Audit rules reference

This is the reference for every rule chant audit can report. Each finding in a report links to its rule here.

Each rule is tagged with its tier — merge-worthy (a security or correctness issue worth a PR) or report-only (hygiene) — and its fix kind — deterministic (a safe mechanical fix the report can apply as a diff) or guidance (needs a judgement call).

GitHub Actions (GHA)

Also applied to Forgejo workflows, which are GitHub-dialect.

GHA006

Duplicate workflow name — report-only · guidance

Give each workflow a unique name:.

GHA009

Empty matrix dimension — merge-worthy · guidance

Remove the empty matrix axis or give it values; an empty axis produces zero jobs.

GHA011

needs references a non-existent job — merge-worthy · guidance

Fix the needs: target to name a real job.

GHA013

Missing job permissions on a sensitive trigger — merge-worthy · guidance

Add an explicit least-privilege permissions: block to jobs under pull_request_target/workflow_dispatch.

Authority: OSSF Scorecard — Token-Permissions · GitHub — Automatic token authentication

GHA017

No explicit permissions block — merge-worthy · deterministic

Add a top-level permissions: { contents: read } and widen only where a job needs it.

Authority: OSSF Scorecard — Token-Permissions · GitHub — Automatic token authentication

GHA018

pull_request_target checks out untrusted code — merge-worthy · guidance

Don’t check out / run PR head code under pull_request_target; split into a privileged + unprivileged workflow.

Authority: GitHub Security Lab — Preventing pwn requests

GHA019

Circular needs chain — merge-worthy · guidance

Break the cycle in the job dependency graph.

GHA021

actions/checkout not pinned to a SHA — merge-worthy · deterministic

Pin actions/checkout to a full 40-char commit SHA.

Authority: OSSF Scorecard — Pinned-Dependencies · GitHub — Using third-party actions

GHA022

Job without timeout-minutes — report-only · guidance

Add timeout-minutes: to bound runaway jobs.

GHA023

Deprecated ::set-output — report-only · guidance

Replace ::set-output with $GITHUB_OUTPUT.

GHA024

Missing concurrency block — report-only · guidance

Add a concurrency: group to deploy workflows.

GHA025

Unrestricted pull_request_target — merge-worthy · guidance

Gate pull_request_target jobs and avoid running untrusted code with elevated scope.

Authority: GitHub Security Lab — Preventing pwn requests

GHA026

Secret used without environment protection — report-only · guidance

Move secret-consuming jobs behind a protected environment:.

GHA027

Cleanup step without if: always() — report-only · guidance

Add if: always() to cleanup steps.

GHA028

Workflow with no triggers — merge-worthy · guidance

Add an on: trigger; the workflow never runs without one.

GHA029

Action not pinned to a commit SHA — merge-worthy · deterministic

Pin the action to a full commit SHA instead of a tag/branch.

Authority: OSSF Scorecard — Pinned-Dependencies · GitHub — Using third-party actions

GHA030

Container image not pinned to a digest — merge-worthy · deterministic

Pin the image to an immutable @sha256: digest.

Authority: OSSF Scorecard — Pinned-Dependencies

GHA031

Possible action impersonation — merge-worthy · guidance

Verify the action owner/slug; it resembles a well-known action.

Authority: OSSF Scorecard — Pinned-Dependencies

GHA032

Archived/abandoned or vulnerable action — merge-worthy · guidance

Replace the archived action or one with a disclosed security issue.

GHA033

Blanket write-all permissions — merge-worthy · deterministic

Replace write-all with the specific scopes the jobs need (default contents: read).

Authority: OSSF Scorecard — Token-Permissions · GitHub — Automatic token authentication

GHA034

Write permissions granted workflow-wide — merge-worthy · guidance

Move write scopes to the single job that needs them; keep the workflow least-privilege.

Authority: OSSF Scorecard — Token-Permissions · GitHub — Automatic token authentication

GHA035

Elevated token on an untrusted-code trigger — merge-worthy · guidance

Drop the elevated permissions: on triggers that can run untrusted code.

Authority: GitHub Security Lab — Preventing pwn requests · OSSF Scorecard — Token-Permissions

GHA036

Untrusted input interpolated into run: — merge-worthy · guidance

Pass untrusted ${{ }} values via an env: var and reference "$VAR", never inline in the script.

Authority: GitHub — Understanding the risk of script injections

GHA037

Untrusted input written to GITHUB_ENV/GITHUB_PATH — merge-worthy · guidance

Don’t write untrusted input to $GITHUB_ENV/$GITHUB_PATH; sanitize or avoid.

Authority: GitHub — Understanding the risk of script injections

GHA038

workflow_run checks out untrusted code in a privileged context — merge-worthy · guidance

Avoid checking out untrusted code under workflow_run; treat it as privileged.

Authority: GitHub Security Lab — Preventing pwn requests

GHA039

Auth gate on a spoofable author field — merge-worthy · guidance

Gate on a non-spoofable identity, not a commit-author field.

Authority: GitHub Security Lab — Preventing pwn requests

GHA040

Self-hosted runner on an untrusted-code trigger — merge-worthy · guidance

Don’t run untrusted-code triggers on self-hosted runners.

Authority: GitHub Security Lab — Preventing pwn requests

GHA041

Blanket secrets: inherit — merge-worthy · guidance

Pass only the specific secrets the reusable workflow needs.

Authority: GitHub — Using secrets in GitHub Actions

GHA042

Entire secrets context passed — merge-worthy · guidance

Pass named secrets instead of the whole secrets context.

Authority: GitHub — Using secrets in GitHub Actions

GHA043

Secret consumed without an environment gate — merge-worthy · guidance

Put secret-consuming jobs behind a protected environment.

Authority: GitHub — Using secrets in GitHub Actions

GHA044

Hardcoded registry/container credential — merge-worthy · guidance

Remove the hardcoded credential, move it to a secret, and rotate it (responsible disclosure first).

Authority: GitHub — Using secrets in GitHub Actions

GHA045

Secret interpolated into run: — merge-worthy · guidance

Reference secrets via env:, not inline in the shell command.

Authority: GitHub — Understanding the risk of script injections · GitHub — Using secrets in GitHub Actions

GHA046

Constant/unsound guard condition — merge-worthy · guidance

Fix the always-true/false if: — it may neutralize a security gate.

GHA047

Ineffective contains() guard (reversed args) — merge-worthy · guidance

Swap the contains() arguments so the guard actually filters.

GHA048

Obfuscated guard condition — merge-worthy · guidance

Simplify the indirect if: so its effect is reviewable.

GHA049

Persisted checkout credentials reachable by an artifact — merge-worthy · guidance

Use persist-credentials: false or exclude .git from uploaded artifacts.

Authority: GitHub — Using secrets in GitHub Actions

GHA050

Cache populated in a privileged context — merge-worthy · guidance

Don’t populate caches from untrusted code paths (poisoning risk).

Authority: GitHub Security Lab — Preventing pwn requests

GHA051

Long-lived token instead of OIDC — report-only · guidance

Migrate publish/release to OIDC short-lived credentials.

GHA052

Software piped to a shell without verification — merge-worthy · guidance

Verify a checksum/signature before executing fetched scripts.

Authority: OSSF Scorecard — Pinned-Dependencies

GHA053

Re-enables unsafe set-env/add-path — merge-worthy · guidance

Remove ACTIONS_ALLOW_UNSECURE_COMMANDS; use $GITHUB_ENV/$GITHUB_PATH.

Authority: GitHub — Understanding the risk of script injections

GHA054

Feature with a known security footgun — merge-worthy · guidance

Replace the flagged feature with the safe alternative.

GHA055

Runtime install of a tool already on the runner — report-only · guidance

Drop the redundant install to save time.

GHA056

Workflow without a name — report-only · guidance

Add a name: to the workflow.

GHA057

Dependency update can execute untrusted code — merge-worthy · guidance

Disable the option that lets dependency updates run external code.

Authority: GitHub Security Lab — Preventing pwn requests

GHA058

Dependency update has no cooldown window — report-only · guidance

Add a cooldown so new releases aren’t merged instantly.

GitLab CI (WGL)

WGL010

Job references an undefined stage — merge-worthy · guidance

Add the stage to stages: or fix the job’s stage:.

WGL011

Job rules always evaluate to never — merge-worthy · guidance

Fix the rules: so the job can run; it is currently unreachable.

WGL012

Deprecated property — report-only · guidance

Replace the deprecated GitLab CI property.

WGL013

Invalid needs target — merge-worthy · guidance

Fix the dangling/self needs: reference.

WGL014

Invalid extends target — merge-worthy · guidance

Point extends: at a template that exists in the pipeline.

WGL015

Circular needs chain — merge-worthy · guidance

Break the cycle in the job dependency graph.

WGL016

Hardcoded secret in variables — merge-worthy · guidance

Move the secret out of variables: into a masked/protected CI variable and rotate it.

Authority: GitHub — Using secrets in GitHub Actions

WGL017

Insecure (non-HTTPS) registry — merge-worthy · guidance

Use an HTTPS registry endpoint.

WGL018

Missing job timeout — report-only · guidance

Add a timeout: to bound long-running jobs.

WGL019

Missing retry on deploy job — report-only · guidance

Add a retry: strategy to deploy jobs.

WGL020

Duplicate job names — merge-worthy · guidance

Rename so each job resolves to a unique name.

WGL021

Unused global variable — report-only · guidance

Remove the unused global variables: entry.

WGL022

Missing artifacts expiry — report-only · guidance

Add expire_in: to artifacts to avoid disk bloat.

WGL023

Overly broad rules (when: always) — report-only · guidance

Add real conditions to the job’s rules:.

WGL024

Manual job without allow_failure — report-only · guidance

Add allow_failure: true so a manual job doesn’t block the pipeline.

WGL025

Cache without a key — report-only · guidance

Add a cache.key to avoid cross-job cache collisions.

WGL026

Privileged DinD service without TLS — merge-worthy · guidance

Set DOCKER_TLS_CERTDIR for privileged Docker-in-Docker services.

WGL027

Empty script — merge-worthy · guidance

Give the job a non-empty script:; it currently does nothing.

WGL028

Redundant needs — report-only · guidance

Drop needs: already implied by stage ordering.

WGL029

include/component resolved by a moving ref — merge-worthy · guidance

Pin include:project/component to a tag or commit SHA, not a branch.

Authority: OSSF Scorecard — Pinned-Dependencies

WGL030

Insecure or mutable include:remote — merge-worthy · guidance

Use HTTPS and pin the remote include to an immutable ref.

Authority: OSSF Scorecard — Pinned-Dependencies

WGL031

Container image not pinned to a digest — merge-worthy · deterministic

Pin the image to an immutable @sha256: digest.

Authority: OSSF Scorecard — Pinned-Dependencies

WGL032

Possible include/component impersonation — merge-worthy · guidance

Verify the include source; it resembles a well-known project.

Authority: OSSF Scorecard — Pinned-Dependencies

WGL033

OIDC id_token without a scoped audience — merge-worthy · guidance

Set a specific aud: on the OIDC id_token.

Authority: GitHub — Security hardening with OpenID Connect

WGL034

OIDC id_token mintable from a merge-request pipeline — merge-worthy · guidance

Restrict OIDC token minting to protected pipelines.

Authority: GitHub — Security hardening with OpenID Connect · GitHub Security Lab — Preventing pwn requests

WGL035

Untrusted CI variable interpolated into a script — merge-worthy · guidance

Pass untrusted variables via the environment and quote them; don’t inline.

Authority: GitHub — Understanding the risk of script injections

WGL036

Privileged service reachable from merge-request pipelines — merge-worthy · guidance

Block privileged/DinD services on merge-request pipelines.

Authority: GitHub Security Lab — Preventing pwn requests

WGL037

Security gate on an untrusted ref regex — merge-worthy · guidance

Don’t gate security decisions on a regex over an untrusted ref variable.

Authority: GitHub Security Lab — Preventing pwn requests

WGL038

Secret reachable from a merge-request pipeline — merge-worthy · guidance

Scope secret-like variables to protected branches/pipelines.

Authority: GitHub — Using secrets in GitHub Actions · GitHub Security Lab — Preventing pwn requests

WGL039

Secret printed to job logs — merge-worthy · guidance

Stop echoing the secret-like variable; mask it.

Authority: GitHub — Using secrets in GitHub Actions

WGL040

Hardcoded credential in a registry login — merge-worthy · guidance

Move the credential to a masked CI variable and rotate it.

Authority: GitHub — Using secrets in GitHub Actions

WGL041

Tautological rules:if condition — merge-worthy · guidance

Fix the always-true rules:if; it may neutralize a gate.

WGL042

Unreachable rules after an unconditional match — report-only · guidance

Remove the dead rules: entries after the catch-all.

WGL043

Match-anything regex gate in rules:if — merge-worthy · guidance

Tighten the regex; a match-anything gate is no gate.

Authority: GitHub Security Lab — Preventing pwn requests

WGL044

Public artifacts expose build output — merge-worthy · guidance

Mark sensitive artifacts non-public (public: false).

WGL045

Artifact path may capture a credential file — merge-worthy · guidance

Narrow the artifact path so it can’t capture credential files.

Authority: GitHub — Using secrets in GitHub Actions

WGL046

Cache populated in a merge-request pipeline — merge-worthy · guidance

Don’t populate caches from merge-request pipelines (poisoning risk).

Authority: GitHub Security Lab — Preventing pwn requests

WGL047

Software piped to a shell without verification — merge-worthy · guidance

Verify a checksum/signature before executing fetched scripts.

Authority: OSSF Scorecard — Pinned-Dependencies

WGL048

Pipeline without workflow:name — report-only · guidance

Add a workflow:name for clearer pipeline naming.

Forgejo (WFJ)

WFJ010

Unresolved action reference on Forgejo — merge-worthy · guidance

Use an action reference Forgejo can resolve (full URL or a mirrored action).

WFJ011

GitHub-hosted runner label with no Forgejo equivalent — merge-worthy · guidance

Use a runner label your Forgejo instance provides.

Kubernetes (WK8 / ARGO)

Run against Kubernetes manifests.

ARGO002

Argo Application references an undeclared AppProject — merge-worthy · guidance

Declare the named AppProject or reference an existing project.

ARGO003

Argo Application targets an unregistered cluster — merge-worthy · guidance

Point spec.destination at a registered cluster or the in-cluster target.

ARGO005

Argo source.path may not resolve — report-only · guidance

Ensure the source path exists under the build root.

WK8005

Hardcoded secret in env var — merge-worthy · guidance

Use a secretKeyRef instead of a literal value, and rotate the secret.

Authority: Kubernetes — Good practices for Secrets

WK8006

Image uses :latest or no tag — merge-worthy · guidance

Pin the image to an explicit version tag (ideally a digest).

Authority: OSSF Scorecard — Pinned-Dependencies

WK8041

Hardcoded API key in env var — merge-worthy · guidance

Move the key to a Secret and rotate it.

Authority: Kubernetes — Good practices for Secrets

WK8042

Private key stored in a ConfigMap — merge-worthy · guidance

Store private keys in a Secret, not a ConfigMap.

Authority: Kubernetes — Good practices for Secrets

WK8101

Deployment selector does not match template labels — merge-worthy · guidance

Align spec.selector with the pod template labels.

WK8102

Resource missing metadata labels — report-only · guidance

Add metadata labels for filtering and tooling.

WK8103

Container missing name — merge-worthy · guidance

Add the required container name.

WK8104

Container ports not named — report-only · guidance

Name ports for clearer Service/NetworkPolicy config.

WK8105

imagePullPolicy not explicit — report-only · guidance

Set imagePullPolicy explicitly to avoid surprising defaults.

WK8201

Container missing resource limits — report-only · guidance

Set CPU and memory limits.

WK8202

Privileged container — merge-worthy · guidance

Remove privileged: true; grant only the specific capabilities needed.

Authority: Kubernetes — Pod Security Standards

WK8203

Root filesystem is writable — merge-worthy · guidance

Set readOnlyRootFilesystem: true.

Authority: Kubernetes — Pod Security Standards

WK8204

Container may run as root — merge-worthy · guidance

Set runAsNonRoot: true (and a non-zero runAsUser).

Authority: Kubernetes — Pod Security Standards

WK8205

Capabilities not dropped — merge-worthy · guidance

drop: [ALL] and add back only what is required.

Authority: Kubernetes — Pod Security Standards

WK8207

Pod uses host network — merge-worthy · guidance

Remove hostNetwork; it bypasses network isolation.

Authority: Kubernetes — Pod Security Standards

WK8208

Pod shares host PID namespace — merge-worthy · guidance

Remove hostPID.

Authority: Kubernetes — Pod Security Standards

WK8209

Pod shares host IPC namespace — merge-worthy · guidance

Remove hostIPC.

Authority: Kubernetes — Pod Security Standards

WK8301

Container missing probes — report-only · guidance

Add liveness and readiness probes.

WK8302

Deployment has a single replica — report-only · guidance

Use replicas >= 2 for availability.

WK8303

No PodDisruptionBudget for an HA Deployment — report-only · guidance

Add a PDB to protect availability during disruptions.

WK8304

SSL redirect without a certificate — report-only · guidance

Provide a certificate and HTTPS listen-ports for the ssl-redirect annotation.

WK8305

Ingress backend port does not match the Service — merge-worthy · guidance

Point the Ingress backend at a declared Service port.

WK8306

Container command starts with a flag — merge-worthy · guidance

The first command element should be a binary, not a flag.

WK8401

shmSize exceeds the container memory limit — merge-worthy · guidance

Lower shmSize or raise the memory limit so the pod can schedule.

WK8402

RayCluster missing spec.rayVersion — report-only · guidance

Set spec.rayVersion so KubeRay picks the right autoscaler image.

WK8403

rayVersion does not match the head image tag — report-only · guidance

Align spec.rayVersion with the Ray version in the head container image.

Docker (DKRD)

Run against Dockerfiles and Compose files.

DKRD001

Service uses :latest or untagged image — merge-worthy · guidance

Pin the image to an explicit version tag (ideally a digest).

Authority: OSSF Scorecard — Pinned-Dependencies

DKRD002

Named volume declared but unused — report-only · guidance

Remove the unused volume or mount it in a service.

DKRD003

Service exposes SSH (port 22) — merge-worthy · guidance

Don’t expose SSH from a container; use exec/ephemeral access instead.

Authority: Docker — Security best practices

DKRD010

apt-get install without —no-install-recommends — report-only · guidance

Add —no-install-recommends to keep images small.

DKRD011

ADD used where COPY would do — report-only · guidance

Prefer COPY unless fetching a URL or extracting an archive.

DKRD012

No USER instruction — container runs as root — merge-worthy · guidance

Add a non-root USER instruction.

Authority: Docker — Security best practices

AWS CloudFormation (WAW / COR / EXT)

Run against CloudFormation templates (JSON or YAML).

COR020

Circular resource dependency — merge-worthy · guidance

Break the dependency cycle between resources.

EXT001

Extension constraint violation — merge-worthy · guidance

Fix the cross-property constraint flagged by the cfn-lint extension schema.

