Discussed in #8865
Some checks are currently applied to different types of configuration files, which in some cases can lead to false positives.
For example:
-
Kubernetes checks are applied both to plain Kubernetes manifests and to rendered Helm templates. The AVD-KSV-0109 check that detects secrets in ConfigMaps, falsely triggers on interpolated strings like:
REDIS_MASTER_PASSWORD: "$(cat ${REDIS_MASTER_PASSWORD_FILE})"
Such expressions do not indicate a secret leak in the case of Helm, as they remain unchanged in the rendered manifest. However, if a user applies a Kubernetes manifest using envsubst, like:
SOME_ACCESS_TOKEN=test envsubst < config.yaml | kubectl apply -f -
— the variables are actually substituted, and sensitive data may be exposed.
-
Dockerfile checks, such as AVD-DS-0016, are applied both to original Dockerfiles and to those restored from image history.
However, multistage builds cannot be accurately restored - information about stages (FROM ... AS <name>) is not stored in the image history. As a result, making the AVD-DS-0016 check invalid in this context.
We have already addressed this issue by filtering such checks directly in the image history analyzer after scanning.
Possible solutions:
-
Ignore interpolated strings, such as ${VAR} or $(...).
This is reasonable for Helm templates, where variables remain unresolved. However, this approach is unsafe for regular Kubernetes manifests, as they may be pre-rendered by the user and variables may contain actual secrets.
-
Completely disable the check for Helm. This reduces coverage but ensures that false positives do not occur.
-
Expose the scanner type or configuration source to Rego, so that checks can determine applicability themselves:
deny contains res if {
not skip_check
...
}
skip_check(s) if {
input.scanner == "helm"
startswith(s, "${")
}
This enables flexible policies that take into account the scan context (source, format, etc.).
Discussed in #8865
Some checks are currently applied to different types of configuration files, which in some cases can lead to false positives.
For example:
Kubernetes checks are applied both to plain Kubernetes manifests and to rendered Helm templates. The
AVD-KSV-0109check that detects secrets in ConfigMaps, falsely triggers on interpolated strings like:Such expressions do not indicate a secret leak in the case of Helm, as they remain unchanged in the rendered manifest. However, if a user applies a Kubernetes manifest using
envsubst, like:— the variables are actually substituted, and sensitive data may be exposed.
Dockerfile checks, such as
AVD-DS-0016, are applied both to original Dockerfiles and to those restored from image history.However, multistage builds cannot be accurately restored - information about stages (
FROM ... AS <name>) is not stored in the image history. As a result, making theAVD-DS-0016check invalid in this context.We have already addressed this issue by filtering such checks directly in the image history analyzer after scanning.
Possible solutions:
Ignore interpolated strings, such as
${VAR}or$(...).This is reasonable for Helm templates, where variables remain unresolved. However, this approach is unsafe for regular Kubernetes manifests, as they may be pre-rendered by the user and variables may contain actual secrets.
Completely disable the check for Helm. This reduces coverage but ensures that false positives do not occur.
Expose the scanner type or configuration source to Rego, so that checks can determine applicability themselves:
This enables flexible policies that take into account the scan context (source, format, etc.).