606 pod(s) mount host filesystem paths. A compromised container could traverse the host filesystem.
Affected Resources
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-65442 mounts hostPath=/
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-7995w mounts hostPath=/
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-f9pqb mounts hostPath=/
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-fkq8r mounts hostPath=/
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-h4dnq mounts hostPath=/
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-j7xgg mounts hostPath=/
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-kc76c mounts hostPath=/
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-krs67 mounts hostPath=/
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-v68cj mounts hostPath=/
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-whdsf mounts hostPath=/
- falco/test-falco-4ttzt mounts hostPath=/var/run/docker.sock
- falco/test-falco-4ttzt mounts hostPath=/run/podman/podman.sock
- falco/test-falco-4ttzt mounts hostPath=/run/host-containerd/containerd.sock
- falco/test-falco-4ttzt mounts hostPath=/run/containerd/containerd.sock
- falco/test-falco-4ttzt mounts hostPath=/run/crio/crio.sock
- falco/test-falco-4ttzt mounts hostPath=/run/k3s/containerd/containerd.sock
- falco/test-falco-4ttzt mounts hostPath=/boot
- falco/test-falco-4ttzt mounts hostPath=/lib/modules
- falco/test-falco-4ttzt mounts hostPath=/usr
- falco/test-falco-4ttzt mounts hostPath=/etc
- falco/test-falco-4ttzt mounts hostPath=/dev
- falco/test-falco-4ttzt mounts hostPath=/sys/module
- falco/test-falco-4ttzt mounts hostPath=/sys/kernel
- falco/test-falco-4ttzt mounts hostPath=/proc
- falco/test-falco-5sbff mounts hostPath=/var/run/docker.sock
- falco/test-falco-5sbff mounts hostPath=/run/podman/podman.sock
- falco/test-falco-5sbff mounts hostPath=/run/host-containerd/containerd.sock
- falco/test-falco-5sbff mounts hostPath=/run/containerd/containerd.sock
- falco/test-falco-5sbff mounts hostPath=/run/crio/crio.sock
- falco/test-falco-5sbff mounts hostPath=/run/k3s/containerd/containerd.sock
5 ClusterRole(s) grant pods/exec or pods/attach create access, enabling code injection into running containers.
Affected Resources
- ClusterRole/admin
- ClusterRole/cnpg-manager
- ClusterRole/cnpg-operator-cloudnative-pg
- ClusterRole/edit
- ClusterRole/system:aggregate-to-edit
9 container(s) have sensitive-looking values in plain-text env vars (not using secretKeyRef).
Affected Resources
- splunk/splunk-cm-test-cluster-manager-0/splunk env=SPLUNK_DECLARATIVE_ADMIN_PASSWORD
- splunk/splunk-idxc-test-indexer-0/splunk env=SPLUNK_DECLARATIVE_ADMIN_PASSWORD
- splunk/splunk-idxc-test-indexer-1/splunk env=SPLUNK_DECLARATIVE_ADMIN_PASSWORD
- splunk/splunk-idxc-test-indexer-2/splunk env=SPLUNK_DECLARATIVE_ADMIN_PASSWORD
- splunk/splunk-mc-test-monitoring-console-0/splunk env=SPLUNK_DECLARATIVE_ADMIN_PASSWORD
- splunk/splunk-shc-test-deployer-0/splunk env=SPLUNK_DECLARATIVE_ADMIN_PASSWORD
- splunk/splunk-shc-test-search-head-0/splunk env=SPLUNK_DECLARATIVE_ADMIN_PASSWORD
- splunk/splunk-shc-test-search-head-1/splunk env=SPLUNK_DECLARATIVE_ADMIN_PASSWORD
- splunk/splunk-shc-test-search-head-2/splunk env=SPLUNK_DECLARATIVE_ADMIN_PASSWORD
9 ingress(es) expose web applications without WAF annotations (ModSecurity/OWASP CRS). XSS attacks against exposed web apps are not mitigated at the ingress layer.
Affected Resources
- argo-cd/argo-cd-argocd-server
- burpsuite/bsee-ingress
- nats/test-nats-ui-nui
- nats/test-nats-ws
- owasp-scanner/owasp-scanner
- pgadmin4/test-pgadmin4
- splunk/shc-test-ingress
- tenable-enclave/test-tenable-enclave-tes-operator
- vector-aggregator/test-vector-aggregator
83 container(s) run without readOnlyRootFilesystem AND runAsNonRoot. If command injection is exploited, attackers gain writable root filesystem access as root user.
Affected Resources
- burpsuite/test-burpsuite-enterprise-server-58c8584545-qdhf5/enterprise-server
- burpsuite/test-burpsuite-web-server-8464668497-kp4m4/web-server
- burpsuite/ubuntu-change-pvc-permissions-6l62k/ubuntu
- default/httpbin-56c54d77b8-9cd8d/httpbin
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-65442/debugger
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-7995w/debugger
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-f9pqb/debugger
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-fkq8r/debugger
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-h4dnq/debugger
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-j7xgg/debugger
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-kc76c/debugger
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-krs67/debugger
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-v68cj/debugger
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-whdsf/debugger
- falco/test-falco-4ttzt/falco
- falco/test-falco-4ttzt/falcoctl-artifact-follow
- falco/test-falco-5sbff/falco
- falco/test-falco-5sbff/falcoctl-artifact-follow
- falco/test-falco-bw6sg/falco
- falco/test-falco-bw6sg/falcoctl-artifact-follow
- falco/test-falco-fm42l/falco
- falco/test-falco-fm42l/falcoctl-artifact-follow
- falco/test-falco-hd8g7/falco
- falco/test-falco-hd8g7/falcoctl-artifact-follow
- falco/test-falco-k8p25/falco
- falco/test-falco-k8p25/falcoctl-artifact-follow
- falco/test-falco-mblws/falco
- falco/test-falco-mblws/falcoctl-artifact-follow
- falco/test-falco-mq8vw/falco
- falco/test-falco-mq8vw/falcoctl-artifact-follow
7 ingress(es) have no external authentication configured (auth-url, auth-signin, etc).
Affected Resources
- argo-cd/argo-cd-argocd-server (argo.never-security.sms.dev.sci.scs.sap)
- burpsuite/bsee-ingress (burpsuite.never-security.sms.dev.sci.scs.sap)
- nats/test-nats-ws (nats.never-security.sms.dev.sci.scs.sap)
- owasp-scanner/owasp-scanner (owasp-scanner.never-security.sms.dev.sci.scs.sap)
- pgadmin4/test-pgadmin4 (pgadmin4.never-security.sms.dev.sci.scs.sap)
- splunk/shc-test-ingress (splunk.never-security.sms.dev.sci.scs.sap)
- tenable-enclave/test-tenable-enclave-tes-operator (tenable-enclave.never-security.sms.dev.sci.scs.sap)
Only 1 NetworkPolicy(ies) across 29 namespaces. Pods can reach cloud metadata endpoints (169.254.169.254) and internal services, enabling SSRF attacks.
84 container(s) have no resource limits. A runaway process could exhaust node resources (Denial of Service).
Affected Resources
- argo-cd/argo-cd-argocd-dex-server-57589b5c8b-mzjn2/dex-server
- argo-cd/argo-cd-redis-ha-haproxy-5fd56f647d-5dxdb/haproxy
- argo-cd/argo-cd-redis-ha-haproxy-5fd56f647d-8fsl8/haproxy
- argo-cd/argo-cd-redis-ha-haproxy-5fd56f647d-czddh/haproxy
- argo-cd/argo-cd-redis-ha-server-0/split-brain-fix
- argo-cd/argo-cd-redis-ha-server-0/redis-exporter
- argo-cd/argo-cd-redis-ha-server-1/split-brain-fix
- argo-cd/argo-cd-redis-ha-server-1/redis-exporter
- argo-cd/argo-cd-redis-ha-server-2/split-brain-fix
- argo-cd/argo-cd-redis-ha-server-2/redis-exporter
- cert-manager/cert-manager-cainjector-cf4f94f8c-vjf64/cert-manager-cainjector
- cert-manager/cert-manager-cd6c7c6b9-k6w8l/cert-manager-controller
- cert-manager/cert-manager-webhook-6d78ddb474-vzlwx/cert-manager-webhook
- cert-manager/trust-manager-86c84f6d48-jvqm8/trust-manager
- cnpg/cnpg-operator-cloudnative-pg-58c485df56-jjlx9/manager
- default/httpbin-56c54d77b8-9cd8d/httpbin
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-65442/debugger
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-7995w/debugger
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-f9pqb/debugger
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-fkq8r/debugger
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-h4dnq/debugger
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-j7xgg/debugger
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-kc76c/debugger
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-krs67/debugger
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-v68cj/debugger
- default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-whdsf/debugger
- external-dns/external-dns-5bf4f5dfb5-swdlz/external-dns
- falco/test-falco-4ttzt/falcoctl-artifact-follow
- falco/test-falco-5sbff/falcoctl-artifact-follow
- falco/test-falco-bw6sg/falcoctl-artifact-follow
112 pod(s) automount service account tokens. Compromised pods can use the token to impersonate the SA and bypass authorization via the user-controlled token.
Affected Resources
- (112 pods — list truncated)
XSS, SQL Injection, and CSRF are primarily application-code vulnerabilities. Mitigation: Use WAFs at the ingress layer, keep container images updated, run vulnerability scanners on application code.
Out-of-bounds Write/Read, Use After Free, Buffer Overflows, and NULL Pointer Dereference are binary-level vulnerabilities. Mitigation: Use container image vulnerability scanners (Trivy, Grype) to detect known CVEs in base images. Apply readOnlyRootFilesystem and drop all capabilities to limit exploit impact.
Applies to web applications allowing file uploads. Mitigation: readOnlyRootFilesystem, ephemeral container storage, and network policies limit post-exploitation impact.
Trivy Operator may not be running active image scans. Deploy trivy-operator to detect CWE-related CVEs in images.
All database services use ClusterIP (internal only).