Description
SonarQube is a self-managed, automatic code review tool that systematically helps you deliver clean code. As a core element of our Sonar solution, SonarQube integrates into your existing workflow and detects issues in your code to help you perform continuous code inspections of your projects. The tool analyses 30+ different programming languages and integrates into your CI pipeline and DevOps platform to ensure that your code meets high-quality standards.
- https://github.com/SonarSource/helm-chart-sonarqube/tree/master/charts/sonarqube
- https://github.com/SonarSource/docker-sonarqube
- https://github.com/SonarSource/sonarqube
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
| sonarqube-ingress-nginx | default | ✅ | — | 26 | 1 | Critical |
| sonarqube-ingress-nginx-admission | default | ✅ | — | 2 | 2 | Low |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 sonarqube-ingress-nginx
Namespace: default | Automount: ✅
🔑 Permissions (26)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole sonarqube-ingress-nginx | core/secrets | list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
| Role sonarqube-ingress-nginx | core/secrets | get · list · watch | Critical | CredentialAccess DataExposure InformationDisclosure SecretAccess |
| ClusterRole sonarqube-ingress-nginx | core/configmaps | list · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
| Role sonarqube-ingress-nginx | core/configmaps | get · list · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
| ClusterRole sonarqube-ingress-nginx | core/endpoints | list · watch | Low | |
| Role sonarqube-ingress-nginx | core/endpoints | get · list · watch | Low | |
| ClusterRole sonarqube-ingress-nginx | discovery.k8s.io/endpointslices | get · list · watch | Low | |
| Role sonarqube-ingress-nginx | discovery.k8s.io/endpointslices | get · list · watch | Low | |
| ClusterRole sonarqube-ingress-nginx | core/events | create · patch | Low | |
| Role sonarqube-ingress-nginx | core/events | create · patch | Low | |
| ClusterRole sonarqube-ingress-nginx | networking.k8s.io/ingressclasses | get · list · watch | Low | |
| Role sonarqube-ingress-nginx | networking.k8s.io/ingressclasses | get · list · watch | Low | |
| ClusterRole sonarqube-ingress-nginx | networking.k8s.io/ingresses | get · list · watch | Low | |
| Role sonarqube-ingress-nginx | networking.k8s.io/ingresses | get · list · watch | Low | |
| ClusterRole sonarqube-ingress-nginx | networking.k8s.io/ingresses/status | update | Low | |
| Role sonarqube-ingress-nginx | networking.k8s.io/ingresses/status | update | Low | |
| ClusterRole sonarqube-ingress-nginx | coordination.k8s.io/leases | list · watch | Low | |
| Role sonarqube-ingress-nginx | coordination.k8s.io/leases | create | Low | |
| ClusterRole sonarqube-ingress-nginx | core/namespaces | list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
| Role sonarqube-ingress-nginx | core/namespaces | get | Low | |
| ClusterRole sonarqube-ingress-nginx | core/nodes | get · list · watch | Low | |
| ClusterRole sonarqube-ingress-nginx | core/pods | list · watch | Low | |
| Role sonarqube-ingress-nginx | core/pods | get · list · watch | Low | |
| ClusterRole sonarqube-ingress-nginx | core/services | get · list · watch | Low | |
| Role sonarqube-ingress-nginx | core/services | get · list · watch | Low | |
| Role sonarqube-ingress-nginx | coordination.k8s.io/leases (restricted to: sonarqube-ingress-nginx-leader) | get · update | Low | ResourceNameRestricted |
⚠️ Potential Abuse (6)
The following security risks were found based on the above permissions:
- Read secrets cluster-wide
- Read secrets in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- List Namespaces (Cluster Reconnaissance)
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | sonarqube-ingress-nginx-controller | controller | registry.k8s.io/ingress-nginx/controller:v1.14.1@sha256:f95a79b85fb93ac3de752c71a5c27d5ceae10a18b61904dec224c1c6a4581e47 |
🤖 sonarqube-ingress-nginx-admission
Namespace: default | Automount: ✅
🔑 Permissions (2)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role sonarqube-ingress-nginx-admission | core/secrets | create · get | Low | |
| ClusterRole sonarqube-ingress-nginx-admission | admissionregistration.k8s.io/validatingwebhookconfigurations | get · update | Low | |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (2)
| Kind | Name | Container | Image |
|---|---|---|---|
| Job | sonarqube-ingress-nginx-admission-create | create | registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.5@sha256:03a00eb0e255e8a25fa49926c24cde0f7e12e8d072c445cdf5136ec78b546285 |
| Job | sonarqube-ingress-nginx-admission-patch | patch | registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.5@sha256:03a00eb0e255e8a25fa49926c24cde0f7e12e8d072c445cdf5136ec78b546285 |