This repository has been archived by the owner on Sep 27, 2023. It is now read-only.

Skan search for 'deployment' readiness and liveness probes #11

Closed
Yehoraz opened this issue Oct 15, 2020 · 3 comments
Comments

Yehoraz commented Oct 15, 2020

Describe the bug
Skan searches for 'deployment' readiness and liveness probes, while they exist only at the pod level.

To Reproduce
Steps to reproduce the behavior:
scan any template containing pod readiness and liveness probes

Expected behavior
check for pod readiness and liveness probes only

Desktop (please complete the following information):

  • OS: linux
  • Version: 0.8.0
Yehoraz added the "bug (Something isn't working)" label on Oct 15, 2020

gadinaor (Contributor) commented:

@Yehoraz can you share a resource example to make sure we are on the same page?

gadinaor added the "question (Further information is requested)" label on Oct 15, 2020

Yehoraz commented Oct 15, 2020

Here is an example of a deployment; you can see the live/read probes are in the container section. I searched the web and, as far as I know and according to what Google searches provide, there will never be live/read checks on a deployment, only on pods.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-nginx-deployment
  labels:
    app: example-nginx
spec:
  replicas: 4
  selector:
    matchLabels:
      app: example-nginx
  template:
    metadata:
      labels:
        app: example-nginx
        env: dev
        tier: devops
    spec:
      containers:
      - name: example-nginx
        image: docker.io/example/nginx-test:example
        ports:
        - containerPort: 80
        readinessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 15
          periodSeconds: 20

gadinaor (Contributor) commented:

It would be useful if you pasted your YAML formatted ... anyway, I used this:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: 'nginx:1.14.2'
          ports:
            - containerPort: 8080
          readinessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 20

and skan generates the following:

<?xml version="1.0" encoding="UTF-8"?>

<testsuites>
	<testsuite tests="0" failures="2" time="" name="">
		<properties></properties>
		<testcase classname="Deployment.apps  nginx-deployment" name="Ops Conformance | Workload Capacity Planning | Ops Conformance" time="0.001">
			<failure message="&#39;Deployment.apps nginx-deployment&#39;, is missing a CPU request or limits definitions" type="Medium"></failure>
		</testcase>
		<testcase classname="Deployment.apps  nginx-deployment" name="Ops Conformance | Workload Capacity Planning | Ops Conformance" time="0.001">
			<failure message="&#39;Deployment.apps nginx-deployment&#39;, is missing Memory request or limits definitions" type="Medium"></failure>
		</testcase>
	</testsuite>
	<testsuite tests="0" failures="1" time="" name="">
		<properties></properties>
		<testcase classname="Deployment.apps  nginx-deployment" name="Workload Software Supply Chain | Image Registry Whitelist | Workload Software Supply Chain" time="0.001">
			<failure message="Verify that the container image(s) used by &#39;Deployment.apps nginx-deployment&#39; provisioned from whitelisted registries - &#39;nginx:1.14.2 in container nginx&#39;" type="High"></failure>
		</testcase>
	</testsuite>
	<testsuite tests="0" failures="5" time="" name="">
		<properties></properties>
		<testcase classname="Deployment.apps  nginx-deployment" name="Pod Security | Workload Hardening | Pod Security" time="0.001">
			<failure message="Force Kubernetes to run containers as a non-root user to ensure least privilege - see container(s): &#39;nginx&#39;&#xA;&#x9;&#x9;&#x9;&#x9;&#x9;&#x9;&#x9;                  &#xA;                                              " type="High"></failure>
		</testcase>
		<testcase classname="Deployment.apps  nginx-deployment" name="Pod Security | Workload Hardening | Pod Security" time="0.001">
			<failure message="An immutable root filesystem can prevent malicious binaries being added or overwrite existing binaries  - container(s): &#39;nginx&#39;&#xA;&#x9;&#x9;&#x9;&#x9;&#x9;&#x9;&#x9;                  &#xA;                                              " type="Medium"></failure>
		</testcase>
		<testcase classname="Deployment.apps  nginx-deployment" name="Pod Security | Workload Hardening | Pod Security" time="0.001">
			<failure message="Set the user id to run the container process. This is the user id of the first process in the container   - container(s): &#39;nginx&#39;&#xA;&#x9;&#x9;&#x9;&#x9;&#x9;&#x9;&#x9;                  &#xA;                                              " type="Medium"></failure>
		</testcase>
		<testcase classname="Deployment.apps  nginx-deployment" name="Pod Security | Workload Hardening | Pod Security" time="0.001">
			<failure message="&#39;Deployment.apps nginx-deployment&#39; - automountServiceAccountToken is not set to &#39;false&#39; in your Pod Spec. Consider reducing Kubernetes API Server access surface by disabling automount of service account. When you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace" type="High"></failure>
		</testcase>
		<testcase classname="Deployment.apps  nginx-deployment" name="Pod Security | Workload Hardening | Pod Security" time="0.001">
			<failure message="&#39;Deployment.apps nginx-deployment&#39; - &#39;In container(s) &#39;nginx&#39; capabilities that should be dropped &#39;AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,MKNOD,NET_BIND_SERVICE,NET_RAW,NET_BROADCAST,SETFCAP,SETGID,SETUID,SETPCAP,SYS_CHROOT,SYS_MODULE,SYS_BOOT,SYS_TIME,SYS_RESOURCE,IPC_LOCK,IPC_OWNER,SYS_PTRACE,BLOCK_SUSPEND&#39; or &#39;ALL&#39; and capabilities that one should avoid adding &#39;&#39; &#39;" type="High"></failure>
		</testcase>
	</testsuite>
</testsuites>

skan analyzes the pod template within your deployment/daemonset/statefulset/cronjob/...

There are no findings on readiness or liveness probes - is there anything I am missing?
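To make the point of the reply concrete, here is a small added example (not skan's code) that does what the maintainer describes: it walks from a workload object down to its pod template and checks the containers there, never the Deployment object itself, for readiness and liveness probes. The kind-to-path table is an assumption drawn from the Kubernetes API layout (CronJob nests its template under jobTemplate), and the two manifests are constructed samples mirroring the nginx Deployment above.

```python
# Path from a workload object down to its PodTemplateSpec, by kind
# (assumed table based on the Kubernetes API layout; not skan's code).
POD_TEMPLATE_PATHS = {"Pod": ()}
for _kind in ("Deployment", "DaemonSet", "StatefulSet", "Job"):
    POD_TEMPLATE_PATHS[_kind] = ("spec", "template")
POD_TEMPLATE_PATHS["CronJob"] = ("spec", "jobTemplate", "spec", "template")

def pod_template(manifest):
    """Return the object holding 'spec.containers', or None if unsupported."""
    path = POD_TEMPLATE_PATHS.get(manifest.get("kind"))
    if path is None:
        return None
    node = manifest
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def probe_findings(manifest):
    """List '<container>: missing <probe>' for each template container.
    The Deployment object itself is never checked for probes, only the
    containers inside its pod template."""
    template = pod_template(manifest)
    if template is None:
        return ["unsupported kind %r" % manifest.get("kind")]
    findings = []
    for c in template.get("spec", {}).get("containers", []):
        for probe in ("readinessProbe", "livenessProbe"):
            if probe not in c:
                findings.append("%s: missing %s" % (c.get("name", "?"), probe))
    return findings

# Constructed sample: the nginx Deployment above as a dict (yaml.safe_load form).
NGINX_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "nginx-deployment"},
    "spec": {"replicas": 3, "template": {"spec": {"containers": [{
        "name": "nginx", "image": "nginx:1.14.2",
        "readinessProbe": {"tcpSocket": {"port": 8080}},
        "livenessProbe": {"tcpSocket": {"port": 8080}}}]}}},
}

# Constructed CronJob: template nested deeper, container lacks a liveness probe.
CRONJOB_NO_LIVENESS = {
    "apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "backup"},
    "spec": {"schedule": "0 * * * *", "jobTemplate": {"spec": {"template": {
        "spec": {"containers": [{"name": "backup", "image": "example/backup:1",
                                 "readinessProbe": {"exec": {"command": ["true"]}}}]}}}}},
}
```

Running probe_findings on the nginx Deployment returns no findings, while the CronJob reports its container as missing a livenessProbe.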

gadinaor removed the "bug (Something isn't working)" label on Oct 15, 2020
gadinaor added the "invalid (This doesn't seem right)" label on Oct 19, 2020