yaml.kubernetes.security.writable-filesystem-container.writable-filesystem-container

Container $CONTAINER is running with a writable root filesystem. This may allow a compromised application to download and run additional payloads, or to modify files in the container image. If an application inside a container has to save something temporarily, consider mounting a tmpfs for that path. Add 'readOnlyRootFilesystem: true' to this container's securityContext to prevent this.
Definition
rules:
  - id: writable-filesystem-container
    patterns:
      - pattern-inside: |
          containers:
            ...
      - pattern-inside: |
          - name: $CONTAINER
            ...
      - pattern: |
          image: ...
          ...
      - pattern-not: |
          image: ...
          ...
          securityContext:
            ...
            readOnlyRootFilesystem: true
      - focus-metavariable: $CONTAINER
    message: "Container $CONTAINER is running with a writable root filesystem. This
      may allow malicious applications to download and run additional payloads,
      or modify container files. If an application inside a container has to
      save something temporarily consider using a tmpfs. Add
      'readOnlyRootFilesystem: true' to this container to prevent this."
    metadata:
      cwe:
        - "CWE-732: Incorrect Permission Assignment for Critical Resource"
      owasp:
        - A05:2021 - Security Misconfiguration
        - A06:2017 - Security Misconfiguration
      references:
        - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
        - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
        - https://blog.atomist.com/security-of-docker-kubernetes/
        - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-8-set-filesystem-and-volumes-to-read-only
      category: security
      technology:
        - kubernetes
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - yaml
    severity: WARNING
Examples
writable-filesystem-container.test.yaml
apiVersion: v1
kind: Pod
spec:
  containers:
  # ruleid: writable-filesystem-container
  - name: nginx
    image: nginx
  # ruleid: writable-filesystem-container
  - name: postgres
    image: postgres
    securityContext:
      runAsUser: 1000
      runAsGroup: 3000
      fsGroup: 2000
  # ruleid: writable-filesystem-container
  - name: redis
    image: redis
    securityContext:
      readOnlyRootFilesystem: false
  # ok: writable-filesystem-container
  - name: haproxy
    image: haproxy
    securityContext:
      readOnlyRootFilesystem: true
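As an added example (not part of the rule's test fixture or of the Semgrep project), the nginx container from the fixture above rewritten so that the rule no longer fires, with the "use a tmpfs" advice from the message applied: the root filesystem is read-only and the paths the process needs to write are backed by memory-backed emptyDir volumes. The Pod name and the three mount paths (/tmp, /var/cache/nginx, /var/run) are assumptions for this illustration; which paths a given image actually writes has to be confirmed for that image, for example by running it with the read-only setting and watching for "read-only file system" errors in its logs.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-readonly          # assumed name for this example
spec:
  containers:
  - name: nginx
    image: nginx
    securityContext:
      readOnlyRootFilesystem: true   # the setting the rule's pattern-not looks for
    volumeMounts:
    # Writable scratch space lives on tmpfs volumes, not on the image layer,
    # so a compromised process cannot persist a payload in the root filesystem.
    - name: tmp
      mountPath: /tmp
    - name: cache
      mountPath: /var/cache/nginx  # assumed write path for this image
    - name: run
      mountPath: /var/run          # assumed write path for this image (pid file)
  volumes:
  - name: tmp
    emptyDir:
      medium: Memory    # tmpfs; contents are lost when the Pod is deleted
      sizeLimit: 64Mi   # caps how much memory the scratch space may consume
  - name: cache
    emptyDir:
      medium: Memory
      sizeLimit: 64Mi
  - name: run
    emptyDir:
      medium: Memory
      sizeLimit: 8Mi
```

Two practical notes. First, an emptyDir with medium: Memory is charged against the container's memory limit, so set sizeLimit and a memory limit together rather than leaving scratch space unbounded. Second, the rule's first pattern-inside is anchored on a containers: key, so check separately that any initContainers: entries in the same Pod carry readOnlyRootFilesystem: true as well; the manifest above can be checked with semgrep --config r/yaml.kubernetes.security.writable-filesystem-container against the file it is saved in.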
Short Link: https://sg.run/ZePL