Security Checks Matrix
All 100+ security checks DeployPilot AI performs across Kubernetes, Terraform, AWS CloudFormation, Azure ARM, GCP, Docker, and CI/CD — mapped to industry compliance frameworks with automated fix suggestions.
Kubernetes Security
CIS Kubernetes Benchmark 1.8 22 checks| Severity | Check |
|---|---|
| CRITICAL | Container Running as Root |
| CRITICAL | Privileged Container Detected |
| CRITICAL | ClusterRoleBinding to cluster-admin |
| HIGH | Missing Resource Limits |
| HIGH | Privilege Escalation Not Disabled |
| HIGH | Host Network Enabled |
| HIGH | Host PID Namespace Shared |
| HIGH | Potential Secret in Plain Text |
| MEDIUM | Missing Liveness Probe |
| MEDIUM | Missing Readiness Probe |
| MEDIUM | Using :latest Image Tag |
| MEDIUM | No NetworkPolicy Defined |
| MEDIUM | Writable Root Filesystem |
| LOW | No Namespace Specified |
| LOW | No PodDisruptionBudget |
| MEDIUM | Service Account Token Auto-Mounted |
| MEDIUM | Using Default Service Account |
| LOW | Privileged Port Used |
| LOW | No Pod Anti-Affinity |
| LOW | No Startup Probe |
| HIGH | hostPath Volume Mount |
| MEDIUM | Linux Capabilities Not Dropped |
Terraform / AWS
AWS Well-Architected Framework 20 checks| Severity | Check |
|---|---|
| CRITICAL | Security Group Open to World |
| CRITICAL | Hardcoded Credentials Detected |
| HIGH | No Remote Backend Configured |
| HIGH | S3 Bucket Without Encryption |
| HIGH | S3 Backend Without State Locking |
| HIGH | RDS Without Deletion Protection |
| HIGH | RDS Without Encryption at Rest |
| MEDIUM | S3 Bucket Without Versioning |
| MEDIUM | Provider Without Version Constraint |
| MEDIUM | Sensitive Variable Not Marked |
| MEDIUM | Access Logging Not Enabled |
| LOW | Resource Missing Tags |
| MEDIUM | No CloudTrail Configuration |
| HIGH | EBS Volume Not Encrypted |
| LOW | Lambda Not in VPC |
| MEDIUM | No Lifecycle prevent_destroy |
| CRITICAL | IAM Policy with Wildcard Actions |
| CRITICAL | RDS Publicly Accessible |
| MEDIUM | No Backup Retention Period |
| HIGH | S3 Public Access Not Blocked |
AWS CloudFormation
AWS Well-Architected Framework 12 checks| Severity | Check |
|---|---|
| HIGH | CFN: S3 Bucket Without Encryption |
| HIGH | CFN: S3 Public Access Not Blocked |
| CRITICAL | CFN: Security Group Open to World |
| CRITICAL | CFN: IAM Policy with Wildcard Actions |
| HIGH | CFN: IAM Policy with Wildcard Resource |
| HIGH | CFN: No DeletionPolicy on Critical Resource |
| HIGH | CFN: RDS Without Encryption |
| CRITICAL | CFN: RDS Publicly Accessible |
| MEDIUM | CFN: No Logging Configuration |
| HIGH | CFN: EBS Volume Not Encrypted |
| LOW | CFN: Lambda Not in VPC |
| CRITICAL | CFN: Hardcoded Secret Detected |
Azure ARM Templates
Azure Security Benchmark 10 checks| Severity | Check |
|---|---|
| HIGH | ARM: Storage Account Without HTTPS Enforcement |
| HIGH | ARM: Storage Account Without Encryption |
| MEDIUM | ARM: Public IP Address Assigned |
| HIGH | ARM: No Network Security Group |
| CRITICAL | ARM: NSG Rule Open to World |
| MEDIUM | ARM: No Diagnostic Settings |
| MEDIUM | ARM: SQL Server Without Auditing |
| HIGH | ARM: SQL Server Public Network Access |
| HIGH | ARM: VM Without Disk Encryption |
| CRITICAL | ARM: Hardcoded Secret Detected |
GCP Infrastructure
GCP Security Best Practices 12 checks| Severity | Check |
|---|---|
| CRITICAL | GCP: Firewall Rule Open to World |
| CRITICAL | GCP: Bucket Publicly Accessible |
| CRITICAL | GCP: Cloud SQL Publicly Accessible |
| CRITICAL | GCP: Hardcoded Secret Detected |
| CRITICAL | GCP: Overly Permissive IAM Role |
| HIGH | GCP: Cloud SQL Without SSL |
| HIGH | GCP: GKE Cluster Without Private Nodes |
| MEDIUM | GCP: Instance with External IP |
| MEDIUM | GCP: Bucket Without Uniform Access |
| MEDIUM | GCP: No Audit Logging Configured |
| MEDIUM | GCP: GKE Without Network Policy |
| LOW | GCP: Resources Without Labels |
Dockerfile
Docker CIS Benchmark 12 checks| Severity | Check |
|---|---|
| CRITICAL | Secret Exposed in Dockerfile |
| HIGH | Container Runs as Root |
| MEDIUM | Broad COPY Statement |
| MEDIUM | Base Image Uses :latest Tag |
| MEDIUM | Base Image Without Version Tag |
| LOW | Use COPY Instead of ADD |
| LOW | No HEALTHCHECK Instruction |
| LOW | Consider Multi-Stage Build |
| LOW | Too Many Ports Exposed |
| LOW | apt-get Without --no-install-recommends |
| LOW | Ensure .dockerignore Exists |
| LOW | Downloaded Files Not Cleaned Up |
CI/CD Pipelines
CI/CD Security Best Practices 12 checks| Severity | Check |
|---|---|
| CRITICAL | Hardcoded Secret in Pipeline |
| HIGH | No Container Image Scanning |
| HIGH | No Environment Protection for Deployment |
| MEDIUM | No Test Step in Pipeline |
| MEDIUM | No Pull Request Trigger |
| MEDIUM | Unpinned GitHub Action |
| LOW | No Caching Configured |
| LOW | No Pipeline Timeout |
| MEDIUM | No Static Analysis (SAST/Lint) |
| HIGH | Auto-Deploy Without Approval |
| MEDIUM | Self-Hosted Runner Used |
| LOW | No Artifact Signing |
Run All 100+ Checks on Your Code
Supports Kubernetes, Terraform, AWS CloudFormation, Azure ARM, GCP Deployment Manager, Docker, and CI/CD pipelines — get results in seconds with fix suggestions.