Skip to content

bug(misconf): AVD-KSV-0109 false positive on Helm ConfigMap using string interpolation #9049

Description

@nikpivkin

Discussed in #8865

Some checks are currently applied to different types of configuration files, which in some cases can lead to false positives.

For example:

  • Kubernetes checks are applied both to plain Kubernetes manifests and to rendered Helm templates. The AVD-KSV-0109 check that detects secrets in ConfigMaps, falsely triggers on interpolated strings like:

    REDIS_MASTER_PASSWORD: "$(cat ${REDIS_MASTER_PASSWORD_FILE})"

    Such expressions do not indicate a secret leak in the case of Helm, as they remain unchanged in the rendered manifest. However, if a user applies a Kubernetes manifest using envsubst, like:

    SOME_ACCESS_TOKEN=test envsubst < config.yaml | kubectl apply -f -

    — the variables are actually substituted, and sensitive data may be exposed.

  • Dockerfile checks, such as AVD-DS-0016, are applied both to original Dockerfiles and to those restored from image history.
    However, multistage builds cannot be accurately restored - information about stages (FROM ... AS <name>) is not stored in the image history. As a result, making the AVD-DS-0016 check invalid in this context.
    We have already addressed this issue by filtering such checks directly in the image history analyzer after scanning.

Possible solutions:

  1. Ignore interpolated strings, such as ${VAR} or $(...).
    This is reasonable for Helm templates, where variables remain unresolved. However, this approach is unsafe for regular Kubernetes manifests, as they may be pre-rendered by the user and variables may contain actual secrets.

  2. Completely disable the check for Helm. This reduces coverage but ensures that false positives do not occur.

  3. Expose the scanner type or configuration source to Rego, so that checks can determine applicability themselves:

    deny contains res if {
      not skip_check
      ...
    }
    
    skip_check(s) if {
      input.scanner == "helm"
      startswith(s, "${")
    }

    This enables flexible policies that take into account the scan context (source, format, etc.).

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/bugCategorizes issue or PR as related to a bug.scan/misconfigurationIssues relating to misconfiguration scanning

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions