Security Audit Report for Secrover
Audit run on 2026-02-10 04:03 with Secrover 0.7, osv-scanner 2.1.0, opengrep 1.15.1
📝 Code Report
7 vulnerabilities (High: 0, Moderate: 7, Low: 0)
cluster: Talos Kubernetes Cluster
5 vulnerabilities (High: 0, Moderate: 5, Low: 0)
🕵️ Findings Details:
yaml.kubernetes.security.run-as-non-root.run-as-non-root —
A container that is allowed to run as root (UID 0) gives an attacker who compromises it the best possible starting point: root inside the container is what most container-escape and host-resource-access techniques require. Set `runAsNonRoot: true` in the container's `securityContext` (or at the pod level, which containers inherit); the kubelet then refuses to start the container if its image would run as UID 0. The kubelet checks this against a numeric UID, so an image whose `USER` is a name rather than a number fails to start under `runAsNonRoot` unless `runAsUser` is also set. The flagged file is a Kyverno policy rather than a workload manifest: a policy's match pattern can contain a container-shaped block that triggers this rule, so confirm that line 50 describes a container that will actually be created, not a pattern the policy matches against, before treating this as a real finding.
File: clusters/main/kubernetes/core/kyverno-policies/app/ensure-digest.yaml:50, Severity: Moderate
yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext —
Container images may ship `setuid`/`setgid` binaries or files with capability bits, which let a process obtain more privileges than the one that launched it. Set `allowPrivilegeEscalation: false` in the container's `securityContext`; this sets the `no_new_privs` flag on the container's processes, so such binaries cannot grant any additional privileges. It does not take away privileges the container already has, and Kubernetes forces it to `true` for a container that is `privileged` or holds `CAP_SYS_ADMIN`, so use it together with `runAsNonRoot: true`, a dropped capability set and no `privileged` flag. The match is inside a Kyverno policy rather than a workload manifest, so check whether line 52 describes a container that is actually deployed or only a pattern the policy matches against.
File: clusters/main/kubernetes/core/kyverno-policies/app/ensure-digest.yaml:52, Severity: Moderate
generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash —
bcrypt hash detected: a bcrypt password hash is embedded in the HelmRelease values. A hash is not a plaintext credential, but committing it publishes it for offline cracking, so treat it as sensitive (keep it in a Kubernetes Secret that is encrypted in Git rather than in chart values) and make sure the password behind it is strong.
File: clusters/main/kubernetes/flux-system/weave-gitops/app/helm-release.yaml:39, Severity: Moderate
yaml.kubernetes.security.privileged-container.privileged-container —
The container or pod sets `privileged: true`, which grants it every Linux capability and access to host devices, effectively root on the node: a compromise of such a container is a compromise of the host. Remove the `privileged` key unless the workload genuinely needs it. The flagged file is the Cilium HelmRelease; a CNI agent that loads eBPF programs and manages host networking needs host-level access, so check whether the chart version in use can run the component with an explicit capability list instead of `privileged`, and record the exception if it cannot.
File: clusters/main/kubernetes/kube-system/cilium/app/helm-release.yaml:57, Severity: Moderate
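The three `securityContext` findings above (`run-as-non-root`, `allow-privilege-escalation-no-securitycontext` and `privileged-container`) look at the same few fields of a container spec. The following Go program is an added example written for this report, not code from the audited cluster repository, from Secrover or from opengrep: it applies the three checks to every init and regular container of a Pod manifest, using two constructed manifests, one with the weak defaults and one hardened the way the findings recommend. The manifests are JSON so that the example needs only Go's standard library (Kubernetes accepts JSON manifests as well as YAML); the struct, function and container names are the example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SecurityContext is the subset of the Kubernetes v1 schema the three rules
// look at. Pointer fields distinguish "unset" from "false": an unset
// runAsNonRoot or allowPrivilegeEscalation is what the first two rules fire on.
type SecurityContext struct {
	RunAsNonRoot             *bool `json:"runAsNonRoot,omitempty"`
	AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty"`
	Privileged               *bool `json:"privileged,omitempty"`
}

type Container struct {
	Name            string           `json:"name"`
	Image           string           `json:"image"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

type PodSpec struct {
	// Pod-level context: only runAsNonRoot is inherited by the containers.
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
	InitContainers  []Container      `json:"initContainers,omitempty"`
	Containers      []Container      `json:"containers"`
}

// Finding names a container and the report rule it violates.
type Finding struct {
	Container string
	Rule      string
}

// CheckPod applies the three rules to a JSON Pod manifest. Unknown fields
// (capabilities, seccompProfile, ...) are ignored by encoding/json.
func CheckPod(manifest []byte) ([]Finding, error) {
	var pod struct {
		Spec PodSpec `json:"spec"`
	}
	if err := json.Unmarshal(manifest, &pod); err != nil {
		return nil, fmt.Errorf("parse manifest: %w", err)
	}
	podNonRoot := false
	if sc := pod.Spec.SecurityContext; sc != nil && sc.RunAsNonRoot != nil {
		podNonRoot = *sc.RunAsNonRoot
	}
	var findings []Finding
	all := append(append([]Container{}, pod.Spec.InitContainers...), pod.Spec.Containers...)
	for _, c := range all {
		sc := c.SecurityContext
		if sc == nil {
			sc = &SecurityContext{}
		}
		// The container value overrides the pod value; unset at both levels
		// means the image may run as UID 0.
		nonRoot := podNonRoot
		if sc.RunAsNonRoot != nil {
			nonRoot = *sc.RunAsNonRoot
		}
		if !nonRoot {
			findings = append(findings, Finding{c.Name, "run-as-non-root"})
		}
		// allowPrivilegeEscalation defaults to true, so only an explicit false passes.
		if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			findings = append(findings, Finding{c.Name, "allow-privilege-escalation"})
		}
		// privileged defaults to false; only an explicit true is a finding.
		if sc.Privileged != nil && *sc.Privileged {
			findings = append(findings, Finding{c.Name, "privileged-container"})
		}
	}
	return findings, nil
}

// Constructed sample manifests (not taken from the audited repository).
const WeakPod = `{"apiVersion":"v1","kind":"Pod","metadata":{"name":"weak"},"spec":{
  "initContainers":[{"name":"setup","image":"busybox:1.36","securityContext":{"privileged":true}}],
  "containers":[{"name":"app","image":"nginx:1.27"}]}}`

const HardenedPod = `{"apiVersion":"v1","kind":"Pod","metadata":{"name":"hardened"},"spec":{
  "securityContext":{"runAsNonRoot":true,"runAsUser":10001,"seccompProfile":{"type":"RuntimeDefault"}},
  "initContainers":[{"name":"setup","image":"busybox:1.36",
    "securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}}],
  "containers":[{"name":"app","image":"nginx:1.27",
    "securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}}]}}`

func main() {
	for _, m := range []struct{ name, manifest string }{{"weak", WeakPod}, {"hardened", HardenedPod}} {
		findings, err := CheckPod([]byte(m.manifest))
		if err != nil {
			fmt.Println(m.name, "error:", err)
			continue
		}
		fmt.Printf("%s: %d finding(s)\n", m.name, len(findings))
		for _, f := range findings {
			fmt.Printf("  container %q: %s\n", f.Container, f.Rule)
		}
	}
}
```

The weak manifest produces five findings (three for the privileged init container, two for the app container that has no `securityContext` at all); the hardened one produces none. Note that a `runAsUser: 10001` on its own does not satisfy the first rule, because the rule, like the kubelet's check, keys on `runAsNonRoot`.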
generic.secrets.security.detected-jwt-token.detected-jwt-token —
JWT token detected: a JSON Web Token is embedded in the HelmRelease values. Unlike a hash, a bearer token is directly usable by anyone who can read the repository, so if it is a live credential, revoke or rotate it and move it into a Kubernetes Secret that is encrypted in Git instead of chart values. Decoding the token's middle (payload) segment from base64url shows its issuer and expiry without the signing key; if it turns out to be expired or intentionally public, the finding can be marked as a false positive.
File: clusters/main/kubernetes/tools/mend-renovate/app/helm-release.yaml:65, Severity: Moderate
cluster-scripts: Cluster Scripts
0 vulnerabilities (High: 0, Moderate: 0, Low: 0)
🕵️ Findings Details:
None - All clear!
rompatcherjs: RomPatcher.js
1 vulnerability (High: 0, Moderate: 1, Low: 0)
🕵️ Findings Details:
dockerfile.security.missing-user.missing-user —
Without a `USER` instruction, the processes in the container run as `root`. An attacker who controls such a process controls the whole container, and any container-escape technique that requires root is then available. Ensure that the last `USER` in the Dockerfile (in the final stage of a multi-stage build) is a user other than `root`, created in the image and given ownership of only the files it needs. Prefer a numeric UID (`USER 10001`) over a name: Kubernetes' `runAsNonRoot` check needs a numeric UID and otherwise refuses to start the container.
File: Dockerfile:33, Severity: Moderate
apod: APOD project
0 vulnerabilities (High: 0, Moderate: 0, Low: 0)
🕵️ Findings Details:
None - All clear!
go-littlelinks-generator: GO LittleLinks Generator
1 vulnerability (High: 0, Moderate: 1, Low: 0)
🕵️ Findings Details:
go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb —
Detected a possible denial of service through a decompression (zip) bomb: the code copies a decompressed stream to its end, so a small download can expand to gigabytes and exhaust memory or disk. Mitigate it by bounding the number of decompressed bytes read, for example with `io.CopyN()` (which takes a byte count) or by wrapping the reader in `io.LimitReader()`, and rejecting the input when the limit is reached. Limiting the size of the compressed input alone is not enough, since typical bombs expand by a factor of 1000 or more.
File: internal/utils/download.go:138, Severity: Moderate
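The following Go example is added here to show the flagged pattern next to its bounded form; it is not code from go-littlelinks-generator, whose `download.go` is not reproduced in this report. It assumes the downloaded data is a gzip stream (the report does not say which format the project handles; the same `io.CopyN` bound applies to zip, zlib and bzip2 readers) and uses a 1 MiB limit as a placeholder for whatever the application can genuinely accept. The bomb it rejects is constructed in memory from compressible zeros, and all names are the example's own.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when the inflated data would exceed the caller's limit.
var ErrTooLarge = errors.New("decompressed data exceeds size limit")

// UnsafeInflate is the flagged pattern: io.Copy reads until EOF, so the memory
// (or disk) consumed is decided by the attacker's compression ratio, not by
// the caller.
func UnsafeInflate(compressed []byte) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	var out bytes.Buffer
	if _, err := io.Copy(&out, zr); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}

// SafeInflate asks io.CopyN for limit+1 bytes. A payload that inflates to at
// most `limit` bytes ends in io.EOF and is accepted; anything larger is cut
// off after materialising only limit+1 bytes and rejected. The bound is on the
// inflated size, which is the quantity a bomb blows up; bounding the
// compressed input (e.g. with http.MaxBytesReader) does not help against a
// 1000:1 ratio.
func SafeInflate(compressed []byte, limit int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	var out bytes.Buffer
	n, err := io.CopyN(&out, zr, limit+1)
	if err != nil && !errors.Is(err, io.EOF) {
		return nil, err
	}
	if n > limit {
		return nil, ErrTooLarge
	}
	return out.Bytes(), nil
}

// Compress gzips data at the highest compression level.
func Compress(data []byte) []byte {
	var buf bytes.Buffer
	zw, err := gzip.NewWriterLevel(&buf, gzip.BestCompression)
	if err != nil {
		panic(err)
	}
	zw.Write(data)
	zw.Close()
	return buf.Bytes()
}

// MakeBomb builds a constructed gzip bomb: `size` bytes of zeros, which gzip
// shrinks by roughly 1000:1, so a few kilobytes on the wire become megabytes
// in memory once inflated.
func MakeBomb(size int) []byte {
	return Compress(make([]byte, size))
}

func main() {
	const limit = 1 << 20 // 1 MiB placeholder limit
	bomb := MakeBomb(8 << 20)
	fmt.Printf("bomb: %d compressed bytes\n", len(bomb))
	if out, err := UnsafeInflate(bomb); err == nil {
		fmt.Printf("unsafe: inflated %d bytes\n", len(out))
	}
	if _, err := SafeInflate(bomb, limit); err != nil {
		fmt.Println("safe:", err)
	}
	if out, err := SafeInflate(Compress([]byte("hello")), limit); err == nil {
		fmt.Printf("safe: small payload ok: %q\n", out)
	}
}
```

When the inflated data is written to a file rather than a buffer, the same `io.CopyN` call works with the file as the destination; the `n > limit` check then also tells the caller to delete the partial file it has just written.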