| 0 |
CKV_AWS_21 |
resource |
aws_s3_bucket |
Ensure all data stored in the S3 bucket have versioning enabled |
Terraform |
| 1 |
CKV_AWS_52 |
resource |
aws_s3_bucket |
Ensure S3 bucket has MFA delete enabled |
Terraform |
| 2 |
CKV_AWS_19 |
resource |
aws_s3_bucket |
Ensure all data stored in the S3 bucket is securely encrypted at rest |
Terraform |
| 3 |
CKV_AWS_20 |
resource |
aws_s3_bucket |
S3 Bucket has an ACL defined which allows public READ access. |
Terraform |
| 4 |
CKV_AWS_18 |
resource |
aws_s3_bucket |
Ensure the S3 bucket has access logging enabled |
Terraform |
| 5 |
CKV_AWS_57 |
resource |
aws_s3_bucket |
S3 Bucket has an ACL defined which allows public WRITE access. |
Terraform |
| 6 |
CKV_AWS_58 |
resource |
aws_eks_cluster |
Ensure EKS Cluster has Secrets Encryption Enabled |
Terraform |
| 7 |
CKV_AWS_38 |
resource |
aws_eks_cluster |
Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 |
Terraform |
| 8 |
CKV_AWS_37 |
resource |
aws_eks_cluster |
Ensure Amazon EKS control plane logging enabled for all log types |
Terraform |
| 9 |
CKV_AWS_39 |
resource |
aws_eks_cluster |
Ensure Amazon EKS public endpoint disabled |
Terraform |
| 10 |
CKV_AWS_15 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy requires at least one uppercase letter |
Terraform |
| 11 |
CKV_AWS_12 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy requires at least one number |
Terraform |
| 12 |
CKV_AWS_13 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy prevents password reuse |
Terraform |
| 13 |
CKV_AWS_9 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy expires passwords within 90 days or less |
Terraform |
| 14 |
CKV_AWS_10 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy requires minimum length of 14 or greater |
Terraform |
| 15 |
CKV_AWS_14 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy requires at least one symbol |
Terraform |
| 16 |
CKV_AWS_11 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy requires at least one lowercase letter |
Terraform |
| 17 |
CKV_AWS_25 |
resource |
aws_security_group |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 |
Terraform |
| 18 |
CKV_AWS_23 |
resource |
aws_security_group |
Ensure every security groups rule has a description |
Terraform |
| 19 |
CKV_AWS_24 |
resource |
aws_security_group |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
Terraform |
| 20 |
CKV_AWS_51 |
resource |
aws_ecr_repository |
Ensure ECR Image Tags are immutable |
Terraform |
| 21 |
CKV_AWS_33 |
resource |
aws_ecr_repository |
Ensure ECR image scanning on push is enabled |
Terraform |
| 22 |
CKV_AWS_50 |
resource |
aws_lambda_function |
X-ray tracing is enabled for Lambda |
Terraform |
| 23 |
CKV_AWS_45 |
resource |
aws_lambda_function |
Ensure no hard coded AWS access key and and secret key exists in lambda environment |
Terraform |
| 24 |
CKV_AWS_47 |
resource |
aws_dax_cluster |
Ensure DAX is encrypted at rest (default is unencrypted) |
Terraform |
| 25 |
CKV_AWS_46 |
resource |
aws_instance |
Ensure no hard coded AWS access key and and secret key exists in EC2 user data |
Terraform |
| 26 |
CKV_AWS_8 |
resource |
aws_instance |
Ensure all data stored in the Launch configuration EBS is securely encrypted |
Terraform |
| 27 |
CKV_AWS_22 |
resource |
aws_sagemaker_notebook_instance |
Ensure all data stored in the Sagemaker is securely encrypted at rest |
Terraform |
| 28 |
CKV_AWS_36 |
resource |
aws_cloudtrail |
Ensure CloudTrail log file validation is enabled |
Terraform |
| 29 |
CKV_AWS_35 |
resource |
aws_cloudtrail |
Ensure CloudTrail logs are encrypted at rest using KMS CMKs |
Terraform |
| 30 |
CKV_AWS_16 |
resource |
aws_db_instance |
Ensure all data stored in the RDS is securely encrypted at rest |
Terraform |
| 31 |
CKV_AWS_17 |
resource |
aws_db_instance |
Ensure all data stored in the RDS bucket is not public accessible |
Terraform |
| 32 |
CKV_AWS_28 |
resource |
aws_dynamodb_table |
Ensure Dynamodb point in time recovery (backup) is enabled |
Terraform |
| 33 |
CKV_AWS_55 |
resource |
aws_s3_bucket_public_access_block |
Ensure S3 bucket has ignore public ACLs enabled |
Terraform |
| 34 |
CKV_AWS_56 |
resource |
aws_s3_bucket_public_access_block |
Ensure S3 bucket has ‘restrict_public_bucket’ enabled |
Terraform |
| 35 |
CKV_AWS_53 |
resource |
aws_s3_bucket_public_access_block |
Ensure S3 bucket has block public ACLS enabled |
