Full Code of bridgecrewio/checkov for AI

main 53b25944bdc5 cached
9724 files
35.5 MB
10.0M tokens
16106 symbols
Repository: bridgecrewio/checkov
Branch: main
Commit: 53b25944bdc5
Files: 9724
Total size: 35.5 MB

Directory structure:
gitextract_81zemmz3/
├── .cfnlintrc
├── .coveragerc
├── .dockerignore
├── .flake8
├── .github/
│   ├── ISSUE_TEMPLATE/
│   │   ├── best_practices_issue.md
│   │   ├── checks_issue.md
│   │   ├── crash_report.md
│   │   ├── feature_request.md
│   │   ├── graph_issue.md
│   │   ├── integrations_issue.md
│   │   ├── languages_issue.md
│   │   ├── noise_issue.md
│   │   ├── outputs_issue.md
│   │   └── skips_issue.md
│   ├── PULL_REQUEST_TEMPLATE.md
│   ├── actionlint.yaml
│   ├── checkov.yaml
│   ├── codeql-config.yml
│   ├── dependabot.yml
│   ├── exclude-patterns.txt
│   ├── pr-title-checker-config.json
│   ├── release-changelog-config.json
│   ├── stale.yml
│   └── workflows/
│       ├── build.yml
│       ├── codeql-analysis.yml
│       ├── coverage.yaml
│       ├── jekyll-gh-pages.yml
│       ├── nightly.yml
│       ├── pipenv-update.yml
│       ├── pr-test.yml
│       ├── pr-title.yml
│       ├── security-shared.yml
│       └── security.yml
├── .gitignore
├── .gitmodules
├── .gitpod.Dockerfile
├── .gitpod.yml
├── .pre-commit-config.yaml
├── .pre-commit-hooks.yaml
├── .swm/
│   ├── creating-a-solver.gm0ti.sw.md
│   └── swimm.json
├── CHANGELOG.md
├── CNAME
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── Dockerfile
├── INTHEWILD.md
├── LICENSE
├── Pipfile
├── README.md
├── SECURITY.md
├── bin/
│   ├── checkov
│   └── checkov.cmd
├── cdk_integration_tests/
│   ├── __init__.py
│   ├── prepare_data.sh
│   ├── run_integration_tests.sh
│   ├── src/
│   │   ├── python/
│   │   │   ├── ALBDropHttpHeaders/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── ALBListenerHTTPS/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── APIGatewayAccessLogging/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── APIGatewayAuthorization/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── APIGatewayCacheEnable/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── APIGatewayV2AccessLogging/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── APIGatewayXray/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── AmazonMQBrokerPublicAccess/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── AppSyncFieldLevelLogs/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── AppSyncLogging/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── AthenaWorkgroupConfiguration/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── AuroraEncryption/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── BackupVaultEncrypted/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── CloudFrontTLS12/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── CloudTrailLogValidation/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── CloudWatchLogGroupKMSKey/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── CloudWatchLogGroupRetention/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── CloudfrontDistributionEncryption/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── CloudfrontDistributionLogging/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── CloudtrailEncryption/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── CloudtrailMultiRegion/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── CodeBuildProjectEncryption/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── DAXEncryption/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── DMSReplicationInstancePubliclyAccessible/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── DocDBAuditLogs/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── DocDBEncryption/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── DocDBTLS/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── DynamodbGlobalTableRecovery/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── DynamodbRecovery/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── EBSEncryption/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── EC2PublicIP/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── ECRImageScanning/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── ECRImmutableTags/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── ECRRepositoryEncrypted/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── ECSClusterContainerInsights/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── ECSTaskDefinitionEFSVolumeEncryption/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── EFSEncryptionEnabled/