WAW010

Redundant DependsOn — report-only · guidance

Remove DependsOn already implied by a Ref/GetAtt.

WAW011

Deprecated Lambda runtime — report-only · guidance

Upgrade to a supported Lambda runtime.

WAW013

Child stack exports nothing — merge-worthy · guidance

Add stackOutput() exports the parent can reference.

WAW014

Nested stack outputs never referenced — report-only · guidance

Reference the outputs or split into a separate build.

WAW015

Circular dependency between nested stacks — merge-worthy · guidance

Break the cycle between nested stacks.

WAW016

Deprecated property — report-only · guidance

Replace the deprecated CloudFormation property.

WAW017

Missing tags on a taggable resource — report-only · guidance

Add tags for cost allocation and compliance.

WAW018

S3 bucket missing public access block — merge-worthy · guidance

Add a PublicAccessBlockConfiguration blocking all public access.

Authority: AWS — Security Pillar (Well-Architected)

WAW019

Security group allows unrestricted ingress on a sensitive port — merge-worthy · guidance

Restrict the CIDR on SSH/RDP/database ports to known sources.

Authority: AWS — Security Pillar (Well-Architected)

WAW020

IAM policy uses a wildcard Action — merge-worthy · guidance

Scope the policy to specific actions (least privilege).

Authority: AWS — Security Pillar (Well-Architected)

WAW021

RDS storage not encrypted — merge-worthy · guidance

Enable StorageEncrypted for encryption at rest.

Authority: AWS — Security Pillar (Well-Architected)

WAW022

Lambda has no VpcConfig — report-only · guidance

Consider a VpcConfig for network isolation if the function needs VPC resources.

WAW023

CloudFront has no WAF web ACL — report-only · guidance

Consider attaching a WAF web ACL.

WAW024

ALB access logging disabled — report-only · guidance

Enable access logging for audit trails.

WAW025

SNS topic not encrypted — merge-worthy · guidance

Set KmsMasterKeyId for encryption at rest.

Authority: AWS — Security Pillar (Well-Architected)

WAW026

SQS queue not encrypted — merge-worthy · guidance

Enable SqsManagedSseEnabled or set KmsMasterKeyId.

Authority: AWS — Security Pillar (Well-Architected)

WAW027

DynamoDB point-in-time recovery disabled — report-only · guidance

Enable PITR for recovery.

WAW028

EBS volume not encrypted — merge-worthy · guidance

Enable encryption at rest.

Authority: AWS — Security Pillar (Well-Architected)

WAW029

Invalid DependsOn target — merge-worthy · guidance

Fix the dangling/self DependsOn reference.

WAW030

Missing DependsOn for a known ordering pattern — report-only · guidance

Add the DependsOn the pattern requires.

WAW031

EKS Addon missing ServiceAccountRoleArn — report-only · guidance

Set ServiceAccountRoleArn (IRSA) for addons that need it.

WAW032

EFS transit encryption disabled on Fargate — merge-worthy · guidance

Enable transit encryption for the EFS volume.

Authority: AWS — Security Pillar (Well-Architected)

WAW033

Solr heap exceeds Fargate task memory — merge-worthy · guidance

Lower SOLR_HEAP or raise task memory.

WAW034

Fargate Solr task under-provisioned — report-only · guidance

Allocate >= 2048MB for the Solr task.

WAW035

Solr container missing nofile ulimit — report-only · guidance

Set a nofile ulimit >= 65535.

WAW036

Non-ASCII characters in resource properties — merge-worthy · guidance

Remove non-ASCII characters rejected at changeset time.

WAW037

Null values in resource properties — merge-worthy · guidance

Fix the invalid AttrRef producing null property values.

Azure ARM (AZR)

Run against ARM deployment templates (JSON).

AZR010

Redundant dependsOn — report-only · guidance

Remove dependsOn already implied by reference()/resourceId().

AZR011

Missing or invalid apiVersion — merge-worthy · guidance

Set a valid YYYY-MM-DD apiVersion on every resource.

AZR012

Deprecated API version — report-only · guidance

Move to a current apiVersion.

AZR013

Resource missing location — merge-worthy · guidance

Add the required location property.

AZR014

Storage account allows public blob access — merge-worthy · guidance

Set allowBlobPublicAccess to false.

Authority: Microsoft Cloud Security Benchmark

AZR015

Storage account missing encryption — merge-worthy · guidance

Enable encryption services for data at rest.

Authority: Microsoft Cloud Security Benchmark

AZR016

Key Vault soft-delete not enabled — report-only · guidance

Enable soft-delete.

AZR017

Key Vault purge protection not enabled — report-only · guidance

Enable purge protection.

AZR018

SQL Server missing auditing — report-only · guidance

Enable auditing for compliance and threat detection.

AZR019

SQL database missing TDE — merge-worthy · guidance

Enable Transparent Data Encryption.

Authority: Microsoft Cloud Security Benchmark

AZR020

App Service missing managed identity — report-only · guidance

Enable a system- or user-assigned identity.

AZR021

App Service not HTTPS-only — merge-worthy · guidance

Set httpsOnly to true.

Authority: Microsoft Cloud Security Benchmark

AZR022

App Service min TLS below 1.2 — merge-worthy · guidance

Set minTlsVersion to 1.2+.

Authority: Microsoft Cloud Security Benchmark

AZR023

VM not using a managed disk — report-only · guidance

Use a managed disk.

AZR024

VM missing boot diagnostics — report-only · guidance

Enable boot diagnostics.

AZR025

AKS cluster missing RBAC — report-only · guidance

Enable Kubernetes RBAC.

AZR026

AKS cluster missing network policy — report-only · guidance

Configure a networkPolicy.

AZR027

Container Registry admin user enabled — merge-worthy · guidance

Disable the admin user; use Azure AD / service principals.

Authority: Microsoft Cloud Security Benchmark

AZR028

Network interface missing NSG — report-only · guidance

Associate an NSG to control traffic.

AZR029

Managed disk missing encryption — merge-worthy · guidance

Enable encryption for data at rest.

Authority: Microsoft Cloud Security Benchmark

GCP Config Connector (WGC)

Run against Config Connector (cnrm.cloud.google.com) manifests.

WGC101

Storage/SQL without encryption configuration — merge-worthy · guidance

Configure encryption (e.g. a CMEK key) for data at rest.

Authority: Google Cloud — Security best practices

WGC102

Public IAM member (allUsers/allAuthenticatedUsers) — merge-worthy · guidance

Remove allUsers/allAuthenticatedUsers bindings.

Authority: Google Cloud — Security best practices

WGC103

Missing project-id annotation — report-only · guidance

Add the cnrm.cloud.google.com/project-id annotation.

WGC104

Bucket without uniform bucket-level access — merge-worthy · guidance

Enable uniformBucketLevelAccess.

Authority: Google Cloud — Security best practices

WGC105

Cloud SQL open to 0.0.0.0/0 — merge-worthy · guidance

Restrict authorizedNetworks to known sources.

Authority: Google Cloud — Security best practices

WGC106

Missing deletion-policy annotation — report-only · guidance

Add the cnrm.cloud.google.com/deletion-policy annotation.

WGC107

Bucket versioning disabled — report-only · guidance

Enable object versioning.

WGC108

Cloud SQL backups disabled — report-only · guidance

Enable backup configuration.

WGC109

Firewall open to 0.0.0.0/0 — merge-worthy · guidance

Restrict sourceRanges to known sources.

Authority: Google Cloud — Security best practices

WGC110

KMS key without rotation — merge-worthy · guidance

Set a rotationPeriod on the CryptoKey.

Authority: Google Cloud — Security best practices

WGC111

Reference to an undefined resource — merge-worthy · guidance

Point the reference at a resource in the output.

