Terraform Image Missing Digest
Description
Identifies Kubernetes container configurations that use container images without a digest tag (e.g., @sha256:...). Using container images without a digest is risky because tags such as 'latest' or a version number are mutable: the image they point to can be replaced after the fact, potentially allowing malicious code to be introduced into your cluster.
Detection Strategy
• Identifies Kubernetes resource files that define containers (like Deployments, StatefulSets, DaemonSets)
• Examines the container image specifications under the 'spec' field of these resources
• Reports a vulnerability when a container image reference does not include a digest tag (format: image@sha256:...)
• Checks both direct container specs and nested container definitions in pod templates
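The detection strategy above, as an added example that is not part of the original page or of Fluid Attacks' own scanner: a Python script that walks Terraform HCL text, finds container image assignments at any nesting depth (pod specs or deployment pod templates alike) and applies the digest check. The IMAGE_RE / DIGEST_RE patterns and the SAMPLE_HCL input are constructed for this example; it is a line-based match, not a full HCL parser, so variable references are surfaced for review rather than resolved.

```python
import re

# Digest form the rule expects: <name>[:tag]@sha256:<64 lowercase hex digits>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# Matches `image = "literal"` or `image = var.x`. Constructed for this example;
# it does not parse full HCL, so variable and local references stay unresolved.
IMAGE_RE = re.compile(r'^\s*image\s*=\s*(?:"([^"]*)"|(\S+))')

def is_pinned(image: str) -> bool:
    """True only when the reference ends in a full sha256 digest. A tag may
    precede it (nginx:1.25@sha256:...); a registry port (host:5000/app) does
    not count as pinning, and neither does a truncated digest."""
    return DIGEST_RE.search(image) is not None

def scan_hcl(text: str) -> list[tuple[int, str, str]]:
    """Return (line, image, reason) for each container image the rule would
    flag, in a direct pod spec or nested under a deployment template alike."""
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        m = IMAGE_RE.match(raw)
        if not m:
            continue
        literal, expr = m.group(1), m.group(2)
        if literal is None:  # var./local. reference: cannot verify statically
            findings.append((n, expr, "non-literal image reference"))
        elif not is_pinned(literal):
            findings.append((n, literal, "no sha256 digest"))
    return findings

# Constructed sample: a deployment whose pod template holds three containers.
SAMPLE_HCL = '''
resource "kubernetes_deployment" "api" {
  spec {
    template {
      spec {
        container {
          image = "registry.example.com:5000/api:1.4.2"
        }
        container {
          image = "nginx:1.25@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
        }
        container {
          image = var.agent_image
        }
      }
    }
  }
}
'''
```

Running `scan_hcl(SAMPLE_HCL)` reports the registry-port image (a version tag, no digest) and the variable reference, and passes the tag-plus-digest image.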
Vulnerable code example
resource "kubernetes_pod" "example" {
  metadata {
    name = "vulnerable-pod"
  }
  spec {
    container {
      name  = "web"
      image = "nginx" # Vulnerable: Using image without pinned hash allows for potential supply chain attacks...
    }
  }
}

✅ Secure code example
resource "kubernetes_pod" "example" {
  metadata {
    name = "secure-pod"
    labels = {
      app = "web"
    }
  }
  spec {
    ...
  }
}