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── EKSSecretsEncryption/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── ELBAccessLogs/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── ELBv2AccessLogs/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── ElasticacheReplicationGroupEncryptionAtRest/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── ElasticacheReplicationGroupEncryptionAtTransit/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── ElasticacheReplicationGroupEncryptionAtTransitAuthToken/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── ElasticsearchDomainEnforceHTTPS/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── ElasticsearchDomainLogging/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── ElasticsearchEncryption/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── ElasticsearchNodeToNodeEncryption/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── GlueDataCatalogEncryption/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── GlueSecurityConfiguration/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── GlueSecurityConfigurationEnabled/
│   │   │   │   ├── fail__3__.py
│   │   │   │   └── pass.py
│   │   │   ├── IAMPolicyAttachedToGroupOrRoles/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── KinesisStreamEncryptionType/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── LambdaDLQConfigured/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── LambdaEnvironmentCredentials/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── LambdaEnvironmentEncryptionSettings/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── LambdaFunctionLevelConcurrentExecutionLimit/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── LambdaInVPC/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── LaunchConfigurationEBSEncryption/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── NeptuneClusterStorageEncrypted/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── RDSEnhancedMonitorEnabled/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── RDSMultiAZEnabled/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── RDSPubliclyAccessible/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── RedShiftSSL/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── RedshiftClusterEncryption/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── RedshiftClusterLogging/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── RedshiftClusterPubliclyAccessible/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── RedshiftInEc2ClassicMode/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── S3BlockPublicACLs/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── S3BlockPublicPolicy/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── S3BucketEncryption/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── S3BucketKMSEncryption/
│   │   │   │   ├── fail__3__.py
│   │   │   │   └── pass.py
│   │   │   ├── S3BucketLogging/
│   │   │   │   ├── fail.py
│   │   │   │   └── pass.py
│   │   │   ├── S3BucketPublicAccessBlock/
│   │   │   │   ├── fail.py
│   │   │   │   └── pass.py
│   │   │   ├── S3BucketVersioning/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── S3IgnorePublicACLs/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── S3PublicACLRead/
│   │   │   │   ├── fail__3__.py
│   │   │   │   └── pass.py
│   │   │   ├── S3PublicACLWrite/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── S3RestrictPublicBuckets/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── SNSTopicEncryption/
│   │   │   │   ├── fail.py
│   │   │   │   └── pass.py
│   │   │   ├── SQSQueueEncryption/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── SecretManagerSecretEncrypted/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── SecurityGroupRuleDescription/
│   │   │   │   ├── fail__4__.py
│   │   │   │   └── pass.py
│   │   │   ├── TransferServerIsPublic/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── VPCEndpointAcceptanceConfigured/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── WAFEnabled/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── WorkspaceRootVolumeEncrypted/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── WorkspaceUserVolumeEncrypted/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   └── s3.py
│   │   └── typescript/
│   │       ├── ALBDropHttpHeaders/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── ALBListenerHTTPS/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── APIGatewayAccessLogging/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── APIGatewayAuthorization/
│   │       │   ├── fail.ts
