Will It Vibe logoWill It Vibe?
K8S-027Low severity-4 points

No NetworkPolicy defined

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

The manifests deploy workloads but define no NetworkPolicy, so by default every pod can reach every other pod with no segmentation.

Why it matters

Kubernetes networking is open by default: without any NetworkPolicy, every pod can reach every other pod across namespaces. That means a single compromised workload can freely probe and connect to databases, internal APIs, and other services with no segmentation. Adding policies limits lateral movement. This is a repo-level heuristic, since policies may live outside the scanned manifests.

How to fix it

Add a default-deny NetworkPolicy per namespace, then add explicit allow policies for the traffic each workload actually needs (for example app to database on one port). If the cluster uses a mesh or a CNI-specific policy CRD instead of core NetworkPolicy, apply the equivalent there. Roll out in a staging namespace first to catch flows you forgot.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks