running acs-deploy-check
Step: acs-deploy-check
Results: /workspace/source/source/results/acs-deploy-check
Custom root CA variable is not set. Make sure CA trust is established
Running acs-deploy-check:rox-deploy-check
Using rox central endpoint central-rhacs-operator.apps.rosa.rhtap-services.xmdt.p3.openshiftapps.com:443
Using gitops repository: https://github.com/rhtap-rhdh-qe/e2e-tests-python-ddblvcod-gitops
Cloning into 'gitops'...
List of files in gitops repository root:
total 40
drwxr-sr-x. 8 root 1000970000 4096 May 4 23:32 .
drwxrwsr-x. 10 root 1000970000 4096 May 4 23:32 ..
drwxr-sr-x. 8 root 1000970000 4096 May 4 23:32 .git
drwxr-sr-x. 2 root 1000970000 4096 May 4 23:32 .tekton
drwxr-sr-x. 2 root 1000970000 4096 May 4 23:32 app-of-apps
-rw-r--r--. 1 root 1000970000 664 May 4 23:32 application.yaml
-rw-r--r--. 1 root 1000970000 703 May 4 23:32 catalog-info.yaml
drwxr-sr-x. 3 root 1000970000 4096 May 4 23:32 components
drwxr-sr-x. 2 root 1000970000 4096 May 4 23:32 docs
drwxr-sr-x. 2 root 1000970000 4096 May 4 23:32 tssc
List of components in the gitops repository:
total 4
drwxr-sr-x. 5 root 1000970000 4096 May 4 23:32 e2e-tests-python-ddblvcod
Download roxctl cli
Performing scan for e2e-tests-python-ddblvcod component
ROXCTL on components/e2e-tests-python-ddblvcod/base/deployment.yaml
Running acs-deploy-check:report
ACS_DEPLOY_EYECATCHER_BEGIN
{ "results": [ { "metadata": { "id": "8ea53765-44a5-4d95-b72d-e1f443d67353", "additionalInfo": { "name": "e2e-tests-python-ddblvcod", "namespace": "default", "type": "Deployment" } }, "summary": { "CRITICAL": 0, "HIGH": 1, "LOW": 3, "MEDIUM": 1, "TOTAL": 5 }, "violatedPolicies": [ { "name": "Fixable Severity at least Important", "severity": "HIGH", "description": "Alert on deployments with fixable vulnerabilities with a Severity Rating at least Important", "violation": [ "Fixable CVE-2024-21626 (CVSS 8.6) (severity Important) found in component 'github.com/opencontainers/runc' (version v1.1.10) in container 'container-image', resolved by version 1.1.12", "Fixable CVE-2024-23651 (CVSS 7.4) (severity Important) found in component 'github.com/moby/buildkit' (version v0.0.0-20181107081847-c3a857e3fca0) in container 'container-image', resolved by version 0.12.5", "Fixable CVE-2024-23651 (CVSS 8.7) (severity Important) found in component 'github.com/moby/buildkit' (version v0.0.0-20181107081847-c3a857e3fca0) in container 'container-image', resolved by version 0.12.5", "Fixable CVE-2024-23652 (CVSS 10) (severity Critical) found in component 'github.com/moby/buildkit' (version v0.0.0-20181107081847-c3a857e3fca0) in container 'container-image', resolved by version 0.12.5", "Fixable CVE-2024-23652 (CVSS 9.1) (severity Critical) found in component 'github.com/moby/buildkit' (version v0.0.0-20181107081847-c3a857e3fca0) in container 'container-image', resolved by version 0.12.5", "Fixable CVE-2024-23653 (CVSS 9.8) (severity Critical) found in component 'github.com/moby/buildkit' (version v0.0.0-20181107081847-c3a857e3fca0) in container 'container-image', resolved by version 0.12.5", "Fixable CVE-2024-24557 (CVSS 7.8) 
(severity Important) found in component 'github.com/docker/docker' (version v24.0.7+incompatible) in container 'container-image', resolved by version 24.0.9+incompatible", "Fixable CVE-2024-24786 (CVSS 7.5) (severity Important) found in component 'google.golang.org/protobuf' (version v1.31.0) in container 'container-image', resolved by version 1.33.0", "Fixable CVE-2024-24790 (CVSS 9.8) (severity Critical) found in component 'stdlib' (version 1.20.12) in container 'container-image', resolved by version 1.21.11", "Fixable CVE-2024-25621 (CVSS 7.3) (severity Important) found in component 'github.com/containerd/containerd' (version v1.7.0) in container 'container-image', resolved by version 1.7.29", "Fixable CVE-2024-25621 (CVSS 7.3) (severity Important) found in component 'github.com/containerd/containerd' (version v1.7.27) in container 'container-image', resolved by version 1.7.29", "Fixable CVE-2024-25621 (CVSS 7.8) (severity Important) found in component 'github.com/containerd/containerd' (version v1.7.0) in container 'container-image', resolved by version 1.7.29", "Fixable CVE-2024-25621 (CVSS 7.8) (severity Important) found in component 'github.com/containerd/containerd' (version v1.7.27) in container 'container-image', resolved