Skip to content

chore(deps): bump github/codeql-action from 3.24.9 to 3.25.3 (#19) #23

chore(deps): bump github/codeql-action from 3.24.9 to 3.25.3 (#19)

chore(deps): bump github/codeql-action from 3.24.9 to 3.25.3 (#19) #23

Triggered via push April 30, 2024 09:12
Status Failure
Total duration 57s
Billable time 1m
Artifacts

kics.yml

on: push
Fit to window
Zoom out
Zoom in

Annotations

1 error and 14 warnings
Analyze
Advanced Security must be enabled for this repository to use code scanning.
Analyze
Advanced Security must be enabled for this repository to use code scanning.
Analyze
This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the Action has the 'security-events: write' permission. Details: Advanced Security must be enabled for this repository to use code scanning.
Analyze
Advanced Security must be enabled for this repository to use code scanning.
Analyze
Advanced Security must be enabled for this repository to use code scanning.
[MEDIUM] Container Running With Low UID: charts/dim/templates/deployment.yaml#L39
Check if containers are running with low UID, which might cause conflicts with the host's user table.
[MEDIUM] Container Running With Low UID: charts/dim/templates/cronjob-processes.yaml#L37
Check if containers are running with low UID, which might cause conflicts with the host's user table.
[MEDIUM] Seccomp Profile Is Not Configured: charts/dim/templates/cronjob-processes.yaml#L37
Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls
[MEDIUM] Seccomp Profile Is Not Configured: charts/dim/templates/deployment.yaml#L39
Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls
[MEDIUM] Service Account Token Automount Not Disabled: charts/dim/templates/deployment.yaml#L38
Service Account Tokens are automatically mounted even if not necessary
[MEDIUM] Service Account Token Automount Not Disabled: charts/dim/templates/cronjob-processes.yaml#L35
Service Account Tokens are automatically mounted even if not necessary
[MEDIUM] Unpinned Actions Full Length Commit SHA: .github/workflows/release-please.yml#L36
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
[MEDIUM] Unpinned Actions Full Length Commit SHA: .github/workflows/release.yml#L61
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
[LOW] Container Requests Not Equal To It's Limits: charts/dim/templates/deployment.yaml#L143
Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively
[LOW] Container Requests Not Equal To It's Limits: charts/dim/templates/cronjob-processes.yaml#L135
Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively