Added EntraInternalAuthenticator

[vshekar]

Wrapper around OIDCAuthenticator that extracts username from Entra token

Checklist

• Add a Changelog entry
• Add the ticket number which this PR closes to the comment section

[checkmarx-gh-ast-us-povs]

Checkmarx One – Scan Summary & Details – 02ef2837-e3e7-42ee-bdbb-5ab4422aa707

---

New Issues (140)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CVE-2026-42043	Npm-axios-1.11.0	details Recommended version: 1.15.1 Description: Axios is a promise based HTTP client for the browser and Node.js. In versions prior to 0.31.1 and 1.0.0 prior to 1.15.1 , an attacker who can influ... Attack Vector: NETWORK Attack Complexity: LOW ID: 69v1B7ku91%2BGHsJsZ9TnEAuthbfJMdZW6NbsBfjf%2Bmk%3D Vulnerable Package
2		CVE-2026-4800	Npm-lodash-4.17.21	details Recommended version: 4.18.0 Description: The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to "options.imports" key na... Attack Vector: NETWORK Attack Complexity: LOW ID: MZTyN2nQzWrpBYmUdLxJs%2Bhhr7Vq3zQR8rYR7G86%2FIE%3D Vulnerable Package
3		Command_Injection	tiled/client/context.py: 62	details The application's method calls an OS (shell) command with input, at line 62 of /tiled/client/context.py, using an untrusted string with the com... ID: sBr2%2BWSuWdae8UM2SltaqEjaWP8%3D Attack Vector
4		Command_Injection	tiled/client/context.py: 84	details The application's method calls an OS (shell) command with input, at line 84 of /tiled/client/context.py, using an untrusted string with the com... ID: RjAYkbV8IzhQ3Rvh9qs2YYnqv6g%3D Attack Vector
5		Stored_Command_Injection	tiled/utils.py: 498	details The application's method calls an OS (shell) command with filepath, at line 84 of /tiled/commandline/_profile.py, using an untrusted string wi... ID: okROum3Vq0g4ZxmvEod80dhYVGA%3D Attack Vector
6		CVE-2025-58754	Npm-axios-1.11.0	details Recommended version: 1.15.1 Description: Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to version 1.12.0 runs on Node.js and is given a URL with the "d... Attack Vector: NETWORK Attack Complexity: LOW ID: Tk8%2FR19s2myhgY9RW86mY4hgVvtQG1d4HKcl5jmBoJA%3D Vulnerable Package
7		CVE-2025-64756	Npm-glob-10.4.5	details Recommended version: 10.5.0 Description: Glob matches files using patterns the shell uses. In versions 10.2.0 prior to 10.5.0 and 11.0.0 prior to 11.1.0, the glob CLI contains a command in... Attack Vector: NETWORK Attack Complexity: HIGH ID: 77AkxJjT0t%2FHIXlWAj4fq1st4co79215Xk1AHhLKLiw%3D Vulnerable Package
8		CVE-2026-25639	Npm-axios-1.11.0	details Recommended version: 1.15.1 Description: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.5, the mergeConfig function in axios crashes with a TypeError when ... Attack Vector: NETWORK Attack Complexity: LOW ID: CaE1A97vl4AyW1PRGUmuSEIwwzkzp6X5AyQ9gn6gbDo%3D Vulnerable Package
9		CVE-2026-26996	Npm-minimatch-9.0.5	details Recommended version: 9.0.7 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 3.1.3, 4.0.0 prior to 4.2... Attack Vector: NETWORK Attack Complexity: LOW ID: gLRLNoPYaxctk2VXz5vRN%2Fw4bmnMmNEs7SLIC7M8Xfk%3D Vulnerable Package
10		CVE-2026-27606	Npm-rollup-4.48.1	details Recommended version: 4.59.0 Description: Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.0.0 prior to 3.30.0, and 4.0.0 prior to 4.59.0 of the Rollup module bundler ... Attack Vector: NETWORK Attack Complexity: LOW ID: Ts35JMSCvT2JfUbHUC0msZ9W%2FB5TzHjy7sKeHbdQeaE%3D Vulnerable Package
11		CVE-2026-27903	Npm-minimatch-9.0.5	details Recommended version: 9.0.7 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ... Attack Vector: NETWORK Attack Complexity: LOW ID: 6hGN46e607LvZyNgP5E4IslDszRoAgd%2BDG%2FFwUHu8zQ%3D Vulnerable Package
