Json Yaml Image Missing Digest
Description
Detects Kubernetes container specifications that use images without a digest (SHA256 hash). An image reference that carries only a tag (or no tag at all) is insecure because a tag is mutable: the registry can serve different content under the same tag, so the image that runs may not be the one that was reviewed, and a supply chain attack that modifies the image content would go undetected. A digest pins the exact content.
Detection Strategy
• Examines container specifications in Kubernetes manifests
• Looks for 'containers' sections that contain 'image' specifications
• Checks if the image reference lacks a digest (SHA256 hash) component
• Reports a vulnerability for any container image specified without a SHA256 digest
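The following Python check is an added example of this detection strategy, not Fluid Attacks' own scanner. It treats a reference as pinned only when it ends in a full 64-hex-character SHA256 digest, walks init, regular and ephemeral containers, and handles both bare Pods and workloads with a pod template; the manifest is a constructed sample supplied as an already-parsed dict.

```python
"""Flag Kubernetes container images referenced without a SHA256 digest.
Added example, not Fluid Attacks' own scanner; the manifest below is a
constructed sample given as an already-parsed dict (what a YAML loader returns)."""
import re
from typing import Iterator, List

# A pinned reference ends in "@sha256:" plus exactly 64 hex characters. A ":"
# alone proves nothing: it may be a registry port or a mutable tag.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def has_digest(image: str) -> bool:
    """True only when the image reference is pinned by a full SHA256 digest."""
    return DIGEST_RE.search(image) is not None

def pod_specs(manifest: dict) -> Iterator[dict]:
    """Yield each PodSpec in a manifest: a bare Pod or a workload's pod template."""
    kind, spec = manifest.get("kind"), manifest.get("spec", {})
    if kind == "Pod":
        yield spec
    elif "template" in spec:  # Deployment, StatefulSet, DaemonSet, Job, ReplicaSet
        yield spec["template"].get("spec", {})

def find_unpinned_images(manifest: dict) -> List[str]:
    """Return one 'kind/name container=image' finding per image lacking a digest."""
    kind = manifest.get("kind", "?")
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for spec in pod_specs(manifest):
        # Init, regular and ephemeral containers all pull images, so check all three.
        for field in ("initContainers", "containers", "ephemeralContainers"):
            for c in spec.get(field, []):
                image = c.get("image", "")
                if not has_digest(image):
                    findings.append(f"{kind}/{name} {c.get('name')}={image}")
    return findings

# Constructed sample with a placeholder digest: one pinned image, two unpinned.
PINNED = "nginx@sha256:" + "ab" * 32
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "init", "image": "busybox:1.36"}],
        "containers": [{"name": "web", "image": PINNED},
                       {"name": "proxy", "image": "registry.example.com:5000/proxy"}],
    }}},
}

if __name__ == "__main__":
    for finding in find_unpinned_images(SAMPLE_DEPLOYMENT):
        print("unpinned image:", finding)
```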
Vulnerable code example

apiVersion: v1
kind: Pod
metadata:
  name: vulnerable-pod
spec:
  privileged: true # Dangerous: Allows privileged mode which bypasses security controls
  containers:
    - name: vuln-container...

✅ Secure code example
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
  labels:
    app: web
spec:
  # Remove privileged: true as it's a dangerous security risk...