Jump to Content
Docs
Recipes
API Reference
Changelog
Home
GitHub
Sign Up
Docs
Home
GitHub
Sign Up
Moon (Dark Mode)
Sun (Light Mode)
Docs
Recipes
API Reference
Changelog
Nexus
Search
Get started
Welcome to ARMO Platform
Getting started
Installation
Connect your Kubernetes cluster
Installation troubleshooting
Adjusting resource usage for your cluster
Permissions required
Configuring cloud providers
Amazon Elastic Kubernetes Service integration
Azure Kubernetes Service integration
Google Cloud Services integration
Egress and Ingress communication for firewalls
navigate armo platform
Navigating ARMO Platform
Security Risks
Attack Path
Kubernetes Compliance
Cloud Compliance
Smart Remediation
Vulnerabilities Management
Workloads View
CVEs View
Images View
SBOM View
Vulnerabilities In Use
Risk Spotlight
RBAC Insights
Network Policy
Seccomp Profile
Repository Scanning
Registry Scanning
Threat Detection
Risk Acceptance
Security Risks
Vulnerabilities
Compliance
Runtime Incidents
Accept Risk from the CLI
Workflows
Customize your scans
Customize your scans
Frameworks
Creating a custom framework
Review Controls
Controls
C-0001 - Forbidden Container Registries
C-0002 - Prevent containers from allowing command execution
C-0004 - Resources memory limit and request
C-0005 - API server insecure port is enabled
C-0007 - Roles with delete capabilities
C-0009 - Resource limits
C-0012 - Applications credentials in configuration files
C-0013 - Non-root containers
C-0014 - Access Kubernetes dashboard
C-0015 - List Kubernetes secrets
C-0016 - Allow privilege escalation
C-0017 - Immutable container filesystem
C-0018 - Configured readiness probe
C-0020 - Mount service principal
C-0021 - Exposed sensitive interfaces
C-0026 - Kubernetes CronJob
C-0030 - Ingress and Egress blocked
C-0031 - Delete Kubernetes events
C-0034 - Automatic mapping of service account
C-0035 - Administrative Roles
C-0036 - Validate admission controller (validating)
C-0037 - CoreDNS poisoning
C-0038 - Host PID/IPC privileges
C-0039 - Validate admission controller (mutating)
C-0041 - HostNetwork access
C-0042 - SSH server running inside container
C-0044 - Container hostPort
C-0045 - Writable hostPath mount
C-0046 - Insecure capabilities
C-0048 - HostPath mount
C-0049 - Network mapping
C-0050 - Resources CPU limit and request
C-0052 - Instance Metadata API
C-0053 - Access container service account
C-0054 - Cluster internal networking
C-0055 - Linux hardening
C-0056 - Configured liveness probe
C-0057 - Privileged container
C-0058 - CVE-2021-25741 - Using symlink for arbitrary host file system access.
C-0059 - CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability
C-0061 - Pods in default namespace
C-0062 - Sudo in container entrypoint
C-0063 - Portforwarding privileges
C-0065 - No impersonation
C-0066 - Secret/etcd encryption enabled
C-0067 - Audit logs enabled
C-0068 - PSP enabled
C-0069 - Disable anonymous access to Kubelet service
C-0070 - Enforce Kubelet client TLS authentication
C-0073 - Naked pods
C-0074 - Container runtime socket mounted
C-0075 - Image pull policy on latest tag
C-0076 - Label usage for resources
C-0077 - K8s common labels usage
C-0078 - Images from allowed registry
C-0079 - CVE-2022-0185-linux-kernel-container-escape
C-0081 - CVE-2022-24348-argocddirtraversal
C-0083 - Workloads with Critical vulnerabilities exposed to external traffic
C-0084 - Workloads with RCE vulnerabilities exposed to external traffic
C-0085 - Workloads with excessive amount of vulnerabilities
C-0087 - CVE-2022-23648-containerd-fs-escape
C-0088 - RBAC enabled
C-0089 - CVE-2022-3172-aggregated-API-server-redirect
C-0090 - CVE-2022-39328-grafana-auth-bypass
C-0091 - CVE-2022-47633-kyverno-signature-bypass
C-0092 - Ensure that the API server pod specification file permissions are set to 600 or more restrictive
C-0093 - Ensure that the API server pod specification file ownership is set to root:root
C-0094 - Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive
C-0095 - Ensure that the controller manager pod specification file ownership is set to root:root
C-0096 - Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive
C-0097 - Ensure that the scheduler pod specification file ownership is set to root:root
C-0098 - Ensure that the etcd pod specification file permissions are set to 600 or more restrictive
C-0099 - Ensure that the etcd pod specification file ownership is set to root:root
C-0100 - Ensure that the Container Network Interface file permissions are set to 600 or more restrictive
C-0101 - Ensure that the Container Network Interface file ownership is set to root:root
C-0102 - Ensure that the etcd data directory permissions are set to 700 or more restrictive
C-0103 - Ensure that the etcd data directory ownership is set to etcd:etcd
C-0104 - Ensure that the admin.conf file permissions are set to 600
C-0105 - Ensure that the admin.conf file ownership is set to root:root
C-0106 - Ensure that the scheduler.conf file permissions are set to 600 or more restrictive
