From 496ec149bc60d6ecb9b022d483768c5b059e29a6 Mon Sep 17 00:00:00 2001 From: LaibaBareera <89480808+LaibaBareera@users.noreply.github.com> Date: Tue, 4 Nov 2025 19:05:33 +0500 Subject: [PATCH] fix: update checks 5.1.1, 5.1.2 and 5.1.4 for CIS 1.9 / CIS 1.10 (#1989) * Fix the issue 1982 * remove the type manual and revert changes of test in each check * fix linter error * changed scored to false for check 5.1.3, 5.1.5, 5.1.6 --- cfg/cis-1.10/policies.yaml | 12 ++++++------ cfg/cis-1.9/policies.yaml | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/cfg/cis-1.10/policies.yaml b/cfg/cis-1.10/policies.yaml index 8d84fc81..ecbc29ec 100644 --- a/cfg/cis-1.10/policies.yaml +++ b/cfg/cis-1.10/policies.yaml @@ -33,7 +33,7 @@ groups: Where possible, first bind users to a lower privileged role and then remove the clusterrolebinding to the cluster-admin role : kubectl delete clusterrolebinding [name] Condition: is_compliant is false if rolename is not cluster-admin and rolebinding is cluster-admin. - scored: true + scored: false - id: 5.1.2 text: "Minimize access to secrets (Automated)" @@ -46,7 +46,7 @@ groups: value: no remediation: | Where possible, remove get, list and watch access to Secret objects in the cluster. - scored: true + scored: false - id: 5.1.3 text: "Minimize wildcard use in Roles and ClusterRoles (Automated)" @@ -93,7 +93,7 @@ groups: objects or actions. Condition: role_is_compliant is false if ["*"] is found in rules. Condition: clusterrole_is_compliant is false if ["*"] is found in rules. - scored: true + scored: false - id: 5.1.4 text: "Minimize access to create pods (Automated)" @@ -107,7 +107,7 @@ groups: value: no remediation: | Where possible, remove create access to pod objects in the cluster. - scored: true + scored: false - id: 5.1.5 text: "Ensure that default service accounts are not actively used (Automated)" audit: | 
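Review bot: Nothing in the `@@ -33,7` hunk records why check 5.1.1 (cluster-admin bindings; its `id`/`text` lines sit above the hunk) is no longer scored, while the neighbouring titles still carry the `(Automated)` wording that in this file otherwise goes with `scored: true`. If this follows kube-bench's convention, a failing unscored check is reported as WARN rather than FAIL, so any pipeline or dashboard that gates on FAIL counts will silently stop flagging cluster-admin misuse, secrets access and pod-create rights after this change. Suggest a comment on the changed line so the downgrade is visible to the next maintainer, e.g. `# Not scored: the automated audit cannot reliably decide compliance (see #1982); failures surface as WARN, not FAIL.`, and the same comment on the other five flipped lines.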
@@ -125,7 +125,7 @@ groups: to the Kubernetes API server. Modify the configuration of each default service account to include this value `automountServiceAccountToken: false`. - scored: true + scored: false - id: 5.1.6 text: "Ensure that Service Account Tokens are only mounted where necessary (Automated)" @@ -158,7 +158,7 @@ groups: Condition: Pod is_compliant to true when - ServiceAccount is automountServiceAccountToken: false and Pod is automountServiceAccountToken: false or notset - ServiceAccount is automountServiceAccountToken: true notset and Pod is automountServiceAccountToken: false - scored: true + scored: false - id: 5.1.7 text: "Avoid use of system:masters group (Manual)" diff --git a/cfg/cis-1.9/policies.yaml b/cfg/cis-1.9/policies.yaml index cc597d16..44968bf8 100644 --- a/cfg/cis-1.9/policies.yaml +++ b/cfg/cis-1.9/policies.yaml @@ -33,7 +33,7 @@ groups: Where possible, first bind users to a lower privileged role and then remove the clusterrolebinding to the cluster-admin role : kubectl delete clusterrolebinding [name] Condition: is_compliant is false if rolename is not cluster-admin and rolebinding is cluster-admin. - scored: true + scored: false - id: 5.1.2 text: "Minimize access to secrets (Automated)" @@ -46,7 +46,7 @@ groups: value: no remediation: | Where possible, remove get, list and watch access to Secret objects in the cluster. - scored: true + scored: false - id: 5.1.3 text: "Minimize wildcard use in Roles and ClusterRoles (Automated)" @@ -93,7 +93,7 @@ groups: objects or actions. Condition: role_is_compliant is false if ["*"] is found in rules. Condition: clusterrole_is_compliant is false if ["*"] is found in rules. - scored: true + scored: false - id: 5.1.4 text: "Minimize access to create pods (Automated)" 
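Review bot: In the cis-1.9 `@@ -93,7` hunk check 5.1.3 (wildcards in Roles/ClusterRoles) is unscored although the subject line names only 5.1.1, 5.1.2 and 5.1.4 and the description gives no reason for extending the change to 5.1.3, 5.1.5 and 5.1.6. The `Condition:` lines visible in this hunk describe a deterministic rule (`["*"]` found in `rules`), which does not obviously share whatever false-positive problem motivated unscoring the other checks, and unscoring it means wildcard grants no longer produce a FAIL. If the same audit-reliability issue applies to 5.1.3, state it in a comment above `scored: false`; otherwise keep `scored: true` for this check in both cis-1.9 and cis-1.10 so the two profiles stay in step.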
@@ -107,7 +107,7 @@ groups: value: no remediation: | Where possible, remove create access to pod objects in the cluster. - scored: true + scored: false - id: 5.1.5 text: "Ensure that default service accounts are not actively used (Automated)" audit: | @@ -125,7 +125,7 @@ groups: to the Kubernetes API server. Modify the configuration of each default service account to include this value `automountServiceAccountToken: false`. - scored: true + scored: false - id: 5.1.6 text: "Ensure that Service Account Tokens are only mounted where necessary (Automated)" @@ -158,7 +158,7 @@ groups: Condition: Pod is_compliant to true when - ServiceAccount is automountServiceAccountToken: false and Pod is automountServiceAccountToken: false or notset - ServiceAccount is automountServiceAccountToken: true notset and Pod is automountServiceAccountToken: false - scored: true + scored: false - id: 5.1.7 text: "Avoid use of system:masters group (Manual)"