Description

SonarQube is a self-managed, automatic code review tool that systematically helps you deliver clean code. As a core element of our Sonar solution, SonarQube integrates into your existing workflow and detects issues in your code to help you perform continuous code inspections of your projects. The tool analyses 30+ different programming languages and integrates into your CI pipeline and DevOps platform to ensure that your code meets high-quality standards.

Overview

| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
| sonarqube-ingress-nginx | default | | | 25 | 1 | Critical |
| sonarqube-ingress-nginx-admission | default | | | 2 | 2 | Low |

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.


Identities

🤖 sonarqube-ingress-nginx

Namespace: default  |  Automount:

🔑 Permissions (25)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role sonarqube-ingress-nginx | core/secrets | get · list · watch | Critical | CredentialAccess DataExposure InformationDisclosure SecretAccess |
| Role sonarqube-ingress-nginx | core/configmaps | get · list · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
| ClusterRole sonarqube-ingress-nginx | core/configmaps | list · watch | Low | |
| ClusterRole sonarqube-ingress-nginx | core/endpoints | list · watch | Low | |
| Role sonarqube-ingress-nginx | core/endpoints | get · list · watch | Low | |
| ClusterRole sonarqube-ingress-nginx | discovery.k8s.io/endpointslices | get · list · watch | Low | |
| Role sonarqube-ingress-nginx | discovery.k8s.io/endpointslices | get · list · watch | Low | |
| ClusterRole sonarqube-ingress-nginx | core/events | create · patch | Low | |
| Role sonarqube-ingress-nginx | core/events | create · patch | Low | |
| ClusterRole sonarqube-ingress-nginx | networking.k8s.io/ingressclasses | get · list · watch | Low | |
| Role sonarqube-ingress-nginx | networking.k8s.io/ingressclasses | get · list · watch | Low | |
| ClusterRole sonarqube-ingress-nginx | networking.k8s.io/ingresses | get · list · watch | Low | |
| Role sonarqube-ingress-nginx | networking.k8s.io/ingresses | get · list · watch | Low | |
| ClusterRole sonarqube-ingress-nginx | networking.k8s.io/ingresses/status | update | Low | |
| Role sonarqube-ingress-nginx | networking.k8s.io/ingresses/status | update | Low | |
| ClusterRole sonarqube-ingress-nginx | coordination.k8s.io/leases | list · watch | Low | |
| Role sonarqube-ingress-nginx | coordination.k8s.io/leases | create · get · update | Low | |
| ClusterRole sonarqube-ingress-nginx | core/namespaces | list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
| Role sonarqube-ingress-nginx | core/namespaces | get | Low | |
| ClusterRole sonarqube-ingress-nginx | core/nodes | get · list · watch | Low | |
| ClusterRole sonarqube-ingress-nginx | core/pods | list · watch | Low | |
| Role sonarqube-ingress-nginx | core/pods | get · list · watch | Low | |
| ClusterRole sonarqube-ingress-nginx | core/secrets | list · watch | Low | |
| ClusterRole sonarqube-ingress-nginx | core/services | get · list · watch | Low | |
| Role sonarqube-ingress-nginx | core/services | get · list · watch | Low | |

⚠️ Potential Abuse (4)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | sonarqube-ingress-nginx-controller | controller | registry.k8s.io/ingress-nginx/controller:v1.12.1@sha256:d2fbc4ec70d8aa2050dd91a91506e998765e86c96f32cffb56c503c9c34eed5b |

🤖 sonarqube-ingress-nginx-admission

Namespace: default  |  Automount:

🔑 Permissions (2)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role sonarqube-ingress-nginx-admission | core/secrets | create · get | Low | |
| ClusterRole sonarqube-ingress-nginx-admission | admissionregistration.k8s.io/validatingwebhookconfigurations | get · update | Low | |

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (2)

| Kind | Name | Container | Image |
|---|---|---|---|
| Job | sonarqube-ingress-nginx-admission-create | create | registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.2@sha256:e8825994b7a2c7497375a9b945f386506ca6a3eda80b89b74ef2db743f66a5ea |
| Job | sonarqube-ingress-nginx-admission-patch | patch | registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.2@sha256:e8825994b7a2c7497375a9b945f386506ca6a3eda80b89b74ef2db743f66a5ea |