SAST finding telling me Kubernetes labels are invalid

Problem to solve

GitLab SAST kics scanner is reporting that a Kubernetes label is invalid.

kubernetes_namespace_v1[my-namespace].metada.labels[app.kubernetes.io/instance] has invalid label

However, when researching this, I found that app.kubernetes.io/instance is actually recommended by Kubernetes. See the documentation here.

The finding does say what the potential vulnerability is and where to find the code in question, but it doesn’t say why it considers it a vulnerability, meaning I don’t know if there is some other source of documentation that contradicts what I have found, or if this is a false positive.

Further adding to my confusion is that the Identifier link in the finding links to a Terraform resource that I am not deploying, so offers no help whatsoever.

What I wish to know is:

  • Is this particular potential vulnerability a false positive?
  • If it is a false positive, will it be addressed (don’t want engineers investigating false positives)?
  • If it is not a false positive, where is the evidence that demonstrates how the kics scanner found the potential vulnerability? At the moment it simply tells me it thinks it’s a potential vulnerability without any explanation as to why.

Steps to reproduce

Create a namespace, commit and create a merge request. In my case I’m using Terraform.

resource "kubernetes_namespace_v1" "my_namespace" {
  metadata {
    name = "my-namespace"

    annotations = {
      name = "my-namespace"
    }

    labels = {
      "app.kubernetes.io/name"     = "my-namespace"
      "app.kubernetes.io/instance" = "my-namespace"
    }
  }
}
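Kubernetes publishes the syntax rules a label must satisfy (an optional DNS-subdomain prefix of at most 253 characters, a slash, and a name segment of at most 63 alphanumeric characters that may contain `-`, `_` or `.` in the middle; values of at most 63 characters with the same character rules, or empty). The Python below is an added example, not part of the original issue and not the kics query itself, whose logic is not visible on this page: it encodes those documented rules and runs them over the labels from the resource above, which is the first check to make before classifying a finding of this kind as a false positive. The `EXAMPLE_LABELS` dictionary is constructed from the Terraform resource; the helper names are my own.

```python
import re

# Patterns follow the label syntax documented by Kubernetes
# (qualified name, DNS-1123 subdomain, label value). This is an
# illustration written for this issue, not the scanner's own rule.
_NAME_RE = re.compile(r"^([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$")
_VALUE_RE = re.compile(r"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$")
_DNS_SUBDOMAIN_RE = re.compile(
    r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
)

# Constructed from the kubernetes_namespace_v1 resource in the report.
EXAMPLE_LABELS = {
    "app.kubernetes.io/name": "my-namespace",
    "app.kubernetes.io/instance": "my-namespace",
}


def label_key_errors(key: str) -> list[str]:
    """Return the documented syntax violations for a label key, or []."""
    errors: list[str] = []
    parts = key.split("/")
    if len(parts) == 1:
        prefix, name = None, parts[0]
    elif len(parts) == 2:
        prefix, name = parts
        if not prefix:
            errors.append("prefix part must be non-empty")
        elif len(prefix) > 253:
            errors.append("prefix part must be no more than 253 characters")
        elif not _DNS_SUBDOMAIN_RE.match(prefix):
            errors.append("prefix part must be a lowercase DNS subdomain")
    else:
        return ["key may contain at most one '/' separating prefix and name"]

    if not name:
        errors.append("name part must be non-empty")
    elif len(name) > 63:
        errors.append("name part must be no more than 63 characters")
    elif not _NAME_RE.match(name):
        errors.append(
            "name part must consist of alphanumerics, '-', '_' or '.', "
            "and start and end with an alphanumeric"
        )
    return errors


def label_value_errors(value: str) -> list[str]:
    """Return the documented syntax violations for a label value, or []."""
    if len(value) > 63:
        return ["value must be no more than 63 characters"]
    if not _VALUE_RE.match(value):
        return [
            "value must be empty or consist of alphanumerics, '-', '_' or '.', "
            "and start and end with an alphanumeric"
        ]
    return []


def check_labels(labels: dict[str, str]) -> dict[str, list[str]]:
    """Map each non-conforming label key to its list of problems.

    An empty dict means every label satisfies the documented syntax.
    """
    problems: dict[str, list[str]] = {}
    for key, value in labels.items():
        errs = [f"key: {e}" for e in label_key_errors(key)]
        errs += [f"value: {e}" for e in label_value_errors(value)]
        if errs:
            problems[key] = errs
    return problems


if __name__ == "__main__":
    result = check_labels(EXAMPLE_LABELS)
    if result:
        for key, errs in result.items():
            print(f"{key}: " + "; ".join(errs))
    else:
        print("all labels conform to the documented Kubernetes label syntax")
```

Running this against the resource's labels reports no violations, so if the scanner still flags the key, the reason has to come from something other than the documented syntax rules, which is exactly the explanation the finding is missing.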

Configuration

stages:
  - test
sast:
  stage: test
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/SAST-IaC.latest.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml

Versions


  • Self-managed version v16.10.2-ee
  • GitLab.com SaaS
  • Self-hosted Runners