|
2269
|
+
- id: runsec.infra-k8s-helm.cld-001
|
|
2270
|
+
metadata:
|
|
2271
|
+
runsec_version: v1.0
|
|
2272
|
+
confidence: |-
|
|
2273
|
+
0.9
|
|
2274
|
+
exploit_scenario: |-
|
|
2275
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
2276
|
+
fix_template: |-
|
|
2277
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2278
|
+
pattern-either:
|
|
2279
|
+
- pattern: |-
|
|
2280
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
2281
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-001\\b'
|
|
2282
|
+
message: |-
|
|
2283
|
+
RunSec Detection [CLD-001]: CWE-284
|
|
2284
|
+
languages:
|
|
2285
|
+
- generic
|
|
2286
|
+
severity: WARNING
|
|
2287
|
+
- id: runsec.infra-k8s-helm.cld-002
|
|
2288
|
+
metadata:
|
|
2289
|
+
runsec_version: v1.0
|
|
2290
|
+
confidence: |-
|
|
2291
|
+
0.9
|
|
2292
|
+
exploit_scenario: |-
|
|
2293
|
+
Unencrypted object storage exposes data at rest risks.
|
|
2294
|
+
fix_template: |-
|
|
2295
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2296
|
+
pattern-either:
|
|
2297
|
+
- pattern: |-
|
|
2298
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
2299
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-002\\b'
|
|
2300
|
+
message: |-
|
|
2301
|
+
RunSec Detection [CLD-002]: CWE-311
|
|
2302
|
+
languages:
|
|
2303
|
+
- generic
|
|
2304
|
+
severity: WARNING
|
|
2305
|
+
- id: runsec.infra-k8s-helm.cld-003
|
|
2306
|
+
metadata:
|
|
2307
|
+
runsec_version: v1.0
|
|
2308
|
+
confidence: |-
|
|
2309
|
+
0.9
|
|
2310
|
+
exploit_scenario: |-
|
|
2311
|
+
Public blob exposure can leak sensitive tenant data.
|
|
2312
|
+
fix_template: |-
|
|
2313
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2314
|
+
pattern-either:
|
|
2315
|
+
- pattern: |-
|
|
2316
|
+
allow_blob_public_access = true
|
|
2317
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-003\\b'
|
|
2318
|
+
message: |-
|
|
2319
|
+
RunSec Detection [CLD-003]: CWE-200
|
|
2320
|
+
languages:
|
|
2321
|
+
- generic
|
|
2322
|
+
severity: WARNING
|
|
2323
|
+
- id: runsec.infra-k8s-helm.cld-004
|
|
2324
|
+
metadata:
|
|
2325
|
+
runsec_version: v1.0
|
|
2326
|
+
confidence: |-
|
|
2327
|
+
0.9
|
|
2328
|
+
exploit_scenario: |-
|
|
2329
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
2330
|
+
fix_template: |-
|
|
2331
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2332
|
+
pattern-either:
|
|
2333
|
+
- pattern: |-
|
|
2334
|
+
source_ranges = ['0.0.0.0/0']
|
|
2335
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-004\\b'
|
|
2336
|
+
message: |-
|
|
2337
|
+
RunSec Detection [CLD-004]: CWE-732
|
|
2338
|
+
languages:
|
|
2339
|
+
- generic
|
|
2340
|
+
severity: WARNING
|
|
2341
|
+
- id: runsec.infra-k8s-helm.cld-005
|
|
2342
|
+
metadata:
|
|
2343
|
+
runsec_version: v1.0
|
|
2344
|
+
confidence: |-
|
|
2345
|
+
0.9
|
|
2346
|
+
exploit_scenario: |-
|
|
2347
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
2348
|
+
fix_template: |-
|
|
2349
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2350
|
+
pattern-either:
|
|
2351
|
+
- pattern: |-
|
|
2352
|
+
Action: '*'
|
|
2353
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-005\\b'
|
|
2354
|
+
message: |-
|
|
2355
|
+
RunSec Detection [CLD-005]: CWE-250
|
|
2356
|
+
languages:
|
|
2357
|
+
- generic
|
|
2358
|
+
severity: WARNING
|
|
2359
|
+
- id: runsec.infra-k8s-helm.cld-006
|
|
2360
|
+
metadata:
|
|
2361
|
+
runsec_version: v1.0
|
|
2362
|
+
confidence: |-
|
|
2363
|
+
0.9
|
|
2364
|
+
exploit_scenario: |-
|
|
2365
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
2366
|
+
fix_template: |-
|
|
2367
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2368
|
+
pattern-either:
|
|
2369
|
+
- pattern: |-
|
|
2370
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
2371
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-006\\b'
|
|
2372
|
+
message: |-
|
|
2373
|
+
RunSec Detection [CLD-006]: CWE-668
|
|
2374
|
+
languages:
|
|
2375
|
+
- generic
|
|
2376
|
+
severity: WARNING
|
|
2377
|
+
- id: runsec.infra-k8s-helm.cld-007
|
|
2378
|
+
metadata:
|
|
2379
|
+
runsec_version: v1.0
|
|
2380
|
+
confidence: |-
|
|
2381
|
+
0.9
|
|
2382
|
+
exploit_scenario: |-
|
|
2383
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
2384
|
+
fix_template: |-
|
|
2385
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2386
|
+
pattern-either:
|
|
2387
|
+
- pattern: |-
|
|
2388
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
2389
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-007\\b'
|
|
2390
|
+
message: |-
|
|
2391
|
+
RunSec Detection [CLD-007]: CWE-284
|
|
2392
|
+
languages:
|
|
2393
|
+
- generic
|
|
2394
|
+
severity: WARNING
|
|
2395
|
+
- id: runsec.infra-k8s-helm.cld-008
|
|
2396
|
+
metadata:
|
|
2397
|
+
runsec_version: v1.0
|
|
2398
|
+
confidence: |-
|
|
2399
|
+
0.9
|
|
2400
|
+
exploit_scenario: |-
|
|
2401
|
+
Unencrypted object storage exposes data at rest risks.
|
|
2402
|
+
fix_template: |-
|
|
2403
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2404
|
+
pattern-either:
|
|
2405
|
+
- pattern: |-
|
|
2406
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
2407
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-008\\b'
|
|
2408
|
+
message: |-
|
|
2409
|
+
RunSec Detection [CLD-008]: CWE-311
|
|
2410
|
+
languages:
|
|
2411
|
+
- generic
|
|
2412
|
+
severity: WARNING
|
|
2413
|
+
- id: runsec.infra-k8s-helm.cld-009
|
|
2414
|
+
metadata:
|
|
2415
|
+
runsec_version: v1.0
|
|
2416
|
+
confidence: |-
|
|
2417
|
+
0.9
|
|
2418
|
+
exploit_scenario: |-
|
|
2419
|
+
Public blob exposure can leak sensitive tenant data.
|
|
2420
|
+
fix_template: |-
|
|
2421
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2422
|
+
pattern-either:
|
|
2423
|
+
- pattern: |-
|
|
2424
|
+
allow_blob_public_access = true
|
|
2425
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-009\\b'
|
|
2426
|
+
message: |-
|
|
2427
|
+
RunSec Detection [CLD-009]: CWE-200
|
|
2428
|
+
languages:
|
|
2429
|
+
- generic
|
|
2430
|
+
severity: WARNING
|
|
2431
|
+
- id: runsec.infra-k8s-helm.cld-010
|
|
2432
|
+
metadata:
|
|
2433
|
+
runsec_version: v1.0
|
|
2434
|
+
confidence: |-
|
|
2435
|
+
0.9
|
|
2436
|
+
exploit_scenario: |-
|
|
2437
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
2438
|
+
fix_template: |-
|
|
2439
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2440
|
+
pattern-either:
|
|
2441
|
+
- pattern: |-
|
|
2442
|
+
source_ranges = ['0.0.0.0/0']
|
|
2443
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-010\\b'
|
|
2444
|
+
message: |-
|
|
2445
|
+
RunSec Detection [CLD-010]: CWE-732
|
|
2446
|
+
languages:
|
|
2447
|
+
- generic
|
|
2448
|
+
severity: WARNING
|
|
2449
|
+
- id: runsec.infra-k8s-helm.cld-011
|
|
2450
|
+
metadata:
|
|
2451
|
+
runsec_version: v1.0
|
|
2452
|
+
confidence: |-
|
|
2453
|
+
0.9
|
|
2454
|
+
exploit_scenario: |-
|
|
2455
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
2456
|
+
fix_template: |-
|
|
2457
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2458
|
+
pattern-either:
|
|
2459
|
+
- pattern: |-
|
|
2460
|
+
Action: '*'
|
|
2461
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-011\\b'
|
|
2462
|
+
message: |-
|
|
2463
|
+
RunSec Detection [CLD-011]: CWE-250
|
|
2464
|
+
languages:
|
|
2465
|
+
- generic
|
|
2466
|
+
severity: WARNING
|
|
2467
|
+
- id: runsec.infra-k8s-helm.cld-012
|
|
2468
|
+
metadata:
|
|
2469
|
+
runsec_version: v1.0
|
|
2470
|
+
confidence: |-
|
|
2471
|
+
0.9
|
|
2472
|
+
exploit_scenario: |-
|
|
2473
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
2474
|
+
fix_template: |-
|
|
2475
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2476
|
+
pattern-either:
|
|
2477
|
+
- pattern: |-
|
|
2478
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
2479
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-012\\b'
|
|
2480
|
+
message: |-
|
|
2481
|
+
RunSec Detection [CLD-012]: CWE-668
|
|
2482
|
+
languages:
|
|
2483
|
+
- generic
|
|
2484
|
+
severity: WARNING
|
|
2485
|
+
- id: runsec.infra-k8s-helm.cld-013
|
|
2486
|
+
metadata:
|
|
2487
|
+
runsec_version: v1.0
|
|
2488
|
+
confidence: |-
|
|
2489
|
+
0.9
|
|
2490
|
+
exploit_scenario: |-
|
|
2491
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
2492
|
+
fix_template: |-
|
|
2493
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2494
|
+
pattern-either:
|
|
2495
|
+
- pattern: |-
|
|
2496
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
2497
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-013\\b'
|
|
2498
|
+
message: |-
|
|
2499
|
+
RunSec Detection [CLD-013]: CWE-284
|
|
2500
|
+
languages:
|
|
2501
|
+
- generic
|
|
2502
|
+
severity: WARNING
|
|
2503
|
+
- id: runsec.infra-k8s-helm.cld-014
|
|
2504
|
+
metadata:
|
|
2505
|
+
runsec_version: v1.0
|
|
2506
|
+
confidence: |-
|
|
2507
|
+
0.9
|
|
2508
|
+
exploit_scenario: |-
|
|
2509
|
+
Unencrypted object storage exposes data at rest risks.
|
|
2510
|
+
fix_template: |-
|
|
2511
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2512
|
+
pattern-either:
|
|
2513
|
+
- pattern: |-
|
|
2514
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
2515
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-014\\b'
|
|
2516
|
+
message: |-
|
|
2517
|
+
RunSec Detection [CLD-014]: CWE-311
|
|
2518
|
+
languages:
|
|
2519
|
+
- generic
|
|
2520
|
+
severity: WARNING
|
|
2521
|
+
- id: runsec.infra-k8s-helm.cld-015
|
|
2522
|
+
metadata:
|
|
2523
|
+
runsec_version: v1.0
|
|
2524
|
+
confidence: |-
|
|
2525
|
+
0.9
|
|
2526
|
+
exploit_scenario: |-
|
|
2527
|
+
Public blob exposure can leak sensitive tenant data.
|
|
2528
|
+
fix_template: |-
|
|
2529
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2530
|
+
pattern-either:
|
|
2531
|
+
- pattern: |-
|
|
2532
|
+
allow_blob_public_access = true
|
|
2533
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-015\\b'
|
|
2534
|
+
message: |-
|
|
2535
|
+
RunSec Detection [CLD-015]: CWE-200
|
|
2536
|
+
languages:
|
|
2537
|
+
- generic
|
|
2538
|
+
severity: WARNING
|
|
2539
|
+
- id: runsec.infra-k8s-helm.cld-016
|
|
2540
|
+
metadata:
|
|
2541
|
+
runsec_version: v1.0
|
|
2542
|
+
confidence: |-
|
|
2543
|
+
0.9
|
|
2544
|
+
exploit_scenario: |-
|
|
2545
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
2546
|
+
fix_template: |-
|
|
2547
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2548
|
+
pattern-either:
|
|
2549
|
+
- pattern: |-
|
|
2550
|
+
source_ranges = ['0.0.0.0/0']
|
|
2551
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-016\\b'
|
|
2552
|
+
message: |-
|
|
2553
|
+
RunSec Detection [CLD-016]: CWE-732
|
|
2554
|
+
languages:
|
|
2555
|
+
- generic
|
|
2556
|
+
severity: WARNING
|
|
2557
|
+
- id: runsec.infra-k8s-helm.cld-017
|
|
2558
|
+
metadata:
|
|
2559
|
+
runsec_version: v1.0
|
|
2560
|
+
confidence: |-
|
|
2561
|
+
0.9
|
|
2562
|
+
exploit_scenario: |-
|
|
2563
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
2564
|
+
fix_template: |-
|
|
2565
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2566
|
+
pattern-either:
|
|
2567
|
+
- pattern: |-
|
|
2568
|
+
Action: '*'
|
|
2569
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-017\\b'
|
|
2570
|
+
message: |-
|
|
2571
|
+
RunSec Detection [CLD-017]: CWE-250
|
|
2572
|
+
languages:
|
|
2573
|
+
- generic
|
|
2574
|
+
severity: WARNING
|
|
2575
|
+
- id: runsec.infra-k8s-helm.cld-018
|
|
2576
|
+
metadata:
|
|
2577
|
+
runsec_version: v1.0
|
|
2578
|
+
confidence: |-
|
|
2579
|
+
0.9
|
|
2580
|
+
exploit_scenario: |-
|
|
2581
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
2582
|
+
fix_template: |-
|
|
2583
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2584
|
+
pattern-either:
|
|
2585
|
+
- pattern: |-
|
|
2586
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
2587
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-018\\b'
|
|
2588
|
+
message: |-
|
|
2589
|
+
RunSec Detection [CLD-018]: CWE-668
|
|
2590
|
+
languages:
|
|
2591
|
+
- generic
|
|
2592
|
+
severity: WARNING
|
|
2593
|
+
- id: runsec.infra-k8s-helm.cld-019
|
|
2594
|
+
metadata:
|
|
2595
|
+
runsec_version: v1.0
|
|
2596
|
+
confidence: |-
|
|
2597
|
+
0.9
|
|
2598
|
+
exploit_scenario: |-
|
|
2599
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
2600
|
+
fix_template: |-
|
|
2601
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2602
|
+
pattern-either:
|
|
2603
|
+
- pattern: |-
|
|
2604
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
2605
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-019\\b'
|
|
2606
|
+
message: |-
|
|
2607
|
+
RunSec Detection [CLD-019]: CWE-284
|
|
2608
|
+
languages:
|
|
2609
|
+
- generic
|
|
2610
|
+
severity: WARNING
|
|
2611
|
+
- id: runsec.infra-k8s-helm.cld-020
|
|
2612
|
+
metadata:
|
|
2613
|
+
runsec_version: v1.0
|
|
2614
|
+
confidence: |-
|
|
2615
|
+
0.9
|
|
2616
|
+
exploit_scenario: |-
|
|
2617
|
+
Unencrypted object storage exposes data at rest risks.
