diff --git a/auditors/apparmor/apparmor.go b/auditors/apparmor/apparmor.go index 0a7c26eb..24e820d8 100644 --- a/auditors/apparmor/apparmor.go +++ b/auditors/apparmor/apparmor.go @@ -65,7 +65,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi if isAppArmorAnnotationMissing(containerAnnotation, annotations) { return &kubeaudit.AuditResult{ Auditor: Name, - Name: AppArmorAnnotationMissing, + Rule: AppArmorAnnotationMissing, Severity: kubeaudit.Error, Message: fmt.Sprintf("AppArmor annotation missing. The annotation '%s' should be added.", containerAnnotation), Metadata: kubeaudit.Metadata{ @@ -82,7 +82,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi if isAppArmorDisabled(containerAnnotation, annotations) { return &kubeaudit.AuditResult{ Auditor: Name, - Name: AppArmorDisabled, + Rule: AppArmorDisabled, Message: fmt.Sprintf("AppArmor is disabled. The apparmor annotation should be set to '%s' or start with '%s'.", ProfileRuntimeDefault, ProfileNamePrefix), Severity: kubeaudit.Error, Metadata: kubeaudit.Metadata{ @@ -110,7 +110,7 @@ func auditPodAnnotations(resource k8s.Resource, containerNames []string) []*kube if !contains(containerNames, containerName) { auditResults = append(auditResults, &kubeaudit.AuditResult{ Auditor: Name, - Name: AppArmorInvalidAnnotation, + Rule: AppArmorInvalidAnnotation, Severity: kubeaudit.Error, Message: fmt.Sprintf("AppArmor annotation key refers to a container that doesn't exist. Remove the annotation '%s: %s'.", annotationKey, annotationValue), Metadata: kubeaudit.Metadata{ diff --git a/auditors/asat/asat.go b/auditors/asat/asat.go index 99639d1c..b20dc7da 100644 --- a/auditors/asat/asat.go +++ b/auditors/asat/asat.go 
@@ -46,7 +46,7 @@ func auditResource(resource k8s.Resource, resources []k8s.Resource) *kubeaudit.A if isDeprecatedServiceAccountName(podSpec) && !hasServiceAccountName(podSpec) { return &kubeaudit.AuditResult{ Auditor: Name, - Name: AutomountServiceAccountTokenDeprecated, + Rule: AutomountServiceAccountTokenDeprecated, Severity: kubeaudit.Warn, Message: "serviceAccount is a deprecated alias for serviceAccountName. serviceAccountName should be used instead.", PendingFix: &fixDeprecatedServiceAccountName{ @@ -62,7 +62,7 @@ func auditResource(resource k8s.Resource, resources []k8s.Resource) *kubeaudit.A if usesDefaultServiceAccount(podSpec) && isAutomountTokenTrue(podSpec, defaultServiceAccount) { return &kubeaudit.AuditResult{ Auditor: Name, - Name: AutomountServiceAccountTokenTrueAndDefaultSA, + Rule: AutomountServiceAccountTokenTrueAndDefaultSA, Severity: kubeaudit.Error, Message: "Default service account with token mounted. automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used.", PendingFix: &fixDefaultServiceAccountWithAutomountToken{ diff --git a/auditors/capabilities/capabilities.go b/auditors/capabilities/capabilities.go index ce95ee71..a59079da 100644 --- a/auditors/capabilities/capabilities.go +++ b/auditors/capabilities/capabilities.go @@ -76,7 +76,7 @@ func auditContainer(container *k8s.ContainerV1, capability string, allowAddList message := fmt.Sprintf("Capability \"%s\" added. It should be removed from the capability add list. If you need this capability, add an override label such as '%s: SomeReason'.", capability, override.GetContainerOverrideLabel(container.Name, getOverrideLabel(capability))) auditResult := &kubeaudit.AuditResult{ Auditor: Name, - Name: CapabilityAdded, + Rule: CapabilityAdded, Severity: kubeaudit.Error, Message: message, PendingFix: &fixCapabilityAdded{ 
@@ -105,7 +105,7 @@ func auditContainerForDropAll(container *k8s.ContainerV1) *kubeaudit.AuditResult message := "Security Context not set. The Security Context should be specified and all Capabilities should be dropped by setting the Drop list to ALL." return &kubeaudit.AuditResult{ Auditor: Name, - Name: CapabilityOrSecurityContextMissing, + Rule: CapabilityOrSecurityContextMissing, Severity: kubeaudit.Error, Message: message, PendingFix: &fixMissingSecurityContextOrCapability{ @@ -121,7 +121,7 @@ func auditContainerForDropAll(container *k8s.ContainerV1) *kubeaudit.AuditResult message := "Capability Drop list should be set to ALL. Add the specific ones you need to the Add list and set an override label." return &kubeaudit.AuditResult{ Auditor: Name, - Name: CapabilityShouldDropAll, + Rule: CapabilityShouldDropAll, Severity: kubeaudit.Error, Message: message, PendingFix: &fixCapabilityNotDroppedAll{ diff --git a/auditors/deprecatedapis/depreceatedapis.go b/auditors/deprecatedapis/depreceatedapis.go index f1bea0c4..60e67347 100644 --- a/auditors/deprecatedapis/depreceatedapis.go +++ b/auditors/deprecatedapis/depreceatedapis.go @@ -120,7 +120,7 @@ func (deprecatedAPIs *DeprecatedAPIs) Audit(resource k8s.Resource, _ []k8s.Resou } auditResult := &kubeaudit.AuditResult{ Auditor: Name, - Name: DeprecatedAPIUsed, + Rule: DeprecatedAPIUsed, Severity: severity, Message: deprecationMessage, Metadata: metadata, diff --git a/auditors/hostns/hostns.go b/auditors/hostns/hostns.go index 16264987..318f4da9 100644 --- a/auditors/hostns/hostns.go +++ b/auditors/hostns/hostns.go @@ -63,7 +63,7 @@ func auditHostNetwork(podSpec *k8s.PodSpecV1) *kubeaudit.AuditResult { } return &kubeaudit.AuditResult{ Auditor: Name, - Name: NamespaceHostNetworkTrue, + Rule: NamespaceHostNetworkTrue, Severity: kubeaudit.Error, Message: "hostNetwork is set to 'true' in PodSpec. It should be set to 'false'.", PendingFix: &fixHostNetworkTrue{ 
@@ -84,7 +84,7 @@ func auditHostIPC(podSpec *k8s.PodSpecV1) *kubeaudit.AuditResult { } return &kubeaudit.AuditResult{ Auditor: Name, - Name: NamespaceHostIPCTrue, + Rule: NamespaceHostIPCTrue, Severity: kubeaudit.Error, Message: "hostIPC is set to 'true' in PodSpec. It should be set to 'false'.", PendingFix: &fixHostIPCTrue{ @@ -105,7 +105,7 @@ func auditHostPID(podSpec *k8s.PodSpecV1) *kubeaudit.AuditResult { } return &kubeaudit.AuditResult{ Auditor: Name, - Name: NamespaceHostPIDTrue, + Rule: NamespaceHostPIDTrue, Severity: kubeaudit.Error, Message: "hostPID is set to 'true' in PodSpec. It should be set to 'false'.", PendingFix: &fixHostPIDTrue{ diff --git a/auditors/image/image.go b/auditors/image/image.go index 1678481e..5059fdc3 100644 --- a/auditors/image/image.go +++ b/auditors/image/image.go @@ -51,7 +51,7 @@ func auditContainer(container *k8s.ContainerV1, image string) *kubeaudit.AuditRe if isImageTagMissing(containerTag) { return &kubeaudit.AuditResult{ Auditor: Name, - Name: ImageTagMissing, + Rule: ImageTagMissing, Severity: kubeaudit.Warn, Message: "Image tag is missing.", Metadata: kubeaudit.Metadata{ @@ -63,7 +63,7 @@ func auditContainer(container *k8s.ContainerV1, image string) *kubeaudit.AuditRe if isImageTagIncorrect(name, tag, containerName, containerTag) { return &kubeaudit.AuditResult{ Auditor: Name, - Name: ImageTagIncorrect, + Rule: ImageTagIncorrect, Severity: kubeaudit.Error, Message: fmt.Sprintf("Container tag is incorrect. It should be set to '%s'.", tag), Metadata: kubeaudit.Metadata{ @@ -75,7 +75,7 @@ func auditContainer(container *k8s.ContainerV1, image string) *kubeaudit.AuditRe if isImageCorrect(name, tag, containerName, containerTag) { return &kubeaudit.AuditResult{ Auditor: Name, - Name: ImageCorrect, + Rule: ImageCorrect, Severity: kubeaudit.Info, Message: "Image tag is correct", Metadata: kubeaudit.Metadata{ diff --git a/auditors/limits/limits.go b/auditors/limits/limits.go index 0b7988fa..7ad46ff8 100644 
--- a/auditors/limits/limits.go +++ b/auditors/limits/limits.go @@ -66,7 +66,7 @@ func (limits *Limits) auditContainer(container *k8s.ContainerV1) (auditResults [ if isLimitsNil(container) { auditResult := &kubeaudit.AuditResult{ Auditor: Name, - Name: LimitsNotSet, + Rule: LimitsNotSet, Severity: kubeaudit.Warn, Message: "Resource limits not set.", Metadata: kubeaudit.Metadata{ @@ -83,7 +83,7 @@ func (limits *Limits) auditContainer(container *k8s.ContainerV1) (auditResults [ if isCPULimitUnset(container) { auditResult := &kubeaudit.AuditResult{ Auditor: Name, - Name: LimitsCPUNotSet, + Rule: LimitsCPUNotSet, Severity: kubeaudit.Warn, Message: "Resource CPU limit not set.", Metadata: kubeaudit.Metadata{ @@ -95,7 +95,7 @@ func (limits *Limits) auditContainer(container *k8s.ContainerV1) (auditResults [ maxCPU := limits.maxCPU.String() auditResult := &kubeaudit.AuditResult{ Auditor: Name, - Name: LimitsCPUExceeded, + Rule: LimitsCPUExceeded, Severity: kubeaudit.Warn, Message: fmt.Sprintf("CPU limit exceeded. It is set to '%s' which exceeds the max CPU limit of '%s'.", cpu, maxCPU), Metadata: kubeaudit.Metadata{ @@ -110,7 +110,7 @@ func (limits *Limits) auditContainer(container *k8s.ContainerV1) (auditResults [ if isMemoryLimitUnset(container) { auditResult := &kubeaudit.AuditResult{ Auditor: Name, - Name: LimitsMemoryNotSet, + Rule: LimitsMemoryNotSet, Severity: kubeaudit.Warn, Message: "Resource Memory limit not set.", Metadata: kubeaudit.Metadata{ @@ -122,7 +122,7 @@ func (limits *Limits) auditContainer(container *k8s.ContainerV1) (auditResults [ maxMemory := limits.maxMemory.String() auditResult := &kubeaudit.AuditResult{ Auditor: Name, - Name: LimitsMemoryExceeded, + Rule: LimitsMemoryExceeded, Severity: kubeaudit.Warn, Message: fmt.Sprintf("Memory limit exceeded. It is set to '%s' which exceeds the max Memory limit of '%s'.", memory, maxMemory), Metadata: kubeaudit.Metadata{ 
diff --git a/auditors/mounts/mounts.go b/auditors/mounts/mounts.go index efac26e0..104db4ef 100644 --- a/auditors/mounts/mounts.go +++ b/auditors/mounts/mounts.go @@ -101,7 +101,7 @@ func auditContainer(container *k8s.ContainerV1, sensitiveVolumes map[string]v1.V if volume, ok := sensitiveVolumes[mount.Name]; ok { auditResults = append(auditResults, &kubeaudit.AuditResult{ Auditor: Name, - Name: SensitivePathsMounted, + Rule: SensitivePathsMounted, Severity: kubeaudit.Error, Message: fmt.Sprintf("Sensitive path mounted as volume: %s (hostPath: %s). It should be removed from the container's mounts list.", mount.Name, volume.HostPath.Path), Metadata: kubeaudit.Metadata{ diff --git a/auditors/netpols/netpols.go b/auditors/netpols/netpols.go index 9c796709..233eb873 100644 --- a/auditors/netpols/netpols.go +++ b/auditors/netpols/netpols.go @@ -73,7 +73,7 @@ func auditNetworkPolicy(networkPolicy *k8s.NetworkPolicyV1) []*kubeaudit.AuditRe if allIngressTrafficAllowed(networkPolicy) { auditResult := &kubeaudit.AuditResult{ Auditor: Name, - Name: AllowAllIngressNetworkPolicyExists, + Rule: AllowAllIngressNetworkPolicyExists, Severity: kubeaudit.Warn, Message: "Found allow all ingress traffic NetworkPolicy.", Metadata: kubeaudit.Metadata{ @@ -86,7 +86,7 @@ func auditNetworkPolicy(networkPolicy *k8s.NetworkPolicyV1) []*kubeaudit.AuditRe if allEgressTrafficAllowed(networkPolicy) { auditResult := &kubeaudit.AuditResult{ Auditor: Name, - Name: AllowAllEgressNetworkPolicyExists, + Rule: AllowAllEgressNetworkPolicyExists, Severity: kubeaudit.Warn, Message: "Found allow all egress traffic NetworkPolicy.", Metadata: kubeaudit.Metadata{ 
@@ -111,7 +111,7 @@ func auditNetworkPoliciesForDenyAll(resource k8s.Resource, resources []k8s.Resou if !hasDefaultDenyIngress { auditResult := &kubeaudit.AuditResult{ Auditor: Name, - Name: MissingDefaultDenyIngressNetworkPolicy, + Rule: MissingDefaultDenyIngressNetworkPolicy, Severity: kubeaudit.Error, Message: fmt.Sprintf("All ingress traffic should be blocked by default for namespace %s.", namespace), Metadata: kubeaudit.Metadata{ @@ -129,7 +129,7 @@ func auditNetworkPoliciesForDenyAll(resource k8s.Resource, resources []k8s.Resou if !hasDefaultDenyEgress { auditResult := &kubeaudit.AuditResult{ Auditor: Name, - Name: MissingDefaultDenyEgressNetworkPolicy, + Rule: MissingDefaultDenyEgressNetworkPolicy, Severity: kubeaudit.Error, Message: fmt.Sprintf("All egress traffic should be blocked by default for namespace %s.", namespace), Metadata: kubeaudit.Metadata{ @@ -154,7 +154,7 @@ func auditNetworkPoliciesForDenyAll(resource k8s.Resource, resources []k8s.Resou if !hasIngressOverride && !hasEgressOverride { auditResult := &kubeaudit.AuditResult{ Auditor: Name, - Name: MissingDefaultDenyIngressAndEgressNetworkPolicy, + Rule: MissingDefaultDenyIngressAndEgressNetworkPolicy, Severity: kubeaudit.Error, Message: "Namespace is missing a default deny ingress and egress NetworkPolicy.", Metadata: kubeaudit.Metadata{ @@ -171,7 +171,7 @@ func auditNetworkPoliciesForDenyAll(resource k8s.Resource, resources []k8s.Resou if hasIngressOverride && hasEgressOverride { auditResult := &kubeaudit.AuditResult{ Auditor: Name, - Name: override.GetOverriddenResultName(MissingDefaultDenyIngressAndEgressNetworkPolicy), + Rule: override.GetOverriddenResultName(MissingDefaultDenyIngressAndEgressNetworkPolicy), Severity: kubeaudit.Warn, Message: "Namespace is missing a default deny ingress and egress NetworkPolicy.", Metadata: kubeaudit.Metadata{ 
@@ -186,7 +186,7 @@ func auditNetworkPoliciesForDenyAll(resource k8s.Resource, resources []k8s.Resou // fixed and the other is overridden auditResult := &kubeaudit.AuditResult{ Auditor: Name, - Name: MissingDefaultDenyIngressNetworkPolicy, + Rule: MissingDefaultDenyIngressNetworkPolicy, Severity: kubeaudit.Error, Message: "Namespace is missing a default deny ingress NetworkPolicy.", Metadata: kubeaudit.Metadata{ @@ -202,7 +202,7 @@ func auditNetworkPoliciesForDenyAll(resource k8s.Resource, resources []k8s.Resou auditResult = &kubeaudit.AuditResult{ Auditor: Name, - Name: MissingDefaultDenyEgressNetworkPolicy, + Rule: MissingDefaultDenyEgressNetworkPolicy, Severity: kubeaudit.Error, Message: "Namespace is missing a default deny egress NetworkPolicy.", Metadata: kubeaudit.Metadata{ diff --git a/auditors/nonroot/nonroot.go b/auditors/nonroot/nonroot.go index 83e0d9ed..7dba3e0a 100644 --- a/auditors/nonroot/nonroot.go +++ b/auditors/nonroot/nonroot.go @@ -57,7 +57,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi if *container.SecurityContext.RunAsUser == 0 { return &kubeaudit.AuditResult{ Auditor: Name, - Name: RunAsUserCSCRoot, + Rule: RunAsUserCSCRoot, Severity: kubeaudit.Error, Message: "runAsUser is set to UID 0 (root user) in the container SecurityContext. Either set it to a value > 0 or remove it and set runAsNonRoot to true.", PendingFix: &fixRunAsNonRoot{ @@ -73,7 +73,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi if *podSpec.SecurityContext.RunAsUser == 0 { return &kubeaudit.AuditResult{ Auditor: Name, - Name: RunAsUserPSCRoot, + Rule: RunAsUserPSCRoot, Severity: kubeaudit.Warn, Message: "runAsUser is set to UID 0 (root user) in the PodSecurityContext. Either set it to a value > 0 or remove it and set runAsNonRoot to true.", Metadata: kubeaudit.Metadata{ 
@@ -90,7 +90,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi if *podSpec.SecurityContext.RunAsUser == 0 { return &kubeaudit.AuditResult{ Auditor: Name, - Name: RunAsUserPSCRoot, + Rule: RunAsUserPSCRoot, Severity: kubeaudit.Error, Message: "runAsUser is set to UID 0 (root user) in the PodSecurityContext. Either set it to a value > 0 or remove it and set runAsNonRoot to true.", PendingFix: &fixRunAsNonRoot{ @@ -108,7 +108,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi if isContainerRunAsNonRootCSCFalse(container) { return &kubeaudit.AuditResult{ Auditor: Name, - Name: RunAsNonRootCSCFalse, + Rule: RunAsNonRootCSCFalse, Severity: kubeaudit.Error, Message: "runAsNonRoot is set to false in the container SecurityContext. Either set it to true or set runAsUser to a value > 0.", PendingFix: &fixRunAsNonRoot{ @@ -124,7 +124,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi if isPodRunAsNonRootNil(podSpec) { return &kubeaudit.AuditResult{ Auditor: Name, - Name: RunAsNonRootPSCNilCSCNil, + Rule: RunAsNonRootPSCNilCSCNil, Severity: kubeaudit.Error, Message: "runAsNonRoot should be set to true or runAsUser should be set to a value > 0 either in the container SecurityContext or PodSecurityContext.", PendingFix: &fixRunAsNonRoot{ @@ -139,7 +139,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi if isPodRunAsNonRootFalse(podSpec) { return &kubeaudit.AuditResult{ Auditor: Name, - Name: RunAsNonRootPSCFalseCSCNil, + Rule: RunAsNonRootPSCFalseCSCNil, Severity: kubeaudit.Error, Message: "runAsNonRoot is set to false in the PodSecurityContext. Either set it to true or set runAsUser to a value > 0.", PendingFix: &fixRunAsNonRoot{ diff --git a/auditors/privesc/privesc.go b/auditors/privesc/privesc.go index 531d236d..2833a56a 100644 --- a/auditors/privesc/privesc.go +++ b/auditors/privesc/privesc.go 
@@ -45,7 +45,7 @@ func auditContainer(container *k8s.ContainerV1) *kubeaudit.AuditResult { if isAllowPrivilegeEscalationNil(container) { return &kubeaudit.AuditResult{ Auditor: Name, - Name: AllowPrivilegeEscalationNil, + Rule: AllowPrivilegeEscalationNil, Severity: kubeaudit.Error, Message: "allowPrivilegeEscalation not set which allows privilege escalation. It should be set to 'false'.", PendingFix: &fixBySettingAllowPrivilegeEscalationFalse{ @@ -60,7 +60,7 @@ func auditContainer(container *k8s.ContainerV1) *kubeaudit.AuditResult { if isAllowPrivilegeEscalationTrue(container) { return &kubeaudit.AuditResult{ Auditor: Name, - Name: AllowPrivilegeEscalationTrue, + Rule: AllowPrivilegeEscalationTrue, Severity: kubeaudit.Error, Message: "allowPrivilegeEscalation set to 'true'. It should be set to 'false'.", PendingFix: &fixBySettingAllowPrivilegeEscalationFalse{ diff --git a/auditors/privileged/privileged.go b/auditors/privileged/privileged.go index f3b23efa..296d9dfe 100644 --- a/auditors/privileged/privileged.go +++ b/auditors/privileged/privileged.go @@ -44,7 +44,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi if isPrivilegedNil(container) { return &kubeaudit.AuditResult{ Auditor: Name, - Name: PrivilegedNil, + Rule: PrivilegedNil, Severity: kubeaudit.Warn, Message: "privileged is not set in container SecurityContext. Privileged defaults to 'false' but it should be explicitly set to 'false'.", PendingFix: &fixPrivileged{ @@ -59,7 +59,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi if isPrivilegedTrue(container) { return &kubeaudit.AuditResult{ Auditor: Name, - Name: PrivilegedTrue, + Rule: PrivilegedTrue, Severity: kubeaudit.Error, Message: "privileged is set to 'true' in container SecurityContext. It should be set to 'false'.", PendingFix: &fixPrivileged{ diff --git a/auditors/rootfs/rootfs.go b/auditors/rootfs/rootfs.go index 319fecc9..5f71eb5b 100644 --- a/auditors/rootfs/rootfs.go 
+++ b/auditors/rootfs/rootfs.go @@ -44,7 +44,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi if isReadOnlyRootFilesystemNil(container) { return &kubeaudit.AuditResult{ Auditor: Name, - Name: ReadOnlyRootFilesystemNil, + Rule: ReadOnlyRootFilesystemNil, Severity: kubeaudit.Error, Message: "readOnlyRootFilesystem is not set in container SecurityContext. It should be set to 'true'.", PendingFix: &fixReadOnlyRootFilesystem{ @@ -59,7 +59,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi if isReadOnlyRootFilesystemFalse(container) { return &kubeaudit.AuditResult{ Auditor: Name, - Name: ReadOnlyRootFilesystemFalse, + Rule: ReadOnlyRootFilesystemFalse, Severity: kubeaudit.Error, Message: "readOnlyRootFilesystem is set to 'false' in container SecurityContext. It should be set to 'true'.", PendingFix: &fixReadOnlyRootFilesystem{ diff --git a/auditors/seccomp/seccomp.go b/auditors/seccomp/seccomp.go index 91ab760d..3f01d319 100644 --- a/auditors/seccomp/seccomp.go +++ b/auditors/seccomp/seccomp.go @@ -77,7 +77,7 @@ func auditPod(resource k8s.Resource) *kubeaudit.AuditResult { return &kubeaudit.AuditResult{ Auditor: Name, - Name: SeccompAnnotationMissing, + Rule: SeccompAnnotationMissing, Severity: kubeaudit.Error, Message: fmt.Sprintf("Seccomp annotation is missing. The annotation %s: %s should be added.", PodAnnotationKey, ProfileRuntimeDefault), PendingFix: &fix.ByAddingPodAnnotation{ @@ -95,7 +95,7 @@ func auditPod(resource k8s.Resource) *kubeaudit.AuditResult { if isSeccompProfileDeprecated(podSeccompProfile) { return &kubeaudit.AuditResult{ Auditor: Name, - Name: SeccompDeprecatedPod, + Rule: SeccompDeprecatedPod, Severity: kubeaudit.Error, Message: fmt.Sprintf("Seccomp pod annotation is set to deprecated value %s. It should be set to %s instead.", podSeccompProfile, ProfileRuntimeDefault), PendingFix: &fix.BySettingPodAnnotation{ 
@@ -112,7 +112,7 @@ func auditPod(resource k8s.Resource) *kubeaudit.AuditResult { if !isSeccompEnabled(podSeccompProfile) { return &kubeaudit.AuditResult{ Auditor: Name, - Name: SeccompDisabledPod, + Rule: SeccompDisabledPod, Severity: kubeaudit.Error, Message: fmt.Sprintf("Seccomp pod annotation is set to %s which disables Seccomp. It should be set to the default profile %s or should start with %s.", podSeccompProfile, ProfileRuntimeDefault, ProfileNamePrefix), PendingFix: &fix.BySettingPodAnnotation{ @@ -158,7 +158,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi if isSeccompProfileDeprecated(containerSeccompProfile) { return &kubeaudit.AuditResult{ Auditor: Name, - Name: SeccompDeprecatedContainer, + Rule: SeccompDeprecatedContainer, Severity: kubeaudit.Error, Message: fmt.Sprintf("Seccomp container annotation is set to deprecated value %s. It should be set to %s instead.", containerSeccompProfile, ProfileRuntimeDefault), PendingFix: pendingFix, @@ -172,7 +172,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi if !isSeccompEnabled(containerSeccompProfile) { return &kubeaudit.AuditResult{ Auditor: Name, - Name: SeccompDisabledContainer, + Rule: SeccompDisabledContainer, Severity: kubeaudit.Error, Message: fmt.Sprintf("Seccomp container annotation is set to %s which disables Seccomp. It should be set to the default profile %s or should start with %s.", containerSeccompProfile, ProfileRuntimeDefault, ProfileNamePrefix), PendingFix: pendingFix, diff --git a/example_custom_test.go b/example_custom_test.go index 44e7cefd..1c8a5a5c 100644 --- a/example_custom_test.go +++ b/example_custom_test.go @@ -29,7 +29,7 @@ type myAuditor struct{} func (a *myAuditor) Audit(resource k8s.Resource, _ []k8s.Resource) ([]*kubeaudit.AuditResult, error) { return []*kubeaudit.AuditResult{ { - Name: "MyAudit", + Rule: "MyAudit", Severity: kubeaudit.Error, Message: "My custom error", PendingFix: &myAuditorFix{ 
diff --git a/internal/sarif/sarif.go b/internal/sarif/sarif.go
index 14abd79b..71cb55cb 100644
--- a/internal/sarif/sarif.go
+++ b/internal/sarif/sarif.go
@@ -37,11 +37,12 @@ var AuditorNames = map[string]string{
 seccomp.Name: "Finds containers running without seccomp",
 }
 
-func CreateSarifReport() (*sarif.Report, *sarif.Run) {
+// CreateSarifReport creates a new sarif Report and Run or returns an error
+func CreateSarifReport() (*sarif.Report, *sarif.Run, error) {
 // create a new report object
 report, err := sarif.New(sarif.Version210)
 if err != nil {
- panic(err)
+ return nil, nil, err
 }
 
 // create a run for kubeaudit
@@ -49,7 +50,7 @@ func CreateSarifReport() (*sarif.Report, *sarif.Run) {
 
 report.AddRun(run)
 
- return report, run
+ return report, run, nil
 }
 
 func AddSarifRules(kubeauditReport *kubeaudit.Report, run *sarif.Run) {
@@ -62,16 +63,16 @@ func AddSarifRules(kubeauditReport *kubeaudit.Report, run *sarif.Run) {
 for _, result := range results {
 auditor := strings.ToLower(result.Auditor)
- ruleID := strings.ToLower(result.Name)
+ ruleID := strings.ToLower(result.Rule)
 var docsURL string
- // create a new rule for each rule id
+
 if strings.Contains(ruleID, auditor) {
 docsURL = "https://github.com/Shopify/kubeaudit/blob/main/docs/auditors/" + auditor + ".md"
 }
 helpMessage := fmt.Sprintf("**Type**: kubernetes\n**Docs**: %s\n**Description:** %s", docsURL, AuditorNames[auditor])
- run.AddRule(result.Name).
+ run.AddRule(result.Rule).
 WithName(result.Auditor).
 WithMarkdownHelp(helpMessage).
 WithProperties(sarif.Properties{
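Review bot: The error from `sarif.New` is returned bare at the new `return nil, nil, err`, so a caller that logs or prints it sees only the library's message with nothing tying it to report creation; wrap it, `return nil, nil, fmt.Errorf("creating sarif report: %w", err)` (`fmt` is already imported in this file, as the `fmt.Sprintf` call in AddSarifRules shows). The signature change is propagated only to sarif_test.go in this diff; if a non-test caller of CreateSarifReport exists elsewhere, such as the CLI output path, it must be updated as well, which I cannot confirm from here. The new doc comment could also state that a nil error guarantees both returned pointers are non-nil, since callers will dereference them without a further check.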
@@ -106,7 +107,7 @@ func AddSarifResult(kubeauditReport *kubeaudit.Report, run *sarif.Run) {
 location := sarif.NewPhysicalLocation().
 WithArtifactLocation(sarif.NewSimpleArtifactLocation(r.FilePath).WithUriBaseId("ROOTPATH")).
 WithRegion(sarif.NewRegion().WithStartLine(1))
- result := sarif.NewRuleResult(r.Name).
+ result := sarif.NewRuleResult(r.Rule).
 WithMessage(sarif.NewTextMessage(r.Message)).
 WithLevel(severityLevel).
 WithLocations([]*sarif.Location{sarif.NewLocation().WithPhysicalLocation(location)})
diff --git a/internal/sarif/sarif_test.go b/internal/sarif/sarif_test.go
index c22d41c0..07401d3e 100644
--- a/internal/sarif/sarif_test.go
+++ b/internal/sarif/sarif_test.go
@@ -13,7 +13,8 @@ import (
 )
 
 func TestCreateSarifReport(t *testing.T) {
- sarifReport, _ := CreateSarifReport()
+ sarifReport, _, err := CreateSarifReport()
+ require.NoError(t, err)
 require.Len(t, sarifReport.Runs, 1)
 assert.Equal(t, "https://github.com/Shopify/kubeaudit", *sarifReport.Runs[0].Tool.Driver.InformationURI)
 }
@@ -55,7 +56,9 @@ func TestAddSarifResultToReport(t *testing.T) {
 // verify that the file path is correct
 assert.Contains(t, kubeAuditReport.Results()[0].GetAuditResults()[0].FilePath, "sarif/fixtures")
 
- sarifReport, sarifRun := CreateSarifReport()
+ sarifReport, sarifRun, err := CreateSarifReport()
+
+ require.NoError(t, err)
 
 AddSarifRules(kubeAuditReport, sarifRun)
 
diff --git a/internal/test/test.go b/internal/test/test.go
index ecf86f6a..bf22435d 100644
--- a/internal/test/test.go
+++ b/internal/test/test.go
@@ -46,7 +46,7 @@ func AuditMultiple(t *testing.T, fixtureDir, fixture string, auditables []kubeau
 errors := make(map[string]bool)
 for _, result := range report.Results() {
 for _, auditResult := range result.GetAuditResults() {
- errors[auditResult.Name] = true
+ errors[auditResult.Rule] = true
 }
 }
 
diff --git a/pkg/override/override.go b/pkg/override/override.go
index ce099085..c1318d22 100644
--- a/pkg/override/override.go
+++ b/pkg/override/override.go
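Review bot: The stray blank line added between `sarifReport, sarifRun, err := CreateSarifReport()` and `require.NoError(t, err)` in TestAddSarifResultToReport separates the call from its error check, unlike the first hunk of this file where the two lines are adjacent; drop it so the pair reads as one unit. Since `sarifRun` is handed straight to `AddSarifRules` on the next visible line, a `require.NotNil(t, sarifRun)` after the error check would turn a nil run into a clear test failure rather than a panic deep inside AddSarifRules, although with the current implementation a nil error already implies a non-nil run, so this is defensive. The rest of TestAddSarifResultToReport lies outside the hunk.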
@@ -26,7 +26,7 @@ func GetOverriddenResultName(resultName string) string {
 // label because there are no security issues found, so the label is redundant
 func NewRedundantOverrideResult(containerName string, overrideReason, overrideLabel string) *kubeaudit.AuditResult {
 return &kubeaudit.AuditResult{
- Name: kubeaudit.RedundantAuditorOverride,
+ Rule: kubeaudit.RedundantAuditorOverride,
 Severity: kubeaudit.Warn,
 Message: "Auditor is disabled via label but there were no security issues found by the auditor. The label should be removed.",
 Metadata: kubeaudit.Metadata{
@@ -49,7 +49,7 @@ func ApplyOverride(auditResult *kubeaudit.AuditResult, containerName string, res
 return NewRedundantOverrideResult(containerName, overrideReason, overrideLabel)
 }
 
- auditResult.Name = GetOverriddenResultName(auditResult.Name)
+ auditResult.Rule = GetOverriddenResultName(auditResult.Rule)
 auditResult.PendingFix = nil
 auditResult.Severity = kubeaudit.Info
 auditResult.Message = "Audit result overridden: " + auditResult.Message
diff --git a/printer.go b/printer.go
index 437e656a..538276a0 100644
--- a/printer.go
+++ b/printer.go
@@ -109,7 +109,7 @@ func (p *Printer) prettyPrintReport(report *Report) {
 }
 p.print("-- ")
 p.printColor(severityColor, "["+auditResult.Severity.String()+"] ")
- p.print(auditResult.Name + "\n")
+ p.print(auditResult.Rule + "\n")
 p.print(" Message: " + auditResult.Message + "\n")
 if len(auditResult.Metadata) > 0 {
 p.print(" Metadata:\n")
@@ -166,7 +166,7 @@ func (p *Printer) getLogFieldsForResult(resource k8s.Resource, result *AuditResu
 objectMeta := k8s.GetObjectMeta(resource)
 
 fields := log.Fields{
- "AuditResultName": result.Name,
+ "AuditResultName": result.Rule,
 "ResourceKind": kind,
 "ResourceApiVersion": apiVersion,
 }
diff --git a/result.go b/result.go
index e769b3c1..dd941bb8 100644
--- a/result.go
+++ b/result.go
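Review bot: The log field key at `"AuditResultName": result.Rule,` in getLogFieldsForResult keeps the old vocabulary while the struct field is now `Rule`, which preserves the structured-log/JSON output contract for anyone parsing kubeaudit's output but will read as an oversight to the next maintainer who "fixes" it and silently breaks those consumers; add `// "AuditResultName" is kept as the emitted key for backward compatibility with consumers of the log output` above the line, assuming the retention is deliberate, which I cannot confirm from here. The same mismatch appears in override.go, where `GetOverriddenResultName(auditResult.Rule)` and its `resultName` parameter still speak of the old field; a short comment, or a follow-up rename of the helper, would keep the naming consistent. getLogFieldsForResult starts before this hunk.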
@@ -38,7 +38,7 @@ func (s SeverityLevel) String() string {
 // AuditResult represents a potential security issue. There may be multiple AuditResults per resource and audit
 type AuditResult struct {
 Auditor string // auditor name
- Name string // Name uniquely identifies a type of audit result
+ Rule string // Rule uniquely identifies a type of violation
 Severity SeverityLevel // Severity is one of Error, Warn, or Info
 Message string // Message is a human-readable description of the audit result
 PendingFix PendingFix // PendingFix is the fix that will be applied to automatically fix the security issue
diff --git a/util_test.go b/util_test.go
index bce54c8d..2a3b46fc 100644
--- a/util_test.go
+++ b/util_test.go
@@ -56,7 +56,7 @@ func TestPrintResults(t *testing.T) {
 
 func newTestAuditResult(severity SeverityLevel) *AuditResult {
 return &AuditResult{
- Name: "MyAuditResult",
+ Rule: "MyAuditResult",
 Severity: severity,
 Metadata: Metadata{"Foo": "bar"},
 }
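Review bot: Renaming the exported field `Name` to `Rule` on `AuditResult` is a breaking API change for library users who implement custom auditors (example_custom_test.go in this same diff shows exactly that pattern, constructing an `AuditResult` literal field by field), and nothing in the diff records it; the field comment and the changelog should carry a migration note rather than leaving downstream builds to discover it. The new wording `Rule uniquely identifies a type of violation` is also slightly off, because results such as `ImageCorrect` with severity Info and the overridden-result names produced by `override.GetOverriddenResultName` are not violations; `// Rule uniquely identifies the check that produced this result (formerly Name)` would be accurate and would also document the rename in place. The struct definition continues outside the hunk.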