Terraform |
| 36 |
CKV_AWS_54 |
resource |
aws_s3_bucket_public_access_block |
Ensure S3 bucket has block public policy enabled |
Terraform |
| 37 |
CKV_AWS_29 |
resource |
aws_elasticache_replication_group |
Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest |
Terraform |
| 38 |
CKV_AWS_31 |
resource |
aws_elasticache_replication_group |
Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token |
Terraform |
| 39 |
CKV_AWS_30 |
resource |
aws_elasticache_replication_group |
Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit |
Terraform |
| 40 |
CKV_AWS_3 |
resource |
aws_ebs_volume |
Ensure all data stored in the EBS is securely encrypted |
Terraform |
| 41 |
CKV_AWS_2 |
resource |
aws_alb_listener |
Ensure ALB protocol is HTTPS |
Terraform |
| 42 |
CKV_AWS_2 |
resource |
aws_lb_listener |
Ensure ALB protocol is HTTPS |
Terraform |
| 43 |
CKV_AWS_64 |
resource |
aws_redshift_cluster |
Ensure all data stored in the Redshift cluster is securely encrypted at rest |
Terraform |
| 44 |
CKV_AWS_23 |
resource |
aws_security_group_rule |
Ensure every security groups rule has a description |
Terraform |
| 45 |
CKV_AWS_23 |
resource |
aws_db_security_group |
Ensure every security groups rule has a description |
Terraform |
| 46 |
CKV_AWS_23 |
resource |
aws_elasticache_security_group |
Ensure every security groups rule has a description |
Terraform |
| 47 |
CKV_AWS_23 |
resource |
aws_redshift_security_group |
Ensure every security groups rule has a description |
Terraform |
| 48 |
CKV_AWS_42 |
resource |
aws_efs_file_system |
Ensure EFS is securely encrypted |
Terraform |
| 49 |
CKV_AWS_48 |
resource |
aws_mq_broker |
Ensure MQ Broker logging is enabled |
Terraform |
| 50 |
CKV_AWS_7 |
resource |
aws_kms_key |
Ensure rotation for customer created CMKs is enabled |
Terraform |
| 51 |
CKV_AWS_59 |
resource |
aws_api_gateway_method |
Ensure there is no open access to back-end resources through API |
Terraform |
| 52 |
CKV_AWS_5 |
resource |
aws_elasticsearch_domain |
Ensure all data stored in the Elasticsearch is securely encrypted at rest |
Terraform |
| 53 |
CKV_AWS_6 |
resource |
aws_elasticsearch_domain |
Ensure all Elasticsearch has node-to-node encryption enabled |
Terraform |
| 54 |
CKV_AWS_65 |
resource |
aws_ecs_cluster |
Ensure container insights are enabled on ECS cluster |
Terraform |
| 55 |
CKV_AWS_34 |
resource |
aws_cloudfront_distribution |
Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS |
Terraform |
| 56 |
CKV_AWS_61 |
resource |
aws_iam_role |
Ensure IAM role allows only specific principals in account to assume it |
Terraform |
| 57 |
CKV_AWS_60 |
resource |
aws_iam_role |
Ensure IAM role allows only specific services or principals to assume it |
Terraform |
| 58 |
CKV_AWS_4 |
resource |
aws_ebs_snapshot |
Ensure all data stored in the EBS Snapshot is securely encrypted |
Terraform |
| 59 |
CKV_AWS_63 |
resource |
aws_iam_role_policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
| 60 |
CKV_AWS_62 |
resource |
aws_iam_role_policy |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
| 61 |
CKV_AWS_63 |
resource |
aws_iam_user_policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
| 62 |
CKV_AWS_62 |
resource |
aws_iam_user_policy |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
| 63 |
CKV_AWS_40 |
resource |
aws_iam_user_policy |
Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) |
Terraform |
| 64 |
CKV_AWS_63 |
resource |
aws_iam_group_policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
| 65 |
CKV_AWS_62 |
resource |
aws_iam_group_policy |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
| 66 |
CKV_AWS_63 |
resource |
aws_iam_policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
| 67 |
CKV_AWS_62 |
resource |
aws_iam_policy |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
| 68 |
CKV_AWS_32 |
resource |
aws_ecr_repository_policy |
Ensure ECR policy is not set to public |
Terraform |
| 69 |
CKV_AWS_17 |
resource |
aws_rds_cluster_instance |
Ensure all data stored in the RDS bucket is not public accessible |
Terraform |
| 70 |
CKV_AWS_43 |
resource |
aws_kinesis_stream |
Ensure Kinesis Stream is securely encrypted |
Terraform |
| 71 |
CKV_AWS_8 |
resource |
aws_launch_configuration |
Ensure all data stored in the Launch configuration EBS is securely encrypted |
Terraform |
| 72 |
CKV_AWS_26 |