|
|
2618
|
+
fix_template: |-
|
|
2619
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2620
|
+
pattern-either:
|
|
2621
|
+
- pattern: |-
|
|
2622
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
2623
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-020\\b'
|
|
2624
|
+
message: |-
|
|
2625
|
+
RunSec Detection [CLD-020]: CWE-311
|
|
2626
|
+
languages:
|
|
2627
|
+
- generic
|
|
2628
|
+
severity: WARNING
|
|
2629
|
+
- id: runsec.infra-k8s-helm.cld-021
|
|
2630
|
+
metadata:
|
|
2631
|
+
runsec_version: v1.0
|
|
2632
|
+
confidence: |-
|
|
2633
|
+
0.9
|
|
2634
|
+
exploit_scenario: |-
|
|
2635
|
+
Public blob exposure can leak sensitive tenant data.
|
|
2636
|
+
fix_template: |-
|
|
2637
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2638
|
+
pattern-either:
|
|
2639
|
+
- pattern: |-
|
|
2640
|
+
allow_blob_public_access = true
|
|
2641
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-021\\b'
|
|
2642
|
+
message: |-
|
|
2643
|
+
RunSec Detection [CLD-021]: CWE-200
|
|
2644
|
+
languages:
|
|
2645
|
+
- generic
|
|
2646
|
+
severity: WARNING
|
|
2647
|
+
- id: runsec.infra-k8s-helm.cld-022
|
|
2648
|
+
metadata:
|
|
2649
|
+
runsec_version: v1.0
|
|
2650
|
+
confidence: |-
|
|
2651
|
+
0.9
|
|
2652
|
+
exploit_scenario: |-
|
|
2653
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
2654
|
+
fix_template: |-
|
|
2655
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2656
|
+
pattern-either:
|
|
2657
|
+
- pattern: |-
|
|
2658
|
+
source_ranges = ['0.0.0.0/0']
|
|
2659
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-022\\b'
|
|
2660
|
+
message: |-
|
|
2661
|
+
RunSec Detection [CLD-022]: CWE-732
|
|
2662
|
+
languages:
|
|
2663
|
+
- generic
|
|
2664
|
+
severity: WARNING
|
|
2665
|
+
- id: runsec.infra-k8s-helm.cld-023
|
|
2666
|
+
metadata:
|
|
2667
|
+
runsec_version: v1.0
|
|
2668
|
+
confidence: |-
|
|
2669
|
+
0.9
|
|
2670
|
+
exploit_scenario: |-
|
|
2671
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
2672
|
+
fix_template: |-
|
|
2673
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2674
|
+
pattern-either:
|
|
2675
|
+
- pattern: |-
|
|
2676
|
+
Action: '*'
|
|
2677
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-023\\b'
|
|
2678
|
+
message: |-
|
|
2679
|
+
RunSec Detection [CLD-023]: CWE-250
|
|
2680
|
+
languages:
|
|
2681
|
+
- generic
|
|
2682
|
+
severity: WARNING
|
|
2683
|
+
- id: runsec.infra-k8s-helm.cld-024
|
|
2684
|
+
metadata:
|
|
2685
|
+
runsec_version: v1.0
|
|
2686
|
+
confidence: |-
|
|
2687
|
+
0.9
|
|
2688
|
+
exploit_scenario: |-
|
|
2689
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
2690
|
+
fix_template: |-
|
|
2691
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2692
|
+
pattern-either:
|
|
2693
|
+
- pattern: |-
|
|
2694
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
2695
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-024\\b'
|
|
2696
|
+
message: |-
|
|
2697
|
+
RunSec Detection [CLD-024]: CWE-668
|
|
2698
|
+
languages:
|
|
2699
|
+
- generic
|
|
2700
|
+
severity: WARNING
|
|
2701
|
+
- id: runsec.infra-k8s-helm.cld-025
|
|
2702
|
+
metadata:
|
|
2703
|
+
runsec_version: v1.0
|
|
2704
|
+
confidence: |-
|
|
2705
|
+
0.9
|
|
2706
|
+
exploit_scenario: |-
|
|
2707
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
2708
|
+
fix_template: |-
|
|
2709
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2710
|
+
pattern-either:
|
|
2711
|
+
- pattern: |-
|
|
2712
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
2713
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-025\\b'
|
|
2714
|
+
message: |-
|
|
2715
|
+
RunSec Detection [CLD-025]: CWE-284
|
|
2716
|
+
languages:
|
|
2717
|
+
- generic
|
|
2718
|
+
severity: WARNING
|
|
2719
|
+
- id: runsec.infra-k8s-helm.cld-026
|
|
2720
|
+
metadata:
|
|
2721
|
+
runsec_version: v1.0
|
|
2722
|
+
confidence: |-
|
|
2723
|
+
0.9
|
|
2724
|
+
exploit_scenario: |-
|
|
2725
|
+
Unencrypted object storage exposes data at rest risks.
|
|
2726
|
+
fix_template: |-
|
|
2727
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2728
|
+
pattern-either:
|
|
2729
|
+
- pattern: |-
|
|
2730
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
2731
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-026\\b'
|
|
2732
|
+
message: |-
|
|
2733
|
+
RunSec Detection [CLD-026]: CWE-311
|
|
2734
|
+
languages:
|
|
2735
|
+
- generic
|
|
2736
|
+
severity: WARNING
|
|
2737
|
+
- id: runsec.infra-k8s-helm.cld-027
|
|
2738
|
+
metadata:
|
|
2739
|
+
runsec_version: v1.0
|
|
2740
|
+
confidence: |-
|
|
2741
|
+
0.9
|
|
2742
|
+
exploit_scenario: |-
|
|
2743
|
+
Public blob exposure can leak sensitive tenant data.
|
|
2744
|
+
fix_template: |-
|
|
2745
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2746
|
+
pattern-either:
|
|
2747
|
+
- pattern: |-
|
|
2748
|
+
allow_blob_public_access = true
|
|
2749
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-027\\b'
|
|
2750
|
+
message: |-
|
|
2751
|
+
RunSec Detection [CLD-027]: CWE-200
|
|
2752
|
+
languages:
|
|
2753
|
+
- generic
|
|
2754
|
+
severity: WARNING
|
|
2755
|
+
- id: runsec.infra-k8s-helm.cld-028
|
|
2756
|
+
metadata:
|
|
2757
|
+
runsec_version: v1.0
|
|
2758
|
+
confidence: |-
|
|
2759
|
+
0.9
|
|
2760
|
+
exploit_scenario: |-
|
|
2761
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
2762
|
+
fix_template: |-
|
|
2763
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2764
|
+
pattern-either:
|
|
2765
|
+
- pattern: |-
|
|
2766
|
+
source_ranges = ['0.0.0.0/0']
|
|
2767
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-028\\b'
|
|
2768
|
+
message: |-
|
|
2769
|
+
RunSec Detection [CLD-028]: CWE-732
|
|
2770
|
+
languages:
|
|
2771
|
+
- generic
|
|
2772
|
+
severity: WARNING
|
|
2773
|
+
- id: runsec.infra-k8s-helm.cld-029
|
|
2774
|
+
metadata:
|
|
2775
|
+
runsec_version: v1.0
|
|
2776
|
+
confidence: |-
|
|
2777
|
+
0.9
|
|
2778
|
+
exploit_scenario: |-
|
|
2779
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
2780
|
+
fix_template: |-
|
|
2781
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2782
|
+
pattern-either:
|
|
2783
|
+
- pattern: |-
|
|
2784
|
+
Action: '*'
|
|
2785
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-029\\b'
|
|
2786
|
+
message: |-
|
|
2787
|
+
RunSec Detection [CLD-029]: CWE-250
|
|
2788
|
+
languages:
|
|
2789
|
+
- generic
|
|
2790
|
+
severity: WARNING
|
|
2791
|
+
- id: runsec.infra-k8s-helm.cld-030
|
|
2792
|
+
metadata:
|
|
2793
|
+
runsec_version: v1.0
|
|
2794
|
+
confidence: |-
|
|
2795
|
+
0.9
|
|
2796
|
+
exploit_scenario: |-
|
|
2797
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
2798
|
+
fix_template: |-
|
|
2799
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2800
|
+
pattern-either:
|
|
2801
|
+
- pattern: |-
|
|
2802
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
2803
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-030\\b'
|
|
2804
|
+
message: |-
|
|
2805
|
+
RunSec Detection [CLD-030]: CWE-668
|
|
2806
|
+
languages:
|
|
2807
|
+
- generic
|
|
2808
|
+
severity: WARNING
|
|
2809
|
+
- id: runsec.infra-k8s-helm.cld-031
|
|
2810
|
+
metadata:
|
|
2811
|
+
runsec_version: v1.0
|
|
2812
|
+
confidence: |-
|
|
2813
|
+
0.9
|
|
2814
|
+
exploit_scenario: |-
|
|
2815
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
2816
|
+
fix_template: |-
|
|
2817
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2818
|
+
pattern-either:
|
|
2819
|
+
- pattern: |-
|
|
2820
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
2821
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-031\\b'
|
|
2822
|
+
message: |-
|
|
2823
|
+
RunSec Detection [CLD-031]: CWE-284
|
|
2824
|
+
languages:
|
|
2825
|
+
- generic
|
|
2826
|
+
severity: WARNING
|
|
2827
|
+
- id: runsec.infra-k8s-helm.cld-032
|
|
2828
|
+
metadata:
|
|
2829
|
+
runsec_version: v1.0
|
|
2830
|
+
confidence: |-
|
|
2831
|
+
0.9
|
|
2832
|
+
exploit_scenario: |-
|
|
2833
|
+
Unencrypted object storage exposes data at rest risks.
|
|
2834
|
+
fix_template: |-
|
|
2835
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2836
|
+
pattern-either:
|
|
2837
|
+
- pattern: |-
|
|
2838
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
2839
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-032\\b'
|
|
2840
|
+
message: |-
|
|
2841
|
+
RunSec Detection [CLD-032]: CWE-311
|
|
2842
|
+
languages:
|
|
2843
|
+
- generic
|
|
2844
|
+
severity: WARNING
|
|
2845
|
+
- id: runsec.infra-k8s-helm.cld-033
|
|
2846
|
+
metadata:
|
|
2847
|
+
runsec_version: v1.0
|
|
2848
|
+
confidence: |-
|
|
2849
|
+
0.9
|
|
2850
|
+
exploit_scenario: |-
|
|
2851
|
+
Public blob exposure can leak sensitive tenant data.
|
|
2852
|
+
fix_template: |-
|
|
2853
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2854
|
+
pattern-either:
|
|
2855
|
+
- pattern: |-
|
|
2856
|
+
allow_blob_public_access = true
|
|
2857
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-033\\b'
|
|
2858
|
+
message: |-
|
|
2859
|
+
RunSec Detection [CLD-033]: CWE-200
|
|
2860
|
+
languages:
|
|
2861
|
+
- generic
|
|
2862
|
+
severity: WARNING
|
|
2863
|
+
- id: runsec.infra-k8s-helm.cld-034
|
|
2864
|
+
metadata:
|
|
2865
|
+
runsec_version: v1.0
|
|
2866
|
+
confidence: |-
|
|
2867
|
+
0.9
|
|
2868
|
+
exploit_scenario: |-
|
|
2869
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
2870
|
+
fix_template: |-
|
|
2871
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2872
|
+
pattern-either:
|
|
2873
|
+
- pattern: |-
|
|
2874
|
+
source_ranges = ['0.0.0.0/0']
|
|
2875
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-034\\b'
|
|
2876
|
+
message: |-
|
|
2877
|
+
RunSec Detection [CLD-034]: CWE-732
|
|
2878
|
+
languages:
|
|
2879
|
+
- generic
|
|
2880
|
+
severity: WARNING
|
|
2881
|
+
- id: runsec.infra-k8s-helm.cld-035
|
|
2882
|
+
metadata:
|
|
2883
|
+
runsec_version: v1.0
|
|
2884
|
+
confidence: |-
|
|
2885
|
+
0.9
|
|
2886
|
+
exploit_scenario: |-
|
|
2887
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
2888
|
+
fix_template: |-
|
|
2889
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2890
|
+
pattern-either:
|
|
2891
|
+
- pattern: |-
|
|
2892
|
+
Action: '*'
|
|
2893
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-035\\b'
|
|
2894
|
+
message: |-
|
|
2895
|
+
RunSec Detection [CLD-035]: CWE-250
|
|
2896
|
+
languages:
|
|
2897
|
+
- generic
|
|
2898
|
+
severity: WARNING
|
|
2899
|
+
- id: runsec.infra-k8s-helm.cld-036
|
|
2900
|
+
metadata:
|
|
2901
|
+
runsec_version: v1.0
|
|
2902
|
+
confidence: |-
|
|
2903
|
+
0.9
|
|
2904
|
+
exploit_scenario: |-
|
|
2905
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
2906
|
+
fix_template: |-
|
|
2907
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2908
|
+
pattern-either:
|
|
2909
|
+
- pattern: |-
|
|
2910
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
2911
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-036\\b'
|
|
2912
|
+
message: |-
|
|
2913
|
+
RunSec Detection [CLD-036]: CWE-668
|
|
2914
|
+
languages:
|
|
2915
|
+
- generic
|
|
2916
|
+
severity: WARNING
|
|
2917
|
+
- id: runsec.infra-k8s-helm.cld-037
|
|
2918
|
+
metadata:
|
|
2919
|
+
runsec_version: v1.0
|
|
2920
|
+
confidence: |-
|
|
2921
|
+
0.9
|
|
2922
|
+
exploit_scenario: |-
|
|
2923
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
2924
|
+
fix_template: |-
|
|
2925
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2926
|
+
pattern-either:
|
|
2927
|
+
- pattern: |-
|
|
2928
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
2929
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-037\\b'
|
|
2930
|
+
message: |-
|
|
2931
|
+
RunSec Detection [CLD-037]: CWE-284
|
|
2932
|
+
languages:
|
|
2933
|
+
- generic
|
|
2934
|
+
severity: WARNING
|
|
2935
|
+
- id: runsec.infra-k8s-helm.cld-038
|
|
2936
|
+
metadata:
|
|
2937
|
+
runsec_version: v1.0
|
|
2938
|
+
confidence: |-
|
|
2939
|
+
0.9
|
|
2940
|
+
exploit_scenario: |-
|
|
2941
|
+
Unencrypted object storage exposes data at rest risks.
|
|
2942
|
+
fix_template: |-
|
|
2943
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2944
|
+
pattern-either:
|
|
2945
|
+
- pattern: |-
|
|
2946
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
2947
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-038\\b'
|
|
2948
|
+
message: |-
|
|
2949
|
+
RunSec Detection [CLD-038]: CWE-311
|
|
2950
|
+
languages:
|
|
2951
|
+
- generic
|
|
2952
|
+
severity: WARNING
|
|
2953
|
+
- id: runsec.infra-k8s-helm.cld-039
|
|
2954
|
+
metadata:
|
|
2955
|
+
runsec_version: v1.0
|
|
2956
|
+
confidence: |-
|
|
2957
|
+
0.9
|
|
2958
|
+
exploit_scenario: |-
|
|
2959
|
+
Public blob exposure can leak sensitive tenant data.
|
|
2960
|
+
fix_template: |-
|
|
2961
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2962
|
+
pattern-either:
|
|
2963
|
+
- pattern: |-
|
|
2964
|
+
allow_blob_public_access = true
|
|
2965
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-039\\b'
|
|
2966
|
+
message: |-
|
|
2967
|
+
RunSec Detection [CLD-039]: CWE-200
|
|
2968
|
+
languages:
|
|
2969
|
+
- generic
|
|
2970
|
+
severity: WARNING
|
|
2971
|
+
- id: runsec.infra-k8s-helm.cld-040
|
|
2972
|
+
metadata:
|
|
2973
|
+
runsec_version: v1.0
|
|
2974
|
+
confidence: |-
|
|
2975
|
+
0.9
|
|
2976
|
+
exploit_scenario: |-
|
|
2977
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
2978
|
+
fix_template: |-
|
|
2979
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2980
|
+
pattern-either:
|
|
2981
|
+
- pattern: |-
|
|
2982
|
+
source_ranges = ['0.0.0.0/0']
|
|
2983
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-040\\b'
|
|
2984
|
+
message: |-
|
|
2985
|
+
RunSec Detection [CLD-040]: CWE-732
|
|
2986
|
+
languages:
|
|
2987
|
+
- generic
|
|
2988
|
+
severity: WARNING
|
|
2989
|
+
- id: runsec.infra-k8s-helm.cld-041
|
|
2990
|
+
metadata:
|
|
2991
|
+
runsec_version: v1.0
|
|
2992
|
+
confidence: |-
|
|
2993
|
+
0.9
|
|
2994
|
+
exploit_scenario: |-
|
|
2995
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
2996
|
+
fix_template: |-
|
|
2997
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
2998
|
+
pattern-either:
|
|
2999
|
+
- pattern: |-
|
|
3000
|
+
Action: '*'
|
|
3001
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-041\\b'
|
|
3002
|
+
message: |-
|
|
3003
|
+
RunSec Detection [CLD-041]: CWE-250
|
|
3004
|
+
languages:
|
|
3005
|
+
- generic
|
|
3006
|
+
severity: WARNING
|
|
3007
|
+
- id: runsec.infra-k8s-helm.cld-042
|
|
3008
|
+
metadata:
|
|
3009
|
+
runsec_version: v1.0
|
|
3010
|
+
confidence: |-
|
|
3011
|
+
0.9
|
|
3012
|
+
exploit_scenario: |-
|
|
3013
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
3014
|
+
fix_template: |-
|
|
3015
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3016
|
+
pattern-either:
|
|
3017
|
+
- pattern: |-
|
|
3018
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
3019
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-042\\b'
|
|
3020
|
+
message: |-
|
|
3021
|
+
RunSec Detection [CLD-042]: CWE-668
|
|
3022
|
+
languages:
|
|
3023
|
+
- generic
|
|
3024
|
+
severity: WARNING
|
|
3025
|
+
- id: runsec.infra-k8s-helm.cld-043
|
|
3026
|
+
metadata:
|
|
3027
|
+
runsec_version: v1.0
|
|
3028
|
+
confidence: |-
|
|
3029
|
+
0.9
|
|
3030
|
+
exploit_scenario: |-
|
|
3031
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
3032
|
+
fix_template: |-
|
|
3033
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3034
|
+
pattern-either:
|
|
3035
|
+
- pattern: |-
|
|
3036
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
3037
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-043\\b'
|
|
3038
|
+
message: |-
|
|
3039
|
+
RunSec Detection [CLD-043]: CWE-284
|
|
3040
|
+
languages:
|
|
3041
|
+
- generic
|
|
3042
|
+
severity: WARNING
|
|
3043
|
+
- id: runsec.infra-k8s-helm.cld-044
|
|
3044
|
+
metadata:
|
|
3045
|
+
runsec_version: v1.0
|
|
3046
|
+
confidence: |-
|
|
3047
|
+
0.9
|
|
3048
|
+
exploit_scenario: |-
|
|
3049
|
+
Unencrypted object storage exposes data at rest risks.
|
|
3050
|
+
fix_template: |-
|
|
3051
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3052
|
+
pattern-either:
|
|
3053
|
+
- pattern: |-
|
|
3054
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
3055
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-044\\b'
|
|
3056
|
+
message: |-
|
|
3057
|
+
RunSec Detection [CLD-044]: CWE-311
|
|
3058
|
+
languages:
|
|
3059
|
+
- generic
|
|
3060
|
+
severity: WARNING
|
|
3061
|
+
- id: runsec.infra-k8s-helm.cld-045
|
|
3062
|
+
metadata:
|
|
3063
|
+
runsec_version: v1.0
|
|
3064
|
+
confidence: |-
|
|
3065
|
+
0.9
|
|
3066
|
+
exploit_scenario: |-
|
|
3067
|
+
Public blob exposure can leak sensitive tenant data.
|
|
3068
|
+
fix_template: |-
|
|
3069
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3070
|
+
pattern-either:
|
|
3071
|
+
- pattern: |-
|
|
3072
|
+
allow_blob_public_access = true
|
|
3073
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-045\\b'
|
|
3074
|
+
message: |-
|
|
3075
|
+
RunSec Detection [CLD-045]: CWE-200
|
|
3076
|
+
languages:
|
|
3077
|
+
- generic
|
|
3078
|
+
severity: WARNING
|
|
3079
|
+
- id: runsec.infra-k8s-helm.cld-046
|
|
3080
|
+
metadata:
|
|
3081
|
+
runsec_version: v1.0
|
|
3082
|
+
confidence: |-
|
|
3083
|
+
0.9
|
|
3084
|
+
exploit_scenario: |-
|
|
3085
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
3086
|
+
fix_template: |-
|
|
3087
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3088
|
+
pattern-either:
|
|
3089
|
+
- pattern: |-
|
|
3090
|
+
source_ranges = ['0.0.0.0/0']
|
|
3091
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-046\\b'
|
|
3092
|
+
message: |-
|
|
3093
|
+
RunSec Detection [CLD-046]: CWE-732
|
|
3094
|
+
languages:
|
|
3095
|
+
- generic
|
|
3096
|
+
severity: WARNING
|
|
3097
|
+
- id: runsec.infra-k8s-helm.cld-047
|
|
3098
|
+
metadata:
|
|
3099
|
+
runsec_version: v1.0
|
|
3100
|
+
confidence: |-
|
|
3101
|
+
0.9
|
|
3102
|
+
exploit_scenario: |-
|
|
3103
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
3104
|
+
fix_template: |-
|
|
3105
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3106
|
+
pattern-either:
|
|
3107
|
+
- pattern: |-
|
|
3108
|
+
Action: '*'
|
|
3109
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-047\\b'
|
|
3110
|
+
message: |-
|
|
3111
|
+
RunSec Detection [CLD-047]: CWE-250
|
|
3112
|
+
languages:
|
|
3113
|
+
- generic
|
|
3114
|
+
severity: WARNING
|
|
3115
|
+
- id: runsec.infra-k8s-helm.cld-048
|
|
3116
|
+
metadata:
|
|
3117
|
+
runsec_version: v1.0
|
|
3118
|
+
confidence: |-
|
|
3119
|
+
0.9
|
|
3120
|
+
exploit_scenario: |-
|
|
3121
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
3122
|
+
fix_template: |-
|
|
3123
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3124
|
+
pattern-either:
|
|
3125
|
+
- pattern: |-
|
|
3126
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
3127
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-048\\b'
|
|
3128
|
+
message: |-
|
|
3129
|
+
RunSec Detection [CLD-048]: CWE-668
|
|
3130
|
+
languages:
|
|
3131
|
+
- generic
|
|
3132
|
+
severity: WARNING
|
|
3133
|
+
- id: runsec.infra-k8s-helm.cld-049
|
|
3134
|
+
metadata:
|
|
3135
|
+
runsec_version: v1.0
|
|
3136
|
+
confidence: |-
|
|
3137
|
+
0.9
|
|
3138
|
+
exploit_scenario: |-
|
|
3139
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
3140
|
+
fix_template: |-
|
|
3141
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3142
|
+
pattern-either:
|
|
3143
|
+
- pattern: |-
|
|
3144
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
3145
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-049\\b'
|
|
3146
|
+
message: |-
|
|
3147
|
+
RunSec Detection [CLD-049]: CWE-284
|
|
3148
|
+
languages:
|
|
3149
|
+
- generic
|
|
3150
|
+
severity: WARNING
|
|
3151
|
+
- id: runsec.infra-k8s-helm.cld-050
|
|
3152
|
+
metadata:
|
|
3153
|
+
runsec_version: v1.0
|
|
3154
|
+
confidence: |-
|
|
3155
|
+
0.9
|
|
3156
|
+
exploit_scenario: |-
|
|
3157
|
+
Unencrypted object storage exposes data at rest risks.
|
|
3158
|
+
fix_template: |-
|
|
3159
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3160
|
+
pattern-either:
|
|
3161
|
+
- pattern: |-
|
|
3162
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
3163
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-050\\b'
|
|
3164
|
+
message: |-
|
|
3165
|
+
RunSec Detection [CLD-050]: CWE-311
|
|
3166
|
+
languages:
|
|
3167
|
+
- generic
|
|
3168
|
+
severity: WARNING
|
|
3169
|
+
- id: runsec.infra-k8s-helm.cld-051
|
|
3170
|
+
metadata:
|
|
3171
|
+
runsec_version: v1.0
|
|
3172
|
+
confidence: |-
|
|
3173
|
+
0.9
|
|
3174
|
+
exploit_scenario: |-
|
|
3175
|
+
Public blob exposure can leak sensitive tenant data.
|
|
3176
|
+
fix_template: |-
|
|
3177
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3178
|
+
pattern-either:
|
|
3179
|
+
- pattern: |-
|
|
3180
|
+
allow_blob_public_access = true
|
|
3181
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-051\\b'
|
|
3182
|
+
message: |-
|
|
3183
|
+
RunSec Detection [CLD-051]: CWE-200
|
|
3184
|
+
languages:
|
|
3185
|
+
- generic
|
|
3186
|
+
severity: WARNING
|
|
3187
|
+
- id: runsec.infra-k8s-helm.cld-052
|
|
3188
|
+
metadata:
|
|
3189
|
+
runsec_version: v1.0
|
|
3190
|
+
confidence: |-
|
|
3191
|
+
0.9
|
|
3192
|
+
exploit_scenario: |-
|
|
3193
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
3194
|
+
fix_template: |-
|
|
3195
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3196
|
+
pattern-either:
|
|
3197
|
+
- pattern: |-
|
|
3198
|
+
source_ranges = ['0.0.0.0/0']
|
|
3199
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-052\\b'
|
|
3200
|
+
message: |-
|
|
3201
|
+
RunSec Detection [CLD-052]: CWE-732
|
|
3202
|
+
languages:
|
|
3203
|
+
- generic
|
|
3204
|
+
severity: WARNING
|
|
3205
|
+
- id: runsec.infra-k8s-helm.cld-053
|
|
3206
|
+
metadata:
|
|
3207
|
+
runsec_version: v1.0
|
|
3208
|
+
confidence: |-
|
|
3209
|
+
0.9
|
|
3210
|
+
exploit_scenario: |-
|
|
3211
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
3212
|
+
fix_template: |-
|
|
3213
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3214
|
+
pattern-either:
|
|
3215
|
+
- pattern: |-
|
|
3216
|
+
Action: '*'
|
|
3217
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-053\\b'
|
|
3218
|
+
message: |-
|
|
3219
|
+
RunSec Detection [CLD-053]: CWE-250
|
|
3220
|
+
languages:
|
|
3221
|
+
- generic
|
|
3222
|
+
severity: WARNING
|
|
3223
|
+
- id: runsec.infra-k8s-helm.cld-054
|
|
3224
|
+
metadata:
|
|
3225
|
+
runsec_version: v1.0
|
|
3226
|
+
confidence: |-
|
|
3227
|
+
0.9
|
|
3228
|
+
exploit_scenario: |-
|
|
3229
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
3230
|
+
fix_template: |-
|
|
3231
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3232
|
+
pattern-either:
|
|
3233
|
+
- pattern: |-
|
|
3234
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
3235
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-054\\b'
|
|
3236
|
+
message: |-
|
|
3237
|
+
RunSec Detection [CLD-054]: CWE-668
|
|
3238
|
+
languages:
|
|
3239
|
+
- generic
|
|
3240
|
+
severity: WARNING
|
|
3241
|
+
- id: runsec.infra-k8s-helm.cld-055
|
|
3242
|
+
metadata:
|
|
3243
|
+
runsec_version: v1.0
|
|
3244
|
+
confidence: |-
|
|
3245
|
+
0.9
|
|
3246
|
+
exploit_scenario: |-
|
|
3247
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
3248
|
+
fix_template: |-
|
|
3249
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3250
|
+
pattern-either:
|
|
3251
|
+
- pattern: |-
|
|
3252
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
3253
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-055\\b'
|
|
3254
|
+
message: |-
|
|
3255
|
+
RunSec Detection [CLD-055]: CWE-284
|
|
3256
|
+
languages:
|
|
3257
|
+
- generic
|
|
3258
|
+
severity: WARNING
|
|
3259
|
+
- id: runsec.infra-k8s-helm.cld-056
|
|
3260
|
+
metadata:
|
|
3261
|
+
runsec_version: v1.0
|
|
3262
|
+
confidence: |-
|
|
3263
|
+
0.9
|
|
3264
|
+
exploit_scenario: |-
|
|
3265
|
+
Unencrypted object storage exposes data at rest risks.
|
|
3266
|
+
fix_template: |-
|
|
3267
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3268
|
+
pattern-either:
|
|
3269
|
+
- pattern: |-
|
|
3270
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
3271
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-056\\b'
|
|
3272
|
+
message: |-
|
|
3273
|
+
RunSec Detection [CLD-056]: CWE-311
|
|
3274
|
+
languages:
|
|
3275
|
+
- generic
|
|
3276
|
+
severity: WARNING
|
|
3277
|
+
- id: runsec.infra-k8s-helm.cld-057
|
|
3278
|
+
metadata:
|
|
3279
|
+
runsec_version: v1.0
|
|
3280
|
+
confidence: |-
|
|
3281
|
+
0.9
|
|
3282
|
+
exploit_scenario: |-
|
|
3283
|
+
Public blob exposure can leak sensitive tenant data.
