Security Checks Matrix

All 100+ security checks DeployPilot AI performs across Kubernetes, Terraform, AWS CloudFormation, Azure ARM, GCP, Docker, and CI/CD — mapped to industry compliance frameworks with automated fix suggestions.

Kubernetes Security

CIS Kubernetes Benchmark 1.8 22 checks
Severity Check
CRITICAL Container Running as Root
CRITICAL Privileged Container Detected
CRITICAL ClusterRoleBinding to cluster-admin
HIGH Missing Resource Limits
HIGH Privilege Escalation Not Disabled
HIGH Host Network Enabled
HIGH Host PID Namespace Shared
HIGH Potential Secret in Plain Text
MEDIUM Missing Liveness Probe
MEDIUM Missing Readiness Probe
MEDIUM Using :latest Image Tag
MEDIUM No NetworkPolicy Defined
MEDIUM Writable Root Filesystem
LOW No Namespace Specified
LOW No PodDisruptionBudget
MEDIUM Service Account Token Auto-Mounted
MEDIUM Using Default Service Account
LOW Privileged Port Used
LOW No Pod Anti-Affinity
LOW No Startup Probe
HIGH hostPath Volume Mount
MEDIUM Linux Capabilities Not Dropped

Terraform / AWS

AWS Well-Architected Framework 20 checks
Severity Check
CRITICAL Security Group Open to World
CRITICAL Hardcoded Credentials Detected
HIGH No Remote Backend Configured
HIGH S3 Bucket Without Encryption
HIGH S3 Backend Without State Locking
HIGH RDS Without Deletion Protection
HIGH RDS Without Encryption at Rest
MEDIUM S3 Bucket Without Versioning
MEDIUM Provider Without Version Constraint
MEDIUM Sensitive Variable Not Marked
MEDIUM Access Logging Not Enabled
LOW Resource Missing Tags
MEDIUM No CloudTrail Configuration
HIGH EBS Volume Not Encrypted
LOW Lambda Not in VPC
MEDIUM No Lifecycle prevent_destroy
CRITICAL IAM Policy with Wildcard Actions
CRITICAL RDS Publicly Accessible
MEDIUM No Backup Retention Period
HIGH S3 Public Access Not Blocked

AWS CloudFormation

AWS Well-Architected Framework 12 checks
Severity Check
HIGH CFN: S3 Bucket Without Encryption
HIGH CFN: S3 Public Access Not Blocked
CRITICAL CFN: Security Group Open to World
CRITICAL CFN: IAM Policy with Wildcard Actions
HIGH CFN: IAM Policy with Wildcard Resource
HIGH CFN: No DeletionPolicy on Critical Resource
HIGH CFN: RDS Without Encryption
CRITICAL CFN: RDS Publicly Accessible
MEDIUM CFN: No Logging Configuration
HIGH CFN: EBS Volume Not Encrypted
LOW CFN: Lambda Not in VPC
CRITICAL CFN: Hardcoded Secret Detected

Azure ARM Templates

Azure Security Benchmark 10 checks
Severity Check
HIGH ARM: Storage Account Without HTTPS Enforcement
HIGH ARM: Storage Account Without Encryption
MEDIUM ARM: Public IP Address Assigned
HIGH ARM: No Network Security Group
CRITICAL ARM: NSG Rule Open to World
MEDIUM ARM: No Diagnostic Settings
MEDIUM ARM: SQL Server Without Auditing
HIGH ARM: SQL Server Public Network Access
HIGH ARM: VM Without Disk Encryption
CRITICAL ARM: Hardcoded Secret Detected

GCP Infrastructure

GCP Security Best Practices 12 checks
Severity Check
CRITICAL GCP: Firewall Rule Open to World
CRITICAL GCP: Bucket Publicly Accessible
CRITICAL GCP: Cloud SQL Publicly Accessible
CRITICAL GCP: Hardcoded Secret Detected
CRITICAL GCP: Overly Permissive IAM Role
HIGH GCP: Cloud SQL Without SSL
HIGH GCP: GKE Cluster Without Private Nodes
MEDIUM GCP: Instance with External IP
MEDIUM GCP: Bucket Without Uniform Access
MEDIUM GCP: No Audit Logging Configured
MEDIUM GCP: GKE Without Network Policy
LOW GCP: Resources Without Labels

Dockerfile

Docker CIS Benchmark 12 checks
Severity Check
CRITICAL Secret Exposed in Dockerfile
HIGH Container Runs as Root
MEDIUM Broad COPY Statement
MEDIUM Base Image Uses :latest Tag
MEDIUM Base Image Without Version Tag
LOW Use COPY Instead of ADD
LOW No HEALTHCHECK Instruction
LOW Consider Multi-Stage Build
LOW Too Many Ports Exposed
LOW apt-get Without --no-install-recommends
LOW Ensure .dockerignore Exists
LOW Downloaded Files Not Cleaned Up

CI/CD Pipelines

CI/CD Security Best Practices 12 checks
Severity Check
CRITICAL Hardcoded Secret in Pipeline
HIGH No Container Image Scanning
HIGH No Environment Protection for Deployment
MEDIUM No Test Step in Pipeline
MEDIUM No Pull Request Trigger
MEDIUM Unpinned GitHub Action
LOW No Caching Configured
LOW No Pipeline Timeout
MEDIUM No Static Analysis (SAST/Lint)
HIGH Auto-Deploy Without Approval
MEDIUM Self-Hosted Runner Used
LOW No Artifact Signing

Run All 100+ Checks on Your Code

Supports Kubernetes, Terraform, AWS CloudFormation, Azure ARM, GCP Deployment Manager, Docker, and CI/CD pipelines — get results in seconds with fix suggestions.