@confusedcrib
Contributor

@confusedcrib confusedcrib commented Sep 18, 2024

Example of deploying a seccomp profile with least privilege, policies generated with ARMO. Templates folder has examples

@dryrunsecurity

dryrunsecurity bot commented Sep 18, 2024

DryRun Security Summary

This pull request updates the version numbers for an "intentionally insecure" Helm chart, introduces a Seccomp profile for the "insecure-app" container, and includes changes to sensitive environment variables and the mounting of the Docker socket, which require careful review to ensure no new vulnerabilities or insecure configurations have been introduced.


Summary:

This pull request updates the version numbers for an "intentionally insecure" Helm chart, which is likely used for testing and evaluation purposes rather than production deployments. While version updates are common, it's crucial to review the changes carefully in the context of an intentionally insecure application to ensure that no new vulnerabilities or insecure configurations have been introduced.

Additionally, the pull request includes changes to the Seccomp (Secure Computing) profile for the "insecure-app" container. While the use of a Seccomp profile is a security improvement over running the container in privileged mode, the current profile appears to be quite permissive and lacks the level of security hardening that would be expected for a production-ready application. The pull request also introduces sensitive environment variables and mounts the Docker socket, which could potentially lead to security risks if not properly managed.

Files Changed:

  1. insecure-chart/Chart.yaml: This file updates the version numbers for the "insecure-apps" Helm chart, specifically the version and appVersion fields. As this is an intentionally insecure chart, any changes should be reviewed carefully to ensure that no new vulnerabilities or insecure configurations have been introduced.

  2. insecure-chart/templates/insecure-app-seccomp.yaml: This file introduces a Seccomp profile for the "insecure-app" container. The profile allows a broad set of system calls, including many that could potentially be used for malicious purposes. The lack of rationale and additional hardening measures suggests that the security of this application may not be a high priority.

  3. insecure-chart/templates/insecure-app.yaml: This file replaces the privileged container configuration with a Seccomp profile, which is a security improvement. However, the file still contains sensitive environment variables and mounts the Docker socket, which could lead to security risks if not properly managed.

As an application security engineer, I would recommend thoroughly reviewing the changes, ensuring that the Seccomp profile is properly configured to restrict the container's access to only the necessary system calls, securing the sensitive environment variables, and carefully evaluating the necessity of mounting the Docker socket. Regular security audits and implementing the principle of least privilege are also crucial to maintain the application's security posture.

Code Analysis

We ran 9 analyzers against 7 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Sensitive Files Analyzer 3 findings

Riskiness

🟢 Risk threshold not exceeded.


@socket-security

socket-security bot commented Sep 18, 2024

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.


@confusedcrib confusedcrib changed the title "Seccomp example" to "Seccomp example - Example in Templates Folder" Sep 18, 2024
@confusedcrib
Contributor Author

