├── .gitattributes ├── .github ├── ISSUE_TEMPLATE │ ├── bug_report.md │ └── feature_request.md ├── PULL_REQUEST_TEMPLATE.md ├── sync.yml └── workflows │ ├── create-release-v2.yaml │ ├── ks-check.yaml │ ├── pr-comments.yaml │ ├── pr-tests.yaml │ ├── push-releasedev-updates.yaml │ ├── scorecard.yml │ └── sync.yml ├── .gitignore ├── .gitmodules ├── .golangci.yml ├── ADOPTERS.md ├── CODE_OF_CONDUCT.md ├── COMMUNITY.md ├── CONTRIBUTING.md ├── ControlID_RuleName.csv ├── FWName_CID_CName.csv ├── GOVERNANCE.md ├── LICENSE ├── MAINTAINERS.md ├── README.md ├── SECURITY.md ├── attack-tracks ├── external-wl-unauthenticated.json ├── external-workload-with-cluster-takeover-roles.json ├── service-destruction.json ├── workload-external-track.json └── workload-unauthenticated-service.json ├── categories └── mapCategoryNameToID.json ├── controlIDsmigration └── newids.json ├── controls ├── C-0001-forbiddencontainerregistries.json ├── C-0002-execintocontainer.json ├── C-0004-resourcesmemorylimitandrequest.json ├── C-0005-apiserverinsecureportisenabled.json ├── C-0007-datadestruction.json ├── C-0009-resourcelimits.json ├── C-0012-applicationscredentialsinconfigurationfiles.json ├── C-0013-nonrootcontainers.json ├── C-0014-accesskubernetesdashboard.json ├── C-0015-listkubernetessecrets.json ├── C-0016-allowprivilegeescalation.json ├── C-0017-immutablecontainerfilesystem.json ├── C-0018-configuredreadinessprobe.json ├── C-0020-mountserviceprincipal.json ├── C-0021-exposedsensitiveinterfaces.json ├── C-0026-kubernetescronjob.json ├── C-0030-ingressandegressblocked.json ├── C-0031-deletekubernetesevents.json ├── C-0034-automaticmappingofserviceaccount.json ├── C-0035-clusteradminbinding.json ├── C-0036-maliciousadmissioncontrollervalidating.json ├── C-0037-corednspoisoning.json ├── C-0038-hostpidipcprivileges.json ├── C-0039-maliciousadmissioncontrollermutating.json ├── C-0041-hostnetworkaccess.json ├── C-0042-sshserverrunninginsidecontainer.json ├── C-0044-containerhostport.json ├── C-0045-writablehostpathmount.json ├── C-0046-insecurecapabilities.json ├── C-0048-hostpathmount.json ├── C-0049-networkmapping.json ├── C-0050-resourcescpulimitandrequest.json ├── C-0052-instancemetadataapi.json ├── C-0053-accesscontainerserviceaccount.json ├── C-0054-clusterinternalnetworking.json ├── C-0055-linuxhardening.json ├── C-0056-configuredlivenessprobe.json ├── C-0057-privilegedcontainer.json ├── C-0058-cve202125741usingsymlinkforarbitraryhostfilesystemaccess.json ├── C-0059-cve202125742nginxingresssnippetannotationvulnerability.json ├── C-0061-podsindefaultnamespace.json ├── C-0062-sudoincontainerentrypoint.json ├── C-0063-portforwardingprivileges.json ├── C-0065-noimpersonation.json ├── C-0066-secretetcdencryptionenabled.json ├── C-0067-auditlogsenabled.json ├── C-0068-pspenabled.json ├── C-0069-disableanonymousaccesstokubeletservice.json ├── C-0070-enforcekubeletclienttlsauthentication.json ├── C-0073-nakedpods.json ├── C-0074-containersmountingdockersocket.json ├── C-0075-imagepullpolicyonlatesttag.json ├── C-0076-labelusageforresources.json ├── C-0077-k8scommonlabelsusage.json ├── C-0078-imagesfromallowedregistry.json ├── C-0079-cve20220185linuxkernelcontainerescape.json ├── C-0081-cve202224348argocddirtraversal.json ├── C-0083-workloadswithcriticalvulnerabilitiesexposedtoexternaltraffic.json ├── C-0084-workloadswithrcevulnerabilitiesexposedtoexternaltraffic.json ├── C-0085-workloadswithexcessiveamountofvulnerabilities.json ├── C-0087-cve202223648containerdfsescape.json ├── C-0088-rbacenabled.json ├── C-0089-cve20223172aggregatedapiserverredirect.json ├── C-0090-cve202239328grafanaauthbypass.json ├── C-0091-cve202247633kyvernosignaturebypass.json ├── C-0092-ensurethattheapiserverpodspecificationfilepermissionsaresetto600ormorerestrictive.json ├── C-0093-ensurethattheapiserverpodspecificationfileownershipissettorootroot.json ├── C-0094-ensurethatthecontrollermanagerpodspecificationfilepermissionsaresetto600ormorerestrictive.json ├── C-0095-ensurethatthecontrollermanagerpodspecificationfileownershipissettorootroot.json ├── C-0096-ensurethattheschedulerpodspecificationfilepermissionsaresetto600ormorerestrictive.json ├── C-0097-ensurethattheschedulerpodspecificationfileownershipissettorootroot.json ├── C-0098-ensurethattheetcdpodspecificationfilepermissionsaresetto600ormorerestrictive.json ├── C-0099-ensurethattheetcdpodspecificationfileownershipissettorootroot.json ├── C-0100-ensurethatthecontainernetworkinterfacefilepermissionsaresetto600ormorerestrictive.json ├── C-0101-ensurethatthecontainernetworkinterfacefileownershipissettorootroot.json ├── C-0102-ensurethattheetcddatadirectorypermissionsaresetto700ormorerestrictive.json ├── C-0103-ensurethattheetcddatadirectoryownershipissettoetcdetcd.json ├── C-0104-ensurethattheadminconffilepermissionsaresetto600.json ├── C-0105-ensurethattheadminconffileownershipissettorootroot.json ├── C-0106-ensurethattheschedulerconffilepermissionsaresetto600ormorerestrictive.json ├── C-0107-ensurethattheschedulerconffileownershipissettorootroot.json ├── C-0108-ensurethatthecontrollermanagerconffilepermissionsaresetto600ormorerestrictive.json ├── C-0109-ensurethatthecontrollermanagerconffileownershipissettorootroot.json ├── C-0110-ensurethatthekubernetespkidirectoryandfileownershipissettorootroot.json ├── C-0111-ensurethatthekubernetespkicertificatefilepermissionsaresetto600ormorerestrictive.json ├── C-0112-ensurethatthekubernetespkikeyfilepermissionsaresetto600.json ├── C-0113-ensurethattheapiserveranonymousauthargumentissettofalse.json ├── C-0114-ensurethattheapiservertokenauthfileparameterisnotset.json ├── C-0115-ensurethattheapiserverdenyserviceexternalipsisnotset.json ├── C-0116-ensurethattheapiserverkubeletclientcertificateandkubeletclientkeyargumentsaresetasappropriate.json ├── C-0117-ensurethattheapiserverkubeletcertificateauthorityargumentissetasappropriate.json ├── C-0118-ensurethattheapiserverauthorizationmodeargumentisnotsettoalwaysallow.json ├── C-0119-ensurethattheapiserverauthorizationmodeargumentincludesnode.json ├── C-0120-ensurethattheapiserverauthorizationmodeargumentincludesrbac.json ├── C-0121-ensurethattheadmissioncontrolplugineventratelimitisset.json ├── C-0122-ensurethattheadmissioncontrolpluginalwaysadmitisnotset.json ├── C-0123-ensurethattheadmissioncontrolpluginalwayspullimagesisset.json ├── C-0124-ensurethattheadmissioncontrolpluginsecuritycontextdenyissetifpodsecuritypolicyisnotused.json ├── C-0125-ensurethattheadmissioncontrolpluginserviceaccountisset.json ├── C-0126-ensurethattheadmissioncontrolpluginnamespacelifecycleisset.json ├── C-0127-ensurethattheadmissioncontrolpluginnoderestrictionisset.json ├── C-0128-ensurethattheapiserversecureportargumentisnotsetto0.json ├── C-0129-ensurethattheapiserverprofilingargumentissettofalse.json ├── C-0130-ensurethattheapiserverauditlogpathargumentisset.json ├── C-0131-ensurethattheapiserverauditlogmaxageargumentissetto30orasappropriate.json ├── C-0132-ensurethattheapiserverauditlogmaxbackupargumentissetto10orasappropriate.json ├── C-0133-ensurethattheapiserverauditlogmaxsizeargumentissetto100orasappropriate.json ├── C-0134-ensurethattheapiserverrequesttimeoutargumentissetasappropriate.json ├── C-0135-ensurethattheapiserverserviceaccountlookupargumentissettotrue.json ├── C-0136-ensurethattheapiserverserviceaccountkeyfileargumentissetasappropriate.json ├── C-0137-ensurethattheapiserveretcdcertfileandetcdkeyfileargumentsaresetasappropriate.json ├── C-0138-ensurethattheapiservertlscertfileandtlsprivatekeyfileargumentsaresetasappropriate.json ├── C-0139-ensurethattheapiserverclientcafileargumentissetasappropriate.json ├── C-0140-ensurethattheapiserveretcdcafileargumentissetasappropriate.json ├── C-0141-ensurethattheapiserverencryptionproviderconfigargumentissetasappropriate.json ├── C-0142-ensurethatencryptionprovidersareappropriatelyconfigured.json ├── C-0143-ensurethattheapiserveronlymakesuseofstrongcryptographicciphers.json ├── C-0144-ensurethatthecontrollermanagerterminatedpodgcthresholdargumentissetasappropriate.json ├── C-0145-ensurethatthecontrollermanagerprofilingargumentissettofalse.json ├── C-0146-ensurethatthecontrollermanageruseserviceaccountcredentialsargumentissettotrue.json ├── C-0147-ensurethatthecontrollermanagerserviceaccountprivatekeyfileargumentissetasappropriate.json ├── C-0148-ensurethatthecontrollermanagerrootcafileargumentissetasappropriate.json ├── C-0149-ensurethatthecontrollermanagerrotatekubeletservercertificateargumentissettotrue.json ├── C-0150-ensurethatthecontrollermanagerbindaddressargumentissetto127001.json ├── C-0151-ensurethattheschedulerprofilingargumentissettofalse.json ├── C-0152-ensurethattheschedulerbindaddressargumentissetto127001.json ├── C-0153-ensurethatthecertfileandkeyfileargumentsaresetasappropriate.json ├── C-0154-ensurethattheclientcertauthargumentissettotrue.json ├── C-0155-ensurethattheautotlsargumentisnotsettotrue.json ├── C-0156-ensurethatthepeercertfileandpeerkeyfileargumentsaresetasappropriate.json ├── C-0157-ensurethatthepeerclientcertauthargumentissettotrue.json ├── C-0158-ensurethatthepeerautotlsargumentisnotsettotrue.json ├── C-0159-ensurethatauniquecertificateauthorityisusedforetcd.json ├── C-0160-ensurethataminimalauditpolicyiscreated.json ├── C-0161-ensurethattheauditpolicycoverskeysecurityconcerns.json ├── C-0162-ensurethatthekubeletservicefilepermissionsaresetto600ormorerestrictive.json ├── C-0163-ensurethatthekubeletservicefileownershipissettorootroot.json ├── C-0164-ifproxykubeconfigfileexistsensurepermissionsaresetto600ormorerestrictive.json ├── C-0165-ifproxykubeconfigfileexistsensureownershipissettorootroot.json ├── C-0166-ensurethatthekubeconfigkubeletconffilepermissionsaresetto600ormorerestrictive.json ├── C-0167-ensurethatthekubeconfigkubeletconffileownershipissettorootroot.json ├── C-0168-ensurethatthecertificateauthoritiesfilepermissionsaresetto600ormorerestrictive.json ├── C-0169-ensurethattheclientcertificateauthoritiesfileownershipissettorootroot.json ├── C-0170-ifthekubeletconfigyamlconfigurationfileisbeingusedvalidatepermissionssetto600ormorerestrictive.json ├── C-0171-ifthekubeletconfigyamlconfigurationfileisbeingusedvalidatefileownershipissettorootroot.json ├── C-0172-ensurethattheanonymousauthargumentissettofalse.json ├── C-0173-ensurethattheauthorizationmodeargumentisnotsettoalwaysallow.json ├── C-0174-ensurethattheclientcafileargumentissetasappropriate.json ├── C-0175-verifythatthereadonlyportargumentissetto0.json ├── C-0176-ensurethatthestreamingconnectionidletimeoutargumentisnotsetto0.json ├── C-0177-ensurethattheprotectkerneldefaultsargumentissettotrue.json ├── C-0178-ensurethatthemakeiptablesutilchainsargumentissettotrue.json ├── C-0179-ensurethatthehostnameoverrideargumentisnotset.json ├── C-0180-ensurethattheeventqpsargumentissetto0oralevelwhichensuresappropriateeventcapture.json ├── C-0181-ensurethatthetlscertfileandtlsprivatekeyfileargumentsaresetasappropriate.json ├── C-0182-ensurethattherotatecertificatesargumentisnotsettofalse.json ├── C-0183-verifythattherotatekubeletservercertificateargumentissettotrue.json ├── C-0184-ensurethatthekubeletonlymakesuseofstrongcryptographicciphers.json ├── C-0185-ensurethattheclusteradminroleisonlyusedwhererequired.json ├── C-0186-minimizeaccesstosecrets.json ├── C-0187-minimizewildcarduseinrolesandclusterroles.json ├── C-0188-minimizeaccesstocreatepods.json ├── C-0189-ensurethatdefaultserviceaccountsarenotactivelyused.json ├── C-0190-ensurethatserviceaccounttokensareonlymountedwherenecessary.json ├── C-0191-limituseofthebindimpersonateandescalatepermissionsinthekubernetescluster.json ├── C-0192-ensurethattheclusterhasatleastoneactivepolicycontrolmechanisminplace.json ├── C-0193-minimizetheadmissionofprivilegedcontainers.json ├── C-0194-minimizetheadmissionofcontainerswishingtosharethehostprocessidnamespace.json ├── C-0195-minimizetheadmissionofcontainerswishingtosharethehostipcnamespace.json ├── C-0196-minimizetheadmissionofcontainerswishingtosharethehostnetworknamespace.json ├── C-0197-minimizetheadmissionofcontainerswithallowprivilegeescalation.json ├── C-0198-minimizetheadmissionofrootcontainers.json ├── C-0199-minimizetheadmissionofcontainerswiththenet_rawcapability.json ├── C-0200-minimizetheadmissionofcontainerswithaddedcapabilities.json ├── C-0201-minimizetheadmissionofcontainerswithcapabilitiesassigned.json ├── C-0202-minimizetheadmissionofwindowshostprocesscontainers.json ├── C-0203-minimizetheadmissionofhostpathvolumes.json ├── C-0204-minimizetheadmissionofcontainerswhichusehostports.json ├── C-0205-ensurethatthecniinusesupportsnetworkpolicies.json ├── C-0206-ensurethatallnamespaceshavenetworkpoliciesdefined.json ├── C-0207-preferusingsecretsasfilesoversecretsasenvironmentvariables.json ├── C-0208-considerexternalsecretstorage.json ├── C-0209-createadministrativeboundariesbetweenresourcesusingnamespaces.json ├── C-0210-ensurethattheseccompprofileissettodockerdefaultinyourpoddefinitions.json ├── C-0211-applysecuritycontexttoyourpodsandcontainers.json ├── C-0212-thedefaultnamespaceshouldnotbeused.json ├── C-0213-minimizetheadmissionofprivilegedcontainers.json ├── C-0214-minimizetheadmissionofcontainerswishingtosharethehostprocessidnamespace.json ├── C-0215-minimizetheadmissionofcontainerswishingtosharethehostipcnamespace.json ├── C-0216-minimizetheadmissionofcontainerswishingtosharethehostnetworknamespace.json ├── C-0217-minimizetheadmissionofcontainerswithallowprivilegeescalation.json ├── C-0218-minimizetheadmissionofrootcontainers.json ├── C-0219-minimizetheadmissionofcontainerswithaddedcapabilities.json ├── C-0220-minimizetheadmissionofcontainerswithcapabilitiesassigned.json ├── C-0221-ensureimagevulnerabilityscanningusingamazonecrimagescanningorathirdpartyprovider.json ├── C-0222-minimizeuseraccesstoamazonecr.json ├── C-0223-minimizeclusteraccesstoreadonlyforamazonecr.json ├── C-0225-preferusingdedicatedeksserviceaccounts.json ├── C-0226-preferusingacontaineroptimizedoswhenpossible.json ├── C-0227-restrictaccesstothecontrolplaneendpoint.json ├── C-0228-ensureclustersarecreatedwithprivateendpointenabledandpublicaccessdisabled.json ├── C-0229-ensureclustersarecreatedwithprivatenodes.json ├── C-0230-ensurenetworkpolicyisenabledandsetasappropriate.json ├── C-0231-encrypttraffictohttpsloadbalancerswithtlscertificates.json ├── C-0232-managekubernetesrbacuserswithawsiamauthenticatorforkubernetesorupgradetoawscliv116156.json ├── C-0233-considerfargateforrunninguntrustedworkloads.json ├── C-0234-considerexternalsecretstorage.json ├── C-0235-ensurethatthekubeletconfigurationfilehaspermissionssetto644ormorerestrictive.json ├── C-0236-verifyimagesignature.json ├── C-0237-hasimagesignature.json ├── C-0238-ensurethatthekubeconfigfilepermissionsaresetto644ormorerestrictive.json ├── C-0239-preferusingdedicatedaksserviceaccounts.json ├── C-0240-ensurenetworkpolicyisenabledandsetasappropriate.json ├── C-0241-useazurerbacforkubernetesauthorization.json ├── C-0242-hostilemultitenantworkloads.json ├── C-0243-ensureimagevulnerabilityscanningusingazuredefenderimagescanningorathirdpartyprovider.json ├── C-0244-ensurekubernetessecretsareencrypted.json ├── C-0245-encrypttraffictohttpsloadbalancerswithtlscertificates.json ├── C-0246-avoiduseofsystemmastersgroup.json ├── C-0247-restrictaccesstothecontrolplaneendpoint.json ├── C-0248-ensureclustersarecreatedwithprivatenodes.json ├── C-0249-restrictuntrustedworkloads.json ├── C-0250-minimizeclusteraccesstoreadonlyforazurecontainerregistryacr.json ├── C-0251-minimizeuseraccesstoazurecontainerregistryacr.json ├── C-0252-ensureclustersarecreatedwithprivateendpointenabledandpublicaccessdisabled.json ├── C-0253-deprecated-k8s-registry.json ├── C-0254-enableauditlogs.json ├── C-0255-workloadwithsecretaccess.json ├── C-0256-exposuretointernet.json ├── C-0257-pvcaccess.json ├── C-0258-configmapaccess.json ├── C-0259-workloadwithcredentialaccess.json ├── C-0260-missingnetworkpolicy.json ├── C-0261-satokenmounted.json ├── C-0262-anonymousaccessisenabled.json ├── C-0263-ingress-tls.json ├── C-0264-pv-encrypted.json ├── C-0265-authenticateduserhasrbac.json ├── C-0266-exposuretointernet-gateway.json ├── C-0267-workloadwithclustertakeoverroles.json ├── C-0268-ensurecpurequestsareset.json ├── C-0269-ensurememoryrequestsareset.json ├── C-0270-ensurecpulimitsareset.json ├── C-0271-ensurememorylimitsareset.json ├── C-0272-workloadwithadministrativeroles.json ├── C-0273-outdatedk8sversion.json ├── C-0274-unauthenticatedservice.json ├── C-0275-minimizetheadmissionofcontainerswishingtosharethehostprocessidnamespace.json ├── C-0276-minimizetheadmissionofcontainerswishingtosharethehostipcnamespace.json ├── C-0277-ensurethattheapiserveronlymakesuseofstrongcryptographicciphers-new.json ├── C-0278-minimizeaccesstocreatepv.json ├── C-0279-minimizeaccesstonodeproxy.json ├── C-0280-minimizeaccesstocertsigningreq.json ├── C-0281-minimizeaccesstoadmissionwebhook.json ├── C-0282-minimizeaccesstoserviceaccountcreate.json ├── C-0283-ensurethattheapiserverdenyserviceexternalipsisset.json ├── C-0284-ensurethatthekubeletconfiguredtolimitpodpids.json ├── C-0285-clusteraccessmanagerapitostreamlineandenhancethemanagementofaccesscontrolswithineksclusters.json ├── C-0286-clientcertificateauthenticationshouldnotbeusedforusers.json ├── C-0287-serviceaccounttokenauthenticationshouldnotbeusedforusers.json ├── C-0288-bootstraptokenauthenticationshouldnotbeusedforusers.json ├── C-0289-configureimageprovenanceusingimagepolicywebhookadmissioncontroller.json └── examples │ ├── allowprivilegeescalation.yaml │ ├── c001.yaml │ ├── c002.yaml │ ├── c004.yaml │ ├── c006.yaml │ ├── c007.yaml │ ├── c008.yaml │ ├── c009.yaml │ ├── c011.yaml │ ├── c013.yaml │ ├── c015.yaml │ ├── c017.yaml │ ├── c018.yaml │ ├── c019.yaml │ ├── c028.yaml │ ├── c030.yaml │ ├── c031.yaml │ ├── c034.yaml │ ├── c038.yaml │ ├── c041.yaml │ ├── c044.yaml │ ├── c045.yaml │ ├── c046.yaml │ ├── c049.yaml │ ├── c050.yaml │ ├── c056.yaml │ ├── c061.yaml │ ├── c062.yaml │ ├── c063.yaml │ ├── c065.yaml │ ├── c073.yaml │ ├── c074.yaml │ ├── c075.yaml │ ├── c076.yaml │ ├── c077.yaml │ ├── c087.yaml │ └── rename.sh ├── default-config-inputs.json ├── exceptions ├── aks.json ├── default-namespace.json ├── eks.json ├── gke.json ├── kube-apiserver.json ├── kubescap-v13.json ├── kubescape-prometheus.json ├── kubescape.json └── minikube.json ├── frameworks ├── __YAMLscan.json ├── allcontrols.json ├── armobest.json ├── cis-aks-t1.2.0.json ├── cis-eks-t1.7.0.json ├── cis-v1.10.0.json ├── clusterscan.json ├── devopsbest.json ├── mitre.json ├── nsaframework.json ├── security.json ├── soc2.json └── workloadscan.json ├── gitregostore ├── datastructures.go ├── gitstoremethods.go ├── gitstoremethods_test.go ├── gitstoreutils.go └── gitstoreutils_test.go ├── go.mod ├── go.sum ├── go.work.sum ├── rules ├── .regal │ └── config.yaml ├── CVE-2021-25741 │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ ├── cronjob.yaml │ │ │ └── node.json │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ ├── node.json │ │ │ └── pod.yaml │ │ └── workloads │ │ ├── expected.json │ │ └── input │ │ ├── deployment.yaml │ │ └── node.json ├── CVE-2021-25742 │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── deployment-bad-image-name │ │ ├── expected.json │ │ └── input │ │ │ └── deployment.yaml │ │ └── deployment-config-map │ │ ├── expected.json │ │ └── input │ │ ├── configmap.yaml │ │ └── deployment.yaml ├── CVE-2022-0185 │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── test_azure_fail │ │ ├── expected.json │ │ └── input │ │ │ ├── kernelvars.json │ │ │ └── node.json │ │ ├── test_azure_pass │ │ ├── expected.json │ │ └── input │ │ │ ├── kernelvars.json │ │ │ └── node.json │ │ ├── test_generic_fail │ │ ├── expected.json │ │ └── input │ │ │ ├── kernelvars.json │ │ │ └── node.json │ │ └── test_generic_pass │ │ ├── expected.json │ │ └── input │ │ ├── kernelvars.json │ │ └── node.json ├── CVE-2022-23648 │ ├── raw.rego │ └── rule.metadata.json ├── CVE-2022-24348 │ ├── filter.rego │ ├── raw.rego │ └── rule.metadata.json ├── CVE-2022-3172 │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ ├── api_version.yaml │ │ │ └── service.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ ├── 1.yaml │ │ └── api_version.yaml ├── CVE-2022-39328 │ ├── filter.rego │ ├── raw.rego │ └── rule.metadata.json ├── CVE-2022-47633 │ ├── filter.rego │ ├── raw.rego │ └── rule.metadata.json ├── Ensure-that-the-kubeconfig-file-permissions-are-set-to-644-or-more-restrictive │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── kubelet.json ├── access-container-service-account-v1 │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── clusterrole-clusterrolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── clusterrole.yaml │ │ │ └── clusterrolebinding.yaml │ │ ├── clusterrole-rolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── cluterrole.yaml │ │ │ └── rolebinding.yaml │ │ └── role-rolebinding │ │ ├── expected.json │ │ └── input │ │ ├── role.yaml │ │ └── rolebinding.yaml ├── alert-any-hostpath │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── deployment │ │ ├── expected.json │ │ └── input │ │ │ ├── cronjob.yaml │ │ │ └── deployment.yaml │ │ └── pod │ │ ├── expected.json │ │ └── input │ │ └── pod.yaml ├── alert-container-optimized-os-not-in-use │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── node-os-not-optimize.json │ │ └── success │ │ ├── expected.json │ │ └── input │ │ └── node-bottlerocket-eks.json ├── alert-fargate-not-in-use │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── node_not_fargate.json │ │ ├── success │ │ ├── expected.json │ │ └── input │ │ │ └── node_fargate.json │ │ └── success_one_fargate_other_no │ │ ├── expected.json │ │ └── input │ │ ├── node_fargate.json │ │ └── node_not_fargate.json ├── alert-mount-potential-credentials-paths │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── deployment_eks_failed │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ │ ├── cronjob.yaml │ │ │ └── deployment.yaml │ │ ├── deployment_no_cloud_provider_pass │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ │ ├── cronjob.yaml │ │ │ └── deployment.yaml │ │ ├── pod_eks_failed │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── pod_eks_passed │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ └── pod.yaml ├── alert-rw-hostpath │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── deployment │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── anonymous-access-enabled │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail │ │ ├── expected.json │ │ └── input │ │ │ └── clusterrolebinding.yaml │ │ └── success │ │ ├── expected.json │ │ └── input │ │ └── rolebinding.yaml ├── anonymous-requests-to-kubelet-updated │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── invalid-cli-argument │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── invalid-config-no-value │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── invalid-config-value │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── no-cli-params │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── valid-cli │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ └── valid-config │ │ ├── expected.json │ │ └── input │ │ └── kubelet-info.json ├── audit-policy-content │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed-many-rules-for-one-resources │ │ ├── expected.json │ │ └── input │ │ │ └── control_plane_info.json │ │ ├── failed-missing-argument │ │ ├── expected.json │ │ └── input │ │ │ └── control_plane_info.json │ │ ├── failed-missing-one │ │ ├── expected.json │ │ └── input │ │ │ └── control_plane_info.json │ │ ├── pass-many-rules-for-one-resources │ │ ├── expected.json │ │ └── input │ │ │ └── control_plane_info.json │ │ └── pass │ │ ├── expected.json │ │ └── input │ │ └── control_plane_info.json ├── automount-default-service-account │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── both-mount-default │ │ ├── expected.json │ │ └── input │ │ │ └── serviceaccount.json │ │ ├── both-mount │ │ ├── expected.json │ │ └── input │ │ │ └── sa.json │ │ ├── pod-mount │ │ ├── expected.json │ │ └── input │ │ │ └── serviceaccount.json │ │ └── sa-mount │ │ ├── expected.json │ │ └── input │ │ └── serviceaccount.json ├── automount-service-account │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── both-mount-default │ │ ├── expected.json │ │ └── input │ │ │ ├── file.yaml │ │ │ └── serviceaccount.json │ │ ├── both-mount │ │ ├── expected.json │ │ └── input │ │ │ ├── file.yaml │ │ │ └── sa.json │ │ ├── pod-mount │ │ ├── expected.json │ │ └── input │ │ │ ├── file.yaml │ │ │ └── serviceaccount.json │ │ └── sa-mount │ │ ├── expected.json │ │ └── input │ │ ├── file.yaml │ │ └── serviceaccount.json ├── cluster-access-manager-api-eks │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── eks.json │ │ └── success │ │ ├── expected.json │ │ └── input │ │ └── eks.json ├── cluster-admin-role │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── clusterrole-clusterrolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── clusterrole.yaml │ │ │ └── clusterrolebinding.yaml │ │ ├── clusterrole-rolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── cluterrole.yaml │ │ │ └── rolebinding.yaml │ │ └── role-clusterrolebinding │ │ ├── expected.json │ │ └── input │ │ ├── clusterrolebinding.yaml │ │ └── role.yaml ├── configmap-in-default-namespace │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── configmap │ │ ├── expected.json │ │ └── input │ │ └── configmap.yaml ├── configured-liveness-probe │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── deployment-fail │ │ ├── expected.json │ │ └── input │ │ │ └── deployment.yaml │ │ └── deployment-pass │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── configured-readiness-probe │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── deployment │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── container-hostPort │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ └── pod │ │ ├── expected.json │ │ └── input │ │ └── pod.yaml ├── container-image-repository-v1 │ ├── raw.rego │ └── rule.metadata.json ├── container-image-repository │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob-failed │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod-failed │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── pod-pass-docker-image │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── pod-passed │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workload-failed │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── containers-mounting-docker-socket │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob-containerd │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── cronjob-crio │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod-containerd │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── pod-crio │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── workloads-containerd │ │ ├── expected.json │ │ └── input │ │ │ └── deployment.yaml │ │ ├── workloads-crio │ │ ├── expected.json │ │ └── input │ │ │ └── deployment.yaml │ │ └── workloads │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── csistoragecapacity-in-default-namespace │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── csistoragecapacity │ │ ├── expected.json │ │ └── input │ │ └── csistoragecapacity.yaml ├── drop-capability-netraw │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workloads │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── encrypt-traffic-to-https-load-balancers-with-tls-certificates │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed_ingress_annotation_value │ │ ├── expected.json │ │ └── input │ │ │ ├── ingress.yaml │ │ │ └── svc.yaml │ │ ├── failed_ingress_tls_not_set │ │ ├── expected.json │ │ └── input │ │ │ ├── ingress.yaml │ │ │ └── svc.yaml │ │ ├── failed_no_svc_loadbalancer │ │ ├── expected.json │ │ └── input │ │ │ └── svc.yaml │ │ ├── failed_svc_annotation │ │ ├── expected.json │ │ └── input │ │ │ └── svc.yaml │ │ ├── failed_svc_annotation_value │ │ ├── expected.json │ │ └── input │ │ │ └── svc.yaml │ │ └── success │ │ ├── expected.json │ │ └── input │ │ ├── ingress.yaml │ │ └── svc.yaml ├── endpoints-in-default-namespace │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── endpoints │ │ ├── expected.json │ │ └── input │ │ └── endpoints.yaml ├── endpointslice-in-default-namespace │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── endpointslice │ │ ├── expected.json │ │ └── input │ │ └── endpointslice.yaml ├── enforce-kubelet-client-tls-authentication-updated │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-config-argument-not-set │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── fail-config-only │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── fail-config-sensor-failed │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── pass-cmd-only │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ └── pass-config │ │ ├── expected.json │ │ └── input │ │ └── kubelet-info.json ├── ensure-aws-policies-are-present │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── fail │ │ ├── expected.json │ │ └── input │ │ └── PolicyVersion.json ├── ensure-azure-rbac-is-set │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── ClusterDescribe.json │ │ ├── failed_with_aadProfile_null │ │ ├── expected.json │ │ └── input │ │ │ └── ClusterDescribe.json │ │ ├── failed_with_enableAzureRbac_null │ │ ├── expected.json │ │ └── input │ │ │ └── ClusterDescribe.json │ │ └── success │ │ ├── expected.json │ │ └── input │ │ └── ClusterDescribe.json ├── ensure-clusters-are-created-with-private-endpoint-enabled-and-public-access-disabled │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── aks.json │ │ └── success │ │ ├── expected.json │ │ └── input │ │ └── aks.json ├── ensure-clusters-are-created-with-private-nodes │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── aks.json │ │ └── success │ │ ├── expected.json │ │ └── input │ │ └── aks.json ├── ensure-default-service-accounts-has-only-default-roles │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed_clusterrolebinding │ │ ├── expected.json │ │ └── input │ │ │ └── clusterrolebinding.json │ │ ├── failed_clusterrolebinding_boots_none_default │ │ ├── expected.json │ │ └── input │ │ │ └── clusterrolebinding.json │ │ ├── pass_rolebinding_two_subjects │ │ ├── expected.json │ │ └── input │ │ │ └── rolebinding.yaml │ │ ├── passed_clusterrolebinding │ │ ├── expected.json │ │ └── input │ │ │ └── clusterrolebinding.yaml │ │ └── passed_rolebinding_one_subject │ │ ├── expected.json │ │ └── input │ │ └── rolebinding.yaml ├── ensure-endpointprivateaccess-is-enabled-and-endpointpublicaccess-is-disabled-eks │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed_private_disabled │ │ ├── expected.json │ │ └── input │ │ │ └── eks.json │ │ ├── failed_public_enabled │ │ ├── expected.json │ │ └── input │ │ │ └── eks.json │ │ ├── failed_public_enabled_private_disabled │ │ ├── expected.json │ │ └── input │ │ │ └── eks.json │ │ └── success │ │ ├── expected.json │ │ └── input │ │ └── eks.json ├── ensure-endpointprivateaccess-is-enabled │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── eks.json │ │ └── success │ │ ├── expected.json │ │ └── input │ │ └── eks.json ├── ensure-endpointpublicaccess-is-disabled-on-private-nodes-eks │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── eks.json │ │ └── success │ │ ├── expected.json │ │ └── input │ │ └── eks.json ├── ensure-external-secrets-storage-is-in-use │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed_cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── failed_deployment │ │ ├── expected.json │ │ └── input │ │ │ ├── cronjob.yaml │ │ │ └── deployment.yaml │ │ ├── failed_pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── success │ │ ├── expected.json │ │ └── input │ │ └── pod.yaml ├── ensure-https-loadbalancers-encrypted-with-tls-aws │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed_https_loadbalancer_without_tls │ │ ├── expected.json │ │ └── input │ │ │ └── loadbalancer.yaml │ │ ├── failed_multiple_loadbalancers │ │ ├── expected.json │ │ └── input │ │ │ ├── loadbalancer_failed.yaml │ │ │ └── loadbalancer_success.yaml │ │ ├── success_https_load_balancer_with_tls │ │ ├── expected.json │ │ └── input │ │ │ └── loadbalancer.yaml │ │ └── success_none_https_loadbalancer │ │ ├── expected.json │ │ └── input │ │ └── service.yaml ├── ensure-image-scanning-enabled-cloud │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed-no-scan-all │ │ ├── expected.json │ │ └── input │ │ │ └── eks.json │ │ ├── failed-no-scan-on-push │ │ ├── expected.json │ │ └── input │ │ │ └── eks.json │ │ ├── failed-no-scan │ │ ├── expected.json │ │ └── input │ │ │ └── eks.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── eks.json ├── ensure-image-vulnerability-scanning-using-azure-defender-image-scanning-or-a-third-party-provider │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── ClusterDescribe.json │ │ └── success │ │ ├── expected.json │ │ └── input │ │ └── ClusterDescribe.json ├── ensure-network-policy-is-enabled-eks │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed_aws │ │ ├── expected.json │ │ └── input │ │ │ └── CNIInfo.json │ │ └── pass_calico │ │ ├── expected.json │ │ └── input │ │ └── CNIInfo.json ├── ensure-service-principle-has-read-only-permissions │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail │ │ ├── expected.json │ │ └── input │ │ │ ├── ListEntitiesForPolicies.json │ │ │ └── PolicyVersion.json │ │ └── success │ │ ├── expected.json │ │ └── input │ │ ├── ListEntitiesForPolicies.json │ │ └── PolicyVersion.json ├── ensure-that-the-API-Server-only-makes-use-of-Strong-Cryptographic-Ciphers-cis1-10 │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ ├── 2.yaml │ │ │ └── 3.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-API-Server-only-makes-use-of-Strong-Cryptographic-Ciphers │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ ├── 2.yaml │ │ │ └── 3.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-API-server-pod-specification-file-ownership-is-set-to-root-root │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── group.json │ │ │ └── user.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── control_plane_info.json ├── ensure-that-the-API-server-pod-specification-file-permissions-are-set-to-600-or-more-restrictive │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── control_plane_info.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── control_plane_info.json ├── ensure-that-the-Container-Network-Interface-file-ownership-is-set-to-root-root │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── group.json │ │ │ └── user.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── CNIInfo.json ├── ensure-that-the-Container-Network-Interface-file-permissions-are-set-to-600-or-more-restrictive │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── CNIInfo.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── CNIInfo.json ├── ensure-that-the-Kubernetes-PKI-certificate-file-permissions-are-set-to-600-or-more-restrictive │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── control_plane_info.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── control_plane_info.json ├── ensure-that-the-Kubernetes-PKI-directory-and-file-ownership-is-set-to-root-root │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── group.json │ │ │ └── user.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── control_plane_info.json ├── ensure-that-the-Kubernetes-PKI-key-file-permissions-are-set-to-600 │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── control_plane_info.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── control_plane_info.json ├── ensure-that-the-admin.conf-file-ownership-is-set-to-root-root │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── group.json │ │ │ └── user.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── control_plane_info.json ├── ensure-that-the-admin.conf-file-permissions-are-set-to-600 │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── control_plane_info.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── control_plane_info.json ├── ensure-that-the-admission-control-plugin-AlwaysAdmit-is-not-set │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ └── 2.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-admission-control-plugin-AlwaysPullImages-is-set │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ └── 2.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-admission-control-plugin-EventRateLimit-is-set │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ └── 2.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-admission-control-plugin-NamespaceLifecycle-is-set │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ └── 2.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ ├── 1.yaml │ │ └── 2.yaml ├── ensure-that-the-admission-control-plugin-NodeRestriction-is-set │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ └── 2.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-admission-control-plugin-SecurityContextDeny-is-set-if-PodSecurityPolicy-is-not-used │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── 1.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ ├── 1.yaml │ │ └── 2.yaml ├── ensure-that-the-admission-control-plugin-ServiceAccount-is-set │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ └── 2.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ ├── 1.yaml │ │ └── 2.yaml ├── ensure-that-the-api-server-DenyServiceExternalIPs-is-not-set │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ └── 2.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-api-server-DenyServiceExternalIPs-is-set │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── 1.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ ├── 1.yaml │ │ └── 2.yaml ├── ensure-that-the-api-server-anonymous-auth-argument-is-set-to-false │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ └── 2.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-api-server-audit-log-maxage-argument-is-set-to-30-or-as-appropriate │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ └── 2.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-api-server-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ └── 2.yaml │ │ └── passed │ │ └── expected.json ├── ensure-that-the-api-server-audit-log-maxsize-argument-is-set-to-100-or-as-appropriate │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ └── 2.yaml │ │ └── passed │ │ └── expected.json ├── ensure-that-the-api-server-audit-log-path-argument-is-set │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── 1.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-api-server-authorization-mode-argument-includes-Node │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ └── 2.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-api-server-authorization-mode-argument-includes-RBAC │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ └── 2.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-api-server-authorization-mode-argument-is-not-set-to-AlwaysAllow │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ └── 2.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-api-server-client-ca-file-argument-is-set-as-appropriate │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── 1.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-api-server-encryption-provider-config-argument-is-set-as-appropriate │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ └── control_plane_info.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ ├── 1.yaml │ │ └── control_plane_info.json ├── ensure-that-the-api-server-encryption-providers-are-appropriately-configured │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── control_plane_info.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── control_plane_info.json ├── ensure-that-the-api-server-etcd-cafile-argument-is-set-as-appropriate │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── 1.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-api-server-etcd-certfile-and-etcd-keyfile-arguments-are-set-as-appropriate │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ ├── 2.yaml │ │ │ └── 3.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-api-server-kubelet-certificate-authority-argument-is-set-as-appropriate │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── 1.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-api-server-kubelet-client-certificate-and-kubelet-client-key-arguments-are-set-as-appropriate │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ ├── 2.yaml │ │ │ └── 3.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-api-server-profiling-argument-is-set-to-false │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ └── 2.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-api-server-request-timeout-argument-is-set-as-appropriate │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── 1.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-api-server-secure-port-argument-is-not-set-to-0 │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── 1.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-api-server-service-account-key-file-argument-is-set-as-appropriate │ ├── filter.rego │ ├── raw.rego │ └── rule.metadata.json ├── ensure-that-the-api-server-service-account-lookup-argument-is-set-to-true │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ └── 2.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-api-server-tls-cert-file-and-tls-private-key-file-arguments-are-set-as-appropriate │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ ├── 2.yaml │ │ │ └── 3.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-api-server-token-auth-file-parameter-is-not-set │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ └── 2.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── kubelet.json ├── ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-root │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── group.json │ │ │ └── user.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── kubelet.json ├── ensure-that-the-cni-in-use-supports-network-policies │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed_aws │ │ ├── expected.json │ │ └── input │ │ │ └── CNIInfo.json │ │ ├── failed_flannel │ │ ├── expected.json │ │ └── input │ │ │ └── CNIInfo.json │ │ ├── pass_flannel_and_calico │ │ ├── expected.json │ │ └── input │ │ │ └── CNIInfo.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── CNIInfo.json ├── ensure-that-the-controller-manager-RotateKubeletServerCertificate-argument-is-set-to-true │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── 1.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-controller-manager-bind-address-argument-is-set-to-127.0.0.1 │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ └── 2.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-root │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── group.json │ │ │ └── user.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── control_plane_info.json ├── ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── control_plane_info.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── control_plane_info.json ├── ensure-that-the-controller-manager-profiling-argument-is-set-to-false │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ └── 2.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-controller-manager-root-ca-file-argument-is-set-as-appropriate │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── 1.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-controller-manager-service-account-private-key-file-argument-is-set-as-appropriate │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── 1.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-controller-manager-terminated-pod-gc-threshold-argument-is-set-as-appropriate │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ └── 2.yaml │ │ └── passed │ │ └── expected.json ├── ensure-that-the-controller-manager-use-service-account-credentials-argument-is-set-to-true │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ └── 2.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-controller-manager.conf-file-ownership-is-set-to-root-root │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── group.json │ │ │ └── user.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── control_plane_info.json ├── ensure-that-the-controller-manager.conf-file-permissions-are-set-to-600-or-more-restrictive │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── control_plane_info.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── control_plane_info.json ├── ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-etcd │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── group.json │ │ │ └── user.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── control_plane_info.json ├── ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── control_plane_info.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── control_plane_info.json ├── ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-root │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── group.json │ │ │ └── user.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── control_plane_info.json ├── ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── control_plane_info.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── control_plane_info.json ├── ensure-that-the-kubeconfig-kubelet.conf-file-ownership-is-set-to-root-root │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── group.json │ │ │ └── user.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── kubelet.json ├── ensure-that-the-kubeconfig-kubelet.conf-file-permissions-are-set-to-600-or-more-restrictive │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── kubelet.json ├── ensure-that-the-kubelet-configuration-file-has-permissions-set-to-644-or-more-restrictive │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── kubelet.json ├── ensure-that-the-kubelet-configuration-file-ownership-is-set-to-root-root │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── group.json │ │ │ └── user.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── kubelet.json ├── ensure-that-the-kubelet-service-file-ownership-is-set-to-root-root │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── group.json │ │ │ └── user.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── kubelet.json ├── ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── kubelet.json ├── ensure-that-the-scheduler-bind-address-argument-is-set-to-127.0.0.1 │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ └── 2.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-root │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── group.json │ │ │ └── user.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── control_plane_info.json ├── ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── control_plane_info.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── control_plane_info.json ├── ensure-that-the-scheduler-profiling-argument-is-set-to-false │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── 1.yaml │ │ │ └── 2.yaml │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── 1.yaml ├── ensure-that-the-scheduler.conf-file-ownership-is-set-to-root-root │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── group.json │ │ │ └── user.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── control_plane_info.json ├── ensure-that-the-scheduler.conf-file-permissions-are-set-to-600-or-more-restrictive │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── control_plane_info.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── control_plane_info.json ├── ensure_network_policy_configured_in_labels │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed_cronjob_no_matched_label │ │ ├── expected.json │ │ └── input │ │ │ ├── cronjob.yaml │ │ │ └── network_policy.yaml │ │ ├── failed_deployment_no_matched_label │ │ ├── expected.json │ │ └── input │ │ │ ├── deployment.yaml │ │ │ └── network_policy.yaml │ │ ├── failed_pod_cilium_no_matched_label │ │ ├── expected.json │ │ └── input │ │ │ ├── cilium_network_policy.yaml │ │ │ └── pod.yaml │ │ ├── failed_pod_no_matched_label │ │ ├── expected.json │ │ └── input │ │ │ ├── network_policy.yaml │ │ │ ├── network_policy2.yaml │ │ │ └── pod.yaml │ │ ├── failed_pod_no_networkpolicy │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── success_cronjob_label_match │ │ ├── expected.json │ │ └── input │ │ │ ├── cronjob.yaml │ │ │ └── network_policy.yaml │ │ ├── success_deployment_label_match │ │ ├── expected.json │ │ └── input │ │ │ ├── deployment.yaml │ │ │ └── network_policy.yaml │ │ ├── success_pod_cilium_label_match │ │ ├── expected.json │ │ └── input │ │ │ ├── cilium_network_policy.yaml │ │ │ └── pod.yaml │ │ ├── success_pod_label_match │ │ ├── expected.json │ │ └── input │ │ │ ├── network_policy.yaml │ │ │ └── pod.yaml │ │ ├── success_pod_no_pod_selector │ │ ├── expected.json │ │ └── input │ │ │ ├── network_policy.yaml │ │ │ └── pod.yaml │ │ └── success_pod_no_pod_selector_ns │ │ ├── expected.json │ │ └── input │ │ ├── network_policy.yaml │ │ └── pod.yaml ├── ensure_nodeinstancerole_has_right_permissions_for_ecr │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail │ │ ├── expected.json │ │ └── input │ │ │ ├── ListEntitiesForPolicies.json │ │ │ └── PolicyVersion.json │ │ └── success │ │ ├── expected.json │ │ └── input │ │ ├── ListEntitiesForPolicies.json │ │ └── PolicyVersion.json ├── etcd-auto-tls-disabled │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-argument-set-to-true │ │ ├── expected.json │ │ └── input │ │ │ └── etcdpod.yaml │ │ ├── pass-argument-not-set │ │ ├── expected.json │ │ └── input │ │ │ └── etcdpod.yaml │ │ └── pass-argument-set-to-false │ │ ├── expected.json │ │ └── input │ │ └── etcdpod.yaml ├── etcd-client-auth-cert │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-argument-set-to-false │ │ ├── expected.json │ │ └── input │ │ │ └── etcdpod.yaml │ │ ├── fail-missing-argument │ │ ├── expected.json │ │ └── input │ │ │ └── etcdpod.yaml │ │ └── test-passed │ │ ├── expected.json │ │ └── input │ │ └── etcdpod.yaml ├── etcd-encryption-native │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── test-failed │ │ ├── expected.json │ │ └── input │ │ │ └── apiserverpod.json │ │ └── test-passed │ │ ├── expected.json │ │ └── input │ │ └── apiserverpod.json ├── etcd-peer-auto-tls-disabled │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-argument-set-to-true │ │ ├── expected.json │ │ └── input │ │ │ └── etcdpod.yaml │ │ ├── pass-argument-not-set │ │ ├── expected.json │ │ └── input │ │ │ └── etcdpod.yaml │ │ └── pass-argument-set-to-false │ │ ├── expected.json │ │ └── input │ │ └── etcdpod.yaml ├── etcd-peer-client-auth-cert │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-argument-set-false │ │ ├── expected.json │ │ └── input │ │ │ └── false-argument.yaml │ │ ├── fail-missing-argument │ │ ├── expected.json │ │ └── input │ │ │ └── no-argument.yaml │ │ └── test-passed │ │ ├── expected.json │ │ └── input │ │ └── agument-true.yaml ├── etcd-peer-tls-enabled │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-missing-cert-argument │ │ ├── expected.json │ │ └── input │ │ │ └── etcdpod.yaml │ │ ├── fail-missing-key-argument │ │ ├── expected.json │ │ └── input │ │ │ └── etcdpod.yaml │ │ └── test-passed │ │ ├── expected.json │ │ └── input │ │ └── etcdpod.yaml ├── etcd-tls-enabled │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-missing-cert-argument │ │ ├── expected.json │ │ └── input │ │ │ └── etcdpod.yaml │ │ ├── fail-missing-key-argument │ │ ├── expected.json │ │ └── input │ │ │ └── etcdpod.yaml │ │ └── test-passed │ │ ├── expected.json │ │ └── input │ │ └── etcdpod.yaml ├── etcd-unique-ca │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-same-key-file │ │ ├── expected.json │ │ └── input │ │ │ ├── apiserverpod.yaml │ │ │ └── etcdpod.yaml │ │ └── pass-different-key-files │ │ ├── expected.json │ │ └── input │ │ ├── apiserverpod.yaml │ │ └── etcdpod.yaml ├── excessive_amount_of_vulnerabilities_pods │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── test-failed │ │ ├── expected.json │ │ └── input │ │ ├── pod.yaml │ │ └── resource.json ├── exec-into-container-v1 │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── clusterrole │ │ ├── expected.json │ │ └── input │ │ │ ├── clusterrole.yaml │ │ │ └── clusterrolebinding.yaml │ │ └── role │ │ ├── expected.json │ │ └── input │ │ ├── role.yaml │ │ └── rolebinding.yaml ├── exposed-critical-pods │ ├── filter.rego │ ├── raw.rego │ └── rule.metadata.json ├── exposed-rce-pods │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── test-failed │ │ ├── expected.json │ │ └── input │ │ ├── pod.yaml │ │ ├── resource.json │ │ └── service.yaml ├── exposed-sensitive-interfaces-v1 │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ ├── pod.yaml │ │ │ └── service.yaml │ │ ├── workloads │ │ ├── expected.json │ │ └── input │ │ │ ├── deployment.yaml │ │ │ └── service.yaml │ │ └── workloads2 │ │ ├── expected.json │ │ └── input │ │ ├── deployment.yaml │ │ └── service.yaml ├── exposure-to-internet-via-gateway-api │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed_with_httproute-istio │ │ ├── expected.json │ │ └── input │ │ │ ├── deployment.yaml │ │ │ ├── httproute.yaml │ │ │ └── service.yaml │ │ ├── failed_with_httproute │ │ ├── expected.json │ │ └── input │ │ │ ├── deployment.yaml │ │ │ ├── httproute.yaml │ │ │ └── service.yaml │ │ └── failed_with_httproute_multiservice │ │ ├── expected.json │ │ └── input │ │ ├── deployment.yaml │ │ ├── httproute.yaml │ │ ├── service.yaml │ │ └── service2.yaml ├── exposure-to-internet-via-istio-ingress │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed_with_beta │ │ ├── expected.json │ │ ├── gateway.yaml │ │ ├── input │ │ │ ├── deployment.yaml │ │ │ ├── gateway.yaml │ │ │ ├── istio-gw.yaml │ │ │ ├── service.yaml │ │ │ └── vs.yaml │ │ ├── service.yaml │ │ └── vs.yaml │ │ ├── failed_with_beta_multiservice │ │ ├── expected.json │ │ ├── gateway.yaml │ │ ├── input │ │ │ ├── deployment.yaml │ │ │ ├── gateway.yaml │ │ │ ├── istio-gw.yaml │ │ │ ├── service.yaml │ │ │ └── vs.yaml │ │ ├── service.yaml │ │ ├── service2.yaml │ │ └── vs.yaml │ │ └── failed_with_istiogw │ │ ├── expected.json │ │ └── input │ │ ├── deployment.yaml │ │ ├── gw.yaml │ │ ├── istio-gw.yaml │ │ ├── service.yaml │ │ └── vs.yaml ├── exposure-to-internet │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed_with_ingress │ │ ├── expected.json │ │ └── input │ │ │ ├── deployment.yaml │ │ │ ├── ingress.yaml │ │ │ └── service.yaml │ │ ├── failed_with_service_loadbalancer │ │ ├── expected.json │ │ └── input │ │ │ ├── deployment.yaml │ │ │ └── service.yaml │ │ ├── failed_with_service_nodeport │ │ ├── expected.json │ │ └── input │ │ │ ├── deployment.yaml │ │ │ ├── service.yaml │ │ │ └── service2.yaml │ │ └── success_with_ingress │ │ ├── expected.json │ │ └── input │ │ ├── deployment.yaml │ │ ├── ingress.yaml │ │ └── service.yaml ├── external-secret-storage │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed-no-good-kms │ │ ├── expected.json │ │ └── input │ │ │ └── control_plane_info.json │ │ ├── failed-no-kms │ │ ├── expected.json │ │ └── input │ │ │ └── control_plane_info.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── control_plane_info.json ├── has-image-signature │ ├── raw.rego │ └── rule.metadata.json ├── horizontalpodautoscaler-in-default-namespace │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── horizontalpodautoscaler │ │ ├── expected.json │ │ └── input │ │ └── horizontalpodautoscaler.yaml ├── host-ipc-privileges │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workload │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── host-network-access │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workloads │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── host-pid-ipc-privileges │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workload │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── host-pid-privileges │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workload │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-root │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── group.json │ │ │ └── user.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── kubeproxy.json ├── if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── kubeproxy.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── kubeproxy.json ├── if-the-kubelet-config.yaml-configuration-file-is-being-used-validate-permissions-set-to-600-or-more-restrictive │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── kubelet.json ├── image-pull-policy-is-not-set-to-always │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workload │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── immutable-container-filesystem │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workloads │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── ingress-and-egress-blocked │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── default-policy │ │ ├── expected.json │ │ └── input │ │ │ ├── networkpolicy.yaml │ │ │ └── pod.yaml │ │ ├── only-egress-policy │ │ ├── expected.json │ │ └── input │ │ │ ├── networkpolicy.yaml │ │ │ └── pod.yaml │ │ └── pod │ │ ├── expected.json │ │ └── input │ │ └── pod.yaml ├── ingress-in-default-namespace │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── ingress │ │ ├── expected.json │ │ └── input │ │ └── ingress.yaml ├── ingress-no-tls │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed_with_ingress │ │ ├── expected.json │ │ └── input │ │ │ └── ingress.yaml │ │ └── success_with_ingress │ │ ├── expected.json │ │ └── input │ │ └── ingress.yaml ├── insecure-capabilities │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workloads │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── insecure-port-flag │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── test │ │ ├── expected.json │ │ └── input │ │ └── pod.yaml ├── instance-metadata-api-access │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── cloud_provider_info_failed.json │ │ │ └── cloud_provider_info_pass.json │ │ └── passed │ │ ├── expected.json │ │ └── input │ │ └── cloud_provider_info.json ├── internal-networking │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── namespace-failed │ │ ├── expected.json │ │ └── input │ │ │ ├── namespace.yml │ │ │ └── networkpolicy.yml │ │ └── namespace-passed │ │ ├── expected.json │ │ └── input │ │ ├── namespace.yml │ │ └── networkpolicy.yml ├── k8s-audit-logs-enabled-cloud │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── eks-fail1 │ │ ├── expected.json │ │ └── input │ │ │ └── eks.json │ │ ├── eks-fail2 │ │ ├── expected.json │ │ └── input │ │ │ └── eks.json │ │ ├── eks-pass1 │ │ ├── expected.json │ │ └── input │ │ │ └── eks.json │ │ ├── eks-pass2 │ │ ├── expected.json │ │ └── input │ │ │ └── eks.json │ │ └── gke │ │ ├── expected.json │ │ └── input │ │ └── gke.json ├── k8s-audit-logs-enabled-native-cis │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── test-failed │ │ ├── expected.json │ │ └── input │ │ │ └── apiserverpod.json │ │ └── test-passed │ │ ├── expected.json │ │ └── input │ │ └── apiserverpod.json ├── k8s-audit-logs-enabled-native │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── test-failed │ │ ├── expected.json │ │ └── input │ │ │ └── apiserverpod.json │ │ └── test-passed │ │ ├── expected.json │ │ └── input │ │ └── apiserverpod.json ├── k8s-common-labels-usage │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── workload-fail │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ │ └── deployment.yaml │ │ └── workload │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── kubelet-authorization-mode-alwaysAllow │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-no-cli-and-config │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── fail-sensor-failed │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── invalid-cli-argument │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── invalid-config-value │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── valid-cli-argument │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ └── valid-config-value │ │ ├── expected.json │ │ └── input │ │ └── kubelet-info.json ├── kubelet-event-qps │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-eventRecordQPS=0-config │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── fail-sensor-failed │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── pass-argument-and-config-not-present │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── pass-event-qps-via-command │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ └── pass-eventRecordQPS=3-config │ │ ├── expected.json │ │ └── input │ │ └── kubelet-info.json ├── kubelet-hostname-override │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-contains-command-argument │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ └── pass-argument-not-set │ │ ├── expected.json │ │ └── input │ │ └── kubelet-info.json ├── kubelet-ip-tables │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-sensor-failed │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── fail-set-via-cli │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── fail-set-via-config │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── pass-set-true-via-config │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ └── pass-set-via-cli │ │ ├── expected.json │ │ └── input │ │ └── kubelet-info.json ├── kubelet-protect-kernel-defaults │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── deny-config-file-false │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── fail-no-config-and-cli │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── fail-set-via-cli │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ └── pass-set-via-cli │ │ ├── expected.json │ │ └── input │ │ └── kubelet-info.json ├── kubelet-rotate-certificates │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-cli-argument-set-false │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── fail-sensor-failed │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── fail-set-false-via-config-file │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── pass-cli-argument-not-set │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ └── pass-not-present-in-config-file │ │ ├── expected.json │ │ └── input │ │ └── kubelet-info.json ├── kubelet-rotate-kubelet-server-certificate │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-cli-argument-set-false │ │ ├── expected.json │ │ └── input │ │ │ └── input.json │ │ └── pass-cli-argument-set-true │ │ ├── expected.json │ │ └── input │ │ └── input.json ├── kubelet-set-pod-limit │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-command-argument-not-set │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── pass-argument-set │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ └── pass-config-set │ │ ├── expected.json │ │ └── input │ │ └── kubelet-info.json ├── kubelet-streaming-connection-idle-timeout │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-config-file │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── fail-sensor-failed │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── fail-set-via-cli │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── pass-config-file │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ └── pass-set-via-cli │ │ ├── expected.json │ │ └── input │ │ └── kubelet-info.json ├── kubelet-strong-cryptography-ciphers │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-cli-and-config-not-set │ │ ├── expected.json │ │ └── input │ │ │ └── kubeletcmd.json │ │ ├── fail-cli │ │ ├── expected.json │ │ └── input │ │ │ └── kubeletcmd.json │ │ ├── fail-config-not-supported-value │ │ ├── expected.json │ │ └── input │ │ │ └── kubeletcmd.json │ │ ├── pass-cli │ │ ├── expected.json │ │ └── input │ │ │ └── kubeletcmd.json │ │ ├── pass-config-not-set │ │ ├── expected.json │ │ └── input │ │ │ └── kubeletcmd.json │ │ └── pass-config-supported-value │ │ ├── expected.json │ │ └── input │ │ └── kubeletcmd.json ├── label-usage-for-resources │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── workload-fail │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ │ └── deployment.yaml │ │ └── workload │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── lease-in-default-namespace │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── lease │ │ ├── expected.json │ │ └── input │ │ └── lease.yaml ├── linux-hardening │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── passed │ │ ├── expected.json │ │ └── input │ │ │ ├── cronjob.yaml │ │ │ ├── deployment.yaml │ │ │ └── pod.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workloads │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── list-all-mutating-webhooks │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── test │ │ ├── expected.json │ │ └── input │ │ ├── mutatingwebhook.yaml │ │ └── mutatingwebhook2.yaml ├── list-all-namespaces │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── namespace-failed │ │ ├── expected.json │ │ └── input │ │ └── namespace.yml ├── list-all-validating-webhooks │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── test │ │ ├── expected.json │ │ └── input │ │ ├── mutatingwebhook.yaml │ │ └── mutatingwebhook2.yaml ├── list-role-definitions-in-acr │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── fail │ │ ├── expected.json │ │ └── input │ │ └── ListEntitiesForPolicies.json ├── naked-pods │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── test │ │ ├── expected.json │ │ └── input │ │ ├── deployment.yaml │ │ └── pod.yaml ├── namespace-without-service-account │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── test │ │ ├── expected.json │ │ └── input │ │ ├── namespace.json │ │ ├── namespace2.json │ │ ├── serviceaccount.json │ │ └── serviceaccount2.json ├── non-root-containers │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob-runasuser │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── deployment-fail │ │ ├── expected.json │ │ └── input │ │ │ └── deployment.yaml │ │ ├── deployment-pass │ │ ├── expected.json │ │ └── input │ │ │ └── deployment.yaml │ │ └── pod │ │ ├── expected.json │ │ └── input │ │ └── pod.yaml ├── outdated-k8s-version │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail │ │ ├── expected.json │ │ └── input │ │ │ └── node.json │ │ ├── fail2 │ │ ├── expected.json │ │ └── input │ │ │ └── node.json │ │ └── pass │ │ ├── expected.json │ │ └── input │ │ └── node.json ├── persistentvolumeclaim-in-default-namespace │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── persistentvolumeclaim │ │ ├── expected.json │ │ └── input │ │ └── persistentvolumeclaim.yaml ├── pod-security-admission-applied-1 │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── test │ │ ├── expected.json │ │ └── input │ │ ├── namespace.yaml │ │ ├── namespace2.yaml │ │ └── validatingwebhook.yaml ├── pod-security-admission-applied-2 │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── test │ │ ├── expected.json │ │ └── input │ │ │ ├── mutatingwebhook.yaml │ │ │ └── namespace.yaml │ │ └── test3 │ │ ├── expected.json │ │ └── input │ │ ├── mutatingwebhook.yaml │ │ └── namespace.yaml ├── pod-security-admission-baseline-applied-1 │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── test │ │ ├── expected.json │ │ └── input │ │ │ ├── mutatingwebhook.yaml │ │ │ ├── namespace.yaml │ │ │ └── validatingwebhook.yaml │ │ ├── test2 │ │ ├── expected.json │ │ └── input │ │ │ ├── namespace.yaml │ │ │ ├── namespace2.yaml │ │ │ ├── namespace3.yaml │ │ │ └── validatingwebhook.yaml │ │ └── test3 │ │ ├── expected.json │ │ └── input │ │ ├── mutatingwebhook.yaml │ │ └── namespace.yaml ├── pod-security-admission-baseline-applied-2 │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── test │ │ ├── expected.json │ │ └── input │ │ │ ├── mutatingwebhook.yaml │ │ │ ├── namespace.yaml │ │ │ └── validatingwebhook.yaml │ │ ├── test2 │ │ ├── expected.json │ │ └── input │ │ │ ├── namespace.yaml │ │ │ ├── namespace2.yaml │ │ │ ├── namespace3.yaml │ │ │ └── validatingwebhook.yaml │ │ └── test3 │ │ ├── expected.json │ │ └── input │ │ ├── mutatingwebhook.yaml │ │ └── namespace.yaml ├── pod-security-admission-restricted-applied-1 │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── test │ │ ├── expected.json │ │ └── input │ │ │ ├── mutatingwebhook.yaml │ │ │ ├── namespace.yaml │ │ │ └── validatingwebhook.yaml │ │ ├── test2 │ │ ├── expected.json │ │ └── input │ │ │ ├── namespace.yaml │ │ │ ├── namespace2.yaml │ │ │ └── validatingwebhook.yaml │ │ └── test3 │ │ ├── expected.json │ │ └── input │ │ ├── mutatingwebhook.yaml │ │ └── namespace.yaml ├── pod-security-admission-restricted-applied-2 │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── test │ │ ├── expected.json │ │ └── input │ │ │ ├── mutatingwebhook.yaml │ │ │ ├── namespace.yaml │ │ │ └── validatingwebhook.yaml │ │ ├── test2 │ │ ├── expected.json │ │ └── input │ │ │ ├── namespace.yaml │ │ │ ├── namespace2.yaml │ │ │ └── validatingwebhook.yaml │ │ └── test3 │ │ ├── expected.json │ │ └── input │ │ ├── mutatingwebhook.yaml │ │ └── namespace.yaml ├── poddisruptionbudget-in-default-namespace │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── poddisruptionbudget │ │ ├── expected.json │ │ └── input │ │ └── poddisruptionbudget.yaml ├── pods-in-default-namespace │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workload │ │ ├── expected.json │ │ └── input │ │ ├── deployment1.yaml │ │ └── deployment2.yaml ├── podtemplate-in-default-namespace │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── podtemplate │ │ ├── expected.json │ │ └── input │ │ └── podtemplate.yaml ├── psp-deny-allowed-capabilities │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-many-true │ │ ├── expected.json │ │ └── input │ │ │ ├── psp-true.yaml │ │ │ └── psp-true2.yaml │ │ ├── fail-only-one-true │ │ ├── expected.json │ │ └── input │ │ │ └── psp.yaml │ │ ├── pass-no-true │ │ ├── expected.json │ │ └── input │ │ │ ├── psp.yaml │ │ │ └── psp2.yaml │ │ └── pass-one-true-one-false │ │ ├── expected.json │ │ └── input │ │ ├── psp-false.yaml │ │ └── psp.yaml ├── psp-deny-allowprivilegeescalation │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-many-true │ │ ├── expected.json │ │ └── input │ │ │ ├── psp-true.yaml │ │ │ └── psp-true2.yaml │ │ ├── fail-only-one-true │ │ ├── expected.json │ │ └── input │ │ │ └── psp.yaml │ │ ├── pass-no-true │ │ ├── expected.json │ │ └── input │ │ │ ├── psp.yaml │ │ │ └── psp2.yaml │ │ └── pass-one-true-one-false │ │ ├── expected.json │ │ └── input │ │ ├── psp-false.yaml │ │ └── psp.yaml ├── psp-deny-hostipc │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-many-true │ │ ├── expected.json │ │ └── input │ │ │ ├── psp-true.yaml │ │ │ └── psp-true2.yaml │ │ ├── fail-only-one-true │ │ ├── expected.json │ │ └── input │ │ │ └── psp.yaml │ │ ├── pass-no-true │ │ ├── expected.json │ │ └── input │ │ │ ├── psp.yaml │ │ │ └── psp2.yaml │ │ └── pass-one-true-one-false │ │ ├── expected.json │ │ └── input │ │ ├── psp-false.yaml │ │ └── psp.yaml ├── psp-deny-hostnetwork │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-many-true │ │ ├── expected.json │ │ └── input │ │ │ ├── psp-true.yaml │ │ │ └── psp-true2.yaml │ │ ├── fail-only-one-true │ │ ├── expected.json │ │ └── input │ │ │ └── psp.yaml │ │ ├── pass-no-true │ │ ├── expected.json │ │ └── input │ │ │ ├── psp.yaml │ │ │ └── psp2.yaml │ │ └── pass-one-true-one-false │ │ ├── expected.json │ │ └── input │ │ ├── psp-false.yaml │ │ └── psp.yaml ├── psp-deny-hostpid │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-many-true │ │ ├── expected.json │ │ └── input │ │ │ ├── psp-true.yaml │ │ │ └── psp-true2.yaml │ │ ├── fail-only-one-true │ │ ├── expected.json │ │ └── input │ │ │ └── psp.yaml │ │ ├── pass-no-true │ │ ├── expected.json │ │ └── input │ │ │ ├── psp.yaml │ │ │ └── psp2.yaml │ │ └── pass-one-true-one-false │ │ ├── expected.json │ │ └── input │ │ ├── psp-false.yaml │ │ └── psp.yaml ├── psp-deny-privileged-container │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-many-true │ │ ├── expected.json │ │ └── input │ │ │ ├── psp-true.yaml │ │ │ └── psp-true2.yaml │ │ ├── fail-only-one-true │ │ ├── expected.json │ │ └── input │ │ │ └── psp.yaml │ │ ├── pass-no-true │ │ ├── expected.json │ │ └── input │ │ │ ├── psp.yaml │ │ │ └── psp2.yaml │ │ └── pass-one-true-one-false │ │ ├── expected.json │ │ └── input │ │ ├── psp-false.yaml │ │ └── psp.yaml ├── psp-deny-root-container │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-many-true │ │ ├── expected.json │ │ └── input │ │ │ ├── psp-true.yaml │ │ │ └── psp-true2.yaml │ │ ├── fail-only-one-true │ │ ├── expected.json │ │ └── input │ │ │ └── psp.yaml │ │ ├── pass-no-true │ │ ├── expected.json │ │ └── input │ │ │ ├── psp.yaml │ │ │ └── psp2.yaml │ │ └── pass-one-true-one-false │ │ ├── expected.json │ │ └── input │ │ ├── psp-false.yaml │ │ └── psp.yaml ├── psp-enabled-cloud │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── gke │ │ ├── expected.json │ │ └── input │ │ └── gke.json ├── psp-enabled-native │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── test-failed │ │ ├── expected.json │ │ └── input │ │ │ └── apiserverpod.json │ │ └── test-passed │ │ ├── expected.json │ │ └── input │ │ └── apiserverpod.json ├── psp-required-drop-capabilities │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-many-true │ │ ├── expected.json │ │ └── input │ │ │ ├── psp-true.yaml │ │ │ └── psp-true2.yaml │ │ ├── fail-only-one-true │ │ ├── expected.json │ │ └── input │ │ │ └── psp.yaml │ │ ├── pass-no-true │ │ ├── expected.json │ │ └── input │ │ │ ├── psp.yaml │ │ │ └── psp2.yaml │ │ └── pass-one-true-one-false │ │ ├── expected.json │ │ └── input │ │ ├── psp-false.yaml │ │ └── psp.yaml ├── pv-without-encryption │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── aks │ │ ├── expected.json │ │ └── input │ │ │ ├── pv.yaml │ │ │ └── sc.yaml │ │ ├── eks │ │ ├── expected.json │ │ └── input │ │ │ ├── pv.yaml │ │ │ └── sc.yaml │ │ ├── fail │ │ ├── expected.json │ │ └── input │ │ │ ├── pv.yaml │ │ │ └── sc.yaml │ │ └── gke │ │ ├── expected.json │ │ └── input │ │ ├── pv.yaml │ │ └── sc.yaml ├── rbac-enabled-cloud │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── aks.json │ │ └── success │ │ ├── expected.json │ │ └── input │ │ └── aks.json ├── rbac-enabled-native │ ├── raw.rego │ └── rule.metadata.json ├── read-only-port-enabled-updated │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cli-fail │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── cli-pass │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── config-fail │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ └── config-pass │ │ ├── expected.json │ │ └── input │ │ └── kubelet-info.json ├── replicationcontroller-in-default-namespace │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── replicationcontroller │ │ ├── expected.json │ │ └── input │ │ └── replicationcontroller.yaml ├── resource-policies │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workload │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── resources-cpu-limit-and-request │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod-only-limits │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── pod-only-requests │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── workload-exceeded │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ │ └── deployment.yaml │ │ └── workload │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── resources-cpu-limits │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod-only-limits │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workload │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── resources-cpu-requests │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod-only-requests │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workload │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── resources-memory-limit-and-request │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod-only-limits │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── pod-only-requests │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── pod_pass │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── workload-exceeded │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ │ └── deployment.yaml │ │ ├── workload │ │ ├── expected.json │ │ └── input │ │ │ └── deployment.yaml │ │ └── workload_passed │ │ ├── deployment1.yaml │ │ └── expected.json ├── resources-memory-limits │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod-only-limits │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── pod_pass │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── workload │ │ ├── expected.json │ │ └── input │ │ │ └── deployment.yaml │ │ └── workload_passed │ │ ├── deployment1.yaml │ │ └── expected.json ├── resources-memory-requests │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod-only-requests │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── pod_pass │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── workload │ │ ├── expected.json │ │ └── input │ │ │ └── deployment.yaml │ │ └── workload_passed │ │ ├── deployment1.yaml │ │ └── expected.json ├── resources-secret-in-default-namespace │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── configmap │ │ ├── expected.json │ │ └── input │ │ └── configmap.yaml ├── restrict-access-to-the-control-plane-endpoint │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ └── aks.json │ │ └── success │ │ ├── expected.json │ │ └── input │ │ └── aks.json ├── review-roles-with-aws-iam-authenticator │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── failed │ │ ├── expected.json │ │ └── input │ │ ├── role.yaml │ │ └── role1.yaml ├── role-in-default-namespace │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── role │ │ ├── expected.json │ │ └── input │ │ └── role.yaml ├── rolebinding-in-default-namespace │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── rolebinding │ │ ├── expected.json │ │ └── input │ │ └── rolebinding.yaml ├── rule-access-dashboard-subject-v1 │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── clusterrole-clusterrolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── clusterrole.yaml │ │ │ └── clusterrolebinding.yaml │ │ ├── clusterrole-rolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── cluterrole.yaml │ │ │ └── rolebinding.yaml │ │ └── role-rolebinding │ │ ├── expected.json │ │ └── input │ │ ├── role.yaml │ │ └── rolebinding.yaml ├── rule-access-dashboard-wl-v1 │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workload │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── rule-allow-privilege-escalation │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workloads │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── rule-can-access-proxy-subresource │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── clusterrole-clusterrolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── clusterrole.yaml │ │ │ └── clusterrolebinding.yaml │ │ ├── clusterrole-rolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── cluterrole.yaml │ │ │ └── rolebinding.yaml │ │ └── role-rolebinding │ │ ├── expected.json │ │ └── input │ │ ├── role.yaml │ │ └── rolebinding.yaml ├── rule-can-approve-certsigningreq │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── clusterrole-clusterrolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── clusterrole.yaml │ │ │ └── clusterrolebinding.yaml │ │ ├── clusterrole-rolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── cluterrole.yaml │ │ │ └── rolebinding.yaml │ │ └── role-rolebinding │ │ ├── expected.json │ │ └── input │ │ ├── role.yaml │ │ └── rolebinding.yaml ├── rule-can-bind-escalate │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── clusterrole-clusterrolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── clusterrole.yaml │ │ │ └── clusterrolebinding.yaml │ │ └── role-rolebinding │ │ ├── expected.json │ │ └── input │ │ ├── role.yaml │ │ └── rolebinding.yaml ├── rule-can-create-pod │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── clusterrole-clusterrolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── clusterrole.yaml │ │ │ └── clusterrolebinding.yaml │ │ ├── clusterrole-rolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── cluterrole.yaml │ │ │ └── rolebinding.yaml │ │ └── role-rolebinding │ │ ├── expected.json │ │ └── input │ │ ├── role.yaml │ │ └── rolebinding.yaml ├── rule-can-create-pv │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── clusterrole-clusterrolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── clusterrole.yaml │ │ │ └── clusterrolebinding.yaml │ │ ├── clusterrole-rolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── cluterrole.yaml │ │ │ └── rolebinding.yaml │ │ └── role-rolebinding │ │ ├── expected.json │ │ └── input │ │ ├── role.yaml │ │ └── rolebinding.yaml ├── rule-can-create-service-account-token │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── clusterrole-clusterrolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── clusterrole.yaml │ │ │ └── clusterrolebinding.yaml │ │ ├── clusterrole-rolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── cluterrole.yaml │ │ │ └── rolebinding.yaml │ │ └── role-rolebinding │ │ ├── expected.json │ │ └── input │ │ ├── role.yaml │ │ └── rolebinding.yaml ├── rule-can-delete-k8s-events-v1 │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── clusterrole-clusterrolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── clusterrole.yaml │ │ │ └── clusterrolebinding.yaml │ │ ├── clusterrole-rolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── cluterrole.yaml │ │ │ └── rolebinding.yaml │ │ └── role-rolebinding │ │ ├── expected.json │ │ └── input │ │ ├── role.yaml │ │ └── rolebinding.yaml ├── rule-can-impersonate-users-groups-v1 │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── clusterrole-clusterrolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── clusterrole.yaml │ │ │ └── clusterrolebinding.yaml │ │ ├── clusterrole-rolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── cluterrole.yaml │ │ │ └── rolebinding.yaml │ │ └── role-rolebinding │ │ ├── expected.json │ │ └── input │ │ ├── role.yaml │ │ └── rolebinding.yaml ├── rule-can-list-get-secrets-v1 │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── clusterrole-clusterrolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── clusterrole.yaml │ │ │ └── clusterrolebinding.yaml │ │ ├── clusterrole-rolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── cluterrole.yaml │ │ │ └── rolebinding.yaml │ │ └── role-rolebinding │ │ ├── expected.json │ │ └── input │ │ ├── role.yaml │ │ └── rolebinding.yaml ├── rule-can-modify-admission-webhooks │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── clusterrole-clusterrolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── clusterrole.yaml │ │ │ └── clusterrolebinding.yaml │ │ ├── clusterrole-rolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── cluterrole.yaml │ │ │ └── rolebinding.yaml │ │ └── role-rolebinding │ │ ├── expected.json │ │ └── input │ │ ├── role.yaml │ │ └── rolebinding.yaml ├── rule-can-portforward-v1 │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── clusterrole-clusterrolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── clusterrole.yaml │ │ │ └── clusterrolebinding.yaml │ │ ├── clusterrole-rolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── cluterrole.yaml │ │ │ └── rolebinding.yaml │ │ └── role-rolebinding │ │ ├── expected.json │ │ └── input │ │ ├── role.yaml │ │ └── rolebinding.yaml ├── rule-can-ssh-to-pod-v1 │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ ├── pod.yaml │ │ │ └── service.yaml │ │ └── workloads │ │ ├── expected.json │ │ └── input │ │ ├── deployment.yaml │ │ └── service.yaml ├── rule-can-update-configmap-v1 │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── clusterrole-clusterrolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── clusterrole.yaml │ │ │ └── clusterrolebinding.yaml │ │ ├── clusterrole-rolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── cluterrole.yaml │ │ │ └── rolebinding.yaml │ │ └── role-rolebinding │ │ ├── expected.json │ │ └── input │ │ ├── role.yaml │ │ └── rolebinding.yaml ├── rule-cni-enabled-aks │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── aks-azure-azure-pass │ │ ├── expected.json │ │ └── input │ │ │ └── aks.json │ │ ├── aks-calico-azure-pass │ │ ├── expected.json │ │ └── input │ │ │ └── aks.json │ │ ├── aks-calico-kubenet-pass │ │ ├── expected.json │ │ └── input │ │ │ └── aks.json │ │ ├── aks-empty-fail │ │ ├── expected.json │ │ └── input │ │ │ └── aks.json │ │ └── aks-kubenet-null-fail │ │ ├── expected.json │ │ └── input │ │ └── aks.json ├── rule-credentials-configmap │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── test-allowed-values-keys │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ │ └── configmap.yaml │ │ ├── test-base64 │ │ ├── expected.json │ │ └── input │ │ │ └── configmap.yaml │ │ └── test │ │ ├── expected.json │ │ └── input │ │ └── configmap.yaml ├── rule-credentials-in-env-var │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── deployment │ │ ├── expected.json │ │ └── input │ │ │ └── deployment.yaml │ │ ├── pod-allowed-values-keys │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workloads │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── rule-deny-cronjobs │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── test │ │ ├── expected.json │ │ └── input │ │ └── cronjob.yaml ├── rule-excessive-delete-rights-v1 │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── clusterrole-clusterrolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── clusterrole.yaml │ │ │ └── clusterrolebinding.yaml │ │ ├── clusterrole-rolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── cluterrole.yaml │ │ │ └── rolebinding.yaml │ │ └── role-rolebinding │ │ ├── expected.json │ │ └── input │ │ ├── role.yaml │ │ └── rolebinding.yaml ├── rule-hostile-multitenant-workloads │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── failed │ │ └── expected.json ├── rule-identify-blocklisted-image-registries-v1 │ ├── raw.rego │ └── rule.metadata.json ├── rule-identify-blocklisted-image-registries │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workloads │ │ ├── data.json │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── rule-identify-old-k8s-registry │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workloads │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── rule-list-all-cluster-admins-v1 │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── clusterrole-clusterrolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── clusterrole.yaml │ │ │ └── clusterrolebinding.yaml │ │ ├── clusterrole-rolebinding │ │ ├── expected.json │ │ └── input │ │ │ ├── cluterrole.yaml │ │ │ └── rolebinding.yaml │ │ └── role-rolebinding │ │ ├── expected.json │ │ └── input │ │ ├── role.yaml │ │ └── rolebinding.yaml ├── rule-manual │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── failed │ │ └── expected.json ├── rule-privileged-container │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workloads │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── rule-secrets-in-env-var │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workloads │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── secret-etcd-encryption-cloud │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── aks │ │ ├── expected.json │ │ └── input │ │ │ └── aks.json │ │ ├── eks │ │ ├── expected.json │ │ └── input │ │ │ └── eks.json │ │ └── gke │ │ ├── expected.json │ │ └── input │ │ └── gke.json ├── service-in-default-namespace │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── service │ │ ├── expected.json │ │ └── input │ │ └── service.yaml ├── serviceaccount-in-default-namespace │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ └── serviceaccount │ │ ├── expected.json │ │ └── input │ │ └── serviceaccount.yaml ├── serviceaccount-token-mount │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── both-mount-default │ │ ├── expected.json │ │ └── input │ │ │ ├── file.yaml │ │ │ └── serviceaccount.json │ │ ├── both-mount │ │ ├── expected.json │ │ └── input │ │ │ ├── file.yaml │ │ │ └── sa.json │ │ ├── pod-mount-and-rb-bind │ │ ├── expected.json │ │ └── input │ │ │ ├── file.yaml │ │ │ ├── rolebinding.yaml │ │ │ └── serviceaccount.json │ │ ├── pod-mount │ │ ├── expected.json │ │ └── input │ │ │ ├── file.yaml │ │ │ └── serviceaccount.json │ │ └── sa-mount │ │ ├── expected.json │ │ └── input │ │ ├── file.yaml │ │ └── serviceaccount.json ├── set-fsgroup-value │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ ├── cronjob1.yaml │ │ │ └── cronjob2.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ ├── pod1.yaml │ │ │ └── pod2.yaml │ │ └── workload │ │ ├── expected.json │ │ └── input │ │ ├── deployment1.yaml │ │ └── deployment2.yaml ├── set-fsgroupchangepolicy-value │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ ├── cronjob1.yaml │ │ │ └── cronjob2.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ ├── pod1.yaml │ │ │ └── pod2.yaml │ │ └── workload │ │ ├── expected.json │ │ └── input │ │ ├── deployment1.yaml │ │ └── deployment2.yaml ├── set-procmount-default │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ ├── control_plane_info.json │ │ │ └── cronjob.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ ├── control_plane_info.json │ │ │ └── pod.yaml │ │ └── workload │ │ ├── expected.json │ │ └── input │ │ ├── control_plane_info.json │ │ └── deployment.yaml ├── set-seLinuxOptions │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workloads │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── set-seccomp-profile-RuntimeDefault │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workloads │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── set-seccomp-profile │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workloads │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── set-supplementalgroups-values │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workload │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── set-sysctls-params │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob1.yaml │ │ ├── pod-no-sysctls │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ ├── pod-pass │ │ ├── expected.json │ │ └── input │ │ │ └── pod1.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod1.yaml │ │ └── workload │ │ ├── expected.json │ │ └── input │ │ └── deployment1.yaml ├── sudo-in-container-entrypoint │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── cronjob │ │ ├── expected.json │ │ └── input │ │ │ └── cronjob.yaml │ │ ├── pod │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── workloads │ │ ├── expected.json │ │ └── input │ │ └── deployment.yaml ├── system-authenticated-allowed-to-take-over-cluster │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail │ │ ├── expected.json │ │ └── input │ │ │ ├── clusterrole.yaml │ │ │ └── clusterrolebinding.yaml │ │ └── success │ │ ├── expected.json │ │ └── input │ │ └── rolebinding.yaml ├── unauthenticated-service │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail_service │ │ ├── expected.json │ │ └── input │ │ │ ├── operator.yaml │ │ │ ├── operator2.yaml │ │ │ ├── pod.yaml │ │ │ ├── pod2.yaml │ │ │ ├── service.yaml │ │ │ └── service2.yaml │ │ └── pass │ │ ├── expected.json │ │ └── input │ │ ├── deploy.yaml │ │ ├── service.yaml │ │ └── service_result.yaml ├── validate-kubelet-tls-configuration-updated │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-arguments-not-set-via-cli │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── fail-config-file-not-set │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── pass-1-cli-2-config │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ ├── pass-config-file-arguments-set │ │ ├── expected.json │ │ └── input │ │ │ └── kubelet-info.json │ │ └── pass-set-via-cli │ │ ├── expected.json │ │ └── input │ │ └── kubelet-info.json ├── verify-image-signature │ ├── raw.rego │ └── rule.metadata.json ├── workload-mounted-configmap │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed_pod │ │ ├── expected.json │ │ └── input │ │ │ ├── configmap.yaml │ │ │ └── pod.yaml │ │ ├── success_different_namespaces │ │ ├── expected.json │ │ └── input │ │ │ ├── configmap.yaml │ │ │ └── pod.yaml │ │ └── success_no_configmap │ │ ├── expected.json │ │ └── input │ │ └── pod.yaml ├── workload-mounted-pvc │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed_pod_mounted │ │ ├── expected.json │ │ └── input │ │ │ ├── PVC.yaml │ │ │ └── pod.yaml │ │ ├── success_different_namespaces │ │ ├── expected.json │ │ └── input │ │ │ ├── PVC.yaml │ │ │ └── pod.yaml │ │ ├── success_no_PVC │ │ ├── expected.json │ │ └── input │ │ │ └── pod.yaml │ │ └── success_with_PVC_not_mounted │ │ ├── expected.json │ │ └── input │ │ ├── PVC.yaml │ │ └── pod.yaml ├── workload-mounted-secrets │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── failed │ │ ├── expected.json │ │ └── input │ │ │ ├── pod.yaml │ │ │ └── secret.yaml │ │ └── success │ │ ├── expected.json │ │ └── input │ │ └── pod.yaml ├── workload-with-administrative-roles │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ │ ├── fail-wl-creates-pod │ │ ├── expected.json │ │ └── input │ │ │ ├── clusterrole.yaml │ │ │ ├── clusterrolebinding.yaml │ │ │ ├── file.yaml │ │ │ └── sa.json │ │ ├── pass-wl-limited-permissions │ │ ├── expected.json │ │ └── input │ │ │ ├── clusterrole.yaml │ │ │ ├── clusterrolebinding.yaml │ │ │ ├── file.yaml │ │ │ └── sa.json │ │ ├── pass-wl-not-mount-sa-token │ │ ├── expected.json │ │ └── input │ │ │ ├── clusterrole.yaml │ │ │ ├── clusterrolebinding.yaml │ │ │ ├── file.yaml │ │ │ └── sa.json │ │ └── pass-wl-rolebinding │ │ ├── expected.json │ │ └── input │ │ ├── cluterrole.yaml │ │ ├── file.yaml │ │ ├── rolebinding.yaml │ │ └── sa.json └── workload-with-cluster-takeover-roles │ ├── filter.rego │ ├── raw.rego │ ├── rule.metadata.json │ └── test │ ├── fail-wl-creates-pod │ ├── expected.json │ └── input │ │ ├── clusterrole.yaml │ │ ├── clusterrolebinding.yaml │ │ ├── file.yaml │ │ └── sa.json │ ├── fail-wl-gets-secrets │ ├── expected.json │ └── input │ │ ├── clusterrole.yaml │ │ ├── clusterrolebinding.yaml │ │ ├── file.yaml │ │ └── sa.json │ ├── pass-wl-limited-permissions │ ├── expected.json │ └── input │ │ ├── clusterrole.yaml │ │ ├── clusterrolebinding.yaml │ │ ├── file.yaml │ │ └── sa.json │ ├── pass-wl-not-mount-sa-token │ ├── expected.json │ └── input │ │ ├── clusterrole.yaml │ │ ├── clusterrolebinding.yaml │ │ ├── file.yaml │ │ └── sa.json │ └── pass-wl-rolebinding │ ├── expected.json │ └── input │ ├── cluterrole.yaml │ ├── file.yaml │ ├── rolebinding.yaml │ └── sa.json ├── scripts ├── add_control_to_framework.py ├── add_mult_controls.py ├── bundle.py ├── export.py ├── generate_id.sh ├── generate_subsections_ids.py ├── init-rule.py ├── mark-controls.py ├── mk-generator.py ├── upload-readme.py └── validations.py └── testrunner ├── Makefile ├── README.md ├── go.mod ├── go.sum ├── opaprocessor ├── processorhandler.go └── processorutils.go ├── rego_test.go └── test-single-rego └── input └── deployment.yaml /.gitattributes: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/.gitattributes -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/.github/ISSUE_TEMPLATE/bug_report.md -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/.github/ISSUE_TEMPLATE/feature_request.md -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/.github/PULL_REQUEST_TEMPLATE.md -------------------------------------------------------------------------------- /.github/sync.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/.github/sync.yml -------------------------------------------------------------------------------- /.github/workflows/create-release-v2.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/.github/workflows/create-release-v2.yaml -------------------------------------------------------------------------------- /.github/workflows/ks-check.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/.github/workflows/ks-check.yaml -------------------------------------------------------------------------------- /.github/workflows/pr-comments.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/.github/workflows/pr-comments.yaml -------------------------------------------------------------------------------- /.github/workflows/pr-tests.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/.github/workflows/pr-tests.yaml -------------------------------------------------------------------------------- /.github/workflows/push-releasedev-updates.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/.github/workflows/push-releasedev-updates.yaml -------------------------------------------------------------------------------- /.github/workflows/scorecard.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/.github/workflows/scorecard.yml -------------------------------------------------------------------------------- /.github/workflows/sync.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/.github/workflows/sync.yml -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/.gitignore -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/.gitmodules -------------------------------------------------------------------------------- /.golangci.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/.golangci.yml -------------------------------------------------------------------------------- /ADOPTERS.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/ADOPTERS.md -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/CODE_OF_CONDUCT.md -------------------------------------------------------------------------------- /COMMUNITY.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/COMMUNITY.md -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/CONTRIBUTING.md -------------------------------------------------------------------------------- /ControlID_RuleName.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/ControlID_RuleName.csv -------------------------------------------------------------------------------- /FWName_CID_CName.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/FWName_CID_CName.csv -------------------------------------------------------------------------------- /GOVERNANCE.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/GOVERNANCE.md -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/LICENSE -------------------------------------------------------------------------------- /MAINTAINERS.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/MAINTAINERS.md -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/README.md -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/SECURITY.md -------------------------------------------------------------------------------- /attack-tracks/external-wl-unauthenticated.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/attack-tracks/external-wl-unauthenticated.json -------------------------------------------------------------------------------- /attack-tracks/service-destruction.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/attack-tracks/service-destruction.json -------------------------------------------------------------------------------- /attack-tracks/workload-external-track.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/attack-tracks/workload-external-track.json -------------------------------------------------------------------------------- /attack-tracks/workload-unauthenticated-service.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/attack-tracks/workload-unauthenticated-service.json -------------------------------------------------------------------------------- /categories/mapCategoryNameToID.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/categories/mapCategoryNameToID.json -------------------------------------------------------------------------------- /controlIDsmigration/newids.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controlIDsmigration/newids.json -------------------------------------------------------------------------------- /controls/C-0001-forbiddencontainerregistries.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0001-forbiddencontainerregistries.json -------------------------------------------------------------------------------- /controls/C-0002-execintocontainer.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0002-execintocontainer.json -------------------------------------------------------------------------------- /controls/C-0004-resourcesmemorylimitandrequest.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0004-resourcesmemorylimitandrequest.json -------------------------------------------------------------------------------- /controls/C-0005-apiserverinsecureportisenabled.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0005-apiserverinsecureportisenabled.json -------------------------------------------------------------------------------- /controls/C-0007-datadestruction.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0007-datadestruction.json -------------------------------------------------------------------------------- /controls/C-0009-resourcelimits.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0009-resourcelimits.json -------------------------------------------------------------------------------- /controls/C-0013-nonrootcontainers.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0013-nonrootcontainers.json -------------------------------------------------------------------------------- /controls/C-0014-accesskubernetesdashboard.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0014-accesskubernetesdashboard.json -------------------------------------------------------------------------------- /controls/C-0015-listkubernetessecrets.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0015-listkubernetessecrets.json -------------------------------------------------------------------------------- /controls/C-0016-allowprivilegeescalation.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0016-allowprivilegeescalation.json -------------------------------------------------------------------------------- /controls/C-0017-immutablecontainerfilesystem.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0017-immutablecontainerfilesystem.json -------------------------------------------------------------------------------- /controls/C-0018-configuredreadinessprobe.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0018-configuredreadinessprobe.json -------------------------------------------------------------------------------- /controls/C-0020-mountserviceprincipal.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0020-mountserviceprincipal.json -------------------------------------------------------------------------------- /controls/C-0021-exposedsensitiveinterfaces.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0021-exposedsensitiveinterfaces.json -------------------------------------------------------------------------------- /controls/C-0026-kubernetescronjob.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0026-kubernetescronjob.json -------------------------------------------------------------------------------- /controls/C-0030-ingressandegressblocked.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0030-ingressandegressblocked.json -------------------------------------------------------------------------------- /controls/C-0031-deletekubernetesevents.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0031-deletekubernetesevents.json -------------------------------------------------------------------------------- /controls/C-0034-automaticmappingofserviceaccount.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0034-automaticmappingofserviceaccount.json -------------------------------------------------------------------------------- /controls/C-0035-clusteradminbinding.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0035-clusteradminbinding.json -------------------------------------------------------------------------------- /controls/C-0037-corednspoisoning.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0037-corednspoisoning.json -------------------------------------------------------------------------------- /controls/C-0038-hostpidipcprivileges.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0038-hostpidipcprivileges.json -------------------------------------------------------------------------------- /controls/C-0041-hostnetworkaccess.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0041-hostnetworkaccess.json -------------------------------------------------------------------------------- /controls/C-0042-sshserverrunninginsidecontainer.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0042-sshserverrunninginsidecontainer.json -------------------------------------------------------------------------------- /controls/C-0044-containerhostport.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0044-containerhostport.json -------------------------------------------------------------------------------- /controls/C-0045-writablehostpathmount.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0045-writablehostpathmount.json -------------------------------------------------------------------------------- /controls/C-0046-insecurecapabilities.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0046-insecurecapabilities.json -------------------------------------------------------------------------------- /controls/C-0048-hostpathmount.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0048-hostpathmount.json -------------------------------------------------------------------------------- /controls/C-0049-networkmapping.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0049-networkmapping.json -------------------------------------------------------------------------------- /controls/C-0050-resourcescpulimitandrequest.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0050-resourcescpulimitandrequest.json -------------------------------------------------------------------------------- /controls/C-0052-instancemetadataapi.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0052-instancemetadataapi.json -------------------------------------------------------------------------------- /controls/C-0053-accesscontainerserviceaccount.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0053-accesscontainerserviceaccount.json -------------------------------------------------------------------------------- /controls/C-0054-clusterinternalnetworking.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0054-clusterinternalnetworking.json -------------------------------------------------------------------------------- /controls/C-0055-linuxhardening.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0055-linuxhardening.json -------------------------------------------------------------------------------- /controls/C-0056-configuredlivenessprobe.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0056-configuredlivenessprobe.json -------------------------------------------------------------------------------- /controls/C-0057-privilegedcontainer.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0057-privilegedcontainer.json -------------------------------------------------------------------------------- /controls/C-0061-podsindefaultnamespace.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0061-podsindefaultnamespace.json -------------------------------------------------------------------------------- /controls/C-0062-sudoincontainerentrypoint.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0062-sudoincontainerentrypoint.json -------------------------------------------------------------------------------- /controls/C-0063-portforwardingprivileges.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0063-portforwardingprivileges.json -------------------------------------------------------------------------------- /controls/C-0065-noimpersonation.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0065-noimpersonation.json -------------------------------------------------------------------------------- /controls/C-0066-secretetcdencryptionenabled.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0066-secretetcdencryptionenabled.json -------------------------------------------------------------------------------- /controls/C-0067-auditlogsenabled.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0067-auditlogsenabled.json -------------------------------------------------------------------------------- /controls/C-0068-pspenabled.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0068-pspenabled.json -------------------------------------------------------------------------------- /controls/C-0073-nakedpods.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0073-nakedpods.json -------------------------------------------------------------------------------- /controls/C-0074-containersmountingdockersocket.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0074-containersmountingdockersocket.json -------------------------------------------------------------------------------- /controls/C-0075-imagepullpolicyonlatesttag.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0075-imagepullpolicyonlatesttag.json -------------------------------------------------------------------------------- /controls/C-0076-labelusageforresources.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0076-labelusageforresources.json -------------------------------------------------------------------------------- /controls/C-0077-k8scommonlabelsusage.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0077-k8scommonlabelsusage.json -------------------------------------------------------------------------------- /controls/C-0078-imagesfromallowedregistry.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0078-imagesfromallowedregistry.json -------------------------------------------------------------------------------- /controls/C-0081-cve202224348argocddirtraversal.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0081-cve202224348argocddirtraversal.json -------------------------------------------------------------------------------- /controls/C-0087-cve202223648containerdfsescape.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0087-cve202223648containerdfsescape.json -------------------------------------------------------------------------------- /controls/C-0088-rbacenabled.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0088-rbacenabled.json -------------------------------------------------------------------------------- /controls/C-0090-cve202239328grafanaauthbypass.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0090-cve202239328grafanaauthbypass.json -------------------------------------------------------------------------------- /controls/C-0186-minimizeaccesstosecrets.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0186-minimizeaccesstosecrets.json -------------------------------------------------------------------------------- /controls/C-0188-minimizeaccesstocreatepods.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0188-minimizeaccesstocreatepods.json -------------------------------------------------------------------------------- /controls/C-0208-considerexternalsecretstorage.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0208-considerexternalsecretstorage.json -------------------------------------------------------------------------------- /controls/C-0222-minimizeuseraccesstoamazonecr.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0222-minimizeuseraccesstoamazonecr.json -------------------------------------------------------------------------------- /controls/C-0234-considerexternalsecretstorage.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0234-considerexternalsecretstorage.json -------------------------------------------------------------------------------- /controls/C-0236-verifyimagesignature.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0236-verifyimagesignature.json -------------------------------------------------------------------------------- /controls/C-0237-hasimagesignature.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0237-hasimagesignature.json -------------------------------------------------------------------------------- /controls/C-0242-hostilemultitenantworkloads.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0242-hostilemultitenantworkloads.json -------------------------------------------------------------------------------- /controls/C-0246-avoiduseofsystemmastersgroup.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0246-avoiduseofsystemmastersgroup.json -------------------------------------------------------------------------------- /controls/C-0249-restrictuntrustedworkloads.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0249-restrictuntrustedworkloads.json -------------------------------------------------------------------------------- /controls/C-0253-deprecated-k8s-registry.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0253-deprecated-k8s-registry.json -------------------------------------------------------------------------------- /controls/C-0254-enableauditlogs.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0254-enableauditlogs.json -------------------------------------------------------------------------------- /controls/C-0255-workloadwithsecretaccess.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0255-workloadwithsecretaccess.json -------------------------------------------------------------------------------- /controls/C-0256-exposuretointernet.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0256-exposuretointernet.json -------------------------------------------------------------------------------- /controls/C-0257-pvcaccess.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0257-pvcaccess.json -------------------------------------------------------------------------------- /controls/C-0258-configmapaccess.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0258-configmapaccess.json -------------------------------------------------------------------------------- /controls/C-0259-workloadwithcredentialaccess.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0259-workloadwithcredentialaccess.json -------------------------------------------------------------------------------- /controls/C-0260-missingnetworkpolicy.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0260-missingnetworkpolicy.json -------------------------------------------------------------------------------- /controls/C-0261-satokenmounted.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0261-satokenmounted.json -------------------------------------------------------------------------------- /controls/C-0262-anonymousaccessisenabled.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0262-anonymousaccessisenabled.json -------------------------------------------------------------------------------- /controls/C-0263-ingress-tls.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0263-ingress-tls.json -------------------------------------------------------------------------------- /controls/C-0264-pv-encrypted.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0264-pv-encrypted.json -------------------------------------------------------------------------------- /controls/C-0265-authenticateduserhasrbac.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0265-authenticateduserhasrbac.json -------------------------------------------------------------------------------- /controls/C-0266-exposuretointernet-gateway.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0266-exposuretointernet-gateway.json -------------------------------------------------------------------------------- /controls/C-0267-workloadwithclustertakeoverroles.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0267-workloadwithclustertakeoverroles.json -------------------------------------------------------------------------------- /controls/C-0268-ensurecpurequestsareset.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0268-ensurecpurequestsareset.json -------------------------------------------------------------------------------- /controls/C-0269-ensurememoryrequestsareset.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0269-ensurememoryrequestsareset.json -------------------------------------------------------------------------------- /controls/C-0270-ensurecpulimitsareset.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0270-ensurecpulimitsareset.json -------------------------------------------------------------------------------- /controls/C-0271-ensurememorylimitsareset.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0271-ensurememorylimitsareset.json -------------------------------------------------------------------------------- /controls/C-0272-workloadwithadministrativeroles.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0272-workloadwithadministrativeroles.json -------------------------------------------------------------------------------- /controls/C-0273-outdatedk8sversion.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0273-outdatedk8sversion.json -------------------------------------------------------------------------------- /controls/C-0274-unauthenticatedservice.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0274-unauthenticatedservice.json -------------------------------------------------------------------------------- /controls/C-0278-minimizeaccesstocreatepv.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0278-minimizeaccesstocreatepv.json -------------------------------------------------------------------------------- /controls/C-0279-minimizeaccesstonodeproxy.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0279-minimizeaccesstonodeproxy.json -------------------------------------------------------------------------------- /controls/C-0280-minimizeaccesstocertsigningreq.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0280-minimizeaccesstocertsigningreq.json -------------------------------------------------------------------------------- /controls/C-0281-minimizeaccesstoadmissionwebhook.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/C-0281-minimizeaccesstoadmissionwebhook.json -------------------------------------------------------------------------------- /controls/examples/allowprivilegeescalation.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/allowprivilegeescalation.yaml -------------------------------------------------------------------------------- /controls/examples/c001.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c001.yaml -------------------------------------------------------------------------------- /controls/examples/c002.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c002.yaml -------------------------------------------------------------------------------- /controls/examples/c004.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c004.yaml -------------------------------------------------------------------------------- /controls/examples/c006.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c006.yaml -------------------------------------------------------------------------------- /controls/examples/c007.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c007.yaml -------------------------------------------------------------------------------- /controls/examples/c008.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c008.yaml -------------------------------------------------------------------------------- /controls/examples/c009.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c009.yaml -------------------------------------------------------------------------------- /controls/examples/c011.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c011.yaml -------------------------------------------------------------------------------- /controls/examples/c013.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c013.yaml -------------------------------------------------------------------------------- /controls/examples/c015.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c015.yaml -------------------------------------------------------------------------------- /controls/examples/c017.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c017.yaml -------------------------------------------------------------------------------- /controls/examples/c018.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c018.yaml -------------------------------------------------------------------------------- /controls/examples/c019.yaml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /controls/examples/c028.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c028.yaml -------------------------------------------------------------------------------- /controls/examples/c030.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c030.yaml -------------------------------------------------------------------------------- /controls/examples/c031.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c031.yaml -------------------------------------------------------------------------------- /controls/examples/c034.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c034.yaml -------------------------------------------------------------------------------- /controls/examples/c038.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c038.yaml -------------------------------------------------------------------------------- /controls/examples/c041.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c041.yaml -------------------------------------------------------------------------------- /controls/examples/c044.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c044.yaml -------------------------------------------------------------------------------- /controls/examples/c045.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c045.yaml -------------------------------------------------------------------------------- /controls/examples/c046.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c046.yaml -------------------------------------------------------------------------------- /controls/examples/c049.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c049.yaml -------------------------------------------------------------------------------- /controls/examples/c050.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c050.yaml -------------------------------------------------------------------------------- /controls/examples/c056.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c056.yaml -------------------------------------------------------------------------------- /controls/examples/c061.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c061.yaml -------------------------------------------------------------------------------- /controls/examples/c062.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c062.yaml -------------------------------------------------------------------------------- /controls/examples/c063.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c063.yaml -------------------------------------------------------------------------------- /controls/examples/c065.yaml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /controls/examples/c073.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c073.yaml -------------------------------------------------------------------------------- /controls/examples/c074.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c074.yaml -------------------------------------------------------------------------------- /controls/examples/c075.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c075.yaml -------------------------------------------------------------------------------- /controls/examples/c076.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c076.yaml -------------------------------------------------------------------------------- /controls/examples/c077.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c077.yaml -------------------------------------------------------------------------------- /controls/examples/c087.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/c087.yaml -------------------------------------------------------------------------------- /controls/examples/rename.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/controls/examples/rename.sh -------------------------------------------------------------------------------- /default-config-inputs.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/default-config-inputs.json -------------------------------------------------------------------------------- /exceptions/aks.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/exceptions/aks.json -------------------------------------------------------------------------------- /exceptions/default-namespace.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/exceptions/default-namespace.json -------------------------------------------------------------------------------- /exceptions/eks.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/exceptions/eks.json -------------------------------------------------------------------------------- /exceptions/gke.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/exceptions/gke.json -------------------------------------------------------------------------------- /exceptions/kube-apiserver.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/exceptions/kube-apiserver.json -------------------------------------------------------------------------------- /exceptions/kubescap-v13.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/exceptions/kubescap-v13.json -------------------------------------------------------------------------------- /exceptions/kubescape-prometheus.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/exceptions/kubescape-prometheus.json -------------------------------------------------------------------------------- /exceptions/kubescape.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/exceptions/kubescape.json -------------------------------------------------------------------------------- /exceptions/minikube.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/exceptions/minikube.json -------------------------------------------------------------------------------- /frameworks/__YAMLscan.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/frameworks/__YAMLscan.json -------------------------------------------------------------------------------- /frameworks/allcontrols.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/frameworks/allcontrols.json -------------------------------------------------------------------------------- /frameworks/armobest.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/frameworks/armobest.json -------------------------------------------------------------------------------- /frameworks/cis-aks-t1.2.0.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/frameworks/cis-aks-t1.2.0.json -------------------------------------------------------------------------------- /frameworks/cis-eks-t1.7.0.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/frameworks/cis-eks-t1.7.0.json -------------------------------------------------------------------------------- /frameworks/cis-v1.10.0.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/frameworks/cis-v1.10.0.json -------------------------------------------------------------------------------- /frameworks/clusterscan.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/frameworks/clusterscan.json -------------------------------------------------------------------------------- /frameworks/devopsbest.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/frameworks/devopsbest.json -------------------------------------------------------------------------------- /frameworks/mitre.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/frameworks/mitre.json -------------------------------------------------------------------------------- /frameworks/nsaframework.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/frameworks/nsaframework.json -------------------------------------------------------------------------------- /frameworks/security.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/frameworks/security.json -------------------------------------------------------------------------------- /frameworks/soc2.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/frameworks/soc2.json -------------------------------------------------------------------------------- /frameworks/workloadscan.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/frameworks/workloadscan.json -------------------------------------------------------------------------------- /gitregostore/datastructures.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/gitregostore/datastructures.go -------------------------------------------------------------------------------- /gitregostore/gitstoremethods.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/gitregostore/gitstoremethods.go -------------------------------------------------------------------------------- /gitregostore/gitstoremethods_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/gitregostore/gitstoremethods_test.go -------------------------------------------------------------------------------- /gitregostore/gitstoreutils.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/gitregostore/gitstoreutils.go -------------------------------------------------------------------------------- /gitregostore/gitstoreutils_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/gitregostore/gitstoreutils_test.go -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/go.mod -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/go.sum -------------------------------------------------------------------------------- /go.work.sum: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/go.work.sum -------------------------------------------------------------------------------- /rules/.regal/config.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/.regal/config.yaml -------------------------------------------------------------------------------- /rules/CVE-2021-25741/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2021-25741/filter.rego -------------------------------------------------------------------------------- /rules/CVE-2021-25741/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2021-25741/raw.rego -------------------------------------------------------------------------------- /rules/CVE-2021-25741/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2021-25741/rule.metadata.json -------------------------------------------------------------------------------- /rules/CVE-2021-25741/test/cronjob/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2021-25741/test/cronjob/expected.json -------------------------------------------------------------------------------- /rules/CVE-2021-25741/test/cronjob/input/cronjob.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2021-25741/test/cronjob/input/cronjob.yaml -------------------------------------------------------------------------------- /rules/CVE-2021-25741/test/cronjob/input/node.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2021-25741/test/cronjob/input/node.json -------------------------------------------------------------------------------- /rules/CVE-2021-25741/test/pod/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2021-25741/test/pod/expected.json -------------------------------------------------------------------------------- /rules/CVE-2021-25741/test/pod/input/node.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2021-25741/test/pod/input/node.json -------------------------------------------------------------------------------- /rules/CVE-2021-25741/test/pod/input/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2021-25741/test/pod/input/pod.yaml -------------------------------------------------------------------------------- /rules/CVE-2021-25741/test/workloads/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2021-25741/test/workloads/expected.json -------------------------------------------------------------------------------- /rules/CVE-2021-25741/test/workloads/input/node.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2021-25741/test/workloads/input/node.json -------------------------------------------------------------------------------- /rules/CVE-2021-25742/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2021-25742/filter.rego -------------------------------------------------------------------------------- /rules/CVE-2021-25742/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2021-25742/raw.rego -------------------------------------------------------------------------------- /rules/CVE-2021-25742/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2021-25742/rule.metadata.json -------------------------------------------------------------------------------- /rules/CVE-2022-0185/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2022-0185/filter.rego -------------------------------------------------------------------------------- /rules/CVE-2022-0185/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2022-0185/raw.rego -------------------------------------------------------------------------------- /rules/CVE-2022-0185/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2022-0185/rule.metadata.json -------------------------------------------------------------------------------- /rules/CVE-2022-0185/test/test_azure_pass/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/CVE-2022-0185/test/test_generic_pass/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/CVE-2022-23648/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2022-23648/raw.rego -------------------------------------------------------------------------------- /rules/CVE-2022-23648/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2022-23648/rule.metadata.json -------------------------------------------------------------------------------- /rules/CVE-2022-24348/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2022-24348/filter.rego -------------------------------------------------------------------------------- /rules/CVE-2022-24348/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2022-24348/raw.rego -------------------------------------------------------------------------------- /rules/CVE-2022-24348/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2022-24348/rule.metadata.json -------------------------------------------------------------------------------- /rules/CVE-2022-3172/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2022-3172/filter.rego -------------------------------------------------------------------------------- /rules/CVE-2022-3172/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2022-3172/raw.rego -------------------------------------------------------------------------------- /rules/CVE-2022-3172/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2022-3172/rule.metadata.json -------------------------------------------------------------------------------- /rules/CVE-2022-3172/test/failed/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2022-3172/test/failed/expected.json -------------------------------------------------------------------------------- /rules/CVE-2022-3172/test/failed/input/1.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2022-3172/test/failed/input/1.yaml -------------------------------------------------------------------------------- /rules/CVE-2022-3172/test/failed/input/service.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2022-3172/test/failed/input/service.yaml -------------------------------------------------------------------------------- /rules/CVE-2022-3172/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/CVE-2022-3172/test/passed/input/1.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2022-3172/test/passed/input/1.yaml -------------------------------------------------------------------------------- /rules/CVE-2022-39328/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2022-39328/filter.rego -------------------------------------------------------------------------------- /rules/CVE-2022-39328/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2022-39328/raw.rego -------------------------------------------------------------------------------- /rules/CVE-2022-39328/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2022-39328/rule.metadata.json -------------------------------------------------------------------------------- /rules/CVE-2022-47633/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2022-47633/filter.rego -------------------------------------------------------------------------------- /rules/CVE-2022-47633/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2022-47633/raw.rego -------------------------------------------------------------------------------- /rules/CVE-2022-47633/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/CVE-2022-47633/rule.metadata.json -------------------------------------------------------------------------------- /rules/Ensure-that-the-kubeconfig-file-permissions-are-set-to-644-or-more-restrictive/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/access-container-service-account-v1/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/access-container-service-account-v1/filter.rego -------------------------------------------------------------------------------- /rules/access-container-service-account-v1/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/access-container-service-account-v1/raw.rego -------------------------------------------------------------------------------- /rules/access-container-service-account-v1/test/clusterrole-clusterrolebinding/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/alert-any-hostpath/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/alert-any-hostpath/raw.rego -------------------------------------------------------------------------------- /rules/alert-any-hostpath/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/alert-any-hostpath/rule.metadata.json -------------------------------------------------------------------------------- /rules/alert-any-hostpath/test/pod/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/alert-any-hostpath/test/pod/expected.json -------------------------------------------------------------------------------- /rules/alert-any-hostpath/test/pod/input/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/alert-any-hostpath/test/pod/input/pod.yaml -------------------------------------------------------------------------------- /rules/alert-container-optimized-os-not-in-use/test/success/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/alert-fargate-not-in-use/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/alert-fargate-not-in-use/raw.rego -------------------------------------------------------------------------------- /rules/alert-fargate-not-in-use/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/alert-fargate-not-in-use/rule.metadata.json -------------------------------------------------------------------------------- /rules/alert-fargate-not-in-use/test/success/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/alert-fargate-not-in-use/test/success_one_fargate_other_no/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/alert-mount-potential-credentials-paths/test/deployment_no_cloud_provider_pass/expected.json: -------------------------------------------------------------------------------- 1 | [ 2 | ] -------------------------------------------------------------------------------- /rules/alert-mount-potential-credentials-paths/test/pod_eks_passed/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/alert-rw-hostpath/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/alert-rw-hostpath/raw.rego -------------------------------------------------------------------------------- /rules/alert-rw-hostpath/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/alert-rw-hostpath/rule.metadata.json -------------------------------------------------------------------------------- /rules/alert-rw-hostpath/test/deployment/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/alert-rw-hostpath/test/deployment/expected.json -------------------------------------------------------------------------------- /rules/anonymous-access-enabled/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/anonymous-access-enabled/raw.rego -------------------------------------------------------------------------------- /rules/anonymous-access-enabled/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/anonymous-access-enabled/rule.metadata.json -------------------------------------------------------------------------------- /rules/anonymous-access-enabled/test/success/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/anonymous-requests-to-kubelet-updated/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/anonymous-requests-to-kubelet-updated/raw.rego -------------------------------------------------------------------------------- /rules/anonymous-requests-to-kubelet-updated/test/invalid-config-no-value/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/anonymous-requests-to-kubelet-updated/test/no-cli-params/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/anonymous-requests-to-kubelet-updated/test/valid-cli/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/anonymous-requests-to-kubelet-updated/test/valid-config/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/audit-policy-content/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/audit-policy-content/raw.rego -------------------------------------------------------------------------------- /rules/audit-policy-content/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/audit-policy-content/rule.metadata.json -------------------------------------------------------------------------------- /rules/audit-policy-content/test/pass-many-rules-for-one-resources/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/audit-policy-content/test/pass/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/automount-default-service-account/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/automount-default-service-account/filter.rego -------------------------------------------------------------------------------- /rules/automount-default-service-account/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/automount-default-service-account/raw.rego -------------------------------------------------------------------------------- /rules/automount-default-service-account/test/pod-mount/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/automount-service-account/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/automount-service-account/raw.rego -------------------------------------------------------------------------------- /rules/automount-service-account/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/automount-service-account/rule.metadata.json -------------------------------------------------------------------------------- /rules/automount-service-account/test/pod-mount/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/cluster-access-manager-api-eks/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/cluster-access-manager-api-eks/raw.rego -------------------------------------------------------------------------------- /rules/cluster-access-manager-api-eks/test/success/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/cluster-admin-role/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/cluster-admin-role/raw.rego -------------------------------------------------------------------------------- /rules/cluster-admin-role/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/cluster-admin-role/rule.metadata.json -------------------------------------------------------------------------------- /rules/cluster-admin-role/test/clusterrole-rolebinding/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/cluster-admin-role/test/role-clusterrolebinding/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/configmap-in-default-namespace/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/configmap-in-default-namespace/raw.rego -------------------------------------------------------------------------------- /rules/configured-liveness-probe/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/configured-liveness-probe/raw.rego -------------------------------------------------------------------------------- /rules/configured-liveness-probe/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/configured-liveness-probe/rule.metadata.json -------------------------------------------------------------------------------- /rules/configured-liveness-probe/test/deployment-pass/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/configured-readiness-probe/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/configured-readiness-probe/raw.rego -------------------------------------------------------------------------------- /rules/configured-readiness-probe/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/configured-readiness-probe/rule.metadata.json -------------------------------------------------------------------------------- /rules/container-hostPort/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/container-hostPort/raw.rego -------------------------------------------------------------------------------- /rules/container-hostPort/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/container-hostPort/rule.metadata.json -------------------------------------------------------------------------------- /rules/container-hostPort/test/cronjob/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/container-hostPort/test/cronjob/expected.json -------------------------------------------------------------------------------- /rules/container-hostPort/test/pod/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/container-hostPort/test/pod/expected.json -------------------------------------------------------------------------------- /rules/container-hostPort/test/pod/input/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/container-hostPort/test/pod/input/pod.yaml -------------------------------------------------------------------------------- /rules/container-image-repository-v1/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/container-image-repository-v1/raw.rego -------------------------------------------------------------------------------- /rules/container-image-repository/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/container-image-repository/raw.rego -------------------------------------------------------------------------------- /rules/container-image-repository/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/container-image-repository/rule.metadata.json -------------------------------------------------------------------------------- /rules/container-image-repository/test/pod-pass-docker-image/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/container-image-repository/test/pod-passed/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/containers-mounting-docker-socket/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/containers-mounting-docker-socket/raw.rego -------------------------------------------------------------------------------- /rules/drop-capability-netraw/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/drop-capability-netraw/raw.rego -------------------------------------------------------------------------------- /rules/drop-capability-netraw/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/drop-capability-netraw/rule.metadata.json -------------------------------------------------------------------------------- /rules/drop-capability-netraw/test/pod/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/drop-capability-netraw/test/pod/expected.json -------------------------------------------------------------------------------- /rules/drop-capability-netraw/test/pod/input/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/drop-capability-netraw/test/pod/input/pod.yaml -------------------------------------------------------------------------------- /rules/encrypt-traffic-to-https-load-balancers-with-tls-certificates/test/success/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/endpoints-in-default-namespace/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/endpoints-in-default-namespace/raw.rego -------------------------------------------------------------------------------- /rules/endpointslice-in-default-namespace/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/endpointslice-in-default-namespace/raw.rego -------------------------------------------------------------------------------- /rules/enforce-kubelet-client-tls-authentication-updated/test/pass-cmd-only/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/enforce-kubelet-client-tls-authentication-updated/test/pass-config/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/ensure-aws-policies-are-present/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/ensure-aws-policies-are-present/raw.rego -------------------------------------------------------------------------------- /rules/ensure-azure-rbac-is-set/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/ensure-azure-rbac-is-set/raw.rego -------------------------------------------------------------------------------- /rules/ensure-azure-rbac-is-set/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/ensure-azure-rbac-is-set/rule.metadata.json -------------------------------------------------------------------------------- /rules/ensure-azure-rbac-is-set/test/success/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/ensure-clusters-are-created-with-private-endpoint-enabled-and-public-access-disabled/test/success/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-clusters-are-created-with-private-nodes/test/success/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-default-service-accounts-has-only-default-roles/test/pass_rolebinding_two_subjects/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/ensure-default-service-accounts-has-only-default-roles/test/passed_clusterrolebinding/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/ensure-default-service-accounts-has-only-default-roles/test/passed_rolebinding_one_subject/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/ensure-endpointprivateaccess-is-enabled-and-endpointpublicaccess-is-disabled-eks/test/success/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/ensure-endpointprivateaccess-is-enabled/test/success/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/ensure-endpointpublicaccess-is-disabled-on-private-nodes-eks/test/success/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/ensure-external-secrets-storage-is-in-use/test/success/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/ensure-https-loadbalancers-encrypted-with-tls-aws/test/success_https_load_balancer_with_tls/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/ensure-https-loadbalancers-encrypted-with-tls-aws/test/success_none_https_loadbalancer/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/ensure-image-scanning-enabled-cloud/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/ensure-image-scanning-enabled-cloud/raw.rego -------------------------------------------------------------------------------- /rules/ensure-image-scanning-enabled-cloud/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/ensure-image-vulnerability-scanning-using-azure-defender-image-scanning-or-a-third-party-provider/test/success/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/ensure-network-policy-is-enabled-eks/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/ensure-network-policy-is-enabled-eks/raw.rego -------------------------------------------------------------------------------- /rules/ensure-network-policy-is-enabled-eks/test/pass_calico/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/ensure-service-principle-has-read-only-permissions/test/success/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/ensure-that-the-API-Server-only-makes-use-of-Strong-Cryptographic-Ciphers-cis1-10/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-API-Server-only-makes-use-of-Strong-Cryptographic-Ciphers/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-API-server-pod-specification-file-ownership-is-set-to-root-root/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-API-server-pod-specification-file-permissions-are-set-to-600-or-more-restrictive/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-Container-Network-Interface-file-ownership-is-set-to-root-root/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-Container-Network-Interface-file-permissions-are-set-to-600-or-more-restrictive/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-Kubernetes-PKI-certificate-file-permissions-are-set-to-600-or-more-restrictive/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-Kubernetes-PKI-directory-and-file-ownership-is-set-to-root-root/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-Kubernetes-PKI-key-file-permissions-are-set-to-600/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-admin.conf-file-ownership-is-set-to-root-root/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-admin.conf-file-permissions-are-set-to-600/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-admission-control-plugin-AlwaysAdmit-is-not-set/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-admission-control-plugin-AlwaysPullImages-is-set/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-admission-control-plugin-EventRateLimit-is-set/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-admission-control-plugin-NamespaceLifecycle-is-set/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-admission-control-plugin-NodeRestriction-is-set/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-admission-control-plugin-SecurityContextDeny-is-set-if-PodSecurityPolicy-is-not-used/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-admission-control-plugin-ServiceAccount-is-set/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-not-set/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-set/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/ensure-that-the-api-server-anonymous-auth-argument-is-set-to-false/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-api-server-audit-log-maxage-argument-is-set-to-30-or-as-appropriate/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-api-server-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-api-server-audit-log-maxsize-argument-is-set-to-100-or-as-appropriate/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-api-server-audit-log-path-argument-is-set/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-api-server-authorization-mode-argument-includes-Node/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-api-server-authorization-mode-argument-includes-RBAC/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-api-server-authorization-mode-argument-is-not-set-to-AlwaysAllow/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-api-server-client-ca-file-argument-is-set-as-appropriate/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-api-server-encryption-provider-config-argument-is-set-as-appropriate/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-api-server-encryption-providers-are-appropriately-configured/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-api-server-etcd-cafile-argument-is-set-as-appropriate/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-api-server-etcd-certfile-and-etcd-keyfile-arguments-are-set-as-appropriate/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-api-server-kubelet-certificate-authority-argument-is-set-as-appropriate/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-api-server-kubelet-client-certificate-and-kubelet-client-key-arguments-are-set-as-appropriate/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-api-server-profiling-argument-is-set-to-false/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-api-server-request-timeout-argument-is-set-as-appropriate/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-api-server-secure-port-argument-is-not-set-to-0/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-api-server-service-account-lookup-argument-is-set-to-true/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-api-server-tls-cert-file-and-tls-private-key-file-arguments-are-set-as-appropriate/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-api-server-token-auth-file-parameter-is-not-set/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-root/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-cni-in-use-supports-network-policies/test/pass_flannel_and_calico/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/ensure-that-the-cni-in-use-supports-network-policies/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-controller-manager-RotateKubeletServerCertificate-argument-is-set-to-true/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-controller-manager-bind-address-argument-is-set-to-127.0.0.1/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-root/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-controller-manager-profiling-argument-is-set-to-false/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-controller-manager-root-ca-file-argument-is-set-as-appropriate/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-controller-manager-service-account-private-key-file-argument-is-set-as-appropriate/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-controller-manager-terminated-pod-gc-threshold-argument-is-set-as-appropriate/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-controller-manager-use-service-account-credentials-argument-is-set-to-true/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-controller-manager.conf-file-ownership-is-set-to-root-root/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-controller-manager.conf-file-permissions-are-set-to-600-or-more-restrictive/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-etcd/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-root/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-kubeconfig-kubelet.conf-file-ownership-is-set-to-root-root/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-kubeconfig-kubelet.conf-file-permissions-are-set-to-600-or-more-restrictive/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-kubelet-configuration-file-has-permissions-set-to-644-or-more-restrictive/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-kubelet-configuration-file-ownership-is-set-to-root-root/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-kubelet-service-file-ownership-is-set-to-root-root/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-scheduler-bind-address-argument-is-set-to-127.0.0.1/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-root/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-scheduler-profiling-argument-is-set-to-false/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-scheduler.conf-file-ownership-is-set-to-root-root/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure-that-the-scheduler.conf-file-permissions-are-set-to-600-or-more-restrictive/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure_network_policy_configured_in_labels/test/success_cronjob_label_match/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/ensure_network_policy_configured_in_labels/test/success_deployment_label_match/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/ensure_network_policy_configured_in_labels/test/success_pod_cilium_label_match/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ensure_network_policy_configured_in_labels/test/success_pod_label_match/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/ensure_network_policy_configured_in_labels/test/success_pod_no_pod_selector/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/ensure_network_policy_configured_in_labels/test/success_pod_no_pod_selector_ns/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/ensure_nodeinstancerole_has_right_permissions_for_ecr/test/success/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/etcd-auto-tls-disabled/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/etcd-auto-tls-disabled/filter.rego -------------------------------------------------------------------------------- /rules/etcd-auto-tls-disabled/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/etcd-auto-tls-disabled/raw.rego -------------------------------------------------------------------------------- /rules/etcd-auto-tls-disabled/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/etcd-auto-tls-disabled/rule.metadata.json -------------------------------------------------------------------------------- /rules/etcd-auto-tls-disabled/test/pass-argument-not-set/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/etcd-auto-tls-disabled/test/pass-argument-set-to-false/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/etcd-client-auth-cert/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/etcd-client-auth-cert/filter.rego -------------------------------------------------------------------------------- /rules/etcd-client-auth-cert/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/etcd-client-auth-cert/raw.rego -------------------------------------------------------------------------------- /rules/etcd-client-auth-cert/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/etcd-client-auth-cert/rule.metadata.json -------------------------------------------------------------------------------- /rules/etcd-client-auth-cert/test/test-passed/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/etcd-encryption-native/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/etcd-encryption-native/raw.rego -------------------------------------------------------------------------------- /rules/etcd-encryption-native/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/etcd-encryption-native/rule.metadata.json -------------------------------------------------------------------------------- /rules/etcd-encryption-native/test/test-passed/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/etcd-peer-auto-tls-disabled/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/etcd-peer-auto-tls-disabled/filter.rego -------------------------------------------------------------------------------- /rules/etcd-peer-auto-tls-disabled/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/etcd-peer-auto-tls-disabled/raw.rego -------------------------------------------------------------------------------- /rules/etcd-peer-auto-tls-disabled/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/etcd-peer-auto-tls-disabled/rule.metadata.json -------------------------------------------------------------------------------- /rules/etcd-peer-auto-tls-disabled/test/pass-argument-not-set/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/etcd-peer-auto-tls-disabled/test/pass-argument-set-to-false/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/etcd-peer-client-auth-cert/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/etcd-peer-client-auth-cert/filter.rego -------------------------------------------------------------------------------- /rules/etcd-peer-client-auth-cert/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/etcd-peer-client-auth-cert/raw.rego -------------------------------------------------------------------------------- /rules/etcd-peer-client-auth-cert/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/etcd-peer-client-auth-cert/rule.metadata.json -------------------------------------------------------------------------------- /rules/etcd-peer-client-auth-cert/test/test-passed/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/etcd-peer-tls-enabled/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/etcd-peer-tls-enabled/filter.rego -------------------------------------------------------------------------------- /rules/etcd-peer-tls-enabled/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/etcd-peer-tls-enabled/raw.rego -------------------------------------------------------------------------------- /rules/etcd-peer-tls-enabled/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/etcd-peer-tls-enabled/rule.metadata.json -------------------------------------------------------------------------------- /rules/etcd-peer-tls-enabled/test/test-passed/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/etcd-tls-enabled/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/etcd-tls-enabled/filter.rego -------------------------------------------------------------------------------- /rules/etcd-tls-enabled/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/etcd-tls-enabled/raw.rego -------------------------------------------------------------------------------- /rules/etcd-tls-enabled/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/etcd-tls-enabled/rule.metadata.json -------------------------------------------------------------------------------- /rules/etcd-tls-enabled/test/test-passed/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/etcd-unique-ca/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/etcd-unique-ca/raw.rego -------------------------------------------------------------------------------- /rules/etcd-unique-ca/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/etcd-unique-ca/rule.metadata.json -------------------------------------------------------------------------------- /rules/etcd-unique-ca/test/pass-different-key-files/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/exec-into-container-v1/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/exec-into-container-v1/raw.rego -------------------------------------------------------------------------------- /rules/exec-into-container-v1/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/exec-into-container-v1/rule.metadata.json -------------------------------------------------------------------------------- /rules/exec-into-container-v1/test/role/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/exec-into-container-v1/test/role/expected.json -------------------------------------------------------------------------------- /rules/exposed-critical-pods/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/exposed-critical-pods/filter.rego -------------------------------------------------------------------------------- /rules/exposed-critical-pods/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/exposed-critical-pods/raw.rego -------------------------------------------------------------------------------- /rules/exposed-critical-pods/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/exposed-critical-pods/rule.metadata.json -------------------------------------------------------------------------------- /rules/exposed-rce-pods/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/exposed-rce-pods/filter.rego -------------------------------------------------------------------------------- /rules/exposed-rce-pods/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/exposed-rce-pods/raw.rego -------------------------------------------------------------------------------- /rules/exposed-rce-pods/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/exposed-rce-pods/rule.metadata.json -------------------------------------------------------------------------------- /rules/exposed-rce-pods/test/test-failed/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/exposed-rce-pods/test/test-failed/expected.json -------------------------------------------------------------------------------- /rules/exposed-sensitive-interfaces-v1/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/exposed-sensitive-interfaces-v1/filter.rego -------------------------------------------------------------------------------- /rules/exposed-sensitive-interfaces-v1/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/exposed-sensitive-interfaces-v1/raw.rego -------------------------------------------------------------------------------- /rules/exposure-to-internet-via-gateway-api/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/exposure-to-internet-via-gateway-api/raw.rego -------------------------------------------------------------------------------- /rules/exposure-to-internet-via-istio-ingress/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/exposure-to-internet-via-istio-ingress/raw.rego -------------------------------------------------------------------------------- /rules/exposure-to-internet/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/exposure-to-internet/raw.rego -------------------------------------------------------------------------------- /rules/exposure-to-internet/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/exposure-to-internet/rule.metadata.json -------------------------------------------------------------------------------- /rules/exposure-to-internet/test/success_with_ingress/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/external-secret-storage/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/external-secret-storage/raw.rego -------------------------------------------------------------------------------- /rules/external-secret-storage/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/external-secret-storage/rule.metadata.json -------------------------------------------------------------------------------- /rules/external-secret-storage/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/has-image-signature/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/has-image-signature/raw.rego -------------------------------------------------------------------------------- /rules/has-image-signature/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/has-image-signature/rule.metadata.json -------------------------------------------------------------------------------- /rules/host-ipc-privileges/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/host-ipc-privileges/raw.rego -------------------------------------------------------------------------------- /rules/host-ipc-privileges/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/host-ipc-privileges/rule.metadata.json -------------------------------------------------------------------------------- /rules/host-ipc-privileges/test/cronjob/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/host-ipc-privileges/test/cronjob/expected.json -------------------------------------------------------------------------------- /rules/host-ipc-privileges/test/pod/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/host-ipc-privileges/test/pod/expected.json -------------------------------------------------------------------------------- /rules/host-ipc-privileges/test/pod/input/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/host-ipc-privileges/test/pod/input/pod.yaml -------------------------------------------------------------------------------- /rules/host-ipc-privileges/test/workload/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/host-ipc-privileges/test/workload/expected.json -------------------------------------------------------------------------------- /rules/host-network-access/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/host-network-access/raw.rego -------------------------------------------------------------------------------- /rules/host-network-access/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/host-network-access/rule.metadata.json -------------------------------------------------------------------------------- /rules/host-network-access/test/cronjob/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/host-network-access/test/cronjob/expected.json -------------------------------------------------------------------------------- /rules/host-network-access/test/pod/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/host-network-access/test/pod/expected.json -------------------------------------------------------------------------------- /rules/host-network-access/test/pod/input/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/host-network-access/test/pod/input/pod.yaml -------------------------------------------------------------------------------- /rules/host-pid-ipc-privileges/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/host-pid-ipc-privileges/raw.rego -------------------------------------------------------------------------------- /rules/host-pid-ipc-privileges/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/host-pid-ipc-privileges/rule.metadata.json -------------------------------------------------------------------------------- /rules/host-pid-ipc-privileges/test/pod/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/host-pid-ipc-privileges/test/pod/expected.json -------------------------------------------------------------------------------- /rules/host-pid-ipc-privileges/test/pod/input/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/host-pid-ipc-privileges/test/pod/input/pod.yaml -------------------------------------------------------------------------------- /rules/host-pid-privileges/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/host-pid-privileges/raw.rego -------------------------------------------------------------------------------- /rules/host-pid-privileges/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/host-pid-privileges/rule.metadata.json -------------------------------------------------------------------------------- /rules/host-pid-privileges/test/cronjob/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/host-pid-privileges/test/cronjob/expected.json -------------------------------------------------------------------------------- /rules/host-pid-privileges/test/pod/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/host-pid-privileges/test/pod/expected.json -------------------------------------------------------------------------------- /rules/host-pid-privileges/test/pod/input/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/host-pid-privileges/test/pod/input/pod.yaml -------------------------------------------------------------------------------- /rules/host-pid-privileges/test/workload/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/host-pid-privileges/test/workload/expected.json -------------------------------------------------------------------------------- /rules/if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-root/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/if-the-kubelet-config.yaml-configuration-file-is-being-used-validate-permissions-set-to-600-or-more-restrictive/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/image-pull-policy-is-not-set-to-always/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/image-pull-policy-is-not-set-to-always/raw.rego -------------------------------------------------------------------------------- /rules/immutable-container-filesystem/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/immutable-container-filesystem/raw.rego -------------------------------------------------------------------------------- /rules/ingress-and-egress-blocked/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/ingress-and-egress-blocked/raw.rego -------------------------------------------------------------------------------- /rules/ingress-and-egress-blocked/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/ingress-and-egress-blocked/rule.metadata.json -------------------------------------------------------------------------------- /rules/ingress-and-egress-blocked/test/default-policy/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ingress-and-egress-blocked/test/only-egress-policy/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/ingress-in-default-namespace/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/ingress-in-default-namespace/raw.rego -------------------------------------------------------------------------------- /rules/ingress-in-default-namespace/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/ingress-in-default-namespace/rule.metadata.json -------------------------------------------------------------------------------- /rules/ingress-no-tls/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/ingress-no-tls/raw.rego -------------------------------------------------------------------------------- /rules/ingress-no-tls/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/ingress-no-tls/rule.metadata.json -------------------------------------------------------------------------------- /rules/ingress-no-tls/test/success_with_ingress/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/insecure-capabilities/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/insecure-capabilities/raw.rego -------------------------------------------------------------------------------- /rules/insecure-capabilities/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/insecure-capabilities/rule.metadata.json -------------------------------------------------------------------------------- /rules/insecure-capabilities/test/pod/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/insecure-capabilities/test/pod/expected.json -------------------------------------------------------------------------------- /rules/insecure-capabilities/test/pod/input/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/insecure-capabilities/test/pod/input/pod.yaml -------------------------------------------------------------------------------- /rules/insecure-port-flag/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/insecure-port-flag/filter.rego -------------------------------------------------------------------------------- /rules/insecure-port-flag/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/insecure-port-flag/raw.rego -------------------------------------------------------------------------------- /rules/insecure-port-flag/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/insecure-port-flag/rule.metadata.json -------------------------------------------------------------------------------- /rules/insecure-port-flag/test/test/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/insecure-port-flag/test/test/expected.json -------------------------------------------------------------------------------- /rules/insecure-port-flag/test/test/input/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/insecure-port-flag/test/test/input/pod.yaml -------------------------------------------------------------------------------- /rules/instance-metadata-api-access/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/instance-metadata-api-access/raw.rego -------------------------------------------------------------------------------- /rules/instance-metadata-api-access/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/instance-metadata-api-access/rule.metadata.json -------------------------------------------------------------------------------- /rules/instance-metadata-api-access/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/internal-networking/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/internal-networking/filter.rego -------------------------------------------------------------------------------- /rules/internal-networking/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/internal-networking/raw.rego -------------------------------------------------------------------------------- /rules/internal-networking/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/internal-networking/rule.metadata.json -------------------------------------------------------------------------------- /rules/internal-networking/test/namespace-failed/input/namespace.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: test 5 | -------------------------------------------------------------------------------- /rules/internal-networking/test/namespace-passed/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/internal-networking/test/namespace-passed/input/namespace.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: test 5 | -------------------------------------------------------------------------------- /rules/k8s-audit-logs-enabled-cloud/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/k8s-audit-logs-enabled-cloud/raw.rego -------------------------------------------------------------------------------- /rules/k8s-audit-logs-enabled-cloud/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/k8s-audit-logs-enabled-cloud/rule.metadata.json -------------------------------------------------------------------------------- /rules/k8s-audit-logs-enabled-cloud/test/eks-pass1/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/k8s-audit-logs-enabled-cloud/test/eks-pass2/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/k8s-audit-logs-enabled-native-cis/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/k8s-audit-logs-enabled-native-cis/filter.rego -------------------------------------------------------------------------------- /rules/k8s-audit-logs-enabled-native-cis/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/k8s-audit-logs-enabled-native-cis/raw.rego -------------------------------------------------------------------------------- /rules/k8s-audit-logs-enabled-native-cis/test/test-passed/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/k8s-audit-logs-enabled-native/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/k8s-audit-logs-enabled-native/raw.rego -------------------------------------------------------------------------------- /rules/k8s-audit-logs-enabled-native/test/test-passed/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/k8s-common-labels-usage/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/k8s-common-labels-usage/raw.rego -------------------------------------------------------------------------------- /rules/k8s-common-labels-usage/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/k8s-common-labels-usage/rule.metadata.json -------------------------------------------------------------------------------- /rules/k8s-common-labels-usage/test/cronjob/data.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/k8s-common-labels-usage/test/cronjob/data.json -------------------------------------------------------------------------------- /rules/k8s-common-labels-usage/test/pod/data.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/k8s-common-labels-usage/test/pod/data.json -------------------------------------------------------------------------------- /rules/k8s-common-labels-usage/test/pod/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/k8s-common-labels-usage/test/pod/expected.json -------------------------------------------------------------------------------- /rules/k8s-common-labels-usage/test/pod/input/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/k8s-common-labels-usage/test/pod/input/pod.yaml -------------------------------------------------------------------------------- /rules/k8s-common-labels-usage/test/workload/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/kubelet-authorization-mode-alwaysAllow/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/kubelet-authorization-mode-alwaysAllow/raw.rego -------------------------------------------------------------------------------- /rules/kubelet-authorization-mode-alwaysAllow/test/valid-cli-argument/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/kubelet-authorization-mode-alwaysAllow/test/valid-config-value/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/kubelet-event-qps/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/kubelet-event-qps/raw.rego -------------------------------------------------------------------------------- /rules/kubelet-event-qps/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/kubelet-event-qps/rule.metadata.json -------------------------------------------------------------------------------- /rules/kubelet-event-qps/test/pass-argument-and-config-not-present/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/kubelet-event-qps/test/pass-event-qps-via-command/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/kubelet-event-qps/test/pass-eventRecordQPS=3-config/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/kubelet-hostname-override/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/kubelet-hostname-override/raw.rego -------------------------------------------------------------------------------- /rules/kubelet-hostname-override/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/kubelet-hostname-override/rule.metadata.json -------------------------------------------------------------------------------- /rules/kubelet-hostname-override/test/pass-argument-not-set/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/kubelet-ip-tables/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/kubelet-ip-tables/raw.rego -------------------------------------------------------------------------------- /rules/kubelet-ip-tables/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/kubelet-ip-tables/rule.metadata.json -------------------------------------------------------------------------------- /rules/kubelet-ip-tables/test/pass-set-true-via-config/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/kubelet-ip-tables/test/pass-set-via-cli/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/kubelet-protect-kernel-defaults/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/kubelet-protect-kernel-defaults/raw.rego -------------------------------------------------------------------------------- /rules/kubelet-protect-kernel-defaults/test/pass-set-via-cli/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/kubelet-rotate-certificates/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/kubelet-rotate-certificates/raw.rego -------------------------------------------------------------------------------- /rules/kubelet-rotate-certificates/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/kubelet-rotate-certificates/rule.metadata.json -------------------------------------------------------------------------------- /rules/kubelet-rotate-certificates/test/pass-cli-argument-not-set/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/kubelet-rotate-certificates/test/pass-not-present-in-config-file/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/kubelet-rotate-kubelet-server-certificate/test/pass-cli-argument-set-true/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/kubelet-set-pod-limit/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/kubelet-set-pod-limit/raw.rego -------------------------------------------------------------------------------- /rules/kubelet-set-pod-limit/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/kubelet-set-pod-limit/rule.metadata.json -------------------------------------------------------------------------------- /rules/kubelet-set-pod-limit/test/pass-argument-set/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/kubelet-set-pod-limit/test/pass-config-set/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/kubelet-streaming-connection-idle-timeout/test/pass-config-file/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/kubelet-streaming-connection-idle-timeout/test/pass-set-via-cli/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/kubelet-strong-cryptography-ciphers/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/kubelet-strong-cryptography-ciphers/raw.rego -------------------------------------------------------------------------------- /rules/kubelet-strong-cryptography-ciphers/test/pass-cli/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/kubelet-strong-cryptography-ciphers/test/pass-config-not-set/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/kubelet-strong-cryptography-ciphers/test/pass-config-supported-value/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/label-usage-for-resources/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/label-usage-for-resources/raw.rego -------------------------------------------------------------------------------- /rules/label-usage-for-resources/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/label-usage-for-resources/rule.metadata.json -------------------------------------------------------------------------------- /rules/label-usage-for-resources/test/pod/data.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/label-usage-for-resources/test/pod/data.json -------------------------------------------------------------------------------- /rules/label-usage-for-resources/test/workload/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/lease-in-default-namespace/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/lease-in-default-namespace/raw.rego -------------------------------------------------------------------------------- /rules/lease-in-default-namespace/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/lease-in-default-namespace/rule.metadata.json -------------------------------------------------------------------------------- /rules/linux-hardening/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/linux-hardening/raw.rego -------------------------------------------------------------------------------- /rules/linux-hardening/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/linux-hardening/rule.metadata.json -------------------------------------------------------------------------------- /rules/linux-hardening/test/cronjob/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/linux-hardening/test/cronjob/expected.json -------------------------------------------------------------------------------- /rules/linux-hardening/test/cronjob/input/cronjob.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/linux-hardening/test/cronjob/input/cronjob.yaml -------------------------------------------------------------------------------- /rules/linux-hardening/test/passed/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/linux-hardening/test/passed/input/cronjob.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/linux-hardening/test/passed/input/cronjob.yaml -------------------------------------------------------------------------------- /rules/linux-hardening/test/passed/input/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/linux-hardening/test/passed/input/pod.yaml -------------------------------------------------------------------------------- /rules/linux-hardening/test/pod/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/linux-hardening/test/pod/expected.json -------------------------------------------------------------------------------- /rules/linux-hardening/test/pod/input/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/linux-hardening/test/pod/input/pod.yaml -------------------------------------------------------------------------------- /rules/linux-hardening/test/workloads/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/linux-hardening/test/workloads/expected.json -------------------------------------------------------------------------------- /rules/list-all-mutating-webhooks/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/list-all-mutating-webhooks/raw.rego -------------------------------------------------------------------------------- /rules/list-all-mutating-webhooks/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/list-all-mutating-webhooks/rule.metadata.json -------------------------------------------------------------------------------- /rules/list-all-namespaces/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/list-all-namespaces/raw.rego -------------------------------------------------------------------------------- /rules/list-all-namespaces/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/list-all-namespaces/rule.metadata.json -------------------------------------------------------------------------------- /rules/list-all-namespaces/test/namespace-failed/input/namespace.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: test 5 | -------------------------------------------------------------------------------- /rules/list-all-validating-webhooks/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/list-all-validating-webhooks/raw.rego -------------------------------------------------------------------------------- /rules/list-all-validating-webhooks/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/list-all-validating-webhooks/rule.metadata.json -------------------------------------------------------------------------------- /rules/list-role-definitions-in-acr/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/list-role-definitions-in-acr/raw.rego -------------------------------------------------------------------------------- /rules/list-role-definitions-in-acr/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/list-role-definitions-in-acr/rule.metadata.json -------------------------------------------------------------------------------- /rules/naked-pods/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/naked-pods/raw.rego -------------------------------------------------------------------------------- /rules/naked-pods/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/naked-pods/rule.metadata.json -------------------------------------------------------------------------------- /rules/naked-pods/test/test/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/naked-pods/test/test/expected.json -------------------------------------------------------------------------------- /rules/naked-pods/test/test/input/deployment.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/naked-pods/test/test/input/deployment.yaml -------------------------------------------------------------------------------- /rules/naked-pods/test/test/input/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/naked-pods/test/test/input/pod.yaml -------------------------------------------------------------------------------- /rules/namespace-without-service-account/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/namespace-without-service-account/filter.rego -------------------------------------------------------------------------------- /rules/namespace-without-service-account/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/namespace-without-service-account/raw.rego -------------------------------------------------------------------------------- /rules/non-root-containers/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/non-root-containers/raw.rego -------------------------------------------------------------------------------- /rules/non-root-containers/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/non-root-containers/rule.metadata.json -------------------------------------------------------------------------------- /rules/non-root-containers/test/cronjob/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/non-root-containers/test/cronjob/expected.json -------------------------------------------------------------------------------- /rules/non-root-containers/test/deployment-pass/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/non-root-containers/test/pod/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/non-root-containers/test/pod/expected.json -------------------------------------------------------------------------------- /rules/non-root-containers/test/pod/input/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/non-root-containers/test/pod/input/pod.yaml -------------------------------------------------------------------------------- /rules/outdated-k8s-version/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/outdated-k8s-version/raw.rego -------------------------------------------------------------------------------- /rules/outdated-k8s-version/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/outdated-k8s-version/rule.metadata.json -------------------------------------------------------------------------------- /rules/outdated-k8s-version/test/fail/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/outdated-k8s-version/test/fail/expected.json -------------------------------------------------------------------------------- /rules/outdated-k8s-version/test/fail/input/node.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/outdated-k8s-version/test/fail/input/node.json -------------------------------------------------------------------------------- /rules/outdated-k8s-version/test/fail2/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/outdated-k8s-version/test/fail2/expected.json -------------------------------------------------------------------------------- /rules/outdated-k8s-version/test/fail2/input/node.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/outdated-k8s-version/test/fail2/input/node.json -------------------------------------------------------------------------------- /rules/outdated-k8s-version/test/pass/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/outdated-k8s-version/test/pass/input/node.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/outdated-k8s-version/test/pass/input/node.json -------------------------------------------------------------------------------- /rules/pod-security-admission-applied-1/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/pod-security-admission-applied-1/filter.rego -------------------------------------------------------------------------------- /rules/pod-security-admission-applied-1/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/pod-security-admission-applied-1/raw.rego -------------------------------------------------------------------------------- /rules/pod-security-admission-applied-2/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/pod-security-admission-applied-2/filter.rego -------------------------------------------------------------------------------- /rules/pod-security-admission-applied-2/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/pod-security-admission-applied-2/raw.rego -------------------------------------------------------------------------------- /rules/pod-security-admission-applied-2/test/test/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/pod-security-admission-applied-2/test/test3/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/pod-security-admission-baseline-applied-1/test/test3/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/pod-security-admission-baseline-applied-2/test/test3/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/pod-security-admission-restricted-applied-1/test/test3/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/pod-security-admission-restricted-applied-2/test/test3/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/pods-in-default-namespace/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/pods-in-default-namespace/raw.rego -------------------------------------------------------------------------------- /rules/pods-in-default-namespace/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/pods-in-default-namespace/rule.metadata.json -------------------------------------------------------------------------------- /rules/podtemplate-in-default-namespace/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/podtemplate-in-default-namespace/raw.rego -------------------------------------------------------------------------------- /rules/psp-deny-allowed-capabilities/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/psp-deny-allowed-capabilities/raw.rego -------------------------------------------------------------------------------- /rules/psp-deny-allowed-capabilities/test/pass-no-true/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/psp-deny-allowed-capabilities/test/pass-one-true-one-false/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/psp-deny-allowprivilegeescalation/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/psp-deny-allowprivilegeescalation/raw.rego -------------------------------------------------------------------------------- /rules/psp-deny-allowprivilegeescalation/test/pass-no-true/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/psp-deny-allowprivilegeescalation/test/pass-one-true-one-false/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/psp-deny-hostipc/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/psp-deny-hostipc/raw.rego -------------------------------------------------------------------------------- /rules/psp-deny-hostipc/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/psp-deny-hostipc/rule.metadata.json -------------------------------------------------------------------------------- /rules/psp-deny-hostipc/test/pass-no-true/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/psp-deny-hostipc/test/pass-one-true-one-false/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/psp-deny-hostnetwork/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/psp-deny-hostnetwork/raw.rego -------------------------------------------------------------------------------- /rules/psp-deny-hostnetwork/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/psp-deny-hostnetwork/rule.metadata.json -------------------------------------------------------------------------------- /rules/psp-deny-hostnetwork/test/pass-no-true/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/psp-deny-hostnetwork/test/pass-one-true-one-false/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/psp-deny-hostpid/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/psp-deny-hostpid/raw.rego -------------------------------------------------------------------------------- /rules/psp-deny-hostpid/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/psp-deny-hostpid/rule.metadata.json -------------------------------------------------------------------------------- /rules/psp-deny-hostpid/test/pass-no-true/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/psp-deny-hostpid/test/pass-one-true-one-false/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/psp-deny-privileged-container/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/psp-deny-privileged-container/raw.rego -------------------------------------------------------------------------------- /rules/psp-deny-privileged-container/test/pass-no-true/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/psp-deny-privileged-container/test/pass-one-true-one-false/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/psp-deny-root-container/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/psp-deny-root-container/raw.rego -------------------------------------------------------------------------------- /rules/psp-deny-root-container/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/psp-deny-root-container/rule.metadata.json -------------------------------------------------------------------------------- /rules/psp-deny-root-container/test/pass-no-true/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/psp-deny-root-container/test/pass-one-true-one-false/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/psp-enabled-cloud/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/psp-enabled-cloud/raw.rego -------------------------------------------------------------------------------- /rules/psp-enabled-cloud/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/psp-enabled-cloud/rule.metadata.json -------------------------------------------------------------------------------- /rules/psp-enabled-cloud/test/gke/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/psp-enabled-cloud/test/gke/expected.json -------------------------------------------------------------------------------- /rules/psp-enabled-cloud/test/gke/input/gke.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/psp-enabled-cloud/test/gke/input/gke.json -------------------------------------------------------------------------------- /rules/psp-enabled-native/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/psp-enabled-native/raw.rego -------------------------------------------------------------------------------- /rules/psp-enabled-native/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/psp-enabled-native/rule.metadata.json -------------------------------------------------------------------------------- /rules/psp-enabled-native/test/test-passed/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/psp-required-drop-capabilities/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/psp-required-drop-capabilities/raw.rego -------------------------------------------------------------------------------- /rules/psp-required-drop-capabilities/test/pass-no-true/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/psp-required-drop-capabilities/test/pass-one-true-one-false/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/pv-without-encryption/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/pv-without-encryption/raw.rego -------------------------------------------------------------------------------- /rules/pv-without-encryption/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/pv-without-encryption/rule.metadata.json -------------------------------------------------------------------------------- /rules/pv-without-encryption/test/aks/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/pv-without-encryption/test/aks/input/pv.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/pv-without-encryption/test/aks/input/pv.yaml -------------------------------------------------------------------------------- /rules/pv-without-encryption/test/aks/input/sc.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/pv-without-encryption/test/aks/input/sc.yaml -------------------------------------------------------------------------------- /rules/pv-without-encryption/test/eks/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/pv-without-encryption/test/eks/expected.json -------------------------------------------------------------------------------- /rules/pv-without-encryption/test/eks/input/pv.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/pv-without-encryption/test/eks/input/pv.yaml -------------------------------------------------------------------------------- /rules/pv-without-encryption/test/eks/input/sc.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/pv-without-encryption/test/eks/input/sc.yaml -------------------------------------------------------------------------------- /rules/pv-without-encryption/test/fail/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/pv-without-encryption/test/fail/input/pv.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/pv-without-encryption/test/fail/input/pv.yaml -------------------------------------------------------------------------------- /rules/pv-without-encryption/test/fail/input/sc.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/pv-without-encryption/test/fail/input/sc.yaml -------------------------------------------------------------------------------- /rules/pv-without-encryption/test/gke/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/pv-without-encryption/test/gke/input/pv.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/pv-without-encryption/test/gke/input/pv.yaml -------------------------------------------------------------------------------- /rules/pv-without-encryption/test/gke/input/sc.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/pv-without-encryption/test/gke/input/sc.yaml -------------------------------------------------------------------------------- /rules/rbac-enabled-cloud/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rbac-enabled-cloud/raw.rego -------------------------------------------------------------------------------- /rules/rbac-enabled-cloud/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rbac-enabled-cloud/rule.metadata.json -------------------------------------------------------------------------------- /rules/rbac-enabled-cloud/test/failed/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rbac-enabled-cloud/test/failed/expected.json -------------------------------------------------------------------------------- /rules/rbac-enabled-cloud/test/failed/input/aks.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rbac-enabled-cloud/test/failed/input/aks.json -------------------------------------------------------------------------------- /rules/rbac-enabled-cloud/test/success/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/rbac-enabled-cloud/test/success/input/aks.