resource |
aws_sns_topic |
Ensure all data stored in the SNS topic is encrypted |
Terraform |
| 73 |
CKV_AWS_27 |
resource |
aws_sqs_queue |
Ensure all data stored in the SQS queue is encrypted |
Terraform |
| 74 |
CKV_AWS_44 |
resource |
aws_neptune_cluster |
Ensure Neptune storage is securely encrypted |
Terraform |
| 75 |
CKV_AWS_40 |
resource |
aws_iam_user_policy_attachment |
Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) |
Terraform |
| 76 |
CKV_AWS_40 |
resource |
aws_iam_policy_attachment |
Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) |
Terraform |
| 77 |
CKV_GCP_24 |
resource |
google_container_cluster |
Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters |
Terraform |
| 78 |
CKV_GCP_13 |
resource |
google_container_cluster |
Ensure a client certificate is used by clients to authenticate to Kubernetes Engine Clusters |
Terraform |
| 79 |
CKV_GCP_21 |
resource |
google_container_cluster |
Ensure Kubernetes Clusters are configured with Labels |
Terraform |
| 80 |
CKV_GCP_22 |
resource |
google_container_cluster |
Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image |
Terraform |
| 81 |
CKV_GCP_12 |
resource |
google_container_cluster |
Ensure Network Policy is enabled on Kubernetes Engine Clusters |
Terraform |
| 82 |
CKV_GCP_18 |
resource |
google_container_cluster |
Ensure GKE Control Plane is not public |
Terraform |
| 83 |
CKV_GCP_19 |
resource |
google_container_cluster |
Ensure GKE basic auth is disabled |
Terraform |
| 84 |
CKV_GCP_20 |
resource |
google_container_cluster |
Ensure master authorized networks is set to enabled in GKE clusters |
Terraform |
| 85 |
CKV_GCP_25 |
resource |
google_container_cluster |
Ensure Kubernetes Cluster is created with Private cluster enabled |
Terraform |
| 86 |
CKV_GCP_23 |
resource |
google_container_cluster |
Ensure Kubernetes Cluster is created with Alias IP ranges enabled |
Terraform |
| 87 |
CKV_GCP_8 |
resource |
google_container_cluster |
Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters |
Terraform |
| 88 |
CKV_GCP_7 |
resource |
google_container_cluster |
Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters |
Terraform |
| 89 |
CKV_GCP_1 |
resource |
google_container_cluster |
Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters |
Terraform |
| 90 |
CKV_GCP_27 |
resource |
google_project |
Ensure that the default network does not exist in a project |
Terraform |
| 91 |
CKV_GCP_26 |
resource |
google_compute_subnetwork |
Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network |
Terraform |
| 92 |
CKV_GCP_3 |
resource |
google_compute_firewall |
Ensure Google compute firewall ingress does not allow unrestricted rdp access |
Terraform |
| 93 |
CKV_GCP_2 |
resource |
google_compute_firewall |
Ensure Google compute firewall ingress does not allow unrestricted ssh access |
Terraform |
| 94 |
CKV_GCP_4 |
resource |
google_compute_ssl_policy |
Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites |
Terraform |
| 95 |
CKV_GCP_9 |
resource |
google_container_node_pool |
Ensure ‘Automatic node repair’ is enabled for Kubernetes Clusters |
Terraform |
| 96 |
CKV_GCP_10 |
resource |
google_container_node_pool |
Ensure ‘Automatic node upgrade’ is enabled for Kubernetes Clusters |
Terraform |
| 97 |
CKV_GCP_6 |
resource |
google_sql_database_instance |
Ensure all Cloud SQL database instance requires all incoming connections to use SSL |
Terraform |
| 98 |
CKV_GCP_14 |
resource |
google_sql_database_instance |
Ensure all Cloud SQL database instance have backup configuration enabled |
Terraform |
| 99 |
CKV_GCP_11 |
resource |
google_sql_database_instance |
Ensure that Cloud SQL database Instances are not open to the world |
Terraform |
| 100 |
CKV_GCP_15 |
resource |
google_bigquery_dataset |
Ensure that BigQuery datasets are not anonymously or publicly accessible |
Terraform |
| 101 |
CKV_GCP_5 |
resource |
google_storage_bucket |
Ensure Google storage bucket have encryption enabled |
Terraform |
| 102 |
CKV_GCP_17 |
resource |
google_dns_managed_zone |
Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC |
Terraform |
| 103 |
CKV_GCP_16 |
resource |
google_dns_managed_zone |
Ensure that DNSSEC is enabled for Cloud DNS |
Terraform |
| 104 |
CKV_AZURE_3 |
resource |
azurerm_storage_account |
Ensure that ‘Secure transfer required’ is set to ‘Enabled’ |
Terraform |
| 105 |
