Service account token auto-mounted
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
automountServiceAccountToken: true mounts an API token into the pod, which is only needed when the workload calls the Kubernetes API.
Why it matters
automountServiceAccountToken: true mounts a Kubernetes API token into the pod. If the workload never calls the API, that token is only extra attack surface: an attacker in the pod can use it against the API server with whatever permissions the service account holds. Disabling it removes a credential the workload does not use. This is a hardening default, so the finding is low severity.
How to fix it
Set automountServiceAccountToken: false on the pod spec or the ServiceAccount for workloads that do not call the Kubernetes API. For workloads that do, keep it enabled but make sure the bound service account has only the minimum RBAC it needs rather than broad or default permissions.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo