release: prepare-0.12 (#1929)

* release: prepare-0.12

* fix

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.24.5 AS build
+FROM golang:1.25.0 AS build
 WORKDIR /go/src/github.com/aquasecurity/kube-bench/
 COPY makefile makefile
 COPY go.mod go.sum ./

Dockerfile.fips.ubi

@@ -1,4 +1,4 @@
-FROM golang:1.24.5 AS build
+FROM golang:1.25.0 AS build
 WORKDIR /go/src/github.com/aquasecurity/kube-bench/
 COPY makefile makefile
 COPY go.mod go.sum ./

Dockerfile.ubi

@@ -1,4 +1,4 @@
-FROM golang:1.24.5 AS build
+FROM golang:1.25.0 AS build
 WORKDIR /go/src/github.com/aquasecurity/kube-bench/
 COPY makefile makefile
 COPY go.mod go.sum ./

cfg/config.yaml

@@ -423,6 +423,12 @@ target_mapping:
     - "controlplane"
     - "policies"
     - "managedservices"
+  "eks-1.7.0":
+    - "master"
+    - "node"
+    - "controlplane"
+    - "policies"
+    - "managedservices"
   "rh-0.7":
     - "master"
     - "node"

cfg/eks-1.7.0/config.yaml

@@ -0,0 +1,9 @@
+---
+## Version-specific settings that override the values in cfg/config.yaml
+## These settings are required if you are using the --asff option to report findings to AWS Security Hub
+## AWS account number is required.
+AWS_ACCOUNT: "<AWS_ACCT_NUMBER>"
+## AWS region is required.
+AWS_REGION: "<AWS_REGION>"
+## EKS Cluster ARN is required.
+CLUSTER_ARN: "<AWS_CLUSTER_ARN>"

cfg/eks-1.7.0/controlplane.yaml

@@ -0,0 +1,69 @@
+---
+controls:
+version: "eks-1.7.0"
+id: 2
+text: "Control Plane Configuration"
+type: "controlplane"
+groups:
+  - id: 2.1
+    text: "Logging"
+    checks:
+      - id: 2.1.1
+        text: "Enable audit Logs (Manual)"
+        type: manual
+        remediation: |
+          From Console:
+          1.  For each EKS Cluster in each region;
+          2.  Go to 'Amazon EKS' > 'Clusters' > '' > 'Configuration' > 'Logging'.
+          3.  Click 'Manage logging'.
+          4.  Ensure that all options are toggled to 'Enabled'.
+                API server: Enabled
+                Audit: Enabled
+                Authenticator: Enabled
+                Controller manager: Enabled
+                Scheduler: Enabled
+          5.  Click 'Save Changes'.
+
+          From CLI:
+          # For each EKS Cluster in each region;
+          aws eks update-cluster-config \
+            --region '${REGION_CODE}' \
+            --name '${CLUSTER_NAME}' \
+            --logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'
+        scored: false
+
+      - id: 2.1.2
+        text: "Ensure audit logs are collected and managed (Manual)"
+        type: manual
+        remediation: |
+          Create or update the audit-policy.yaml to specify the audit logging configuration:
+          apiVersion: audit.k8s.io/v1
+          kind: Policy
+          rules:
+            - level: Metadata
+              resources:
+                - group: ""
+                  resources: ["pods"]
+          Apply the audit policy configuration to the cluster:
+            kubectl apply -f <path-to-audit-policy>.yaml
+          Ensure audit logs are forwarded to a centralized logging system like CloudWatch, Elasticsearch, or another log management solution:
+            kubectl create configmap cluster-audit-policy --from-file=audit-policy.yaml -n kube-system
+            kubectl apply -f - <<EOF
+          apiVersion: v1
+          kind: Pod
+          metadata:
+            name: audit-logging
+            namespace: kube-system
+          spec:
+            containers:
+              - name: audit-log-forwarder
+                image: my-log-forwarder-image
+                volumeMounts:
+                  - mountPath: /etc/kubernetes/audit
+                    name: audit-config
+            volumes:
+              - name: audit-config
+                configMap:
+                  name: cluster-audit-policy
+            EOF
+        scored: false

cfg/eks-1.7.0/managedservices.yaml

@@ -0,0 +1,227 @@
+---
+controls:
+version: "eks-1.7.0"
+id: 5
+text: "Managed Services"
+type: "managedservices"
+groups:
+  - id: 5.1
+    text: "Image Registry and Image Scanning"
+    checks:
+      - id: 5.1.1
+        text: "Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider (Manual)"
+        type: "manual"
+        remediation: |
+          To utilize AWS ECR for Image scanning please follow the steps below:
+
+          To create a repository configured for scan on push (AWS CLI):
+          aws ecr create-repository --repository-name $REPO_NAME --image-scanning-configuration scanOnPush=true --region $REGION_CODE
+
+          To edit the settings of an existing repository (AWS CLI):
+          aws ecr put-image-scanning-configuration --repository-name $REPO_NAME --image-scanning-configuration scanOnPush=true --region $REGION_CODE
+
+          Use the following steps to start a manual image scan using the AWS Management Console.
+
+          1.  Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
+          2.  From the navigation bar, choose the Region to create your repository in.
+          3.  In the navigation pane, choose Repositories.
+          4.  On the Repositories page, choose the repository that contains the image to scan.
+          5.  On the Images page, select the image to scan and then choose Scan.
+        scored: false
+
+      - id: 5.1.2
+        text: "Minimize user access to Amazon ECR (Manual)"
+        type: "manual"
+        remediation: |
+          Before you use IAM to manage access to Amazon ECR, you should understand what IAM features
+          are available to use with Amazon ECR. To get a high-level view of how Amazon ECR and other
+          AWS services work with IAM, see AWS Services That Work with IAM in the IAM User Guide.
+        scored: false
+
+      - id: 5.1.3
+        text: "Minimize cluster access to read-only for Amazon ECR (Manual)"
+        type: "manual"
+        remediation: |
+          You can use your Amazon ECR images with Amazon EKS, but you need to satisfy the following prerequisites.
+
+          The Amazon EKS worker node IAM role (NodeInstanceRole) that you use with your worker nodes must possess
+          the following IAM policy permissions for Amazon ECR.
+
+          {
+              "Version": "2012-10-17",
+              "Statement": [
+                  {
+                      "Effect": "Allow",
+                      "Action": [
+                          "ecr:BatchCheckLayerAvailability",
+                          "ecr:BatchGetImage",
+                          "ecr:GetDownloadUrlForLayer",
+                          "ecr:GetAuthorizationToken"
+                      ],
+                      "Resource": "*"
+                  }
+              ]
+          }
+        scored: false
+
+      - id: 5.1.4
+        text: "Minimize Container Registries to only those approved (Manual)"
+        type: "manual"
+        remediation: |
+          To minimize AWS ECR container registries to only those approved, you can follow these steps:
+
+          1.  Define your approval criteria: Determine the criteria that containers must meet to
+              be considered approved. This can include factors such as security, compliance,
+              compatibility, and other requirements.
+          2.  Identify all existing ECR registries: Identify all ECR registries that are currently
+              being used in your organization.
+          3.  Evaluate ECR registries against approval criteria: Evaluate each ECR registry
+              against your approval criteria to determine whether it should be approved or not.
+              This can be done by reviewing the registry settings and configuration, as well as
+              conducting security assessments and vulnerability scans.
+          4.  Establish policies and procedures: Establish policies and procedures that outline
+              how ECR registries will be approved, maintained, and monitored. This should
+              include guidelines for developers to follow when selecting a registry for their
+              container images.
+          5.  Implement access controls: Implement access controls to ensure that only
+              approved ECR registries are used to store and distribute container images. This
+              can be done by setting up IAM policies and roles that restrict access to
+              unapproved registries or create a whitelist of approved registries.
+          6.  Monitor and review: Continuously monitor and review the use of ECR registries
+              to ensure that they continue to meet your approval criteria. This can include
+        scored: false
+
+  - id: 5.2
+    text: "Identity and Access Management (IAM)"
+    checks:
+      - id: 5.2.1
+        text: "Prefer using dedicated Amazon EKS Service Accounts (Manual)"
+        type: "manual"
+        remediation: |
+          With IAM roles for service accounts on Amazon EKS clusters, you can associate an
+          IAM role with a Kubernetes service account. This service account can then provide
+          AWS permissions to the containers in any pod that uses that service account. With this
+          feature, you no longer need to provide extended permissions to the worker node IAM
+          role so that pods on that node can call AWS APIs.
+          Applications must sign their AWS API requests with AWS credentials. This feature
+          provides a strategy for managing credentials for your applications, similar to the way
+          that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances.
+          Instead of creating and distributing your AWS credentials to the containers or using the
+          Amazon EC2 instance’s role, you can associate an IAM role with a Kubernetes service
+          account. The applications in the pod’s containers can then use an AWS SDK or the
+          AWS CLI to make API requests to authorized AWS services.
+
+          The IAM roles for service accounts feature provides the following benefits:
+
+          - Least privilege - By using the IAM roles for service accounts feature, you no
+            longer need to provide extended permissions to the worker node IAM role so that
+            pods on that node can call AWS APIs. You can scope IAM permissions to a
+            service account, and only pods that use that service account have access to
+            those permissions. This feature also eliminates the need for third-party solutions
+            such as kiam or kube2iam.
+          - Credential isolation - A container can only retrieve credentials for the IAM role
+            that is associated with the service account to which it belongs. A container never
+            has access to credentials that are intended for another container that belongs to
+            another pod.
+          - Audit-ability - Access and event logging is available through CloudTrail to help
+            ensure retrospective auditing.
+        scored: false
+
+  - id: 5.3
+    text: "AWS EKS Key Management Service"
+    checks:
+      - id: 5.3.1
+        text: "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Manual)"
+        type: "manual"
+        remediation: |
+          This process can only be performed during Cluster Creation.
+
+          Enable 'Secrets Encryption' during Amazon EKS cluster creation as described
+          in the links within the 'References' section.
+        scored: false
+
+  - id: 5.4
+    text: "Cluster Networking"
+    checks:
+      - id: 5.4.1
+        text: "Restrict Access to the Control Plane Endpoint (Manual)"
+        type: "manual"
+        remediation: |
+          By enabling private endpoint access to the Kubernetes API server, all communication
+          between your nodes and the API server stays within your VPC. You can also limit the IP
+          addresses that can access your API server from the internet, or completely disable
+          internet access to the API server.
+          With this in mind, you can update your cluster accordingly using the AWS CLI to ensure
+          that Private Endpoint Access is enabled.
+          If you choose to also enable Public Endpoint Access then you should also configure a
+          list of allowable CIDR blocks, resulting in restricted access from the internet. If you
+          specify no CIDR blocks, then the public API server endpoint is able to receive and
+          process requests from all IP addresses by defaulting to ['0.0.0.0/0'].
+          For example, the following command would enable private access to the Kubernetes
+          API as well as limited public access over the internet from a single IP address (noting
+          the /32 CIDR suffix):
+          aws eks update-cluster-config --region $AWS_REGION --name $CLUSTER_NAME --resources-vpc-config endpointPrivateAccess=true,endpointPrivateAccess=true,publicAccessCidrs="203.0.113.5/32"
+
+          Note: The CIDR blocks specified cannot include reserved addresses.
+          There is a maximum number of CIDR blocks that you can specify. For more information,
+          see the EKS Service Quotas link in the references section.
+          For more detailed information, see the EKS Cluster Endpoint documentation link in the
+          references section.
+        scored: false
+
+      - id: 5.4.2
+        text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)"
+        type: "manual"
+        remediation: |
+          By enabling private endpoint access to the Kubernetes API server, all communication
+          between your nodes and the API server stays within your VPC.
+          With this in mind, you can update your cluster accordingly using the AWS CLI to ensure
+          that Private Endpoint Access is enabled.
+          For example, the following command would enable private access to the Kubernetes
+          API and ensure that no public access is permitted:
+          aws eks update-cluster-config --region $AWS_REGION --name $CLUSTER_NAME --resources-vpc-config endpointPrivateAccess=true,endpointPublicAccess=false
+
+          Note: For more detailed information, see the EKS Cluster Endpoint documentation link
+          in the references section.
+        scored: false
+
+      - id: 5.4.3
+        text: "Ensure clusters are created with Private Nodes (Manual)"
+        type: "manual"
+        remediation: |
+          aws eks update-cluster-config \
+            --region region-code \
+            --name my-cluster \
+            --resources-vpc-config endpointPublicAccess=true,publicAccessCidrs="203.0.113.5/32",endpointPrivateAccess=true
+        scored: false
+
+      - id: 5.4.4
+        text: "Ensure Network Policy is Enabled and set as appropriate (Manual)"
+        type: "manual"
+        remediation: |
+          Utilize Calico or other network policy engine to segment and isolate your traffic.
+        scored: false
+
+      - id: 5.4.5
+        text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Manual)"
+        type: "manual"
+        remediation: |
+          Your load balancer vendor can provide details on configuring HTTPS with TLS.
+        scored: false
+
+
+  - id: 5.5
+    text: "Authentication and Authorization"
+    checks:
+      - id: 5.5.1
+        text: "Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes or Upgrade to AWS CLI v1.16.156 or greater (Manual)"
+        type: "manual"
+        remediation: |
+          Refer to the 'Managing users or IAM roles for your cluster' in Amazon EKS documentation.
+
+          Note: If using AWS CLI version 1.16.156 or later there is no need to install the AWS
+          IAM Authenticator anymore.
+          The relevant AWS CLI commands, depending on the use case, are:
+          aws eks update-kubeconfig
+          aws eks get-token
+        scored: false

cfg/eks-1.7.0/master.yaml

@@ -0,0 +1,6 @@
+---
+controls:
+version: "eks-1.7.0"
+id: 1
+text: "Control Plane Components"
+type: "master"

cfg/eks-1.7.0/node.yaml

@@ -0,0 +1,452 @@
+---
+controls:
+version: "eks-1.7.0"
+id: 3
+text: "Worker Nodes"
+type: "node"
+groups:
+  - id: 3.1
+    text: "Worker Node Configuration Files"
+    checks:
+      - id: 3.1.1
+        text: "Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Automated)"
+        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
+        tests:
+          test_items:
+            - flag: "permissions"
+              compare:
+                op: bitmask
+                value: "644"
+        remediation: |
+          Run the below command (based on the file location on your system) on the each worker node.
+          For example,
+          chmod 644 $kubeletkubeconfig
+        scored: true
+
+      - id: 3.1.2
+        text: "Ensure that the kubelet kubeconfig file ownership is set to root:root (Automated)"
+        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
+        tests:
+          test_items:
+            - flag: root:root
+        remediation: |
+          Run the below command (based on the file location on your system) on the each worker node.
+          For example,
+          chown root:root $kubeletkubeconfig
+        scored: true
+
+      - id: 3.1.3
+        text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Automated)"
+        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
+        tests:
+          test_items:
+            - flag: "permissions"
+              compare:
+                op: bitmask
+                value: "644"
+        remediation: |
+          Run the following command (using the config file location identified in the Audit step)
+          chmod 644 $kubeletconf
+        scored: true
+
+      - id: 3.1.4
+        text: "Ensure that the kubelet configuration file ownership is set to root:root (Automated)"
+        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
+        tests:
+          test_items:
+            - flag: root:root
+        remediation: |
+          Run the following command (using the config file location identified in the Audit step)
+          chown root:root $kubeletconf
+        scored: true
+
+  - id: 3.2
+    text: "Kubelet"
+    checks:
+      - id: 3.2.1
+        text: "Ensure that the Anonymous Auth is Not Enabled (Automated)"
+        audit: "/bin/ps -fC $kubeletbin"
+        audit_config: "/bin/cat $kubeletconf"
+        tests:
+          test_items:
+            - flag: "--anonymous-auth"
+              path: '{.authentication.anonymous.enabled}'
+              set: true
+              compare:
+                op: eq
+                value: false
+        remediation: |
+          Remediation Method 1:
+          If configuring via the Kubelet config file, you first need to locate the file.
+          To do this, SSH to each node and execute the following command to find the kubelet
+          process:
+          ps -ef | grep kubelet
+          The output of the above command provides details of the active kubelet process, from
+          which we can see the location of the configuration file provided to the kubelet service
+          with the --config argument. The file can be viewed with a command such as more or
+          less, like so:
+          sudo less /path/to/kubelet-config.json
+          Disable Anonymous Authentication by setting the following parameter:
+          "authentication": { "anonymous": { "enabled": false } }
+
+          Remediation Method 2.
+          If using executable arguments, edit the kubelet service file on each worker node and
+          ensure the below parameters are part of the KUBELET_ARGS variable string.
+          For systems using systemd, such as the Amazon EKS Optimised Amazon Linux or
+          Bottlerocket AMIs, then this file can be found at
+          /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf. Otherwise,
+          you may need to look up documentation for your chosen operating system to determine
+          which service manager is configured:
+          --anonymous-auth=false
+
+          For Both Remediation Steps:
+          Based on your system, restart the kubelet service and check the service status.
+          The following example is for operating systems using systemd, such as the Amazon
+          EKS Optimised Amazon Linux or Bottlerocket AMIs, and invokes the systemctl
+          command. If systemctl is not available then you will need to look up documentation for
+          your chosen operating system to determine which service manager is configured:
+          systemctl daemon-reload
+          systemctl restart kubelet.service
+          systemctl status kubelet -l
+        scored: true
+
+      - id: 3.2.2
+        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
+        audit: "/bin/ps -fC $kubeletbin"
+        audit_config: "/bin/cat $kubeletconf"
+        tests:
+          test_items:
+            - flag: --authorization-mode
+              path: '{.authorization.mode}'
+              set: true
+              compare:
+                op: nothave
+                value: AlwaysAllow
+        remediation: |
+          Remediation Method 1:
+          If configuring via the Kubelet config file, you first need to locate the file.
+          To do this, SSH to each node and execute the following command to find the kubelet
+          process:
+          ps -ef | grep kubelet
+          The output of the above command provides details of the active kubelet process, from
+          which we can see the location of the configuration file provided to the kubelet service
+          with the --config argument. The file can be viewed with a command such as more or
+          less, like so:
+          sudo less /path/to/kubelet-config.json
+          Enable Webhook Authentication by setting the following parameter:
+          "authentication": { "webhook": { "enabled": true } }
+          Next, set the Authorization Mode to Webhook by setting the following parameter:
+          "authorization": { "mode": "Webhook }
+          Finer detail of the authentication and authorization fields can be found in the
+          Kubelet Configuration documentation.
+
+          Remediation Method 2:
+          If using executable arguments, edit the kubelet service file on each worker node and
+          ensure the below parameters are part of the KUBELET_ARGS variable string.
+          For systems using systemd, such as the Amazon EKS Optimised Amazon Linux or
+          Bottlerocket AMIs, then this file can be found at
+          /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf. Otherwise,
+          you may need to look up documentation for your chosen operating system to determine
+          which service manager is configured:
+          --authentication-token-webhook
+          --authorization-mode=Webhook
+
+          For Both Remediation Steps:
+          Based on your system, restart the kubelet service and check the service status.
+          The following example is for operating systems using systemd, such as the Amazon
+          EKS Optimised Amazon Linux or Bottlerocket AMIs, and invokes the systemctl
+          command. If systemctl is not available then you will need to look up documentation for
+          your chosen operating system to determine which service manager is configured:
+          systemctl daemon-reload
+          systemctl restart kubelet.service
+          systemctl status kubelet -l
+        scored: true
+
+      - id: 3.2.3
+        text: "Ensure that a Client CA File is Configured (Automated)"
+        audit: "/bin/ps -fC $kubeletbin"
+        audit_config: "/bin/cat $kubeletconf"
+        tests:
+          test_items:
+            - flag: --client-ca-file
+              path: '{.authentication.x509.clientCAFile}'
+              set: true
+        remediation: |
+          Remediation Method 1:
+          If configuring via the Kubelet config file, you first need to locate the file.
+          To do this, SSH to each node and execute the following command to find the kubelet
+          process:
+          ps -ef | grep kubelet
+          The output of the above command provides details of the active kubelet process, from
+          which we can see the location of the configuration file provided to the kubelet service
+          with the --config argument. The file can be viewed with a command such as more or
+          less, like so:
+          sudo less /path/to/kubelet-config.json
+          Configure the client certificate authority file by setting the following parameter
+          appropriately:
+          "authentication": { "x509": {"clientCAFile": <path/to/client-ca-file> } }"
+
+          Remediation Method 2:
+          If using executable arguments, edit the kubelet service file on each worker node and
+          ensure the below parameters are part of the KUBELET_ARGS variable string.
+          For systems using systemd, such as the Amazon EKS Optimised Amazon Linux or
+          Bottlerocket AMIs, then this file can be found at
+          /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf. Otherwise,
+          you may need to look up documentation for your chosen operating system to determine
+          which service manager is configured:
+          --client-ca-file=<path/to/client-ca-file>
+
+          For Both Remediation Steps:
+          Based on your system, restart the kubelet service and check the service status.
+          The following example is for operating systems using systemd, such as the Amazon
+          EKS Optimised Amazon Linux or Bottlerocket AMIs, and invokes the systemctl
+          command. If systemctl is not available then you will need to look up documentation for
+          your chosen operating system to determine which service manager is configured:
+          systemctl daemon-reload
+          systemctl restart kubelet.service
+          systemctl status kubelet -l
+        scored: true
+
+      - id: 3.2.4
+        text: "Ensure that the --read-only-port is disabled (Automated)"
+        audit: "/bin/ps -fC $kubeletbin"
+        audit_config: "/bin/cat $kubeletconf"
+        tests:
+          test_items:
+            - flag: "--read-only-port"
+              path: '{.readOnlyPort}'
+              set: true
+              compare:
+                op: eq
+                value: 0
+        remediation: |
+          If modifying the Kubelet config file, edit the kubelet-config.json file