|
|
3284
|
+
fix_template: |-
|
|
3285
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3286
|
+
pattern-either:
|
|
3287
|
+
- pattern: |-
|
|
3288
|
+
allow_blob_public_access = true
|
|
3289
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-057\\b'
|
|
3290
|
+
message: |-
|
|
3291
|
+
RunSec Detection [CLD-057]: CWE-200
|
|
3292
|
+
languages:
|
|
3293
|
+
- generic
|
|
3294
|
+
severity: WARNING
|
|
3295
|
+
- id: runsec.infra-k8s-helm.cld-058
|
|
3296
|
+
metadata:
|
|
3297
|
+
runsec_version: v1.0
|
|
3298
|
+
confidence: |-
|
|
3299
|
+
0.9
|
|
3300
|
+
exploit_scenario: |-
|
|
3301
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
3302
|
+
fix_template: |-
|
|
3303
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3304
|
+
pattern-either:
|
|
3305
|
+
- pattern: |-
|
|
3306
|
+
source_ranges = ['0.0.0.0/0']
|
|
3307
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-058\\b'
|
|
3308
|
+
message: |-
|
|
3309
|
+
RunSec Detection [CLD-058]: CWE-732
|
|
3310
|
+
languages:
|
|
3311
|
+
- generic
|
|
3312
|
+
severity: WARNING
|
|
3313
|
+
- id: runsec.infra-k8s-helm.cld-059
|
|
3314
|
+
metadata:
|
|
3315
|
+
runsec_version: v1.0
|
|
3316
|
+
confidence: |-
|
|
3317
|
+
0.9
|
|
3318
|
+
exploit_scenario: |-
|
|
3319
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
3320
|
+
fix_template: |-
|
|
3321
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3322
|
+
pattern-either:
|
|
3323
|
+
- pattern: |-
|
|
3324
|
+
Action: '*'
|
|
3325
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-059\\b'
|
|
3326
|
+
message: |-
|
|
3327
|
+
RunSec Detection [CLD-059]: CWE-250
|
|
3328
|
+
languages:
|
|
3329
|
+
- generic
|
|
3330
|
+
severity: WARNING
|
|
3331
|
+
- id: runsec.infra-k8s-helm.cld-060
|
|
3332
|
+
metadata:
|
|
3333
|
+
runsec_version: v1.0
|
|
3334
|
+
confidence: |-
|
|
3335
|
+
0.9
|
|
3336
|
+
exploit_scenario: |-
|
|
3337
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
3338
|
+
fix_template: |-
|
|
3339
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3340
|
+
pattern-either:
|
|
3341
|
+
- pattern: |-
|
|
3342
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
3343
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-060\\b'
|
|
3344
|
+
message: |-
|
|
3345
|
+
RunSec Detection [CLD-060]: CWE-668
|
|
3346
|
+
languages:
|
|
3347
|
+
- generic
|
|
3348
|
+
severity: WARNING
|
|
3349
|
+
- id: runsec.infra-k8s-helm.cld-061
|
|
3350
|
+
metadata:
|
|
3351
|
+
runsec_version: v1.0
|
|
3352
|
+
confidence: |-
|
|
3353
|
+
0.9
|
|
3354
|
+
exploit_scenario: |-
|
|
3355
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
3356
|
+
fix_template: |-
|
|
3357
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3358
|
+
pattern-either:
|
|
3359
|
+
- pattern: |-
|
|
3360
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
3361
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-061\\b'
|
|
3362
|
+
message: |-
|
|
3363
|
+
RunSec Detection [CLD-061]: CWE-284
|
|
3364
|
+
languages:
|
|
3365
|
+
- generic
|
|
3366
|
+
severity: WARNING
|
|
3367
|
+
- id: runsec.infra-k8s-helm.cld-062
|
|
3368
|
+
metadata:
|
|
3369
|
+
runsec_version: v1.0
|
|
3370
|
+
confidence: |-
|
|
3371
|
+
0.9
|
|
3372
|
+
exploit_scenario: |-
|
|
3373
|
+
Unencrypted object storage exposes data at rest risks.
|
|
3374
|
+
fix_template: |-
|
|
3375
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3376
|
+
pattern-either:
|
|
3377
|
+
- pattern: |-
|
|
3378
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
3379
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-062\\b'
|
|
3380
|
+
message: |-
|
|
3381
|
+
RunSec Detection [CLD-062]: CWE-311
|
|
3382
|
+
languages:
|
|
3383
|
+
- generic
|
|
3384
|
+
severity: WARNING
|
|
3385
|
+
- id: runsec.infra-k8s-helm.cld-063
|
|
3386
|
+
metadata:
|
|
3387
|
+
runsec_version: v1.0
|
|
3388
|
+
confidence: |-
|
|
3389
|
+
0.9
|
|
3390
|
+
exploit_scenario: |-
|
|
3391
|
+
Public blob exposure can leak sensitive tenant data.
|
|
3392
|
+
fix_template: |-
|
|
3393
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3394
|
+
pattern-either:
|
|
3395
|
+
- pattern: |-
|
|
3396
|
+
allow_blob_public_access = true
|
|
3397
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-063\\b'
|
|
3398
|
+
message: |-
|
|
3399
|
+
RunSec Detection [CLD-063]: CWE-200
|
|
3400
|
+
languages:
|
|
3401
|
+
- generic
|
|
3402
|
+
severity: WARNING
|
|
3403
|
+
- id: runsec.infra-k8s-helm.cld-064
|
|
3404
|
+
metadata:
|
|
3405
|
+
runsec_version: v1.0
|
|
3406
|
+
confidence: |-
|
|
3407
|
+
0.9
|
|
3408
|
+
exploit_scenario: |-
|
|
3409
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
3410
|
+
fix_template: |-
|
|
3411
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3412
|
+
pattern-either:
|
|
3413
|
+
- pattern: |-
|
|
3414
|
+
source_ranges = ['0.0.0.0/0']
|
|
3415
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-064\\b'
|
|
3416
|
+
message: |-
|
|
3417
|
+
RunSec Detection [CLD-064]: CWE-732
|
|
3418
|
+
languages:
|
|
3419
|
+
- generic
|
|
3420
|
+
severity: WARNING
|
|
3421
|
+
- id: runsec.infra-k8s-helm.cld-065
|
|
3422
|
+
metadata:
|
|
3423
|
+
runsec_version: v1.0
|
|
3424
|
+
confidence: |-
|
|
3425
|
+
0.9
|
|
3426
|
+
exploit_scenario: |-
|
|
3427
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
3428
|
+
fix_template: |-
|
|
3429
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3430
|
+
pattern-either:
|
|
3431
|
+
- pattern: |-
|
|
3432
|
+
Action: '*'
|
|
3433
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-065\\b'
|
|
3434
|
+
message: |-
|
|
3435
|
+
RunSec Detection [CLD-065]: CWE-250
|
|
3436
|
+
languages:
|
|
3437
|
+
- generic
|
|
3438
|
+
severity: WARNING
|
|
3439
|
+
- id: runsec.infra-k8s-helm.cld-066
|
|
3440
|
+
metadata:
|
|
3441
|
+
runsec_version: v1.0
|
|
3442
|
+
confidence: |-
|
|
3443
|
+
0.9
|
|
3444
|
+
exploit_scenario: |-
|
|
3445
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
3446
|
+
fix_template: |-
|
|
3447
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3448
|
+
pattern-either:
|
|
3449
|
+
- pattern: |-
|
|
3450
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
3451
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-066\\b'
|
|
3452
|
+
message: |-
|
|
3453
|
+
RunSec Detection [CLD-066]: CWE-668
|
|
3454
|
+
languages:
|
|
3455
|
+
- generic
|
|
3456
|
+
severity: WARNING
|
|
3457
|
+
- id: runsec.infra-k8s-helm.cld-067
|
|
3458
|
+
metadata:
|
|
3459
|
+
runsec_version: v1.0
|
|
3460
|
+
confidence: |-
|
|
3461
|
+
0.9
|
|
3462
|
+
exploit_scenario: |-
|
|
3463
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
3464
|
+
fix_template: |-
|
|
3465
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3466
|
+
pattern-either:
|
|
3467
|
+
- pattern: |-
|
|
3468
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
3469
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-067\\b'
|
|
3470
|
+
message: |-
|
|
3471
|
+
RunSec Detection [CLD-067]: CWE-284
|
|
3472
|
+
languages:
|
|
3473
|
+
- generic
|
|
3474
|
+
severity: WARNING
|
|
3475
|
+
- id: runsec.infra-k8s-helm.cld-068
|
|
3476
|
+
metadata:
|
|
3477
|
+
runsec_version: v1.0
|
|
3478
|
+
confidence: |-
|
|
3479
|
+
0.9
|
|
3480
|
+
exploit_scenario: |-
|
|
3481
|
+
Unencrypted object storage exposes data at rest risks.
|
|
3482
|
+
fix_template: |-
|
|
3483
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3484
|
+
pattern-either:
|
|
3485
|
+
- pattern: |-
|
|
3486
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
3487
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-068\\b'
|
|
3488
|
+
message: |-
|
|
3489
|
+
RunSec Detection [CLD-068]: CWE-311
|
|
3490
|
+
languages:
|
|
3491
|
+
- generic
|
|
3492
|
+
severity: WARNING
|
|
3493
|
+
- id: runsec.infra-k8s-helm.cld-069
|
|
3494
|
+
metadata:
|
|
3495
|
+
runsec_version: v1.0
|
|
3496
|
+
confidence: |-
|
|
3497
|
+
0.9
|
|
3498
|
+
exploit_scenario: |-
|
|
3499
|
+
Public blob exposure can leak sensitive tenant data.
|
|
3500
|
+
fix_template: |-
|
|
3501
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3502
|
+
pattern-either:
|
|
3503
|
+
- pattern: |-
|
|
3504
|
+
allow_blob_public_access = true
|
|
3505
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-069\\b'
|
|
3506
|
+
message: |-
|
|
3507
|
+
RunSec Detection [CLD-069]: CWE-200
|
|
3508
|
+
languages:
|
|
3509
|
+
- generic
|
|
3510
|
+
severity: WARNING
|
|
3511
|
+
- id: runsec.infra-k8s-helm.cld-070
|
|
3512
|
+
metadata:
|
|
3513
|
+
runsec_version: v1.0
|
|
3514
|
+
confidence: |-
|
|
3515
|
+
0.9
|
|
3516
|
+
exploit_scenario: |-
|
|
3517
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
3518
|
+
fix_template: |-
|
|
3519
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3520
|
+
pattern-either:
|
|
3521
|
+
- pattern: |-
|
|
3522
|
+
source_ranges = ['0.0.0.0/0']
|
|
3523
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-070\\b'
|
|
3524
|
+
message: |-
|
|
3525
|
+
RunSec Detection [CLD-070]: CWE-732
|
|
3526
|
+
languages:
|
|
3527
|
+
- generic
|
|
3528
|
+
severity: WARNING
|
|
3529
|
+
- id: runsec.infra-k8s-helm.cld-071
|
|
3530
|
+
metadata:
|
|
3531
|
+
runsec_version: v1.0
|
|
3532
|
+
confidence: |-
|
|
3533
|
+
0.9
|
|
3534
|
+
exploit_scenario: |-
|
|
3535
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
3536
|
+
fix_template: |-
|
|
3537
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3538
|
+
pattern-either:
|
|
3539
|
+
- pattern: |-
|
|
3540
|
+
Action: '*'
|
|
3541
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-071\\b'
|
|
3542
|
+
message: |-
|
|
3543
|
+
RunSec Detection [CLD-071]: CWE-250
|
|
3544
|
+
languages:
|
|
3545
|
+
- generic
|
|
3546
|
+
severity: WARNING
|
|
3547
|
+
- id: runsec.infra-k8s-helm.cld-072
|
|
3548
|
+
metadata:
|
|
3549
|
+
runsec_version: v1.0
|
|
3550
|
+
confidence: |-
|
|
3551
|
+
0.9
|
|
3552
|
+
exploit_scenario: |-
|
|
3553
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
3554
|
+
fix_template: |-
|
|
3555
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3556
|
+
pattern-either:
|
|
3557
|
+
- pattern: |-
|
|
3558
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
3559
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-072\\b'
|
|
3560
|
+
message: |-
|
|
3561
|
+
RunSec Detection [CLD-072]: CWE-668
|
|
3562
|
+
languages:
|
|
3563
|
+
- generic
|
|
3564
|
+
severity: WARNING
|
|
3565
|
+
- id: runsec.infra-k8s-helm.cld-073
|
|
3566
|
+
metadata:
|
|
3567
|
+
runsec_version: v1.0
|
|
3568
|
+
confidence: |-
|
|
3569
|
+
0.9
|
|
3570
|
+
exploit_scenario: |-
|
|
3571
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
3572
|
+
fix_template: |-
|
|
3573
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3574
|
+
pattern-either:
|
|
3575
|
+
- pattern: |-
|
|
3576
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
3577
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-073\\b'
|
|
3578
|
+
message: |-
|
|
3579
|
+
RunSec Detection [CLD-073]: CWE-284
|
|
3580
|
+
languages:
|
|
3581
|
+
- generic
|
|
3582
|
+
severity: WARNING
|
|
3583
|
+
- id: runsec.infra-k8s-helm.cld-074
|
|
3584
|
+
metadata:
|
|
3585
|
+
runsec_version: v1.0
|
|
3586
|
+
confidence: |-
|
|
3587
|
+
0.9
|
|
3588
|
+
exploit_scenario: |-
|
|
3589
|
+
Unencrypted object storage exposes data at rest risks.
|
|
3590
|
+
fix_template: |-
|
|
3591
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3592
|
+
pattern-either:
|
|
3593
|
+
- pattern: |-
|
|
3594
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
3595
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-074\\b'
|
|
3596
|
+
message: |-
|
|
3597
|
+
RunSec Detection [CLD-074]: CWE-311
|
|
3598
|
+
languages:
|
|
3599
|
+
- generic
|
|
3600
|
+
severity: WARNING
|
|
3601
|
+
- id: runsec.infra-k8s-helm.cld-075
|
|
3602
|
+
metadata:
|
|
3603
|
+
runsec_version: v1.0
|
|
3604
|
+
confidence: |-
|
|
3605
|
+
0.9
|
|
3606
|
+
exploit_scenario: |-
|
|
3607
|
+
Public blob exposure can leak sensitive tenant data.
