Will It Vibe logoWill It Vibe?
K8S-023Medium severity-8 points

Workload has no securityContext

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A workload defines containers but no securityContext anywhere, so it runs with permissive defaults (root allowed, privilege escalation allowed, writable root FS).

Why it matters

A workload with containers but no securityContext runs on permissive defaults: root is allowed, privilege escalation is allowed, and the root filesystem is writable. That leaves the easy hardening wins on the table and makes any container compromise more damaging. This is a heuristic, since a cluster-wide policy might set these defaults elsewhere.

How to fix it

Add a securityContext to the pod or container with runAsNonRoot: true, allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, and capabilities.drop: ["ALL"]. Adjust for what the image supports, adding a non-zero runAsUser and any writable-path volumes it needs. Consider enforcing these defaults with Pod Security Admission so new workloads inherit them.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks