prowler-cloud/prowler

Missing documented workload checks in prowler kubernetes scan output

Open

#7,630 opened on Apr 29, 2025

Labels: feature-request, good first issue

Description

New feature motivation

Hi Prowler team 👋,

According to the official documentation on the Prowler website (Kubernetes Policy Index), there are several valuable workload-level checks listed, such as:

  • Ensure liveness probe is configured
  • Ensure readiness probe is configured
  • Ensure CPU request is set
  • Ensure CPU limits are set
  • Ensure memory requests are set
  • Ensure memory limits are set
  • Ensure image tag is set to Fixed – not Latest or Blank

However, when I run prowler kubernetes --list-checks using version v5.5.1, none of these checks appear in the output. Additionally, even after deploying intentionally misconfigured workloads (e.g., missing probes or resource limits), they do not show up in the scan results.

Solution Proposed

These are very important security and reliability best practices, especially for production Kubernetes environments, and it would be great to have them included by default in the scan.

Describe alternatives you've considered

Additional context

Environment:

  • Prowler version: v5.5.1
  • Mode: Kubernetes scan running in-cluster
  • Platform: EKS

Would appreciate any clarification, and happy to help test if needed. Thanks for your great work on this project! 🙌
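
An added example, not part of the original issue and not Prowler code: a minimal Python sketch of the seven workload checks listed above, run against a constructed Deployment manifest. The function names and the sample manifest are hypothetical; it assumes a Pod or a workload whose pod spec sits under `spec.template.spec`.

```python
# Added illustration, not Prowler code; check names follow the issue's list.
def image_tag_is_fixed(image: str) -> bool:
    """True when the image is pinned by digest or by a tag other than 'latest'."""
    if "@" in image:                          # pinned by digest, e.g. app@sha256:...
        return True
    last_segment = image.rsplit("/", 1)[-1]   # ignore a registry host:port prefix
    if ":" not in last_segment:
        return False                          # blank tag resolves to 'latest'
    tag = last_segment.rsplit(":", 1)[1]
    return tag not in ("", "latest")


def audit_container(container: dict) -> list[str]:
    """Return the names of the failed checks for one container spec."""
    res = container.get("resources") or {}
    requests, limits = res.get("requests") or {}, res.get("limits") or {}
    checks = {
        "liveness probe is configured": bool(container.get("livenessProbe")),
        "readiness probe is configured": bool(container.get("readinessProbe")),
        "CPU request is set": "cpu" in requests,
        "CPU limits are set": "cpu" in limits,
        "memory requests are set": "memory" in requests,
        "memory limits are set": "memory" in limits,
        "image tag is fixed": image_tag_is_fixed(container.get("image", "")),
    }
    return [name for name, passed in checks.items() if not passed]


def audit_workload(manifest: dict) -> dict[str, list[str]]:
    """Map container name -> failed checks for a Pod or a templated workload."""
    spec = manifest.get("spec") or {}
    pod_spec = (spec.get("template") or {}).get("spec") or spec
    return {c.get("name", "?"): audit_container(c) for c in pod_spec.get("containers", [])}


# Constructed sample: one misconfigured and one compliant container.
SAMPLE_DEPLOYMENT = {
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "image": "registry.example:5000/web"},
        {"name": "api", "image": "registry.example:5000/api:1.4.2",
         "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
         "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}},
         "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                       "limits": {"cpu": "500m", "memory": "256Mi"}}},
    ]}}}}

if __name__ == "__main__":
    for name, failed in audit_workload(SAMPLE_DEPLOYMENT).items():
        print(name, "FAIL: " + "; ".join(failed) if failed else "PASS")
```

The `web` container fails all seven checks, including the image check, because the colon in `registry.example:5000` is a registry port and not a tag.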