CKV_AZURE_8 |
resource |
azurerm_kubernetes_cluster |
Ensure Kube Dashboard is disabled |
Terraform |
| 106 |
CKV_AZURE_4 |
resource |
azurerm_kubernetes_cluster |
Ensure AKS logging to Azure Monitoring is Configured |
Terraform |
| 107 |
CKV_AZURE_7 |
resource |
azurerm_kubernetes_cluster |
Ensure AKS cluster has Network Policy configured |
Terraform |
| 108 |
CKV_AZURE_6 |
resource |
azurerm_kubernetes_cluster |
Ensure AKS has an API Server Authorized IP Ranges enabled |
Terraform |
| 109 |
CKV_AZURE_5 |
resource |
azurerm_kubernetes_cluster |
Ensure RBAC is enabled on AKS clusters |
Terraform |
| 110 |
CKV_AZURE_2 |
resource |
azurerm_managed_disk |
Ensure Azure managed disk have encryption enabled |
Terraform |
| 111 |
CKV_AZURE_1 |
resource |
azurerm_virtual_machine |
Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) |
Terraform |
| 112 |
CKV_AWS_1 |
data |
aws_iam_policy_document |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
| 113 |
CKV_AWS_49 |
data |
aws_iam_policy_document |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
| 114 |
CKV_AWS_41 |
provider |
aws |
Ensure no hard coded AWS access key and and secret key exists in provider |
Terraform |
| 115 |
CKV_AWS_21 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket has versioning enabled |
Cloudformation |
| 116 |
CKV_AWS_57 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket does not allow WRITE permissions to everyone |
Cloudformation |
| 117 |
CKV_AWS_19 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket has server-side-encryption enabled |
Cloudformation |
| 118 |
CKV_AWS_20 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket does not allow READ permissions to everyone |
Cloudformation |
| 119 |
CKV_AWS_18 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket has access logging enabled |
Cloudformation |
| 120 |
CKV_AWS_58 |
resource |
AWS::EKS::Cluster |
Ensure EKS Cluster has Secrets Encryption Enabled |
Cloudformation |
| 121 |
CKV_AWS_36 |
resource |
AWS::CloudTrail::Trail |
Ensure CloudTrail log file validation is enabled |
Cloudformation |
| 122 |
CKV_AWS_35 |
resource |
AWS::CloudTrail::Trail |
Ensure CloudTrail logs are encrypted at rest using KMS CMKs |
Cloudformation |
| 123 |
CKV_AWS_16 |
resource |
AWS::RDS::DBInstance |
Ensure all data stored in the RDS is securely encrypted at rest |
Cloudformation |
| 124 |
CKV_AWS_17 |
resource |
AWS::RDS::DBInstance |
Ensure all data stored in the RDS bucket is not public accessible |
Cloudformation |
| 125 |
CKV_AWS_28 |
resource |
AWS::DynamoDB::Table |
Ensure Dynamodb point in time recovery (backup) is enabled |
Cloudformation |
| 126 |
CKV_AWS_29 |
resource |
AWS::ElastiCache::ReplicationGroup |
Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest |
Cloudformation |
| 127 |
CKV_AWS_31 |
resource |
AWS::ElastiCache::ReplicationGroup |
Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token |
Cloudformation |
| 128 |
CKV_AWS_30 |
resource |
AWS::ElastiCache::ReplicationGroup |
Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit |
Cloudformation |
| 129 |
CKV_AWS_3 |
resource |
AWS::EC2::Volume |
Ensure all data stored in the EBS is securely encrypted |
Cloudformation |
| 130 |
CKV_AWS_2 |
resource |
AWS::ElasticLoadBalancingV2::Listener |
Ensure ALB protocol is HTTPS |
Cloudformation |
| 131 |
CKV_AWS_64 |
resource |
AWS::Redshift::Cluster |
Ensure all data stored in the Redshift cluster is securely encrypted at rest |
Cloudformation |
| 132 |
CKV_AWS_23 |
resource |
AWS::EC2::SecurityGroup |
Ensure every security groups rule has a description |
Cloudformation |
| 133 |
CKV_AWS_24 |
resource |
AWS::EC2::SecurityGroup |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
Cloudformation |
| 134 |
CKV_AWS_23 |
resource |
AWS::EC2::SecurityGroupIngress |
Ensure every security groups rule has a description |
Cloudformation |
| 135 |
CKV_AWS_24 |
resource |
AWS::EC2::SecurityGroupIngress |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
Cloudformation |
| 136 |
CKV_AWS_23 |
resource |
AWS::EC2::SecurityGroupEgress |
Ensure every security groups rule has a description |
Cloudformation |
| 137 |
CKV_AWS_5 |
resource |
AWS::Elasticsearch::Domain |
Ensure all data stored in the Elasticsearch is securely encrypted at rest |
Cloudformation |
| 138 |
CKV_AWS_6 |
resource |
AWS::Elasticsearch::Domain |
