@esticansat (Contributor) commented Aug 8, 2025

Fixes #658

This PR builds on top of the work by #694.

Starting on Kubernetes 1.31, support for AppArmor is considered stable. As part of this change, the AppArmor configuration is no longer tracked as part of annotations but within the securityContext fields of the manifest. The changes of this PR aim at updating Kubesec so that it can now check for this new location of AppArmor. Additionally, a new rule is introduced called AppArmorUnconfined, which checks that the profile for AppArmor is not set to the Unconfined value.

The list of locations where the AppArmor profile can be specified is nicely recollected under the Kubernetes PSS documentation page (search for 'AppArmor' under either the baseline or restricted policy sections):

spec.securityContext.appArmorProfile.type
spec.containers[*].securityContext.appArmorProfile.type
spec.initContainers[*].securityContext.appArmorProfile.type
spec.ephemeralContainers[*].securityContext.appArmorProfile.type

Consequently I have:

  • Updated the ApparmorAny rule and unit tests to look for the values of the apparmorProfile in the four places above.
  • Created the new ApparmorUnconfined rule and unit tests to look for the values of the apparmorProfile in the four places above.
  • Added new acceptance tests to cover for the new AppArmor scenarios.
  • Fixed two regression tests that included evaluating AppArmor annotations and, as a result, now return different scores.

All Submissions.

Code Submissions.

  • Does your submission pass linting, tests, and security analysis?

Changes to Core Features.

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your core changes, as applicable?
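The four lookups listed above, as an added example (not Kubesec's own code): it assumes the Pod manifest is already in JSON form, collects every appArmorProfile.type value for an ApparmorAny-style check, and reports the paths set to Unconfined for an ApparmorUnconfined-style check.

```go
package main // added example, not Kubesec's own code; assumes a Pod manifest in JSON form

import "encoding/json"
import "fmt"

type Finding struct{ Path, Type string } // one appArmorProfile.type value and its manifest path
// SampleManifest is a constructed Pod that sets three of the four locations.
const SampleManifest = `{"kind":"Pod","spec":{"securityContext":{"appArmorProfile":{"type":"RuntimeDefault"}},
 "initContainers":[{"name":"init","securityContext":{"appArmorProfile":{"type":"Unconfined"}}}],
 "containers":[{"name":"app","securityContext":{"appArmorProfile":{"type":"Localhost"}}},{"name":"sidecar"}]}}`

// profileType reads securityContext.appArmorProfile.type; nil maps and failed assertions give ok=false.
func profileType(obj map[string]any) (string, bool) {
	sc, _ := obj["securityContext"].(map[string]any)
	prof, _ := sc["appArmorProfile"].(map[string]any)
	t, ok := prof["type"].(string)
	return t, ok
}

// AppArmorFindings checks spec.securityContext and each entry of spec.containers,
// spec.initContainers and spec.ephemeralContainers; ApparmorAny holds when len > 0.
func AppArmorFindings(manifest []byte) ([]Finding, error) {
	var doc struct{ Spec map[string]any } // encoding/json matches "spec" case-insensitively
	if err := json.Unmarshal(manifest, &doc); err != nil {
		return nil, err
	}
	var found []Finding
	add := func(path string, obj map[string]any) {
		if t, ok := profileType(obj); ok {
			found = append(found, Finding{path + ".securityContext.appArmorProfile.type", t})
		}
	}
	add("spec", doc.Spec)
	for _, list := range []string{"containers", "initContainers", "ephemeralContainers"} {
		items, _ := doc.Spec[list].([]any)
		for i, item := range items {
			c, _ := item.(map[string]any)
			add(fmt.Sprintf("spec.%s[%d]", list, i), c)
		}
	}
	return found, nil
}

// ApparmorUnconfined returns the paths that explicitly opt out of AppArmor; a rule would score each negatively.
func ApparmorUnconfined(f []Finding) (bad []string) {
	for _, x := range f {
		if x.Type == "Unconfined" { bad = append(bad, x.Path) }
	}
	return bad
}
```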

kusari-inspector bot commented Aug 8, 2025

Kusari Analysis Results

Analysis for commit: f533c72, performed at: 2025-09-05T09:23:07Z


Recommendation

✅ PROCEED with this Pull Request

Summary

No Flagged Issues Detected

All values appear to be within acceptable risk parameters.

Combined analysis shows no critical security risks to production systems. While 368 security issues were detected, they are exclusively located in test asset files (test/asset/ directory) that are intentionally designed with insecure configurations to validate the Kubesec security scanner functionality. The dependency analysis found no concerning changes to pinned versions, code issues, or exposed secrets. No production code vulnerabilities, secrets, or workflow issues were identified. The security issues serve a legitimate testing purpose and do not pose a threat to the actual codebase or deployment security.


@esticansat esticansat marked this pull request as draft August 8, 2025 15:27
kusari-inspector bot commented

Kusari PR Analysis rerun based on - 9f696f0 performed at: 2025-08-11T15:50:28Z - link to updated analysis

@esticansat esticansat marked this pull request as ready for review August 11, 2025 15:53
@esticansat (Contributor, Author) commented

cc @06kellyjac @sublimino this is ready for review

@esticansat esticansat force-pushed the fix-685-update-apparmor-detection-rules branch from 9f696f0 to f533c72 Compare September 5, 2025 09:22
kusari-inspector bot commented

Kusari PR Analysis rerun based on - f533c72 performed at: 2025-09-05T09:23:07Z - link to updated analysis

@06kellyjac 06kellyjac merged commit e8d5e06 into controlplaneio:master Nov 12, 2025
13 checks passed

Successfully merging this pull request may close these issues.

appArmor in securityContext