|
|
3608
|
+
fix_template: |-
|
|
3609
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3610
|
+
pattern-either:
|
|
3611
|
+
- pattern: |-
|
|
3612
|
+
allow_blob_public_access = true
|
|
3613
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-075\\b'
|
|
3614
|
+
message: |-
|
|
3615
|
+
RunSec Detection [CLD-075]: CWE-200
|
|
3616
|
+
languages:
|
|
3617
|
+
- generic
|
|
3618
|
+
severity: WARNING
|
|
3619
|
+
- id: runsec.infra-k8s-helm.cld-076
|
|
3620
|
+
metadata:
|
|
3621
|
+
runsec_version: v1.0
|
|
3622
|
+
confidence: |-
|
|
3623
|
+
0.9
|
|
3624
|
+
exploit_scenario: |-
|
|
3625
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
3626
|
+
fix_template: |-
|
|
3627
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3628
|
+
pattern-either:
|
|
3629
|
+
- pattern: |-
|
|
3630
|
+
source_ranges = ['0.0.0.0/0']
|
|
3631
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-076\\b'
|
|
3632
|
+
message: |-
|
|
3633
|
+
RunSec Detection [CLD-076]: CWE-732
|
|
3634
|
+
languages:
|
|
3635
|
+
- generic
|
|
3636
|
+
severity: WARNING
|
|
3637
|
+
- id: runsec.infra-k8s-helm.cld-077
|
|
3638
|
+
metadata:
|
|
3639
|
+
runsec_version: v1.0
|
|
3640
|
+
confidence: |-
|
|
3641
|
+
0.9
|
|
3642
|
+
exploit_scenario: |-
|
|
3643
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
3644
|
+
fix_template: |-
|
|
3645
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3646
|
+
pattern-either:
|
|
3647
|
+
- pattern: |-
|
|
3648
|
+
Action: '*'
|
|
3649
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-077\\b'
|
|
3650
|
+
message: |-
|
|
3651
|
+
RunSec Detection [CLD-077]: CWE-250
|
|
3652
|
+
languages:
|
|
3653
|
+
- generic
|
|
3654
|
+
severity: WARNING
|
|
3655
|
+
- id: runsec.infra-k8s-helm.cld-078
|
|
3656
|
+
metadata:
|
|
3657
|
+
runsec_version: v1.0
|
|
3658
|
+
confidence: |-
|
|
3659
|
+
0.9
|
|
3660
|
+
exploit_scenario: |-
|
|
3661
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
3662
|
+
fix_template: |-
|
|
3663
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3664
|
+
pattern-either:
|
|
3665
|
+
- pattern: |-
|
|
3666
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
3667
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-078\\b'
|
|
3668
|
+
message: |-
|
|
3669
|
+
RunSec Detection [CLD-078]: CWE-668
|
|
3670
|
+
languages:
|
|
3671
|
+
- generic
|
|
3672
|
+
severity: WARNING
|
|
3673
|
+
- id: runsec.infra-k8s-helm.cld-079
|
|
3674
|
+
metadata:
|
|
3675
|
+
runsec_version: v1.0
|
|
3676
|
+
confidence: |-
|
|
3677
|
+
0.9
|
|
3678
|
+
exploit_scenario: |-
|
|
3679
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
3680
|
+
fix_template: |-
|
|
3681
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3682
|
+
pattern-either:
|
|
3683
|
+
- pattern: |-
|
|
3684
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
3685
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-079\\b'
|
|
3686
|
+
message: |-
|
|
3687
|
+
RunSec Detection [CLD-079]: CWE-284
|
|
3688
|
+
languages:
|
|
3689
|
+
- generic
|
|
3690
|
+
severity: WARNING
|
|
3691
|
+
- id: runsec.infra-k8s-helm.cld-080
|
|
3692
|
+
metadata:
|
|
3693
|
+
runsec_version: v1.0
|
|
3694
|
+
confidence: |-
|
|
3695
|
+
0.9
|
|
3696
|
+
exploit_scenario: |-
|
|
3697
|
+
Unencrypted object storage exposes data at rest risks.
|
|
3698
|
+
fix_template: |-
|
|
3699
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3700
|
+
pattern-either:
|
|
3701
|
+
- pattern: |-
|
|
3702
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
3703
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-080\\b'
|
|
3704
|
+
message: |-
|
|
3705
|
+
RunSec Detection [CLD-080]: CWE-311
|
|
3706
|
+
languages:
|
|
3707
|
+
- generic
|
|
3708
|
+
severity: WARNING
|
|
3709
|
+
- id: runsec.infra-k8s-helm.cld-081
|
|
3710
|
+
metadata:
|
|
3711
|
+
runsec_version: v1.0
|
|
3712
|
+
confidence: |-
|
|
3713
|
+
0.9
|
|
3714
|
+
exploit_scenario: |-
|
|
3715
|
+
Public blob exposure can leak sensitive tenant data.
|
|
3716
|
+
fix_template: |-
|
|
3717
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3718
|
+
pattern-either:
|
|
3719
|
+
- pattern: |-
|
|
3720
|
+
allow_blob_public_access = true
|
|
3721
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-081\\b'
|
|
3722
|
+
message: |-
|
|
3723
|
+
RunSec Detection [CLD-081]: CWE-200
|
|
3724
|
+
languages:
|
|
3725
|
+
- generic
|
|
3726
|
+
severity: WARNING
|
|
3727
|
+
- id: runsec.infra-k8s-helm.cld-082
|
|
3728
|
+
metadata:
|
|
3729
|
+
runsec_version: v1.0
|
|
3730
|
+
confidence: |-
|
|
3731
|
+
0.9
|
|
3732
|
+
exploit_scenario: |-
|
|
3733
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
3734
|
+
fix_template: |-
|
|
3735
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3736
|
+
pattern-either:
|
|
3737
|
+
- pattern: |-
|
|
3738
|
+
source_ranges = ['0.0.0.0/0']
|
|
3739
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-082\\b'
|
|
3740
|
+
message: |-
|
|
3741
|
+
RunSec Detection [CLD-082]: CWE-732
|
|
3742
|
+
languages:
|
|
3743
|
+
- generic
|
|
3744
|
+
severity: WARNING
|
|
3745
|
+
- id: runsec.infra-k8s-helm.cld-083
|
|
3746
|
+
metadata:
|
|
3747
|
+
runsec_version: v1.0
|
|
3748
|
+
confidence: |-
|
|
3749
|
+
0.9
|
|
3750
|
+
exploit_scenario: |-
|
|
3751
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
3752
|
+
fix_template: |-
|
|
3753
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3754
|
+
pattern-either:
|
|
3755
|
+
- pattern: |-
|
|
3756
|
+
Action: '*'
|
|
3757
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-083\\b'
|
|
3758
|
+
message: |-
|
|
3759
|
+
RunSec Detection [CLD-083]: CWE-250
|
|
3760
|
+
languages:
|
|
3761
|
+
- generic
|
|
3762
|
+
severity: WARNING
|
|
3763
|
+
- id: runsec.infra-k8s-helm.cld-084
|
|
3764
|
+
metadata:
|
|
3765
|
+
runsec_version: v1.0
|
|
3766
|
+
confidence: |-
|
|
3767
|
+
0.9
|
|
3768
|
+
exploit_scenario: |-
|
|
3769
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
3770
|
+
fix_template: |-
|
|
3771
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3772
|
+
pattern-either:
|
|
3773
|
+
- pattern: |-
|
|
3774
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
3775
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-084\\b'
|
|
3776
|
+
message: |-
|
|
3777
|
+
RunSec Detection [CLD-084]: CWE-668
|
|
3778
|
+
languages:
|
|
3779
|
+
- generic
|
|
3780
|
+
severity: WARNING
|
|
3781
|
+
- id: runsec.infra-k8s-helm.cld-085
|
|
3782
|
+
metadata:
|
|
3783
|
+
runsec_version: v1.0
|
|
3784
|
+
confidence: |-
|
|
3785
|
+
0.9
|
|
3786
|
+
exploit_scenario: |-
|
|
3787
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
3788
|
+
fix_template: |-
|
|
3789
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3790
|
+
pattern-either:
|
|
3791
|
+
- pattern: |-
|
|
3792
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
3793
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-085\\b'
|
|
3794
|
+
message: |-
|
|
3795
|
+
RunSec Detection [CLD-085]: CWE-284
|
|
3796
|
+
languages:
|
|
3797
|
+
- generic
|
|
3798
|
+
severity: WARNING
|
|
3799
|
+
- id: runsec.infra-k8s-helm.cld-086
|
|
3800
|
+
metadata:
|
|
3801
|
+
runsec_version: v1.0
|
|
3802
|
+
confidence: |-
|
|
3803
|
+
0.9
|
|
3804
|
+
exploit_scenario: |-
|
|
3805
|
+
Unencrypted object storage exposes data at rest risks.
|
|
3806
|
+
fix_template: |-
|
|
3807
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3808
|
+
pattern-either:
|
|
3809
|
+
- pattern: |-
|
|
3810
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
3811
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-086\\b'
|
|
3812
|
+
message: |-
|
|
3813
|
+
RunSec Detection [CLD-086]: CWE-311
|
|
3814
|
+
languages:
|
|
3815
|
+
- generic
|
|
3816
|
+
severity: WARNING
|
|
3817
|
+
- id: runsec.infra-k8s-helm.cld-087
|
|
3818
|
+
metadata:
|
|
3819
|
+
runsec_version: v1.0
|
|
3820
|
+
confidence: |-
|
|
3821
|
+
0.9
|
|
3822
|
+
exploit_scenario: |-
|
|
3823
|
+
Public blob exposure can leak sensitive tenant data.
|
|
3824
|
+
fix_template: |-
|
|
3825
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3826
|
+
pattern-either:
|
|
3827
|
+
- pattern: |-
|
|
3828
|
+
allow_blob_public_access = true
|
|
3829
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-087\\b'
|
|
3830
|
+
message: |-
|
|
3831
|
+
RunSec Detection [CLD-087]: CWE-200
|
|
3832
|
+
languages:
|
|
3833
|
+
- generic
|
|
3834
|
+
severity: WARNING
|
|
3835
|
+
- id: runsec.infra-k8s-helm.cld-088
|
|
3836
|
+
metadata:
|
|
3837
|
+
runsec_version: v1.0
|
|
3838
|
+
confidence: |-
|
|
3839
|
+
0.9
|
|
3840
|
+
exploit_scenario: |-
|
|
3841
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
3842
|
+
fix_template: |-
|
|
3843
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3844
|
+
pattern-either:
|
|
3845
|
+
- pattern: |-
|
|
3846
|
+
source_ranges = ['0.0.0.0/0']
|
|
3847
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-088\\b'
|
|
3848
|
+
message: |-
|
|
3849
|
+
RunSec Detection [CLD-088]: CWE-732
|
|
3850
|
+
languages:
|
|
3851
|
+
- generic
|
|
3852
|
+
severity: WARNING
|
|
3853
|
+
- id: runsec.infra-k8s-helm.cld-089
|
|
3854
|
+
metadata:
|
|
3855
|
+
runsec_version: v1.0
|
|
3856
|
+
confidence: |-
|
|
3857
|
+
0.9
|
|
3858
|
+
exploit_scenario: |-
|
|
3859
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
3860
|
+
fix_template: |-
|
|
3861
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3862
|
+
pattern-either:
|
|
3863
|
+
- pattern: |-
|
|
3864
|
+
Action: '*'
|
|
3865
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-089\\b'
|
|
3866
|
+
message: |-
|
|
3867
|
+
RunSec Detection [CLD-089]: CWE-250
|
|
3868
|
+
languages:
|
|
3869
|
+
- generic
|
|
3870
|
+
severity: WARNING
|
|
3871
|
+
- id: runsec.infra-k8s-helm.cld-090
|
|
3872
|
+
metadata:
|
|
3873
|
+
runsec_version: v1.0
|
|
3874
|
+
confidence: |-
|
|
3875
|
+
0.9
|
|
3876
|
+
exploit_scenario: |-
|
|
3877
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
3878
|
+
fix_template: |-
|
|
3879
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3880
|
+
pattern-either:
|
|
3881
|
+
- pattern: |-
|
|
3882
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
3883
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-090\\b'
|
|
3884
|
+
message: |-
|
|
3885
|
+
RunSec Detection [CLD-090]: CWE-668
|
|
3886
|
+
languages:
|
|
3887
|
+
- generic
|
|
3888
|
+
severity: WARNING
|
|
3889
|
+
- id: runsec.infra-k8s-helm.cld-091
|
|
3890
|
+
metadata:
|
|
3891
|
+
runsec_version: v1.0
|
|
3892
|
+
confidence: |-
|
|
3893
|
+
0.9
|
|
3894
|
+
exploit_scenario: |-
|
|
3895
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
3896
|
+
fix_template: |-
|
|
3897
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3898
|
+
pattern-either:
|
|
3899
|
+
- pattern: |-
|
|
3900
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
3901
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-091\\b'
|
|
3902
|
+
message: |-
|
|
3903
|
+
RunSec Detection [CLD-091]: CWE-284
|
|
3904
|
+
languages:
|
|
3905
|
+
- generic
|
|
3906
|
+
severity: WARNING
|
|
3907
|
+
- id: runsec.infra-k8s-helm.cld-092
|
|
3908
|
+
metadata:
|
|
3909
|
+
runsec_version: v1.0
|
|
3910
|
+
confidence: |-
|
|
3911
|
+
0.9
|
|
3912
|
+
exploit_scenario: |-
|
|
3913
|
+
Unencrypted object storage exposes data at rest risks.
|
|
3914
|
+
fix_template: |-
|
|
3915
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3916
|
+
pattern-either:
|
|
3917
|
+
- pattern: |-
|
|
3918
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
3919
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-092\\b'
|
|
3920
|
+
message: |-
|
|
3921
|
+
RunSec Detection [CLD-092]: CWE-311
|
|
3922
|
+
languages:
|
|
3923
|
+
- generic
|
|
3924
|
+
severity: WARNING
|
|
3925
|
+
- id: runsec.infra-k8s-helm.cld-093
|
|
3926
|
+
metadata:
|
|
3927
|
+
runsec_version: v1.0
|
|
3928
|
+
confidence: |-
|
|
3929
|
+
0.9
|
|
3930
|
+
exploit_scenario: |-
|
|
3931
|
+
Public blob exposure can leak sensitive tenant data.