by version 1.7.29", "Fixable CVE-2024-29903 (CVSS 7.5) (severity Important) found in component 'github.com/sigstore/cosign/v2' (version v2.0.0-20260203083305-11481f04a524+dirty) in container 'container-image', resolved by version 2.2.4", "Fixable CVE-2024-3727 (CVSS 8.3) (severity Important) found in component 'github.com/containers/image/v5' (version v5.29.0) in container 'container-image', resolved by version 5.29.3", "Fixable CVE-2024-40635 (CVSS 7.8) (severity Important) found in component 'github.com/containerd/containerd' (version v1.7.0) in container 'container-image', resolved by version 1.7.27", "Fixable CVE-2024-41110 (CVSS 9.9) (severity Critical) found in component 'github.com/docker/docker' (version v24.0.7+incompatible) in 
container 'container-image', resolved by version 25.0.6", "Fixable CVE-2024-45337 (CVSS 9.1) (severity Critical) found in component 'golang.org/x/crypto' (version v0.18.0) in container 'container-image', resolved by version 0.31.0", "Fixable CVE-2025-15558 (CVSS 8) (severity Important) found in component 'github.com/docker/cli' (version v28.2.2+incompatible) in container 'container-image', resolved by version 29.2.0", "Fixable CVE-2025-15558 (CVSS 8) (severity Important) found in component 'github.com/docker/cli' (version v28.2.2+incompatible) in container 'container-image', resolved by version 29.2.0+incompatible", "Fixable CVE-2025-15558 (CVSS 8) (severity Important) found in component 'github.com/docker/cli' (version v28.3.0+incompatible) in container 'container-image', resolved by version 29.2.0", "Fixable CVE-2025-15558 (CVSS 8) (severity Important) found in component 'github.com/docker/cli' (version v28.3.0+incompatible) in container 'container-image', resolved by version 29.2.0+incompatible", "Fixable CVE-2025-15558 (CVSS 8) (severity Important) found in component 'github.com/docker/cli' (version v29.0.3+incompatible) in container 'container-image', resolved by version 29.2.0", "Fixable CVE-2025-15558 (CVSS 8) (severity Important) found in component 'github.com/docker/cli' (version v29.0.3+incompatible) in container 'container-image', resolved by version 29.2.0+incompatible", "Fixable CVE-2025-21613 (CVSS 9.8) (severity Critical) found in component 'github.com/go-git/go-git/v5' (version v5.11.0) in container 'container-image', resolved by version 5.13.0", "Fixable CVE-2025-21614 (CVSS 7.5) (severity Important) found in component 'github.com/go-git/go-git/v5' (version v5.11.0) in container 'container-image', resolved by version 5.13.0", "Fixable CVE-2025-22868 (CVSS 7.5) (severity Important) found in component 'golang.org/x/oauth2' (version v0.16.0) in container 'container-image', resolved by version 0.27.0", "Fixable CVE-2025-22869 (CVSS 7.5) (severity 
Important) found in component 'golang.org/x/crypto' (version v0.18.0) in container 'container-image', resolved by version 0.35.0", "Fixable CVE-2025-31133 (CVSS 7.8) (severity Important) found in component 'github.com/opencontainers/runc' (version v1.1.10) in container 'container-image', resolved by version 1.2.8", "Fixable CVE-2025-46569 (CVSS 0) (severity Important) found in component 'github.com/open-policy-agent/opa' (version v1.1.0) in container 'container-image', resolved by version 1.4.0", "Fixable CVE-2025-52565 (CVSS 7.5) (severity Important) found in component 'github.com/opencontainers/runc' (version v1.1.10) in container 'container-image', resolved by version 1.2.8", "Fixable CVE-2025-52881 (CVSS 7.5) (severity Important) found in component 'github.com/opencontainers/runc' (version v1.1.10) in container 'container-image', resolved by version 1.2.8", "Fixable CVE-2025-52881 (CVSS 7.5) (severity Important) found in component 'github.com/opencontainers/selinux' (version v1.11.0) in container 'container-image', resolved by version 1.13.0", "Fixable CVE-2025-66506 (CVSS 7.5) (severity Important) found in component 'github.com/sigstore/fulcio' (version v1.4.3) in container 'container-image', resolved by version 1.8.3", "Fixable CVE-2025-66506 (CVSS 7.5) (severity Important) found in component 'github.com/sigstore/fulcio' (version v1.6.3) in container 'container-image', resolved by version 1.8.3", "Fixable CVE-2025-66564 (CVSS 7.5) (severity Important) found in component 'github.com/sigstore/timestamp-authority' (version v1.2.2) in container 'container-image', resolved by version 2.0.3", "Fixable CVE-2025-66564 (CVSS 7.5) (severity Important) found in component 'github.com/sigstore/timestamp-authority' (version v1.2.7) in container 'container-image', resolved by version 2.0.3", "Fixable CVE-2025-68121 (CVSS 10) (severity Critical) found in component 'stdlib' (version 1.20.12) in container 'container-image', resolved by version 1.24.13", "Fixable CVE-2025-68121 