Ensure all Elasticsearch has node-to-node encryption enabled |
Cloudformation |
| 139 |
CKV_AWS_65 |
resource |
AWS::ECS::Cluster |
Ensure container insights are enabled on ECS cluster |
Cloudformation |
| 140 |
CKV_AWS_34 |
resource |
AWS::CloudFront::Distribution |
Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS |
Cloudformation |
| 141 |
CKV_AWS_32 |
resource |
AWS::ECR::Repository |
Ensure ECR policy is not set to public |
Cloudformation |
| 142 |
CKV_K8S_38 |
PodSecurityPolicy |
Pod |
Ensure that Service Account Tokens are only mounted where necessary |
Kubernetes |
| 143 |
CKV_K8S_29 |
PodSecurityPolicy |
Pod |
Apply security context to your pods and containers |
Kubernetes |
| 144 |
CKV_K8S_23 |
PodSecurityPolicy |
Pod |
Minimize the admission of root containers |
Kubernetes |
| 145 |
CKV_K8S_18 |
PodSecurityPolicy |
Pod |
Containers should not share the host IPC namespace |
Kubernetes |
| 146 |
CKV_K8S_27 |
PodSecurityPolicy |
Pod |
Do not expose the docker daemon socket to containers |
Kubernetes |
| 147 |
CKV_K8S_21 |
PodSecurityPolicy |
Pod |
The default namespace should not be used |
Kubernetes |
| 148 |
CKV_K8S_31 |
PodSecurityPolicy |
Pod |
Ensure that the seccomp profile is set to docker/default or runtime/default |
Kubernetes |
| 149 |
CKV_K8S_17 |
PodSecurityPolicy |
Pod |
Containers should not share the host process ID namespace |
Kubernetes |
| 150 |
CKV_K8S_19 |
PodSecurityPolicy |
Pod |
Containers should not share the host network namespace |
Kubernetes |
| 151 |
CKV_K8S_40 |
PodSecurityPolicy |
Pod |
Containers should run as a high UID to avoid host conflict |
Kubernetes |
| 152 |
CKV_K8S_38 |
PodSecurityPolicy |
Deployment |
Ensure that Service Account Tokens are only mounted where necessary |
Kubernetes |
| 153 |
CKV_K8S_29 |
PodSecurityPolicy |
Deployment |
Apply security context to your pods and containers |
Kubernetes |
| 154 |
CKV_K8S_23 |
PodSecurityPolicy |
Deployment |
Minimize the admission of root containers |
Kubernetes |
| 155 |
CKV_K8S_18 |
PodSecurityPolicy |
Deployment |
Containers should not share the host IPC namespace |
Kubernetes |
| 156 |
CKV_K8S_27 |
PodSecurityPolicy |
Deployment |
Do not expose the docker daemon socket to containers |
Kubernetes |
| 157 |
CKV_K8S_21 |
PodSecurityPolicy |
Deployment |
The default namespace should not be used |
Kubernetes |
| 158 |
CKV_K8S_31 |
PodSecurityPolicy |
Deployment |
Ensure that the seccomp profile is set to docker/default or runtime/default |
Kubernetes |
| 159 |
CKV_K8S_17 |
PodSecurityPolicy |
Deployment |
Containers should not share the host process ID namespace |
Kubernetes |
| 160 |
CKV_K8S_19 |
PodSecurityPolicy |
Deployment |
Containers should not share the host network namespace |
Kubernetes |
| 161 |
CKV_K8S_40 |
PodSecurityPolicy |
Deployment |
Containers should run as a high UID to avoid host conflict |
Kubernetes |
| 162 |
CKV_K8S_38 |
PodSecurityPolicy |
DaemonSet |
Ensure that Service Account Tokens are only mounted where necessary |
Kubernetes |
| 163 |
CKV_K8S_29 |
PodSecurityPolicy |
DaemonSet |
Apply security context to your pods and containers |
Kubernetes |
| 164 |
CKV_K8S_23 |
PodSecurityPolicy |
DaemonSet |
Minimize the admission of root containers |
Kubernetes |
| 165 |
CKV_K8S_18 |
PodSecurityPolicy |
DaemonSet |
Containers should not share the host IPC namespace |
Kubernetes |
| 166 |
CKV_K8S_27 |
PodSecurityPolicy |
DaemonSet |
Do not expose the docker daemon socket to containers |
Kubernetes |
| 167 |
CKV_K8S_21 |
PodSecurityPolicy |
DaemonSet |
The default namespace should not be used |
Kubernetes |
| 168 |
CKV_K8S_31 |
PodSecurityPolicy |
DaemonSet |
Ensure that the seccomp profile is set to docker/default or runtime/default |
Kubernetes |
| 169 |
CKV_K8S_17 |
PodSecurityPolicy |
DaemonSet |
Containers should not share the host process ID namespace |
Kubernetes |
| 170 |
CKV_K8S_19 |
PodSecurityPolicy |
DaemonSet |
Containers should not share the host network namespace |
Kubernetes |
| 171 |
CKV_K8S_40 |
PodSecurityPolicy |
DaemonSet |
Containers should run as a high UID to avoid host conflict |
Kubernetes |
| 172 |
CKV_K8S_38 |
PodSecurityPolicy |
StatefulSet |
Ensure that Service Account Tokens are only mounted where necessary |
Kubernetes |
| 173 |
CKV_K8S_29 |
PodSecurityPolicy |
StatefulSet |
Apply security context to your pods and containers |
Kubernetes |
| 174 |
