Merge remote-tracking branch 'origin/main' into test/bad-examples

ed32318
Draft

DEMO (do not merge): intentionally insecure examples #1

GitHub Advanced Security / Trivy failed Aug 11, 2025 in 2s

21 new alerts including 5 high severity security vulnerabilities

New alerts in code changed by this pull request

Security Alerts:

  • 5 high
  • 5 medium
  • 11 low

See annotations below for details.

Annotations

Check failure on line 1 in examples/Dockerfile.bad

Code scanning / Trivy: Image user should not be 'root' (High)

Artifact: examples/Dockerfile.bad
Type: dockerfile
Vulnerability: DS002
Severity: HIGH
Message: Specify at least 1 USER command in Dockerfile with non-root user as argument
Link: DS002

Check notice on line 1 in examples/Dockerfile.bad

Code scanning / Trivy: No HEALTHCHECK defined (Low)

Artifact: examples/Dockerfile.bad
Type: dockerfile
Vulnerability: DS026
Severity: LOW
Message: Add HEALTHCHECK instruction in your Dockerfile
Link: DS026

Check warning on line 2 in examples/Dockerfile.bad

Code scanning / Trivy: ':latest' tag used (Medium)

Artifact: examples/Dockerfile.bad
Type: dockerfile
Vulnerability: DS001
Severity: MEDIUM
Message: Specify a tag in the 'FROM' statement for image 'node'
Link: DS001

Check failure on line 3 in examples/Dockerfile.bad

Code scanning / Trivy: 'apt-get' missing '--no-install-recommends' (High)

Artifact: examples/Dockerfile.bad
Type: dockerfile
Vulnerability: DS029
Severity: HIGH
Message: '--no-install-recommends' flag is missed: 'apt-get update && apt-get install -y curl'
Link: DS029

Check warning on line 1 in examples/pod-insecure.yaml

Code scanning / Trivy: Seccomp policies disabled (Medium)

Artifact: examples/pod-insecure.yaml
Type: kubernetes
Vulnerability: KSV104
Severity: MEDIUM
Message: container "app" of pod "insecure-pod" in "default" namespace should specify a seccomp profile
Link: KSV104

Check failure on line 14 in examples/pod-insecure.yaml

Code scanning / Trivy: Access to host network (High)

Artifact: examples/pod-insecure.yaml
Type: kubernetes
Vulnerability: KSV009
Severity: HIGH
Message: Pod 'insecure-pod' should not set 'spec.template.spec.hostNetwork' to true
Link: KSV009

Check warning on line 14 in examples/pod-insecure.yaml

Code scanning / Trivy: Can elevate its own privileges (Medium)

Artifact: examples/pod-insecure.yaml
Type: kubernetes
Vulnerability: KSV001
Severity: MEDIUM
Message: Container 'app' of Pod 'insecure-pod' should set 'securityContext.allowPrivilegeEscalation' to false
Link: KSV001

Check notice on line 14 in examples/pod-insecure.yaml

Code scanning / Trivy: Default capabilities: some containers do not drop all (Low)

Artifact: examples/pod-insecure.yaml
Type: kubernetes
Vulnerability: KSV003
Severity: LOW
Message: Container 'app' of Pod 'insecure-pod' should add 'ALL' to 'securityContext.capabilities.drop'
Link: KSV003

Check notice on line 14 in examples/pod-insecure.yaml

Code scanning / Trivy: CPU not limited (Low)

Artifact: examples/pod-insecure.yaml
Type: kubernetes
Vulnerability: KSV011
Severity: LOW
Message: Container 'app' of Pod 'insecure-pod' should set 'resources.limits.cpu'
Link: KSV011

Check warning on line 14 in examples/pod-insecure.yaml

Code scanning / Trivy: Runs as root user (Medium)

Artifact: examples/pod-insecure.yaml
Type: kubernetes
Vulnerability: KSV012
Severity: MEDIUM
Message: Container 'app' of Pod 'insecure-pod' should set 'securityContext.runAsNonRoot' to true
Link: KSV012