confusedcrib commented Sep 18, 2024

Checkmarx One – Scan Summary & Details e06de5c3-a514-480c-8091-fd09dca504ad

New Issues

| Severity | Issue | Source File / Package | Checkmarx Insight |
|---|---|---|---|
| CRITICAL | CVE-2022-22885 | Maven-cn.hutool:hutool-all-5.8.10 | Vulnerable Package |
| HIGH | CVE-2021-0341 | Maven-com.squareup.okhttp:okhttp-2.5.0 | Vulnerable Package |
| HIGH | CVE-2024-38809 | Maven-org.springframework:spring-web-6.1.5 | Vulnerable Package |
| HIGH | CVE-2024-38809 | Maven-org.springframework:spring-web-4.3.6.RELEASE | Vulnerable Package |
| HIGH | CVE-2024-38816 | Maven-org.springframework:spring-webmvc-4.3.6.RELEASE | Vulnerable Package |
| HIGH | CVE-2024-38816 | Maven-org.springframework:spring-webmvc-6.1.5 | Vulnerable Package |
| HIGH | Privilege Escalation Allowed | /insecure-app-seccomp.yaml: 9 | Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process |
| MEDIUM | Container Running As Root | /insecure-app-seccomp.yaml: 9 | Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities... |
| MEDIUM | Container Running With Low UID | /insecure-app-seccomp.yaml: 9 | Check if containers are running with low UID, which might cause conflicts with the host's user table. |
| MEDIUM | Memory Limits Not Defined | /insecure-app-seccomp.yaml: 9 | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t... |
| MEDIUM | Memory Requests Not Defined | /insecure-app-seccomp.yaml: 9 | Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over... |
| MEDIUM | NET_RAW Capabilities Not Being Dropped | /insecure-app-seccomp.yaml: 9 | Containers should drop 'ALL' or at least 'NET_RAW' capabilities |
| MEDIUM | Readiness Probe Is Not Configured | /insecure-app-seccomp.yaml: 9 | Check if Readiness Probe is not configured. |
| MEDIUM | Seccomp Profile Is Not Configured | /insecure-app-seccomp.yaml: 9 | Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls |
| LOW | CPU Limits Not Set | /insecure-app-seccomp.yaml: 9 | CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests |
| LOW | CPU Requests Not Set | /insecure-app-seccomp.yaml: 9 | CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node |
| LOW | Missing AppArmor Profile | /insecure-app-seccomp.yaml: 4 | Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources |
| LOW | No Drop Capabilities for Containers | /insecure-app-seccomp.yaml: 9 | Sees if Kubernetes Drop Capabilities exists to ensure containers security context |
| LOW | Pod or Container Without Security Context | /insecure-app-seccomp.yaml: 9 | A security context defines privilege and access control settings for a Pod or Container |
| LOW | Root Container Not Mounted Read-only | /insecure-app-seccomp.yaml: 9 | Check if the root container filesystem is not being mounted read-only. |

Fixed Issues

| Severity | Issue | Source File / Package |
|---|---|---|
| HIGH | CVE-2019-10744 | Npm-lodash-4.16.1 |
| HIGH | CVE-2020-8203 | Npm-lodash-4.16.1 |
| HIGH | CVE-2021-23337 | Npm-lodash-4.16.1 |
| HIGH | CVE-2022-25883 | Npm-semver-5.4.1 |
| HIGH | CVE-2022-46175 | Npm-json5-0.5.1 |
| HIGH | CVE-2023-45133 | Npm-@babel/traverse-7.0.0-rc.1 |
| HIGH | Container Is Privileged | /insecure-app.yaml: 39 |
| HIGH | Cx0b414307-5d4b | Npm-lodash-4.16.1 |
| HIGH | Cx89601373-08db | Npm-debug-3.2.7 |
| HIGH | Cx8bc4df28-fcf5 | Npm-debug-3.2.7 |
| HIGH | Cxc7705965-e0f0 | Npm-@babel/core-7.0.0-rc.1 |
| HIGH | Missing User Instruction | /Dockerfile: 1 |
| MEDIUM | Add Instead of Copy | /Dockerfile: 9 |
| MEDIUM | Add Instead of Copy | /Dockerfile: 8 |
| MEDIUM | CVE-2018-16487 | Npm-lodash-4.16.1 |
| MEDIUM | CVE-2018-3721 | Npm-lodash-4.16.1 |
| MEDIUM | CVE-2019-1010266 | Npm-lodash-4.16.1 |
| MEDIUM | CVE-2020-28500 | Npm-lodash-4.16.1 |
| MEDIUM | Missing_HSTS_Header | /insecure-js/server.js: 72 |
| MEDIUM | Seccomp Profile Is Not Configured | /insecure-app.yaml: 39 |
| LOW | Healthcheck Instruction Missing | /Dockerfile: 1 |
| LOW | Missing_CSP_Header | /insecure-js/server.js: 72 |
| LOW | Multiple RUN, ADD, COPY, Instructions Listed | /Dockerfile: 8 |
