
update #2

Open
khulnasoft-bot wants to merge 1 commit into main from master

Conversation

@khulnasoft-bot
Collaborator

Notes for Reviewers

This PR fixes #

Signed commits

  • Yes, I signed my commits.

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.


@sourcery-ai sourcery-ai bot left a comment


The pull request #2 has too many files changed.

We can only review pull requests with up to 300 changed files, and this pull request has 353.

@coderabbitai

coderabbitai bot commented Jan 13, 2025

Important

Review skipped

More than 25% of the files skipped due to max files limit. The review is being skipped to prevent a low-quality review.

218 files out of 300 files are above the max files limit of 75. Please upgrade to Pro plan to get higher limits.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@codiumai-pr-agent-free

codiumai-pr-agent-free bot commented Jan 13, 2025

CI Failure Feedback 🧐

(Checks updated until commit 1628b65)

Action: Kics / Kics Scan

Failed stage: Kics Scan [❌]

Failed test name: KICS security scan

Failure summary:

The action failed due to multiple security and best practice violations detected by the KICS (Keeping Infrastructure as Code Secure) scanner:

  • Multiple containers found without liveness probes defined
  • Package versions not pinned in multiple package installations (apt-get, pip, apk)
  • Service account tokens shared between workloads
  • Containers sharing host network namespace
  • Secrets exposed as environment variables in containers
  • Serverless functions missing Dead Letter Queue configuration
  • Use of default/system Kubernetes namespaces
  • CodeQL Action using deprecated v1/v2 versions instead of v3

  • Relevant error logs:
    1:  ##[group]Operating System
    2:  Ubuntu
    ...
    
    773:  comments_with_queries: false
    774:  excluded_column_for_comments_with_queries: description_id,similarity_id,search_line,search_value
    775:  env:
    776:  CONFIG: 
    777:  CONFIG_FILE: 
    778:  DEBUG: 
    779:  SCAN_PATH: .
    780:  ##[endgroup]
    781:  ##[command]/usr/bin/docker run --name c12ba0d93f4534bae94cec613bda3dc67_03e7b7 --label 86640c --workdir /github/workspace --rm -e "CONFIG" -e "CONFIG_FILE" -e "DEBUG" -e "SCAN_PATH" -e "INPUT_PATH" -e "INPUT_FAIL_ON" -e "INPUT_IGNORE_ON_EXIT" -e "INPUT_OUTPUT_PATH" -e "INPUT_OUTPUT_FORMATS" -e "INPUT_QUERIES" -e "INPUT_TOKEN" -e "INPUT_ENABLE_ANNOTATIONS" -e "INPUT_ENABLE_COMMENTS" -e "INPUT_ENABLE_JOBS_SUMMARY" -e "INPUT_COMMENTS_WITH_QUERIES" -e "INPUT_EXCLUDED_COLUMN_FOR_COMMENTS_WITH_QUERIES" -e "INPUT_TIMEOUT" -e "INPUT_PROFILING" -e "INPUT_CONFIG_PATH" -e "INPUT_PLATFORM_TYPE" -e "INPUT_EXCLUDE_PATHS" -e "INPUT_EXCLUDE_QUERIES" -e "INPUT_EXCLUDE_CATEGORIES" -e "INPUT_EXCLUDE_RESULTS" -e "INPUT_EXCLUDE_SEVERITIES" -e "INPUT_EXCLUDE_GITIGNORE" -e "INPUT_PAYLOAD_PATH" -e "INPUT_SECRETS_REGEXES_PATH" -e "INPUT_LIBRARIES_PATH" -e "INPUT_DISABLE_FULL_DESCRIPTIONS" -e "INPUT_DISABLE_SECRETS" -e "INPUT_TYPE" -e "INPUT_VERBOSE" -e "INPUT_INCLUDE_QUERIES" -e "INPUT_BOM" -e "INPUT_CLOUD_PROVIDER" -e "INPUT_EXCLUDED_COLUMNS_FOR_COMMENTS_WITH_QUERIES" -e "WORKSPACE_PATH" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" 
-e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/DevX/DevX":"/github/workspace" 86640c:12ba0d93f4534bae94cec613bda3dc67  "." "" "" "" "" "" "" "" "" "" "" "" "" "json,sarif" "results" "" "" "" "" "" "" "" "" "" ""
    ...
    
    911:  052:     - name: Download Prometheus
    912:  053:       get_url:
    913:  054:         url: "https://github.com/prometheus/prometheus/releases/download/{{ prometheus_version }}/prometheus-{{ prometheus_version }}.linux-amd64.tar.gz"
    914:  [2]: bash-tools/ansible/prometheus_node_exporter/playbook.yml:47
    915:  046:     - name: Download Prometheus Node Exporter
    916:  047:       get_url:
    917:  048:         url: "https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz"
    918:  Liveness Probe Is Not Defined, Severity: INFO, Results: 25
    919:  Description: In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    ...
    
    1514:  Platform: ServerlessFW
    1515:  CWE: 800
    1516:  Learn more about this vulnerability: https://docs.kics.io/latest/queries/serverlessfw-queries/f99d3482-fa8c-4f79-bad9-35212dded164
    1517:  [1]: tools/python/gcp_cloud_function_sql_export/serverless.yml:119
    1518:  118:   # before deploying this service through Serverless
    1519:  119:   main:
    1520:  120:     handler: main
    1521:  Serverless Function Without Dead Letter Queue, Severity: LOW, Results: 1
    1522:  Description: Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter
    ...
    
    1797:  091:       # there is no lts tag at this time
    1798:  [46]: bash-tools/kubernetes-configs/traefik/base/old.yaml:56
    1799:  055:         - image: traefik:1.7.13
    1800:  056:           name: traefik-ingress-lb
    1801:  057:           ports:
    1802:  [47]: bash-tools/kubernetes-configs/docker-in-docker/base/statefulset.yaml:111
    1803:  110:             # mkdir: can't create directory '/certs/ca': Read-only file system
    1804:  111:             readOnlyRootFilesystem: false
    1805:  112:             # [rootlesskit:parent] error: failed to setup UID/GID map: newuidmap 65 [0 1000 1 1 100000 65536] failed: : fork/exec /usr/bin/newuidmap: operation not permitted
    ...
    
    1849:  271:       image: returntocorp/semgrep-agent:v1
    1850:  [59]: bash-tools/kubernetes-configs/deployment.yaml:226
    1851:  225:               mountPath: /data
    1852:  226:         - name: init-mysql-service
    1853:  227:           image: busybox:latest
    1854:  [60]: bash-tools/kubernetes-configs/jenkins/base/server.yaml:81
    1855:  080:       containers:
    1856:  081:         - name: jenkins
    1857:  082:           # NOTE: BEWARE LTS tag will auto-upgrade - will inevitably break some plugins which could break SSO login or all pipelines referencing plugin method such as slackSend with the error below:
    ...
    
    1951:  209:       image: hashicorp/terraform:1.1.2  # XXX: set this to match the Terraform version you need
    1952:  [12]: bash-tools/kubernetes-configs/argocd/base/repo-server.kustomize.patch.yaml:55
    1953:  054:       containers:
    1954:  055:         - name: argocd-repo-server
    1955:  056:           volumeMounts:
    1956:  [13]: bash-tools/kubernetes-configs/jenkins/base/server.yaml:81
    1957:  080:       containers:
    1958:  081:         - name: jenkins
    1959:  082:           # NOTE: BEWARE LTS tag will auto-upgrade - will inevitably break some plugins which could break SSO login or all pipelines referencing plugin method such as slackSend with the error below:
    ...
    
    2880:  227:           image: busybox:latest
    2881:  [61]: docker-images/teamcity/kubernetes-teamcity-agent.yaml:46
    2882:  045:       containers:
    2883:  046:         - name: teamcity-agent
    2884:  047:           image: jetbrains/teamcity-agent:2020.2
    2885:  [62]: bash-tools/kubernetes-configs/jenkins/base/server.yaml:81
    2886:  080:       containers:
    2887:  081:         - name: jenkins
    2888:  082:           # NOTE: BEWARE LTS tag will auto-upgrade - will inevitably break some plugins which could break SSO login or all pipelines referencing plugin method such as slackSend with the error below:
    ...
    
    3760:  065:           image: selenium/session-queue:4.1.2
    3761:  [9]: bash-tools/kubernetes-configs/echoserver.yaml:78
    3762:  077:         - image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
    3763:  078:           name: echo
    3764:  079:           ports:
    3765:  [10]: bash-tools/kubernetes-configs/jenkins/base/server.yaml:81
    3766:  080:       containers:
    3767:  081:         - name: jenkins
    3768:  082:           # NOTE: BEWARE LTS tag will auto-upgrade - will inevitably break some plugins which could break SSO login or all pipelines referencing plugin method such as slackSend with the error below:
    ...
    
    5222:  3456:         # upgraded to use calico-ipam.
    5223:  3457:         - name: upgrade-ipam
    5224:  3458:           image: calico/cni:v3.15.1
    5225:  [18]: bash-tools/kubernetes-configs/deployment.yaml:226
    5226:  225:               mountPath: /data
    5227:  226:         - name: init-mysql-service
    5228:  227:           image: busybox:latest
    5229:  Yum install Without Version, Severity: MEDIUM, Results: 93
    5230:  Description: Not specifying the package version can cause failures due to unanticipated changes in required packages
    ...
    
    5668:  3674:   name: calico-node
    5669:  3675:   namespace: kube-system
    5670:  3676: 
    5671:  [16]: bash-tools/kubernetes-configs/pod-security-policy-rolebinding.yaml:36
    5672:  035:   name: restricted-pod-rolebinding
    5673:  036:   namespace: default
    5674:  037: roleRef:
    5675:  Unpinned Package Version in Pip Install, Severity: MEDIUM, Results: 5
    5676:  Description: Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    ...
    
    5693:  045: 
    5694:  046: RUN python3 -m pip install         --user         'urllib3>=1.26.5'         awsebcli &&     echo &&     echo "Checking EB CLI runtime..." &&     echo &&     eb --help --quiet
    5695:  047: 
    5696:  [5]: docker-images/superset/Dockerfile:15
    5697:  014: # nosemgrep: dockerfile.audit.dockerfile-source-not-pinned.dockerfile-source-not-pinned
    5698:  015: FROM centos:8
    5699:  016: 
    5700:  Unpinned Package Version in Apk Add, Severity: MEDIUM, Results: 42
    5701:  Description: Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    ...
    
    6060:  042:       affinity:
    6061:  [33]: bash-tools/kubernetes-configs/selenium-grid/base/selenium-grid-hub.yaml:46
    6062:  045:         app: selenium-hub
    6063:  046:     spec:
    6064:  047:       priorityClassName: high-priority
    6065:  [34]: bash-tools/kubernetes-configs/jenkins/base/agent.cloud-pod-DooD.yaml:43
    6066:  042:     cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
    6067:  043: spec:
    6068:  044:   # agent pod should go on stable node pool so that builds don't fail due to preemption. Requires priorityclass.yaml
    ...
    
    6153:  Service Account Name Undefined Or Empty, Severity: MEDIUM, Results: 3
    6154:  Description: A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty.
    6155:  Platform: Kubernetes
    6156:  CWE: 665
    6157:  Learn more about this vulnerability: https://docs.kics.io/latest/queries/kubernetes-queries/591ade62-d6b0-4580-b1ae-209f80ba1cd9
    6158:  [1]: bash-tools/kubernetes-configs/jenkins/base/agent.cloud-pod-DooD.yaml:43
    6159:  042:     cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
    6160:  043: spec:
    6161:  044:   # agent pod should go on stable node pool so that builds don't fail due to preemption. Requires priorityclass.yaml
    ...
    
    6680:  209:       image: hashicorp/terraform:1.1.2  # XXX: set this to match the Terraform version you need
    6681:  [50]: bash-tools/kubernetes-configs/clair/base/deployment.yaml:45
    6682:  044:       containers:
    6683:  045:         - name: clair
    6684:  046:           image: quay.io/projectquay/clair:4.6.1
    6685:  [51]: bash-tools/kubernetes-configs/jenkins/base/server.yaml:81
    6686:  080:       containers:
    6687:  081:         - name: jenkins
    6688:  082:           # NOTE: BEWARE LTS tag will auto-upgrade - will inevitably break some plugins which could break SSO login or all pipelines referencing plugin method such as slackSend with the error below:
    ...
    
    6849:  224:       image: alpine/terragrunt:1.1.2  # XXX: set this to match the Terraform version you need
    6850:  [16]: bash-tools/kubernetes-configs/jenkins/base/agent-pod.yaml:375
    6851:  374:     # generic CLI container
    6852:  375:     - name: busybox
    6853:  376:       #image: busybox:3
    6854:  [17]: bash-tools/kubernetes-configs/jenkins/base/server.yaml:81
    6855:  080:       containers:
    6856:  081:         - name: jenkins
    6857:  082:           # NOTE: BEWARE LTS tag will auto-upgrade - will inevitably break some plugins which could break SSO login or all pipelines referencing plugin method such as slackSend with the error below:
    ...
    
    7239:  057:           ports:
    7240:  [60]: bash-tools/kubernetes-configs/deployment.yaml:220
    7241:  219:       initContainers:
    7242:  220:         - name: init-files
    7243:  221:           image: alpine/git:latest
    7244:  [61]: bash-tools/kubernetes-configs/jenkins/base/server.yaml:81
    7245:  080:       containers:
    7246:  081:         - name: jenkins
    7247:  082:           # NOTE: BEWARE LTS tag will auto-upgrade - will inevitably break some plugins which could break SSO login or all pipelines referencing plugin method such as slackSend with the error below:
    ...
    
    8609:  6212:             allowPrivilegeEscalation: false
    8610:  [34]: bash-tools/kubernetes-configs/knative/base/knative-v1.9.3-serving-core.yaml:6321
    8611:  6320:               value: knative.dev/serving
    8612:  6321:           securityContext:
    8613:  6322:             allowPrivilegeEscalation: false
    8614:  [35]: bash-tools/kubernetes-configs/jenkins/base/agent.cloud-pod-DooD.yaml:86
    8615:  085:   securityContext:
    8616:  086:     runAsUser: 0    # required to access docker.sock
    8617:  087:     #fsGroup: 1000  # jenkins gid to access docker.sock, but fails to change socket group owner in container
    ...
    
    8709:  230:           image: busybox:latest
    8710:  [59]: bash-tools/kubernetes-configs/deployment.yaml:355
    8711:  354:               readOnly: true
    8712:  355:           securityContext:
    8713:  356:             runAsNonRoot: true
    8714:  [60]: bash-tools/kubernetes-configs/jenkins/base/agent.statefulset-DooD.yaml:108
    8715:  107:       securityContext:
    8716:  108:         runAsUser: 0    # required to access docker.sock
    8717:  109:         #fsGroup: 1000  # jenkins gid to access docker.sock, but fails to change socket group owner in container
    ...
    
    8721:  398:             # The default Cloud SQL proxy image runs as the
    8722:  [62]: bash-tools/kubernetes-configs/argocd/base/repo-server.kustomize.patch.yaml:55
    8723:  054:       containers:
    8724:  055:         - name: argocd-repo-server
    8725:  056:           volumeMounts:
    8726:  [63]: bash-tools/kubernetes-configs/jenkins/base/server.yaml:81
    8727:  080:       containers:
    8728:  081:         - name: jenkins
    8729:  082:           # NOTE: BEWARE LTS tag will auto-upgrade - will inevitably break some plugins which could break SSO login or all pipelines referencing plugin method such as slackSend with the error below:
    ...
    
    8750:  255:           image: traefik/whoami:latest
    8751:  [3]: bash-tools/kubernetes-configs/deployment-stress.yaml:59
    8752:  058:           imagePullPolicy: Always
    8753:  059:           name: stress
    8754:  060:           args:
    8755:  [4]: bash-tools/kubernetes-configs/jenkins/base/agent.cloud-pod-DooD.yaml:86
    8756:  085:   securityContext:
    8757:  086:     runAsUser: 0    # required to access docker.sock
    8758:  087:     #fsGroup: 1000  # jenkins gid to access docker.sock, but fails to change socket group owner in container
    ...
    
    8810:  045:           image: perl
    8811:  [18]: bash-tools/kubernetes-configs/octopus-deploy/base/octopus-deploy-mssql.yaml:51
    8812:  050:       containers:
    8813:  051:         - name: mssql
    8814:  052:           image: mcr.microsoft.com/mssql/server:2019-latest
    8815:  [19]: bash-tools/kubernetes-configs/jenkins/base/server.yaml:81
    8816:  080:       containers:
    8817:  081:         - name: jenkins
    8818:  082:           # NOTE: BEWARE LTS tag will auto-upgrade - will inevitably break some plugins which could break SSO login or all pipelines referencing plugin method such as slackSend with the error below:
    ...
    
    8858:  3684:   namespace: kube-system
    8859:  [30]: docker-images/teamcity/kubernetes-teamcity-agent.yaml:46
    8860:  045:       containers:
    8861:  046:         - name: teamcity-agent
    8862:  047:           image: jetbrains/teamcity-agent:2020.2
    8863:  [31]: bash-tools/kubernetes-configs/jenkins/base/agent.statefulset-DooD.yaml:108
    8864:  107:       securityContext:
    8865:  108:         runAsUser: 0    # required to access docker.sock
    8866:  109:         #fsGroup: 1000  # jenkins gid to access docker.sock, but fails to change socket group owner in container
    ...
    
    10485:  3521:             privileged: true
    10486:  [53]: bash-tools/kubernetes-configs/teamcity/base/teamcity-server.yaml:81
    10487:  080:       containers:
    10488:  081:         - name: teamcity-server
    10489:  082:           image: jetbrains/teamcity-server:2020.2.1
    10490:  [54]: bash-tools/kubernetes-configs/jenkins/base/server.yaml:81
    10491:  080:       containers:
    10492:  081:         - name: jenkins
    10493:  082:           # NOTE: BEWARE LTS tag will auto-upgrade - will inevitably break some plugins which could break SSO login or all pipelines referencing plugin method such as slackSend with the error below:
    ...
    
    12296:  ##[warning]Container should not share the host network namespace
    12297:  ##[warning]Container should not share the host network namespace
    12298:  ##[warning]A Service Account token is shared between workloads
    12299:  ##[warning]A Service Account token is shared between workloads
    12300:  ##[warning]A Service Account token is shared between workloads
    12301:  ##[warning]A Service Account token is shared between workloads
    12302:  ##[warning]A Service Account token is shared between workloads
    12303:  ##[warning]A Service Account token is shared between workloads
    12304:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12305:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12306:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12307:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12308:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12309:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12310:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12311:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12312:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12313:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12314:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12315:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12316:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12317:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12318:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12319:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12320:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12321:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12322:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12323:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12324:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12325:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12326:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12327:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12328:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12329:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12330:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12331:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12332:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12333:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12334:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12335:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12336:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12337:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12338:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12339:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12340:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12341:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12342:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12343:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12344:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12345:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12346:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12347:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12348:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12349:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12350:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    ...
    
    12359:  ##[warning]Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
    12360:  ##[warning]Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
    12361:  ##[warning]Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
    12362:  ##[warning]Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
    12363:  ##[warning]Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
    12364:  ##[warning]Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
    12365:  ##[warning]Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
    12366:  ##[warning]Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
    12367:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12368:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12369:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12370:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12371:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12372:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12373:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12374:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12375:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12376:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12377:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12378:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12379:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12380:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12381:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12382:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12383:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12384:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12385:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12386:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12387:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12388:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12389:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12390:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12391:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12392:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12393:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12394:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12395:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12396:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12397:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12398:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12399:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12400:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12401:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12402:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12403:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12404:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12405:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12406:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12407:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12408:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12409:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12410:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12411:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12412:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12413:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12414:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12415:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12416:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12417:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12418:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12419:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12420:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12421:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12422:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12423:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12424:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12425:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12426:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12427:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12428:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12429:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12430:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12431:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12432:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12433:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12434:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12435:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12436:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12437:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12438:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12439:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12440:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12441:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12442:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12443:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12444:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12445:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12446:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12447:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12448:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12449:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12450:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12451:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12452:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12453:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12454:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12455:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12456:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12457:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12458:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12459:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    ...
    
    13338:  ##[warning]Container should not use secrets as environment variables
    13339:  ##[warning]Container should not use secrets as environment variables
    13340:  ##[warning]Container should not use secrets as environment variables
    13341:  ##[warning]Container should not use secrets as environment variables
    13342:  ##[warning]Container should not use secrets as environment variables
    13343:  ##[warning]Container should not use secrets as environment variables
    13344:  ##[warning]AWS Serverless Function should be configured for a Dead Letter Queue(DLQ)
    13345:  ##[warning]AWS Serverless Function should be configured for a Dead Letter Queue(DLQ)
    13346:  ##[warning]Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter
    ...
    
    13441:  ##[warning]After using apt-get install, it is needed to delete apt-get lists
    13442:  ##[warning]After using apt-get install, it is needed to delete apt-get lists
    13443:  ##[warning]After using apt-get install, it is needed to delete apt-get lists
    13444:  ##[warning]After using apt-get install, it is needed to delete apt-get lists
    13445:  ##[warning]After using apt-get install, it is needed to delete apt-get lists
    13446:  ##[warning]It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance
    13447:  ##[warning]As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces.
    13448:  ##[warning]Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set
    13449:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13450:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13451:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13452:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13453:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13454:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13455:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13456:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13457:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13458:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13459:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13460:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13461:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13462:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13463:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13464:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13465:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13466:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13467:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13468:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13469:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13470:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13471:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13472:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13473:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    ...
    
    13489:  ##[warning]Volumes shared between containers can cause data corruption or can be used to share malicious files between containers.
    13490:  ##[warning]Volumes shared between containers can cause data corruption or can be used to share malicious files between containers.
    13491:  ##[warning]Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited
    13492:  ##[warning]Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited
    13493:  ##[warning]Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited
    13494:  ##[warning]Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited
    13495:  ##[warning]Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited
    13496:  KICS scan status code: 50
    13497:  ##[error]KICS scan failed with exit code 50
    ...
    
    13503:  matrix: null
    13504:  wait-for-processing: true
    13505:  env:
    13506:  CONFIG: 
    13507:  CONFIG_FILE: 
    13508:  DEBUG: 
    13509:  SCAN_PATH: .
    13510:  ##[endgroup]
    13511:  ##[error]CodeQL Action major versions v1 and v2 have been deprecated. Please update all occurrences of the CodeQL Action in your workflow files to v3. For more information, see https://github.blog/changelog/2025-01-10-code-scanning-codeql-action-v2-is-now-deprecated/
    

    ✨ CI feedback usage guide:

    The CI feedback tool (/checks) automatically triggers when a PR has a failed check.
    The tool analyzes the failed checks and provides several feedbacks:

    • Failed stage
    • Failed test name
    • Failure summary
    • Relevant error logs

    In addition to being automatically triggered, the tool can also be invoked manually by commenting on a PR:

    /checks "https://github.com/{repo_name}/actions/runs/{run_number}/job/{job_number}"
    

    where {repo_name} is the name of the repository, {run_number} is the run number of the failed check, and {job_number} is the job number of the failed check.

    Configuration options

    • enable_auto_checks_feedback - if set to true, the tool will automatically provide feedback when a check is failed. Default is true.
    • excluded_checks_list - a list of checks to exclude from the feedback, for example: ["check1", "check2"]. Default is an empty list.
    • enable_help_text - if set to true, the tool will provide a help message with the feedback. Default is true.
    • persistent_comment - if set to true, the tool will overwrite a previous checks comment with the new feedback. Default is true.
    • final_update_message - if persistent_comment is true and updating a previous checks message, the tool will also create a new message: "Persistent checks updated to latest commit". Default is true.

    See more information about the checks tool in the docs.

    @qodo-code-review

    CI Failure Feedback 🧐

    Action: Trivy / Config Scan Action

    Failed stage: Trivy Config severity exit 1 [❌]

    Failure summary:

    The action failed due to multiple security misconfigurations found by the Trivy scanner:

    1. Most Dockerfile configurations lack a USER command to run containers as non-root users, which is
    a security best practice to prevent container escape situations (AVD-DS-0002)

    2. Multiple Kubernetes configurations have security issues:
    - Overly permissive role permissions
    - Missing security contexts
    - Mounting docker.sock which gives container root access to host

    3. CloudFormation templates have security misconfigurations related to:
    - Missing encryption settings
    - Insecure volume configurations
    - Missing security group restrictions

    The pipeline was configured to fail if HIGH or CRITICAL severity issues were found.

    Relevant error logs:
    1:  ##[group]Operating System
    2:  Ubuntu
    ...
    
    611:  ##[endgroup]
    612:  ##[group]Checking out the ref
    613:  [command]/usr/bin/git checkout --progress --force -B master refs/remotes/origin/master
    614:  branch 'master' set up to track 'origin/master'.
    615:  Reset branch 'master'
    616:  ##[endgroup]
    617:  [command]/usr/bin/git log -1 --format='%H'
    618:  '1628b65536f2cfb683e7139d13f5f9c34000f16f'
    619:  ##[group]Run # fail the pipeline if any of the issues are in $SEVERITY eg. HIGH,CRITICAL
    620:  # fail the pipeline if any of the issues are in $SEVERITY eg. HIGH,CRITICAL
    ...
    
    628:  + trivy config . --exit-code 1 --severity HIGH,CRITICAL
    629:  INFO	[misconfig] Misconfiguration scanning is enabled
    630:  INFO	[misconfig] Need to update the built-in checks
    631:  INFO	[misconfig] Downloading the built-in checks...
    632:  160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100msWARN	[cloudformation parser] Missing parameter values	file_path="bash-tools/templates/ec2.yaml" parameters="KeyName"
    633:  INFO	Detected config files	num=411
    634:  bash-tools/kubernetes-configs/argocd/base/cm.azure-ad.patch.yaml (kubernetes)
    635:  =============================================================================
    636:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    641:  See https://avd.aquasec.com/misconfig/avd-ksv-0109
    642:  ────────────────────────────────────────
    643:  bash-tools/kubernetes-configs/argocd/base/cm.azure-ad.patch.yaml:42
    644:  ────────────────────────────────────────
    645:  42 [ ---
    646:  ────────────────────────────────────────
    647:  bash-tools/kubernetes-configs/argocd/base/cm.repos.patch.yaml (kubernetes)
    648:  ==========================================================================
    649:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    654:  See https://avd.aquasec.com/misconfig/avd-ksv-0109
    655:  ────────────────────────────────────────
    656:  bash-tools/kubernetes-configs/argocd/base/cm.repos.patch.yaml:38
    657:  ────────────────────────────────────────
    658:  38 [ ---
    659:  ────────────────────────────────────────
    660:  bash-tools/kubernetes-configs/argocd/base/repo-server.kustomize.patch.yaml (kubernetes)
    661:  =======================================================================================
    662:  Tests: 34 (SUCCESSES: 32, FAILURES: 2)
    ...
    
    682:  bash-tools/kubernetes-configs/argocd/base/repo-server.kustomize.patch.yaml:41-53
    683:  ────────────────────────────────────────
    684:  41 ┌         - name: download-tools
    685:  42 │           image: alpine:3.8
    686:  43 │           command: [sh, -c]
    687:  44 │           env:
    688:  45 │             # XXX: Edit Kustomize version here
    689:  46 │             - name: KUSTOMIZE_VERSION
    690:  47 │               value: 4.5.7  # needs to be fairly recent to bypass error 'unknown field "includeCRDs"' when combining Kustomize + Helm with includeCRDs option seen in adjacent *-kustomization.yaml
    691:  48 │           args:
    692:  49 └             - wget -qO- https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv$(KUSTOMIZE_VERSION)/kustomize_v$(KUSTOMIZE_VERSION)_linux_amd64.tar.gz | tar -xvzf - &&
    693:  ..   
    694:  ────────────────────────────────────────
    695:  bash-tools/kubernetes-configs/buildkite/base/buildkite-agent.yaml (kubernetes)
    696:  ==============================================================================
    697:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    711:  84 │             - name: BUILDKITE_AGENT_TOKEN
    712:  85 │               valueFrom:
    713:  86 │                 secretKeyRef:
    714:  87 └                   name: buildkite-agent-token
    715:  ..   
    716:  ────────────────────────────────────────
    717:  bash-tools/kubernetes-configs/circleci/base/circleci-runner-deployment.yaml (kubernetes)
    718:  ========================================================================================
    719:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    733:  93 │           # https://circleci.com/docs/2.0/runner-config-reference/
    734:  94 │           #
    735:  95 │           env:
    736:  96 └             - name: CIRCLECI_RESOURCE_CLASS
    737:  ..   
    738:  ────────────────────────────────────────
    739:  bash-tools/kubernetes-configs/clair/base/deployment.yaml (kubernetes)
    740:  =====================================================================
    741:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    755:  50 │               protocol: TCP
    756:  51 │             - containerPort: 8089
    757:  52 │               name: clair-health
    758:  53 └               protocol: TCP
    759:  ..   
    760:  ────────────────────────────────────────
    761:  bash-tools/kubernetes-configs/cloud-sql-proxy/base/deployment.yaml (kubernetes)
    762:  ===============================================================================
    763:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    777:  86 │             # XXX: trade off exposing listener on 0.0.0.0 required for having a kubernetes health check
    778:  87 │             #- "-instances=$(CLOUD_SQL_INSTANCE)=tcp:0.0.0.0:3306"  # mysql
    779:  88 │             - "-instances=$(CLOUD_SQL_INSTANCE)=tcp:0.0.0.0:5432"   # postgres
    780:  89 └             - "-use_http_health_check"
    781:  ..   
    782:  ────────────────────────────────────────
    783:  bash-tools/kubernetes-configs/daemonset.yaml (kubernetes)
    784:  =========================================================
    785:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    799:  49 │               port: http
    800:  50 │             initialDelaySeconds: 60
    801:  51 │             periodSeconds: 10
    802:  52 └             timeoutSeconds: 5
    803:  ..   
    804:  ────────────────────────────────────────
    805:  bash-tools/kubernetes-configs/deployment-stress.yaml (kubernetes)
    806:  =================================================================
    807:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    821:  62 │             - "2"
    822:  63 │             - -mem-total
    823:  64 │             - 950Mi
    824:  65 └             - -mem-alloc-size
    825:  ..   
    826:  ────────────────────────────────────────
    827:  bash-tools/kubernetes-configs/deployment.yaml (kubernetes)
    828:  ==========================================================
    829:  Tests: 36 (SUCCESSES: 32, FAILURES: 4)
    ...
    
    879:  bash-tools/kubernetes-configs/deployment.yaml:226-228
    880:  ────────────────────────────────────────
    881:  226 ┌         - name: init-mysql-service
    882:  227 │           image: busybox:latest
    883:  228 └           command: ['sh', '-c', 'until nslookup mysql; do echo waiting for mysql service DNS to come up; sleep 1; done']
    884:  ────────────────────────────────────────
    885:  bash-tools/kubernetes-configs/docker-in-docker/base/statefulset.yaml (kubernetes)
    886:  =================================================================================
    887:  Tests: 33 (SUCCESSES: 31, FAILURES: 2)
    ...
    
    919:  91 │           ports:
    920:  92 │             - name: http
    921:  93 │               containerPort: 2375
    922:  94 └               protocol: TCP
    923:  ..   
    924:  ────────────────────────────────────────
    925:  bash-tools/kubernetes-configs/echoserver.yaml (kubernetes)
    926:  ==========================================================
    927:  Tests: 34 (SUCCESSES: 33, FAILURES: 1)
    ...
    
    941:  82 │             - name: NODE_NAME
    942:  83 │               valueFrom:
    943:  84 │                 fieldRef:
    944:  85 └                   fieldPath: spec.nodeName
    945:  ..   
    946:  ────────────────────────────────────────
    947:  bash-tools/kubernetes-configs/git-askpass.configmap.yaml (kubernetes)
    948:  =====================================================================
    949:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    954:  See https://avd.aquasec.com/misconfig/avd-ksv-0109
    955:  ────────────────────────────────────────
    956:  bash-tools/kubernetes-configs/git-askpass.configmap.yaml:28
    957:  ────────────────────────────────────────
    958:  28 [ ---
    959:  ────────────────────────────────────────
    960:  bash-tools/kubernetes-configs/github-actions/base/github-actions-runner.yaml (kubernetes)
    961:  =========================================================================================
    962:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    976:  100 │             - --url
    977:  101 │             - https://github.com/<REPO_OR_ORG>  # XXX: replace
    978:  102 │             - --token
    979:  103 └             # XXX: kubectl create secret generic -n github-actions github-actions-runner-token --from-literal=github-actions-runner-token=TOKEN
    980:  ...   
    981:  ────────────────────────────────────────
    982:  bash-tools/kubernetes-configs/init-container-fix.patch.yaml (kubernetes)
    983:  ========================================================================
    984:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    996:  40 │           command: ['sh', '-c', 'chown -R 8983:8983 /var/solr']
    997:  41 │           volumeMounts:
    998:  42 │             # XXX: Edit to match containers
    999:  43 │             - name: var-solr
    1000:  44 └               mountPath: /var/solr/
    1001:  ────────────────────────────────────────
    1002:  bash-tools/kubernetes-configs/jenkins/base/agent-pod.yaml (kubernetes)
    1003:  ======================================================================
    1004:  Tests: 48 (SUCCESSES: 32, FAILURES: 16)
    ...
    
    1288:  258 │       command:
    1289:  259 │         - cat
    1290:  260 │       tty: true
    1291:  261 └       resources:
    1292:  ...   
    1293:  ────────────────────────────────────────
    1294:  bash-tools/kubernetes-configs/jenkins/base/agent.cloud-pod-DooD.yaml (kubernetes)
    1295:  =================================================================================
    1296:  Tests: 33 (SUCCESSES: 31, FAILURES: 2)
    ...
    
    1299:  ════════════════════════════════════════
    1300:  Mounting docker.sock from the host can give the container full root access to the host.
    1301:  See https://avd.aquasec.com/misconfig/ksv006
    1302:  ────────────────────────────────────────
    1303:  bash-tools/kubernetes-configs/jenkins/base/agent.cloud-pod-DooD.yaml:45-124
    1304:  ────────────────────────────────────────
    1305:  45 ┌   priorityClassName: high-priority  # requires priorityclass.yaml
    1306:  46 │   affinity:
    1307:  47 │     # avoid preemption which can cause build failures
    ...
    
    1328:  95 │       imagePullPolicy: IfNotPresent
    1329:  96 │       readinessProbe:
    1330:  97 │         tcpSocket:
    1331:  98 └           port: 50001
    1332:  ..   
    1333:  ────────────────────────────────────────
    1334:  bash-tools/kubernetes-configs/jenkins/base/agent.statefulset-DooD.yaml (kubernetes)
    1335:  ===================================================================================
    1336:  Tests: 34 (SUCCESSES: 31, FAILURES: 3)
    ...
    
    1386:  149 │           #image: khulnasoft/jenkins-agent-docker:4.6
    1387:  150 │           imagePullPolicy: IfNotPresent
    1388:  151 │           workingDir: /var/jenkins
    1389:  152 └           command:
    1390:  ...   
    1391:  ────────────────────────────────────────
    1392:  bash-tools/kubernetes-configs/jenkins/base/server-role.yaml (kubernetes)
    1393:  ========================================================================
    1394:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    1401:  bash-tools/kubernetes-configs/jenkins/base/server-role.yaml:26-28
    1402:  ────────────────────────────────────────
    1403:  26 ┌   - apiGroups: ["", "apps"] # "" indicates the core API group
    1404:  27 │     resources: ["*"]
    1405:  28 └     verbs: ["*"]
    1406:  ────────────────────────────────────────
    1407:  bash-tools/kubernetes-configs/jenkins/base/server.yaml (kubernetes)
    1408:  ===================================================================
    1409:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    1411:  AVD-KSV-0014 (HIGH): Container 'jenkins' of StatefulSet 'jenkins' should set 'securityContext.readOnlyRootFilesystem' to true
    1412:  ════════════════════════════════════════
    1413:  An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
    1414:  See https://avd.aquasec.com/misconfig/ksv014
    1415:  ────────────────────────────────────────
    1416:  bash-tools/kubernetes-configs/jenkins/base/server.yaml:81-130
    1417:  ────────────────────────────────────────
    1418:  81 ┌         - name: jenkins
    1419:  82 │           # NOTE: BEWARE LTS tag will auto-upgrade - will inevitably break some plugins which could break SSO login or all pipelines referencing plugin method such as slackSend with the error below:
    1420:  83 │           #
    1421:  84 │           #         java.lang.NoSuchMethodError: 'com.google.common.hash.HashCode com.google.common.hash.HashFunction.hashString(java.lang.CharSequence)'
    ...
    
    1423:  86 │           # TODO: FIX to a specific LTS version number
    1424:  87 │           image: jenkins/jenkins:lts
    1425:  88 │           #image: jenkins/jenkins:2.228
    1426:  89 └           ports:
    1427:  ..   
    1428:  ────────────────────────────────────────
    1429:  bash-tools/kubernetes-configs/jenkins/overlay/jcasc-cm.patch.yaml (kubernetes)
    1430:  ==============================================================================
    1431:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    1436:  See https://avd.aquasec.com/misconfig/avd-ksv-0109
    1437:  ────────────────────────────────────────
    1438:  bash-tools/kubernetes-configs/jenkins/overlay/jcasc-cm.patch.yaml:27
    1439:  ────────────────────────────────────────
    1440:  27 [ ---
    1441:  ────────────────────────────────────────
    1442:  bash-tools/kubernetes-configs/job.yaml (kubernetes)
    1443:  ===================================================
    1444:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    1458:  49 │           args:
    1459:  50 │             - -Mbignum=bpi
    1460:  51 │             - -wle
    1461:  52 └             - print bpi(2000)
    1462:  ..   
    1463:  ────────────────────────────────────────
    1464:  bash-tools/kubernetes-configs/knative/base/knative-v1.9.3-serving-core.yaml (kubernetes)
    1465:  ========================================================================================
    1466:  Tests: 43 (SUCCESSES: 33, FAILURES: 10)
    ...
    
    1578:  bash-tools/kubernetes-configs/knative/base/knative-v1.9.3-serving-core.yaml:172-174
    1579:  ────────────────────────────────────────
    1580:  172 ┌   - apiGroups: ["admissionregistration.k8s.io"]
    1581:  173 │     resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
    1582:  174 └     verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
    1583:  ────────────────────────────────────────
    1584:  bash-tools/kubernetes-configs/octopus-deploy/base/octopus-deploy-mssql.yaml (kubernetes)
    1585:  ========================================================================================
    1586:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    1600:  56 │             - name: MSSQL_PID
    1601:  57 │               value: Express
    1602:  58 │             - name: ACCEPT_EULA
    1603:  59 └               value: 'Y'
    1604:  ..   
    1605:  ────────────────────────────────────────
    1606:  bash-tools/kubernetes-configs/octopus-deploy/base/octopus-deploy-sts.yaml (kubernetes)
    1607:  ======================================================================================
    1608:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    1622:  66 │           ports:
    1623:  67 │             - containerPort: 8080
    1624:  68 │               name: web
    1625:  69 └             - containerPort: 10943
    1626:  ..   
    1627:  ────────────────────────────────────────
    1628:  bash-tools/kubernetes-configs/pod.yaml (kubernetes)
    1629:  ===================================================
    1630:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    1644:  50 │       # environment variable remapping:
    1645:  51 │       # neither $(VAR) nor $VAR will work due to order of evaluation as these are evaluated only at yaml generation time which happens before pod creation, Kubernetes has no way of inferring the current value as this must be generated before the pod is created
    1646:  52 │       # instead do it inside the command / script
    1647:  53 └       #env:
    1648:  ..   
    1649:  ────────────────────────────────────────
    1650:  bash-tools/kubernetes-configs/selenium-grid-distributed/base/selenium-grid-distributor.yaml (kubernetes)
    1651:  ========================================================================================================
    1652:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    1666:  69 │             - name: JAVA_OPTS
    1667:  70 │               value: "-Xmx512m"
    1668:  71 │             - name: SE_EVENT_BUS_HOST
    1669:  72 └               value: "selenium-event-bus"
    1670:  ..   
    1671:  ────────────────────────────────────────
    1672:  bash-tools/kubernetes-configs/selenium-grid-distributed/base/selenium-grid-event-bus.yaml (kubernetes)
    1673:  ======================================================================================================
    1674:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    1688:  69 │             - containerPort: 5557
    1689:  70 │           env:
    1690:  71 │             - name: JAVA_OPTS
    1691:  72 └               value: "-Xmx512m"
    1692:  ..   
    1693:  ────────────────────────────────────────
    1694:  bash-tools/kubernetes-configs/selenium-grid-distributed/base/selenium-grid-node-chrome.yaml (kubernetes)
    1695:  ========================================================================================================
    1696:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    1710:  69 │             - containerPort: 5555
    1711:  70 │             - containerPort: 5900  # VNC
    1712:  71 │             - containerPort: 7900  # noVNC (browser)
    1713:  72 └           env:
    1714:  ..   
    1715:  ────────────────────────────────────────
    1716:  bash-tools/kubernetes-configs/selenium-grid-distributed/base/selenium-grid-node-edge.yaml (kubernetes)
    1717:  ======================================================================================================
    1718:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    1732:  69 │             - containerPort: 5900  # VNC
    1733:  70 │             - containerPort: 7900  # noVNC (browser)
    1734:  71 │           env:
    1735:  72 └             - name: JAVA_OPTS
    1736:  ..   
    1737:  ────────────────────────────────────────
    1738:  bash-tools/kubernetes-configs/selenium-grid-distributed/base/selenium-grid-node-firefox.yaml (kubernetes)
    1739:  =========================================================================================================
    1740:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    1754:  69 │             - containerPort: 5555
    1755:  70 │             - containerPort: 5900  # VNC
    1756:  71 │             - containerPort: 7900  # noVNC (browser)
    1757:  72 └           env:
    1758:  ..   
    1759:  ────────────────────────────────────────
    1760:  bash-tools/kubernetes-configs/selenium-grid-distributed/base/selenium-grid-router.yaml (kubernetes)
    1761:  ===================================================================================================
    1762:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    1776:  69 │             - name: JAVA_OPTS
    1777:  70 │               value: "-Xmx512m"
    1778:  71 │             - name: SE_DISTRIBUTOR_HOST
    1779:  72 └               value: "selenium-distributor"
    1780:  ..   
    1781:  ────────────────────────────────────────
    1782:  bash-tools/kubernetes-configs/selenium-grid-distributed/base/selenium-grid-session-queue.yaml (kubernetes)
    1783:  ==========================================================================================================
    1784:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    1798:  69 │             - name: JAVA_OPTS
    1799:  70 │               value: "-Xmx512m"
    1800:  71 │             - name: SE_EVENT_BUS_HOST
    1801:  72 └               value: "selenium-event-bus"
    1802:  ..   
    1803:  ────────────────────────────────────────
    1804:  bash-tools/kubernetes-configs/selenium-grid-distributed/base/selenium-grid-sessions.yaml (kubernetes)
    1805:  =====================================================================================================
    1806:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    1820:  69 │             - name: JAVA_OPTS
    1821:  70 │               value: "-Xmx512m"
    1822:  71 │             - name: SE_EVENT_BUS_HOST
    1823:  72 └               value: "selenium-event-bus"
    1824:  ..   
    1825:  ────────────────────────────────────────
    1826:  bash-tools/kubernetes-configs/selenium-grid/base/selenium-grid-hub.yaml (kubernetes)
    1827:  ====================================================================================
    1828:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    1842:  74 │             - containerPort: 5555  # needed for status in webdriver protocol
    1843:  75 │           env:
    1844:  76 │             - name: JAVA_OPTS
    1845:  77 └               value: "-Xms1G -Xmx1G"
    1846:  ..   
    1847:  ────────────────────────────────────────
    1848:  bash-tools/kubernetes-configs/selenium-grid/base/selenium-grid-node-chrome.yaml (kubernetes)
    1849:  ============================================================================================
    1850:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    1864:  69 │             - containerPort: 5555
    1865:  70 │             - containerPort: 5900  # VNC
    1866:  71 │             - containerPort: 7900  # noVNC (browser)
    1867:  72 └           env:
    1868:  ..   
    1869:  ────────────────────────────────────────
    1870:  bash-tools/kubernetes-configs/selenium-grid/base/selenium-grid-node-edge.yaml (kubernetes)
    1871:  ==========================================================================================
    1872:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    1886:  69 │             - containerPort: 5900  # VNC
    1887:  70 │             - containerPort: 7900  # noVNC (browser)
    1888:  71 │           env:
    1889:  72 └             - name: JAVA_OPTS
    1890:  ..   
    1891:  ────────────────────────────────────────
    1892:  bash-tools/kubernetes-configs/selenium-grid/base/selenium-grid-node-firefox.yaml (kubernetes)
    1893:  =============================================================================================
    1894:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    1908:  69 │             - containerPort: 5555
    1909:  70 │             - containerPort: 5900  # VNC
    1910:  71 │             - containerPort: 7900  # noVNC (browser)
    1911:  72 └           env:
    1912:  ..   
    1913:  ────────────────────────────────────────
    1914:  bash-tools/kubernetes-configs/service-external-name.yaml (kubernetes)
    1915:  =====================================================================
    1916:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    1921:  See https://avd.aquasec.com/misconfig/avd-ksv-0108
    1922:  ────────────────────────────────────────
    1923:  bash-tools/kubernetes-configs/service-external-name.yaml:26
    1924:  ────────────────────────────────────────
    1925:  26 [ ---
    1926:  ────────────────────────────────────────
    1927:  bash-tools/kubernetes-configs/teamcity/base/teamcity-agent-cloudprofile-deployment.yaml (kubernetes)
    1928:  ====================================================================================================
    1929:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    1943:  125 │             - containerPort: 9090
    1944:  126 │           #securityContext:
    1945:  127 │           #  # required for DOCKER_IN_DOCKER
    1946:  128 └           #  privileged: true
    1947:  ...   
    1948:  ────────────────────────────────────────
    1949:  bash-tools/kubernetes-configs/teamcity/base/teamcity-agent.yaml (kubernetes)
    1950:  ============================================================================
    1951:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    1965:  112 │             - containerPort: 9090
    1966:  113 │           #securityContext:
    1967:  114 │           #  # required for DOCKER_IN_DOCKER
    1968:  115 └           #  privileged: true
    1969:  ...   
    1970:  ────────────────────────────────────────
    1971:  bash-tools/kubernetes-configs/teamcity/base/teamcity-server-role.yaml (kubernetes)
    1972:  ==================================================================================
    1973:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    1980:  bash-tools/kubernetes-configs/teamcity/base/teamcity-server-role.yaml:26-28
    1981:  ────────────────────────────────────────
    1982:  26 ┌   - apiGroups: ["", "apps"] # "" indicates the core API group
    1983:  27 │     resources: ["*"]
    1984:  28 └     verbs: ["*"]
    1985:  ────────────────────────────────────────
    1986:  bash-tools/kubernetes-configs/teamcity/base/teamcity-server.yaml (kubernetes)
    1987:  =============================================================================
    1988:  Tests: 33 (SUCCESSES: 32, FAILURES: 1)
    ...
    
    2002:  86 │           #
    2003:  87 │           #   https://youtrack.jetbrains.com/issue/TW-62305
    2004:  88 │           #
    2005:  89 └           # don't use readiness probe, prevents accessing default /mnt page during bootup and just delays 503
    2006:  ..   
    2007:  ────────────────────────────────────────
    2008:  bash-tools/kubernetes-configs/traefik/base/old.yaml (kubernetes)
    2009:  ================================================================
    2010:  Tests: 36 (SUCCESSES: 33, FAILURES: 3)
    ...
    
    2060:  60 │               hostPort: 80
    2061:  61 │             - name: admin
    2062:  62 │               containerPort: 8080
    2063:  63 └               hostPort: 8080
    2064:  ..   
    2065:  ────────────────────────────────────────
    2066:  bash-tools/kubernetes-configs/whoami.yaml (kubernetes)
    2067:  ======================================================
    2068:  Tests: 35 (SUCCESSES: 33, FAILURES: 2)
    ...
    
    2100:  301 │           ports:
    2101:  302 │             - containerPort: 80
    2102:  303 │           readinessProbe:
    2103:  304 └             httpGet:
    2104:  ...   
    2105:  ────────────────────────────────────────
    2106:  bash-tools/templates/Dockerfile (dockerfile)
    2107:  ============================================
    2108:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    ...
    
    2113:  See https://avd.aquasec.com/misconfig/ds012
    2114:  ────────────────────────────────────────
    2115:  bash-tools/templates/Dockerfile:223
    2116:  ────────────────────────────────────────
    2117:  223 [ FROM golang:1.15 as builder
    2118:  ────────────────────────────────────────
    2119:  bash-tools/templates/ec2.yaml (cloudformation)
    2120:  ==============================================
    2121:  Tests: 19 (SUCCESSES: 17, FAILURES: 2)
    ...
    
    2155:  19 │       KeyName: !Ref KeyName
    2156:  20 │       SecurityGroups:
    2157:  21 │         - Ref: InstanceSecurityGroup
    2158:  22 └       Tags:
    2159:  ..   
    2160:  ────────────────────────────────────────
    2161:  bash-tools/vagrant-configs/kubernetes/calico.yaml (kubernetes)
    2162:  ==============================================================
    2163:  Tests: 43 (SUCCESSES: 33, FAILURES: 10)
    ...
    
    2333:  3462 │               valueFrom:
    2334:  3463 │                 fieldRef:
    2335:  3464 │                   fieldPath: spec.nodeName
    2336:  3465 └             - name: CALICO_NETWORKING_BACKEND
    2337:  ....   
    2338:  ────────────────────────────────────────
    2339:  docker-images/alluxio/Dockerfile (dockerfile)
    2340:  =============================================
    2341:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2342:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2343:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2344:  ════════════════════════════════════════
    2345:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2346:  See https://avd.aquasec.com/misconfig/ds002
    2347:  ────────────────────────────────────────
    2348:  docker-images/alpine-dev/Dockerfile (dockerfile)
    2349:  ================================================
    2350:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2351:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2352:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2353:  ════════════════════════════════════════
    2354:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2355:  See https://avd.aquasec.com/misconfig/ds002
    2356:  ────────────────────────────────────────
    2357:  docker-images/alpine-github/Dockerfile (dockerfile)
    2358:  ===================================================
    2359:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2360:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2361:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2362:  ════════════════════════════════════════
    2363:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2364:  See https://avd.aquasec.com/misconfig/ds002
    2365:  ────────────────────────────────────────
    2366:  docker-images/alpine-java/Dockerfile (dockerfile)
    2367:  =================================================
    2368:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2369:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2370:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2371:  ════════════════════════════════════════
    2372:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2373:  See https://avd.aquasec.com/misconfig/ds002
    2374:  ────────────────────────────────────────
    2375:  docker-images/apache-drill/Dockerfile (dockerfile)
    2376:  ==================================================
    2377:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2378:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2379:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2380:  ════════════════════════════════════════
    2381:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2382:  See https://avd.aquasec.com/misconfig/ds002
    2383:  ────────────────────────────────────────
    2384:  docker-images/appveyor-centos/Dockerfile (dockerfile)
    2385:  =====================================================
    2386:  Tests: 21 (SUCCESSES: 19, FAILURES: 2)
    ...
    
    2399:  ────────────────────────────────────────
    2400:  25 ┌ RUN yum install -y curl && \
    2401:  26 │     curl -sS https://raw.githubusercontent.com/KhulnaSoft/DevOps-Bash-tools/master/install/install_powershell_rhel.sh | bash && \
    2402:  27 │     curl -sS https://raw.githubusercontent.com/KhulnaSoft/DevOps-Bash-tools/master/install/install_appveyor_byoc.sh | bash && \
    2403:  28 └     curl -sS https://raw.githubusercontent.com/KhulnaSoft/bash-tools/master/bin/clean_caches.sh | sh
    2404:  ────────────────────────────────────────
    2405:  docker-images/appveyor-debian/Dockerfile (dockerfile)
    2406:  =====================================================
    2407:  Tests: 21 (SUCCESSES: 19, FAILURES: 2)
    ...
    
    2424:  28 │     apt-get install -y curl && \
    2425:  29 │     curl -sS https://raw.githubusercontent.com/KhulnaSoft/DevOps-Bash-tools/master/install/install_powershell_debian.sh | bash && \
    2426:  30 │     curl -sS https://raw.githubusercontent.com/KhulnaSoft/DevOps-Bash-tools/master/install/install_appveyor_byoc.sh | bash && \
    2427:  31 │     curl -sS https://raw.githubusercontent.com/KhulnaSoft/bash-tools/master/bin/clean_caches.sh | sh \
    2428:  32 └     '
    2429:  ────────────────────────────────────────
    2430:  docker-images/appveyor-ubuntu/Dockerfile (dockerfile)
    2431:  =====================================================
    2432:  Tests: 21 (SUCCESSES: 19, FAILURES: 2)
    ...
    
    2450:  29 │     curl -sS https://raw.githubusercontent.com/KhulnaSoft/DevOps-Bash-tools/master/install/install_powershell_ubuntu.sh | bash && \
    2451:  30 │     rm -fv packages-microsoft-prod.deb && \
    2452:  31 │     curl -sS https://raw.githubusercontent.com/KhulnaSoft/DevOps-Bash-tools/master/install/install_appveyor_byoc.sh | bash && \
    2453:  32 │     curl -sS https://raw.githubusercontent.com/KhulnaSoft/bash-tools/master/bin/clean_caches.sh | sh \
    2454:  33 └     '
    2455:  ────────────────────────────────────────
    2456:  docker-images/awless/Dockerfile (dockerfile)
    2457:  ============================================
    2458:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2459:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2460:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2461:  ════════════════════════════════════════
    2462:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2463:  See https://avd.aquasec.com/misconfig/ds002
    2464:  ────────────────────────────────────────
    2465:  docker-images/backstage/Dockerfile (dockerfile)
    2466:  ===============================================
    2467:  Tests: 21 (SUCCESSES: 19, FAILURES: 2)
    ...
    
    2479:  docker-images/backstage/Dockerfile:39-41
    2480:  ────────────────────────────────────────
    2481:  39 ┌ RUN apt-get update && \
    2482:  40 │     apt-get install -y curl && \
    2483:  41 └     curl -sSL "$RELEASE_URL" | tar zxv --strip-components=1
    2484:  ────────────────────────────────────────
    2485:  docker-images/cassandra-dev/Dockerfile (dockerfile)
    2486:  ===================================================
    2487:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2488:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2489:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2490:  ════════════════════════════════════════
    2491:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2492:  See https://avd.aquasec.com/misconfig/ds002
    2493:  ────────────────────────────────────────
    2494:  docker-images/centos-dev/Dockerfile (dockerfile)
    2495:  ================================================
    2496:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2497:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2498:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2499:  ════════════════════════════════════════
    2500:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2501:  See https://avd.aquasec.com/misconfig/ds002
    2502:  ────────────────────────────────────────
    2503:  docker-images/centos-github/Dockerfile (dockerfile)
    2504:  ===================================================
    2505:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2506:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2507:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2508:  ════════════════════════════════════════
    2509:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2510:  See https://avd.aquasec.com/misconfig/ds002
    2511:  ────────────────────────────────────────
    2512:  docker-images/centos-java/Dockerfile (dockerfile)
    2513:  =================================================
    2514:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2515:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2516:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2517:  ════════════════════════════════════════
    2518:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2519:  See https://avd.aquasec.com/misconfig/ds002
    2520:  ────────────────────────────────────────
    2521:  docker-images/centos-scala/Dockerfile (dockerfile)
    2522:  ==================================================
    2523:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2524:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2525:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2526:  ════════════════════════════════════════
    2527:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2528:  See https://avd.aquasec.com/misconfig/ds002
    2529:  ────────────────────────────────────────
    2530:  docker-images/collectd/Dockerfile (dockerfile)
    2531:  ==============================================
    2532:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2533:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2534:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2535:  ════════════════════════════════════════
    2536:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2537:  See https://avd.aquasec.com/misconfig/ds002
    2538:  ────────────────────────────────────────
    2539:  docker-images/consul-dev/Dockerfile (dockerfile)
    2540:  ================================================
    2541:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2542:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2543:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2544:  ════════════════════════════════════════
    2545:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2546:  See https://avd.aquasec.com/misconfig/ds002
    2547:  ────────────────────────────────────────
    2548:  docker-images/consul/Dockerfile (dockerfile)
    2549:  ============================================
    2550:  Tests: 21 (SUCCESSES: 19, FAILURES: 2)
    ...
    
    2569:  44 │     wget -t 100 --retry-connrefused -O "consul_${CONSUL_VERSION}_linux_amd64.zip" "https://releases.hashicorp.com/consul/${CONSUL_VERSION}/consul_${CONSUL_VERSION}_linux_amd64.zip" && \
    2570:  45 │     unzip "consul_${CONSUL_VERSION}_linux_amd64.zip" && \
    2571:  46 │     rm -fv "consul_${CONSUL_VERSION}_linux_amd64.zip" && \
    2572:  47 └     chmod +x consul && \
    2573:  ..   
    2574:  ────────────────────────────────────────
    2575:  docker-images/debian-dev/Dockerfile (dockerfile)
    2576:  ================================================
    2577:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2578:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2579:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2580:  ════════════════════════════════════════
    2581:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2582:  See https://avd.aquasec.com/misconfig/ds002
    2583:  ────────────────────────────────────────
    2584:  docker-images/debian-github/Dockerfile (dockerfile)
    2585:  ===================================================
    2586:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2587:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2588:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2589:  ════════════════════════════════════════
    2590:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2591:  See https://avd.aquasec.com/misconfig/ds002
    2592:  ────────────────────────────────────────
    2593:  docker-images/debian-java/Dockerfile (dockerfile)
    2594:  =================================================
    2595:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2596:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2597:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2598:  ════════════════════════════════════════
    2599:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2600:  See https://avd.aquasec.com/misconfig/ds002
    2601:  ────────────────────────────────────────
    2602:  docker-images/devops-bash-tools-alpine/Dockerfile (dockerfile)
    2603:  ==============================================================
    2604:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2605:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2606:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2607:  ════════════════════════════════════════
    2608:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2609:  See https://avd.aquasec.com/misconfig/ds002
    2610:  ────────────────────────────────────────
    2611:  docker-images/devops-bash-tools-centos/Dockerfile (dockerfile)
    2612:  ==============================================================
    2613:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2614:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2615:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2616:  ════════════════════════════════════════
    2617:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2618:  See https://avd.aquasec.com/misconfig/ds002
    2619:  ────────────────────────────────────────
    2620:  docker-images/devops-bash-tools-debian/Dockerfile (dockerfile)
    2621:  ==============================================================
    2622:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2623:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2624:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2625:  ════════════════════════════════════════
    2626:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2627:  See https://avd.aquasec.com/misconfig/ds002
    2628:  ────────────────────────────────────────
    2629:  docker-images/devops-bash-tools-fedora/Dockerfile (dockerfile)
    2630:  ==============================================================
    2631:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2632:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2633:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2634:  ════════════════════════════════════════
    2635:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2636:  See https://avd.aquasec.com/misconfig/ds002
    2637:  ────────────────────────────────────────
    2638:  docker-images/devops-bash-tools-ubuntu/Dockerfile (dockerfile)
    2639:  ==============================================================
    2640:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2641:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2642:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2643:  ════════════════════════════════════════
    2644:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2645:  See https://avd.aquasec.com/misconfig/ds002
    2646:  ────────────────────────────────────────
    2647:  docker-images/devops-golang-tools-debian/Dockerfile (dockerfile)
    2648:  ================================================================
    2649:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2650:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2651:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2652:  ════════════════════════════════════════
    2653:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2654:  See https://avd.aquasec.com/misconfig/ds002
    2655:  ────────────────────────────────────────
    2656:  docker-images/devops-perl-tools-alpine/Dockerfile (dockerfile)
    2657:  ==============================================================
    2658:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2659:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2660:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2661:  ════════════════════════════════════════
    2662:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2663:  See https://avd.aquasec.com/misconfig/ds002
    2664:  ────────────────────────────────────────
    2665:  docker-images/devops-perl-tools-centos/Dockerfile (dockerfile)
    2666:  ==============================================================
    2667:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2668:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2669:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2670:  ════════════════════════════════════════
    2671:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2672:  See https://avd.aquasec.com/misconfig/ds002
    2673:  ────────────────────────────────────────
    2674:  docker-images/devops-perl-tools-debian/Dockerfile (dockerfile)
    2675:  ==============================================================
    2676:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2677:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2678:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2679:  ════════════════════════════════════════
    2680:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2681:  See https://avd.aquasec.com/misconfig/ds002
    2682:  ────────────────────────────────────────
    2683:  docker-images/devops-perl-tools-fedora/Dockerfile (dockerfile)
    2684:  ==============================================================
    2685:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2686:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2687:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2688:  ════════════════════════════════════════
    2689:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2690:  See https://avd.aquasec.com/misconfig/ds002
    2691:  ────────────────────────────────────────
    2692:  docker-images/devops-perl-tools-ubuntu/Dockerfile (dockerfile)
    2693:  ==============================================================
    2694:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2695:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2696:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2697:  ════════════════════════════════════════
    2698:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2699:  See https://avd.aquasec.com/misconfig/ds002
    2700:  ────────────────────────────────────────
    2701:  docker-images/devops-python-tools-alpine/Dockerfile (dockerfile)
    2702:  ================================================================
    2703:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2704:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2705:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2706:  ════════════════════════════════════════
    2707:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2708:  See https://avd.aquasec.com/misconfig/ds002
    2709:  ────────────────────────────────────────
    2710:  docker-images/devops-python-tools-centos/Dockerfile (dockerfile)
    2711:  ================================================================
    2712:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2713:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2714:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2715:  ════════════════════════════════════════
    2716:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2717:  See https://avd.aquasec.com/misconfig/ds002
    2718:  ────────────────────────────────────────
    2719:  docker-images/devops-python-tools-debian/Dockerfile (dockerfile)
    2720:  ================================================================
    2721:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2722:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2723:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2724:  ════════════════════════════════════════
    2725:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2726:  See https://avd.aquasec.com/misconfig/ds002
    2727:  ────────────────────────────────────────
    2728:  docker-images/devops-python-tools-fedora/Dockerfile (dockerfile)
    2729:  ================================================================
    2730:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2731:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2732:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2733:  ════════════════════════════════════════
    2734:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2735:  See https://avd.aquasec.com/misconfig/ds002
    2736:  ────────────────────────────────────────
    2737:  docker-images/devops-python-tools-ubuntu/Dockerfile (dockerfile)
    2738:  ================================================================
    2739:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2740:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2741:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2742:  ════════════════════════════════════════
    2743:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2744:  See https://avd.aquasec.com/misconfig/ds002
    2745:  ────────────────────────────────────────
    2746:  docker-images/devops-tools-alpine/Dockerfile (dockerfile)
    2747:  =========================================================
    2748:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2749:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2750:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2751:  ════════════════════════════════════════
    2752:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2753:  See https://avd.aquasec.com/misconfig/ds002
    2754:  ────────────────────────────────────────
    2755:  docker-images/devops-tools-centos/Dockerfile (dockerfile)
    2756:  =========================================================
    2757:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2758:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2759:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2760:  ════════════════════════════════════════
    2761:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2762:  See https://avd.aquasec.com/misconfig/ds002
    2763:  ────────────────────────────────────────
    2764:  docker-images/devops-tools-debian/Dockerfile (dockerfile)
    2765:  =========================================================
    2766:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2767:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2768:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2769:  ════════════════════════════════════════
    2770:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2771:  See https://avd.aquasec.com/misconfig/ds002
    2772:  ────────────────────────────────────────
    2773:  docker-images/devops-tools-fedora/Dockerfile (dockerfile)
    2774:  =========================================================
    2775:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2776:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2777:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2778:  ════════════════════════════════════════
    2779:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2780:  See https://avd.aquasec.com/misconfig/ds002
    2781:  ────────────────────────────────────────
    2782:  docker-images/devops-tools-ubuntu/Dockerfile (dockerfile)
    2783:  =========================================================
    2784:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2785:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2786:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2787:  ════════════════════════════════════════
    2788:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2789:  See https://avd.aquasec.com/misconfig/ds002
    2790:  ────────────────────────────────────────
    2791:  docker-images/fakes3/Dockerfile (dockerfile)
    2792:  ============================================
    2793:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2794:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2795:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2796:  ════════════════════════════════════════
    2797:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2798:  See https://avd.aquasec.com/misconfig/ds002
    2799:  ────────────────────────────────────────
    2800:  docker-images/fedora-dev/Dockerfile (dockerfile)
    2801:  ================================================
    2802:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2803:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2804:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2805:  ════════════════════════════════════════
    2806:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2807:  See https://avd.aquasec.com/misconfig/ds002
    2808:  ────────────────────────────────────────
    2809:  docker-images/fedora-github/Dockerfile (dockerfile)
    2810:  ===================================================
    2811:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2812:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2813:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2814:  ════════════════════════════════════════
    2815:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2816:  See https://avd.aquasec.com/misconfig/ds002
    2817:  ────────────────────────────────────────
    2818:  docker-images/fedora-java/Dockerfile (dockerfile)
    2819:  =================================================
    2820:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2821:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2822:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2823:  ════════════════════════════════════════
    2824:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2825:  See https://avd.aquasec.com/misconfig/ds002
    2826:  ────────────────────────────────────────
    2827:  docker-images/fedora-scala/Dockerfile (dockerfile)
    2828:  ==================================================
    2829:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2830:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2831:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2832:  ════════════════════════════════════════
    2833:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2834:  See https://avd.aquasec.com/misconfig/ds002
    2835:  ────────────────────────────────────────
    2836:  docker-images/git-kustomize/Dockerfile (dockerfile)
    2837:  ===================================================
    2838:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2839:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2840:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2841:  ════════════════════════════════════════
    2842:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2843:  See https://avd.aquasec.com/misconfig/ds002
    2844:  ────────────────────────────────────────
    2845:  docker-images/h2o/Dockerfile (dockerfile)
    2846:  =========================================
    2847:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2848:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2849:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2850:  ════════════════════════════════════════
    2851:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2852:  See https://avd.aquasec.com/misconfig/ds002
    2853:  ────────────────────────────────────────
    2854:  docker-images/hadoop-dev/Dockerfile (dockerfile)
    2855:  ================================================
    2856:  Tests: 21 (SUCCESSES: 19, FAILURES: 2)
    ...
    
    2867:  ────────────────────────────────────────
    2868:  docker-images/hadoop-dev/Dockerfile:32-33
    2869:  ────────────────────────────────────────
    2870:  32 ┌ RUN set -eux && \
    2871:  33 └     yum install -y openssh-server openssh-clients wget tar which
    2872:  ────────────────────────────────────────
    2873:  docker-images/hadoop/Dockerfile (dockerfile)
    2874:  ============================================
    2875:  Tests: 21 (SUCCESSES: 19, FAILURES: 2)
    ...
    
    2886:  ────────────────────────────────────────
    2887:  docker-images/hadoop/Dockerfile:32-33
    2888:  ────────────────────────────────────────
    2889:  32 ┌ RUN set -eux && \
    2890:  33 └     yum install -y openssh-server openssh-clients tar which
    2891:  ────────────────────────────────────────
    2892:  docker-images/hbase-dev/Dockerfile (dockerfile)
    2893:  ===============================================
    2894:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2895:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2896:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2897:  ════════════════════════════════════════
    2898:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2899:  See https://avd.aquasec.com/misconfig/ds002
    2900:  ────────────────────────────────────────
    2901:  docker-images/hbase/Dockerfile (dockerfile)
    2902:  ===========================================
    2903:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    2904:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    2905:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    2906:  ════════════════════════════════════════
    2907:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    2908:  See https://avd.aquasec.com/misconfig/ds002
    2909:  ────────────────────────────────────────
    2910:  docker-images/jenkins-agent-docker/Dockerfile (dockerfile)
    2911:  ==========================================================
    2912:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    ...
    
    2921:  31 ┌ RUN apt-get update && \
    2922:  32 │     apt-get install -y docker.io docker-compose && \
    2923:  33 │     curl -sS https://raw.githubusercontent.com/KhulnaSoft/bash-tools/master/bin/clean_caches.sh | sh && \
    2924:  34 │     apt-get clean && \
    2925:  35 └     rm -rf /var/lib/apt/lists/*
    2926:  ────────────────────────────────────────
    2927:  docker-images/jenkins-agent-php/Dockerfile (dockerfile)
    2928:  =======================================================
    2929:  Tests: 24 (SUCCESSES: 20, FAILURES: 4)
    ...
    
    2993:  72 │     curl https://download.newrelic.com/548C16BF.gpg | apt-key add - && \
    2994:  73 │     apt-get update && \
    2995:  74 │     apt-get -y install newrelic-php5 && \
    2996:  75 │     apt-get clean && \
    2997:  76 └     rm -rf /var/lib/apt/lists/*
    2998:  ────────────────────────────────────────
    2999:  docker-images/jenkins/Dockerfile (dockerfile)
    3000:  =============================================
    3001:  Tests: 21 (SUCCESSES: 20, FAILURES: 1)
    3002:  Failures: 1 (HIGH: 1, CRITICAL: 0)
    3003:  AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
    3004:  ════════════════════════════════════════
    3005:  Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    3006:  See https://avd.aquasec.com/misconfig/ds002
    3007:  ────────────────────────────────────────
    3008:  docker-images/jython-dev/Dockerfile (dockerfile)
    3009:  ================================================
    3010:  Tests: 21 (SUCCESSES: 19, FAILURES: 2)
    ...
    
    3029:  40 │     java -jar jython-installer.jar -s -t standard -d "$JYTHON_HOME" && \
    3030:  41 │     jython -m pip install jip mock && \
    3031:  42 │     rm -f jython-installer.jar && \
    3032:  43 └     ln -sfv "$JYT...

    @codiumai-pr-agent-free

    codiumai-pr-agent-free bot commented Jan 27, 2025

    CI Feedback 🧐

    (Feedback updated until commit 1628b65)

    A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

    Action: Kics / Kics Scan

    Failed stage: Kics Scan [❌]

    Failed test name: KICS security scan

    Failure summary:

    The action failed because the KICS (Keeping Infrastructure as Code Secure) scan detected security
    issues in the codebase with a severity level that triggered a failure. The scan exited with status
    code 50, which indicates failure.

    Key issues detected include:

  • Unpinned package versions in various package managers (apt, pip, apk)
  • Missing liveness probes in container configurations
  • Containers sharing host network namespace
  • Service account tokens shared between workloads
  • Serverless functions without Dead Letter Queue configuration
  • Containers using secrets as environment variables
  • Usage of default/system Kubernetes namespaces

    Additionally, there was a warning about using deprecated CodeQL Action versions (v1 and v2).

  • Relevant error logs:
    1:  ##[group]Operating System
    2:  Ubuntu
    ...
    
    777:  comments_with_queries: false
    778:  excluded_column_for_comments_with_queries: description_id,similarity_id,search_line,search_value
    779:  env:
    780:  CONFIG: 
    781:  CONFIG_FILE: 
    782:  DEBUG: 
    783:  SCAN_PATH: .
    784:  ##[endgroup]
    785:  ##[command]/usr/bin/docker run --name d4ee59fb9af4d7c13545fc8fe2d7f2e8016540_1dad18 --label d4ee59 --workdir /github/workspace --rm -e "CONFIG" -e "CONFIG_FILE" -e "DEBUG" -e "SCAN_PATH" -e "INPUT_PATH" -e "INPUT_FAIL_ON" -e "INPUT_IGNORE_ON_EXIT" -e "INPUT_OUTPUT_PATH" -e "INPUT_OUTPUT_FORMATS" -e "INPUT_QUERIES" -e "INPUT_TOKEN" -e "INPUT_ENABLE_ANNOTATIONS" -e "INPUT_ENABLE_COMMENTS" -e "INPUT_ENABLE_JOBS_SUMMARY" -e "INPUT_COMMENTS_WITH_QUERIES" -e "INPUT_EXCLUDED_COLUMN_FOR_COMMENTS_WITH_QUERIES" -e "INPUT_TIMEOUT" -e "INPUT_PROFILING" -e "INPUT_CONFIG_PATH" -e "INPUT_PLATFORM_TYPE" -e "INPUT_EXCLUDE_PATHS" -e "INPUT_EXCLUDE_QUERIES" -e "INPUT_EXCLUDE_CATEGORIES" -e "INPUT_EXCLUDE_RESULTS" -e "INPUT_EXCLUDE_SEVERITIES" -e "INPUT_EXCLUDE_GITIGNORE" -e "INPUT_PAYLOAD_PATH" -e "INPUT_SECRETS_REGEXES_PATH" -e "INPUT_LIBRARIES_PATH" -e "INPUT_DISABLE_FULL_DESCRIPTIONS" -e "INPUT_DISABLE_SECRETS" -e "INPUT_TYPE" -e "INPUT_VERBOSE" -e "INPUT_INCLUDE_QUERIES" -e "INPUT_BOM" -e "INPUT_CLOUD_PROVIDER" -e "INPUT_EXCLUDED_COLUMNS_FOR_COMMENTS_WITH_QUERIES" -e "WORKSPACE_PATH" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/DevX/DevX":"/github/workspace" d4ee59:fb9af4d7c13545fc8fe2d7f2e8016540  "." "" "" "" "" "" "" "" "" "" "" "" "" "json,sarif" "results" "" "" "" "" "" "" "" "" "" ""
    ...
    
    915:  052:     - name: Download Prometheus
    916:  053:       get_url:
    917:  054:         url: "https://github.com/prometheus/prometheus/releases/download/{{ prometheus_version }}/prometheus-{{ prometheus_version }}.linux-amd64.tar.gz"
    918:  [2]: bash-tools/ansible/prometheus_node_exporter/playbook.yml:47
    919:  046:     - name: Download Prometheus Node Exporter
    920:  047:       get_url:
    921:  048:         url: "https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz"
    922:  Liveness Probe Is Not Defined, Severity: INFO, Results: 25
    923:  Description: In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    ...
    
    1531:  004:   TestFunction:
    1532:  005:     Properties:
    1533:  006:       CodeUri: s3://myBucket/1a23456b78901c234d56e78fa9012bc3
    1534:  [2]: bash-tools/templates/lambda_func.yaml:6
    1535:  005:     Type: AWS::Serverless::Function
    1536:  006:     Properties:
    1537:  007:       Handler: index.handler
    1538:  Serverless Function Without Dead Letter Queue, Severity: LOW, Results: 1
    1539:  Description: Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter
    ...
    
    1789:  091:       # there is no lts tag at this time
    1790:  [43]: bash-tools/kubernetes-configs/teamcity/base/teamcity-agent-cloudprofile-deployment.yaml:120
    1791:  119:       containers:
    1792:  120:         - name: teamcity-agent
    1793:  121:           #image: jetbrains/teamcity-agent:2020.2.1
    1794:  [44]: bash-tools/kubernetes-configs/docker-in-docker/base/statefulset.yaml:111
    1795:  110:             # mkdir: can't create directory '/certs/ca': Read-only file system
    1796:  111:             readOnlyRootFilesystem: false
    1797:  112:             # [rootlesskit:parent] error: failed to setup UID/GID map: newuidmap 65 [0 1000 1 1 100000 65536] failed: : fork/exec /usr/bin/newuidmap: operation not permitted
    ...
    
    1865:  065:           image: selenium/sessions:4.1.2
    1866:  [62]: bash-tools/kubernetes-configs/clair/base/deployment.yaml:45
    1867:  044:       containers:
    1868:  045:         - name: clair
    1869:  046:           image: quay.io/projectquay/clair:4.6.1
    1870:  [63]: bash-tools/kubernetes-configs/jenkins/base/server.yaml:81
    1871:  080:       containers:
    1872:  081:         - name: jenkins
    1873:  082:           # NOTE: BEWARE LTS tag will auto-upgrade - will inevitably break some plugins which could break SSO login or all pipelines referencing plugin method such as slackSend with the error below:
    ...
    
    1915:  045:           image: perl
    1916:  [2]: bash-tools/kubernetes-configs/octopus-deploy/base/octopus-deploy-sts.yaml:61
    1917:  060:       containers:
    1918:  061:         - name: octopus
    1919:  062:           image: octopusdeploy/octopusdeploy:2021.3
    1920:  [3]: bash-tools/kubernetes-configs/jenkins/base/server.yaml:81
    1921:  080:       containers:
    1922:  081:         - name: jenkins
    1923:  082:           # NOTE: BEWARE LTS tag will auto-upgrade - will inevitably break some plugins which could break SSO login or all pipelines referencing plugin method such as slackSend with the error below:
    ...
    
    2852:  045:           image: gcr.io/google-containers/fluentd-elasticsearch:1.20
    2853:  [53]: bash-tools/kubernetes-configs/pod.yaml:45
    2854:  044:   containers:
    2855:  045:     - name: privileged-pod
    2856:  046:       image: busybox
    2857:  [54]: bash-tools/kubernetes-configs/jenkins/base/server.yaml:81
    2858:  080:       containers:
    2859:  081:         - name: jenkins
    2860:  082:           # NOTE: BEWARE LTS tag will auto-upgrade - will inevitably break some plugins which could break SSO login or all pipelines referencing plugin method such as slackSend with the error below:
    ...
    
    3764:  065:           #image: selenium/node-chrome:3.141.59  # XXX: selenide is using 3.141.59 dependency, gets Chrome binary not found on this version
    3765:  [9]: bash-tools/kubernetes-configs/selenium-grid-distributed/base/selenium-grid-node-firefox.yaml:64
    3766:  063:       containers:
    3767:  064:         - name: selenium-node-firefox
    3768:  065:           #image: selenium/node-firefox:3.141.59
    3769:  [10]: bash-tools/kubernetes-configs/jenkins/base/server.yaml:81
    3770:  080:       containers:
    3771:  081:         - name: jenkins
    3772:  082:           # NOTE: BEWARE LTS tag will auto-upgrade - will inevitably break some plugins which could break SSO login or all pipelines referencing plugin method such as slackSend with the error below:
    ...
    
    5226:  219:       initContainers:
    5227:  220:         - name: init-files
    5228:  221:           image: alpine/git:latest
    5229:  [18]: bash-tools/kubernetes-configs/argocd/base/repo-server.kustomize.patch.yaml:41
    5230:  040:       initContainers:
    5231:  041:         - name: download-tools
    5232:  042:           image: alpine:3.8
    5233:  Yum install Without Version, Severity: MEDIUM, Results: 93
    5234:  Description: Not specifying the package version can cause failures due to unanticipated changes in required packages
    ...
    
    5672:  097:   name: traefik-ingress-service
    5673:  098:   namespace: kube-system
    5674:  099: spec:
    5675:  [16]: bash-tools/vagrant-configs/kubernetes/calico.yaml:3684
    5676:  3683:   name: calico-kube-controllers
    5677:  3684:   namespace: kube-system
    5678:  3685:   labels:
    5679:  Unpinned Package Version in Pip Install, Severity: MEDIUM, Results: 5
    5680:  Description: Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    ...
    
    5697:  045: 
    5698:  046: RUN python3 -m pip install         --user         'urllib3>=1.26.5'         awsebcli &&     echo &&     echo "Checking EB CLI runtime..." &&     echo &&     eb --help --quiet
    5699:  047: 
    5700:  [5]: docker-images/jython-dev/Dockerfile:35
    5701:  034: 
    5702:  035: RUN bash -c '     set -euxo pipefail &&     apt-get update &&     apt-get install -y wget &&     wget -cO jython-installer.jar "http://search.maven.org/remotecontent?filepath=org/python/jython-installer/$JYTHON_VERSION/jython-installer-$JYTHON_VERSION.jar
    5703:  036: 
    5704:  Unpinned Package Version in Apk Add, Severity: MEDIUM, Results: 42
    5705:  Description: Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    ...
    
    6012:  668:                       description: RevisionSpec holds the desired state of the Revision (from the client).
    6013:  [20]: bash-tools/kubernetes-configs/deploy.yaml:66
    6014:  065:         tier: backend
    6015:  066:     spec:
    6016:  067:       # for business critical workloads to get priority access to the stable node pool instead of preemptible node pool, will evict lower priority pods to preemptible node pool (default 0) if necessary. Requires: priorityclass.yaml
    6017:  [21]: bash-tools/kubernetes-configs/jenkins/base/agent.cloud-pod-DooD.yaml:43
    6018:  042:     cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
    6019:  043: spec:
    6020:  044:   # agent pod should go on stable node pool so that builds don't fail due to preemption. Requires priorityclass.yaml
    ...
    
    6161:  Learn more about this vulnerability: https://docs.kics.io/latest/queries/kubernetes-queries/591ade62-d6b0-4580-b1ae-209f80ba1cd9
    6162:  [1]: bash-tools/kubernetes-configs/jenkins/base/agent-pod.yaml:38
    6163:  037:     datree.skip/CONTAINERS_MISSING_LIVENESSPROBE_KEY: liveness probe is not relevant for CI/CD CLI shell containers
    6164:  038: spec:
    6165:  039:   priorityClassName: high-priority  # requires priorityclass.yaml
    6166:  [2]: bash-tools/kubernetes-configs/jenkins/base/agent.cloud-pod-DooD.yaml:43
    6167:  042:     cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
    6168:  043: spec:
    6169:  044:   # agent pod should go on stable node pool so that builds don't fail due to preemption. Requires priorityclass.yaml
    ...
    
    6604:  096:           #image: khulnasoft/github-actions-runner:2.284
    6605:  [30]: bash-tools/kubernetes-configs/octopus-deploy/base/octopus-deploy-sts.yaml:61
    6606:  060:       containers:
    6607:  061:         - name: octopus
    6608:  062:           image: octopusdeploy/octopusdeploy:2021.3
    6609:  [31]: bash-tools/kubernetes-configs/jenkins/base/server.yaml:81
    6610:  080:       containers:
    6611:  081:         - name: jenkins
    6612:  082:           # NOTE: BEWARE LTS tag will auto-upgrade - will inevitably break some plugins which could break SSO login or all pipelines referencing plugin method such as slackSend with the error below:
    ...
    
    6805:  327:       #image: bridgecrew/checkov:2.0.715
    6806:  [4]: bash-tools/kubernetes-configs/jenkins/base/agent-pod.yaml:375
    6807:  374:     # generic CLI container
    6808:  375:     - name: busybox
    6809:  376:       #image: busybox:3
    6810:  [5]: bash-tools/kubernetes-configs/jenkins/base/server.yaml:81
    6811:  080:       containers:
    6812:  081:         - name: jenkins
    6813:  082:           # NOTE: BEWARE LTS tag will auto-upgrade - will inevitably break some plugins which could break SSO login or all pipelines referencing plugin method such as slackSend with the error below:
    ...
    
    7059:  038:           image: busybox
    7060:  [14]: bash-tools/kubernetes-configs/jenkins/base/agent-pod.yaml:306
    7061:  305:     # doesn't stay alive given this issue: https://github.com/anchore/grype/issues/1287
    7062:  306:     - name: grype
    7063:  307:       #image: anchore/grype:v0.61.1
    7064:  [15]: bash-tools/kubernetes-configs/jenkins/base/server.yaml:81
    7065:  080:       containers:
    7066:  081:         - name: jenkins
    7067:  082:           # NOTE: BEWARE LTS tag will auto-upgrade - will inevitably break some plugins which could break SSO login or all pipelines referencing plugin method such as slackSend with the error below:
    ...
    
    8541:  062:           image: octopusdeploy/octopusdeploy:2021.3
    8542:  [16]: bash-tools/kubernetes-configs/teamcity/base/teamcity-server.yaml:81
    8543:  080:       containers:
    8544:  081:         - name: teamcity-server
    8545:  082:           image: jetbrains/teamcity-server:2020.2.1
    8546:  [17]: bash-tools/kubernetes-configs/jenkins/base/agent.cloud-pod-DooD.yaml:86
    8547:  085:   securityContext:
    8548:  086:     runAsUser: 0    # required to access docker.sock
    8549:  087:     #fsGroup: 1000  # jenkins gid to access docker.sock, but fails to change socket group owner in container
    8550:  [18]: bash-tools/kubernetes-configs/jenkins/base/server.yaml:81
    8551:  080:       containers:
    8552:  081:         - name: jenkins
    8553:  082:           # NOTE: BEWARE LTS tag will auto-upgrade - will inevitably break some plugins which could break SSO login or all pipelines referencing plugin method such as slackSend with the error below:
    ...
    
    8577:  052:           image: mcr.microsoft.com/mssql/server:2019-latest
    8578:  [25]: bash-tools/kubernetes-configs/selenium-grid/base/selenium-grid-node-chrome.yaml:64
    8579:  063:       containers:
    8580:  064:         - name: selenium-node-chrome
    8581:  065:           #image: selenium/node-chrome:3.141.59  # XXX: selenide is using 3.141.59 dependency, gets Chrome binary not found on this version
    8582:  [26]: bash-tools/kubernetes-configs/jenkins/base/agent.statefulset-DooD.yaml:108
    8583:  107:       securityContext:
    8584:  108:         runAsUser: 0    # required to access docker.sock
    8585:  109:         #fsGroup: 1000  # jenkins gid to access docker.sock, but fails to change socket group owner in container
    ...
    
    8754:  3476:             privileged: true
    8755:  [3]: bash-tools/kubernetes-configs/buildkite/base/buildkite-agent.yaml:104
    8756:  103:                 - pgrep buildkite-agent
    8757:  104:           securityContext:
    8758:  105:             #runAsNonRoot: true
    8759:  [4]: bash-tools/kubernetes-configs/jenkins/base/server.yaml:81
    8760:  080:       containers:
    8761:  081:         - name: jenkins
    8762:  082:           # NOTE: BEWARE LTS tag will auto-upgrade - will inevitably break some plugins which could break SSO login or all pipelines referencing plugin method such as slackSend with the error below:
    ...
    
    8786:  057:           ports:
    8787:  [11]: bash-tools/vagrant-configs/kubernetes/calico.yaml:3511
    8788:  3510:               name: cni-net-dir
    8789:  3511:           securityContext:
    8790:  3512:             privileged: true
    8791:  [12]: bash-tools/kubernetes-configs/jenkins/base/agent.cloud-pod-DooD.yaml:86
    8792:  085:   securityContext:
    8793:  086:     runAsUser: 0    # required to access docker.sock
    8794:  087:     #fsGroup: 1000  # jenkins gid to access docker.sock, but fails to change socket group owner in container
    8795:  [13]: bash-tools/kubernetes-configs/circleci/base/circleci-runner-deployment.yaml:88
    8796:  087:       containers:
    8797:  088:         - name: circleci-runner
    8798:  089:           image: circleci/runner:launch-agent
    8799:  [14]: bash-tools/kubernetes-configs/jenkins/base/agent.statefulset-DooD.yaml:108
    8800:  107:       securityContext:
    8801:  108:         runAsUser: 0    # required to access docker.sock
    8802:  109:         #fsGroup: 1000  # jenkins gid to access docker.sock, but fails to change socket group owner in container
    ...
    
    10421:  047:           image: jetbrains/teamcity-agent:2020.2
    10422:  [36]: bash-tools/vagrant-configs/kubernetes/calico.yaml:3683
    10423:  3682: metadata:
    10424:  3683:   name: calico-kube-controllers
    10425:  3684:   namespace: kube-system
    10426:  [37]: bash-tools/kubernetes-configs/jenkins/base/server.yaml:81
    10427:  080:       containers:
    10428:  081:         - name: jenkins
    10429:  082:           # NOTE: BEWARE LTS tag will auto-upgrade - will inevitably break some plugins which could break SSO login or all pipelines referencing plugin method such as slackSend with the error below:
    ...
    
    12303:  ##[warning]Container should not share the host network namespace
    12304:  ##[warning]Container should not share the host network namespace
    12305:  ##[warning]A Service Account token is shared between workloads
    12306:  ##[warning]A Service Account token is shared between workloads
    12307:  ##[warning]A Service Account token is shared between workloads
    12308:  ##[warning]A Service Account token is shared between workloads
    12309:  ##[warning]A Service Account token is shared between workloads
    12310:  ##[warning]A Service Account token is shared between workloads
    12311:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12312:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12313:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12314:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12315:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12316:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12317:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12318:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12319:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12320:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12321:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12322:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12323:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12324:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12325:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12326:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12327:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12328:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12329:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12330:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12331:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12332:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12333:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12334:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12335:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12336:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12337:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12338:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12339:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12340:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12341:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12342:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12343:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12344:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12345:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12346:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12347:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12348:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12349:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12350:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12351:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12352:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12353:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12354:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12355:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12356:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    12357:  ##[warning]Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
    ...
    
    12366:  ##[warning]Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
    12367:  ##[warning]Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
    12368:  ##[warning]Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
    12369:  ##[warning]Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
    12370:  ##[warning]Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
    12371:  ##[warning]Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
    12372:  ##[warning]Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
    12373:  ##[warning]Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
    12374:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12375:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12376:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12377:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12378:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12379:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12380:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12381:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12382:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12383:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12384:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12385:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12386:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12387:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12388:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12389:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12390:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12391:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12392:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12393:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12394:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12395:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12396:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12397:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12398:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12399:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12400:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12401:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12402:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12403:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12404:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12405:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12406:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12407:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12408:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12409:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12410:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12411:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12412:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12413:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12414:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12415:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12416:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12417:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12418:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12419:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12420:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12421:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12422:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12423:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12424:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12425:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12426:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12427:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12428:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12429:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12430:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12431:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12432:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12433:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12434:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12435:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12436:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12437:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12438:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12439:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12440:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12441:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12442:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12443:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12444:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12445:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12446:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12447:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12448:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12449:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12450:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12451:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12452:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12453:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12454:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12455:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12456:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12457:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12458:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12459:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12460:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12461:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12462:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12463:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12464:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12465:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    12466:  ##[warning]Not specifying the package version can cause failures due to unanticipated changes in required packages
    ...
    
    13345:  ##[warning]Container should not use secrets as environment variables
    13346:  ##[warning]Container should not use secrets as environment variables
    13347:  ##[warning]Container should not use secrets as environment variables
    13348:  ##[warning]Container should not use secrets as environment variables
    13349:  ##[warning]Container should not use secrets as environment variables
    13350:  ##[warning]Container should not use secrets as environment variables
    13351:  ##[warning]Container should not use secrets as environment variables
    13352:  ##[warning]Container should not use secrets as environment variables
    13353:  ##[warning]Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter
    ...
    
    13450:  ##[warning]After using apt-get install, it is needed to delete apt-get lists
    13451:  ##[warning]After using apt-get install, it is needed to delete apt-get lists
    13452:  ##[warning]After using apt-get install, it is needed to delete apt-get lists
    13453:  ##[warning]After using apt-get install, it is needed to delete apt-get lists
    13454:  ##[warning]After using apt-get install, it is needed to delete apt-get lists
    13455:  ##[warning]It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance
    13456:  ##[warning]As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces.
    13457:  ##[warning]Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set
    13458:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13459:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13460:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13461:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13462:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13463:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13464:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13465:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13466:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13467:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13468:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13469:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13470:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13471:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13472:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13473:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13474:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13475:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13476:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13477:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13478:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13479:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13480:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13481:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    13482:  ##[warning]In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
    ...
    
    13498:  ##[warning]Volumes shared between containers can cause data corruption or can be used to share malicious files between containers.
    13499:  ##[warning]Volumes shared between containers can cause data corruption or can be used to share malicious files between containers.
    13500:  ##[warning]Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited
    13501:  ##[warning]Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited
    13502:  ##[warning]Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited
    13503:  ##[warning]Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited
    13504:  ##[warning]Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited
    13505:  KICS scan status code: 50
    13506:  ##[error]KICS scan failed with exit code 50
    ...
    
    13512:  matrix: null
    13513:  wait-for-processing: true
    13514:  env:
    13515:  CONFIG: 
    13516:  CONFIG_FILE: 
    13517:  DEBUG: 
    13518:  SCAN_PATH: .
    13519:  ##[endgroup]
    13520:  ##[error]CodeQL Action major versions v1 and v2 have been deprecated. Please update all occurrences of the CodeQL Action in your workflow files to v3. For more information, see https://github.blog/changelog/2025-01-10-code-scanning-codeql-action-v2-is-now-deprecated/
    
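The two recurring Kubernetes findings in the KICS output above ("Container should not use secrets as environment variables" and "External Secret Storage ... ensure that access to secrets is carefully limited") are best read side by side. For orientation: KICS exit code 50 is the scanner's convention for "scan completed and found HIGH-severity results", not an engine error; the failure is the findings themselves. The manifest below is an added illustration, not taken from this repository: it shows the pattern KICS flags next to a hardened form. The names (`my-app`, `app-secrets`, `db-password`, the image reference) are assumptions chosen for the example.

```yaml
# Added example, not the repository's own manifests. Names are assumptions.
#
# Weak form: the Secret value is injected as an environment variable. It is then
# visible in `kubectl describe pod`, in /proc/<pid>/environ, in crash dumps, and
# in every child process that inherits the environment. This is what KICS flags.
apiVersion: v1
kind: Pod
metadata:
  name: my-app-weak
  namespace: my-app
spec:
  containers:
    - name: app
      image: registry.example.com/my-app:1.4.2
      env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: app-secrets
              key: db-password
---
# Hardened form: the Secret is mounted as a read-only file on a tmpfs-backed
# volume with a restrictive mode, and the application reads it at startup.
# The ServiceAccount token is not auto-mounted, so a compromised container
# cannot use it to list other Secrets through the API.
apiVersion: v1
kind: Pod
metadata:
  name: my-app
  namespace: my-app
spec:
  automountServiceAccountToken: false
  containers:
    - name: app
      image: registry.example.com/my-app:1.4.2
      volumeMounts:
        - name: app-secrets
          mountPath: /run/secrets/app
          readOnly: true
  volumes:
    - name: app-secrets
      secret:
        secretName: app-secrets
        defaultMode: 0400   # octal (256 decimal): owner read-only
---
# Limit API access to the Secret: a namespaced Role scoped to that single
# object by resourceNames, bound only to the identities that truly need it.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-app-secrets
  namespace: my-app
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["app-secrets"]
    verbs: ["get"]
```

Mounting as a file removes the environment-variable exposure but leaves the value base64-encoded in etcd; if the cluster holds many or high-value secrets, the "External Secret Storage" warning is the cue to keep the source of truth in a dedicated secrets manager and sync it into the namespace, with encryption at rest enabled on the API server either way.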


    1 participant