(CVSS 10) (severity Critical) found in component 'stdlib' (version 1.24.4) in container 'container-image', resolved by version 1.24.13", "Fixable CVE-2025-68121 (CVSS 10) (severity Critical) found in component 'stdlib' (version 1.24.6) in container 'container-image', resolved by version 1.24.13", "Fixable CVE-2025-68121 (CVSS 10) (severity Critical) found in component 'stdlib' (version 1.25.5) in container 'container-image', resolved by version 1.25.7", "Fixable CVE-2025-8959 (CVSS 7.5) (severity Important) found in component 'github.com/hashicorp/go-getter' (version v1.7.8) in container 'container-image', resolved by version 1.7.9", "Fixable CVE-2026-1229 (CVSS 9.8) (severity Critical) found in component 'github.com/cloudflare/circl' (version v1.3.7) in container 'container-image', resolved by version 1.6.3", "Fixable CVE-2026-1229 (CVSS 9.8) (severity Critical) found in component 'github.com/cloudflare/circl' (version v1.6.1) in container 'container-image', resolved by version 1.6.3", "Fixable CVE-2026-23991 (CVSS 7.5) (severity Important) found in component 'github.com/theupdateframework/go-tuf/v2' (version v2.0.2) in container 'container-image', resolved by version 2.3.1", "Fixable CVE-2026-23992 (CVSS 7.5) (severity Important) found in component 'github.com/theupdateframework/go-tuf/v2' (version v2.0.2) in container 'container-image', resolved by version 2.3.1", "Fixable CVE-2026-24051 (CVSS 7) (severity Important) found in component 'go.opentelemetry.io/otel/sdk' (version v1.37.0) in container 'container-image', resolved by version 1.40.0", "Fixable CVE-2026-24051 (CVSS 7) (severity Important) found in component 'go.opentelemetry.io/otel/sdk' (version v1.38.0) in container 'container-image', resolved by version 1.40.0", "Fixable CVE-2026-27135 (CVSS 7.5) (severity Important) found in component 'libnghttp2' (version 1.43.0-6.el9) in container 'container-image', resolved by version 0:1.43.0-6.el9_7.1", "Fixable CVE-2026-33186 (CVSS 9.1) (severity Critical) 
found in component 'google.golang.org/grpc' (version v1.67.3) in container 'container-image', resolved by version 1.79.3", "Fixable CVE-2026-33186 (CVSS 9.1) (severity Critical) found in component 'google.golang.org/grpc' (version v1.70.0) in container 'container-image', resolved by version 1.79.3", "Fixable CVE-2026-33186 (CVSS 9.1) (severity Critical) found in component 'google.golang.org/grpc' (version v1.76.0) in container 'container-image', resolved by version 1.79.3", "Fixable CVE-2026-33186 (CVSS 9.1) (severity Critical) found in component 'google.golang.org/grpc' (version v1.78.0) in container 'container-image', resolved by version 1.79.3", "Fixable CVE-2026-33540 (CVSS 7.5) (severity Important) found in component 'github.com/distribution/distribution/v3' (version v3.0.0-20230519140516-983358f8e250) in container 'container-image', resolved by version 3.1.0", "Fixable CVE-2026-33747 (CVSS 8.4) (severity Important) found in component 'github.com/moby/buildkit' (version v0.0.0-20181107081847-c3a857e3fca0) in container 'container-image', resolved by version 0.28.1", "Fixable CVE-2026-33747 (CVSS 8.4) (severity Important) found in component 'github.com/moby/buildkit' (version v0.23.2) in container 'container-image', resolved by version 0.28.1", "Fixable CVE-2026-33747 (CVSS 9.8) (severity Critical) found in component 'github.com/moby/buildkit' (version v0.0.0-20181107081847-c3a857e3fca0) in container 'container-image', resolved by version 0.28.1", "Fixable CVE-2026-33747 (CVSS 9.8) (severity Critical) found in component 'github.com/moby/buildkit' (version v0.23.2) in container 'container-image', resolved by version 0.28.1", "Fixable CVE-2026-33748 (CVSS 0) (severity Important) found in component 'github.com/moby/buildkit' (version v0.0.0-20181107081847-c3a857e3fca0) in container 'container-image', resolved by version 0.28.1", "Fixable CVE-2026-33748 (CVSS 0) (severity Important) found in component 'github.com/moby/buildkit' (version v0.23.2) in container 
