AVD-KSV-0118 runasnonroot - false positive #9780

si90 · 2025-11-11T09:00:20Z

si90
Nov 11, 2025

IDs

AVD-KSV-0118

Description

If i understand AVD-KSV-0118 correctly, a security context should be set.

However, trivy config --helm-values Chart.yaml . states, that the security context allows root privileges, which is literaly not the case as you can see runAsNonRoot: true:

AVD-KSV-0118 (HIGH): deployment example-deployment in default namespace is using the default security context, which allows root privileges
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Security context controls the allocation of security parameters for the pod/container/volume, ensuring the appropriate level of protection. Relying on default security context may expose vulnerabilities to potential attacks that rely on privileged access.

See https://avd.aquasec.com/misconfig/ksv118
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 templates/example-deployment.yaml:18-46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  18 ┌       imagePullSecrets:
  19 │       - name: docker-registry-secret
  20 │       containers:
  21 │       - name: example-container
  22 │         image: example.com/example-image:@IMPORT_TAG@
  23 │         imagePullPolicy: Always
  24 │         securityContext:
  25 │           allowPrivilegeEscalation: false
  26 └           runAsNonRoot: true                                                                                                                                                                                                                                                                                         
  ..

Reproduction Steps

run `trivy config --helm-values Chart.yaml .` on a local helm chart which contains the following section:


        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          runAsUser: 10000
          capabilities:
            drop:
              - ALL



### Target

Filesystem

### Scanner

Misconfiguration

### Target OS

kali Linux                 kali 6.12.38+kali-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.12.38-1kali1 (2025-08-12) x86_64 GNU/Linux

