
Terraform Missing Security Context Capabilities

Description

Detects Kubernetes containers, declared through Terraform, whose security context capabilities are missing or improperly configured. This is a security risk because container capabilities control which privileged operations a container may perform; when no restriction is declared, the container can perform dangerous system-level operations.

Weakness:

267 - Excessive Privileges - Kubernetes

Category: Functionality Abuse

Detection Strategy

    Analyzes Kubernetes resource files (Pod, Deployment, StatefulSet, etc.)

    Examines container specifications within these resources

    Checks if securityContext.capabilities section is properly defined for each container

    Reports a vulnerability if capabilities are missing or improperly configured

Vulnerable code example

resource "kubernetes_pod_v1" "vulnerable_pod" {
  metadata {
    name = "vulnerable-pod"
  }
  spec {
    container {
      name  = "nginx"
      image = "nginx"...

✅ Secure code example

resource "kubernetes_pod_v1" "secure_pod" {
  metadata {
    name = "secure-pod"
  }
  spec {
    # Pod-level security context adds base security controls
    security_context {
      run_as_non_root = true...
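The following is an added, complete example; it is not the truncated code from this database entry and not code from any project. It places a container that this rule would flag next to one that satisfies it, so that the difference the detector looks for (a container-level security_context with a capabilities section) is visible in full. Resource names, pod names, the image reference and the UID/GID values are assumed placeholders; the attribute names are those of the hashicorp/kubernetes provider's kubernetes_pod_v1 resource.

```hcl
# Added example, not the database entry's own code. Names, image and
# numeric IDs are placeholders chosen for illustration.

terraform {
  required_providers {
    kubernetes = {
      source = "hashicorp/kubernetes"
    }
  }
}

# Flagged by the rule: the container declares no security_context, so
# securityContext.capabilities is absent and the container keeps the
# runtime's default capability set.
resource "kubernetes_pod_v1" "flagged" {
  metadata {
    name = "flagged-pod"
  }
  spec {
    container {
      name  = "app"
      image = "registry.example.com/app:1.0" # placeholder image
    }
  }
}

# Passes the rule: every container defines securityContext.capabilities,
# and the definition drops the whole default set rather than trimming it.
resource "kubernetes_pod_v1" "hardened" {
  metadata {
    name = "hardened-pod"
  }
  spec {
    # Pod-level defaults apply to all containers unless a container
    # overrides them; they do not by themselves satisfy this rule,
    # because capabilities are only configurable per container.
    security_context {
      run_as_non_root = true
      run_as_user     = 10001 # placeholder non-root UID
      run_as_group    = 10001 # placeholder GID
      fs_group        = 10001
      seccomp_profile {
        type = "RuntimeDefault"
      }
    }

    container {
      name  = "app"
      image = "registry.example.com/app:1.0" # placeholder image

      security_context {
        # The section the rule checks for. Dropping ALL removes every
        # default capability; add back only what the workload needs
        # (none here, since the process listens on an unprivileged port).
        capabilities {
          drop = ["ALL"]
        }
        # Companion settings that keep a dropped capability from being
        # regained or bypassed at runtime.
        allow_privilege_escalation = false
        privileged                 = false
        read_only_root_filesystem  = true
        run_as_non_root            = true
      }

      port {
        container_port = 8080
      }
    }
  }
}
```

Run `terraform validate` against the file to confirm the blocks are well-formed; the rule itself is evaluated per container, so the same `security_context { capabilities { drop = ["ALL"] } }` block belongs in every `container` and `init_container` of a pod, and in the pod template of Deployment, StatefulSet and similar resources. A cluster that enforces the Pod Security Standards "restricted" profile rejects pods that do not drop ALL, so the Terraform-side check and the admission-side policy reinforce each other.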