yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled

The container explicitly disables seccomp confinement, so its processes run with no system-call filtering at all: every kernel syscall is reachable from inside the container, which removes one of the main barriers between a compromised container and the host kernel. Remove 'seccompProfile: unconfined' (and let the container use the runtime's default profile) to prevent this.
Definition
rules:
  - id: seccomp-confinement-disabled
    patterns:
      - pattern-inside: |
          containers:
            ...
      - pattern: |
          image: ...
          ...
          securityContext:
            ...
            seccompProfile: unconfined
    message: "Container is explicitly disabling seccomp confinement. This runs the
      service in an unrestricted state. Remove 'seccompProfile: unconfined' to
      prevent this."
    metadata:
      cwe:
        - "CWE-284: Improper Access Control"
      references:
        - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
        - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
      category: security
      technology:
        - kubernetes
      owasp:
        - A05:2017 - Broken Access Control
        - A01:2021 - Broken Access Control
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - yaml
    severity: WARNING
Examples
seccomp-confinement-disabled.test.yaml
apiVersion: v1
kind: Pod
spec:
  containers:
    # ok: seccomp-confinement-disabled
    - name: nginx
      image: nginx
    # ok: seccomp-confinement-disabled
    - name: postgres
      image: postgres
      securityContext:
        runAsUser: 1000
        runAsGroup: 3000
        fsGroup: 2000
    # ruleid: seccomp-confinement-disabled
    - name: redis
      image: redis
      securityContext:
        seccompProfile: unconfined
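The Semgrep pattern above matches the scalar form `seccompProfile: unconfined` used in its own test file. The current Kubernetes API spells the same setting as a structured field, `seccompProfile: {type: Unconfined}`, and allows it at pod level in `spec.securityContext`, where every container that sets no profile of its own inherits it; a manifest written that way is not matched by the pattern above. The following is an added example, not Semgrep's rule code or anything from the Kubernetes project: a small Python checker that performs the same check on a parsed manifest (the dict that `json.loads` or `yaml.safe_load` returns), covering the scalar form, the `type` form and pod-level inheritance, and a `harden` helper that rewrites each disabled profile to `RuntimeDefault`. The function names, the `Unconfined`/`RuntimeDefault` handling beyond the page's `unconfined` literal, and the two sample manifests are this example's own constructions; the samples are JSON because Kubernetes accepts JSON manifests and it keeps the block dependency-free.

```python
"""Flag Kubernetes containers that explicitly disable seccomp confinement.

Added example (not Semgrep's or Kubernetes' code). Works on a parsed manifest
dict, so the same functions accept yaml.safe_load() output in real use.
"""
import json

UNCONFINED = "unconfined"          # compared case-insensitively below
HARDENED = {"type": "RuntimeDefault"}


def profile_type(security_context):
    """Return the seccomp profile named in a securityContext, or None if absent.

    Accepts the scalar form the Semgrep rule matches (`seccompProfile: unconfined`)
    and the API form (`seccompProfile: {type: Unconfined}`).
    """
    if not isinstance(security_context, dict):
        return None
    profile = security_context.get("seccompProfile")
    if isinstance(profile, dict):
        profile = profile.get("type")
    return profile if isinstance(profile, str) else None


def pod_spec(manifest):
    """Locate the pod spec: `.spec` for a Pod, `.spec.template.spec` for
    Deployment/StatefulSet/DaemonSet/Job. CronJob nests one level deeper
    (`.spec.jobTemplate...`) and is deliberately not handled here."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})


def seccomp_findings(manifest):
    """Return (container_name, reason) for every container running unconfined.

    A container-level profile overrides the pod-level one; a container with no
    profile anywhere is left to the cluster/runtime default and not reported.
    """
    spec = pod_spec(manifest)
    pod_level = profile_type(spec.get("securityContext"))
    findings = []
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        own = profile_type(container.get("securityContext"))
        effective = own if own is not None else pod_level
        if effective is not None and effective.lower() == UNCONFINED:
            where = "container" if own is not None else "pod"
            findings.append((container["name"],
                             f"{where}-level seccompProfile disables seccomp"))
    return findings


def harden(manifest):
    """Return a deep copy in which every disabled profile becomes RuntimeDefault."""
    fixed = json.loads(json.dumps(manifest))   # deep copy of plain JSON data
    spec = pod_spec(fixed)
    holders = [spec] + spec.get("containers", []) + spec.get("initContainers", [])
    for holder in holders:
        ctx = holder.get("securityContext")
        if (profile_type(ctx) or "").lower() == UNCONFINED:
            ctx["seccompProfile"] = dict(HARDENED)
    return fixed


# Constructed sample 1: mirrors the rule's test file (scalar form on `redis`).
POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
 "spec": {"containers": [
   {"name": "nginx", "image": "nginx"},
   {"name": "postgres", "image": "postgres",
    "securityContext": {"runAsUser": 1000, "runAsGroup": 3000}},
   {"name": "redis", "image": "redis",
    "securityContext": {"seccompProfile": "unconfined"}}]}}
""")

# Constructed sample 2: API form, disabled at pod level; `app` overrides it,
# `sidecar` silently inherits it and is the one that should be flagged.
DEPLOYMENT = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
 "spec": {"template": {"spec": {
   "securityContext": {"seccompProfile": {"type": "Unconfined"}},
   "containers": [
     {"name": "app", "image": "app:1.0",
      "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}},
     {"name": "sidecar", "image": "envoy"}]}}}}
""")

if __name__ == "__main__":
    for m in (POD, DEPLOYMENT):
        print(m["kind"], seccomp_findings(m), "-> after harden:",
              seccomp_findings(harden(m)))
```

Running the block prints one finding per manifest (`redis` from the container-level scalar form, `sidecar` from the inherited pod-level `Unconfined`) and none after `harden`. Treating "no profile set anywhere" as a non-finding is a design choice that matches the rule's `# ok:` cases; on clusters without a seccomp default, such containers also run unconfined, so a stricter policy would report them too.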
Short Link: https://sg.run/6rgY