| All | Failed | Skipped |
|---|---|---|
| 45 | 6 | 1 |
| Severity | Control Name | Failed Resources | All Resources | Risk Score, % |
|---|---|---|---|---|
| Critical | CVE-2022-39328-grafana-auth-bypass | 0 | 0 | 0 |
| High | Anonymous access enabled | 0 | 0 | 0 |
| High | Applications credentials in configuration files | 3 | 14 | 21 |
| High | CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability | 0 | 0 | 0 |
| High | CVE-2022-47633-kyverno-signature-bypass | 0 | 0 | 0 |
| High | Ensure CPU limits are set | 0 | 14 | 0 |
| High | Ensure memory limits are set | 0 | 14 | 0 |
| High | Host PID/IPC privileges | 0 | 14 | 0 |
| High | HostNetwork access | 0 | 14 | 0 |
| High | HostPath mount | 0 | 14 | 0 |
| High | Insecure capabilities | 0 | 14 | 0 |
| High | List Kubernetes secrets | 0 | 0 | 0 |
| High | Privileged container | 0 | 14 | 0 |
| High | Writable hostPath mount | 0 | 14 | 0 |
| Medium | Access container service account | 0 | 0 | 0 |
| Medium | Administrative Roles | 0 | 0 | 0 |
| Medium | Allow privilege escalation | 0 | 14 | 0 |
| Medium | Automatic mapping of service account | 0 | 22 | 0 |
| Medium | CVE-2022-24348-argocddirtraversal | 0 | 0 | 0 |
| Medium | Cluster internal networking | 0 | 0 | 0 |
| Medium | Configured liveness probe | 0 | 14 | 0 |
| Medium | Container hostPort | 0 | 14 | 0 |
| Medium | Container runtime socket mounted | 0 | 14 | 0 |
| Medium | Delete Kubernetes events | 0 | 0 | 0 |
| Medium | Images from allowed registry | 0 | 14 | 0 |
| Medium | Ingress and Egress blocked | 11 | 17 | 65 |
| Medium | Linux hardening | 0 | 14 | 0 |
| Medium | Mount service principal | 0 | 14 | 0 |
| Medium | No impersonation | 0 | 0 | 0 |
| Medium | Non-root containers | 0 | 14 | 0 |
| Medium | Portforwarding privileges | 0 | 0 | 0 |
| Medium | Prevent containers from allowing command execution | 0 | 0 | 0 |
| Medium | Roles with delete capabilities | 0 | 0 | 0 |
| Medium | Sudo in container entrypoint | 0 | 14 | 0 |
| Low | Access Kubernetes dashboard | 0 | 14 | 0 |
| Low | Configured readiness probe | 0 | 14 | 0 |
| Low | Image pull policy on latest tag | 0 | 14 | 0 |
| Low | Immutable container filesystem | 1 | 14 | 7 |
| Low | K8s common labels usage | 0 | 14 | 0 |
| Low | Label usage for resources | 14 | 14 | 100 |
| Low | Naked pods | 5 | 5 | 100 |
| Low | Network mapping | 0 | 0 | 0 |
| Low | PSP enabled | 0 | 0 | 0 |
| Low | Pods in default namespace | 11 | 14 | 79 |
| Low | SSH server running inside container | 0 | 0 | 0 |
ApiVersion: v1
Kind: Pod
Name: -magnifhir-test
Namespace:
| Severity | Name | Docs | Assisted Remediation |
|---|---|---|---|
| Medium | Ingress and Egress blocked | C-0030 | |
| Low | Pods in default namespace | C-0061 | metadata.namespace=YOUR_NAMESPACE |
| Low | Naked pods | C-0073 | |
| Low | Label usage for resources | C-0076 | metadata.labels[app]=YOUR_VALUE |
ApiVersion: apps/v1
Kind: Deployment
Name: -fhir-server
Namespace:
| Severity | Name | Docs | Assisted Remediation |
|---|---|---|---|
| Medium | Ingress and Egress blocked | C-0030 | |
| Low | Pods in default namespace | C-0061 | metadata.namespace=YOUR_NAMESPACE |
| Low | Label usage for resources | C-0076 | metadata.labels[app]=YOUR_VALUE spec.template.metadata.labels[app]=YOUR_VALUE |
ApiVersion: apps/v1
Kind: Deployment
Name: -ohdsi-webapi
Namespace:
| Severity | Name | Docs | Assisted Remediation |
|---|---|---|---|
| Medium | Ingress and Egress blocked | C-0030 | |
| Low | Pods in default namespace | C-0061 | metadata.namespace=YOUR_NAMESPACE |
| Low | Label usage for resources | C-0076 | metadata.labels[app]=YOUR_VALUE spec.template.metadata.labels[app]=YOUR_VALUE |
ApiVersion: apps/v1
Kind: Deployment
Name: -minio
Namespace:
| Severity | Name | Docs | Assisted Remediation |
|---|---|---|---|
| High | Applications credentials in configuration files | C-0012 | spec.template.spec.containers[0].env[3].name spec.template.spec.containers[0].env[3].value spec.template.spec.containers[0].env[5].name spec.template.spec.containers[0].env[5].value |
| Low | Label usage for resources | C-0076 | metadata.labels[app]=YOUR_VALUE spec.template.metadata.labels[app]=YOUR_VALUE |
