No NetworkPolicy defined
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
The manifests deploy workloads but define no NetworkPolicy, so by default every pod can reach every other pod with no segmentation.
Why it matters
Kubernetes networking is open by default: without any NetworkPolicy, every pod can reach every other pod across namespaces. That means a single compromised workload can freely probe and connect to databases, internal APIs, and other services with no segmentation. Adding policies limits lateral movement. This is a repo-level heuristic, since policies may live outside the scanned manifests.
How to fix it
Add a default-deny NetworkPolicy per namespace, then add explicit allow policies for the traffic each workload actually needs (for example app to database on one port). If the cluster uses a mesh or a CNI-specific policy CRD instead of core NetworkPolicy, apply the equivalent there. Roll out in a staging namespace first to catch flows you forgot.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo