Container: step-report { "results": [ { "metadata": { "id": "27d354f7-3df2-419a-811d-142e8ec6f809", "additionalInfo": { "name": "mh6rjfksm-python", "namespace": "default", "type": "Deployment" } }, "summary": { "CRITICAL": 0, "HIGH": 1, "LOW": 3, "MEDIUM": 1, "TOTAL": 5 }, "violatedPolicies": [ { "name": "Fixable Severity at least Important", "severity": "HIGH", "description": "Alert on deployments with fixable vulnerabilities with a Severity Rating at least Important", "violation": [ "Fixable CVE-2024-21626 (CVSS 8.6) (severity Important) found in component 'github.com/opencontainers/runc' (version v1.1.10) in container 'container-image', resolved by version 1.1.12", "Fixable CVE-2024-23651 (CVSS 8.7) (severity Important) found in component 'github.com/moby/buildkit' (version v0.0.0-20181107081847-c3a857e3fca0) in container 'container-image', resolved by version 0.12.5", "Fixable CVE-2024-23652 (CVSS 10) (severity Critical) found in component 'github.com/moby/buildkit' (version v0.0.0-20181107081847-c3a857e3fca0) in container 'container-image', resolved by version 0.12.5", "Fixable CVE-2024-23653 (CVSS 9.8) (severity Critical) found in component 'github.com/moby/buildkit' (version v0.0.0-20181107081847-c3a857e3fca0) in container 'container-image', resolved by version 0.12.5", "Fixable CVE-2024-24786 (CVSS 7.5) (severity Important) found in component 'google.golang.org/protobuf' (version v1.31.0) in container 'container-image', resolved by version 1.33.0", "Fixable CVE-2024-3727 (CVSS 8.3) (severity Important) found in component 'github.com/containers/image/v5' (version v5.29.0) in container 'container-image', resolved by version 5.29.3", "Fixable CVE-2024-41110 (CVSS 9.9) (severity Critical) found in component 'github.com/docker/docker' (version v24.0.7+incompatible) in container 'container-image', resolved by version 25.0.6", "Fixable CVE-2024-45337 (CVSS 9.1) (severity Critical) found in component 'golang.org/x/crypto' (version v0.18.0) in container 'container-image', resolved by version 0.31.0", "Fixable CVE-2025-21613 (CVSS 9.8) (severity Critical) found in component 'github.com/go-git/go-git/v5' (version v5.11.0) in container 'container-image', resolved by version 5.13.0", "Fixable CVE-2025-21614 (CVSS 7.5) (severity Important) found in component 'github.com/go-git/go-git/v5' (version v5.11.0) in container 'container-image', resolved by version 5.13.0", "Fixable CVE-2025-22868 (CVSS 7.5) (severity Important) found in component 'golang.org/x/oauth2' (version v0.16.0) in container 'container-image', resolved by version 0.27.0", "Fixable CVE-2025-22868 (CVSS 7.5) (severity Important) found in component 'golang.org/x/oauth2' (version v0.25.0) in container 'container-image', resolved by version 0.27.0", "Fixable CVE-2025-22869 (CVSS 7.5) (severity Important) found in component 'golang.org/x/crypto' (version v0.18.0) in container 'container-image', resolved by version 0.35.0", "Fixable CVE-2025-22869 (CVSS 7.5) (severity Important) found in component 'golang.org/x/crypto' (version v0.32.0) in container 'container-image', resolved by version 0.35.0", "Fixable CVE-2025-46569 (CVSS 0) (severity Important) found in component 'github.com/open-policy-agent/opa' (version v0.70.0) in container 'container-image', resolved by version 1.4.0", "Fixable CVE-2025-46569 (CVSS 0) (severity Important) found in component 'github.com/open-policy-agent/opa' (version v1.1.0) in container 'container-image', resolved by version 1.4.0", "Fixable CVE-2025-8959 (CVSS 7.5) (severity Important) found in component 'github.com/hashicorp/go-getter' (version v1.7.6) in container 'container-image', resolved by version 1.7.9", "Fixable CVE-2025-8959 (CVSS 7.5) (severity Important) found in component 'github.com/hashicorp/go-getter' (version v1.7.8) in container 'container-image', resolved by version 1.7.9", "Fixable RHSA-2025:10148 (CVSS 7.6) (severity Important) found in component 'python3.11' (version 