CKV_K8S_23 |
PodSecurityPolicy |
StatefulSet |
Minimize the admission of root containers |
Kubernetes |
| 175 |
CKV_K8S_18 |
PodSecurityPolicy |
StatefulSet |
Containers should not share the host IPC namespace |
Kubernetes |
| 176 |
CKV_K8S_27 |
PodSecurityPolicy |
StatefulSet |
Do not expose the docker daemon socket to containers |
Kubernetes |
| 177 |
CKV_K8S_21 |
PodSecurityPolicy |
StatefulSet |
The default namespace should not be used |
Kubernetes |
| 178 |
CKV_K8S_31 |
PodSecurityPolicy |
StatefulSet |
Ensure that the seccomp profile is set to docker/default or runtime/default |
Kubernetes |
| 179 |
CKV_K8S_17 |
PodSecurityPolicy |
StatefulSet |
Containers should not share the host process ID namespace |
Kubernetes |
| 180 |
CKV_K8S_19 |
PodSecurityPolicy |
StatefulSet |
Containers should not share the host network namespace |
Kubernetes |
| 181 |
CKV_K8S_40 |
PodSecurityPolicy |
StatefulSet |
Containers should run as a high UID to avoid host conflict |
Kubernetes |
| 182 |
CKV_K8S_38 |
PodSecurityPolicy |
ReplicaSet |
Ensure that Service Account Tokens are only mounted where necessary |
Kubernetes |
| 183 |
CKV_K8S_29 |
PodSecurityPolicy |
ReplicaSet |
Apply security context to your pods and containers |
Kubernetes |
| 184 |
CKV_K8S_23 |
PodSecurityPolicy |
ReplicaSet |
Minimize the admission of root containers |
Kubernetes |
| 185 |
CKV_K8S_18 |
PodSecurityPolicy |
ReplicaSet |
Containers should not share the host IPC namespace |
Kubernetes |
| 186 |
CKV_K8S_27 |
PodSecurityPolicy |
ReplicaSet |
Do not expose the docker daemon socket to containers |
Kubernetes |
| 187 |
CKV_K8S_21 |
PodSecurityPolicy |
ReplicaSet |
The default namespace should not be used |
Kubernetes |
| 188 |
CKV_K8S_31 |
PodSecurityPolicy |
ReplicaSet |
Ensure that the seccomp profile is set to docker/default or runtime/default |
Kubernetes |
| 189 |
CKV_K8S_17 |
PodSecurityPolicy |
ReplicaSet |
Containers should not share the host process ID namespace |
Kubernetes |
| 190 |
CKV_K8S_19 |
PodSecurityPolicy |
ReplicaSet |
Containers should not share the host network namespace |
Kubernetes |
| 191 |
CKV_K8S_40 |
PodSecurityPolicy |
ReplicaSet |
Containers should run as a high UID to avoid host conflict |
Kubernetes |
| 192 |
CKV_K8S_38 |
PodSecurityPolicy |
ReplicationController |
Ensure that Service Account Tokens are only mounted where necessary |
Kubernetes |
| 193 |
CKV_K8S_29 |
PodSecurityPolicy |
ReplicationController |
Apply security context to your pods and containers |
Kubernetes |
| 194 |
CKV_K8S_23 |
PodSecurityPolicy |
ReplicationController |
Minimize the admission of root containers |
Kubernetes |
| 195 |
CKV_K8S_18 |
PodSecurityPolicy |
ReplicationController |
Containers should not share the host IPC namespace |
Kubernetes |
| 196 |
CKV_K8S_27 |
PodSecurityPolicy |
ReplicationController |
Do not expose the docker daemon socket to containers |
Kubernetes |
| 197 |
CKV_K8S_21 |
PodSecurityPolicy |
ReplicationController |
The default namespace should not be used |
Kubernetes |
| 198 |
CKV_K8S_31 |
PodSecurityPolicy |
ReplicationController |
Ensure that the seccomp profile is set to docker/default or runtime/default |
Kubernetes |
| 199 |
CKV_K8S_17 |
PodSecurityPolicy |
ReplicationController |
Containers should not share the host process ID namespace |
Kubernetes |
| 200 |
CKV_K8S_19 |
PodSecurityPolicy |
ReplicationController |
Containers should not share the host network namespace |
Kubernetes |
| 201 |
CKV_K8S_40 |
PodSecurityPolicy |
ReplicationController |
Containers should run as a high UID to avoid host conflict |
Kubernetes |
| 202 |
CKV_K8S_38 |
PodSecurityPolicy |
Job |
Ensure that Service Account Tokens are only mounted where necessary |
Kubernetes |
| 203 |
CKV_K8S_29 |
PodSecurityPolicy |
Job |
Apply security context to your pods and containers |
Kubernetes |
| 204 |
CKV_K8S_23 |
PodSecurityPolicy |
Job |
Minimize the admission of root containers |
Kubernetes |
| 205 |
CKV_K8S_18 |
PodSecurityPolicy |
Job |
Containers should not share the host IPC namespace |
Kubernetes |
| 206 |
CKV_K8S_27 |
PodSecurityPolicy |
Job |
Do not expose the docker daemon socket to containers |
Kubernetes |
| 207 |
CKV_K8S_21 |
PodSecurityPolicy |
Job |
The default namespace should not be used |
Kubernetes |
| 208 |
CKV_K8S_31 |
PodSecurityPolicy |
Job |
Ensure that the seccomp profile is set to docker/default or runtime/default |