WGC112

Missing or invalid apiVersion — merge-worthy · guidance

Set a valid cnrm.cloud.google.com apiVersion.

WGC113

Alpha API version — report-only · guidance

Move to a beta/GA API version.

WGC201

Missing managed-by label — report-only · guidance

Add the app.kubernetes.io/managed-by label.

WGC202

Cluster without Workload Identity — merge-worthy · guidance

Enable Workload Identity on the ContainerCluster.

Authority: Google Cloud — Security best practices

WGC203

Node pool uses broad cloud-platform scope — merge-worthy · guidance

Use narrowly-scoped OAuth scopes instead of cloud-platform.

Authority: Google Cloud — Security best practices

WGC204

Compute instance without Shielded VM — report-only · guidance

Enable Shielded VM configuration.

WGC301

No IAMAuditConfig found — report-only · guidance

Configure audit logging via IAMAuditConfig.

WGC302

No Service (enabled APIs) found — report-only · guidance

Declare the GCP APIs you depend on.

WGC303

No VPC Service Controls perimeter — report-only · guidance

Consider an AccessContextManager ServicePerimeter.

WGC401

Unknown field in resource spec — merge-worthy · guidance

Remove the unknown spec field.

WGC402

Missing required spec field — merge-worthy · guidance

Add the required spec field.

WGC403

Spec field has wrong type/structure — merge-worthy · guidance

Fix the field’s type/structure.

Helm (WHM)

Run against Helm charts (Chart.yaml + templates).

WHM005

Sub-chart wrapper with no templates — report-only · guidance

Deploy the upstream chart directly instead of an empty wrapper.

WHM101

Chart.yaml missing required fields — merge-worthy · guidance

Set apiVersion (v2), name, and version in Chart.yaml.

WHM102

Missing values.schema.json — report-only · guidance

Add a values.schema.json to validate values.

WHM103

Invalid Go template syntax — merge-worthy · guidance

Fix the unbalanced template braces.

WHM104

Missing NOTES.txt — report-only · guidance

Add templates/NOTES.txt for application charts.

WHM105

Missing _helpers.tpl — report-only · guidance

Add templates/_helpers.tpl.

WHM201

Missing standard Helm labels — report-only · guidance

Add the recommended app.kubernetes.io labels.

WHM202

Hook weights undefined — report-only · guidance

Define hook weights when multiple hooks exist.

WHM203

Undocumented values — report-only · guidance

Document values via schema or comments.

WHM204

Dependencies pinned, not ranged — report-only · guidance

Use semver ranges for chart dependencies.

WHM301

No Helm test — report-only · guidance

Add at least one Helm test for application charts.

WHM302

Container resources not set — report-only · guidance

Set limits/requests via values or defaults.

WHM401

Container image uses :latest or no tag — merge-worthy · guidance

Pin the image to an explicit version tag.

Authority: OSSF Scorecard — Pinned-Dependencies

WHM402

Container may run as root — merge-worthy · guidance

Set runAsNonRoot in the security context.

Authority: Kubernetes — Pod Security Standards

WHM403

Root filesystem writable — merge-worthy · guidance

Set readOnlyRootFilesystem.

Authority: Kubernetes — Pod Security Standards

WHM404

Privileged container — merge-worthy · guidance

Remove privileged mode.

Authority: Kubernetes — Pod Security Standards

WHM405

Resource specs missing cpu/memory — report-only · guidance

Set cpu and memory in limits/requests.

WHM406

CRDs in crds/ are never upgraded — report-only · guidance

Manage CRD upgrades outside Helm or via a separate chart.

WHM407

Inline Secret data — merge-worthy · guidance

Use ExternalSecret/SealedSecret instead of inline Secret data.

Authority: Kubernetes — Good practices for Secrets

WHM501

Unused values key — report-only · guidance

Remove values defined but never referenced.

WHM502

Deprecated/invalid Kubernetes API version — merge-worthy · guidance

Update to a supported apiVersion.