SAST for Kubernetes manifests
Problem to solve
Kubernetes manifests should be checked for sensitive data, especially pod definitions. Secrets should be encrypted.
PodSecurityPolicies are useful at runtime, but they're not enough. That's why we should run SAST on Kubernetes YAML files.
Detect YAML files in repos and analyze their content to determine whether they're manifests (for example by looking for specific keys and values such as
kind: Pod). We'll have to tweak the output of kubesec to fit our format.
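An added example (not code from this issue, GitLab, or kubesec) of the two steps above: finding workload manifests in a YAML file by their top-level apiVersion/kind keys, then mapping kubesec-style findings onto the minimal vulnerability fields listed below. The kubesec JSON shape and the sample manifest are constructed here and are assumptions, not the tool's documented format.

```python
import re

# Top-level keys only (no leading whitespace), so nested "kind:" values are ignored.
API_RE = re.compile(r"^apiVersion:\s*(\S+)", re.M)
KIND_RE = re.compile(r"^kind:\s*(\S+)", re.M)
WORKLOAD_KINDS = {"Pod", "Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob"}

def find_manifests(text):
    """Return [(kind, line_of_kind_key)] for every YAML document that looks like a workload manifest."""
    found, doc_start, doc_lines = [], 1, []
    for lineno, line in enumerate(text.splitlines() + ["---"], start=1):  # sentinel closes last doc
        if line.strip() == "---":
            body = "\n".join(doc_lines)
            api, kind = API_RE.search(body), KIND_RE.search(body)
            if api and kind and kind.group(1) in WORKLOAD_KINDS:
                found.append((kind.group(1), doc_start + body[: kind.start()].count("\n")))
            doc_start, doc_lines = lineno + 1, []
        else:
            doc_lines.append(line)
    return found

def to_report(kubesec_output, path, manifests):
    """Map kubesec-style findings to {type, description, file, line}; assumes one result per workload doc, in file order."""
    vulns = []
    for result, (kind, line) in zip(kubesec_output, manifests):
        for bucket, severity in (("critical", "High"), ("advise", "Medium")):
            for item in result.get("scoring", {}).get(bucket, []):
                vulns.append({
                    "type": f"kubesec:{bucket}:{item['selector']}",  # selector keeps types distinct per rule
                    "description": item["reason"],
                    "file": path, "line": line, "severity": severity,
                })
    return vulns

# Constructed sample: one privileged Pod followed by a ConfigMap that must be skipped.
SAMPLE_YAML = """apiVersion: v1
kind: Pod
metadata:
  name: web
spec:
  containers:
  - name: app
    image: nginx
    securityContext:
      privileged: true
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: cfg
"""
# Constructed, kubesec-like result for the Pod above (assumed shape).
SAMPLE_KUBESEC = [{"object": "Pod/web.default", "score": -30, "scoring": {
    "critical": [{"selector": "containers[] .securityContext .privileged == true",
                  "reason": "Privileged containers can allow almost completely unrestricted host access"}]}}]
```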
Permissions and Security
E2E tests like for any other SAST analyzer.
What does success look like, and how can we measure that?
Users get security insights for their Kubernetes manifests.
What is the type of buyer?
Links / references
- Has permissive software license
- Headless execution (CLI tool)
- Executable using GitLab Runner's Linux or Windows Docker executor
- Language identification method (file extension, package file, etc.)
Minimal vulnerability data
- description (helpful but not mandatory)
- type (unique value to avoid collisions with other occurrences)
- file path
- line number