|
|
3932
|
+
fix_template: |-
|
|
3933
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3934
|
+
pattern-either:
|
|
3935
|
+
- pattern: |-
|
|
3936
|
+
allow_blob_public_access = true
|
|
3937
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-093\\b'
|
|
3938
|
+
message: |-
|
|
3939
|
+
RunSec Detection [CLD-093]: CWE-200
|
|
3940
|
+
languages:
|
|
3941
|
+
- generic
|
|
3942
|
+
severity: WARNING
|
|
3943
|
+
- id: runsec.infra-k8s-helm.cld-094
|
|
3944
|
+
metadata:
|
|
3945
|
+
runsec_version: v1.0
|
|
3946
|
+
confidence: |-
|
|
3947
|
+
0.9
|
|
3948
|
+
exploit_scenario: |-
|
|
3949
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
3950
|
+
fix_template: |-
|
|
3951
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3952
|
+
pattern-either:
|
|
3953
|
+
- pattern: |-
|
|
3954
|
+
source_ranges = ['0.0.0.0/0']
|
|
3955
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-094\\b'
|
|
3956
|
+
message: |-
|
|
3957
|
+
RunSec Detection [CLD-094]: CWE-732
|
|
3958
|
+
languages:
|
|
3959
|
+
- generic
|
|
3960
|
+
severity: WARNING
|
|
3961
|
+
- id: runsec.infra-k8s-helm.cld-095
|
|
3962
|
+
metadata:
|
|
3963
|
+
runsec_version: v1.0
|
|
3964
|
+
confidence: |-
|
|
3965
|
+
0.9
|
|
3966
|
+
exploit_scenario: |-
|
|
3967
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
3968
|
+
fix_template: |-
|
|
3969
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3970
|
+
pattern-either:
|
|
3971
|
+
- pattern: |-
|
|
3972
|
+
Action: '*'
|
|
3973
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-095\\b'
|
|
3974
|
+
message: |-
|
|
3975
|
+
RunSec Detection [CLD-095]: CWE-250
|
|
3976
|
+
languages:
|
|
3977
|
+
- generic
|
|
3978
|
+
severity: WARNING
|
|
3979
|
+
- id: runsec.infra-k8s-helm.cld-096
|
|
3980
|
+
metadata:
|
|
3981
|
+
runsec_version: v1.0
|
|
3982
|
+
confidence: |-
|
|
3983
|
+
0.9
|
|
3984
|
+
exploit_scenario: |-
|
|
3985
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
3986
|
+
fix_template: |-
|
|
3987
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
3988
|
+
pattern-either:
|
|
3989
|
+
- pattern: |-
|
|
3990
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
3991
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-096\\b'
|
|
3992
|
+
message: |-
|
|
3993
|
+
RunSec Detection [CLD-096]: CWE-668
|
|
3994
|
+
languages:
|
|
3995
|
+
- generic
|
|
3996
|
+
severity: WARNING
|
|
3997
|
+
- id: runsec.infra-k8s-helm.cld-097
|
|
3998
|
+
metadata:
|
|
3999
|
+
runsec_version: v1.0
|
|
4000
|
+
confidence: |-
|
|
4001
|
+
0.9
|
|
4002
|
+
exploit_scenario: |-
|
|
4003
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
4004
|
+
fix_template: |-
|
|
4005
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4006
|
+
pattern-either:
|
|
4007
|
+
- pattern: |-
|
|
4008
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
4009
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-097\\b'
|
|
4010
|
+
message: |-
|
|
4011
|
+
RunSec Detection [CLD-097]: CWE-284
|
|
4012
|
+
languages:
|
|
4013
|
+
- generic
|
|
4014
|
+
severity: WARNING
|
|
4015
|
+
- id: runsec.infra-k8s-helm.cld-098
|
|
4016
|
+
metadata:
|
|
4017
|
+
runsec_version: v1.0
|
|
4018
|
+
confidence: |-
|
|
4019
|
+
0.9
|
|
4020
|
+
exploit_scenario: |-
|
|
4021
|
+
Unencrypted object storage exposes data at rest risks.
|
|
4022
|
+
fix_template: |-
|
|
4023
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4024
|
+
pattern-either:
|
|
4025
|
+
- pattern: |-
|
|
4026
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
4027
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-098\\b'
|
|
4028
|
+
message: |-
|
|
4029
|
+
RunSec Detection [CLD-098]: CWE-311
|
|
4030
|
+
languages:
|
|
4031
|
+
- generic
|
|
4032
|
+
severity: WARNING
|
|
4033
|
+
- id: runsec.infra-k8s-helm.cld-099
|
|
4034
|
+
metadata:
|
|
4035
|
+
runsec_version: v1.0
|
|
4036
|
+
confidence: |-
|
|
4037
|
+
0.9
|
|
4038
|
+
exploit_scenario: |-
|
|
4039
|
+
Public blob exposure can leak sensitive tenant data.
|
|
4040
|
+
fix_template: |-
|
|
4041
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4042
|
+
pattern-either:
|
|
4043
|
+
- pattern: |-
|
|
4044
|
+
allow_blob_public_access = true
|
|
4045
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-099\\b'
|
|
4046
|
+
message: |-
|
|
4047
|
+
RunSec Detection [CLD-099]: CWE-200
|
|
4048
|
+
languages:
|
|
4049
|
+
- generic
|
|
4050
|
+
severity: WARNING
|
|
4051
|
+
- id: runsec.infra-k8s-helm.cld-100
|
|
4052
|
+
metadata:
|
|
4053
|
+
runsec_version: v1.0
|
|
4054
|
+
confidence: |-
|
|
4055
|
+
0.9
|
|
4056
|
+
exploit_scenario: |-
|
|
4057
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
4058
|
+
fix_template: |-
|
|
4059
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4060
|
+
pattern-either:
|
|
4061
|
+
- pattern: |-
|
|
4062
|
+
source_ranges = ['0.0.0.0/0']
|
|
4063
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-100\\b'
|
|
4064
|
+
message: |-
|
|
4065
|
+
RunSec Detection [CLD-100]: CWE-732
|
|
4066
|
+
languages:
|
|
4067
|
+
- generic
|
|
4068
|
+
severity: WARNING
|
|
4069
|
+
- id: runsec.infra-k8s-helm.cld-101
|
|
4070
|
+
metadata:
|
|
4071
|
+
runsec_version: v1.0
|
|
4072
|
+
confidence: |-
|
|
4073
|
+
0.9
|
|
4074
|
+
exploit_scenario: |-
|
|
4075
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
4076
|
+
fix_template: |-
|
|
4077
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4078
|
+
pattern-either:
|
|
4079
|
+
- pattern: |-
|
|
4080
|
+
Action: '*'
|
|
4081
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-101\\b'
|
|
4082
|
+
message: |-
|
|
4083
|
+
RunSec Detection [CLD-101]: CWE-250
|
|
4084
|
+
languages:
|
|
4085
|
+
- generic
|
|
4086
|
+
severity: WARNING
|
|
4087
|
+
- id: runsec.infra-k8s-helm.cld-102
|
|
4088
|
+
metadata:
|
|
4089
|
+
runsec_version: v1.0
|
|
4090
|
+
confidence: |-
|
|
4091
|
+
0.9
|
|
4092
|
+
exploit_scenario: |-
|
|
4093
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
4094
|
+
fix_template: |-
|
|
4095
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4096
|
+
pattern-either:
|
|
4097
|
+
- pattern: |-
|
|
4098
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
4099
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-102\\b'
|
|
4100
|
+
message: |-
|
|
4101
|
+
RunSec Detection [CLD-102]: CWE-668
|
|
4102
|
+
languages:
|
|
4103
|
+
- generic
|
|
4104
|
+
severity: WARNING
|
|
4105
|
+
- id: runsec.infra-k8s-helm.cld-103
|
|
4106
|
+
metadata:
|
|
4107
|
+
runsec_version: v1.0
|
|
4108
|
+
confidence: |-
|
|
4109
|
+
0.9
|
|
4110
|
+
exploit_scenario: |-
|
|
4111
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
4112
|
+
fix_template: |-
|
|
4113
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4114
|
+
pattern-either:
|
|
4115
|
+
- pattern: |-
|
|
4116
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
4117
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-103\\b'
|
|
4118
|
+
message: |-
|
|
4119
|
+
RunSec Detection [CLD-103]: CWE-284
|
|
4120
|
+
languages:
|
|
4121
|
+
- generic
|
|
4122
|
+
severity: WARNING
|
|
4123
|
+
- id: runsec.infra-k8s-helm.cld-104
|
|
4124
|
+
metadata:
|
|
4125
|
+
runsec_version: v1.0
|
|
4126
|
+
confidence: |-
|
|
4127
|
+
0.9
|
|
4128
|
+
exploit_scenario: |-
|
|
4129
|
+
Unencrypted object storage exposes data at rest risks.
|
|
4130
|
+
fix_template: |-
|
|
4131
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4132
|
+
pattern-either:
|
|
4133
|
+
- pattern: |-
|
|
4134
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
4135
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-104\\b'
|
|
4136
|
+
message: |-
|
|
4137
|
+
RunSec Detection [CLD-104]: CWE-311
|
|
4138
|
+
languages:
|
|
4139
|
+
- generic
|
|
4140
|
+
severity: WARNING
|
|
4141
|
+
- id: runsec.infra-k8s-helm.cld-105
|
|
4142
|
+
metadata:
|
|
4143
|
+
runsec_version: v1.0
|
|
4144
|
+
confidence: |-
|
|
4145
|
+
0.9
|
|
4146
|
+
exploit_scenario: |-
|
|
4147
|
+
Public blob exposure can leak sensitive tenant data.
|
|
4148
|
+
fix_template: |-
|
|
4149
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4150
|
+
pattern-either:
|
|
4151
|
+
- pattern: |-
|
|
4152
|
+
allow_blob_public_access = true
|
|
4153
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-105\\b'
|
|
4154
|
+
message: |-
|
|
4155
|
+
RunSec Detection [CLD-105]: CWE-200
|
|
4156
|
+
languages:
|
|
4157
|
+
- generic
|
|
4158
|
+
severity: WARNING
|
|
4159
|
+
- id: runsec.infra-k8s-helm.cld-106
|
|
4160
|
+
metadata:
|
|
4161
|
+
runsec_version: v1.0
|
|
4162
|
+
confidence: |-
|
|
4163
|
+
0.9
|
|
4164
|
+
exploit_scenario: |-
|
|
4165
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
4166
|
+
fix_template: |-
|
|
4167
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4168
|
+
pattern-either:
|
|
4169
|
+
- pattern: |-
|
|
4170
|
+
source_ranges = ['0.0.0.0/0']
|
|
4171
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-106\\b'
|
|
4172
|
+
message: |-
|
|
4173
|
+
RunSec Detection [CLD-106]: CWE-732
|
|
4174
|
+
languages:
|
|
4175
|
+
- generic
|
|
4176
|
+
severity: WARNING
|
|
4177
|
+
- id: runsec.infra-k8s-helm.cld-107
|
|
4178
|
+
metadata:
|
|
4179
|
+
runsec_version: v1.0
|
|
4180
|
+
confidence: |-
|
|
4181
|
+
0.9
|
|
4182
|
+
exploit_scenario: |-
|
|
4183
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
4184
|
+
fix_template: |-
|
|
4185
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4186
|
+
pattern-either:
|
|
4187
|
+
- pattern: |-
|
|
4188
|
+
Action: '*'
|
|
4189
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-107\\b'
|
|
4190
|
+
message: |-
|
|
4191
|
+
RunSec Detection [CLD-107]: CWE-250
|
|
4192
|
+
languages:
|
|
4193
|
+
- generic
|
|
4194
|
+
severity: WARNING
|
|
4195
|
+
- id: runsec.infra-k8s-helm.cld-108
|
|
4196
|
+
metadata:
|
|
4197
|
+
runsec_version: v1.0
|
|
4198
|
+
confidence: |-
|
|
4199
|
+
0.9
|
|
4200
|
+
exploit_scenario: |-
|
|
4201
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
4202
|
+
fix_template: |-
|
|
4203
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4204
|
+
pattern-either:
|
|
4205
|
+
- pattern: |-
|
|
4206
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
4207
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-108\\b'
|
|
4208
|
+
message: |-
|
|
4209
|
+
RunSec Detection [CLD-108]: CWE-668
|
|
4210
|
+
languages:
|
|
4211
|
+
- generic
|
|
4212
|
+
severity: WARNING
|
|
4213
|
+
- id: runsec.infra-k8s-helm.cld-109
|
|
4214
|
+
metadata:
|
|
4215
|
+
runsec_version: v1.0
|
|
4216
|
+
confidence: |-
|
|
4217
|
+
0.9
|
|
4218
|
+
exploit_scenario: |-
|
|
4219
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
4220
|
+
fix_template: |-
|
|
4221
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4222
|
+
pattern-either:
|
|
4223
|
+
- pattern: |-
|
|
4224
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
4225
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-109\\b'
|
|
4226
|
+
message: |-
|
|
4227
|
+
RunSec Detection [CLD-109]: CWE-284
|
|
4228
|
+
languages:
|
|
4229
|
+
- generic
|
|
4230
|
+
severity: WARNING
|
|
4231
|
+
- id: runsec.infra-k8s-helm.cld-110
|
|
4232
|
+
metadata:
|
|
4233
|
+
runsec_version: v1.0
|
|
4234
|
+
confidence: |-
|
|
4235
|
+
0.9
|
|
4236
|
+
exploit_scenario: |-
|
|
4237
|
+
Unencrypted object storage exposes data at rest risks.
|
|
4238
|
+
fix_template: |-
|
|
4239
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4240
|
+
pattern-either:
|
|
4241
|
+
- pattern: |-
|
|
4242
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
4243
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-110\\b'
|
|
4244
|
+
message: |-
|
|
4245
|
+
RunSec Detection [CLD-110]: CWE-311
|
|
4246
|
+
languages:
|
|
4247
|
+
- generic
|
|
4248
|
+
severity: WARNING
|
|
4249
|
+
- id: runsec.infra-k8s-helm.cld-111
|
|
4250
|
+
metadata:
|
|
4251
|
+
runsec_version: v1.0
|
|
4252
|
+
confidence: |-
|
|
4253
|
+
0.9
|
|
4254
|
+
exploit_scenario: |-
|
|
4255
|
+
Public blob exposure can leak sensitive tenant data.
|
|
4256
|
+
fix_template: |-
|
|
4257
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4258
|
+
pattern-either:
|
|
4259
|
+
- pattern: |-
|
|
4260
|
+
allow_blob_public_access = true
|
|
4261
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-111\\b'
|
|
4262
|
+
message: |-
|
|
4263
|
+
RunSec Detection [CLD-111]: CWE-200
|
|
4264
|
+
languages:
|
|
4265
|
+
- generic
|
|
4266
|
+
severity: WARNING
|
|
4267
|
+
- id: runsec.infra-k8s-helm.cld-112
|
|
4268
|
+
metadata:
|
|
4269
|
+
runsec_version: v1.0
|
|
4270
|
+
confidence: |-
|
|
4271
|
+
0.9
|
|
4272
|
+
exploit_scenario: |-
|
|
4273
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
4274
|
+
fix_template: |-
|
|
4275
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4276
|
+
pattern-either:
|
|
4277
|
+
- pattern: |-
|
|
4278
|
+
source_ranges = ['0.0.0.0/0']
|
|
4279
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-112\\b'
|
|
4280
|
+
message: |-
|
|
4281
|
+
RunSec Detection [CLD-112]: CWE-732
|
|
4282
|
+
languages:
|
|
4283
|
+
- generic
|
|
4284
|
+
severity: WARNING
|
|
4285
|
+
- id: runsec.infra-k8s-helm.cld-113
|
|
4286
|
+
metadata:
|
|
4287
|
+
runsec_version: v1.0
|
|
4288
|
+
confidence: |-
|
|
4289
|
+
0.9
|
|
4290
|
+
exploit_scenario: |-
|
|
4291
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
4292
|
+
fix_template: |-
|
|
4293
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4294
|
+
pattern-either:
|
|
4295
|
+
- pattern: |-
|
|
4296
|
+
Action: '*'
|
|
4297
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-113\\b'
|
|
4298
|
+
message: |-
|
|
4299
|
+
RunSec Detection [CLD-113]: CWE-250
|
|
4300
|
+
languages:
|
|
4301
|
+
- generic
|
|
4302
|
+
severity: WARNING
|
|
4303
|
+
- id: runsec.infra-k8s-helm.cld-114
|
|
4304
|
+
metadata:
|
|
4305
|
+
runsec_version: v1.0
|
|
4306
|
+
confidence: |-
|
|
4307
|
+
0.9
|
|
4308
|
+
exploit_scenario: |-
|
|
4309
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
4310
|
+
fix_template: |-
|
|
4311
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4312
|
+
pattern-either:
|
|
4313
|
+
- pattern: |-
|
|
4314
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
4315
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-114\\b'
|
|
4316
|
+
message: |-
|
|
4317
|
+
RunSec Detection [CLD-114]: CWE-668
|
|
4318
|
+
languages:
|
|
4319
|
+
- generic
|
|
4320
|
+
severity: WARNING
|
|
4321
|
+
- id: runsec.infra-k8s-helm.cld-115
|
|
4322
|
+
metadata:
|
|
4323
|
+
runsec_version: v1.0
|
|
4324
|
+
confidence: |-
|
|
4325
|
+
0.9
|
|
4326
|
+
exploit_scenario: |-
|
|
4327
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
4328
|
+
fix_template: |-
|
|
4329
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4330
|
+
pattern-either:
|
|
4331
|
+
- pattern: |-
|
|
4332
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
4333
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-115\\b'
|
|
4334
|
+
message: |-
|
|
4335
|
+
RunSec Detection [CLD-115]: CWE-284
|
|
4336
|
+
languages:
|
|
4337
|
+
- generic
|
|
4338
|
+
severity: WARNING
|
|
4339
|
+
- id: runsec.infra-k8s-helm.cld-116
|
|
4340
|
+
metadata:
|
|
4341
|
+
runsec_version: v1.0
|
|
4342
|
+
confidence: |-
|
|
4343
|
+
0.9
|
|
4344
|
+
exploit_scenario: |-
|
|
4345
|
+
Unencrypted object storage exposes data at rest risks.
