GKE Autopilot clusters with non-default GSA aren't detected

[gbidkar]

IDs

avd-gcp-0050

Description

Autopilot clusters of GCP GKE are defined with non-default Google Service Accounts, which aren't considered as OK for the avd-gcp-0050 check. I'm assuming this is because it only looks for the node_config block configuration and doesn't consider Autopilot clusters.

Reproduction Steps

resource "google_container_cluster" "primary" {
# ...Configurations...

  cluster_autoscaling {
    auto_provisioning_defaults {
      service_account = google_service_account.custom_gke.email
    }
  }
}

### Target

Filesystem

### Scanner

Misconfiguration

### Target OS

_No response_

### Debug Output

```bash
n/a

Version

Version: 0.63.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-06-15 06:16:46.886791552 +0000 UTC
  NextUpdate: 2025-06-16 06:16:46.886791392 +0000 UTC
  DownloadedAt: 2025-06-15 11:32:33.272781 +0000 UTC
Check Bundle:
  Digest: sha256:a471e90b7c7335e914ec9075b74cf8f65e4c91e6cecfa7e39c587382808d2684
  DownloadedAt: 2025-06-15 11:35:45.418648 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[nikpivkin]

Hi @gbidkar !

Thanks for the report, we will improve the check!

[nikpivkin]

Track #9038