Open
Labels: kind/bug (Categorizes issue or PR as related to a bug), scan/misconfiguration (Issues relating to misconfiguration scanning)
Description
Discussed in #9326
Originally posted by huornlmj August 8, 2025
IDs
AVD-KSV-0118
Description
The following section of a K8s manifest file is throwing AVD-KSV-0118, which is a false positive in this scenario.
Output:
AVD-KSV-0118 (HIGH): pod planner in default namespace is using the default security context, which allows root privileges
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Security context controls the allocation of security parameters for the pod/container/volume, ensuring the appropriate level of protection. Relying on default security context may expose vulnerabilities to potential attacks that rely on privileged access.
See https://avd.aquasec.com/misconfig/ksv118
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
artefacts/deploy/manifest.yaml:199-257
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
199 ┌ serviceAccountName: planner-service-account
200 │ containers:
201 │ - name: planner
202 │ image: 127.0.0.1:5000/planner:0.3.0
203 │ ports:
204 │ - containerPort: 33333
205 │ imagePullPolicy: Always
206 │ args: [ "-config", "/config/defaults.json", "-v", "2" ]
207 └ securityContext:
...
K8s manifest file spec and securityContext section:
198     spec:
199       serviceAccountName: planner-service-account
200       containers:
201         - name: planner
202           image: 127.0.0.1:5000/planner:0.3.0
203           ports:
204             - containerPort: 33333
205           imagePullPolicy: Always
206           args: [ "-config", "/config/defaults.json", "-v", "2" ]
207           securityContext:
208             capabilities:
209               drop: [ 'ALL' ]
210             seccompProfile:
211               type: RuntimeDefault
212             allowPrivilegeEscalation: false
213             readOnlyRootFilesystem: true
214             runAsNonRoot: true
215             runAsUser: 10001
216             runAsGroup: 10001
Reproduction Steps
1. Scan https://github.com/intel/intent-driven-orchestration/blob/9f37fe0552245f1c8b41285aed61696c3b375ceb/artefacts/deploy/manifest.yaml
2. Observe the false positive appear repeatedly.
Target
Kubernetes
Scanner
Misconfiguration
Target OS
N/A
Debug Output
$ trivy config . --debug
2025-08-08T12:29:50+01:00 DEBUG Default config file "file_path=trivy.yaml" not found, using built in values
2025-08-08T12:29:50+01:00 DEBUG Cache dir dir="/home/user/.cache/trivy"
2025-08-08T12:29:50+01:00 DEBUG Cache dir dir="/home/user/.cache/trivy"
2025-08-08T12:29:50+01:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-08-08T12:29:50+01:00 INFO [misconfig] Misconfiguration scanning is enabled
2025-08-08T12:29:50+01:00 DEBUG [notification] Running version check
2025-08-08T12:29:50+01:00 DEBUG [misconfig] Checks successfully loaded from disk
2025-08-08T12:29:51+01:00 DEBUG [notification] Version check completed latest_version="0.65.0"
2025-08-08T12:29:51+01:00 DEBUG [rego] Overriding filesystem for checks
2025-08-08T12:29:51+01:00 DEBUG [rego] Embedded libraries are loaded count=17
2025-08-08T12:29:51+01:00 DEBUG [rego] Embedded checks are loaded count=519
2025-08-08T12:29:52+01:00 DEBUG [rego] Checks from disk are loaded count=536
2025-08-08T12:29:52+01:00 DEBUG [rego] Overriding filesystem for data
2025-08-08T12:29:52+01:00 DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-08-08T12:29:52+01:00 DEBUG Initializing scan cache... type="memory"
2025-08-08T12:29:52+01:00 DEBUG [fs] Analyzing... root="."
2025-08-08T12:29:52+01:00 DEBUG [fs] Using the latest commit hash for calculating cache key commit_hash="9f37fe0552245f1c8b41285aed61696c3b375ceb"
2025-08-08T12:29:52+01:00 DEBUG Skipping path path=".git"
2025-08-08T12:29:52+01:00 DEBUG [misconfig] Scanning files for misconfigurations... scanner="Helm"
2025-08-08T12:29:52+01:00 DEBUG [misconfig] Scanning files for misconfigurations... scanner="Kubernetes"
2025-08-08T12:29:52+01:00 DEBUG [kubernetes scanner] Scanning files... count=31
2025-08-08T12:29:52+01:00 DEBUG [rego] Scanning inputs count=31
2025-08-08T12:29:53+01:00 DEBUG [misconfig] Scanning files for misconfigurations... scanner="Dockerfile"
2025-08-08T12:29:53+01:00 DEBUG [dockerfile scanner] Scanning files... count=5
2025-08-08T12:29:53+01:00 DEBUG [rego] Scanning inputs count=5
2025-08-08T12:29:53+01:00 DEBUG OS is not detected.
2025-08-08T12:29:53+01:00 INFO Detected config files num=14
2025-08-08T12:29:53+01:00 DEBUG Scanned config file file_path="Dockerfile"
2025-08-08T12:29:53+01:00 DEBUG Scanned config file file_path="plugins/cpu_scale/Dockerfile"
2025-08-08T12:29:53+01:00 DEBUG Scanned config file file_path="plugins/cpu_scale/cpu-scale-actuator-plugin.yaml"
2025-08-08T12:29:53+01:00 DEBUG Scanned config file file_path="plugins/rdt/Dockerfile"
2025-08-08T12:29:53+01:00 DEBUG Scanned config file file_path="plugins/rdt/rdt-actuator-plugin.yaml"
2025-08-08T12:29:53+01:00 DEBUG Scanned config file file_path="plugins/rm_pod/Dockerfile"
2025-08-08T12:29:53+01:00 DEBUG Scanned config file file_path="plugins/rm_pod/rmpod-actuator-plugin.yaml"
2025-08-08T12:29:53+01:00 DEBUG Scanned config file file_path="plugins/scale_out/Dockerfile"
2025-08-08T12:29:53+01:00 DEBUG Scanned config file file_path="plugins/scale_out/scaleout-actuator-plugin.yaml"
2025-08-08T12:29:53+01:00 DEBUG Scanned config file file_path="artefacts/deploy/manifest.yaml"
2025-08-08T12:29:53+01:00 DEBUG Scanned config file file_path="artefacts/examples/default_profiles.yaml"
2025-08-08T12:29:53+01:00 DEBUG Scanned config file file_path="artefacts/examples/example_deployment.yaml"
2025-08-08T12:29:53+01:00 DEBUG Scanned config file file_path="artefacts/examples/example_intent.yaml"
2025-08-08T12:29:53+01:00 DEBUG Scanned config file file_path="artefacts/intents_crds_v1alpha1.yaml"
2025-08-08T12:29:53+01:00 DEBUG Specified ignore file does not exist file=".trivyignore"
2025-08-08T12:29:53+01:00 DEBUG [vex] VEX filtering is disabled
Report Summary
SNIP
AVD-KSV-0118 (HIGH): pod planner in default namespace is using the default security context, which allows root privileges
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Security context controls the allocation of security parameters for the pod/container/volume, ensuring the appropriate level of protection. Relying on default security context may expose vulnerabilities to potential attacks that rely on privileged access.
See https://avd.aquasec.com/misconfig/ksv118
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
artefacts/deploy/manifest.yaml:199-257
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
199 ┌ serviceAccountName: planner-service-account
200 │ containers:
201 │ - name: planner
202 │ image: 127.0.0.1:5000/planner:0.3.0
203 │ ports:
204 │ - containerPort: 33333
205 │ imagePullPolicy: Always
206 │ args: [ "-config", "/config/defaults.json", "-v", "2" ]
207 └ securityContext:
...
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
SNIP
Version
$ trivy --version
Version: 0.64.1
Vulnerability DB:
Version: 2
UpdatedAt: 2025-08-07 06:28:58.287270346 +0000 UTC
NextUpdate: 2025-08-08 06:28:58.287270005 +0000 UTC
DownloadedAt: 2025-08-07 09:51:54.845313477 +0000 UTC
Java DB:
Version: 1
UpdatedAt: 2024-11-06 03:52:35.137443806 +0000 UTC
NextUpdate: 2024-11-09 03:52:35.137443696 +0000 UTC
DownloadedAt: 2024-11-06 12:34:58.556721347 +0000 UTC
Check Bundle:
Digest: sha256:a471e90b7c7335e914ec9075b74cf8f65e4c91e6cecfa7e39c587382808d2684
DownloadedAt: 2025-08-08 11:23:24.612747178 +0000 UTC
Checklist
- Read the documentation regarding wrong detection
- Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct
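As an added triage example (not Trivy's code and not the logic of the KSV-0118 check itself), the script below merges pod-level and container-level securityContext the way the kubelet resolves them (container-level values override pod-level values for the fields both levels share; capabilities, privileged, allowPrivilegeEscalation and readOnlyRootFilesystem exist only at container level) and reports, per container, what the effective context still permits. The PLANNER_POD_SPEC dict is transcribed from the manifest snippet in this issue; the other two pod specs are constructed to show the inheritance and override rules. Field names are the real Kubernetes API fields; the helper function names are this example's own.

```python
from copy import deepcopy

# securityContext fields that exist in both PodSecurityContext and the
# container-level SecurityContext; when both are set, the container wins.
SHARED_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot",
                 "seLinuxOptions", "seccompProfile", "windowsOptions")


def effective_security_context(pod_spec, container):
    """Resolve the securityContext one container actually runs with."""
    pod_ctx = pod_spec.get("securityContext") or {}
    ctx = {k: deepcopy(v) for k, v in pod_ctx.items() if k in SHARED_FIELDS}
    ctx.update(deepcopy(container.get("securityContext") or {}))
    return ctx


def assess(ctx):
    """Return a list of findings describing what the effective context permits."""
    findings = []
    run_as_user = ctx.get("runAsUser")
    if ctx.get("runAsNonRoot") is True:
        if run_as_user == 0:
            findings.append("runAsNonRoot is true but runAsUser is 0; "
                            "the kubelet will refuse to start this container")
    elif run_as_user is None or run_as_user == 0:
        # Without runAsNonRoot the image's USER decides, which may be root.
        findings.append("may run as root: neither runAsNonRoot=true "
                        "nor a non-zero runAsUser is set")
    if ctx.get("privileged") is True:
        findings.append("privileged container")
    if ctx.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation is not set to false")
    drop = (ctx.get("capabilities") or {}).get("drop") or []
    if "ALL" not in [str(c).upper() for c in drop]:
        findings.append("capabilities.drop does not include ALL")
    if ctx.get("readOnlyRootFilesystem") is not True:
        findings.append("root filesystem is writable")
    seccomp = (ctx.get("seccompProfile") or {}).get("type")
    if seccomp not in ("RuntimeDefault", "Localhost"):
        findings.append("no RuntimeDefault or Localhost seccomp profile")
    return findings


def triage_pod(pod_spec):
    """Map each (init)container name to its findings for the effective context."""
    result = {}
    for key in ("initContainers", "containers"):
        for container in pod_spec.get(key) or []:
            result[container["name"]] = assess(
                effective_security_context(pod_spec, container))
    return result


# Transcribed from the manifest snippet in this issue: no pod-level
# securityContext, but a fully hardened container-level one.
PLANNER_POD_SPEC = {
    "serviceAccountName": "planner-service-account",
    "containers": [{
        "name": "planner",
        "image": "127.0.0.1:5000/planner:0.3.0",
        "ports": [{"containerPort": 33333}],
        "imagePullPolicy": "Always",
        "args": ["-config", "/config/defaults.json", "-v", "2"],
        "securityContext": {
            "capabilities": {"drop": ["ALL"]},
            "seccompProfile": {"type": "RuntimeDefault"},
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "runAsGroup": 10001,
        },
    }],
}

# Constructed: pod-level identity and seccomp, inherited by "hardened"
# but partly overridden (runAsUser: 0) by "legacy".
MIXED_POD_SPEC = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [
        {"name": "hardened", "image": "example/hardened:1",
         "securityContext": {"capabilities": {"drop": ["ALL"]},
                             "allowPrivilegeEscalation": False,
                             "readOnlyRootFilesystem": True}},
        {"name": "legacy", "image": "example/legacy:1",
         "securityContext": {"runAsUser": 0}},
    ],
}

# Constructed: no securityContext at either level (the default context).
BARE_POD_SPEC = {"containers": [{"name": "web", "image": "example/web:1"}]}

if __name__ == "__main__":
    for label, spec in (("planner", PLANNER_POD_SPEC),
                        ("mixed", MIXED_POD_SPEC), ("bare", BARE_POD_SPEC)):
        for name, findings in triage_pod(spec).items():
            print(f"{label}/{name}: {findings or 'no findings'}")
```

Run against the issue's planner container the script reports no findings, which is the reporter's point: the absence of a pod-level securityContext does not by itself leave root privileges available when every container sets its own. The constructed pods show the two cases a reviewer should still look for, a container that inherits a safe pod-level context, and one that overrides it with runAsUser 0.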