'container-image', resolved by version 0.28.1", "Fixable CVE-2026-3497 (CVSS 8.2) (severity Important) found in component 'openssh' (version 8.7p1-47.el9_7) in container 'container-image', resolved by version 0:8.7p1-48.el9_7", "Fixable CVE-2026-3497 (CVSS 8.2) (severity Important) found in component 'openssh-clients' (version 8.7p1-47.el9_7) in container 'container-image', resolved by version 0:8.7p1-48.el9_7", "Fixable CVE-2026-34986 (CVSS 7.5) (severity Important) found in component 'github.com/go-jose/go-jose/v3' (version v3.0.1) in container 'container-image', resolved by version 3.0.5", "Fixable CVE-2026-34986 (CVSS 7.5) (severity Important) found in component 'github.com/go-jose/go-jose/v3' (version v3.0.4) in container 'container-image', resolved by version 3.0.5", "Fixable CVE-2026-34986 (CVSS 7.5) (severity Important) found in component 'github.com/go-jose/go-jose/v4' (version v4.1.2) in container 'container-image', resolved by version 4.1.4", "Fixable CVE-2026-34986 (CVSS 7.5) (severity Important) found in component 'github.com/go-jose/go-jose/v4' (version v4.1.3) in container 'container-image', resolved by version 4.1.4", "Fixable CVE-2026-35172 (CVSS 7.5) (severity Important) found in component 'github.com/distribution/distribution/v3' (version v3.0.0-20230519140516-983358f8e250) in container 'container-image', resolved by version 3.1.0", "Fixable CVE-2026-39883 (CVSS 7) (severity Important) found in component 'go.opentelemetry.io/otel/sdk' (version v1.37.0) in container 'container-image', resolved by version 1.43.0", "Fixable CVE-2026-39883 (CVSS 7) (severity Important) found in component 'go.opentelemetry.io/otel/sdk' (version v1.38.0) in container 'container-image', resolved by version 1.43.0", "Fixable CVE-2026-4660 (CVSS 7.5) (severity Important) found in component 'github.com/hashicorp/go-getter' (version v1.7.8) in container 'container-image', resolved by version 1.8.6", "Fixable CVE-2026-4660 (CVSS 7.5) (severity Important) found in component 
'github.com/hashicorp/go-getter' (version v1.7.9) in container 'container-image', resolved by version 1.8.6" ], "remediation": "Use your package manager to update to a fixed version in future builds or speak with your security team to mitigate the vulnerabilities.", "failingCheck": false }, { "name": "Pod Service Account Token Automatically Mounted", "severity": "MEDIUM", "description": "Protect pod default service account tokens from compromise by minimizing the mounting of the default service account token to only those pods whose application requires interaction with the Kubernetes API.", "violation": [ "Deployment mounts the service account tokens.", "Namespace has name 'default'", "Service Account is set to 'default'" ], "remediation": "Add `automountServiceAccountToken: false` or a value distinct from 'default' for the `serviceAccountName` key to the deployment's Pod configuration.", "failingCheck": false }, { "name": "Docker CIS 4.1: Ensure That a User for the Container Has Been Created", "severity": "LOW", "description": "Containers should run as a non-root user", "violation": [ "Container 'container-image' has image with user 'root'" ], "remediation": "Ensure that the Dockerfile for each container switches from the root user", "failingCheck": false }, { "name": "Latest tag", "severity": "LOW", "description": "Alert on deployments with images using tag 'latest'", "violation": [ "Container 'container-image' has image with tag 'latest'" ], "remediation": "Consider moving to semantic versioning based on code releases (semver.org) or using the first 12 characters of the source control SHA. 
This will allow you to tie the Docker image to the code.", "failingCheck": false }, { "name": "Red Hat Package Manager in Image", "severity": "LOW", "description": "Alert on deployments with components of the Red Hat/Fedora/CentOS package management system.", "violation": [ "Container 'container-image' includes component 'microdnf' (version 3.9.1-3.el9)", "Container 'container-image' includes component 'rpm' (version 4.16.1.3-39.el9)" ], "remediation": "Run `rpm -e --nodeps $(rpm -qa '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*')` in the image build for production containers.", "failingCheck": false } ] } ], "summary": { "CRITICAL": 0, "HIGH": 1, "LOW": 3, "MEDIUM": 1, "TOTAL": 5 } }
ACS_DEPLOY_EYECATCHER_END