Skill Being Reviewed
Skill name: container-security
Skill path: skills/cloud/container-security/SKILL.md
False Positive Analysis
Benign code/configuration that can be over-flagged:
```bash
kubectl debug pod/api --image=busybox --target=api
# allowed only to break-glass group, admission logs retained, namespace isolated
```
Why this is a false positive:
`kubectl debug pod/api --image=busybox --target=api` can be safe when compensating evidence is present, but the current skill does not ask reviewers to distinguish that evidence from the risky pattern. The review should require proof of the guardrail before escalating severity.
Coverage Gaps
Missed variant 1:
```yaml
ephemeralContainers:
  - name: debugger
    image: nicolaka/netshoot
    securityContext: { privileged: true, capabilities: { add: ["SYS_ADMIN"] } }
```
Why it should be caught:
This variant leaves a realistic attack path open while still satisfying the current high-level checklist language.
Missed variant 2:
```yaml
apiVersion: v1
kind: Pod
spec:
  shareProcessNamespace: true
  hostPID: true
  containers: [{ name: app, image: app:latest }]
```
Why it should be caught:
This is a common production edge case where policy exists on paper but does not bind the runtime behavior or evidence trail.
Edge Cases
Ephemeral containers are often excluded from normal deployment manifests, so IaC-only review can miss runtime debugging privileges. Some clusters allow kubectl debug even when baseline Pods look restricted.
Remediation Quality
Comparison to Other Tools
| Tool | Catches this? | Notes |
| --- | --- | --- |
| kube-score | Partial | Reviews manifests, but may not see runtime debug RBAC. |
| Kubescape | Partial | Can flag Pod security posture, less direct on ephemeral debug workflows. |
| Admission controllers | Partial | Can enforce, but review must require policy and audit evidence. |
Overall Assessment
Strengths:
The skill already maps well to CIS Docker/Kubernetes hardening concerns.
Needs improvement:
Runtime debug/ephemeral container controls are a gap because they bypass the deployment artifact reviewed by many scanners.
Priority recommendations:
- Add a Kubernetes debug-container section covering ephemeralContainers RBAC and admission.
- Require audit evidence for kubectl debug and break-glass approvals.
- Score privileged debug sessions higher when hostPID, hostNetwork, or broad capabilities are allowed.
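One way to check live cluster state against these recommendations, as an added example that is not part of the reviewed skill or of this report: it scores the ephemeral containers of a Pod object and lists roles that can write the `pods/ephemeralcontainers` subresource used by `kubectl debug`. The score weights, the `RISKY_CAPS` set, the function names and the sample objects are assumptions.

```python
# Added example, not the skill's code. Weights and the capability set are assumptions.
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN", "ALL"}

def debug_findings(pod):
    """Return (score, reasons) for the ephemeral containers of one live Pod object."""
    spec = pod.get("spec", {})
    host = [k for k in ("hostPID", "hostNetwork", "hostIPC") if spec.get(k)]
    score, reasons = 0, []
    for c in spec.get("ephemeralContainers") or []:
        sc = c.get("securityContext") or {}
        caps = set((sc.get("capabilities") or {}).get("add") or []) & RISKY_CAPS
        s = 1  # any debug container: ask for break-glass and audit evidence
        if sc.get("privileged"):
            s += 3
            reasons.append(f"{c['name']}: privileged")
        if caps:
            s += 2
            reasons.append(f"{c['name']}: adds {sorted(caps)}")
        if host and s > 1:
            s += 2  # elevated debug session inside host namespaces
            reasons.append(f"{c['name']}: with {host}")
        score = max(score, s)
    return score, reasons

def debug_grants(roles):
    """Names of Roles/ClusterRoles that can write the pods/ephemeralcontainers subresource."""
    targets = {"pods/ephemeralcontainers", "*/ephemeralcontainers", "*"}
    hits = []
    for role in roles:
        for rule in role.get("rules") or []:
            if targets & set(rule.get("resources", [])) and \
               {"update", "patch", "*"} & set(rule.get("verbs", [])):
                hits.append(role["metadata"]["name"])
                break
    return hits

# Constructed samples shaped like `kubectl get ... -o json` items.
RISKY_POD = {"spec": {"hostPID": True, "ephemeralContainers": [{
    "name": "debugger", "image": "nicolaka/netshoot",
    "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}]}}
PLAIN_POD = {"spec": {"ephemeralContainers": [{"name": "dbg", "image": "busybox"}]}}
ROLES = [
    {"metadata": {"name": "viewer"},
     "rules": [{"resources": ["pods"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "oncall-debug"},
     "rules": [{"resources": ["pods/ephemeralcontainers"], "verbs": ["patch"]}]},
]
if __name__ == "__main__":
    print(debug_findings(RISKY_POD), debug_findings(PLAIN_POD), debug_grants(ROLES))
```

A score of 1 with no reasons corresponds to the plain debug case in the false-positive analysis, where the remaining question is whether break-glass and audit evidence exists.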
Bounty Info