|
|
4346
|
+
fix_template: |-
|
|
4347
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4348
|
+
pattern-either:
|
|
4349
|
+
- pattern: |-
|
|
4350
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
4351
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-116\\b'
|
|
4352
|
+
message: |-
|
|
4353
|
+
RunSec Detection [CLD-116]: CWE-311
|
|
4354
|
+
languages:
|
|
4355
|
+
- generic
|
|
4356
|
+
severity: WARNING
|
|
4357
|
+
- id: runsec.infra-k8s-helm.cld-117
|
|
4358
|
+
metadata:
|
|
4359
|
+
runsec_version: v1.0
|
|
4360
|
+
confidence: |-
|
|
4361
|
+
0.9
|
|
4362
|
+
exploit_scenario: |-
|
|
4363
|
+
Public blob exposure can leak sensitive tenant data.
|
|
4364
|
+
fix_template: |-
|
|
4365
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4366
|
+
pattern-either:
|
|
4367
|
+
- pattern: |-
|
|
4368
|
+
allow_blob_public_access = true
|
|
4369
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-117\\b'
|
|
4370
|
+
message: |-
|
|
4371
|
+
RunSec Detection [CLD-117]: CWE-200
|
|
4372
|
+
languages:
|
|
4373
|
+
- generic
|
|
4374
|
+
severity: WARNING
|
|
4375
|
+
- id: runsec.infra-k8s-helm.cld-118
|
|
4376
|
+
metadata:
|
|
4377
|
+
runsec_version: v1.0
|
|
4378
|
+
confidence: |-
|
|
4379
|
+
0.9
|
|
4380
|
+
exploit_scenario: |-
|
|
4381
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
4382
|
+
fix_template: |-
|
|
4383
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4384
|
+
pattern-either:
|
|
4385
|
+
- pattern: |-
|
|
4386
|
+
source_ranges = ['0.0.0.0/0']
|
|
4387
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-118\\b'
|
|
4388
|
+
message: |-
|
|
4389
|
+
RunSec Detection [CLD-118]: CWE-732
|
|
4390
|
+
languages:
|
|
4391
|
+
- generic
|
|
4392
|
+
severity: WARNING
|
|
4393
|
+
- id: runsec.infra-k8s-helm.cld-119
|
|
4394
|
+
metadata:
|
|
4395
|
+
runsec_version: v1.0
|
|
4396
|
+
confidence: |-
|
|
4397
|
+
0.9
|
|
4398
|
+
exploit_scenario: |-
|
|
4399
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
4400
|
+
fix_template: |-
|
|
4401
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4402
|
+
pattern-either:
|
|
4403
|
+
- pattern: |-
|
|
4404
|
+
Action: '*'
|
|
4405
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-119\\b'
|
|
4406
|
+
message: |-
|
|
4407
|
+
RunSec Detection [CLD-119]: CWE-250
|
|
4408
|
+
languages:
|
|
4409
|
+
- generic
|
|
4410
|
+
severity: WARNING
|
|
4411
|
+
- id: runsec.infra-k8s-helm.cld-120
|
|
4412
|
+
metadata:
|
|
4413
|
+
runsec_version: v1.0
|
|
4414
|
+
confidence: |-
|
|
4415
|
+
0.9
|
|
4416
|
+
exploit_scenario: |-
|
|
4417
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
4418
|
+
fix_template: |-
|
|
4419
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4420
|
+
pattern-either:
|
|
4421
|
+
- pattern: |-
|
|
4422
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
4423
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-120\\b'
|
|
4424
|
+
message: |-
|
|
4425
|
+
RunSec Detection [CLD-120]: CWE-668
|
|
4426
|
+
languages:
|
|
4427
|
+
- generic
|
|
4428
|
+
severity: WARNING
|
|
4429
|
+
- id: runsec.infra-k8s-helm.cld-121
|
|
4430
|
+
metadata:
|
|
4431
|
+
runsec_version: v1.0
|
|
4432
|
+
confidence: |-
|
|
4433
|
+
0.9
|
|
4434
|
+
exploit_scenario: |-
|
|
4435
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
4436
|
+
fix_template: |-
|
|
4437
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4438
|
+
pattern-either:
|
|
4439
|
+
- pattern: |-
|
|
4440
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
4441
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-121\\b'
|
|
4442
|
+
message: |-
|
|
4443
|
+
RunSec Detection [CLD-121]: CWE-284
|
|
4444
|
+
languages:
|
|
4445
|
+
- generic
|
|
4446
|
+
severity: WARNING
|
|
4447
|
+
- id: runsec.infra-k8s-helm.cld-122
|
|
4448
|
+
metadata:
|
|
4449
|
+
runsec_version: v1.0
|
|
4450
|
+
confidence: |-
|
|
4451
|
+
0.9
|
|
4452
|
+
exploit_scenario: |-
|
|
4453
|
+
Unencrypted object storage exposes data at rest risks.
|
|
4454
|
+
fix_template: |-
|
|
4455
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4456
|
+
pattern-either:
|
|
4457
|
+
- pattern: |-
|
|
4458
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
4459
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-122\\b'
|
|
4460
|
+
message: |-
|
|
4461
|
+
RunSec Detection [CLD-122]: CWE-311
|
|
4462
|
+
languages:
|
|
4463
|
+
- generic
|
|
4464
|
+
severity: WARNING
|
|
4465
|
+
- id: runsec.infra-k8s-helm.cld-123
|
|
4466
|
+
metadata:
|
|
4467
|
+
runsec_version: v1.0
|
|
4468
|
+
confidence: |-
|
|
4469
|
+
0.9
|
|
4470
|
+
exploit_scenario: |-
|
|
4471
|
+
Public blob exposure can leak sensitive tenant data.
|
|
4472
|
+
fix_template: |-
|
|
4473
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4474
|
+
pattern-either:
|
|
4475
|
+
- pattern: |-
|
|
4476
|
+
allow_blob_public_access = true
|
|
4477
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-123\\b'
|
|
4478
|
+
message: |-
|
|
4479
|
+
RunSec Detection [CLD-123]: CWE-200
|
|
4480
|
+
languages:
|
|
4481
|
+
- generic
|
|
4482
|
+
severity: WARNING
|
|
4483
|
+
- id: runsec.infra-k8s-helm.cld-124
|
|
4484
|
+
metadata:
|
|
4485
|
+
runsec_version: v1.0
|
|
4486
|
+
confidence: |-
|
|
4487
|
+
0.9
|
|
4488
|
+
exploit_scenario: |-
|
|
4489
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
4490
|
+
fix_template: |-
|
|
4491
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4492
|
+
pattern-either:
|
|
4493
|
+
- pattern: |-
|
|
4494
|
+
source_ranges = ['0.0.0.0/0']
|
|
4495
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-124\\b'
|
|
4496
|
+
message: |-
|
|
4497
|
+
RunSec Detection [CLD-124]: CWE-732
|
|
4498
|
+
languages:
|
|
4499
|
+
- generic
|
|
4500
|
+
severity: WARNING
|
|
4501
|
+
- id: runsec.infra-k8s-helm.cld-125
|
|
4502
|
+
metadata:
|
|
4503
|
+
runsec_version: v1.0
|
|
4504
|
+
confidence: |-
|
|
4505
|
+
0.9
|
|
4506
|
+
exploit_scenario: |-
|
|
4507
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
4508
|
+
fix_template: |-
|
|
4509
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4510
|
+
pattern-either:
|
|
4511
|
+
- pattern: |-
|
|
4512
|
+
Action: '*'
|
|
4513
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-125\\b'
|
|
4514
|
+
message: |-
|
|
4515
|
+
RunSec Detection [CLD-125]: CWE-250
|
|
4516
|
+
languages:
|
|
4517
|
+
- generic
|
|
4518
|
+
severity: WARNING
|
|
4519
|
+
- id: runsec.infra-k8s-helm.cld-126
|
|
4520
|
+
metadata:
|
|
4521
|
+
runsec_version: v1.0
|
|
4522
|
+
confidence: |-
|
|
4523
|
+
0.9
|
|
4524
|
+
exploit_scenario: |-
|
|
4525
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
4526
|
+
fix_template: |-
|
|
4527
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4528
|
+
pattern-either:
|
|
4529
|
+
- pattern: |-
|
|
4530
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
4531
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-126\\b'
|
|
4532
|
+
message: |-
|
|
4533
|
+
RunSec Detection [CLD-126]: CWE-668
|
|
4534
|
+
languages:
|
|
4535
|
+
- generic
|
|
4536
|
+
severity: WARNING
|
|
4537
|
+
- id: runsec.infra-k8s-helm.cld-127
|
|
4538
|
+
metadata:
|
|
4539
|
+
runsec_version: v1.0
|
|
4540
|
+
confidence: |-
|
|
4541
|
+
0.9
|
|
4542
|
+
exploit_scenario: |-
|
|
4543
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
4544
|
+
fix_template: |-
|
|
4545
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4546
|
+
pattern-either:
|
|
4547
|
+
- pattern: |-
|
|
4548
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
4549
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-127\\b'
|
|
4550
|
+
message: |-
|
|
4551
|
+
RunSec Detection [CLD-127]: CWE-284
|
|
4552
|
+
languages:
|
|
4553
|
+
- generic
|
|
4554
|
+
severity: WARNING
|
|
4555
|
+
- id: runsec.infra-k8s-helm.cld-128
|
|
4556
|
+
metadata:
|
|
4557
|
+
runsec_version: v1.0
|
|
4558
|
+
confidence: |-
|
|
4559
|
+
0.9
|
|
4560
|
+
exploit_scenario: |-
|
|
4561
|
+
Unencrypted object storage exposes data at rest risks.
|
|
4562
|
+
fix_template: |-
|
|
4563
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4564
|
+
pattern-either:
|
|
4565
|
+
- pattern: |-
|
|
4566
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
4567
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-128\\b'
|
|
4568
|
+
message: |-
|
|
4569
|
+
RunSec Detection [CLD-128]: CWE-311
|
|
4570
|
+
languages:
|
|
4571
|
+
- generic
|
|
4572
|
+
severity: WARNING
|
|
4573
|
+
- id: runsec.infra-k8s-helm.cld-129
|
|
4574
|
+
metadata:
|
|
4575
|
+
runsec_version: v1.0
|
|
4576
|
+
confidence: |-
|
|
4577
|
+
0.9
|
|
4578
|
+
exploit_scenario: |-
|
|
4579
|
+
Public blob exposure can leak sensitive tenant data.
|
|
4580
|
+
fix_template: |-
|
|
4581
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4582
|
+
pattern-either:
|
|
4583
|
+
- pattern: |-
|
|
4584
|
+
allow_blob_public_access = true
|
|
4585
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-129\\b'
|
|
4586
|
+
message: |-
|
|
4587
|
+
RunSec Detection [CLD-129]: CWE-200
|
|
4588
|
+
languages:
|
|
4589
|
+
- generic
|
|
4590
|
+
severity: WARNING
|
|
4591
|
+
- id: runsec.infra-k8s-helm.cld-130
|
|
4592
|
+
metadata:
|
|
4593
|
+
runsec_version: v1.0
|
|
4594
|
+
confidence: |-
|
|
4595
|
+
0.9
|
|
4596
|
+
exploit_scenario: |-
|
|
4597
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
4598
|
+
fix_template: |-
|
|
4599
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4600
|
+
pattern-either:
|
|
4601
|
+
- pattern: |-
|
|
4602
|
+
source_ranges = ['0.0.0.0/0']
|
|
4603
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-130\\b'
|
|
4604
|
+
message: |-
|
|
4605
|
+
RunSec Detection [CLD-130]: CWE-732
|
|
4606
|
+
languages:
|
|
4607
|
+
- generic
|
|
4608
|
+
severity: WARNING
|
|
4609
|
+
- id: runsec.infra-k8s-helm.cld-131
|
|
4610
|
+
metadata:
|
|
4611
|
+
runsec_version: v1.0
|
|
4612
|
+
confidence: |-
|
|
4613
|
+
0.9
|
|
4614
|
+
exploit_scenario: |-
|
|
4615
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
4616
|
+
fix_template: |-
|
|
4617
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4618
|
+
pattern-either:
|
|
4619
|
+
- pattern: |-
|
|
4620
|
+
Action: '*'
|
|
4621
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-131\\b'
|
|
4622
|
+
message: |-
|
|
4623
|
+
RunSec Detection [CLD-131]: CWE-250
|
|
4624
|
+
languages:
|
|
4625
|
+
- generic
|
|
4626
|
+
severity: WARNING
|
|
4627
|
+
- id: runsec.infra-k8s-helm.cld-132
|
|
4628
|
+
metadata:
|
|
4629
|
+
runsec_version: v1.0
|
|
4630
|
+
confidence: |-
|
|
4631
|
+
0.9
|
|
4632
|
+
exploit_scenario: |-
|
|
4633
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
4634
|
+
fix_template: |-
|
|
4635
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4636
|
+
pattern-either:
|
|
4637
|
+
- pattern: |-
|
|
4638
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
4639
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-132\\b'
|
|
4640
|
+
message: |-
|
|
4641
|
+
RunSec Detection [CLD-132]: CWE-668
|
|
4642
|
+
languages:
|
|
4643
|
+
- generic
|
|
4644
|
+
severity: WARNING
|
|
4645
|
+
- id: runsec.infra-k8s-helm.cld-133
|
|
4646
|
+
metadata:
|
|
4647
|
+
runsec_version: v1.0
|
|
4648
|
+
confidence: |-
|
|
4649
|
+
0.9
|
|
4650
|
+
exploit_scenario: |-
|
|
4651
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
4652
|
+
fix_template: |-
|
|
4653
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4654
|
+
pattern-either:
|
|
4655
|
+
- pattern: |-
|
|
4656
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
4657
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-133\\b'
|
|
4658
|
+
message: |-
|
|
4659
|
+
RunSec Detection [CLD-133]: CWE-284
|
|
4660
|
+
languages:
|
|
4661
|
+
- generic
|
|
4662
|
+
severity: WARNING
|
|
4663
|
+
- id: runsec.infra-k8s-helm.cld-134
|
|
4664
|
+
metadata:
|
|
4665
|
+
runsec_version: v1.0
|
|
4666
|
+
confidence: |-
|
|
4667
|
+
0.9
|
|
4668
|
+
exploit_scenario: |-
|
|
4669
|
+
Unencrypted object storage exposes data at rest risks.