12		CVE-2026-27904	Npm-minimatch-9.0.5	details Recommended version: 9.0.7 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ... Attack Vector: NETWORK Attack Complexity: LOW ID: xBGZnnzgBExrNGL38Aahw7NZ4a8uOYBg%2FL2qb2ZrCxw%3D Vulnerable Package
13		CVE-2026-33671	Npm-picomatch-4.0.3	details Recommended version: 4.0.4 Description: `picomatch` is vulnerable prior to 2.3.2, 3.x prior to 3.0.2 and 4.x prior to 4.0.4, to Regular Expression Denial of Service (ReDoS) when processi... Attack Vector: NETWORK Attack Complexity: LOW ID: 7Dcpfc1X%2ByMoj5%2B0y2uJ3RpyTjaqQ2HvnWM3ddgBHLY%3D Vulnerable Package
14		CVE-2026-33671	Npm-picomatch-2.3.1	details Recommended version: 2.3.2 Description: `picomatch` is vulnerable prior to 2.3.2, 3.x prior to 3.0.2 and 4.x prior to 4.0.4, to Regular Expression Denial of Service (ReDoS) when processi... Attack Vector: NETWORK Attack Complexity: LOW ID: gEAShZp9WVfA1wp%2B%2F82okDjmtKGK6sAqEr8yAHCSHU4%3D Vulnerable Package
15		CVE-2026-33750	Npm-brace-expansion-2.0.2	details Recommended version: 2.0.3 Description: The brace-expansion library generates arbitrary strings containing a common prefix and suffix. In versions prior to 1.1.13, 2.0.0 prior to 2.0.3, 3... Attack Vector: NETWORK Attack Complexity: LOW ID: YvR60PdYijPt%2FqQxOivnumhSudL5DMv56mepIEI4dq0%3D Vulnerable Package
16		CVE-2026-39363	Npm-vite-7.1.3	details Recommended version: 7.3.2 Description: Vite is a frontend tooling framework for JavaScript. From 6.0.0 prior to 6.4.2, 7.0.0 prior to 7.3.2, and 8.0.0 prior to 8.0.5, if it is possible t... Attack Vector: NETWORK Attack Complexity: LOW ID: YvMFW6EpUsYC5IZph%2FB1IbzstLcEpwI%2BKmiG4uIn6tE%3D Vulnerable Package
17		CVE-2026-39364	Npm-vite-7.1.3	details Recommended version: 7.3.2 Description: Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.0 prior to 8.0.5, on the Vite dev server, files that should... Attack Vector: NETWORK Attack Complexity: LOW ID: ju0fzulooAD2EDBhgU47PfRd1iynC5pTRy%2FegpfZlUM%3D Vulnerable Package
18		Deserialization_of_Untrusted_Data	tiled/access_control/access_tags.py: 341	details The serialized object tag_config_file processed in  in the file /tiled/access_control/access_tags.py at line 341 is deserialized by load in th... ID: s%2FEQR7%2BMu8jfcaG%2Fk5avRMQ8zsQ%3D Attack Vector
19		Deserialization_of_Untrusted_Data	example_configs/catalog/create_catalog.py: 19	details The serialized object config_file processed in  in the file /example_configs/catalog/create_catalog.py at line 19 is deserialized by load in th... ID: zlWNkoG%2FsLtZkmRzMNGjjEVbTrI%3D Attack Vector
20		Passwords And Secrets - Generic Password	/compose.yaml: 6	details Query to find passwords and secrets in infrastructure code. ID: HVZArRam0IAapfdAV%2F6NLRSjDTU%3D
21		Passwords And Secrets - Generic Password	/ldap-docker-compose.yml: 11	details Query to find passwords and secrets in infrastructure code. ID: VSJ0FwnLiahAmNH1p7zhT9jADzY%3D
22		Passwords And Secrets - Generic Password	/docker-compose.yml: 12	details Query to find passwords and secrets in infrastructure code. ID: l0Xwj0Fo6THxWfyAQPlvOREfwfo%3D
23		Passwords And Secrets - Generic Password	/minio-docker-compose.yml: 12	details Query to find passwords and secrets in infrastructure code. ID: 4y%2FFuVk%2Bv5nQkpgT98Qewb8UEvg%3D
24		Passwords And Secrets - Password in URL	/ci.yml: 97	details Query to find passwords and secrets in infrastructure code. ID: ooMV1HclmPdeztUpoHrOdQn58IQ%3D
25		Passwords And Secrets - Password in URL	/ci.yml: 99	details Query to find passwords and secrets in infrastructure code. ID: QUmz9X6yBZuVaUloUb6xPRYcCDs%3D
26		Passwords And Secrets - Password in URL	/docker-compose.yml: 18	details Query to find passwords and secrets in infrastructure code. ID: bo0HFldxPfsF9pW2A6SM01bUefA%3D
27		Passwords And Secrets - Password in URL	/minio-docker-compose.yml: 18	details Query to find passwords and secrets in infrastructure code. ID: djaf00a8j1ekSUkqB4pklRuA1BY%3D
28		Passwords And Secrets - Password in URL	/ci.yml: 86	details Query to find passwords and secrets in infrastructure code. ID: vsXgAsWQbFcWe%2BXpJPM4XSWApGM%3D
29		Privilege Escalation Allowed	/deployment.yaml: 70	details Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process ID: x18ot5VVsfWGwxIbM2dYZ4wNNHU%3D
30		CVE-2025-13465	Npm-lodash-4.17.21	details Recommended version: 4.18.0 Description: Lodash versions from 4.0.0 through 4.17.22 are vulnerable to Prototype Pollution in the "_.unset" and "_.omit" functions. An attacker can pass craf... Attack Vector: NETWORK Attack Complexity: LOW ID: PGkAsDx7ndDyhftJhh8wHwgboyH4sNwZqTtgFn%2BGrp4%3D Vulnerable Package
31		CVE-2025-59288	Npm-playwright-1.55.0	details Recommended version: 1.55.1 Description: In versions prior to 1.55.1, improper verification of the cryptographic signature in Playwright allows an unauthorized attacker to perform spoofin... Attack Vector: ADJACENT_NETWORK Attack Complexity: HIGH ID: HyBH7M874c65xJsriOKdctz1m6%2BDzc07NqayshrOpuc%3D Vulnerable Package
32		CVE-2025-62522	Npm-vite-7.1.3	details Recommended version: 7.3.2 Description: Vite is a frontend tooling framework for JavaScript. In versions 2.9.18 prior to 3.0.0, 3.2.9 prior to 4.0.0, 4.5.3 prior to 5.0.0, 5.2.6 prior to ... Attack Vector: NETWORK Attack Complexity: LOW ID: 2as5fBlw4LeiEQXsvnFFBgF9Azvt1ARiwKgIHTjTYNI%3D Vulnerable Package
33		CVE-2025-62718	Npm-axios-1.11.0	details Recommended version: 1.15.1 Description: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when chec... Attack Vector: NETWORK Attack Complexity: LOW ID: 0Y75cCraGWxnOjz3JbQZHQaODKSlZoh6vw94ay6wApc%3D Vulnerable Package
34		CVE-2025-64718	Npm-js-yaml-4.1.0	details Recommended version: 4.1.1 Description: js-yaml is a JavaScript YAML parser and dumper. In js-yaml versions through 3.14.1 and 4.x through 4.1.0, it's possible for an attacker to modify t... Attack Vector: NETWORK Attack Complexity: LOW ID: YjYZG1FppdL9n1%2F0xT%2FsgpHcAwzoByxQ%2FONYRCjJpOc%3D Vulnerable Package
35		CVE-2025-68470	Npm-react-router-6.30.1	details Recommended version: 6.30.2 Description: React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.6-pre.0, an attacker-supplied path can be crafted so tha... Attack Vector: NETWORK Attack Complexity: LOW ID: fQ8PPZuzoYrU9wbub1BRnMlKXrCAxAJkBK7WbhgY57Y%3D Vulnerable Package
36		CVE-2025-68470	Npm-@remix-run/router-1.23.0	details Recommended version: 1.23.2 Description: React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.6-pre.0, an attacker-supplied path can be crafted so tha... Attack Vector: NETWORK Attack Complexity: LOW ID: lNLLBdu1uIYeIMvgL%2BaEUHZXIXBwD5hg3VhupyEsEEw%3D Vulnerable Package
37		CVE-2026-22029	Npm-@remix-run/router-1.23.0	details Recommended version: 1.23.2 Description: React Router is a router for React. In @remix-run/router version through 1.23.1, and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/... Attack Vector: NETWORK Attack Complexity: LOW ID: pk%2Fmoto9gylgeUtuXXuhMU75zo1crz0nl4yCxg%2BDGa8%3D Vulnerable Package
38		CVE-2026-33532	Npm-yaml-1.10.2	details Recommended version: 1.10.3 Description: yaml is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of yaml on the 1.x branch prior to 1.10.3 or on the 2.x... Attack Vector: NETWORK Attack Complexity: LOW ID: lQBaLuPoGR%2BummFLlSO8SiRWYP97kOIPSOu%2BS3nG%2BBw%3D Vulnerable Package