### Debug Output

```bash
$ trivy config --helm-values Chart.yaml . --debug
2025-11-11T09:40:20+01:00       DEBUG   No plugins loaded
2025-11-11T09:40:20+01:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-11-11T09:40:20+01:00       DEBUG   Cache dir       dir="/home/example/.cache/trivy"
2025-11-11T09:40:20+01:00       DEBUG   Cache dir       dir="/home/example/.cache/trivy"
2025-11-11T09:40:20+01:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-11-11T09:40:20+01:00       INFO    [misconfig] Misconfiguration scanning is enabled
2025-11-11T09:40:20+01:00       DEBUG   [misconfig] Checks successfully loaded from disk
2025-11-11T09:40:20+01:00       DEBUG   [notification] Running version check
2025-11-11T09:40:20+01:00       DEBUG   [notification] Version check completed  latest_version="0.67.2"
2025-11-11T09:40:21+01:00       DEBUG   [rego] Overriding filesystem for checks
2025-11-11T09:40:21+01:00       DEBUG   [rego] Embedded libraries are loaded    count=17
2025-11-11T09:40:21+01:00       DEBUG   [rego] Embedded checks are loaded       count=519
2025-11-11T09:40:21+01:00       DEBUG   [rego] Checks from disk are loaded      count=536
2025-11-11T09:40:21+01:00       DEBUG   [rego] Overriding filesystem for data
2025-11-11T09:40:21+01:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-11-11T09:40:21+01:00       DEBUG   Initializing scan cache...      type="memory"
2025-11-11T09:40:21+01:00       DEBUG   [fs] Analyzing...       root="."
2025-11-11T09:40:21+01:00       DEBUG   Created process-specific temp directory path="/tmp/trivy-11527"
2025-11-11T09:40:21+01:00       DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Helm"
2025-11-11T09:40:21+01:00       DEBUG   [helm scanner] Processing rendered chart file   file_path="templates/secrets.yaml"
2025-11-11T09:40:21+01:00       DEBUG   [rego] Scanning inputs  count=1
2025-11-11T09:40:21+01:00       DEBUG   [helm scanner] Processing rendered chart file   file_path="templates/configmap.yaml"
2025-11-11T09:40:21+01:00       DEBUG   [rego] Scanning inputs  count=1
2025-11-11T09:40:21+01:00       DEBUG   [helm scanner] Processing rendered chart file   file_path="templates/rolebinding.yaml"
2025-11-11T09:40:21+01:00       DEBUG   [rego] Scanning inputs  count=1
2025-11-11T09:40:21+01:00       DEBUG   [helm scanner] Processing rendered chart file   file_path="templates/service.yaml"
2025-11-11T09:40:21+01:00       DEBUG   [rego] Scanning inputs  count=1
2025-11-11T09:40:21+01:00       DEBUG   [helm scanner] Processing rendered chart file   file_path="templates/service.yaml"
2025-11-11T09:40:21+01:00       DEBUG   [rego] Scanning inputs  count=1
2025-11-11T09:40:21+01:00       DEBUG   [helm scanner] Processing rendered chart file   file_path="templates/example-deployment.yaml"
2025-11-11T09:40:21+01:00       DEBUG   [rego] Scanning inputs  count=1
2025-11-11T09:40:21+01:00       DEBUG   [helm scanner] Processing rendered chart file   file_path="templates/example-deployment.yaml"
2025-11-11T09:40:21+01:00       DEBUG   [rego] Scanning inputs  count=1
2025-11-11T09:40:22+01:00       DEBUG   [helm scanner] Processing rendered chart file   file_path="templates/statefulset.yaml"
2025-11-11T09:40:22+01:00       DEBUG   [rego] Scanning inputs  count=1                                                                                                                                                                                                                                                     
2025-11-11T09:40:22+01:00       DEBUG   [helm scanner] Processing rendered chart file   file_path="templates/service.yaml"                                                                                                                                                                                                  
2025-11-11T09:40:22+01:00       DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Kubernetes"                                                                                                                                                                                                        
2025-11-11T09:40:22+01:00       DEBUG   [kubernetes scanner] Scanning files...  count=2                                                                                                                                                                                                                                     
2025-11-11T09:40:22+01:00       DEBUG   [rego] Scanning inputs  count=2                                                                                                                                                                                                                                                     
2025-11-11T09:40:22+01:00       DEBUG   OS is not detected.                                                                                                                                                                                                                                                                 
2025-11-11T09:40:22+01:00       INFO    Detected config files   num=7                                                                                                                                                                                                                                                       
2025-11-11T09:40:22+01:00       DEBUG   Scanned config file     file_path="templates/configmap.yaml"                                                                                                                                                                                                                        
2025-11-11T09:40:22+01:00       DEBUG   Scanned config file     file_path="templates/example-deployment.yaml"                                                                                                                                                                                                           
2025-11-11T09:40:22+01:00       DEBUG   Scanned config file     file_path="templates/example-deployment.yaml"                                                                                                                                                                                                               
2025-11-11T09:40:22+01:00       DEBUG   Scanned config file     file_path="templates/rolebinding.yaml"                                                                                                                                                                                                                      
2025-11-11T09:40:22+01:00       DEBUG   Scanned config file     file_path="templates/secrets.yaml"                                                                                                                                                                                                                          
2025-11-11T09:40:22+01:00       DEBUG   Scanned config file     file_path="templates/service.yaml"                                                                                                                                                                                                                          
2025-11-11T09:40:22+01:00       DEBUG   Scanned config file     file_path="templates/statefulset.yaml"                                                                                                                                                                                                                      
2025-11-11T09:40:22+01:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"                                                                                                                                                                                                                         
2025-11-11T09:40:22+01:00       DEBUG   [vex] VEX filtering is disabled                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                            
Report Summary                                                                                                                                                                                                                                                                                                              
                                                                                                                                                                                                                                                                                                                            
┌───────────────────────────────────────┬────────────┬───────────────────┐                                                                                                                                                                                                                                                  
│                Target                 │    Type    │ Misconfigurations │                                                                                                                                                                                                                                                  
├───────────────────────────────────────┼────────────┼───────────────────┤                                                                                                                                                                                                                                                  
│ templates/configmap.yaml              │ kubernetes │         0         │                                                                                                                                                                                                                                                  
├───────────────────────────────────────┼────────────┼───────────────────┤                                                                                                                                                                                                                                                  
│ templates/example-deployment.yaml │    helm    │         6         │                                                                                                                                                                                                                                                  
├───────────────────────────────────────┼────────────┼───────────────────┤                                                                                                                                                                                                                                                  
│ templates/example-deployment.yaml     │    helm    │         6         │                                                                                                                                                                                                                                                  
├───────────────────────────────────────┼────────────┼───────────────────┤                                                                                                                                                                                                                                                  
│ templates/rolebinding.yaml            │ kubernetes │         0         │                                                                                                                                                                                                                                                  
├───────────────────────────────────────┼────────────┼───────────────────┤                                                                                                                                                                                                                                                  
│ templates/secrets.yaml                │    helm    │         0         │                                                                                                                                                                                                                                                  
├───────────────────────────────────────┼────────────┼───────────────────┤
│ templates/service.yaml                │    helm    │         0         │
├───────────────────────────────────────┼────────────┼───────────────────┤
│ templates/statefulset.yaml            │    helm    │        15         │
└───────────────────────────────────────┴────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


templates/example-deployment.yaml (helm)

Tests: 95 (SUCCESSES: 89, FAILURES: 6)
Failures: 6 (UNKNOWN: 0, LOW: 3, MEDIUM: 1, HIGH: 2, CRITICAL: 0)
[...]

Version

$ trivy --version
Version: dev
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-11-10 12:34:07.197285532 +0000 UTC
  NextUpdate: 2025-11-11 12:34:07.197285292 +0000 UTC
  DownloadedAt: 2025-11-10 16:43:53.833689118 +0000 UTC
Check Bundle:
  Digest: sha256:0491169789b867ae5a7353381220c1d4d97b3a0d6d9dfd84a25d06f0ba68aa93
  DownloadedAt: 2025-11-10 16:48:21.457410277 +0000 UTC

Checklist

Read the documentation regarding wrong detection
Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

AVD-KSV-0118 runasnonroot - false positive #9780

Uh oh!

{{title}}

Uh oh!

Replies: 0 comments

Select a reply

Uh oh!

AVD-KSV-0118 runasnonroot - false positive #9780

Uh oh!

si90 Nov 11, 2025

IDs

Description

Reproduction Steps

Version

Checklist

Replies: 0 comments

si90
Nov 11, 2025