│   │       │   ├── fail__2__.ts
│   │       │   ├── pass.ts
│   │       │   └── pass__2__.ts
│   │       ├── APIGatewayCacheEnable/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── APIGatewayV2AccessLogging/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── APIGatewayXray/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── AmazonMQBrokerPublicAccess/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── AppSyncFieldLevelLogs/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── AppSyncLogging/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── AthenaWorkgroupConfiguration/
│   │       │   ├── fail.ts
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── AuroraEncryption/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── BackupVaultEncrypted/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── CloudFrontTLS12/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── CloudTrailLogValidation/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── CloudWatchLogGroupKMSKey/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── CloudWatchLogGroupRetention/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── CloudfrontDistributionEncryption/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── CloudfrontDistributionLogging/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── CloudtrailEncryption/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── CloudtrailMultiRegion/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── CodeBuildProjectEncryption/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── DAXEncryption/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── DMSReplicationInstancePubliclyAccessible/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── DocDBAuditLogs/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── DocDBEncryption/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── DocDBTLS/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── DynamodbGlobalTableRecovery/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── DynamodcRecovery/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── EBSEncryption/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── EC2PublicIP/
│   │       │   ├── fail.ts
│   │       │   ├── fail_2.ts
│   │       │   └── pass.ts
│   │       ├── ECRImageScanning/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── ECRImmutableTags/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── ECRRepositoryEncrypted/
│   │       │   ├── fail.ts
│   │       │   ├── pass.ts
│   │       │   └── pass_2.ts
│   │       ├── ECSClusterContainerInsights/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── ECSTaskDefinitionEFSVolumeEncryption/
│   │       │   ├── fail.ts
│   │       │   ├── fail_2.ts
│   │       │   └── pass.ts
│   │       ├── EFSEncryptionEnabled/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── EKSSecretsEncryption/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── ELBAccessLogs/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── ELBv2AccessLogs/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── ElasticacheReplicationGroupEncryptionAtRest/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── ElasticacheReplicationGroupEncryptionAtTransit/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── ElasticacheReplicationGroupEncryptionAtTransitAuthToken/
│   │       │   ├── fail.ts
│   │       │   ├── pass.ts
│   │       │   └── pass_2.ts
│   │       ├── ElasticsearchDomainEnforceHTTPS/
│   │       │   ├── fail.ts
│   │       │   ├── fail_2.ts
│   │       │   ├── pass.ts
│   │       │   └── pass_2.ts
│   │       ├── ElasticsearchDomainLogging/
│   │       │   ├── fail.ts
│   │       │   ├── fail_2.ts
│   │       │   ├── pass.ts
│   │       │   └── pass_2.ts
│   │       ├── ElasticsearchEncryption/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── ElasticsearchNodeToNodeEncryption/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── GlueDataCatalogEncryption/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── GlueSecurityConfiguration/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── GlueSecurityConfigurationEnabled/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── IAMPolicyAttachedToGroupOrRoles/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── KinesisStreamEncryptionType/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── LambdaDLQConfigured/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── LambdaEnvironmentCredentials/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── LambdaEnvironmentEncryptionSettings/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── LambdaFunctionLevelConcurrentExecutionLimit/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── LambdaInVPC/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── LaunchConfigurationEBSEncryption/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── NeptuneClusterStorageEncrypted/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── RDSEnhancedMonitorEnabled/
