# YAML Security Rules

20 detection rules for YAML (Kubernetes manifests).

- Total rules: 20
- CRITICAL: 5
- HIGH: 5
- MEDIUM: 7
- LOW: 3

## Frameworks

- kubernetes

## Rules by CWE

### Execution with Unnecessary Privileges (CWE-250)

- **Privilege Escalation Allowed** [HIGH]: Detects containers whose securityContext explicitly sets `allowPrivilegeEscalation: true`.
- **Dangerous Linux Capabilities Added** [CRITICAL]: Detects containers adding dangerous Linux capabilities such as SYS_ADMIN, NET_ADMIN, or SYS_PTRACE under `capabilities.add`.
- **Host Namespace Access Enabled** [CRITICAL]: Detects pods configured to share host namespaces (`hostNetwork`, `hostPID`, or `hostIPC`).
- **Missing Capability Restrictions** [MEDIUM]: Detects containers that do not drop unnecessary Linux capabilities (no `capabilities.drop`).
- **Missing allowPrivilegeEscalation Setting** [MEDIUM]: Detects containers with a securityContext that does not explicitly set `allowPrivilegeEscalation`.
- **Missing Container Security Context** [HIGH]: Detects containers with no `securityContext` at all.
- **Privileged Container Detected** [CRITICAL]: Detects containers running with `privileged: true` in their securityContext.
- **Container Running as Root User** [HIGH]: Detects containers configured to run as root (`runAsUser: 0`).

### Cleartext Transmission of Sensitive Information (CWE-319)

- **Ingress Missing TLS Configuration** [HIGH]: Detects Kubernetes Ingress resources without a `spec.tls` block.
- **Insecure TLS Verification Disabled** [HIGH]: Detects Kubernetes configurations in which TLS certificate verification is turned off.

### Exposure of Resource to Wrong Sphere (CWE-668)

- **HostPath Volume Mounted** [CRITICAL]: Detects `hostPath` volumes that mount directories from the node's filesystem into pods.
- **NodePort Service Exposes Application** [MEDIUM]: Detects Services of type `NodePort`, which expose the application on a port of every cluster node.

### Incorrect Permission Assignment for Critical Resource (CWE-732)

- **Service Account Token Auto-Mounted** [LOW]: Detects pods with service account token auto-mounting enabled (`automountServiceAccountToken` unset or `true`).
- **Writable Root Filesystem** [MEDIUM]: Detects containers that allow writes to the root filesystem (`readOnlyRootFilesystem` not `true`).

### Initialization of a Resource with an Insecure Default (CWE-1188)

- **Using Default Namespace** [LOW]: Detects resources deployed to the `default` namespace.
- **Missing Health Probes** [LOW]: Detects containers missing a liveness and/or readiness probe.

### Improper Access Control (CWE-284)

- **Missing Network Policy** [MEDIUM]: Detects Kubernetes Deployments without an associated NetworkPolicy resource.

### Resource Exhaustion (CWE-400)

- **Missing Resource Limits** [MEDIUM]: Detects containers missing `resources.limits`.

### Hardcoded Credentials (CWE-798)

- **Hardcoded Secrets in Manifest** [CRITICAL]: Detects hardcoded secrets, passwords, or API keys in Kubernetes manifests.

### Inclusion of Untrusted Functionality (CWE-829)

- **Container Using Latest Tag** [MEDIUM]: Detects container images using the `latest` tag or no tag at all.
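The checks above are all structural tests on a parsed manifest, so they are easy to reproduce. The following is an added worked example, not the rule pack's own engine: a small checker that walks a parsed Kubernetes object and emits findings named after the rules in this list, run over a constructed weak Deployment and its hardened twin. Manifests are supplied as Python dicts, which is what `yaml.safe_load()` would return for the YAML, so the example runs offline without PyYAML; the sample names, image, and the `DB_PASSWORD` value are constructed for illustration and are not real credentials. The Missing Network Policy and Insecure TLS Verification rules need cluster-wide or tool-specific context and are not implemented here.

```python
"""Added example: a minimal rule engine over parsed Kubernetes manifests (dicts,
as yaml.safe_load() returns). Not the rule pack's own scanner."""

DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE"}
SECRET_HINTS = ("password", "passwd", "secret", "apikey", "api_key", "token")
WORKLOADS = {"Deployment", "StatefulSet", "DaemonSet", "Job"}


def pod_spec(obj):
    """Return the pod spec of a Pod or of a pod-template workload, else None."""
    if obj.get("kind") == "Pod":
        return obj.get("spec") or {}
    if obj.get("kind") in WORKLOADS:
        return ((obj.get("spec") or {}).get("template") or {}).get("spec") or {}
    return None


def image_unpinned(image):
    """True for a 'latest' or missing tag; a digest reference (name@sha256:...) is pinned."""
    if "@" in image:
        return False
    last = image.rsplit("/", 1)[-1]  # drop any registry host:port prefix first
    tag = last.split(":", 1)[1] if ":" in last else ""
    return tag in ("", "latest")


def check_container(c, pod_sc, where, out):
    sc = c.get("securityContext")
    if sc is None:
        out.append(("HIGH", "Missing Container Security Context", where))
        sc = {}  # report the missing block once instead of every sub-rule
    else:
        if sc.get("privileged"):
            out.append(("CRITICAL", "Privileged Container Detected", where))
        ape = sc.get("allowPrivilegeEscalation")
        if ape is True:
            out.append(("HIGH", "Privilege Escalation Allowed", where))
        elif ape is None:
            out.append(("MEDIUM", "Missing allowPrivilegeEscalation Setting", where))
        caps = sc.get("capabilities") or {}
        if DANGEROUS_CAPS & set(caps.get("add") or []):
            out.append(("CRITICAL", "Dangerous Linux Capabilities Added", where))
        if not caps.get("drop"):
            out.append(("MEDIUM", "Missing Capability Restrictions", where))
        if not sc.get("readOnlyRootFilesystem"):
            out.append(("MEDIUM", "Writable Root Filesystem", where))
    # a container-level runAsUser overrides the pod-level securityContext
    if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
        out.append(("HIGH", "Container Running as Root User", where))
    if not (c.get("resources") or {}).get("limits"):
        out.append(("MEDIUM", "Missing Resource Limits", where))
    if image_unpinned(c.get("image", "")):
        out.append(("MEDIUM", "Container Using Latest Tag", where))
    if not (c.get("livenessProbe") and c.get("readinessProbe")):
        out.append(("LOW", "Missing Health Probes", where))
    for env in c.get("env") or []:
        # literal value under a secret-looking name; valueFrom.secretKeyRef is fine
        if "value" in env and any(h in env.get("name", "").lower() for h in SECRET_HINTS):
            out.append(("CRITICAL", "Hardcoded Secrets in Manifest", f"{where} env {env['name']}"))


def check(obj):
    """Findings for one manifest as (severity, rule, location) tuples."""
    out, meta, spec = [], obj.get("metadata") or {}, obj.get("spec") or {}
    name = f"{obj.get('kind')}/{meta.get('name', '?')}"
    if meta.get("namespace", "default") == "default":
        out.append(("LOW", "Using Default Namespace", name))
    if obj.get("kind") == "Service" and spec.get("type") == "NodePort":
        out.append(("MEDIUM", "NodePort Service Exposes Application", name))
    if obj.get("kind") == "Ingress" and not spec.get("tls"):
        out.append(("HIGH", "Ingress Missing TLS Configuration", name))
    ps = pod_spec(obj)
    if ps is None:
        return out
    if any(ps.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        out.append(("CRITICAL", "Host Namespace Access Enabled", name))
    for vol in ps.get("volumes") or []:
        if "hostPath" in vol:
            out.append(("CRITICAL", "HostPath Volume Mounted", f"{name} volume {vol.get('name')}"))
    if ps.get("automountServiceAccountToken", True):  # Kubernetes defaults this to true
        out.append(("LOW", "Service Account Token Auto-Mounted", name))
    pod_sc = ps.get("securityContext") or {}
    for c in (ps.get("initContainers") or []) + (ps.get("containers") or []):
        check_container(c, pod_sc, f"{name} container {c.get('name')}", out)
    return out


def scan(docs):
    """Run every manifest through check() and order findings by severity."""
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    return sorted((f for d in docs for f in check(d)), key=lambda f: order[f[0]])


# Constructed sample input: a deliberately weak Deployment and its hardened twin.
WEAK = {"kind": "Deployment", "metadata": {"name": "web"},  # no namespace -> default
        "spec": {"template": {"spec": {
            "hostPID": True,
            "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
            "containers": [{"name": "app", "image": "example/app:latest",
                            "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],  # constructed
                            "securityContext": {"privileged": True, "runAsUser": 0,
                                                "capabilities": {"add": ["SYS_ADMIN"]}}}]}}}}
HARDENED = {"kind": "Deployment", "metadata": {"name": "web", "namespace": "shop"},
            "spec": {"template": {"spec": {
                "automountServiceAccountToken": False,
                "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
                "containers": [{"name": "app", "image": "example/app@sha256:" + "0" * 64,
                                "env": [{"name": "DB_PASSWORD", "valueFrom": {
                                    "secretKeyRef": {"name": "db", "key": "password"}}}],
                                "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                                "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
                                "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}},
                                "securityContext": {"allowPrivilegeEscalation": False,
                                                    "readOnlyRootFilesystem": True,
                                                    "capabilities": {"drop": ["ALL"]}}}]}}}}

if __name__ == "__main__":
    for sev, rule, where in scan([WEAK, HARDENED]):
        print(f"{sev:8} {rule}: {where}")
```

Running it reports 14 findings for `WEAK` (five of them CRITICAL, matching the five CRITICAL rules this engine covers) and none for `HARDENED`. Two design points worth copying into a real scanner: a container with no `securityContext` is reported once rather than once per sub-rule, so the finding count reflects one root cause; and image pinning treats a digest reference as satisfied, since `name@sha256:...` is stricter than any tag.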