C-0259 - Workload with credential access
Framework
security
Severity
High
Description of the the issue
This control checks if workloads specifications have sensitive information in their environment variables.Note, this control is configurable. See below the details.
Related resources
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
What does this control test
Check if the workload has sensitive information in environment variables, by using list of known sensitive key names.
Remediation
Use Kubernetes secrets or Key Management Systems to store credentials.
Configuration
This control can be configured using the following parameters. Read CLI/UI documentation about how to change parameters.
Sensitive Values
sensitiveValues
Strings that identify a value that Kubescape believes should be stored in a Secret, and not in a ConfigMap or an environment variable.
Allowed Values
sensitiveValuesAllowed
Reduce false positives with known values.
Sensitive Keys
sensitiveKeyNames
Key names that identify a potential value that should be stored in a Secret, and not in a ConfigMap or an environment variable.
Allowed Keys
sensitiveKeyNamesAllowed
Reduce false positives with known key names.
Example
No example
Updated about 1 month ago