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── RDSMultiAZEnabled/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── RDSPubliclyAccessible/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── RedShiftSSL/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── RedshiftClusterEncryption/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── RedshiftClusterLogging/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── RedshiftClusterPubliclyAccessible/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── RedshiftInEc2ClassicMode/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── S3BlockPublicACLs/
│   │       │   ├── fail.ts
│   │       │   ├── fail__3__.ts
│   │       │   ├── pass.ts
│   │       │   ├── pass2.ts
│   │       │   └── pass3.ts
│   │       ├── S3BlockPublicPolicy/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── S3BucketEncryption/
│   │       │   ├── fail2__2__.ts
│   │       │   ├── fail__2__.ts
│   │       │   ├── pass.ts
│   │       │   └── pass2.ts
│   │       ├── S3BucketKMSEncryption/
│   │       │   ├── fail2__3__.ts
│   │       │   ├── fail__3__.ts
│   │       │   ├── pass.ts
│   │       │   └── pass2.ts
│   │       ├── S3BucketLogging/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   ├── pass.ts
│   │       │   └── pass2.ts
│   │       ├── S3BucketPublicAccessBlock/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   ├── pass.ts
│   │       │   └── pass2.ts
│   │       ├── S3BucketVersioning/
│   │       │   ├── fail2__2__.ts
│   │       │   ├── fail__2__.ts
│   │       │   ├── pass.ts
│   │       │   └── pass2.ts
│   │       ├── S3PublicACLRead/
│   │       │   ├── fail__3__.ts
│   │       │   └── pass.ts
│   │       ├── S3RestrictPublicBuckets/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── SNSTopicEncryption/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── SQSQueueEncryption/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── SecretManagerSecretEncrypted/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── SecurityGroupRuleDescription/
│   │       │   ├── fail__4__.ts
│   │       │   └── pass.ts
│   │       ├── TransferServerIsPublic/
│   │       │   ├── fail__1__.ts
│   │       │   └── pass.ts
│   │       ├── VPCEndpointAcceptanceConfigured/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── WAFEnabled/
│   │       │   ├── fail__1__.ts
│   │       │   └── pass.ts
│   │       ├── WorkspaceRootVolumeEncrypted/
│   │       │   ├── fail__1__.ts
│   │       │   └── pass.ts
│   │       ├── WorkspaceUserVolumeEncrypted/
│   │       │   ├── fail__1__.ts
│   │       │   └── pass.ts
│   │       └── s3.ts
│   ├── test_checks_python.py
│   ├── test_checks_typescript.py
│   └── utils.py
├── checkov/
│   ├── __init__.py
│   ├── ansible/
│   │   ├── __init__.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── base_ansible_task_check.py
│   │   │   ├── base_ansible_task_value_check.py
│   │   │   ├── graph_checks/
│   │   │   │   ├── BlockErrorHandling.yaml
│   │   │   │   ├── DnfDisableGpgCheck.yaml
│   │   │   │   ├── DnfSslVerify.yaml
│   │   │   │   ├── DnfValidateCerts.yaml
│   │   │   │   ├── GetUrlHttpsOnly.yaml
│   │   │   │   ├── PanosIPsecAuthenticationAlgorithms.yaml
│   │   │   │   ├── PanosIPsecProtocols.yaml
│   │   │   │   ├── PanosInterfaceMgmtProfileNoHTTP.yaml
│   │   │   │   ├── PanosInterfaceMgmtProfileNoTelnet.yaml
│   │   │   │   ├── PanosPolicyDescription.yaml
│   │   │   │   ├── PanosPolicyLogForwarding.yaml
│   │   │   │   ├── PanosPolicyLogSessionStart.yaml
│   │   │   │   ├── PanosPolicyLoggingEnabled.yaml
│   │   │   │   ├── PanosPolicyNoApplicationAny.yaml
│   │   │   │   ├── PanosPolicyNoDSRI.yaml
│   │   │   │   ├── PanosPolicyNoServiceAny.yaml
│   │   │   │   ├── PanosPolicyNoSrcAnyDstAny.yaml
│   │   │   │   ├── PanosPolicyNoSrcZoneAnyNoDstZoneAny.yaml
│   │   │   │   ├── PanosZoneProtectionProfile.yaml
│   │   │   │   ├── PanosZoneUserIDIncludeACL.yaml
│   │   │   │   ├── UriHttpsOnly.yaml
│   │   │   │   └── __init__.py
│   │   │   ├── registry.py
│   │   │   └── task/
│   │   │       ├── __init__.py
│   │   │       ├── aws/
│   │   │       │   ├── EC2EBSOptimized.py
│   │   │       │   ├── EC2PublicIP.py