39		CVE-2026-40175	Npm-axios-1.11.0	details Recommended version: 1.15.1 Description: Axios is a promise-based HTTP client for the browser and Node.js. Prior to 0.31.0 and 1.x prior to 1.15.0, the Axios library is vulnerable to a spe... Attack Vector: NETWORK Attack Complexity: HIGH ID: VI0Ibxk0ToNI%2FfnGsU3mjumlGalU1sFCNTGf2bu4Cr4%3D Vulnerable Package
40		CVE-2026-40895	Npm-follow-redirects-1.15.11	details Recommended version: 1.16.0 Description: follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to versio... Attack Vector: NETWORK Attack Complexity: LOW ID: 2ieILUkRc6s9wpsMiPVHh7hFAqqc1QDIrDQS3Ryz68I%3D Vulnerable Package
41		Container Capabilities Unrestricted	/docker-compose.yml: 3	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec... ID: H11DtRm9NRTsa6gby62Q%2FBungKg%3D
42		Container Capabilities Unrestricted	compose.yml: 51	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec... ID: eqtRJzhibSXlw%2BC3Nwn%2Fu8%2F%2FBhY%3D
43		Container Capabilities Unrestricted	/minio-docker-compose.yml: 15	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec... ID: S0GX%2FbsjjP1AoyU8mQjO0Nl71Uo%3D
44		Container Capabilities Unrestricted	/compose.yaml: 35	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec... ID: R3QJhm6Pp0VPUBUH0%2BprrDHvojQ%3D
45		Container Capabilities Unrestricted	compose.dev.yml: 56	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec... ID: A3FxKPCjvixSO1EA4tI11n%2BH9jM%3D
46		Container Capabilities Unrestricted	/compose.yaml: 22	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec... ID: 9hDyMxPasWjX%2BYIzkgkrTT3Uoxo%3D
47		Container Capabilities Unrestricted	compose.dev.yml: 34	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec... ID: XatdU15pM75XmqinCwXBccmyPLc%3D
48		Container Capabilities Unrestricted	compose.yml: 29	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec... ID: X7Ubxha12il8AUZ6kZkk%2F%2FosZ5c%3D
49		Container Capabilities Unrestricted	compose.dev.yml: 3	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec... ID: bn6IUBQParyXV2Tynjg4HZdIy74%3D
50		Container Capabilities Unrestricted	compose.yml: 3	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec... ID: QR1lq9BY0b%2FsXfW0s%2BLFo9U6N0k%3D
51		Container Capabilities Unrestricted	/minio-docker-compose.yml: 3	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec... ID: D5kGQvqg7xVVxSDJdh8owOMDeG8%3D
52		Container Capabilities Unrestricted	/compose.yaml: 3	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec... ID: mrpQDaSdUSSvd5IV2RZ2nhiTIFs%3D
53		Container Capabilities Unrestricted	compose.monitoring.yml: 3	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec... ID: u7p4CmPEIm%2BNEDJWrqMpoxS7TKA%3D
54		Container Capabilities Unrestricted	compose.monitoring.yml: 16	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec... ID: JqWjSqFkXCKEED2mG8VQp%2BRdexo%3D
55		Container Capabilities Unrestricted	/docker-compose.yml: 15	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec... ID: QjwQ82YkdMtxFrRj1njUvN5grOU%3D
56		Container Capabilities Unrestricted	/ldap-docker-compose.yml: 4	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec... ID: 5bpEDTi588IpPBxzWTpv%2Ff0ko9s%3D
57		Container Running As Root	/deployment.yaml: 70	details Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibiliti... ID: AWt669WiLRZ%2Bs351Jjp314EbQV4%3D
58		Container Running With Low UID	/deployment.yaml: 70	details Check if containers are running with low UID, which might cause conflicts with the host's user table. ID: cmg4d9ULyk8Fuwu78vJExIEWe24%3D
