Limit the use of git-sync to prevent code injection
Description
This policy checks Kubernetes container configurations for the GITSYNC_GIT environment variable, which is read by the git-sync tool and can be abused for code injection: GITSYNC_GIT selects the git executable that git-sync runs, so a manifest that sets it can make the sidecar execute an arbitrary binary in place of git. Limiting the use of git-sync, and of this variable in particular, prevents such code injection attacks. Identifying and removing the variable helps protect your Kubernetes environment from this class of threat.
Code Example
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
    - name: example
      image: example
      env:
        # Remove the GITSYNC_GIT environment variable
        # - name: GITSYNC_GIT
        #   value: "https://example.com"
```
Remediation
Remove or restrict the use of the GITSYNC_GIT environment variable in container configurations to prevent code injection.
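The check this rule performs, as an added example that is not Checkov's own implementation of CKV_K8S_159: it walks the pod spec of every kind the rule covers (Pod, PodTemplate, CronJob and the template-based workloads) and reports each container or init container whose env sets GITSYNC_GIT. Manifests are assumed to be already parsed into dicts, as yaml.safe_load() would produce; the sample manifests and their values are constructed for this example.

```python
# Added example (not Checkov's implementation of CKV_K8S_159): a minimal
# scanner that reports every container setting GITSYNC_GIT. Manifests are
# assumed to be already parsed into dicts, as yaml.safe_load() would produce.
from typing import Any, Dict, List, Tuple

FLAGGED_ENV = "GITSYNC_GIT"


def pod_spec(obj: Dict[str, Any]) -> Dict[str, Any]:
    """Locate the pod spec inside any of the kinds the rule covers."""
    kind = obj.get("kind", "")
    spec = obj.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "PodTemplate":            # template sits at the top level
        return (obj.get("template") or {}).get("spec") or {}
    if kind == "CronJob":                # one extra level: spec.jobTemplate.spec
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    # Deployment, Job, StatefulSet, DaemonSet, ReplicaSet, ...: spec.template.spec
    return (spec.get("template") or {}).get("spec") or {}


def find_gitsync_git(obj: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (container name, value) for each container or init container
    whose env sets GITSYNC_GIT; a valueFrom entry is reported as '<valueFrom>'."""
    hits: List[Tuple[str, str]] = []
    spec = pod_spec(obj)
    for field in ("initContainers", "containers"):
        for container in spec.get(field) or []:
            for env in container.get("env") or []:
                if env.get("name") == FLAGGED_ENV:
                    hits.append((container.get("name", "?"),
                                 env.get("value", "<valueFrom>")))
    return hits


def passes(obj: Dict[str, Any]) -> bool:
    """True when the manifest would pass the rule."""
    return not find_gitsync_git(obj)


# Constructed sample manifests (already parsed); all values are placeholders.
BAD_DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {
    "containers": [{"name": "app", "image": "example"},
                   {"name": "git-sync", "image": "example",
                    "env": [{"name": "GITSYNC_GIT", "value": "/tmp/example-binary"}]}]}}}}
OK_POD = {"kind": "Pod", "spec": {"containers": [
    {"name": "git-sync", "image": "example",
     "env": [{"name": "GITSYNC_REPO", "value": "https://example.com/repo.git"}]}]}}

if __name__ == "__main__":
    print(find_gitsync_git(BAD_DEPLOYMENT))   # [('git-sync', '/tmp/example-binary')]
    print(passes(OK_POD))                     # True
```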
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1191 |
| Severity | HIGH |
| IaC Type | Kubernetes |
| Frameworks | CronJob, DaemonSet, Deployment, DeploymentConfig, Job, Pod, PodTemplate, ReplicaSet, ReplicationController, StatefulSet, kubernetes_deployment, kubernetes_deployment_v1, kubernetes_pod, kubernetes_pod_v1 |
| Checkov ID | CKV_K8S_159 |