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rbac-enabled-cloud/test/success/input/aks.json -------------------------------------------------------------------------------- /rules/rbac-enabled-native/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rbac-enabled-native/raw.rego -------------------------------------------------------------------------------- /rules/rbac-enabled-native/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rbac-enabled-native/rule.metadata.json -------------------------------------------------------------------------------- /rules/read-only-port-enabled-updated/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/read-only-port-enabled-updated/raw.rego -------------------------------------------------------------------------------- /rules/read-only-port-enabled-updated/test/cli-pass/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/read-only-port-enabled-updated/test/config-pass/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/resource-policies/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resource-policies/raw.rego -------------------------------------------------------------------------------- /rules/resource-policies/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resource-policies/rule.metadata.json -------------------------------------------------------------------------------- /rules/resource-policies/test/cronjob/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resource-policies/test/cronjob/expected.json -------------------------------------------------------------------------------- /rules/resource-policies/test/pod/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resource-policies/test/pod/expected.json -------------------------------------------------------------------------------- /rules/resource-policies/test/pod/input/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resource-policies/test/pod/input/pod.yaml -------------------------------------------------------------------------------- /rules/resource-policies/test/workload/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resource-policies/test/workload/expected.json -------------------------------------------------------------------------------- /rules/resources-cpu-limit-and-request/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resources-cpu-limit-and-request/raw.rego -------------------------------------------------------------------------------- /rules/resources-cpu-limits/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resources-cpu-limits/raw.rego -------------------------------------------------------------------------------- /rules/resources-cpu-limits/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resources-cpu-limits/rule.metadata.json -------------------------------------------------------------------------------- /rules/resources-cpu-limits/test/cronjob/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resources-cpu-limits/test/cronjob/expected.json -------------------------------------------------------------------------------- /rules/resources-cpu-limits/test/pod/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resources-cpu-limits/test/pod/expected.json -------------------------------------------------------------------------------- /rules/resources-cpu-limits/test/pod/input/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resources-cpu-limits/test/pod/input/pod.yaml -------------------------------------------------------------------------------- /rules/resources-cpu-requests/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resources-cpu-requests/raw.rego -------------------------------------------------------------------------------- /rules/resources-cpu-requests/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resources-cpu-requests/rule.metadata.json -------------------------------------------------------------------------------- /rules/resources-cpu-requests/test/pod/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resources-cpu-requests/test/pod/expected.json -------------------------------------------------------------------------------- /rules/resources-cpu-requests/test/pod/input/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resources-cpu-requests/test/pod/input/pod.yaml -------------------------------------------------------------------------------- /rules/resources-memory-limit-and-request/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resources-memory-limit-and-request/raw.rego -------------------------------------------------------------------------------- /rules/resources-memory-limit-and-request/test/pod_pass/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/resources-memory-limit-and-request/test/workload_passed/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/resources-memory-limits/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resources-memory-limits/raw.rego -------------------------------------------------------------------------------- /rules/resources-memory-limits/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resources-memory-limits/rule.metadata.json -------------------------------------------------------------------------------- /rules/resources-memory-limits/test/pod/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resources-memory-limits/test/pod/expected.json -------------------------------------------------------------------------------- /rules/resources-memory-limits/test/pod/input/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resources-memory-limits/test/pod/input/pod.yaml -------------------------------------------------------------------------------- /rules/resources-memory-limits/test/pod_pass/data.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resources-memory-limits/test/pod_pass/data.json -------------------------------------------------------------------------------- /rules/resources-memory-limits/test/pod_pass/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/resources-memory-limits/test/workload_passed/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/resources-memory-requests/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resources-memory-requests/raw.rego -------------------------------------------------------------------------------- /rules/resources-memory-requests/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resources-memory-requests/rule.metadata.json -------------------------------------------------------------------------------- /rules/resources-memory-requests/test/pod_pass/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/resources-memory-requests/test/workload_passed/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/resources-secret-in-default-namespace/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/resources-secret-in-default-namespace/raw.rego -------------------------------------------------------------------------------- /rules/restrict-access-to-the-control-plane-endpoint/test/success/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/role-in-default-namespace/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/role-in-default-namespace/raw.rego -------------------------------------------------------------------------------- /rules/role-in-default-namespace/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/role-in-default-namespace/rule.metadata.json -------------------------------------------------------------------------------- /rules/rolebinding-in-default-namespace/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rolebinding-in-default-namespace/raw.rego -------------------------------------------------------------------------------- /rules/rule-access-dashboard-subject-v1/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-access-dashboard-subject-v1/raw.rego -------------------------------------------------------------------------------- /rules/rule-access-dashboard-wl-v1/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-access-dashboard-wl-v1/raw.rego -------------------------------------------------------------------------------- /rules/rule-access-dashboard-wl-v1/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-access-dashboard-wl-v1/rule.metadata.json -------------------------------------------------------------------------------- /rules/rule-allow-privilege-escalation/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-allow-privilege-escalation/raw.rego -------------------------------------------------------------------------------- /rules/rule-can-access-proxy-subresource/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-can-access-proxy-subresource/raw.rego -------------------------------------------------------------------------------- /rules/rule-can-access-proxy-subresource/test/clusterrole-clusterrolebinding/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/rule-can-approve-certsigningreq/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-can-approve-certsigningreq/raw.rego -------------------------------------------------------------------------------- /rules/rule-can-approve-certsigningreq/test/clusterrole-clusterrolebinding/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/rule-can-bind-escalate/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-can-bind-escalate/raw.rego -------------------------------------------------------------------------------- /rules/rule-can-bind-escalate/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-can-bind-escalate/rule.metadata.json -------------------------------------------------------------------------------- /rules/rule-can-create-pod/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-can-create-pod/raw.rego -------------------------------------------------------------------------------- /rules/rule-can-create-pod/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-can-create-pod/rule.metadata.json -------------------------------------------------------------------------------- /rules/rule-can-create-pod/test/clusterrole-clusterrolebinding/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/rule-can-create-pv/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-can-create-pv/raw.rego -------------------------------------------------------------------------------- /rules/rule-can-create-pv/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-can-create-pv/rule.metadata.json -------------------------------------------------------------------------------- /rules/rule-can-create-pv/test/clusterrole-clusterrolebinding/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/rule-can-create-service-account-token/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-can-create-service-account-token/raw.rego -------------------------------------------------------------------------------- /rules/rule-can-create-service-account-token/test/clusterrole-clusterrolebinding/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/rule-can-delete-k8s-events-v1/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-can-delete-k8s-events-v1/raw.rego -------------------------------------------------------------------------------- /rules/rule-can-impersonate-users-groups-v1/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-can-impersonate-users-groups-v1/raw.rego -------------------------------------------------------------------------------- /rules/rule-can-list-get-secrets-v1/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-can-list-get-secrets-v1/raw.rego -------------------------------------------------------------------------------- /rules/rule-can-list-get-secrets-v1/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-can-list-get-secrets-v1/rule.metadata.json -------------------------------------------------------------------------------- /rules/rule-can-modify-admission-webhooks/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-can-modify-admission-webhooks/raw.rego -------------------------------------------------------------------------------- /rules/rule-can-modify-admission-webhooks/test/clusterrole-clusterrolebinding/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/rule-can-portforward-v1/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-can-portforward-v1/raw.rego -------------------------------------------------------------------------------- /rules/rule-can-portforward-v1/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-can-portforward-v1/rule.metadata.json -------------------------------------------------------------------------------- /rules/rule-can-ssh-to-pod-v1/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-can-ssh-to-pod-v1/filter.rego -------------------------------------------------------------------------------- /rules/rule-can-ssh-to-pod-v1/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-can-ssh-to-pod-v1/raw.rego -------------------------------------------------------------------------------- /rules/rule-can-ssh-to-pod-v1/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-can-ssh-to-pod-v1/rule.metadata.json -------------------------------------------------------------------------------- /rules/rule-can-update-configmap-v1/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-can-update-configmap-v1/raw.rego -------------------------------------------------------------------------------- /rules/rule-cni-enabled-aks/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-cni-enabled-aks/raw.rego -------------------------------------------------------------------------------- /rules/rule-cni-enabled-aks/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-cni-enabled-aks/rule.metadata.json -------------------------------------------------------------------------------- /rules/rule-cni-enabled-aks/test/aks-azure-azure-pass/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/rule-cni-enabled-aks/test/aks-calico-azure-pass/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/rule-cni-enabled-aks/test/aks-calico-kubenet-pass/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/rule-credentials-configmap/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-credentials-configmap/raw.rego -------------------------------------------------------------------------------- /rules/rule-credentials-in-env-var/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-credentials-in-env-var/raw.rego -------------------------------------------------------------------------------- /rules/rule-deny-cronjobs/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-deny-cronjobs/raw.rego -------------------------------------------------------------------------------- /rules/rule-deny-cronjobs/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-deny-cronjobs/rule.metadata.json -------------------------------------------------------------------------------- /rules/rule-deny-cronjobs/test/test/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-deny-cronjobs/test/test/expected.json -------------------------------------------------------------------------------- /rules/rule-excessive-delete-rights-v1/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-excessive-delete-rights-v1/raw.rego -------------------------------------------------------------------------------- /rules/rule-hostile-multitenant-workloads/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-hostile-multitenant-workloads/raw.rego -------------------------------------------------------------------------------- /rules/rule-identify-blocklisted-image-registries/test/pod/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/rule-identify-old-k8s-registry/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-identify-old-k8s-registry/filter.rego -------------------------------------------------------------------------------- /rules/rule-identify-old-k8s-registry/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-identify-old-k8s-registry/raw.rego -------------------------------------------------------------------------------- /rules/rule-identify-old-k8s-registry/test/pod/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/rule-list-all-cluster-admins-v1/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-list-all-cluster-admins-v1/raw.rego -------------------------------------------------------------------------------- /rules/rule-manual/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-manual/raw.rego -------------------------------------------------------------------------------- /rules/rule-manual/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-manual/rule.metadata.json -------------------------------------------------------------------------------- /rules/rule-manual/test/failed/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-manual/test/failed/expected.json -------------------------------------------------------------------------------- /rules/rule-privileged-container/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-privileged-container/raw.rego -------------------------------------------------------------------------------- /rules/rule-privileged-container/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-privileged-container/rule.metadata.json -------------------------------------------------------------------------------- /rules/rule-secrets-in-env-var/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-secrets-in-env-var/raw.rego -------------------------------------------------------------------------------- /rules/rule-secrets-in-env-var/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/rule-secrets-in-env-var/rule.metadata.json -------------------------------------------------------------------------------- /rules/secret-etcd-encryption-cloud/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/secret-etcd-encryption-cloud/raw.rego -------------------------------------------------------------------------------- /rules/service-in-default-namespace/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/service-in-default-namespace/raw.rego -------------------------------------------------------------------------------- /rules/serviceaccount-in-default-namespace/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/serviceaccount-in-default-namespace/raw.rego -------------------------------------------------------------------------------- /rules/serviceaccount-token-mount/filter.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/serviceaccount-token-mount/filter.rego -------------------------------------------------------------------------------- /rules/serviceaccount-token-mount/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/serviceaccount-token-mount/raw.rego -------------------------------------------------------------------------------- /rules/serviceaccount-token-mount/test/both-mount-default/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/serviceaccount-token-mount/test/both-mount/expected.json: -------------------------------------------------------------------------------- 1 | [ 2 | ] 3 | -------------------------------------------------------------------------------- /rules/serviceaccount-token-mount/test/pod-mount/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/serviceaccount-token-mount/test/sa-mount/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/set-fsgroup-value/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/set-fsgroup-value/raw.rego -------------------------------------------------------------------------------- /rules/set-fsgroup-value/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/set-fsgroup-value/rule.metadata.json -------------------------------------------------------------------------------- /rules/set-fsgroup-value/test/cronjob/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/set-fsgroup-value/test/cronjob/expected.json -------------------------------------------------------------------------------- /rules/set-fsgroup-value/test/pod/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/set-fsgroup-value/test/pod/expected.json -------------------------------------------------------------------------------- /rules/set-fsgroup-value/test/pod/input/pod1.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/set-fsgroup-value/test/pod/input/pod1.yaml -------------------------------------------------------------------------------- /rules/set-fsgroup-value/test/pod/input/pod2.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/set-fsgroup-value/test/pod/input/pod2.yaml -------------------------------------------------------------------------------- /rules/set-fsgroupchangepolicy-value/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/set-fsgroupchangepolicy-value/raw.rego -------------------------------------------------------------------------------- /rules/set-procmount-default/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/set-procmount-default/raw.rego -------------------------------------------------------------------------------- /rules/set-procmount-default/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/set-procmount-default/rule.metadata.json -------------------------------------------------------------------------------- /rules/set-procmount-default/test/pod/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/set-procmount-default/test/pod/expected.json -------------------------------------------------------------------------------- /rules/set-seLinuxOptions/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/set-seLinuxOptions/raw.rego -------------------------------------------------------------------------------- /rules/set-seLinuxOptions/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/set-seLinuxOptions/rule.metadata.json -------------------------------------------------------------------------------- /rules/set-seLinuxOptions/test/pod/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/set-seLinuxOptions/test/pod/expected.json -------------------------------------------------------------------------------- /rules/set-seLinuxOptions/test/pod/input/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/set-seLinuxOptions/test/pod/input/pod.yaml -------------------------------------------------------------------------------- /rules/set-seccomp-profile-RuntimeDefault/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/set-seccomp-profile-RuntimeDefault/raw.rego -------------------------------------------------------------------------------- /rules/set-seccomp-profile/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/set-seccomp-profile/raw.rego -------------------------------------------------------------------------------- /rules/set-seccomp-profile/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/set-seccomp-profile/rule.metadata.json -------------------------------------------------------------------------------- /rules/set-seccomp-profile/test/pod/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/set-seccomp-profile/test/pod/expected.json -------------------------------------------------------------------------------- /rules/set-seccomp-profile/test/pod/input/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/set-seccomp-profile/test/pod/input/pod.yaml -------------------------------------------------------------------------------- /rules/set-supplementalgroups-values/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/set-supplementalgroups-values/raw.rego -------------------------------------------------------------------------------- /rules/set-sysctls-params/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/set-sysctls-params/raw.rego -------------------------------------------------------------------------------- /rules/set-sysctls-params/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/set-sysctls-params/rule.metadata.json -------------------------------------------------------------------------------- /rules/set-sysctls-params/test/pod-no-sysctls/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/set-sysctls-params/test/pod-pass/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/set-sysctls-params/test/pod/expected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/set-sysctls-params/test/pod/expected.json -------------------------------------------------------------------------------- /rules/set-sysctls-params/test/pod/input/pod1.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/set-sysctls-params/test/pod/input/pod1.yaml -------------------------------------------------------------------------------- /rules/sudo-in-container-entrypoint/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/sudo-in-container-entrypoint/raw.rego -------------------------------------------------------------------------------- /rules/sudo-in-container-entrypoint/test/cronjob/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/system-authenticated-allowed-to-take-over-cluster/test/success/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/unauthenticated-service/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/unauthenticated-service/raw.rego -------------------------------------------------------------------------------- /rules/unauthenticated-service/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/unauthenticated-service/rule.metadata.json -------------------------------------------------------------------------------- /rules/unauthenticated-service/test/pass/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/validate-kubelet-tls-configuration-updated/test/pass-1-cli-2-config/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/validate-kubelet-tls-configuration-updated/test/pass-config-file-arguments-set/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/validate-kubelet-tls-configuration-updated/test/pass-set-via-cli/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/verify-image-signature/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/verify-image-signature/raw.rego -------------------------------------------------------------------------------- /rules/verify-image-signature/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/verify-image-signature/rule.metadata.json -------------------------------------------------------------------------------- /rules/workload-mounted-configmap/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/workload-mounted-configmap/raw.rego -------------------------------------------------------------------------------- /rules/workload-mounted-configmap/test/success_different_namespaces/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/workload-mounted-configmap/test/success_no_configmap/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/workload-mounted-pvc/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/workload-mounted-pvc/raw.rego -------------------------------------------------------------------------------- /rules/workload-mounted-pvc/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/workload-mounted-pvc/rule.metadata.json -------------------------------------------------------------------------------- /rules/workload-mounted-pvc/test/success_different_namespaces/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/workload-mounted-pvc/test/success_no_PVC/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/workload-mounted-pvc/test/success_with_PVC_not_mounted/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/workload-mounted-secrets/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/workload-mounted-secrets/raw.rego -------------------------------------------------------------------------------- /rules/workload-mounted-secrets/rule.metadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/workload-mounted-secrets/rule.metadata.json -------------------------------------------------------------------------------- /rules/workload-mounted-secrets/test/success/expected.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /rules/workload-with-administrative-roles/raw.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/rules/workload-with-administrative-roles/raw.rego -------------------------------------------------------------------------------- /rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/workload-with-administrative-roles/test/pass-wl-rolebinding/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/workload-with-cluster-takeover-roles/test/pass-wl-limited-permissions/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/workload-with-cluster-takeover-roles/test/pass-wl-not-mount-sa-token/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /rules/workload-with-cluster-takeover-roles/test/pass-wl-rolebinding/expected.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /scripts/add_control_to_framework.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/scripts/add_control_to_framework.py -------------------------------------------------------------------------------- /scripts/add_mult_controls.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/scripts/add_mult_controls.py -------------------------------------------------------------------------------- /scripts/bundle.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/scripts/bundle.py -------------------------------------------------------------------------------- /scripts/export.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/scripts/export.py -------------------------------------------------------------------------------- /scripts/generate_id.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/scripts/generate_id.sh -------------------------------------------------------------------------------- /scripts/generate_subsections_ids.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/scripts/generate_subsections_ids.py -------------------------------------------------------------------------------- /scripts/init-rule.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/scripts/init-rule.py -------------------------------------------------------------------------------- /scripts/mark-controls.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/scripts/mark-controls.py -------------------------------------------------------------------------------- /scripts/mk-generator.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/scripts/mk-generator.py -------------------------------------------------------------------------------- /scripts/upload-readme.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/scripts/upload-readme.py -------------------------------------------------------------------------------- /scripts/validations.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/scripts/validations.py -------------------------------------------------------------------------------- /testrunner/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/testrunner/Makefile -------------------------------------------------------------------------------- /testrunner/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/testrunner/README.md -------------------------------------------------------------------------------- /testrunner/go.mod: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/testrunner/go.mod -------------------------------------------------------------------------------- /testrunner/go.sum: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/testrunner/go.sum -------------------------------------------------------------------------------- /testrunner/opaprocessor/processorhandler.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/testrunner/opaprocessor/processorhandler.go -------------------------------------------------------------------------------- /testrunner/opaprocessor/processorutils.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/testrunner/opaprocessor/processorutils.go -------------------------------------------------------------------------------- /testrunner/rego_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/testrunner/rego_test.go -------------------------------------------------------------------------------- /testrunner/test-single-rego/input/deployment.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/regolibrary/HEAD/testrunner/test-single-rego/input/deployment.yaml --------------------------------------------------------------------------------