AVD-KSV-0118 false positive (pod X using the default security context, which allows root privileges)

[huornlmj]

IDs

AVD-KSV-0118

Description

The following section of a K8s manifest file is throwing AVD-KSV-0118 which is a false positive in this scenario.

Output:

AVD-KSV-0118 (HIGH): pod planner in default namespace is using the default security context, which allows root privileges
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Security context controls the allocation of security parameters for the pod/container/volume, ensuring the appropriate level of protection. Relying on default security context may expose vulnerabilit
ies to potential attacks that rely on privileged access.

See https://avd.aquasec.com/misconfig/ksv118
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 artefacts/deploy/manifest.yaml:199-257
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 199 ┌   serviceAccountName: planner-service-account
 200 │   containers:
 201 │     - name: planner
 202 │       image: 127.0.0.1:5000/planner:0.3.0
 203 │       ports:
 204 │         - containerPort: 33333
 205 │       imagePullPolicy: Always
 206 │       args: [ "-config", "/config/defaults.json", "-v", "2" ]
 207 └       securityContext:
 ...

K8s manifest file spec and securityContext section:

198 spec:
199   serviceAccountName: planner-service-account
200   containers:
201     - name: planner
202       image: 127.0.0.1:5000/planner:0.3.0
203       ports:
204         - containerPort: 33333
205       imagePullPolicy: Always
206       args: [ "-config", "/config/defaults.json", "-v", "2" ]
207       securityContext:
208         capabilities:
209           drop: [ 'ALL' ]
210         seccompProfile:
211           type: RuntimeDefault
212         allowPrivilegeEscalation: false
213         readOnlyRootFilesystem: true
214         runAsNonRoot: true
215         runAsUser: 10001
216         runAsGroup: 10001

Reproduction Steps

1. Scan https://github.com/intel/intent-driven-orchestration/blob/9f37fe0552245f1c8b41285aed61696c3b375ceb/artefacts/deploy/manifest.yaml
2. Observe the false positive appear repeatedly.