59		Container Traffic Not Bound To Host Interface	/minio-docker-compose.yml: 5	details Incoming container traffic should be bound to a specific host interface ID: ZLfEbBPupxQAftfOmhYgph1tEaQ%3D
60		Container Traffic Not Bound To Host Interface	/compose.yaml: 29	details Incoming container traffic should be bound to a specific host interface ID: 0s%2BsNZ77xifKdLllrHHaMV2ZNfM%3D
61		Container Traffic Not Bound To Host Interface	/ldap-docker-compose.yml: 6	details Incoming container traffic should be bound to a specific host interface ID: tePLgT27mV7ZxS1KEszzaSHDfeI%3D
62		Container Traffic Not Bound To Host Interface	/compose.yaml: 38	details Incoming container traffic should be bound to a specific host interface ID: %2F%2BDEifLpH1dFtdnrZXe6YeFtnvg%3D
63		Container Traffic Not Bound To Host Interface	compose.monitoring.yml: 20	details Incoming container traffic should be bound to a specific host interface ID: mRwfy0dH4EToZ0F72OXUBv2gcIU%3D
64		Container Traffic Not Bound To Host Interface	compose.dev.yml: 17	details Incoming container traffic should be bound to a specific host interface ID: WoiEjhAVu59ZT0bpCYUA5ntJYFQ%3D
65		Container Traffic Not Bound To Host Interface	/docker-compose.yml: 5	details Incoming container traffic should be bound to a specific host interface ID: fZZt1ObLMu6Z9%2FLar1V0WYWKdDg%3D
66		Container Traffic Not Bound To Host Interface	compose.yml: 12	details Incoming container traffic should be bound to a specific host interface ID: uRpyUr4GF2RYaU3K1NXv21h3eHw%3D
67		Container Traffic Not Bound To Host Interface	/compose.yaml: 13	details Incoming container traffic should be bound to a specific host interface ID: VFx7t6arKqrxOR6HF0GSfUlAJCk%3D
68		Healthcheck Not Set	/ldap-docker-compose.yml: 4	details Check containers periodically to see if they are running properly. ID: nXoTfRDDC292HWBmwzq5mrsYH%2Bw%3D
69		Healthcheck Not Set	/docker-compose.yml: 15	details Check containers periodically to see if they are running properly. ID: zbItMbEis9HnbocUSWQKIo15oZw%3D
70		Healthcheck Not Set	/minio-docker-compose.yml: 15	details Check containers periodically to see if they are running properly. ID: aDOzmNJiuXtam%2Bu%2BK9yyVL%2BnYVY%3D
71		Healthcheck Not Set	/compose.yaml: 35	details Check containers periodically to see if they are running properly. ID: HaWs5bydzOq2dolYRQAWzRG63EU%3D
72		Healthcheck Not Set	compose.monitoring.yml: 3	details Check containers periodically to see if they are running properly. ID: ARR%2F7BpSkq4gMbjNKqZSIc0HkXE%3D
73		Healthcheck Not Set	/compose.yaml: 22	details Check containers periodically to see if they are running properly. ID: UmAtUyd1zWtMToIQR5rxIIJB2DE%3D
74		Healthcheck Not Set	/minio-docker-compose.yml: 3	details Check containers periodically to see if they are running properly. ID: H7zx5WFvga2tyFIhvoNy51Z7L%2Fc%3D
75		Healthcheck Not Set	/docker-compose.yml: 3	details Check containers periodically to see if they are running properly. ID: qp1vq4mPAhSxfCA24Llw78W8WwM%3D
76		Healthcheck Not Set	compose.monitoring.yml: 16	details Check containers periodically to see if they are running properly. ID: o9zrfq36055ug91fyGFpk4rKolc%3D
77		Memory Limits Not Defined	/deployment.yaml: 70	details Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than ... ID: y0MXEgfDTZ7dWedSAixX%2BSQImaY%3D
78		Memory Not Limited	/docker-compose.yml: 15	details Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than ... ID: FF1H9MwozsQpWLZjI9452z8%2FIP0%3D
79		Memory Not Limited	/ldap-docker-compose.yml: 4	details Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than ... ID: 3zXZ8OWqDroj4pDie3qO1HX39XI%3D