Check warning on line 14 in examples/pod-insecure.yaml

Code scanning / Trivy: Image tag ":latest" used (Medium)

Artifact: examples/pod-insecure.yaml
Type: kubernetes
Vulnerability: KSV013
Severity: MEDIUM
Message: Container 'app' of Pod 'insecure-pod' should specify an image tag
Link: KSV013

Check failure on line 14 in examples/pod-insecure.yaml

Code scanning / Trivy: Root file system is not read-only (High)

Artifact: examples/pod-insecure.yaml
Type: kubernetes
Vulnerability: KSV014
Severity: HIGH
Message: Container 'app' of Pod 'insecure-pod' should set 'securityContext.readOnlyRootFilesystem' to true
Link: KSV014

Check notice on line 14 in examples/pod-insecure.yaml

Code scanning / Trivy: CPU requests not specified (Low)

Artifact: examples/pod-insecure.yaml
Type: kubernetes
Vulnerability: KSV015
Severity: LOW
Message: Container 'app' of Pod 'insecure-pod' should set 'resources.requests.cpu'
Link: KSV015

Check notice on line 14 in examples/pod-insecure.yaml

Code scanning / Trivy: Memory requests not specified (Low)

Artifact: examples/pod-insecure.yaml
Type: kubernetes
Vulnerability: KSV016
Severity: LOW
Message: Container 'app' of Pod 'insecure-pod' should set 'resources.requests.memory'
Link: KSV016

Check failure on line 14 in examples/pod-insecure.yaml

Code scanning / Trivy: Privileged (High)

Artifact: examples/pod-insecure.yaml
Type: kubernetes
Vulnerability: KSV017
Severity: HIGH
Message: Container 'app' of Pod 'insecure-pod' should set 'securityContext.privileged' to false
Link: KSV017

Check notice on line 14 in examples/pod-insecure.yaml

Code scanning / Trivy: Memory not limited (Low)

Artifact: examples/pod-insecure.yaml
Type: kubernetes
Vulnerability: KSV018
Severity: LOW
Message: Container 'app' of Pod 'insecure-pod' should set 'resources.limits.memory'
Link: KSV018

Check notice on line 14 in examples/pod-insecure.yaml

Code scanning / Trivy: Runs with UID <= 10000 (Low)

Artifact: examples/pod-insecure.yaml
Type: kubernetes
Vulnerability: KSV020
Severity: LOW
Message: Container 'app' of Pod 'insecure-pod' should set 'securityContext.runAsUser' > 10000
Link: KSV020

Check notice on line 14 in examples/pod-insecure.yaml

Code scanning / Trivy: Runs with GID <= 10000 (Low)

Artifact: examples/pod-insecure.yaml
Type: kubernetes
Vulnerability: KSV021
Severity: LOW
Message: Container 'app' of Pod 'insecure-pod' should set 'securityContext.runAsGroup' > 10000
Link: KSV021

Check notice on line 14 in examples/pod-insecure.yaml

Code scanning / Trivy: Runtime/Default Seccomp profile not set (Low)

Artifact: examples/pod-insecure.yaml
Type: kubernetes
Vulnerability: KSV030
Severity: LOW
Message: Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'
Link: KSV030

Check notice on line 14 in examples/pod-insecure.yaml

Code scanning / Trivy: Container capabilities must only include NET_BIND_SERVICE (Low)

Artifact: examples/pod-insecure.yaml
Type: kubernetes
Vulnerability: KSV106
Severity: LOW
Message: container should drop all
Link: KSV106

Check notice on line 14 in examples/pod-insecure.yaml

Code scanning / Trivy: Containers must not set runAsUser to 0 (Low)

Artifact: examples/pod-insecure.yaml
Type: kubernetes
Vulnerability: KSV105
Severity: LOW
Message: securityContext.runAsUser should be set to a value greater than 0
Link: KSV105