37 Security Rules Available

Security Rules

Discover and deploy CEL-based security policies for Kubernetes. Protect your infrastructure with community-driven rules.

Contribute Rule Documentation
37 Rules
8 Categories
4 Severity Levels
37 rules found

RBAC Roles Allow Privilege Escalation

spotter-access-001

🔴 CRITICAL
🔑 Access Control & IAM
v1.0.0 access
View Details

Anonymous Auth Is Not Set To False

spotter-access-002

🔴 CRITICAL
🔑 Access Control & IAM
v1.0.0 access
View Details

Cluster Admin Rolebinding With Superuser Permissions

spotter-access-003

🔴 CRITICAL
🔑 Access Control & IAM
v1.0.0 access
View Details

Audit Policy Not Cover Key Security Concerns

spotter-audit-001

🟠 HIGH
📊 Audit, Logging & Compliance
v1.0.0 audit
View Details

Readiness Probe Not Set

spotter-config-001

🟡 MEDIUM
⚙️ Configuration & Resource Hygiene
v1.0.0 config
View Details

Liveness Probe Not Set

spotter-config-002

🟡 MEDIUM
⚙️ Configuration & Resource Hygiene
v1.0.0 config
View Details

CPU Limits Not Set

spotter-config-003

🟡 MEDIUM
⚙️ Configuration & Resource Hygiene
v1.0.0 config
View Details

CPU Requests Not Set

spotter-config-004

🟡 MEDIUM
⚙️ Configuration & Resource Hygiene
v1.0.0 config
View Details

Memory Limits Not Defined

spotter-config-005

🟡 MEDIUM
⚙️ Configuration & Resource Hygiene
v1.0.0 config
View Details

Memory Requests Not Defined

spotter-config-006

🟡 MEDIUM
⚙️ Configuration & Resource Hygiene
v1.0.0 config
View Details

CronJob Deadline Not Configured

spotter-config-007

🟡 MEDIUM
⚙️ Configuration & Resource Hygiene
v1.0.0 config
View Details

Metadata Label Is Invalid

spotter-config-008

🟢 LOW
⚙️ Configuration & Resource Hygiene
v1.0.0 config
View Details

Incorrect Volume Claim Access Mode ReadWriteOnce

spotter-config-009

🟢 LOW
⚙️ Configuration & Resource Hygiene
v1.0.0 config
View Details

Using Kubernetes Native Secret Management

spotter-data-001

🟢 LOW
🔒 Secrets & Data Security
v1.0.0 data
View Details

Secret Exposed as Environment Variable

spotter-data-002

🟠 HIGH
🔒 Secrets & Data Security
v1.0.0 data
View Details

Service Exposed via NodePort

service-type-is-nodeport

🟡 MEDIUM
🌐 Network & Traffic Security
v1.0.0 network
View Details

Service With External Load Balancer

spotter-network-002

🔴 CRITICAL
🌐 Network & Traffic Security
v1.0.0 network
View Details

Kubelet HTTPS Set To False

spotter-platform-001

🔴 CRITICAL
🏗️ Platform & Infrastructure Security
v1.0.0 platform
View Details

Insecure Bind Address Set

spotter-platform-002

🔴 CRITICAL
🏗️ Platform & Infrastructure Security
v1.0.0 platform
View Details

Invalid Image Tag

spotter-supply-001

🟡 MEDIUM
📦 Supply Chain & Image Security
v1.0.0 supply
View Details

Image Without Digest

spotter-supply-002

🟠 HIGH
📦 Supply Chain & Image Security
v1.0.0 supply
View Details

Image Pull Policy Missing

spotter-supply-003

🟡 MEDIUM
📦 Supply Chain & Image Security
v1.0.0 supply
View Details

Always Pull Images Admission Control Plugin Not Set

spotter-supply-004

🟠 HIGH
📦 Supply Chain & Image Security
v1.0.0 supply
View Details

Container Is Privileged

spotter-workload-001

🔴 CRITICAL
🛡️ Workload & Runtime Security
v1.0.0 workload
View Details

Pod Uses Host Network

spotter-workload-002

🔴 CRITICAL
🛡️ Workload & Runtime Security
v1.0.0 workload
View Details

Shared Host IPC Namespace

spotter-workload-003

🔴 CRITICAL
🛡️ Workload & Runtime Security
v1.0.0 workload
View Details

Shared Host PID Namespace

spotter-workload-004

🔴 CRITICAL
🛡️ Workload & Runtime Security
v1.0.0 workload
View Details

Containers With Sys Admin Capabilities

spotter-workload-005

🔴 CRITICAL
🛡️ Workload & Runtime Security
v1.0.0 workload
View Details

Containers With Added Capabilities

spotter-workload-006

🔴 CRITICAL
🛡️ Workload & Runtime Security
v1.0.0 workload
View Details

NET_RAW Capabilities Not Being Dropped

spotter-workload-007

🔴 CRITICAL
🛡️ Workload & Runtime Security
v1.0.0 workload
View Details

No Drop Capabilities for Containers

spotter-workload-008

🔴 CRITICAL
🛡️ Workload & Runtime Security
v1.0.0 workload
View Details

Volume Mount With OS Directory Write Permissions

spotter-workload-009

🔴 CRITICAL
🛡️ Workload & Runtime Security
v1.0.0 workload
View Details

HostPorts Enabled on Containers

spotter-workload-010

🔴 CRITICAL
🛡️ Workload & Runtime Security
v1.0.0 workload
View Details

Missing AppArmor Profile

spotter-workload-011

🟡 MEDIUM
🛡️ Workload & Runtime Security
v1.0.0 workload
View Details

Pod Without Seccomp Profile

spotter-workload-012

🔴 CRITICAL
🛡️ Workload & Runtime Security
v1.0.0 workload
View Details

Workload Mounting With Sensitive OS Directory

spotter-workload-013

🔴 CRITICAL
🛡️ Workload & Runtime Security
v1.0.0 workload
View Details

HostPath Volume enabled on Containers

spotter-workload-014

🔴 CRITICAL
🛡️ Workload & Runtime Security
v1.0.0 workload
View Details