+          /etc/kubernetes/kubelet/kubelet-config.json and set the below parameter to 0
+          "readOnlyPort": 0
+          If using executable arguments, edit the kubelet service file
+          /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf on each
+          worker node and add the below parameter at the end of the KUBELET_ARGS variable
+          string.
+          --read-only-port=0
+
+          Based on your system, restart the kubelet service and check status
+          systemctl daemon-reload
+          systemctl restart kubelet.service
+          systemctl status kubelet -l
+        scored: true
+
+      - id: 3.2.5
+        text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated)"
+        audit: "/bin/ps -fC $kubeletbin"
+        audit_config: "/bin/cat $kubeletconf"
+        tests:
+          test_items:
+            - flag: --streaming-connection-idle-timeout
+              path: '{.streamingConnectionIdleTimeout}'
+              set: true
+              compare:
+                op: noteq
+                value: 0
+            - flag: --streaming-connection-idle-timeout
+              path: '{.streamingConnectionIdleTimeout}'
+              set: false
+          bin_op: or
+        remediation: |
+          Remediation Method 1:
+          If modifying the Kubelet config file, edit the kubelet-config.json file
+          /etc/kubernetes/kubelet/kubelet-config.json and set the below parameter to a
+          non-zero value in the format of #h#m#s
+          "streamingConnectionIdleTimeout": "4h0m0s"
+          You should ensure that the kubelet service file
+          /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf does not
+          specify a --streaming-connection-idle-timeout argument because it would
+          override the Kubelet config file.
+
+          Remediation Method 2:
+          If using executable arguments, edit the kubelet service file
+          /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf on each
+          worker node and add the below parameter at the end of the KUBELET_ARGS variable
+          string.
+          --streaming-connection-idle-timeout=4h0m0s
+
+          Remediation Method 3:
+          If using the api configz endpoint consider searching for the status of
+          "streamingConnectionIdleTimeout": by extracting the live configuration from the
+          nodes running kubelet.
+          **See detailed step-by-step configmap procedures in Reconfigure a Node's Kubelet in a
+          Live Cluster, and then rerun the curl statement from audit process to check for kubelet
+          configuration changes
+          kubectl proxy --port=8001 &
+          export HOSTNAME_PORT=localhost:8001 (example host and port number)
+          export NODE_NAME=ip-192.168.31.226.ec2.internal (example node name from "kubectl get nodes")
+          curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"
+
+          For all three remediations:
+          Based on your system, restart the kubelet service and check status
+          systemctl daemon-reload
+          systemctl restart kubelet.service
+          systemctl status kubelet -l
+        scored: true
+
+      - id: 3.2.6
+        text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
+        audit: "/bin/ps -fC $kubeletbin"
+        audit_config: "/bin/cat $kubeletconf"
+        tests:
+          test_items:
+            - flag: --make-iptables-util-chains
+              path: '{.makeIPTablesUtilChains}'
+              set: true
+              compare:
+                op: eq
+                value: true
+            - flag: --make-iptables-util-chains
+              path: '{.makeIPTablesUtilChains}'
+              set: false
+          bin_op: or
+        remediation: |
+          Remediation Method 1:
+          If modifying the Kubelet config file, edit the kubelet-config.json file
+          /etc/kubernetes/kubelet/kubelet-config.json and set the below parameter to
+          true
+          "makeIPTablesUtilChains": true
+          Ensure that /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf
+          does not set the --make-iptables-util-chains argument because that would
+          override your Kubelet config file.
+
+          Remediation Method 2:
+          If using executable arguments, edit the kubelet service file
+          /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf on each
+          worker node and add the below parameter at the end of the KUBELET_ARGS variable
+          string.
+          --make-iptables-util-chains:true
+
+          Remediation Method 3:
+          If using the api configz endpoint consider searching for the status of
+          "makeIPTablesUtilChains.: true by extracting the live configuration from the nodes
+          running kubelet.
+          **See detailed step-by-step configmap procedures in Reconfigure a Node's Kubelet in a
+          Live Cluster, and then rerun the curl statement from audit process to check for kubelet
+          configuration changes
+          kubectl proxy --port=8001 &
+          export HOSTNAME_PORT=localhost:8001 (example host and port number)
+          export NODE_NAME=ip-192.168.31.226.ec2.internal (example node name from "kubectl get nodes")
+          curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"
+
+          For all three remediations:
+          Based on your system, restart the kubelet service and check status
+          systemctl daemon-reload
+          systemctl restart kubelet.service
+          systemctl status kubelet -l
+        scored: true
+
+      - id: 3.2.7
+        text: "Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture (Automated)"
+        audit: "/bin/ps -fC $kubeletbin"
+        audit_config: "/bin/cat $kubeletconf"
+        tests:
+          test_items:
+            - flag: --event-qps
+              path: '{.eventRecordQPS}'
+              set: true
+              compare:
+                op: gte
+                value: 0
+        remediation: |
+          If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate
+          level.
+          If using command line arguments, edit the kubelet service file
+          /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node
+          and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+          Based on your system, restart the kubelet service. For example:
+          systemctl daemon-reload
+          systemctl restart kubelet.service
+        scored: true
+
+      - id: 3.2.8
+        text: "Ensure that the --rotate-certificates argument is not present or is set to true (Automated)"
+        audit: "/bin/ps -fC $kubeletbin"
+        audit_config: "/bin/cat $kubeletconf"
+        tests:
+          test_items:
+            - flag: --rotate-certificates
+              path: '{.rotateCertificates}'
+              compare:
+                op: eq
+                value: true
+            - flag: --rotate-certificates
+              path: '{.rotateCertificates}'
+              set: false
+          bin_op: or
+        remediation: |
+          Remediation Method 1:
+          If modifying the Kubelet config file, edit the kubelet-config.json file
+          /etc/kubernetes/kubelet/kubelet-config.json and set the below parameter to
+          true
+          "RotateCertificate":true
+          Additionally, ensure that the kubelet service file
+          /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf does not set the --RotateCertificate
+          executable argument to false because this would override the Kubelet
+          config file.
+
+          Remediation Method 2:
+          If using executable arguments, edit the kubelet service file
+          /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf on each
+          worker node and add the below parameter at the end of the KUBELET_ARGS variable
+          string.
+          --RotateCertificate=true
+        scored: true
+
+      - id: 3.2.9
+        text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"
+        audit: "/bin/ps -fC $kubeletbin"
+        audit_config: "/bin/cat $kubeletconf"
+        tests:
+          test_items:
+            - flag: RotateKubeletServerCertificate
+              path: '{.featureGates.RotateKubeletServerCertificate}'
+              set: true
+              compare:
+                op: eq
+                value: true
+        remediation: |
+          Remediation Method 1:
+          If modifying the Kubelet config file, edit the kubelet-config.json file
+          /etc/kubernetes/kubelet/kubelet-config.json and set the below parameter to
+          true
+
+          "featureGates": {
+            "RotateKubeletServerCertificate":true
+          },
+
+          Additionally, ensure that the kubelet service file
+          /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf does not set
+          the --rotate-kubelet-server-certificate executable argument to false because
+          this would override the Kubelet config file.
+
+          Remediation Method 2:
+          If using executable arguments, edit the kubelet service file
+          /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf on each
+          worker node and add the below parameter at the end of the KUBELET_ARGS variable
+          string.
+          --rotate-kubelet-server-certificate=true
+
+          Remediation Method 3:
+          If using the api configz endpoint consider searching for the status of
+          "RotateKubeletServerCertificate": by extracting the live configuration from the
+          nodes running kubelet.
+          **See detailed step-by-step configmap procedures in Reconfigure a Node's Kubelet in a
+          Live Cluster, and then rerun the curl statement from audit process to check for kubelet
+          configuration changes
+          kubectl proxy --port=8001 &
+          export HOSTNAME_PORT=localhost:8001 (example host and port number)
+          export NODE_NAME=ip-192.168.31.226.ec2.internal (example node name from "kubectl get nodes")
+          curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"
+
+          For all three remediation methods:
+          Restart the kubelet service and check status. The example below is for when using
+          systemctl to manage services:
+          systemctl daemon-reload
+          systemctl restart kubelet.service
+          systemctl status kubelet -l
+        scored: true

cfg/eks-1.7.0/policies.yaml

@@ -0,0 +1,358 @@
+---
+controls:
+version: "eks-1.7.0"
+id: 4
+text: "Policies"
+type: "policies"
+groups:
+  - id: 4.1
+    text: "RBAC and Service Accounts"
+    checks:
+      - id: 4.1.1
+        text: "Ensure that the cluster-admin role is only used where required (Automated)"
+        audit: |
+          kubectl get clusterrolebindings -o json | jq -r '
+            .items[]
+            | select(.roleRef.name == "cluster-admin")
+            | .subjects[]?
+            | select(.kind != "Group" or (.name != "system:masters" and .name != "system:nodes"))
+            | "FOUND_CLUSTER_ADMIN_BINDING"
+          ' || echo "NO_CLUSTER_ADMIN_BINDINGS"
+        tests:
+          test_items:
+            - flag: "NO_CLUSTER_ADMIN_BINDINGS"
+              set: true
+              compare:
+                op: eq
+                value: "NO_CLUSTER_ADMIN_BINDINGS"
+        remediation: |
+          Identify all clusterrolebindings to the cluster-admin role. Check if they are used and if
+          they need this role or if they could use a role with fewer privileges.
+          Where possible, first bind users to a lower privileged role and then remove the
+          clusterrolebinding to the cluster-admin role :
+          kubectl delete clusterrolebinding [name]
+        scored: true
+
+      - id: 4.1.2
+        text: "Minimize access to secrets (Automated)"
+        audit: |
+          count=$(kubectl get roles --all-namespaces -o json | jq '
+            .items[]
+            | select(.rules[]?
+              | (.resources[]? == "secrets")
+              and ((.verbs[]? == "get") or (.verbs[]? == "list") or (.verbs[]? == "watch"))
+            )' | wc -l)
+
+          if [ "$count" -gt 0 ]; then
+            echo "SECRETS_ACCESS_FOUND"
+          fi
+        tests:
+          test_items:
+            - flag: "SECRETS_ACCESS_FOUND"
+              set: false
+        remediation: |
+          Where possible, remove get, list and watch access to secret objects in the cluster.
+        scored: true
+
+      - id: 4.1.3
+        text: "Minimize wildcard use in Roles and ClusterRoles (Automated)"
+        audit: |
+          wildcards=$(kubectl get roles --all-namespaces -o json | jq '
+            .items[] | select(
+              .rules[]? | (.verbs[]? == "*" or .resources[]? == "*" or .apiGroups[]? == "*")
+            )' | wc -l)
+
+          wildcards_clusterroles=$(kubectl get clusterroles -o json | jq '
+            .items[] | select(
+              .rules[]? | (.verbs[]? == "*" or .resources[]? == "*" or .apiGroups[]? == "*")
+            )' | wc -l)
+
+          total=$((wildcards + wildcards_clusterroles))
+
+          if [ "$total" -gt 0 ]; then
+            echo "wildcards_present"
+          fi
+        tests:
+          test_items:
+            - flag: wildcards_present
+              set: false
+        remediation: |
+          Where possible replace any use of wildcards in clusterroles and roles with specific
+          objects or actions.
+        scored: true
+
+      - id: 4.1.4
+        text: "Minimize access to create pods (Automated)"
+        audit: |
+          access=$(kubectl get roles,clusterroles -A -o json | jq '
+            [.items[] |
+              select(
+                .rules[]? |
+                (.resources[]? == "pods" and .verbs[]? == "create")
+              )
+            ] | length')
+
+          if [ "$access" -gt 0 ]; then
+            echo "pods_create_access"
+          fi
+        tests:
+          test_items:
+            - flag: pods_create_access
+              set: false
+        remediation: |
+          Where possible, remove create access to pod objects in the cluster.
+        scored: true
+
+      - id: 4.1.5
+        text: "Ensure that default service accounts are not actively used. (Automated)"
+        audit: |
+          default_sa_count=$(kubectl get serviceaccounts --all-namespaces -o json | jq '
+            [.items[] | select(.metadata.name == "default" and (.automountServiceAccountToken != false))] | length')
+          if [ "$default_sa_count" -gt 0 ]; then
+            echo "default_sa_not_auto_mounted"
+          fi
+
+          pods_using_default_sa=$(kubectl get pods --all-namespaces -o json | jq '
+            [.items[] | select(.spec.serviceAccountName == "default")] | length')
+          if [ "$pods_using_default_sa" -gt 0 ]; then
+            echo "default_sa_used_in_pods"
+          fi
+        tests:
+          test_items:
+            - flag: default_sa_not_auto_mounted
+              set: false
+            - flag: default_sa_used_in_pods
+              set: false
+        remediation: |
+          Create explicit service accounts wherever a Kubernetes workload requires specific
+          access to the Kubernetes API server.
+          Modify the configuration of each default service account to include this value
+          automountServiceAccountToken: false
+
+          Automatic remediation for the default account:
+          kubectl patch serviceaccount default -p
+          $'automountServiceAccountToken: false'
+        scored: true
+
+      - id: 4.1.6
+        text: "Ensure that Service Account Tokens are only mounted where necessary (Automated)"
+        audit: |
+          pods_with_token_mount=$(kubectl get pods --all-namespaces -o json | jq '
+            [.items[] | select(.spec.automountServiceAccountToken != false)] | length')
+
+          if [ "$pods_with_token_mount" -gt 0 ]; then
+            echo "automountServiceAccountToken"
+          fi
+        tests:
+          test_items:
+            - flag: automountServiceAccountToken
+              set: false
+        remediation: |
+          Regularly review pod and service account objects in the cluster to ensure that the automountServiceAccountToken setting is false for pods and accounts that do not explicitly require API server access.
+        scored: true
+
+      - id: 4.1.7
+        text: "Cluster Access Manager API to streamline and enhance the management of access controls within EKS clusters (Manual)"
+        type: "manual"
+        remediation: |
+          Log in to the AWS Management Console.
+            Navigate to Amazon EKS and select your EKS cluster.
+
+            Go to the Access tab and click on "Manage Access" in the "Access Configuration section".
+            Under Cluster Authentication Mode for Cluster Access settings.
+            Click EKS API to change cluster will source authenticated IAM principals only from EKS access entry APIs.
+            Click ConfigMap to change cluster will source authenticated IAM principals only from the aws-auth ConfigMap.
+          Note: EKS API and ConfigMap must be selected during Cluster creation and cannot be changed once the Cluster is provisioned.
+        scored: false
+
+      - id: 4.1.8
+        text: "Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"
+        type: "manual"
+        remediation: |
+          Where possible, remove the impersonate, bind and escalate rights from subjects.
+        scored: false
+
+  - id: 4.2
+    text: "Pod Security Standards"
+    checks:
+      - id: 4.2.1
+        text: "Minimize the admission of privileged containers (Automated)"
+        audit: |
+          kubectl get pods --all-namespaces -o json | \
+            jq -r 'if any(.items[]?.spec.containers[]?; .securityContext?.privileged == true) then "PRIVILEGED_FOUND" else "NO_PRIVILEGED" end'
+        tests:
+          test_items:
+            - flag: "NO_PRIVILEGED"
+              set: true
+              compare:
+                op: eq
+                value: "NO_PRIVILEGED"
+        remediation: |
+          Add policies to each namespace in the cluster which has user workloads to restrict the admission of privileged containers.
+            To enable PSA for a namespace in your cluster, set the pod-security.kubernetes.io/enforce label with the policy value you want to enforce.
+            kubectl label --overwrite ns NAMESPACE pod-security.kubernetes.io/enforce=restricted
+            The above command enforces the restricted policy for the NAMESPACE namespace.
+          You can also enable Pod Security Admission for all your namespaces. For example:
+            kubectl label --overwrite ns --all pod-security.kubernetes.io/warn=baseline
+        scored: true
+
+      - id: 4.2.2
+        text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)"
+        audit: |
+          kubectl get pods --all-namespaces -o json | \
+            jq -r 'if any(.items[]?; .spec.hostPID == true) then "HOSTPID_FOUND" else "NO_HOSTPID" end'
+        tests:
+          test_items:
+            - flag: "NO_HOSTPID"
+              set: true
+              compare:
+                op: eq
+                value: "NO_HOSTPID"
+        remediation: |
+          Add policies to each namespace in the cluster which has user workloads to restrict the
+          admission of hostPID containers.
+        scored: true
+
+      - id: 4.2.3
+        text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)"
+        audit: |
+          kubectl get pods --all-namespaces -o json | jq -r 'if any(.items[]?; .spec.hostIPC == true) then "HOSTIPC_FOUND" else "NO_HOSTIPC" end'
+        tests:
+          test_items:
+            - flag: "NO_HOSTIPC"
+              set: true
+              compare:
+                op: eq
+                value: "NO_HOSTIPC"
+        remediation: |
+          Add policies to each namespace in the cluster which has user workloads to restrict the
+          admission of hostIPC containers.
+        scored: true
+
+      - id: 4.2.4
+        text: "Minimize the admission of containers wishing to share the host network namespace (Automated)"
+        audit: |
+          kubectl get pods --all-namespaces -o json | jq -r 'if any(.items[]?; .spec.hostNetwork == true) then "HOSTNETWORK_FOUND" else "NO_HOSTNETWORK" end'
+        tests:
+          test_items:
+            - flag: "NO_HOSTNETWORK"
+              set: true
+              compare:
+                op: eq
+                value: "NO_HOSTNETWORK"
+        remediation: |
+          Add policies to each namespace in the cluster which has user workloads to restrict the
+          admission of hostNetwork containers.
+        scored: true
+
+      - id: 4.2.5
+        text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)"
+        audit: |
+          kubectl get pods --all-namespaces -o json | \
+            jq -r 'if any(.items[]?.spec.containers[]?; .securityContext?.allowPrivilegeEscalation == true) then "ALLOWPRIVILEGEESCALTION_FOUND" else "NO_ALLOWPRIVILEGEESCALTION" end'
+        tests:
+          test_items:
+            - flag: "NO_ALLOWPRIVILEGEESCALTION"
+              set: true
+              compare:
+                op: eq
+                value: "NO_ALLOWPRIVILEGEESCALTION"
+        remediation: |
+          Add policies to each namespace in the cluster which has user workloads to restrict the
+          admission of containers with .spec.allowPrivilegeEscalation set to true.
+        scored: true
+
+  - id: 4.3
+    text: "CNI Plugin"
+    checks:
+      - id: 4.3.1
+        text: "Ensure CNI plugin supports network policies (Manual)"
+        type: "manual"
+        remediation: |
+          As with RBAC policies, network policies should adhere to the policy of least privileged
+          access. Start by creating a deny all policy that restricts all inbound and outbound traffic
+          from a namespace or create a global policy using Calico.
+        scored: false
+
+      - id: 4.3.2
+        text: "Ensure that all Namespaces have Network Policies defined (Automated)"
+        audit: |
+          ns_without_np=$(kubectl get namespaces -o json | jq -r '.items[].metadata.name' | while read ns; do
+            count=$(kubectl get networkpolicy -n $ns --no-headers 2>/dev/null | wc -l)
+            if [ "$count" -eq 0 ]; then echo $ns; fi
+          done)
+          if [ -z "$ns_without_np" ]; then
+            echo "ALL_NAMESPACES_HAVE_NETWORK_POLICIES"
+          else
+            echo "NAMESPACES_WITHOUT_NETWORK_POLICIES: $ns_without_np"
+          fi
+        tests:
+          test_items:
+            - flag: "ALL_NAMESPACES_HAVE_NETWORK_POLICIES"
+              set: true
+              compare:
+                op: eq
+                value: "ALL_NAMESPACES_HAVE_NETWORK_POLICIES"
+        remediation: |
+          Create at least one NetworkPolicy in each namespace to control and restrict traffic between pods as needed.
+        scored: true
+
+  - id: 4.4
+    text: "Secrets Management"
+    checks:
+      - id: 4.4.1
+        text: "Prefer using secrets as files over secrets as environment variables (Automated)"
+        audit: |
+          result=$(kubectl get all --all-namespaces -o jsonpath='{range .items[?(@..secretKeyRef)]}{.metadata.namespace} {.kind} {.metadata.name}{"\n"}{end}')
+          if [ -z "$result" ]; then
+            echo "NO_SECRETS_AS_ENV_VARS"
+          else
+            echo "SECRETS_AS_ENV_VARS_FOUND: $result"
+          fi
+        tests:
+          test_items:
+            - flag: "NO_SECRETS_AS_ENV_VARS"
+              set: true
+              compare:
+                op: eq
+                value: "NO_SECRETS_AS_ENV_VARS"
+        remediation: |
+          If possible, rewrite application code to read secrets from mounted secret files, rather than
+          from environment variables.
+        scored: true
+
+      - id: 4.4.2
+        text: "Consider external secret storage (Manual)"
+        type: "manual"
+        remediation: |
+          Refer to the secrets management options offered by your cloud provider or a third-party
+          secrets management solution.
+        scored: false
+
+  - id: 4.5
+    text: "General Policies"
+    checks:
+      - id: 4.5.1
+        text: "Create administrative boundaries between resources using namespaces (Manual)"
+        type: "manual"
+        remediation: |
+          Follow the documentation and create namespaces for objects in your deployment as you need
+          them.
+        scored: false
+
+      - id: 4.5.2
+        text: "The default namespace should not be used (Automated)"
+        audit: |
+          output=$(kubectl get $(kubectl api-resources --verbs=list --namespaced=true -o name | paste -sd, -) --ignore-not-found -n default 2>/dev/null | grep -v "^kubernetes ")
+          if [ -z "$output" ]; then
+            echo "NO_USER_RESOURCES_IN_DEFAULT"
+          else
+            echo "USER_RESOURCES_IN_DEFAULT_FOUND: $output"
+          fi
+        tests:
+          test_items:
+            - flag: "NO_USER_RESOURCES_IN_DEFAULT"
+              set: true
+        remediation: |
+          Create and use dedicated namespaces for resources instead of the default namespace. Move any user-defined objects out of the default namespace to improve resource segregation and RBAC control.
+        scored: true

cmd/common_test.go

@@ -474,6 +474,12 @@ func TestValidTargets(t *testing.T) {
 			targets:   []string{"node", "policies", "controlplane", "managedservices"},
 			expected:  true,
 		},
+		{
+			name:      "eks-1.7.0 valid",
+			benchmark: "eks-1.7.0",
+			targets:   []string{"node", "policies", "controlplane", "managedservices"},
+			expected:  true,
+		},
 	}
 
 	for _, c := range cases {

cmd/util.go

@@ -15,6 +15,7 @@ import (
 	"github.com/fatih/color"
 	"github.com/golang/glog"
 	"github.com/spf13/viper"
+	"golang.org/x/exp/slices"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
@@ -521,7 +522,11 @@ func getPlatformBenchmarkVersion(platform Platform) string {
 	glog.V(3).Infof("getPlatformBenchmarkVersion platform: %s", platform)
 	switch platform.Name {
 	case "eks":
-		return "eks-1.5.0"
+		oldEKSVersions := []string{"1.15", "1.16", "1.17", "1.18", "1.19", "1.20", "1.21", "1.22", "1.23", "1.24", "1.25", "1.26", "1.27", "1.28"}
+		if slices.Contains(oldEKSVersions, platform.Version) {
+			return "eks-1.5.0"
+		}
+		return "eks-1.7.0"
 	case "aks":
 		return "aks-1.7"
 	case "gke":