C-0107 - Ensure that the scheduler.conf file ownership is set to root:root
C-0108 - Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive
C-0109 - Ensure that the controller-manager.conf file ownership is set to root:root
C-0110 - Ensure that the Kubernetes PKI directory and file ownership is set to root:root
C-0111 - Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive
C-0112 - Ensure that the Kubernetes PKI key file permissions are set to 600
C-0113 - Ensure that the API Server --anonymous-auth argument is set to false
C-0114 - Ensure that the API Server --token-auth-file parameter is not set
C-0115 - Ensure that the API Server --DenyServiceExternalIPs is not set
C-0116 - Ensure that the API Server --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate
C-0117 - Ensure that the API Server --kubelet-certificate-authority argument is set as appropriate
C-0118 - Ensure that the API Server --authorization-mode argument is not set to AlwaysAllow
C-0119 - Ensure that the API Server --authorization-mode argument includes Node
C-0120 - Ensure that the API Server --authorization-mode argument includes RBAC
C-0121 - Ensure that the admission control plugin EventRateLimit is set
C-0122 - Ensure that the admission control plugin AlwaysAdmit is not set
C-0123 - Ensure that the admission control plugin AlwaysPullImages is set
C-0124 - Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used
C-0125 - Ensure that the admission control plugin ServiceAccount is set
C-0126 - Ensure that the admission control plugin NamespaceLifecycle is set
C-0127 - Ensure that the admission control plugin NodeRestriction is set
C-0128 - Ensure that the API Server --secure-port argument is not set to 0
C-0129 - Ensure that the API Server --profiling argument is set to false
C-0130 - Ensure that the API Server --audit-log-path argument is set
C-0131 - Ensure that the API Server --audit-log-maxage argument is set to 30 or as appropriate
C-0132 - Ensure that the API Server --audit-log-maxbackup argument is set to 10 or as appropriate
C-0133 - Ensure that the API Server --audit-log-maxsize argument is set to 100 or as appropriate
C-0134 - Ensure that the API Server --request-timeout argument is set as appropriate
C-0135 - Ensure that the API Server --service-account-lookup argument is set to true
C-0136 - Ensure that the API Server --service-account-key-file argument is set as appropriate
C-0137 - Ensure that the API Server --etcd-certfile and --etcd-keyfile arguments are set as appropriate
C-0138 - Ensure that the API Server --tls-cert-file and --tls-private-key-file arguments are set as appropriate
C-0139 - Ensure that the API Server --client-ca-file argument is set as appropriate
C-0140 - Ensure that the API Server --etcd-cafile argument is set as appropriate
C-0141 - Ensure that the API Server --encryption-provider-config argument is set as appropriate
C-0142 - Ensure that encryption providers are appropriately configured
C-0143 - Ensure that the API Server only makes use of Strong Cryptographic Ciphers
C-0144 - Ensure that the Controller Manager --terminated-pod-gc-threshold argument is set as appropriate
C-0145 - Ensure that the Controller Manager --profiling argument is set to false
C-0146 - Ensure that the Controller Manager --use-service-account-credentials argument is set to true
C-0147 - Ensure that the Controller Manager --service-account-private-key-file argument is set as appropriate
C-0148 - Ensure that the Controller Manager --root-ca-file argument is set as appropriate
C-0149 - Ensure that the Controller Manager RotateKubeletServerCertificate argument is set to true
C-0150 - Ensure that the Controller Manager --bind-address argument is set to 127.0.0.1
C-0151 - Ensure that the Scheduler --profiling argument is set to false
C-0152 - Ensure that the Scheduler --bind-address argument is set to 127.0.0.1
C-0153 - Ensure that the --cert-file and --key-file arguments are set as appropriate
C-0154 - Ensure that the --client-cert-auth argument is set to true
C-0155 - Ensure that the --auto-tls argument is not set to true
C-0156 - Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate
C-0157 - Ensure that the --peer-client-cert-auth argument is set to true
C-0158 - Ensure that the --peer-auto-tls argument is not set to true
C-0159 - Ensure that a unique Certificate Authority is used for etcd
C-0160 - Ensure that a minimal audit policy is created
C-0161 - Ensure that the audit policy covers key security concerns
C-0162 - Ensure that the kubelet service file permissions are set to 600 or more restrictive
C-0163 - Ensure that the kubelet service file ownership is set to root:root
C-0164 - If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive
C-0165 - If proxy kubeconfig file exists ensure ownership is set to root:root
C-0166 - Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive
C-0167 - Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root
C-0168 - Ensure that the certificate authorities file permissions are set to 600 or more restrictive
C-0169 - Ensure that the client certificate authorities file ownership is set to root:root
C-0170 - If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive
C-0171 - If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root
C-0172 - Ensure that the --anonymous-auth argument is set to false
C-0173 - Ensure that the --authorization-mode argument is not set to AlwaysAllow
C-0174 - Ensure that the --client-ca-file argument is set as appropriate
C-0175 - Verify that the --read-only-port argument is set to 0
C-0176 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0
C-0177 - Ensure that the --protect-kernel-defaults argument is set to true
C-0178 - Ensure that the --make-iptables-util-chains argument is set to true
C-0179 - Ensure that the --hostname-override argument is not set
C-0180 - Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture
C-0181 - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate
C-0182 - Ensure that the --rotate-certificates argument is not set to false
C-0183 - Verify that the RotateKubeletServerCertificate argument is set to true
C-0184 - Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
C-0185 - Ensure that the cluster-admin role is only used where required
C-0186 - Minimize access to secrets
C-0187 - Minimize wildcard use in Roles and ClusterRoles
C-0188 - Minimize access to create pods
C-0189 - Ensure that default service accounts are not actively used
C-0190 - Ensure that Service Account Tokens are only mounted where necessary
C-0191 - Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster
C-0192 - Ensure that the cluster has at least one active policy control mechanism in place
C-0193 - Minimize the admission of privileged containers
C-0194 - Minimize the admission of containers wishing to share the host process ID namespace
C-0195 - Minimize the admission of containers wishing to share the host IPC namespace
C-0196 - Minimize the admission of containers wishing to share the host network namespace
C-0197 - Minimize the admission of containers with allowPrivilegeEscalation
C-0198 - Minimize the admission of root containers
C-0199 - Minimize the admission of containers with the NET_RAW capability
C-0200 - Minimize the admission of containers with added capabilities
C-0201 - Minimize the admission of containers with capabilities assigned
C-0202 - Minimize the admission of Windows HostProcess Containers
C-0203 - Minimize the admission of HostPath volumes
C-0204 - Minimize the admission of containers which use HostPorts
C-0205 - Ensure that the CNI in use supports Network Policies
C-0206 - Ensure that all Namespaces have Network Policies defined
C-0207 - Prefer using secrets as files over secrets as environment variables
C-0208 - Consider external secret storage
C-0209 - Create administrative boundaries between resources using namespaces
C-0210 - Ensure that the seccomp profile is set to docker/default in your pod definitions
C-0211 - Apply Security Context to Your Pods and Containers
C-0212 - The default namespace should not be used
C-0213 - Minimize the admission of privileged containers
C-0214 - Minimize the admission of containers wishing to share the host process ID namespace
C-0215 - Minimize the admission of containers wishing to share the host IPC namespace
C-0216 - Minimize the admission of containers wishing to share the host network namespace
C-0217 - Minimize the admission of containers with allowPrivilegeEscalation
C-0218 - Minimize the admission of root containers
C-0219 - Minimize the admission of containers with added capabilities
C-0220 - Minimize the admission of containers with capabilities assigned
C-0221 - Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider
C-0222 - Minimize user access to Amazon ECR
C-0223 - Minimize cluster access to read-only for Amazon ECR
C-0225 - Prefer using dedicated EKS Service Accounts
C-0226 - Prefer using a container-optimized OS when possible
C-0227 - Restrict Access to the Control Plane Endpoint
C-0228 - Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled
C-0229 - Ensure clusters are created with Private Nodes
C-0230 - Ensure Network Policy is Enabled and set as appropriate
C-0231 - Encrypt traffic to HTTPS load balancers with TLS certificates
C-0232 - Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes or Upgrade to AWS CLI v1.16.156
C-0233 - Consider Fargate for running untrusted workloads
C-0234 - Consider external secret storage
C-0235 - Ensure that the kubelet configuration file has permissions set to 644 or more restrictive
C-0236 - Verify image signature
C-0237 - Check if signature exists
C-0238 - Ensure that the kubeconfig file permissions are set to 644 or more restrictive
C-0239 - Prefer using dedicated AKS Service Accounts
C-0240 - Ensure Network Policy is Enabled and set as appropriate
C-0241 - Use Azure RBAC for Kubernetes Authorization.
