Binding grants access to anonymous users
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A binding subject targets system:anonymous or system:unauthenticated, extending the granted permissions to unauthenticated callers.
Why it matters
A binding subject of system:anonymous or system:unauthenticated grants the bound permissions to callers who have not authenticated at all. Depending on the role, that can expose cluster resources to anyone who can reach the API server. This is almost always a mistake rather than an intentional design.
How to fix it
Remove the anonymous or unauthenticated subject from the binding and grant access only to authenticated, named service accounts or users. If some endpoint must be reachable without auth, handle that at the application or ingress layer, not by binding cluster permissions to anonymous. Confirm anonymous authentication is disabled on the API server where feasible.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo