Ensure env-vars changes are always immediately applied by forcing rol…

1e24c79
Open

feat: Ensure env-vars changes are always immediately applied #399

GitHub Advanced Security / Trivy failed Apr 6, 2025 in 3s

29 new alerts including 3 high severity security vulnerabilities

New alerts in code changed by this pull request

Security Alerts:

  • 3 high
  • 14 medium
  • 12 low

See annotations below for details.

Annotations

Check warning on line 105 in mailu/templates/clamav/statefulset.yaml

Code scanning / Trivy

Can elevate its own privileges Medium

Artifact: mailu/templates/clamav/statefulset.yaml
Type: helm
Vulnerability KSV001
Severity: MEDIUM
Message: Container 'clamav' of StatefulSet 'mailu-clamav' should set 'securityContext.allowPrivilegeEscalation' to false
Link: KSV001

Check notice on line 105 in mailu/templates/clamav/statefulset.yaml

Code scanning / Trivy

Default capabilities: some containers do not drop all Low

Artifact: mailu/templates/clamav/statefulset.yaml
Type: helm
Vulnerability KSV003
Severity: LOW
Message: Container 'clamav' of StatefulSet 'mailu-clamav' should add 'ALL' to 'securityContext.capabilities.drop'
Link: KSV003

Check warning on line 105 in mailu/templates/clamav/statefulset.yaml

Code scanning / Trivy

Runs as root user Medium

Artifact: mailu/templates/clamav/statefulset.yaml
Type: helm
Vulnerability KSV012
Severity: MEDIUM
Message: Container 'clamav' of StatefulSet 'mailu-clamav' should set 'securityContext.runAsNonRoot' to true
Link: KSV012

Check failure on line 105 in mailu/templates/clamav/statefulset.yaml

Code scanning / Trivy

Root file system is not read-only High

Artifact: mailu/templates/clamav/statefulset.yaml
Type: helm
Vulnerability KSV014
Severity: HIGH
Message: Container 'clamav' of StatefulSet 'mailu-clamav' should set 'securityContext.readOnlyRootFilesystem' to true
Link: KSV014

Check notice on line 105 in mailu/templates/clamav/statefulset.yaml

Code scanning / Trivy

Runs with UID <= 10000 Low

Artifact: mailu/templates/clamav/statefulset.yaml
Type: helm
Vulnerability KSV020
Severity: LOW
Message: Container 'clamav' of StatefulSet 'mailu-clamav' should set 'securityContext.runAsUser' > 10000
Link: KSV020

Check notice on line 105 in mailu/templates/clamav/statefulset.yaml

Code scanning / Trivy

Runs with GID <= 10000 Low

Artifact: mailu/templates/clamav/statefulset.yaml
Type: helm
Vulnerability KSV021
Severity: LOW
Message: Container 'clamav' of StatefulSet 'mailu-clamav' should set 'securityContext.runAsGroup' > 10000
Link: KSV021

Check notice on line 105 in mailu/templates/clamav/statefulset.yaml

Code scanning / Trivy

Runtime/Default Seccomp profile not set Low

Artifact: mailu/templates/clamav/statefulset.yaml
Type: helm
Vulnerability KSV030
Severity: LOW
Message: Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'
Link: KSV030

Check notice on line 105 in mailu/templates/clamav/statefulset.yaml

Code scanning / Trivy

Container capabilities must only include NET_BIND_SERVICE Low

Artifact: mailu/templates/clamav/statefulset.yaml
Type: helm
Vulnerability KSV106
Severity: LOW
Message: container should drop all
Link: KSV106

Check notice on line 107 in mailu/templates/clamav/statefulset.yaml

Code scanning / Trivy

Default capabilities: some containers do not drop any Low

Artifact: mailu/templates/clamav/statefulset.yaml
Type: helm
Vulnerability KSV004
Severity: LOW
Message: Container 'clamav' of 'statefulset' 'mailu-clamav' in '' namespace should set securityContext.capabilities.drop
Link: KSV004

Check warning on line 107 in mailu/templates/clamav/statefulset.yaml

Code scanning / Trivy

All container images must start with the *.azurecr.io domain Medium

Artifact: mailu/templates/clamav/statefulset.yaml
Type: helm
Vulnerability KSV032
Severity: MEDIUM
Message: container clamav of statefulset mailu-clamav in namespace should restrict container image to your specific registry domain. For Azure any domain ending in 'azurecr.io'
Link: KSV032

Check warning on line 107 in mailu/templates/clamav/statefulset.yaml

Code scanning / Trivy

All container images must start with a GCR domain Medium

Artifact: mailu/templates/clamav/statefulset.yaml
Type: helm
Vulnerability KSV033
Severity: MEDIUM
Message: container clamav of statefulset mailu-clamav in namespace should restrict container image to your specific registry domain. See the full GCR list here: https://cloud.google.com/container-registry/docs/overview#registries
Link: KSV033

Check warning on line 107 in mailu/templates/clamav/statefulset.yaml

Code scanning / Trivy

Container images from public registries used Medium

Artifact: mailu/templates/clamav/statefulset.yaml
Type: helm
Vulnerability KSV034
Severity: MEDIUM
Message: Container 'clamav' of StatefulSet 'mailu-clamav' should restrict container image to use private registries
Link: KSV034