C-0242 - Hostile multi-tenant workloads
C-0243 - Ensure Image Vulnerability Scanning using Azure Defender image scanning or a third party provider
C-0244 - Ensure Kubernetes Secrets are encrypted
C-0245 - Encrypt traffic to HTTPS load balancers with TLS certificates
C-0246 - Avoid use of system:masters group
C-0247 - Restrict Access to the Control Plane Endpoint
C-0248 - Ensure clusters are created with Private Nodes
C-0249 - Restrict untrusted workloads
C-0250 - Minimize cluster access to read-only for Azure Container Registry (ACR)
C-0251 - Minimize user access to Azure Container Registry (ACR)
C-0252 - Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled
C-0253 - Deprecated Kubernetes image registry
C-0254 - Enable audit Logs
C-0255 - Workload with secret access
C-0256 - External facing
C-0257 - Workload with PVC access
C-0258 - Workload with ConfigMap access
C-0259 - Workload with credential access
C-0260 - Missing network policy
C-0261 - ServiceAccount token mounted
C-0262 - Anonymous user has RoleBinding
C-0263 - Ingress uses TLS
C-0264 - PersistentVolume without encyption
C-0265 - system:authenticated user has elevated roles
C-0266 - Exposure to internet via Gateway API or Istio Ingress
C-0267 - Workload with cluster takeover roles
C-0268 - Ensure CPU requests are set
C-0269 - Ensure memory requests are set
C-0270 - Ensure CPU limits are set
C-0271 - Ensure memory limits are set
C-0272 - Workload with administrative roles
C-0273 - Outdated Kubernetes version
C-0274 - Verify Authenticated Service
Creating your own controls
Customize control configurations
Parameter: cpu_limit_max
Parameter: cpu_limit_min
Parameter: cpu_request_max
Parameter: cpu_request_min
Parameter: imageRepositoryAllowList
Parameter: insecureCapabilities
Parameter: k8sRecommendedLabels
Parameter: listOfDangerousArtifcats
Parameter: max_critical_vulnerabilities
Parameter: max_high_vulnerabilities
Parameter: memory_limit_max
Parameter: memory_limit_min
Parameter: memory_request_max
Parameter: memory_request_min
Parameter: publicRegistries
Parameter: recommendedLabels
Parameter: sensitiveInterfaces
Parameter: sensitiveKeyNames
Parameter: sensitiveKeyNamesAllowed
Parameter: sensitiveValues
Parameter: sensitiveValuesAllowed
Parameter: trustedCosignPublicKeys
Parameter: untrustedRegistries
Parameter: servicesNames
Integrations
Integrations
Alerting
Email Notifications
Microsoft Teams
Slack
PagerDuty
Ticketing
Jira
GitHub Issues
Container Registries
Elastic Container Registry
Google Artifact Registry
Azure Container Registry
Harbor
Quay.io
Nexus
CI/CD pipelines
Integrating with Jenkins CI/CD
Integrating with CircleCI workflows
Integrating with GitLab CI/CD
Integrating with GitHub Actions
Integrating with Argo CD
Integrating with Azure DevOps pipeline
Monitoring software
Prometheus Exporter
IDE plugins
Scanning files with the Visual Studio Code extension
Scanning clusters within Kubernetes Lens
Integrating with Plural
troubleshooting
Limitations
Scan your environment
Scanning clusters
Scanning code repositories
Scanning registries
references
Finding your account ID
Scanning your hosts
Managing your account
Running a command-line scan
Usage and examples
Options
Access Kubescape's interactive OpenAPI
Scan status
Powered by
Nexus
Suggest Edits
Updated 15 days ago