80		Memory Not Limited	/minio-docker-compose.yml: 3	details Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than ... ID: nZ54baE0Fl9Jsqz7YV8Knqd3Jj8%3D
81		Memory Not Limited	/minio-docker-compose.yml: 15	details Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than ... ID: djlbojOgV1yF%2BICmPLtXvG1zLDg%3D
82		Memory Not Limited	/docker-compose.yml: 3	details Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than ... ID: xxpaBqannCPNo38eiCHVPjNlaBk%3D
83		Memory Requests Not Defined	/deployment.yaml: 70	details Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents ove... ID: 6%2F%2Ftgyf6ZmuvKIPY9NvIPHB%2Fico%3D
84		NET_RAW Capabilities Not Being Dropped	/deployment.yaml: 70	details Containers should drop 'ALL' or at least 'NET_RAW' capabilities ID: tH14XfajxWdP3B2PSfebqjlONRM%3D
85		Pids Limit Not Set	/ldap-docker-compose.yml: 4	details 'pids_limit' should be set and different than -1 ID: qGekROaBQGbge0l2y8sYfTnW1YI%3D
86		Seccomp Profile Is Not Configured	/deployment.yaml: 70	details Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls ID: jWtO9WrQjm6sx1E2S%2Bljf8xS1kM%3D
87		Security Opt Not Set	/compose.yaml: 22	details Attribute 'security_opt' should be defined. ID: u%2Bv4tV1Y5QB%2BoZwvKyn%2Fd9P7f7Q%3D
88		Security Opt Not Set	/minio-docker-compose.yml: 15	details Attribute 'security_opt' should be defined. ID: ZMaGqiW82J2r664B6uUICIR7cQI%3D
89		Security Opt Not Set	/docker-compose.yml: 3	details Attribute 'security_opt' should be defined. ID: F3ukETJwVO8%2BBGYhpD1E4oOiA1Q%3D
90		Security Opt Not Set	/docker-compose.yml: 15	details Attribute 'security_opt' should be defined. ID: Flxyks%2BBNKTpbIq2A%2FuwH7Ey0HU%3D
91		Security Opt Not Set	compose.yml: 29	details Attribute 'security_opt' should be defined. ID: vRkEZFT8R7i%2FmyEn%2BczLCmb%2Bnv0%3D
92		Security Opt Not Set	compose.yml: 3	details Attribute 'security_opt' should be defined. ID: uinVHVwUWWS2ysslhu9VBHXI5oU%3D
93		Security Opt Not Set	compose.yml: 51	details Attribute 'security_opt' should be defined. ID: 5u%2BOirv3fdWwOjEhSCkjgSi23ww%3D
94		Security Opt Not Set	compose.monitoring.yml: 3	details Attribute 'security_opt' should be defined. ID: VhvCLWUEw8afNDsSeA21Cr2SULc%3D
95		Security Opt Not Set	compose.dev.yml: 3	details Attribute 'security_opt' should be defined. ID: jHZCGE1wpAgBHGEnxVvMLaV5P8g%3D
96		Security Opt Not Set	compose.dev.yml: 34	details Attribute 'security_opt' should be defined. ID: l3S5ahpP0tt0UCRCJdBDJSiVonY%3D
97		Security Opt Not Set	/compose.yaml: 3	details Attribute 'security_opt' should be defined. ID: WluCYMEN4T8TVLUBoth7mLqcqbI%3D
98		Security Opt Not Set	compose.dev.yml: 56	details Attribute 'security_opt' should be defined. ID: YJL%2BGgV%2BVFvh8zS%2FfBJNYA6ASCo%3D
99		Security Opt Not Set	/minio-docker-compose.yml: 3	details Attribute 'security_opt' should be defined. ID: HZ9AaY87SMAtUb1T0TFHFMvGHoE%3D
100		Security Opt Not Set	/ldap-docker-compose.yml: 4	details Attribute 'security_opt' should be defined. ID: utnIvxmRiPPElXiEqsJG17XJIzc%3D
101		Security Opt Not Set	/compose.yaml: 35	details Attribute 'security_opt' should be defined. ID: 5ZEp2HZvubr%2FaEpBrkkmH7mM5j4%3D
102		Security Opt Not Set	compose.monitoring.yml: 16	details Attribute 'security_opt' should be defined. ID: P%2FFFO5YiXNaWJyd1LXWa92vSDhA%3D
103		Service Account Token Automount Not Disabled	/deployment.yaml: 25	details Service Account Tokens are automatically mounted even if not necessary ID: oKkmpqluOkYCk3vM%2BsPhjwXuAeA%3D
104		Shared Host Network Namespace	/compose.yaml: 36	details Container should not share the host network namespace ID: CFA4NW3IsZfkhZkjletM6tVAKSs%3D
105		Shared Host Network Namespace	/compose.yaml: 23	details Container should not share the host network namespace ID: gPHRlRNcFuN%2Bt1N%2FSxmVMlp3tRk%3D
106		Use_Of_Hardcoded_Password	tiled/client/context.py: 113	details The application uses the hard-coded password "password" for authentication purposes, either using it to verify users' identities, or to access ano... ID: mhVAzNjtlhncduPN%2BjC4S8JT13w%3D Attack Vector
107		Use_Of_Hardcoded_Password	tiled/alembic_utils.py: 127	details The application uses the hard-coded password "[redacted]" for authentication purposes, either using it to verify users' identities, or to access... ID: 3V%2BBhb15zjXX%2BeiqihuEspuYiGs%3D Attack Vector
108		Use_Of_Hardcoded_Password	tiled/alembic_utils.py: 153	details The application uses the hard-coded password "[redacted]" for authentication purposes, either using it to verify users' identities, or to access... ID: qtK4WnBeCyNxDXUna%2B69nbhtC8E%3D Attack Vector
109		Use_of_Broken_or_Risky_Cryptographic_Algorithm	tiled/adapters/sql.py: 135	details In , the application protects sensitive data using a cryptographic algorithm, hexdigest, that is considered weak or even trivially broken, in /tile... ID: QCeC25%2Bsll4ISwokN0xaq%2FL%2FHa4%3D Attack Vector
110		Use_of_Broken_or_Risky_Cryptographic_Algorithm	tiled/catalog/utils.py: 10	details In , the application protects sensitive data using a cryptographic algorithm, hexdigest, that is considered weak or even trivially broken, in /tile... ID: aeZYj4It%2FHW4RyK6Z24ePh8aYH0%3D Attack Vector
111		Using Unrecommended Namespace	/configmap.yaml: 4	details Namespaces like 'default', 'kube-system' or 'kube-public' should not be used ID: ihIrpLAqhj37Kie6jj9iZ9eTcZE%3D
112		Using Unrecommended Namespace	/service.yaml: 3	details Namespaces like 'default', 'kube-system' or 'kube-public' should not be used ID: YS8mlkhTCPXH7dVkg25Uizyd11k%3D
113		CPU Limits Not Set	/deployment.yaml: 70	details CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests ID: K4SClj4RiLMt%2BGkRT4hTH5g2a2A%3D
114		CPU Requests Not Set	/deployment.yaml: 70	details CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node ID: axr7NbJGf9kosuTYvLyVVO0VsQA%3D
115		CVE-2025-58751	Npm-vite-7.1.3	details Recommended version: 7.3.2 Description: Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the ... Attack Vector: NETWORK Attack Complexity: LOW ID: a8iILvZpEf%2BrjdknIEZRAtVa7KTZsM1owI3YBtSTbYs%3D Vulnerable Package
116		CVE-2025-58752	Npm-vite-7.1.3	details Recommended version: 7.3.2 Description: Vite is a frontend tooling framework for JavaScript. In Vite versions through 5.4.19, 6.x through 6.3.5, 7.0.x through 7.0.6 and 7.1.x through 7.1.... Attack Vector: NETWORK Attack Complexity: LOW ID: kOoMOprOpnd5pZsobXxMd2PQ%2FZebPGsqZDva45pr%2F80%3D Vulnerable Package
117		Cpus Not Limited	/ldap-docker-compose.yml: 4	details CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests ID: YOXQBmN0A9AtsklLZNj57q%2BjVGw%3D
118		Cpus Not Limited	/minio-docker-compose.yml: 3	details CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests ID: uNSwp4eixlgtaWPqcb%2F7LTA0z%2B4%3D
119		Cpus Not Limited	/docker-compose.yml: 3	details CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests ID: 7MvwtU456lTcJJEv5z9sY2BpC0o%3D

More results are available on the CxOne platform

---

Communicate with Checkmarx by submitting a PR comment with @Checkmarx followed by one of the supported commands. Learn about the supported commands here.

[danielballan]

Just noting here our plan to not merge this but step back and consider what we want to do here.