Json Yaml Missing Drop All
Description
Detects when Kubernetes container security contexts do not explicitly drop "ALL" capabilities, which may leave containers with unnecessary privileges. Dropping all capabilities and then selectively adding only required ones is a security best practice for limiting container privileges.
Detection Strategy
• Analyzes Kubernetes container specifications in YAML/JSON configuration files
• Checks the 'drop' field under container security contexts
• Reports a vulnerability if the 'drop' list exists but does not contain the 'ALL' capability (matched case-insensitively)
• Examines each container definition in the spec.template.spec.containers array
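The check described above, as an added example that is not Fluid Attacks' own scanner code: a standard-library Python function that walks spec.containers as well as spec.template.spec.containers (slightly beyond the path the page names) and reports containers whose drop list exists but lacks ALL. The manifest is constructed for the example; for YAML input, parse with a YAML library and pass the resulting dict.

```python
"""Flag containers whose capabilities.drop list exists but omits ALL.

Added example (not Fluid Attacks' scanner code), standard library only.
Takes the parsed manifest as a dict: json.loads for JSON, or a YAML
library for YAML manifests.
"""
import json


def _containers(manifest: dict) -> list:
    """Containers from a bare Pod (spec.containers) and from templated
    workloads (spec.template.spec.containers); the page names the latter."""
    spec = manifest.get("spec") or {}
    template_spec = (spec.get("template") or {}).get("spec") or {}
    return (spec.get("containers") or []) + (template_spec.get("containers") or [])


def find_missing_drop_all(manifest: dict) -> list:
    """Return names of containers whose securityContext.capabilities.drop
    is present but contains no ALL entry (compared case-insensitively).
    A container with no drop list at all is not reported, as in the rule."""
    findings = []
    for container in _containers(manifest):
        caps = (container.get("securityContext") or {}).get("capabilities") or {}
        drop = caps.get("drop")
        if drop is None:
            continue
        if not any(str(cap).upper() == "ALL" for cap in drop):
            findings.append(container.get("name", "<unnamed>"))
    return findings


# Constructed sample manifest (not from a real cluster): one container drops
# only NET_RAW, one drops "all" in lower case, one has no drop list at all.
SAMPLE_DEPLOYMENT = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
 "spec": {"template": {"spec": {"containers": [
   {"name": "partial-drop", "image": "nginx",
    "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}},
   {"name": "drop-all", "image": "nginx",
    "securityContext": {"capabilities": {"drop": ["all"]}}},
   {"name": "no-drop-list", "image": "nginx"}
 ]}}}}
""")

if __name__ == "__main__":
    print(find_missing_drop_all(SAMPLE_DEPLOYMENT))  # ['partial-drop']
```

Note that an empty drop list is also reported, since it exists without an ALL entry; a container with no drop list at all is left to other rules.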
Vulnerable code example
apiVersion: v1
kind: Pod
metadata:
  name: vulnerable-pod
spec:
  containers:
    - name: nginx
      image: nginx...
✅ Secure code example
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
  labels:
    app: nginx
spec:
  automountServiceAccountToken: false # Prevent access to K8s API...