Kubernetes |
| 209 |
CKV_K8S_17 |
PodSecurityPolicy |
Job |
Containers should not share the host process ID namespace |
Kubernetes |
| 210 |
CKV_K8S_19 |
PodSecurityPolicy |
Job |
Containers should not share the host network namespace |
Kubernetes |
| 211 |
CKV_K8S_40 |
PodSecurityPolicy |
Job |
Containers should run as a high UID to avoid host conflict |
Kubernetes |
| 212 |
CKV_K8S_38 |
PodSecurityPolicy |
CronJob |
Ensure that Service Account Tokens are only mounted where necessary |
Kubernetes |
| 213 |
CKV_K8S_29 |
PodSecurityPolicy |
CronJob |
Apply security context to your pods and containers |
Kubernetes |
| 214 |
CKV_K8S_23 |
PodSecurityPolicy |
CronJob |
Minimize the admission of root containers |
Kubernetes |
| 215 |
CKV_K8S_18 |
PodSecurityPolicy |
CronJob |
Containers should not share the host IPC namespace |
Kubernetes |
| 216 |
CKV_K8S_27 |
PodSecurityPolicy |
CronJob |
Do not expose the docker daemon socket to containers |
Kubernetes |
| 217 |
CKV_K8S_21 |
PodSecurityPolicy |
CronJob |
The default namespace should not be used |
Kubernetes |
| 218 |
CKV_K8S_31 |
PodSecurityPolicy |
CronJob |
Ensure that the seccomp profile is set to docker/default or runtime/default |
Kubernetes |
| 219 |
CKV_K8S_17 |
PodSecurityPolicy |
CronJob |
Containers should not share the host process ID namespace |
Kubernetes |
| 220 |
CKV_K8S_19 |
PodSecurityPolicy |
CronJob |
Containers should not share the host network namespace |
Kubernetes |
| 221 |
CKV_K8S_40 |
PodSecurityPolicy |
CronJob |
Containers should run as a high UID to avoid host conflict |
Kubernetes |
| 222 |
CKV_K8S_7 |
PodSecurityPolicy |
PodSecurityPolicy |
Do not admit containers with the NET_RAW capability |
Kubernetes |
| 223 |
CKV_K8S_3 |
PodSecurityPolicy |
PodSecurityPolicy |
Do not admit containers wishing to share the host IPC namespace |
Kubernetes |
| 224 |
CKV_K8S_36 |
PodSecurityPolicy |
PodSecurityPolicy |
Minimize the admission of containers with capabilities assigned |
Kubernetes |
| 225 |
CKV_K8S_24 |
PodSecurityPolicy |
PodSecurityPolicy |
Do not allow containers with added capability |
Kubernetes |
| 226 |
CKV_K8S_5 |
PodSecurityPolicy |
PodSecurityPolicy |
Containers should not run with allowPrivilegeEscalation |
Kubernetes |
| 227 |
CKV_K8S_1 |
PodSecurityPolicy |
PodSecurityPolicy |
Do not admit containers wishing to share the host process ID namespace |
Kubernetes |
| 228 |
CKV_K8S_4 |
PodSecurityPolicy |
PodSecurityPolicy |
Do not admit containers wishing to share the host network namespace |
Kubernetes |
| 229 |
CKV_K8S_32 |
PodSecurityPolicy |
PodSecurityPolicy |
Ensure default seccomp profile set to docker/default or runtime/default |
Kubernetes |
| 230 |
CKV_K8S_2 |
PodSecurityPolicy |
PodSecurityPolicy |
Do not admit privileged containers |
Kubernetes |
| 231 |
CKV_K8S_6 |
PodSecurityPolicy |
PodSecurityPolicy |
Do not admit root containers |
Kubernetes |
| 232 |
CKV_K8S_41 |
PodSecurityPolicy |
ServiceAccount |
Ensure that default service accounts are not actively used |
Kubernetes |
| 233 |
CKV_K8S_21 |
PodSecurityPolicy |
ServiceAccount |
The default namespace should not be used |
Kubernetes |
| 234 |
CKV_K8S_22 |
PodSecurityPolicy |
containers |
Use read-only filesystem for containers where possible |
Kubernetes |
| 235 |
CKV_K8S_15 |
PodSecurityPolicy |
containers |
Image Pull Policy should be Always |
Kubernetes |
| 236 |
CKV_K8S_39 |
PodSecurityPolicy |
containers |
Do not use the CAP_SYS_ADMIN linux capability |
Kubernetes |
| 237 |
CKV_K8S_33 |
PodSecurityPolicy |
containers |
Ensure the Kubernetes dashboard is not deployed |
Kubernetes |
| 238 |
CKV_K8S_26 |
PodSecurityPolicy |
containers |
Do not specify hostPort unless absolutely necessary |
Kubernetes |
| 239 |
CKV_K8S_9 |
PodSecurityPolicy |
containers |
Readiness Probe Should be Configured |
Kubernetes |
| 240 |
CKV_K8S_13 |
PodSecurityPolicy |
containers |
Memory limits should be set |
Kubernetes |
| 241 |
CKV_K8S_10 |
PodSecurityPolicy |
containers |
CPU requests should be set |
Kubernetes |
| 242 |
CKV_K8S_20 |
PodSecurityPolicy |
containers |
Containers should not run with allowPrivilegeEscalation |
Kubernetes |
| 243 |
CKV_K8S_37 |
PodSecurityPolicy |
containers |
Minimize the admission of containers with capabilities assigned |
Kubernetes |
| 244 |
CKV_K8S_25 |
PodSecurityPolicy |