Target

Kubernetes

Scanner

Misconfiguration

Target OS

N/A

Debug Output

$ trivy config . --debug
2025-08-08T12:29:50+01:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-08-08T12:29:50+01:00       DEBUG   Cache dir       dir="/home/user/.cache/trivy"
2025-08-08T12:29:50+01:00       DEBUG   Cache dir       dir="/home/user/.cache/trivy"
2025-08-08T12:29:50+01:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-08-08T12:29:50+01:00       INFO    [misconfig] Misconfiguration scanning is enabled
2025-08-08T12:29:50+01:00       DEBUG   [notification] Running version check
2025-08-08T12:29:50+01:00       DEBUG   [misconfig] Checks successfully loaded from disk
2025-08-08T12:29:51+01:00       DEBUG   [notification] Version check completed  latest_version="0.65.0"
2025-08-08T12:29:51+01:00       DEBUG   [rego] Overriding filesystem for checks
2025-08-08T12:29:51+01:00       DEBUG   [rego] Embedded libraries are loaded    count=17
2025-08-08T12:29:51+01:00       DEBUG   [rego] Embedded checks are loaded       count=519
2025-08-08T12:29:52+01:00       DEBUG   [rego] Checks from disk are loaded      count=536
2025-08-08T12:29:52+01:00       DEBUG   [rego] Overriding filesystem for data
2025-08-08T12:29:52+01:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-08-08T12:29:52+01:00       DEBUG   Initializing scan cache...      type="memory"
2025-08-08T12:29:52+01:00       DEBUG   [fs] Analyzing...       root="."
2025-08-08T12:29:52+01:00       DEBUG   [fs] Using the latest commit hash for calculating cache key     commit_hash="9f37fe0552245f1c8b41285aed61696c3b375ceb"
2025-08-08T12:29:52+01:00       DEBUG   Skipping path   path=".git"
2025-08-08T12:29:52+01:00       DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Helm"
2025-08-08T12:29:52+01:00       DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Kubernetes"
2025-08-08T12:29:52+01:00       DEBUG   [kubernetes scanner] Scanning files...  count=31
2025-08-08T12:29:52+01:00       DEBUG   [rego] Scanning inputs  count=31
2025-08-08T12:29:53+01:00       DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Dockerfile"
2025-08-08T12:29:53+01:00       DEBUG   [dockerfile scanner] Scanning files...  count=5
2025-08-08T12:29:53+01:00       DEBUG   [rego] Scanning inputs  count=5
2025-08-08T12:29:53+01:00       DEBUG   OS is not detected.
2025-08-08T12:29:53+01:00       INFO    Detected config files   num=14
2025-08-08T12:29:53+01:00       DEBUG   Scanned config file     file_path="Dockerfile"
2025-08-08T12:29:53+01:00       DEBUG   Scanned config file     file_path="plugins/cpu_scale/Dockerfile"
2025-08-08T12:29:53+01:00       DEBUG   Scanned config file     file_path="plugins/cpu_scale/cpu-scale-actuator-plugin.yaml"
2025-08-08T12:29:53+01:00       DEBUG   Scanned config file     file_path="plugins/rdt/Dockerfile"
2025-08-08T12:29:53+01:00       DEBUG   Scanned config file     file_path="plugins/rdt/rdt-actuator-plugin.yaml"
2025-08-08T12:29:53+01:00       DEBUG   Scanned config file     file_path="plugins/rm_pod/Dockerfile"
2025-08-08T12:29:53+01:00       DEBUG   Scanned config file     file_path="plugins/rm_pod/rmpod-actuator-plugin.yaml"
2025-08-08T12:29:53+01:00       DEBUG   Scanned config file     file_path="plugins/scale_out/Dockerfile"
2025-08-08T12:29:53+01:00       DEBUG   Scanned config file     file_path="plugins/scale_out/scaleout-actuator-plugin.yaml"
2025-08-08T12:29:53+01:00       DEBUG   Scanned config file     file_path="artefacts/deploy/manifest.yaml"
2025-08-08T12:29:53+01:00       DEBUG   Scanned config file     file_path="artefacts/examples/default_profiles.yaml"
2025-08-08T12:29:53+01:00       DEBUG   Scanned config file     file_path="artefacts/examples/example_deployment.yaml"
2025-08-08T12:29:53+01:00       DEBUG   Scanned config file     file_path="artefacts/examples/example_intent.yaml"
2025-08-08T12:29:53+01:00       DEBUG   Scanned config file     file_path="artefacts/intents_crds_v1alpha1.yaml"
2025-08-08T12:29:53+01:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-08-08T12:29:53+01:00       DEBUG   [vex] VEX filtering is disabled

Report Summary

SNIP

AVD-KSV-0118 (HIGH): pod planner in default namespace is using the default security context, which allows root privileges
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Security context controls the allocation of security parameters for the pod/container/volume, ensuring the appropriate level of protection. Relying on default security context may expose vulnerabilities to potential attacks that rely on privileged access.

See https://avd.aquasec.com/misconfig/ksv118
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 artefacts/deploy/manifest.yaml:199-257
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 199 ┌   serviceAccountName: planner-service-account
 200 │   containers:
 201 │     - name: planner
 202 │       image: 127.0.0.1:5000/planner:0.3.0
 203 │       ports:
 204 │         - containerPort: 33333
 205 │       imagePullPolicy: Always
 206 │       args: [ "-config", "/config/defaults.json", "-v", "2" ]
 207 └       securityContext:
 ...
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

SNIP

Version

$ trivy --version
Version: 0.64.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-08-07 06:28:58.287270346 +0000 UTC
  NextUpdate: 2025-08-08 06:28:58.287270005 +0000 UTC
  DownloadedAt: 2025-08-07 09:51:54.845313477 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-11-06 03:52:35.137443806 +0000 UTC
  NextUpdate: 2024-11-09 03:52:35.137443696 +0000 UTC
  DownloadedAt: 2024-11-06 12:34:58.556721347 +0000 UTC
Check Bundle:
  Digest: sha256:a471e90b7c7335e914ec9075b74cf8f65e4c91e6cecfa7e39c587382808d2684
  DownloadedAt: 2025-08-08 11:23:24.612747178 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[simar7]

thanks @huornlmj - this looks like a bug to me in the check. Track #9329