kubescape · craigbox · Oct 4, 2023 · Oct 2, 2023 · Oct 2, 2023
diff --git a/README.md b/README.md
@@ -137,7 +137,7 @@ Example of rule.metadata.json:
       {
         "path": "settings.postureControlInputs.cpu_request_max",
         "name": "cpu_request_max",
-        "description": "Ensure CPU max requests are set"
+        "description": "Ensure a CPU resource request is set and is under this defined maximum value."
       }
     ],
     "description": "CPU limits and requests are not set.",

diff --git a/rules/K8s common labels usage/rule.metadata.json b/rules/K8s common labels usage/rule.metadata.json
@@ -51,7 +51,7 @@
       {
         "path": "settings.postureControlInputs.k8sRecommendedLabels",
         "name": "Kubernetes Recommended Labels",
-        "description": "Kubescape checks that workloads have at least one of the following kubernetes recommended labels."
+        "description": "Kubescape checks that workloads have at least one of this list of configurable labels, as recommended in the Kubernetes documentation."
       }
     ],
     "description": "Check if the list of label that start with app.kubernetes.io/ are defined.",

diff --git a/rules/container-image-repository-v1/rule.metadata.json b/rules/container-image-repository-v1/rule.metadata.json
@@ -53,7 +53,7 @@
     {
       "path": "settings.postureControlInputs.imageRepositoryAllowList",
       "name": "Allowed image repositories",
-      "description": "Kubescape checks that all the containers are using images from the allowed repositories provided in the following list."
+      "description": "Kubescape checks that all container images are from repositories explicitly allowed in this list."
     }
   ],
   "description": "Fails if image is not from allowed repository",

diff --git a/rules/container-image-repository/rule.metadata.json b/rules/container-image-repository/rule.metadata.json
@@ -53,7 +53,7 @@
     {
       "path": "settings.postureControlInputs.imageRepositoryAllowList",
       "name": "Allowed image repositories",
-      "description": "Kubescape checks that all the containers are using images from the allowed repositories provided in the following list."
+      "description": "Kubescape checks that all container images are from repositories explicitly allowed in this list."
     }
   ],
   "description": "Fails if image is not from allowed repository",

diff --git a/rules/excessive_amount_of_vulnerabilities_pods/rule.metadata.json b/rules/excessive_amount_of_vulnerabilities_pods/rule.metadata.json
@@ -41,13 +41,13 @@
   "controlConfigInputs": [
     {
       "path": "settings.postureControlInputs.max_critical_vulnerabilities",
-      "name": "Max critical vulnerabilities",
-      "description": "Maximum amount of allowed critical risk vulnerabilities"
+      "name": "Max Critical vulnerabilities",
+      "description": "The maximum number of Critical severity vulnerabilities permitted."
     },
     {
       "path": "settings.postureControlInputs.max_high_vulnerabilities",
-      "name": "Max high vulnerabilities",
-      "description": "Maximum amount of allowed high risk vulnerabilities"
+      "name": "Max High vulnerabilities",
+      "description": "The maximum number of High severity vulnerabilities permitted."
     }
   ],
   "ruleDependencies": [

diff --git a/rules/exposed-sensitive-interfaces-v1/rule.metadata.json b/rules/exposed-sensitive-interfaces-v1/rule.metadata.json
@@ -58,7 +58,7 @@
     {
       "path": "settings.postureControlInputs.sensitiveInterfaces",
       "name": "Sensitive interfaces",
-      "description": "The following interfaces were seen exploited. Kubescape checks it they are externally exposed."
+      "description": "List of known software interfaces that should not generally be exposed to the Internet."
     }
   ],
   "description": "fails if known interfaces have exposed services",

diff --git a/rules/exposed-sensitive-interfaces/rule.metadata.json b/rules/exposed-sensitive-interfaces/rule.metadata.json
@@ -58,7 +58,7 @@
     {
       "path": "settings.postureControlInputs.servicesNames",
       "name": "Service names",
-      "description": "Kubescape will look for the following services that exposes sensitive interfaces of common K8s projects/applications"
+      "description": "List of services relating to known software interfaces that should not generally be exposed to the Internet."
     }
   ],
   "description": "fails if known interfaces have exposed services",

diff --git a/rules/insecure-capabilities/rule.metadata.json b/rules/insecure-capabilities/rule.metadata.json
@@ -51,7 +51,7 @@
     {
       "path": "settings.postureControlInputs.insecureCapabilities",
       "name": "Insecure capabilities",
-      "description": "You can see the list of capabilities in https://man7.org/linux/man-pages/man7/capabilities.7.html. Kubescape looks for the following capabilities in containers which might lead to attackers getting high privileges in your system."
+      "description": "Kubescape looks for these capabilities in containers, which might lead to attackers getting elevated privileges in your cluster. You can see the full list of possible capabilities at https://man7.org/linux/man-pages/man7/capabilities.7.html."
     }
   ],
   "description": "fails if container has insecure capabilities",

diff --git a/rules/label-usage-for-resources/rule.metadata.json b/rules/label-usage-for-resources/rule.metadata.json
@@ -51,7 +51,7 @@
       {
         "path": "settings.postureControlInputs.recommendedLabels",
         "name": "Recommended Labels",
-        "description": "Kubescape checks that workloads have at least one of the following labels."
+        "description": "Kubescape checks that workloads have at least one label that identifies semantic attributes."
       }
     ],
     "description": "check if a certain set of labels is defined, this is a configurable control. Initial list: app, tier, phase, version, owner, env.",

diff --git a/rules/resources-cpu-limit-and-request/rule.metadata.json b/rules/resources-cpu-limit-and-request/rule.metadata.json
@@ -55,22 +55,22 @@
       {
         "path": "settings.postureControlInputs.cpu_request_max",
         "name": "cpu_request_max",
-        "description": "Ensure CPU max requests are set"
+        "description": "Ensure a CPU resource request is set and is under this defined maximum value."
       },
       {
         "path": "settings.postureControlInputs.cpu_request_min",
         "name": "cpu_request_min",
-        "description": "Ensure CPU min requests are set"
+        "description": "Ensure a CPU resource request is set and is above this defined minimum value."
       },
       {
         "path": "settings.postureControlInputs.cpu_limit_max",
         "name": "cpu_limit_max",
-        "description": "Ensure CPU max limits are set"
+        "description": "Ensure a CPU resource limit is set and is under this defined maximum value."
       },
       {
         "path": "settings.postureControlInputs.cpu_limit_min",
         "name": "cpu_limit_min",
-        "description": "Ensure CPU min limits are set"
+        "description": "Ensure a CPU resource limit is set and is above this defined minimum value."
       }
     ],
     "description": "CPU limits and requests are not set.",

diff --git a/rules/resources-memory-limit-and-request/rule.metadata.json b/rules/resources-memory-limit-and-request/rule.metadata.json
@@ -55,22 +55,22 @@
     {
       "path": "settings.postureControlInputs.memory_request_max",
       "name": "memory_request_max",
-      "description": "Ensure memory max requests are set"
+      "description": "Ensure a memory resource request is set and is under this defined maximum value."
     },
     {
       "path": "settings.postureControlInputs.memory_request_min",
       "name": "memory_request_min",
-      "description": "Ensure memory min requests are set"
+      "description": "Ensure a memory resource request is set and is above this defined minimum value."
     },
     {
       "path": "settings.postureControlInputs.memory_limit_max",
       "name": "memory_limit_max",
-      "description": "Ensure memory max limits are set"
+      "description": "Ensure a memory resource limit is set and is under this defined maximum value."
     },
     {
       "path": "settings.postureControlInputs.memory_limit_min",
       "name": "memory_limit_min",
-      "description": "Ensure memory min limits are set"
+      "description": "Ensure a memory resource limit is set and is under this defined maximum value."
     }
   ],
   "description": "memory limits and requests are not set.",

diff --git a/rules/rule-credentials-configmap/rule.metadata.json b/rules/rule-credentials-configmap/rule.metadata.json
@@ -28,17 +28,17 @@
     {
       "path": "settings.postureControlInputs.sensitiveValues",
       "name": "Values",
-      "description": "Secrets are stored as a key/value pair. The names of the keys/values may change from one company to the other. Below you can find some examples of popular value phrases that Kubescape is searching for"
+      "description": "Strings that identify a value that Kubescape believes should be stored in a Secret, and not in a ConfigMap or an environment variable."
     },
     {
       "path": "settings.postureControlInputs.sensitiveKeyNames",
       "name": "Keys",
-      "description": "Secrets are stored as a key/value pair. The names of the keys/values may change from one company to the other. Here you can find some examples of popular key phrases that Kubescape is searching for"
+      "description": "Key names that identify a potential value that should be stored in a Secret, and not in a ConfigMap or an environment variable."
     },
     {
       "path":  "settings.postureControlInputs.sensitiveValuesAllowed",
       "name": "AllowedValues",
-      "description": "Allowed values"
+      "description": "Explicitly allowed values, which will override sensitiveValues."
     }
   ],
   "description": "fails if ConfigMaps have sensitive information in configuration",

diff --git a/rules/rule-credentials-in-env-var/rule.metadata.json b/rules/rule-credentials-in-env-var/rule.metadata.json
@@ -54,17 +54,17 @@
     {
       "path": "settings.postureControlInputs.sensitiveValues",
       "name": "Values",
-      "description": "Secrets are stored as a key/value pair. The names of the keys/values may change from one company to the other. Below you can find some examples of popular value phrases that Kubescape is searching for"
+      "description": "Strings that identify a value that Kubescape believes should be stored in a Secret, and not in a ConfigMap or an environment variable."
     },
     {
       "path": "settings.postureControlInputs.sensitiveKeyNames",
       "name": "Keys",
-      "description": "Secrets are stored as a key/value pair. The names of the keys/values may change from one company to the other. Here you can find some examples of popular key phrases that Kubescape is searching for"
+      "description": "Key names that identify a potential value that should be stored in a Secret, and not in a ConfigMap or an environment variable."
     },
     {
       "path":  "settings.postureControlInputs.sensitiveValuesAllowed",
       "name": "AllowedValues",
-      "description": "Allowed values"
+      "description": "Explicitly allowed values, which will override sensitiveValues."
     }
   ],
   "description": "fails if Pods have sensitive information in configuration",

diff --git a/rules/rule-identify-blocklisted-image-registries-v1/rule.metadata.json b/rules/rule-identify-blocklisted-image-registries-v1/rule.metadata.json
@@ -54,12 +54,12 @@
     {
       "path": "settings.postureControlInputs.publicRegistries",
       "name": "Public registries",
-      "description": "Kubescape checks none of these public registries are in use."
+      "description": "Kubescape checks none of these public container registries are in use."
     },
     {
       "path": "settings.postureControlInputs.untrustedRegistries",
       "name": "Registries block list",
-      "description": "Kubescape checks none of the following registries are in use."
+      "description": "Kubescape checks none of these user-provided container registries are in use."
     }
   ],
   "description": "Identifying if pod container images are from unallowed registries",

diff --git a/rules/rule-identify-blocklisted-image-registries/rule.metadata.json b/rules/rule-identify-blocklisted-image-registries/rule.metadata.json
@@ -54,12 +54,12 @@
     {
       "path": "settings.postureControlInputs.publicRegistries",
       "name": "Public registries",
-      "description": "Kubescape checks none of these public registries are in use."
+      "description": "Kubescape checks none of these public container registries are in use."
     },
     {
       "path": "settings.postureControlInputs.untrustedRegistries",
       "name": "Registries block list",
-      "description": "Kubescape checks none of the following registries are in use."
+      "description": "Kubescape checks none of these user-provided container registries are in use."
     }
   ],
   "description": "Identifying if pod container images are from unallowed registries",

diff --git a/rules/verify-image-signature/rule.metadata.json b/rules/verify-image-signature/rule.metadata.json
@@ -54,7 +54,7 @@
         {
       "path": "settings.postureControlInputs.trustedCosignPublicKeys",
       "name": "Trusted Cosign public keys",
-      "description": "Trusted Cosign public keys"
+      "description": "A list of trusted Cosign public keys that are used for validating container image signatures."
     }
       ]
   }