bridgecrewio · tsmithv11 · Jun 23, 2024 · Jun 16, 2024 · Jun 17, 2024 · Jun 17, 2024
diff --git a/checkov/kubernetes/checks/resource/k8s/Seccomp.py b/checkov/kubernetes/checks/resource/k8s/Seccomp.py
@@ -52,6 +52,26 @@ def scan_spec_conf(self, conf: dict[str, Any]) -> CheckResult:
             if security_profile:
                 return CheckResult.PASSED if security_profile == 'RuntimeDefault' else CheckResult.FAILED
 
+            if "spec" in conf and isinstance(conf["spec"], dict):
+                template_spec = conf["spec"].get("template", {})
+                if isinstance(template_spec, dict):
+                    template_spec = template_spec.get("spec", {})
+                    if isinstance(template_spec, dict):
+                        containers = template_spec.get("containers")
+                        if containers:
+                            containers = force_list(containers)
+                            num_containers = len(containers)
+                            passed_containers = 0
+                            for container in containers:
+                                security_profile = find_in_dict(container, "securityContext/seccompProfile/type")
+                                if security_profile:
+                                    if security_profile == "RuntimeDefault":
+                                        passed_containers += 1
+                                    else:
+                                        return CheckResult.FAILED
+                            if passed_containers == num_containers:
+                                return CheckResult.PASSED
+
             metadata = find_in_dict(input_dict=conf, key_path="spec/template/metadata")
             if not metadata and "metadata" in conf:
                 metadata = conf["metadata"]

diff --git a/tests/kubernetes/checks/example_Seccomp/template.yaml b/tests/kubernetes/checks/example_Seccomp/template.yaml
@@ -0,0 +1,86 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: fdn-svc
+  name: fdn-svc
+  namespace: aws-dev
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: fdn-svc
+  template:
+    metadata:
+      annotations:
+        checksum/config: 9730118d75e24d06bac70b575dc49f6a75dd23c617198e4346fd6ed449362502
+      labels:
+        app.kubernetes.io/name: fdn-svc
+    spec:
+      containers:
+        - env:
+            - name: APP_PORT
+              value: ''
+            - name: SSU
+              value: ''
+            - name: client_id
+              value: fdn-svc
+            - name: cache
+              value: disabled
+            - name: cache_ttl
+              value: '60'
+            - name: Filter_Attribute_value_separator
+              value: '#'
+            - name: NEW_RELIC_APP_NAME
+              value: ''
+            - name: NEW_RELIC_LICENSE_KEY
+              value: ''
+            - name: PREEMPTIVE_LICENSE_KEY
+              value: ''
+            - name: PREEMPTIVE_USER_EMAIL
+              value: ''
+            - name: DEPENDENCY_CHECK
+              value: 'false'
+            - name: authorization_type
+              value: close
+            - name: RBAC_Support
+              value: enabled
+            - name: TENANT_FILE_PATH
+              value: /secrets
+          image: ''
+          imagePullPolicy: Always
+          name: fdn-svc
+          ports:
+            - containerPort: 8080
+              name: http
+              protocol: TCP
+          resources:
+            limits:
+              cpu: 200m
+              memory: 256Mi
+            requests:
+              cpu: 50m
+              memory: 256Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 65532
+            seccompProfile:
+              type: RuntimeDefault
+          volumeMounts:
+            - mountPath: /secrets
+              name: tenant-config-volume
+              readOnly: true
+      imagePullSecrets:
+        - name: bn-image-pullcreds
+      securityContext:
+        runAsUser: 65532
+      serviceAccountName: fdn-svc
+      volumes:
+        - name: tenant-config-volume
+          secret:
+            secretName: fdn-svc-secret
diff --git a/tests/kubernetes/checks/test_Seccomp.py b/tests/kubernetes/checks/test_Seccomp.py
@@ -19,7 +19,7 @@ def test_summary(self):
         passed_resources = [check.resource for check in report.passed_checks]
         failed_resources = [check.resource for check in report.failed_checks]
 
-        self.assertEqual(summary["passed"], 9)
+        self.assertEqual(summary["passed"], 10)
         self.assertEqual(summary["failed"], 3)
         self.assertEqual(summary["skipped"], 0)
         self.assertEqual(summary["parsing_errors"], 0)
@@ -34,6 +34,7 @@ def test_summary(self):
             "Pod.default.seccomp-passed-security-context",
             "StatefulSet.default.RELEASE-NAME",
             "Pod.default.my-secure-pod",
+            "Deployment.aws-dev.fdn-svc",
         ]
         expected_failed_resources = [
             "Deployment.infra.app-cert-manager",