kics icon indicating copy to clipboard operation
kics copied to clipboard
verified publisher icon Checkmarx

bug(query): wrong query - volume mount with os directory write permissions

Open christian-sahlmann opened this issue 6 months ago • 1 comments

After looking into the details of Volume Mount With OS Directory Write Permissions, I came to the conclusion that this query is incorrect and does not make sense in its current form.

The query checks if the mountPath is at some location where sensitive host files could be located. The problem here is that the mountPath is the "path within the container at which the volume should be mounted" and not related to the location on the host at all.

The correct check would be to verify the hostPath.path.

As the hostPath check is already covered by Workload Mounting With Sensitive OS Directory, I believe that the best solution is to delete the incorrect rule without any replacement.

christian-sahlmann avatar Jul 15 '25 06:07 christian-sahlmann

+1

bbergstrom avatar Jul 28 '25 21:07 bbergstrom