Check warning on line 107 in mailu/templates/clamav/statefulset.yaml

Code scanning / Trivy

All container images must start with an ECR domain Medium

Artifact: mailu/templates/clamav/statefulset.yaml
Type: helm
Vulnerability KSV035
Severity: MEDIUM
Message: Container 'clamav' of StatefulSet 'mailu-clamav' should restrict images to own ECR repository. See the full ECR list here: https://docs.aws.amazon.com/general/latest/gr/ecr.html
Link: KSV035

Check warning on line 107 in mailu/templates/clamav/statefulset.yaml

Code scanning / Trivy

Seccomp policies disabled Medium

Artifact: mailu/templates/clamav/statefulset.yaml
Type: helm
Vulnerability KSV104
Severity: MEDIUM
Message: container "clamav" of statefulset "mailu-clamav" in "" namespace should specify a seccomp profile
Link: KSV104

Check warning on line 147 in mailu/templates/front/deployment.yaml

Code scanning / Trivy

Can elevate its own privileges Medium

Artifact: mailu/templates/front/deployment.yaml
Type: helm
Vulnerability KSV001
Severity: MEDIUM
Message: Container 'front' of Deployment 'mailu-front' should set 'securityContext.allowPrivilegeEscalation' to false
Link: KSV001

Check notice on line 147 in mailu/templates/front/deployment.yaml

Code scanning / Trivy

Default capabilities: some containers do not drop all Low

Artifact: mailu/templates/front/deployment.yaml
Type: helm
Vulnerability KSV003
Severity: LOW
Message: Container 'front' of Deployment 'mailu-front' should add 'ALL' to 'securityContext.capabilities.drop'
Link: KSV003

Check notice on line 147 in mailu/templates/front/deployment.yaml

Code scanning / Trivy

Default capabilities: some containers do not drop any Low

Artifact: mailu/templates/front/deployment.yaml
Type: helm
Vulnerability KSV004
Severity: LOW
Message: Container 'front' of 'deployment' 'mailu-front' in '' namespace should set securityContext.capabilities.drop
Link: KSV004

Check warning on line 147 in mailu/templates/front/deployment.yaml

Code scanning / Trivy

Runs as root user Medium

Artifact: mailu/templates/front/deployment.yaml
Type: helm
Vulnerability KSV012
Severity: MEDIUM
Message: Container 'front' of Deployment 'mailu-front' should set 'securityContext.runAsNonRoot' to true
Link: KSV012

Check failure on line 147 in mailu/templates/front/deployment.yaml

Code scanning / Trivy

Root file system is not read-only High

Artifact: mailu/templates/front/deployment.yaml
Type: helm
Vulnerability KSV014
Severity: HIGH
Message: Container 'front' of Deployment 'mailu-front' should set 'securityContext.readOnlyRootFilesystem' to true
Link: KSV014

Check notice on line 147 in mailu/templates/front/deployment.yaml

Code scanning / Trivy

Runs with UID <= 10000 Low

Artifact: mailu/templates/front/deployment.yaml
Type: helm
Vulnerability KSV020
Severity: LOW
Message: Container 'front' of Deployment 'mailu-front' should set 'securityContext.runAsUser' > 10000
Link: KSV020

Check notice on line 147 in mailu/templates/front/deployment.yaml

Code scanning / Trivy

Runs with GID <= 10000 Low

Artifact: mailu/templates/front/deployment.yaml
Type: helm
Vulnerability KSV021
Severity: LOW
Message: Container 'front' of Deployment 'mailu-front' should set 'securityContext.runAsGroup' > 10000
Link: KSV021

Check failure on line 147 in mailu/templates/front/deployment.yaml

Code scanning / Trivy

Access to host ports High

Artifact: mailu/templates/front/deployment.yaml
Type: helm
Vulnerability KSV024
Severity: HIGH
Message: Container 'front' of Deployment 'mailu-front' should not set host ports, 'ports[*].hostPort'
Link: KSV024

Check notice on line 147 in mailu/templates/front/deployment.yaml

Code scanning / Trivy

Runtime/Default Seccomp profile not set Low

Artifact: mailu/templates/front/deployment.yaml
Type: helm
Vulnerability KSV030
Severity: LOW
Message: Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'
Link: KSV030

Check warning on line 147 in mailu/templates/front/deployment.yaml

Code scanning / Trivy

All container images must start with the *.azurecr.io domain Medium

Artifact: mailu/templates/front/deployment.yaml
Type: helm
Vulnerability KSV032
Severity: MEDIUM
Message: container front of deployment mailu-front in namespace should restrict container image to your specific registry domain. For Azure any domain ending in 'azurecr.io'
Link: KSV032

Check warning on line 147 in mailu/templates/front/deployment.yaml

Code scanning / Trivy

All container images must start with a GCR domain Medium

Artifact: mailu/templates/front/deployment.yaml
Type: helm
Vulnerability KSV033
Severity: MEDIUM
Message: container front of deployment mailu-front in namespace should restrict container image to your specific registry domain. See the full GCR list here: https://cloud.google.com/container-registry/docs/overview#registries
Link: KSV033