cmd/util_test.go

@@ -651,9 +651,16 @@ func Test_getPlatformBenchmarkVersion(t *testing.T) {
 		want string
 	}{
 		{
-			name: "eks",
+			name: "eks 1.31",
 			args: args{
-				platform: Platform{Name: "eks"},
+				platform: Platform{Name: "eks", Version: "1.31"},
+			},
+			want: "eks-1.7.0",
+		},
+		{
+			name: "eks 1.24",
+			args: args{
+				platform: Platform{Name: "eks", Version: "1.24"},
 			},
 			want: "eks-1.5.0",
 		},

go.mod

@@ -3,9 +3,9 @@ module github.com/aquasecurity/kube-bench
 go 1.24.4
 
 require (
-	github.com/aws/aws-sdk-go-v2 v1.36.6
-	github.com/aws/aws-sdk-go-v2/config v1.29.18
-	github.com/aws/aws-sdk-go-v2/service/securityhub v1.58.2
+	github.com/aws/aws-sdk-go-v2 v1.38.0
+	github.com/aws/aws-sdk-go-v2/config v1.31.0
+	github.com/aws/aws-sdk-go-v2/service/securityhub v1.62.0
 	github.com/fatih/color v1.18.0
 	github.com/golang/glog v1.2.5
 	github.com/magiconair/properties v1.8.10
@@ -14,25 +14,26 @@ require (
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/viper v1.20.1
 	github.com/stretchr/testify v1.10.0
+	golang.org/x/exp v0.0.0-20250718183923-645b1fa84792
 	gopkg.in/yaml.v2 v2.4.0
 	gorm.io/driver/postgres v1.6.0
-	gorm.io/gorm v1.30.0
-	k8s.io/apimachinery v0.33.3
-	k8s.io/client-go v0.33.3
+	gorm.io/gorm v1.30.1
+	k8s.io/apimachinery v0.33.4
+	k8s.io/client-go v0.33.4
 )
 
 require (
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.71 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.33 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.37 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.37 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.18.4 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.3 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.18 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.25.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.34.1 // indirect
-	github.com/aws/smithy-go v1.22.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.28.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.33.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.37.0 // indirect
+	github.com/aws/smithy-go v1.22.5 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/fsnotify/fsnotify v1.8.0 // indirect
@@ -41,7 +42,7 @@ require (
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
-	github.com/go-viper/mapstructure/v2 v2.3.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/gnostic-models v0.6.9 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
@@ -76,7 +77,7 @@ require (
 	golang.org/x/crypto v0.36.0 // indirect
 	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sync v0.12.0 // indirect
+	golang.org/x/sync v0.16.0 // indirect
 	golang.org/x/sys v0.31.0 // indirect
 	golang.org/x/term v0.30.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
@@ -85,7 +86,7 @@ require (
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.33.3 // indirect
+	k8s.io/api v0.33.4 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
 	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect

go.sum

@@ -1,31 +1,31 @@
-github.com/aws/aws-sdk-go-v2 v1.36.6 h1:zJqGjVbRdTPojeCGWn5IR5pbJwSQSBh5RWFTQcEQGdU=
-github.com/aws/aws-sdk-go-v2 v1.36.6/go.mod h1:EYrzvCCN9CMUTa5+6lf6MM4tq3Zjp8UhSGR/cBsjai0=
-github.com/aws/aws-sdk-go-v2/config v1.29.18 h1:x4T1GRPnqKV8HMJOMtNktbpQMl3bIsfx8KbqmveUO2I=
-github.com/aws/aws-sdk-go-v2/config v1.29.18/go.mod h1:bvz8oXugIsH8K7HLhBv06vDqnFv3NsGDt2Znpk7zmOU=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.71 h1:r2w4mQWnrTMJjOyIsZtGp3R3XGY3nqHn8C26C2lQWgA=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.71/go.mod h1:E7VF3acIup4GB5ckzbKFrCK0vTvEQxOxgdq4U3vcMCY=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.33 h1:D9ixiWSG4lyUBL2DDNK924Px9V/NBVpML90MHqyTADY=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.33/go.mod h1:caS/m4DI+cij2paz3rtProRBI4s/+TCiWoaWZuQ9010=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.37 h1:osMWfm/sC/L4tvEdQ65Gri5ZZDCUpuYJZbTTDrsn4I0=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.37/go.mod h1:ZV2/1fbjOPr4G4v38G3Ww5TBT4+hmsK45s/rxu1fGy0=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.37 h1:v+X21AvTb2wZ+ycg1gx+orkB/9U6L7AOp93R7qYxsxM=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.37/go.mod h1:G0uM1kyssELxmJ2VZEfG0q2npObR3BAkF3c1VsfVnfs=
+github.com/aws/aws-sdk-go-v2 v1.38.0 h1:UCRQ5mlqcFk9HJDIqENSLR3wiG1VTWlyUfLDEvY7RxU=
+github.com/aws/aws-sdk-go-v2 v1.38.0/go.mod h1:9Q0OoGQoboYIAJyslFyF1f5K1Ryddop8gqMhWx/n4Wg=
+github.com/aws/aws-sdk-go-v2/config v1.31.0 h1:9yH0xiY5fUnVNLRWO0AtayqwU1ndriZdN78LlhruJR4=
+github.com/aws/aws-sdk-go-v2/config v1.31.0/go.mod h1:VeV3K72nXnhbe4EuxxhzsDc/ByrCSlZwUnWH52Nde/I=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.4 h1:IPd0Algf1b+Qy9BcDp0sCUcIWdCQPSzDoMK3a8pcbUM=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.4/go.mod h1:nwg78FjH2qvsRM1EVZlX9WuGUJOL5od+0qvm0adEzHk=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.3 h1:GicIdnekoJsjq9wqnvyi2elW6CGMSYKhdozE7/Svh78=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.3/go.mod h1:R7BIi6WNC5mc1kfRM7XM/VHC3uRWkjc396sfabq4iOo=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.3 h1:o9RnO+YZ4X+kt5Z7Nvcishlz0nksIt2PIzDglLMP0vA=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.3/go.mod h1:+6aLJzOG1fvMOyzIySYjOFjcguGvVRL68R+uoRencN4=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.3 h1:joyyUFhiTQQmVK6ImzNU9TQSNRNeD9kOklqTzyk5v6s=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.3/go.mod h1:+vNIyZQP3b3B1tSLI0lxvrU9cfM7gpdRXMFfm67ZcPc=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4 h1:CXV68E2dNqhuynZJPB80bhPQwAKqBWVer887figW6Jc=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4/go.mod h1:/xFi9KtvBXP97ppCz1TAEvU1Uf66qvid89rbem3wCzQ=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.18 h1:vvbXsA2TVO80/KT7ZqCbx934dt6PY+vQ8hZpUZ/cpYg=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.18/go.mod h1:m2JJHledjBGNMsLOF1g9gbAxprzq3KjC8e4lxtn+eWg=
-github.com/aws/aws-sdk-go-v2/service/securityhub v1.58.2 h1:riL/fVBOXsF2gTBHjD9x7xoybip0Pu585bARvWXSMmI=
-github.com/aws/aws-sdk-go-v2/service/securityhub v1.58.2/go.mod h1:cmiWoD/e3qeEr3gbUnK+rK4TKD5jBu1bkmdJvGKG77Y=
-github.com/aws/aws-sdk-go-v2/service/sso v1.25.6 h1:rGtWqkQbPk7Bkwuv3NzpE/scwwL9sC1Ul3tn9x83DUI=
-github.com/aws/aws-sdk-go-v2/service/sso v1.25.6/go.mod h1:u4ku9OLv4TO4bCPdxf4fA1upaMaJmP9ZijGk3AAOC6Q=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.4 h1:OV/pxyXh+eMA0TExHEC4jyWdumLxNbzz1P0zJoezkJc=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.4/go.mod h1:8Mm5VGYwtm+r305FfPSuc+aFkrypeylGYhFim6XEPoc=
-github.com/aws/aws-sdk-go-v2/service/sts v1.34.1 h1:aUrLQwJfZtwv3/ZNG2xRtEen+NqI3iesuacjP51Mv1s=
-github.com/aws/aws-sdk-go-v2/service/sts v1.34.1/go.mod h1:3wFBZKoWnX3r+Sm7in79i54fBmNfwhdNdQuscCw7QIk=
-github.com/aws/smithy-go v1.22.4 h1:uqXzVZNuNexwc/xrh6Tb56u89WDlJY6HS+KC0S4QSjw=
-github.com/aws/smithy-go v1.22.4/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 h1:6+lZi2JeGKtCraAj1rpoZfKqnQ9SptseRZioejfUOLM=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0/go.mod h1:eb3gfbVIxIoGgJsi9pGne19dhCBpK6opTYpQqAmdy44=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.3 h1:ieRzyHXypu5ByllM7Sp4hC5f/1Fy5wqxqY0yB85hC7s=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.3/go.mod h1:O5ROz8jHiOAKAwx179v+7sHMhfobFVi6nZt8DEyiYoM=
+github.com/aws/aws-sdk-go-v2/service/securityhub v1.62.0 h1:sKzvE3fkQNa4iXbS2zhPsWhoYZUuPGeyCx29zWaUAyg=
+github.com/aws/aws-sdk-go-v2/service/securityhub v1.62.0/go.mod h1:O3x2LxaDhY0QmJKHLaw2MGgKeYhDMWvi7zsJ+rcnWQU=
+github.com/aws/aws-sdk-go-v2/service/sso v1.28.0 h1:Mc/MKBf2m4VynyJkABoVEN+QzkfLqGj0aiJuEe7cMeM=
+github.com/aws/aws-sdk-go-v2/service/sso v1.28.0/go.mod h1:iS5OmxEcN4QIPXARGhavH7S8kETNL11kym6jhoS7IUQ=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.33.0 h1:6csaS/aJmqZQbKhi1EyEMM7yBW653Wy/B9hnBofW+sw=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.33.0/go.mod h1:59qHWaY5B+Rs7HGTuVGaC32m0rdpQ68N8QCN3khYiqs=
+github.com/aws/aws-sdk-go-v2/service/sts v1.37.0 h1:MG9VFW43M4A8BYeAfaJJZWrroinxeTi2r3+SnmLQfSA=
+github.com/aws/aws-sdk-go-v2/service/sts v1.37.0/go.mod h1:JdeBDPgpJfuS6rU/hNglmOigKhyEZtBmbraLE4GK1J8=
+github.com/aws/smithy-go v1.22.5 h1:P9ATCXPMb2mPjYBgueqJNCA5S9UfktsW0tTxi+a7eqw=
+github.com/aws/smithy-go v1.22.5/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -58,8 +58,8 @@ github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8Wd
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/go-viper/mapstructure/v2 v2.3.0 h1:27XbWsHIqhbdR5TIC911OfYvgSaW93HM+dX7970Q7jk=
-github.com/go-viper/mapstructure/v2 v2.3.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
+github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/glog v1.2.5 h1:DrW6hGnjIhtvhOIiAKT6Psh/Kd/ldepEa81DKeiRJ5I=
@@ -193,6 +193,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
 golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 h1:R9PFI6EUdfVKgwKjZef7QIwGcBKu86OEFpJ9nUEP2l4=
+golang.org/x/exp v0.0.0-20250718183923-645b1fa84792/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -209,8 +211,8 @@ golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -237,8 +239,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
-golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
+golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
+golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -271,14 +273,14 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/driver/postgres v1.6.0 h1:2dxzU8xJ+ivvqTRph34QX+WrRaJlmfyPqXmoGVjMBa4=
 gorm.io/driver/postgres v1.6.0/go.mod h1:vUw0mrGgrTK+uPHEhAdV4sfFELrByKVGnaVRkXDhtWo=
-gorm.io/gorm v1.30.0 h1:qbT5aPv1UH8gI99OsRlvDToLxW5zR7FzS9acZDOZcgs=
-gorm.io/gorm v1.30.0/go.mod h1:8Z33v652h4//uMA76KjeDH8mJXPm1QNCYrMeatR0DOE=
-k8s.io/api v0.33.3 h1:SRd5t//hhkI1buzxb288fy2xvjubstenEKL9K51KBI8=
-k8s.io/api v0.33.3/go.mod h1:01Y/iLUjNBM3TAvypct7DIj0M0NIZc+PzAHCIo0CYGE=
-k8s.io/apimachinery v0.33.3 h1:4ZSrmNa0c/ZpZJhAgRdcsFcZOw1PQU1bALVQ0B3I5LA=
-k8s.io/apimachinery v0.33.3/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
-k8s.io/client-go v0.33.3 h1:M5AfDnKfYmVJif92ngN532gFqakcGi6RvaOF16efrpA=
-k8s.io/client-go v0.33.3/go.mod h1:luqKBQggEf3shbxHY4uVENAxrDISLOarxpTKMiUuujg=
+gorm.io/gorm v1.30.1 h1:lSHg33jJTBxs2mgJRfRZeLDG+WZaHYCk3Wtfl6Ngzo4=
+gorm.io/gorm v1.30.1/go.mod h1:8Z33v652h4//uMA76KjeDH8mJXPm1QNCYrMeatR0DOE=
+k8s.io/api v0.33.4 h1:oTzrFVNPXBjMu0IlpA2eDDIU49jsuEorGHB4cvKupkk=
+k8s.io/api v0.33.4/go.mod h1:VHQZ4cuxQ9sCUMESJV5+Fe8bGnqAARZ08tSTdHWfeAc=
+k8s.io/apimachinery v0.33.4 h1:SOf/JW33TP0eppJMkIgQ+L6atlDiP/090oaX0y9pd9s=
+k8s.io/apimachinery v0.33.4/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
+k8s.io/client-go v0.33.4 h1:TNH+CSu8EmXfitntjUPwaKVPN0AYMbc9F1bBS8/ABpw=
+k8s.io/client-go v0.33.4/go.mod h1:LsA0+hBG2DPwovjd931L/AoaezMPX9CmBgyVyBZmbCY=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4=

job.yaml

@@ -11,7 +11,7 @@ spec:
     spec:
       containers:
         - command: ["kube-bench"]
-          image: docker.io/aquasec/kube-bench:v0.11.2
+          image: docker.io/aquasec/kube-bench:v0.12.0
           name: kube-bench
           volumeMounts:
             - name: var-lib-cni

makefile

@@ -11,7 +11,7 @@ uname := $(shell uname -s)
 BUILDX_PLATFORM ?= linux/amd64,linux/arm64,linux/arm,linux/ppc64le,linux/s390x
 DOCKER_ORGS ?= aquasec public.ecr.aws/aquasecurity
 GOARCH ?= $@
-KUBECTL_VERSION ?= 1.34.0-alpha.1
+KUBECTL_VERSION ?= 1.34.0-rc.2
 ARCH ?= $(shell go env GOARCH)
 
 ifneq ($(findstring Microsoft,$(shell uname -r)),)