False positives with KSV-022 #9824

jonkerj · 2025-11-19T20:09:18Z

jonkerj
Nov 19, 2025

Description

KSV-022 fires if spec.containers[*].securityContext.capabilities.add contains anything, while KSV-022 seems to claim that the capabilities should comply with some PodSecurityStandard (unclear which, it says "Capabilities", which is not a default PSS). Assuming this is restricted, NET_BIND_SERVICE should be allowed.

Desired Behavior

Do not fire if NET_BIND_SERVICE is added

Actual Behavior

KSV-022 fires

Reproduction Steps

1. Create a deployment with this securityContext:


capabilities:
  add:
  - NET_BIND_SERVICE
  drop:
  - ALL

Run trivy



### Target

Kubernetes

### Scanner

Misconfiguration

### Output Format

JSON

### Mode

Standalone

### Debug Output

```bash
If needed I can provide this, but from [the source code](https://github.com/aquasecurity/trivy-checks/blob/main/checks/kubernetes/specific_capabilities_added.rego) it seems very clear KSV-022 works this way.

Operating System

Talos Linux

Version

`Version: 0.60.0`

Checklist

Run trivy clean --all
Read the troubleshooting

nikpivkin · 2025-11-25T06:07:21Z

nikpivkin
Nov 25, 2025
Maintainer

Hi @jonkerj !

Thanks for the report. Track #9844

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

False positives with KSV-022 #9824

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

False positives with KSV-022 #9824

Uh oh!

jonkerj Nov 19, 2025

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Operating System

Version

Checklist

Replies: 1 comment

Uh oh!

nikpivkin Nov 25, 2025 Maintainer

jonkerj
Nov 19, 2025

nikpivkin
Nov 25, 2025
Maintainer