yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled

Author: semgrep
Download count: 418

The container explicitly disables seccomp confinement, so its processes can issue any system call the kernel exposes instead of the filtered set the container runtime's default profile allows. Remove 'seccompProfile: unconfined' and use the runtime's default profile ('seccompProfile: {type: RuntimeDefault}') or a 'Localhost' profile instead.

Note that the pattern below matches only the scalar spelling 'seccompProfile: unconfined' inside a container's securityContext. In the PodSpec API, seccompProfile is an object whose 'type' is 'Unconfined', 'RuntimeDefault' or 'Localhost', so a manifest written as 'seccompProfile: {type: Unconfined}', or an unconfined profile set in the pod-level securityContext that containers inherit, is not flagged by this rule.

Definition

rules:
  - id: seccomp-confinement-disabled
    patterns:
      - pattern-inside: |
          containers:
            ...
      - pattern: |
          image: ...
          ...
          securityContext:
            ...
            seccompProfile: unconfined
    message: "Container is explicitly disabling seccomp confinement. This runs the
      service in an unrestricted state. Remove 'seccompProfile: unconfined' to
      prevent this."
    metadata:
      cwe:
        - "CWE-284: Improper Access Control"
      references:
        - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
        - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
      category: security
      technology:
        - kubernetes
      owasp:
        - A05:2017 - Broken Access Control
        - A01:2021 - Broken Access Control
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - yaml
    severity: WARNING

Examples

seccomp-confinement-disabled.test.yaml

apiVersion: v1
kind: Pod
spec:
  containers:
    # ok: seccomp-confinement-disabled
    - name: nginx
      image: nginx
    # ok: seccomp-confinement-disabled
    - name: postgres
      image: postgres
      securityContext:
        runAsUser: 1000
        runAsGroup: 3000
        fsGroup: 2000
    # ruleid: seccomp-confinement-disabled
    - name: redis
      image: redis
      securityContext:
        seccompProfile: unconfined
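As an added example (not code from the Semgrep rule or from Kubernetes), the following checker implements the same control as the rule above over a manifest, and goes beyond it: it also recognises the structured form 'seccompProfile: {type: Unconfined}' that the PodSpec API validates, pod-level profiles that containers inherit, initContainers, workload pod templates, and the legacy seccomp annotations. A second function rewrites every offending setting to RuntimeDefault, i.e. produces the corrected manifest. The function names and the two sample manifests are my own construction; the legacy annotation keys are the real Kubernetes ones. Manifests are read as JSON so only the standard library is needed ('kubectl get pod NAME -o json' produces this shape; a YAML file would be loaded with yaml.safe_load first).

```python
"""Added example, not code from the Semgrep rule or from Kubernetes: walk a manifest
(Pod or templated workload), report every explicit disabling of seccomp, and rewrite
those settings to RuntimeDefault. Manifests are read as JSON so only the standard
library is needed. The sample manifests at the bottom are constructed for the demo."""
import copy
import json

# Legacy seccomp annotations: no longer honoured since Kubernetes 1.27, but still
# present in old manifests and not covered by the rule above.
POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_ANNOTATION_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"
RUNTIME_DEFAULT = {"type": "RuntimeDefault"}


def is_unconfined(profile):
    """True for the scalar spelling the rule matches (`seccompProfile: unconfined`)
    and for the form the PodSpec API validates (`seccompProfile: {type: Unconfined}`)."""
    if isinstance(profile, str):
        return profile.strip().lower() == "unconfined"
    if isinstance(profile, dict):
        return str(profile.get("type", "")).strip().lower() == "unconfined"
    return False


def pod_template(manifest):
    """(metadata, spec) of a Pod, or of the pod template of a Deployment/DaemonSet/Job."""
    if manifest.get("kind") == "Pod":
        return manifest.get("metadata") or {}, manifest.get("spec") or {}
    template = (manifest.get("spec") or {}).get("template") or {}
    return template.get("metadata") or {}, template.get("spec") or {}


def find_unconfined(manifest):
    """One finding string per explicit disabling of seccomp, pod level and container level."""
    findings = []
    name = (manifest.get("metadata") or {}).get("name", "<unnamed>")
    metadata, spec = pod_template(manifest)
    annotations = metadata.get("annotations") or {}
    pod_profile = (spec.get("securityContext") or {}).get("seccompProfile")
    if is_unconfined(pod_profile):
        findings.append(f"{name}: pod securityContext.seccompProfile is Unconfined")
    if str(annotations.get(POD_ANNOTATION, "")).lower() == "unconfined":
        findings.append(f"{name}: legacy annotation {POD_ANNOTATION}=unconfined")
    # initContainers follow the same securityContext rules as regular containers.
    for container in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        cname = container.get("name", "<unnamed>")
        profile = (container.get("securityContext") or {}).get("seccompProfile")
        if is_unconfined(profile):
            findings.append(f"{name}/{cname}: container seccompProfile is Unconfined")
        elif profile is None and is_unconfined(pod_profile):
            # A container that sets no profile of its own inherits the pod-level one.
            findings.append(f"{name}/{cname}: inherits Unconfined profile from the pod")
        if str(annotations.get(CONTAINER_ANNOTATION_PREFIX + cname, "")).lower() == "unconfined":
            findings.append(f"{name}/{cname}: legacy container annotation is unconfined")
    return findings


def harden(manifest):
    """Deep copy with every Unconfined setting (structured or legacy annotation) turned
    into RuntimeDefault; existing Localhost and RuntimeDefault profiles are left alone."""
    fixed = copy.deepcopy(manifest)
    metadata, spec = pod_template(fixed)
    annotations = metadata.get("annotations") or {}
    pod_ctx = spec.get("securityContext") or {}
    if is_unconfined(pod_ctx.get("seccompProfile")):
        pod_ctx["seccompProfile"] = dict(RUNTIME_DEFAULT)
    if str(annotations.get(POD_ANNOTATION, "")).lower() == "unconfined":
        del annotations[POD_ANNOTATION]
        pod_ctx.setdefault("seccompProfile", dict(RUNTIME_DEFAULT))
    if pod_ctx:
        spec["securityContext"] = pod_ctx
    for container in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        ctx = container.get("securityContext") or {}
        key = CONTAINER_ANNOTATION_PREFIX + container.get("name", "")
        if is_unconfined(ctx.get("seccompProfile")):
            ctx["seccompProfile"] = dict(RUNTIME_DEFAULT)
        if str(annotations.get(key, "")).lower() == "unconfined":
            del annotations[key]
            ctx.setdefault("seccompProfile", dict(RUNTIME_DEFAULT))
        if ctx:
            container["securityContext"] = ctx
    return fixed


# Constructed sample: pod template is confined, but the init container uses the scalar
# spelling the rule catches and the redis container uses the API form the rule misses.
DEPLOYMENT = json.loads("""{"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
 "spec": {"template": {"spec": {
   "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
   "initContainers": [{"name": "init-db", "image": "busybox",
                       "securityContext": {"seccompProfile": "unconfined"}}],
   "containers": [{"name": "nginx", "image": "nginx"},
                  {"name": "redis", "image": "redis",
                   "securityContext": {"seccompProfile": {"type": "Unconfined"}}}]}}}}""")

# Constructed sample: seccomp disabled at pod level and again via the legacy annotation.
LEGACY_POD = json.loads("""{"apiVersion": "v1", "kind": "Pod",
 "metadata": {"name": "legacy",
              "annotations": {"seccomp.security.alpha.kubernetes.io/pod": "unconfined"}},
 "spec": {"securityContext": {"seccompProfile": {"type": "Unconfined"}},
          "containers": [{"name": "app", "image": "app:1.0"}]}}""")

if __name__ == "__main__":
    for manifest in (DEPLOYMENT, LEGACY_POD):
        print("\n".join("FAIL " + f for f in find_unconfined(manifest)))
        print("after harden:", find_unconfined(harden(manifest)) or "clean")
```

Running it reports init-db and redis in the Deployment (the Semgrep rule would flag only init-db) and three findings for the Pod (pod-level profile, legacy annotation, and the app container that inherits the pod-level setting); after harden() both manifests come back clean. A container left without any profile is deliberately not reported: whether it ends up unconfined then depends on the kubelet's SeccompDefault setting, which a manifest checker cannot see.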