|
|
4670
|
+
fix_template: |-
|
|
4671
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4672
|
+
pattern-either:
|
|
4673
|
+
- pattern: |-
|
|
4674
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
4675
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-134\\b'
|
|
4676
|
+
message: |-
|
|
4677
|
+
RunSec Detection [CLD-134]: CWE-311
|
|
4678
|
+
languages:
|
|
4679
|
+
- generic
|
|
4680
|
+
severity: WARNING
|
|
4681
|
+
- id: runsec.infra-k8s-helm.cld-135
|
|
4682
|
+
metadata:
|
|
4683
|
+
runsec_version: v1.0
|
|
4684
|
+
confidence: |-
|
|
4685
|
+
0.9
|
|
4686
|
+
exploit_scenario: |-
|
|
4687
|
+
Public blob exposure can leak sensitive tenant data.
|
|
4688
|
+
fix_template: |-
|
|
4689
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4690
|
+
pattern-either:
|
|
4691
|
+
- pattern: |-
|
|
4692
|
+
allow_blob_public_access = true
|
|
4693
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-135\\b'
|
|
4694
|
+
message: |-
|
|
4695
|
+
RunSec Detection [CLD-135]: CWE-200
|
|
4696
|
+
languages:
|
|
4697
|
+
- generic
|
|
4698
|
+
severity: WARNING
|
|
4699
|
+
- id: runsec.infra-k8s-helm.cld-136
|
|
4700
|
+
metadata:
|
|
4701
|
+
runsec_version: v1.0
|
|
4702
|
+
confidence: |-
|
|
4703
|
+
0.9
|
|
4704
|
+
exploit_scenario: |-
|
|
4705
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
4706
|
+
fix_template: |-
|
|
4707
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4708
|
+
pattern-either:
|
|
4709
|
+
- pattern: |-
|
|
4710
|
+
source_ranges = ['0.0.0.0/0']
|
|
4711
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-136\\b'
|
|
4712
|
+
message: |-
|
|
4713
|
+
RunSec Detection [CLD-136]: CWE-732
|
|
4714
|
+
languages:
|
|
4715
|
+
- generic
|
|
4716
|
+
severity: WARNING
|
|
4717
|
+
- id: runsec.infra-k8s-helm.cld-137
|
|
4718
|
+
metadata:
|
|
4719
|
+
runsec_version: v1.0
|
|
4720
|
+
confidence: |-
|
|
4721
|
+
0.9
|
|
4722
|
+
exploit_scenario: |-
|
|
4723
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
4724
|
+
fix_template: |-
|
|
4725
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4726
|
+
pattern-either:
|
|
4727
|
+
- pattern: |-
|
|
4728
|
+
Action: '*'
|
|
4729
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-137\\b'
|
|
4730
|
+
message: |-
|
|
4731
|
+
RunSec Detection [CLD-137]: CWE-250
|
|
4732
|
+
languages:
|
|
4733
|
+
- generic
|
|
4734
|
+
severity: WARNING
|
|
4735
|
+
- id: runsec.infra-k8s-helm.cld-138
|
|
4736
|
+
metadata:
|
|
4737
|
+
runsec_version: v1.0
|
|
4738
|
+
confidence: |-
|
|
4739
|
+
0.9
|
|
4740
|
+
exploit_scenario: |-
|
|
4741
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
4742
|
+
fix_template: |-
|
|
4743
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4744
|
+
pattern-either:
|
|
4745
|
+
- pattern: |-
|
|
4746
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
4747
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-138\\b'
|
|
4748
|
+
message: |-
|
|
4749
|
+
RunSec Detection [CLD-138]: CWE-668
|
|
4750
|
+
languages:
|
|
4751
|
+
- generic
|
|
4752
|
+
severity: WARNING
|
|
4753
|
+
- id: runsec.infra-k8s-helm.cld-139
|
|
4754
|
+
metadata:
|
|
4755
|
+
runsec_version: v1.0
|
|
4756
|
+
confidence: |-
|
|
4757
|
+
0.9
|
|
4758
|
+
exploit_scenario: |-
|
|
4759
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
4760
|
+
fix_template: |-
|
|
4761
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4762
|
+
pattern-either:
|
|
4763
|
+
- pattern: |-
|
|
4764
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
4765
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-139\\b'
|
|
4766
|
+
message: |-
|
|
4767
|
+
RunSec Detection [CLD-139]: CWE-284
|
|
4768
|
+
languages:
|
|
4769
|
+
- generic
|
|
4770
|
+
severity: WARNING
|
|
4771
|
+
- id: runsec.infra-k8s-helm.cld-140
|
|
4772
|
+
metadata:
|
|
4773
|
+
runsec_version: v1.0
|
|
4774
|
+
confidence: |-
|
|
4775
|
+
0.9
|
|
4776
|
+
exploit_scenario: |-
|
|
4777
|
+
Unencrypted object storage exposes data at rest risks.
|
|
4778
|
+
fix_template: |-
|
|
4779
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4780
|
+
pattern-either:
|
|
4781
|
+
- pattern: |-
|
|
4782
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
4783
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-140\\b'
|
|
4784
|
+
message: |-
|
|
4785
|
+
RunSec Detection [CLD-140]: CWE-311
|
|
4786
|
+
languages:
|
|
4787
|
+
- generic
|
|
4788
|
+
severity: WARNING
|
|
4789
|
+
- id: runsec.infra-k8s-helm.cld-141
|
|
4790
|
+
metadata:
|
|
4791
|
+
runsec_version: v1.0
|
|
4792
|
+
confidence: |-
|
|
4793
|
+
0.9
|
|
4794
|
+
exploit_scenario: |-
|
|
4795
|
+
Public blob exposure can leak sensitive tenant data.
|
|
4796
|
+
fix_template: |-
|
|
4797
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4798
|
+
pattern-either:
|
|
4799
|
+
- pattern: |-
|
|
4800
|
+
allow_blob_public_access = true
|
|
4801
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-141\\b'
|
|
4802
|
+
message: |-
|
|
4803
|
+
RunSec Detection [CLD-141]: CWE-200
|
|
4804
|
+
languages:
|
|
4805
|
+
- generic
|
|
4806
|
+
severity: WARNING
|
|
4807
|
+
- id: runsec.infra-k8s-helm.cld-142
|
|
4808
|
+
metadata:
|
|
4809
|
+
runsec_version: v1.0
|
|
4810
|
+
confidence: |-
|
|
4811
|
+
0.9
|
|
4812
|
+
exploit_scenario: |-
|
|
4813
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
4814
|
+
fix_template: |-
|
|
4815
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4816
|
+
pattern-either:
|
|
4817
|
+
- pattern: |-
|
|
4818
|
+
source_ranges = ['0.0.0.0/0']
|
|
4819
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-142\\b'
|
|
4820
|
+
message: |-
|
|
4821
|
+
RunSec Detection [CLD-142]: CWE-732
|
|
4822
|
+
languages:
|
|
4823
|
+
- generic
|
|
4824
|
+
severity: WARNING
|
|
4825
|
+
- id: runsec.infra-k8s-helm.cld-143
|
|
4826
|
+
metadata:
|
|
4827
|
+
runsec_version: v1.0
|
|
4828
|
+
confidence: |-
|
|
4829
|
+
0.9
|
|
4830
|
+
exploit_scenario: |-
|
|
4831
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
4832
|
+
fix_template: |-
|
|
4833
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4834
|
+
pattern-either:
|
|
4835
|
+
- pattern: |-
|
|
4836
|
+
Action: '*'
|
|
4837
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-143\\b'
|
|
4838
|
+
message: |-
|
|
4839
|
+
RunSec Detection [CLD-143]: CWE-250
|
|
4840
|
+
languages:
|
|
4841
|
+
- generic
|
|
4842
|
+
severity: WARNING
|
|
4843
|
+
- id: runsec.infra-k8s-helm.cld-144
|
|
4844
|
+
metadata:
|
|
4845
|
+
runsec_version: v1.0
|
|
4846
|
+
confidence: |-
|
|
4847
|
+
0.9
|
|
4848
|
+
exploit_scenario: |-
|
|
4849
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
4850
|
+
fix_template: |-
|
|
4851
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4852
|
+
pattern-either:
|
|
4853
|
+
- pattern: |-
|
|
4854
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
4855
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-144\\b'
|
|
4856
|
+
message: |-
|
|
4857
|
+
RunSec Detection [CLD-144]: CWE-668
|
|
4858
|
+
languages:
|
|
4859
|
+
- generic
|
|
4860
|
+
severity: WARNING
|
|
4861
|
+
- id: runsec.infra-k8s-helm.cld-145
|
|
4862
|
+
metadata:
|
|
4863
|
+
runsec_version: v1.0
|
|
4864
|
+
confidence: |-
|
|
4865
|
+
0.9
|
|
4866
|
+
exploit_scenario: |-
|
|
4867
|
+
Wildcard trust policy allows untrusted principal role assumption.
|
|
4868
|
+
fix_template: |-
|
|
4869
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4870
|
+
pattern-either:
|
|
4871
|
+
- pattern: |-
|
|
4872
|
+
assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })
|
|
4873
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-145\\b'
|
|
4874
|
+
message: |-
|
|
4875
|
+
RunSec Detection [CLD-145]: CWE-284
|
|
4876
|
+
languages:
|
|
4877
|
+
- generic
|
|
4878
|
+
severity: WARNING
|
|
4879
|
+
- id: runsec.infra-k8s-helm.cld-146
|
|
4880
|
+
metadata:
|
|
4881
|
+
runsec_version: v1.0
|
|
4882
|
+
confidence: |-
|
|
4883
|
+
0.9
|
|
4884
|
+
exploit_scenario: |-
|
|
4885
|
+
Unencrypted object storage exposes data at rest risks.
|
|
4886
|
+
fix_template: |-
|
|
4887
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4888
|
+
pattern-either:
|
|
4889
|
+
- pattern: |-
|
|
4890
|
+
resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}
|
|
4891
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-146\\b'
|
|
4892
|
+
message: |-
|
|
4893
|
+
RunSec Detection [CLD-146]: CWE-311
|
|
4894
|
+
languages:
|
|
4895
|
+
- generic
|
|
4896
|
+
severity: WARNING
|
|
4897
|
+
- id: runsec.infra-k8s-helm.cld-147
|
|
4898
|
+
metadata:
|
|
4899
|
+
runsec_version: v1.0
|
|
4900
|
+
confidence: |-
|
|
4901
|
+
0.9
|
|
4902
|
+
exploit_scenario: |-
|
|
4903
|
+
Public blob exposure can leak sensitive tenant data.
|
|
4904
|
+
fix_template: |-
|
|
4905
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4906
|
+
pattern-either:
|
|
4907
|
+
- pattern: |-
|
|
4908
|
+
allow_blob_public_access = true
|
|
4909
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-147\\b'
|
|
4910
|
+
message: |-
|
|
4911
|
+
RunSec Detection [CLD-147]: CWE-200
|
|
4912
|
+
languages:
|
|
4913
|
+
- generic
|
|
4914
|
+
severity: WARNING
|
|
4915
|
+
- id: runsec.infra-k8s-helm.cld-148
|
|
4916
|
+
metadata:
|
|
4917
|
+
runsec_version: v1.0
|
|
4918
|
+
confidence: |-
|
|
4919
|
+
0.9
|
|
4920
|
+
exploit_scenario: |-
|
|
4921
|
+
Open ingress on admin surfaces increases remote attackability.
|
|
4922
|
+
fix_template: |-
|
|
4923
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4924
|
+
pattern-either:
|
|
4925
|
+
- pattern: |-
|
|
4926
|
+
source_ranges = ['0.0.0.0/0']
|
|
4927
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-148\\b'
|
|
4928
|
+
message: |-
|
|
4929
|
+
RunSec Detection [CLD-148]: CWE-732
|
|
4930
|
+
languages:
|
|
4931
|
+
- generic
|
|
4932
|
+
severity: WARNING
|
|
4933
|
+
- id: runsec.infra-k8s-helm.cld-149
|
|
4934
|
+
metadata:
|
|
4935
|
+
runsec_version: v1.0
|
|
4936
|
+
confidence: |-
|
|
4937
|
+
0.9
|
|
4938
|
+
exploit_scenario: |-
|
|
4939
|
+
Over-privileged wildcard policy enables privilege abuse.
|
|
4940
|
+
fix_template: |-
|
|
4941
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4942
|
+
pattern-either:
|
|
4943
|
+
- pattern: |-
|
|
4944
|
+
Action: '*'
|
|
4945
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-149\\b'
|
|
4946
|
+
message: |-
|
|
4947
|
+
RunSec Detection [CLD-149]: CWE-250
|
|
4948
|
+
languages:
|
|
4949
|
+
- generic
|
|
4950
|
+
severity: WARNING
|
|
4951
|
+
- id: runsec.infra-k8s-helm.cld-150
|
|
4952
|
+
metadata:
|
|
4953
|
+
runsec_version: v1.0
|
|
4954
|
+
confidence: |-
|
|
4955
|
+
0.9
|
|
4956
|
+
exploit_scenario: |-
|
|
4957
|
+
Lack of subnet isolation allows lateral movement to data tiers.
|
|
4958
|
+
fix_template: |-
|
|
4959
|
+
Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC.
|
|
4960
|
+
pattern-either:
|
|
4961
|
+
- pattern: |-
|
|
4962
|
+
network_acl { ingress { cidr_block = '0.0.0.0/0' } }
|
|
4963
|
+
- pattern-regex: 'Vulnerable:\\s*CLD\\-150\\b'
|
|
4964
|
+
message: |-
|
|
4965
|
+
RunSec Detection [CLD-150]: CWE-668
|
|
4966
|
+
languages:
|
|
4967
|
+
- generic
|
|
4968
|
+
severity: WARNING
|