yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service

profile photo of semgrepsemgrep
Author
418
Download Count*
LGPL Commons Clause
License

Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecureSkipTLSVerify: true' key to secure communication.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: skip-tls-verify-service
    pattern: |
      spec:
        ...
        insecureSkipTLSVerify: true
    message: "Service is disabling TLS certificate verification when communicating
      with the server. This makes your HTTPS connections insecure. Remove the
      'insecureSkipTLSVerify: true' key to secure communication."
    metadata:
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      references:
        - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#apiservice-v1-apiregistration-k8s-io
      category: security
      technology:
        - kubernetes
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - yaml
    severity: WARNING

Examples

skip-tls-verify-service.test.yaml

apiVersion: apiregistration.k8s.io/v1beta1
kind: APIService
metadata:
  name: v1beta1.metrics.k8s.io
# ruleid: skip-tls-verify-service
spec:
  service:
    name: metrics-server
    namespace: kube-system
  group: metrics.k8s.io
  version: v1beta1
  insecureSkipTLSVerify: true
  groupPriorityMinimum: 100
  versionPriority: 100