3.11.11-2.el9) in container 'container-image', resolved by version 0:3.11.11-2.el9_6.1", "Fixable RHSA-2025:10148 (CVSS 7.6) (severity Important) found in component 'python3.11-libs' (version 3.11.11-2.el9) in container 'container-image', resolved by version 0:3.11.11-2.el9_6.1", "Fixable RHSA-2025:10550 (CVSS 8.3) (severity Important) found in component 'podman' (version 5:5.4.0-9.el9_6) in container 'container-image', resolved by version 5:5.4.0-12.el9_6", "Fixable RHSA-2025:10699 (CVSS 9.1) (severity Important) found in component 'libxml2' (version 2.9.13-9.el9_6) in container 'container-image', resolved by version 0:2.9.13-10.el9_6", "Fixable RHSA-2025:11462 (CVSS 8.3) (severity Important) found in component 'git-core' (version 2.47.1-2.el9_6) in container 'container-image', resolved by version 0:2.47.3-1.el9_6", "Fixable RHSA-2025:11992 (CVSS 7.7) (severity Important) found in component 'sqlite-libs' (version 3.34.1-7.el9_3) in container 'container-image', resolved by version 0:3.34.1-8.el9_6", "Fixable RHSA-2025:12447 (CVSS 7.8) (severity Important) found in component 'libxml2' (version 2.9.13-9.el9_6) in container 'container-image', resolved by version 0:2.9.13-11.el9_6", "Fixable RHSA-2025:14130 (CVSS 7.3) (severity Important) found in component 'libarchive' (version 3.5.3-4.el9) in container 'container-image', resolved by version 0:3.5.3-6.el9_6", "Fixable RHSA-2025:15099 (CVSS 7.8) (severity Important) found in component 'pam' (version 1.5.1-23.el9) in container 'container-image', resolved by version 0:1.5.1-26.el9_6", "Fixable RHSA-2025:9526 (CVSS 7.8) (severity Important) found in component 'pam' (version 1.5.1-23.el9) in container 'container-image', resolved by version 0:1.5.1-25.el9_6" ], "remediation": "Use your package manager to update to a fixed version in future builds or speak with your security team to mitigate the vulnerabilities.", "failingCheck": false }, { "name": "Pod Service Account Token Automatically Mounted", "severity": "MEDIUM", "description": "Protect pod default service account tokens from compromise by minimizing the mounting of the default service account token to only those pods whose application requires interaction with the Kubernetes API.", "violation": [ "Deployment mounts the service account tokens.", "Namespace has name 'default'", "Service Account is set to 'default'" ], "remediation": "Add `automountServiceAccountToken: false` or a value distinct from 'default' for the `serviceAccountName` key to the deployment's Pod configuration.", "failingCheck": false }, { "name": "Docker CIS 4.1: Ensure That a User for the Container Has Been Created", "severity": "LOW", "description": "Containers should run as a non-root user", "violation": [ "Container 'container-image' has image with user 'root'" ], "remediation": "Ensure that the Dockerfile for each container switches from the root user", "failingCheck": false }, { "name": "Latest tag", "severity": "LOW", "description": "Alert on deployments with images using tag 'latest'", "violation": [ "Container 'container-image' has image with tag 'latest'" ], "remediation": "Consider moving to semantic versioning based on code releases (semver.org) or using the first 12 characters of the source control SHA. This will allow you to tie the Docker image to the code.", "failingCheck": false }, { "name": "Red Hat Package Manager in Image", "severity": "LOW", "description": "Alert on deployments with components of the Red Hat/Fedora/CentOS package management system.", "violation": [ "Container 'container-image' includes component 'microdnf' (version 3.9.1-3.el9)", "Container 'container-image' includes component 'rpm' (version 4.16.1.3-37.el9)" ], "remediation": "Run `rpm -e --nodeps $(rpm -qa '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*')` in the image build for production containers.", "failingCheck": false } ] } ], "summary": { "CRITICAL": 0, "HIGH": 1, "LOW": 3, "MEDIUM": 1, "TOTAL": 5 } }