containers |
Minimize the admission of containers with added capability |
Kubernetes |
| 245 |
CKV_K8S_30 |
PodSecurityPolicy |
containers |
Apply security context to your pods and containers |
Kubernetes |
| 246 |
CKV_K8S_16 |
PodSecurityPolicy |
containers |
Container should not be privileged |
Kubernetes |
| 247 |
CKV_K8S_11 |
PodSecurityPolicy |
containers |
CPU limits should be set |
Kubernetes |
| 248 |
CKV_K8S_43 |
PodSecurityPolicy |
containers |
Image should use digest |
Kubernetes |
| 249 |
CKV_K8S_12 |
PodSecurityPolicy |
containers |
Memory requests should be set |
Kubernetes |
| 250 |
CKV_K8S_8 |
PodSecurityPolicy |
containers |
Liveness Probe Should be Configured |
Kubernetes |
| 251 |
CKV_K8S_35 |
PodSecurityPolicy |
containers |
Prefer using secrets as files over secrets as environment variables |
Kubernetes |
| 252 |
CKV_K8S_34 |
PodSecurityPolicy |
containers |
Ensure that Tiller (Helm v2) is not deployed |
Kubernetes |
| 253 |
CKV_K8S_28 |
PodSecurityPolicy |
containers |
Minimize the admission of containers with the NET_RAW capability |
Kubernetes |
| 254 |
CKV_K8S_14 |
PodSecurityPolicy |
containers |
Image Tag should be fixed - not latest or blank |
Kubernetes |
| 255 |
CKV_K8S_22 |
PodSecurityPolicy |
initContainers |
Use read-only filesystem for containers where possible |
Kubernetes |
| 256 |
CKV_K8S_15 |
PodSecurityPolicy |
initContainers |
Image Pull Policy should be Always |
Kubernetes |
| 257 |
CKV_K8S_39 |
PodSecurityPolicy |
initContainers |
Do not use the CAP_SYS_ADMIN linux capability |
Kubernetes |
| 258 |
CKV_K8S_33 |
PodSecurityPolicy |
initContainers |
Ensure the Kubernetes dashboard is not deployed |
Kubernetes |
| 259 |
CKV_K8S_26 |
PodSecurityPolicy |
initContainers |
Do not specify hostPort unless absolutely necessary |
Kubernetes |
| 260 |
CKV_K8S_13 |
PodSecurityPolicy |
initContainers |
Memory limits should be set |
Kubernetes |
| 261 |
CKV_K8S_10 |
PodSecurityPolicy |
initContainers |
CPU requests should be set |
Kubernetes |
| 262 |
CKV_K8S_20 |
PodSecurityPolicy |
initContainers |
Containers should not run with allowPrivilegeEscalation |
Kubernetes |
| 263 |
CKV_K8S_37 |
PodSecurityPolicy |
initContainers |
Minimize the admission of containers with capabilities assigned |
Kubernetes |
| 264 |
CKV_K8S_25 |
PodSecurityPolicy |
initContainers |
Minimize the admission of containers with added capability |
Kubernetes |
| 265 |
CKV_K8S_30 |
PodSecurityPolicy |
initContainers |
Apply security context to your pods and containers |
Kubernetes |
| 266 |
CKV_K8S_16 |
PodSecurityPolicy |
initContainers |
Container should not be privileged |
Kubernetes |
| 267 |
CKV_K8S_11 |
PodSecurityPolicy |
initContainers |
CPU limits should be set |
Kubernetes |
| 268 |
CKV_K8S_43 |
PodSecurityPolicy |
initContainers |
Image should use digest |
Kubernetes |
| 269 |
CKV_K8S_12 |
PodSecurityPolicy |
initContainers |
Memory requests should be set |
Kubernetes |
| 270 |
CKV_K8S_35 |
PodSecurityPolicy |
initContainers |
Prefer using secrets as files over secrets as environment variables |
Kubernetes |
| 271 |
CKV_K8S_34 |
PodSecurityPolicy |
initContainers |
Ensure that Tiller (Helm v2) is not deployed |
Kubernetes |
| 272 |
CKV_K8S_28 |
PodSecurityPolicy |
initContainers |
Minimize the admission of containers with the NET_RAW capability |
Kubernetes |
| 273 |
CKV_K8S_14 |
PodSecurityPolicy |
initContainers |
Image Tag should be fixed - not latest or blank |
Kubernetes |
| 274 |
CKV_K8S_42 |
PodSecurityPolicy |
RoleBinding |
Ensure that default service accounts are not actively used |
Kubernetes |
| 275 |
CKV_K8S_21 |
PodSecurityPolicy |
RoleBinding |
The default namespace should not be used |
Kubernetes |
| 276 |
CKV_K8S_42 |
PodSecurityPolicy |
ClusterRoleBinding |
Ensure that default service accounts are not actively used |
Kubernetes |
| 277 |
CKV_K8S_21 |
PodSecurityPolicy |
Service |
The default namespace should not be used |
Kubernetes |
| 278 |
CKV_K8S_21 |
PodSecurityPolicy |
Secret |
The default namespace should not be used |
Kubernetes |
| 279 |
CKV_K8S_21 |
PodSecurityPolicy |
Role |
The default namespace should not be used |
Kubernetes |
| 280 |
CKV_K8S_21 |
PodSecurityPolicy |
ConfigMap |
The default namespace should not be used |
Kubernetes |
| 281 |
CKV_K8S_21 |
PodSecurityPolicy |
Ingress |
The default namespace should not be used |
Kubernetes |