6 rules to find security misconfigurations in your Kubernetes files

Hello,

We are happy to announce support for Kubernetes analysis and the first set of 6 rules to help developers write more secure containerized applications.

Here is the list of rules:

  • S6431: Using host namespaces is security-sensitive
  • S6430: Allowing process privilege escalation is security-sensitive
  • S6429: Exposing Docker sockets is security-sensitive
  • S5849: Setting capabilities is security-sensitive
  • S6433: Mounting sensitive file system paths is security-sensitive
  • S6428: Enabling privileged mode on containers is security-sensitive

How to get this?

  • For SonarCloud: it’s already there, nothing to activate. Just trigger a scan of your repository containing some K8S files and you will see the results in the Security Hotspots space.
  • For SonarQube: it will be embedded in the upcoming version 9.6

Don’t hesitate to share your feedback about this first release supporting Kubernetes analysis.

Alex

3 Likes
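A simplified checker, added here as an example and not SonarSource's own implementation, that approximates what the six rules above look for on a Pod manifest already loaded into a Python dict (what yaml.safe_load would return); the two sample manifests and the list of sensitive host paths are constructed for illustration.

```python
# Added example, not SonarSource's implementation: approximates the six
# hotspot rules on a Pod manifest loaded into a dict. Samples are constructed.

def pod(spec_extra, volumes, security_context):
    # Build a minimal Pod dict around the parts the rules inspect.
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
            "spec": {**spec_extra, "volumes": volumes,
                     "containers": [{"name": "app", "image": "example/app:1.0",
                                     "securityContext": security_context}]}}

# Constructed manifest that trips every rule.
RISKY_POD = pod(
    {"hostPID": True},                                                 # S6431
    [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}},   # S6429
     {"name": "etc", "hostPath": {"path": "/etc"}}],                   # S6433
    {"privileged": True, "allowPrivilegeEscalation": True,             # S6428, S6430
     "capabilities": {"add": ["NET_ADMIN"]}},                          # S5849
)

# Same workload hardened: no host namespaces, emptyDir instead of hostPath,
# escalation disabled explicitly, capabilities dropped rather than added.
SAFER_POD = pod(
    {},
    [{"name": "scratch", "emptyDir": {}}],
    {"privileged": False, "allowPrivilegeEscalation": False,
     "capabilities": {"drop": ["ALL"]}},
)

# Illustrative host paths treated as sensitive (assumption, not the rule's real list).
SENSITIVE_HOST_PATHS = {"/", "/etc", "/proc", "/sys", "/root", "/var/lib", "/var/run"}

def find_hotspots(manifest):
    """Return the set of rule IDs whose condition this Pod spec meets."""
    spec = manifest.get("spec", {})
    hits = set()
    if any(spec.get(ns) for ns in ("hostPID", "hostIPC", "hostNetwork")):
        hits.add("S6431")
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path", "")
        if path.endswith("docker.sock"):
            hits.add("S6429")
        elif path in SENSITIVE_HOST_PATHS:
            hits.add("S6433")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            hits.add("S6428")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes defaults to true when unset
            hits.add("S6430")
        if sc.get("capabilities", {}).get("add"):
            hits.add("S5849")
    return hits
```

Running find_hotspots on RISKY_POD reports all six rule IDs and on SAFER_POD none; a container with no securityContext at all still reports S6430, because an unset allowPrivilegeEscalation leaves the Kubernetes default in place.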

YEAH!

1 Like

Unfortunately it doesn’t work on Helm charts. Most of our K8s deployments are Helm chart templates. Got tons of errors:

ERROR: Failed to parse file…

Hi @jseletz, can you create a new thread and attach the following?

  • DEBUG logs of the Sonar scan analysis (sonar.verbose=true)
  • sample file that reproduces the issue

If you prefer not to share the file publicly, please say so in the new thread and we can message you privately.

done: Sonar scan of Helm charts for Kubernetes security misconfigurations fails to parse files

1 Like

Hello,

Thanks for the feedback.

For the moment, we just support Kubernetes files and we don’t support Helm Chart template files. This is why you have these parse errors. This is not ideal and we will try to improve the user experience.

Alex

2 Likes
