Security Considerations

Our code is continuously scanned with Checkov. The findings below are intentionally left unresolved in this demo; each is documented here for transparency, together with the production remediation:

| Check | Details | Reason |
|---|---|---|
| CKV_TF_1 | Ensure Terraform module sources use a commit hash | For easy experimentation, modules are pinned by version instead of by commit hash. Pin to a commit hash in production. Read more |
| CKV2_K8S_6 | Minimize pods without NetworkPolicy | All Pod-to-Pod communication is allowed for experimentation. Amazon VPC CNI supports Kubernetes Network Policies for production. |
| CKV_K8S_8 | Liveness Probe Should be Configured | No health checks for experimentation. Implement health checks in production. |
| CKV_K8S_9 | Readiness Probe Should be Configured | Same as CKV_K8S_8. |
| CKV_K8S_22 | Use read-only filesystem where possible | Exception for workloads that need a writable filesystem. Configure a read-only root filesystem and mount a scratch volume for the paths that must be written. |
| CKV_K8S_23 | Minimize root containers | Containers run as root by default for demo compatibility. For production, set `runAsNonRoot: true`. |
| CKV_K8S_37 | Minimize containers with capabilities | Exception for workloads that require an added capability. See capabilities guidance. |
| CKV_K8S_40 | Run as high UID | Public container images are used as-is. See how to define the UID. |
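The production settings the table refers to, collected into one manifest as an added example (this is not one of the project's own manifests): a Deployment whose pod and container `securityContext` and probes satisfy CKV_K8S_8, 9, 22, 23, 37 and 40, followed by a default-deny NetworkPolicy and a narrow allow policy for CKV2_K8S_6. The namespace `demo`, the image `public.ecr.aws/example/demo-app:1.2.3`, port 8080, the `/healthz` and `/ready` paths and the `ingress-nginx` namespace are assumptions for illustration.

```yaml
# Added example, not the project's own manifests. Names, image, port,
# probe paths and the ingress namespace are assumptions for illustration.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
  namespace: demo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: demo-app
  template:
    metadata:
      labels:
        app: demo-app
    spec:
      securityContext:
        runAsNonRoot: true        # CKV_K8S_23: kubelet refuses to start a UID 0 process
        runAsUser: 10001          # CKV_K8S_40: high UID, cannot collide with a host account
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: app
          image: public.ecr.aws/example/demo-app:1.2.3   # assumed image
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true   # CKV_K8S_22: image layers cannot be modified at runtime
            capabilities:
              drop: ["ALL"]                # CKV_K8S_37: add back a single capability only when proven necessary
          livenessProbe:                   # CKV_K8S_8: restart a hung process
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 15
          readinessProbe:                  # CKV_K8S_9: keep unready pods out of Service endpoints
            httpGet:
              path: /ready
              port: 8080
            periodSeconds: 5
          volumeMounts:
            # The exception case from the table: a workload that must write
            # gets a scratch volume for that path; the root filesystem stays read-only
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}
---
# CKV2_K8S_6, part 1: an empty podSelector matches every pod in the namespace,
# so with no rules listed all ingress and egress is denied by default
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: demo
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# CKV2_K8S_6, part 2: re-open only what demo-app needs. Egress to cluster DNS
# must be allowed explicitly, otherwise the default-deny above breaks name resolution
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demo-app
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: demo-app
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx   # assumed ingress controller namespace
      ports:
        - port: 8080
          protocol: TCP
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
```

Two caveats when applying this to the public images the table mentions. Setting `runAsUser` at the pod level overrides the image's `USER`, but the image's files must still be readable and executable by UID 10001, and any directory the process writes to (caches, PID files, temp files) needs an `emptyDir` mount like the `/tmp` one above, or the process fails at startup once the root filesystem is read-only. Network policies are only enforced if the Amazon VPC CNI add-on's network policy support is enabled; it is not on by default, so a policy that is merely applied to an un-configured cluster gives no protection while still passing the Checkov check. The remaining row, CKV_TF_1, is fixed on the Terraform side rather than in Kubernetes: reference the module by a Git source with `ref=` set to the full 40-character commit SHA (for example `source = "git::https://github.com/ORG/REPO.git?ref=<commit-sha>"`, with `ORG`, `REPO` and the SHA as placeholders) instead of a version or tag, so the module contents cannot change under you without a change to your own code.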