CriticalFile-scope Plug & play

Pods must run as non-root with read-only root filesystem

Set securityContext.runAsNonRoot=true, runAsUser!=0, and readOnlyRootFilesystem=true on pods/containers.

Why this matters

Reduces blast radius and prevents privileged writes if compromised.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

apiVersion: apps/v1
kind: Deployment
spec:
 template:
 spec:
 containers:
 - name: app
 image: app:1.0

Prefer

apiVersion: apps/v1
kind: Deployment
spec:
 template:
 spec:
 securityContext:
 runAsNonRoot: true
 containers:
 - name: app
 image: app:1.0
 securityContext:
 runAsUser: 1000
 readOnlyRootFilesystem: true

More snippets

Good

securityContext:
 runAsNonRoot: true
 runAsUser: 1000

Bad

securityContext:
 runAsUser: 0

Related rules

From the same buckets as this rule.

Critical
Disallow public ingress without explicit allowlist
For Ingress/Service of type LoadBalancer, require host/path allowlist and TLS; forbid 0.0.0.0/0 exposure without WAF or Auth.
infra-as-codesecurity-hardening+1
Critical
Pulumi TS: secrets must use Config.requireSecret
In Pulumi TypeScript programs, load sensitive values with new Config().requireSecret and pass as Secret<T>, never plain strings.
infra-as-codesecrets-credentials+1
High
Default-deny NetworkPolicy required when adding a namespace
If a PR introduces workloads in a namespace that lacks a default-deny NetworkPolicy, add one plus explicit allow rules.
infra-as-codesecurity-hardening+1

Why this matters

Bad vs. good

More snippets

Related rules

Disallow public ingress without explicit allowlist

Pulumi TS: secrets must use Config.requireSecret

Default-deny NetworkPolicy required when adding a namespace

Why this matters

Bad vs. good

More snippets

Related rules

Disallow public ingress without explicit allowlist

Pulumi TS: secrets must use Config.requireSecret

Default-deny NetworkPolicy required when adding a namespace