ApiVersion: v1
Kind: Pod
Name: -ohdsi-test-connection
Namespace:
| Severity | Name | Docs | Assisted Remediation |
|---|---|---|---|
| Medium | Ingress and Egress blocked | C-0030 | |
| Low | Pods in default namespace | C-0061 | metadata.namespace=YOUR_NAMESPACE |
| Low | Naked pods | C-0073 | |
| Low | Label usage for resources | C-0076 | metadata.labels[app]=YOUR_VALUE |
ApiVersion: v1
Kind: Pod
Name: -fhir-server-test-connection
Namespace:
| Severity | Name | Docs | Assisted Remediation |
|---|---|---|---|
| Medium | Ingress and Egress blocked | C-0030 | |
| Low | Pods in default namespace | C-0061 | metadata.namespace=YOUR_NAMESPACE |
| Low | Naked pods | C-0073 | |
| Low | Label usage for resources | C-0076 | metadata.labels[app]=YOUR_VALUE |
ApiVersion: apps/v1
Kind: Deployment
Name: -ohdsi-atlas
Namespace:
| Severity | Name | Docs | Assisted Remediation |
|---|---|---|---|
| Low | Immutable container filesystem | C-0017 | spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true |
| Medium | Ingress and Egress blocked | C-0030 | |
| Low | Pods in default namespace | C-0061 | metadata.namespace=YOUR_NAMESPACE |
| Low | Label usage for resources | C-0076 | metadata.labels[app]=YOUR_VALUE spec.template.metadata.labels[app]=YOUR_VALUE |
ApiVersion: apps/v1
Kind: Deployment
Name: -fhir-server-exporter
Namespace:
| Severity | Name | Docs | Assisted Remediation |
|---|---|---|---|
| Medium | Ingress and Egress blocked | C-0030 | |
| Low | Pods in default namespace | C-0061 | metadata.namespace=YOUR_NAMESPACE |
| Low | Label usage for resources | C-0076 | metadata.labels[app]=YOUR_VALUE spec.template.metadata.labels[app]=YOUR_VALUE |
ApiVersion: apps/v1
Kind: StatefulSet
Name: -postgresql
Namespace:
| Severity | Name | Docs | Assisted Remediation |
|---|---|---|---|
| High | Applications credentials in configuration files | C-0012 | spec.template.spec.containers[0].env[4].name spec.template.spec.containers[0].env[4].value |
| Low | Label usage for resources | C-0076 | metadata.labels[app]=YOUR_VALUE spec.template.metadata.labels[app]=YOUR_VALUE |
ApiVersion: v1
Kind: Pod
Name: -pathling-server-test-connection
Namespace:
| Severity | Name | Docs | Assisted Remediation |
|---|---|---|---|
| Medium | Ingress and Egress blocked | C-0030 | |
| Low | Pods in default namespace | C-0061 | metadata.namespace=YOUR_NAMESPACE |
| Low | Naked pods | C-0073 | |
| Low | Label usage for resources | C-0076 | metadata.labels[app]=YOUR_VALUE |
ApiVersion: apps/v1
Kind: Deployment
Name: -minio-console
Namespace:
| Severity | Name | Docs | Assisted Remediation |
|---|---|---|---|
| Low | Label usage for resources | C-0076 | metadata.labels[app]=YOUR_VALUE spec.template.metadata.labels[app]=YOUR_VALUE |
ApiVersion: apps/v1
Kind: Deployment
Name: -magnifhir
Namespace:
| Severity | Name | Docs | Assisted Remediation |
|---|---|---|---|
| Medium | Ingress and Egress blocked | C-0030 | |
| Low | Pods in default namespace | C-0061 | metadata.namespace=YOUR_NAMESPACE |
| Low | Label usage for resources | C-0076 | metadata.labels[app]=YOUR_VALUE spec.template.metadata.labels[app]=YOUR_VALUE |
ApiVersion: apps/v1
Kind: Deployment
Name: -pathling-server
Namespace:
| Severity | Name | Docs | Assisted Remediation |
|---|---|---|---|
| Medium | Ingress and Egress blocked | C-0030 | |
| Low | Pods in default namespace | C-0061 | metadata.namespace=YOUR_NAMESPACE |
| High | Applications credentials in configuration files | C-0012 | spec.template.spec.containers[0].env[3].name spec.template.spec.containers[0].env[3].value |
| Low | Label usage for resources | C-0076 | metadata.labels[app]=YOUR_VALUE spec.template.metadata.labels[app]=YOUR_VALUE |
ApiVersion: v1
Kind: Pod
Name: -fhir-server-exporter-test-metrics-endpoint
Namespace:
| Severity | Name | Docs | Assisted Remediation |
|---|---|---|---|
| Medium | Ingress and Egress blocked | C-0030 | |
| Low | Pods in default namespace | C-0061 | metadata.namespace=YOUR_NAMESPACE |
| Low | Naked pods | C-0073 | |
| Low | Label usage for resources | C-0076 | metadata.labels[app]=YOUR_VALUE |