feat: Add insecure files for testing

809232d
Open

Testing Insecure IaC Deployment #10

sysdig-aws-us-2 / Sysdig check failed Apr 7, 2026 in 2m 1s

Sysdig Pull Request Policy Evaluation

Sysdig Secure evaluated the Infrastructure-as-Code files in the pull request and identified violations to the following policies and zones:

Policies: Sysdig Kubernetes

Zones: Entire Git • Posture ILT - Base Zone

View more details at Sysdig docs

Summary

Severity | 🔴 High | 🟠 Medium | 🟡 Low
Count | 2 | 9 | 12

Details

The following controls’ violations were identified:

Container with writable root file system | 🔴 High | 2 Occurrences
Failed Resource | Kind | Resource Location | Source
insecure-nginx | Deployment | readOnlyRootFilesystem in container nginx | /kspm/bad-deployment.yaml
security-playground | Deployment | readOnlyRootFilesystem in container app | /kspm/deployment.yaml

Failed Requirements:

  • 1.2 - Immutable container filesystem [Sysdig Kubernetes]

Container using image without digest | 🟠 Medium | 2 Occurrences
Failed Resource | Kind | Resource Location | Source
insecure-nginx | Deployment | image in container nginx | /kspm/bad-deployment.yaml
security-playground | Deployment | image in container app | /kspm/deployment.yaml

Failed Requirements:

  • 2.4 - Container image tag [Sysdig Kubernetes]

Container using latest image | 🟠 Medium | 1 Occurrences
Failed Resource | Kind | Resource Location | Source
insecure-nginx | Deployment | image in container nginx | /kspm/bad-deployment.yaml

Failed Requirements:

  • 2.4 - Container image tag [Sysdig Kubernetes]

Container with root group access | 🟠 Medium | 2 Occurrences
Failed Resource | Kind | Resource Location | Source
insecure-nginx | Deployment | runAsGroup in container nginx | /kspm/bad-deployment.yaml
security-playground | Deployment | runAsGroup in container app | /kspm/deployment.yaml

Failed Requirements:

  • 1.6 - Container root group access [Sysdig Kubernetes]

Workload container default RunAsGroup root | 🟠 Medium | 2 Occurrences
Failed Resource | Kind | Resource Location | Source
insecure-nginx | Deployment | runAsGroup in workload | /kspm/bad-deployment.yaml
security-playground | Deployment | runAsGroup in workload | /kspm/deployment.yaml

Failed Requirements:

  • 1.1 - Workload Default SecurityContext [Sysdig Kubernetes]

Workload missing CPU limit | 🟠 Medium | 1 Occurrences
Failed Resource | Kind | Resource Location | Source
insecure-nginx | Deployment | limits.cpu in container nginx | /kspm/bad-deployment.yaml

Failed Requirements:

  • 2.2 - Missing container limits [Sysdig Kubernetes]

Workload missing memory limit | 🟠 Medium | 1 Occurrences
Failed Resource | Kind | Resource Location | Source
insecure-nginx | Deployment | limits.memory in container nginx | /kspm/bad-deployment.yaml

Failed Requirements:

  • 2.2 - Missing container limits [Sysdig Kubernetes]

Container uid is host range | 🟡 Low | 2 Occurrences
Failed Resource | Kind | Resource Location | Source
insecure-nginx | Deployment | runAsUser in container nginx | /kspm/bad-deployment.yaml
security-playground | Deployment | runAsUser in container app | /kspm/deployment.yaml

Failed Requirements:

  • 3.2 - Container overlap host UID Range [Sysdig Kubernetes]

Container without liveness probe | 🟡 Low | 2 Occurrences
Failed Resource | Kind | Resource Location | Source
insecure-nginx | Deployment | livenessProbe in container nginx | /kspm/bad-deployment.yaml
security-playground | Deployment | livenessProbe in container app | /kspm/deployment.yaml

Failed Requirements:

  • 2.5 - Container probes [Sysdig Kubernetes]

Container without readiness probe | 🟡 Low | 2 Occurrences
Failed Resource | Kind | Resource Location | Source
insecure-nginx | Deployment | readinessProbe in container nginx | /kspm/bad-deployment.yaml
security-playground | Deployment | readinessProbe in container app | /kspm/deployment.yaml

Failed Requirements:

  • 2.5 - Container probes [Sysdig Kubernetes]

Workload container default RunAsUser root | 🟡 Low | 2 Occurrences
Failed Resource | Kind | Resource Location | Source
insecure-nginx | Deployment | runAsUser in workload | /kspm/bad-deployment.yaml
security-playground | Deployment | runAsUser in workload | /kspm/deployment.yaml

Failed Requirements:

  • 1.1 - Workload Default SecurityContext [Sysdig Kubernetes]

Workload container default permits root | 🟡 Low | 2 Occurrences
Failed Resource | Kind | Resource Location | Source
insecure-nginx | Deployment | runAsNonRoot in workload | /kspm/bad-deployment.yaml
security-playground | Deployment | runAsNonRoot in workload | /kspm/deployment.yaml

Failed Requirements:

  • 1.1 - Workload Default SecurityContext [Sysdig Kubernetes]

Workload missing CPU request | 🟡 Low | 1 Occurrences
Failed Resource | Kind | Resource Location | Source
insecure-nginx | Deployment | requests.cpu in container nginx | /kspm/bad-deployment.yaml

Failed Requirements:

  • 2.1 - Missing container requirements [Sysdig Kubernetes]

Workload missing memory request | 🟡 Low | 1 Occurrences
Failed Resource | Kind | Resource Location | Source
insecure-nginx | Deployment | requests.memory in container nginx | /kspm/bad-deployment.yaml

Failed Requirements:

  • 2.1 - Missing container requirements [Sysdig Kubernetes]