│   │   │       │   └── __init__.py
│   │   │       └── builtin/
│   │   │           ├── AptAllowUnauthenticated.py
│   │   │           ├── AptForce.py
│   │   │           ├── GetUrlValidateCerts.py
│   │   │           ├── UriValidateCerts.py
│   │   │           ├── YumSslVerify.py
│   │   │           ├── YumValidateCerts.py
│   │   │           └── __init__.py
│   │   ├── graph_builder/
│   │   │   ├── __init__.py
│   │   │   ├── graph_components/
│   │   │   │   ├── __init__.py
│   │   │   │   └── resource_types.py
│   │   │   └── local_graph.py
│   │   ├── runner.py
│   │   └── utils.py
│   ├── argo_workflows/
│   │   ├── __init__.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── base_argo_workflows_check.py
│   │   │   ├── registry.py
│   │   │   └── template/
│   │   │       ├── DefaultServiceAccount.py
│   │   │       ├── RunAsNonRoot.py
│   │   │       └── __init__.py
│   │   ├── common/
│   │   │   └── __init__.py
│   │   └── runner.py
│   ├── arm/
│   │   ├── __init__.py
│   │   ├── base_parameter_check.py
│   │   ├── base_registry.py
│   │   ├── base_resource_check.py
│   │   ├── base_resource_negative_value_check.py
│   │   ├── base_resource_value_check.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── graph_checks/
│   │   │   │   ├── AzureMLWorkspacePublicNetwork.yaml
│   │   │   │   ├── AzureSpringCloudConfigWithVnet.yaml
│   │   │   │   ├── SynapseLogMonitoringEnabledForSQLPool.yaml
│   │   │   │   ├── SynapseSQLPoolHasSecurityAlertPolicy.yaml
│   │   │   │   ├── SynapseSQLPoolHasVulnerabilityAssessment.yaml
│   │   │   │   ├── SynapseWorkspaceHasExtendedAuditLogs.yaml
│   │   │   │   └── __init__.py
│   │   │   ├── parameter/
│   │   │   │   ├── SecureStringParameterNoHardcodedValue.py
│   │   │   │   └── __init__.py
│   │   │   └── resource/
│   │   │       ├── ACRAdminAccountDisabled.py
│   │   │       ├── ACRAnonymousPullDisabled.py
│   │   │       ├── ACRContainerScanEnabled.py
│   │   │       ├── ACREnableImageQuarantine.py
│   │   │       ├── ACREnableZoneRedundancy.py
│   │   │       ├── ACRPublicNetworkAccessDisabled.py
│   │   │       ├── AKSApiServerAuthorizedIpRanges.py
│   │   │       ├── AKSDashboardDisabled.py
│   │   │       ├── AKSEncryptionAtHostEnabled.py
│   │   │       ├── AKSEphemeralOSDisks.py
│   │   │       ├── AKSLocalAdminDisabled.py
│   │   │       ├── AKSLoggingEnabled.py
│   │   │       ├── AKSMaxPodsMinimum.py
│   │   │       ├── AKSNetworkPolicy.py
│   │   │       ├── AKSPoolTypeIsScaleSet.py
│   │   │       ├── AKSRbacEnabled.py
│   │   │       ├── AKSUpgradeChannel.py
│   │   │       ├── APIManagementMinTLS12.py
│   │   │       ├── APIManagementPublicAccess.py
│   │   │       ├── APIServicesUseVirtualNetwork.py
│   │   │       ├── AkSSecretStoreRotation.py
│   │   │       ├── AppGWDefinesSecureProtocols.py
│   │   │       ├── AppGatewayWAFACLCVE202144228.py
│   │   │       ├── AppServiceAuthentication.py
│   │   │       ├── AppServiceClientCertificate.py
│   │   │       ├── AppServiceDetailedErrorMessagesEnabled.py
│   │   │       ├── AppServiceDisallowCORS.py
│   │   │       ├── AppServiceDotnetFrameworkVersion.py
│   │   │       ├── AppServiceEnableFailedRequest.py
│   │   │       ├── AppServiceFTPSState.py
│   │   │       ├── AppServiceHTTPSOnly.py
│   │   │       ├── AppServiceHttpLoggingEnabled.py
│   │   │       ├── AppServiceHttps20Enabled.py
│   │   │       ├── AppServiceIdentity.py
│   │   │       ├── AppServiceIdentityProviderEnabled.py
│   │   │       ├── AppServiceInstanceMinimum.py
│   │   │       ├── AppServiceJavaVersion.py
│   │   │       ├── AppServiceMinTLSVersion.py
│   │   │       ├── AppServicePHPVersion.py
│   │   │       ├── AppServicePlanZoneRedundant.py
│   │   │       ├── AppServicePublicAccessDisabled.py
│   │   │       ├── AppServicePythonVersion.py
│   │   │       ├── AppServiceRemoteDebuggingNotEnabled.py
│   │   │       ├── AppServiceSetHealthCheck.py
│   │   │       ├── AppServiceSlotDebugDisabled.py
│   │   │       ├── AppServiceSlotHTTPSOnly.py
│   │   │       ├── AppServiceUsedAzureFiles.py
│   │   │       ├── AutomationEncrypted.py
│   │   │       ├── AzureBatchAccountEndpointAccessDefaultAction.py
│   │   │       ├── AzureBatchAccountUsesKeyVaultEncryption.py
│   │   │       ├── AzureDataExplorerDoubleEncryptionEnabled.py
│   │   │       ├── AzureDefenderOnKeyVaults.py
│   │   │       ├── AzureDefenderOnKubernetes.py
│   │   │       ├── AzureDefenderOnSqlServersVMS.py
│   │   │       ├── AzureDefenderOnStorage.py
│   │   │       ├── AzureFirewallDenyThreatIntelMode.py
│   │   │       ├── AzureFrontDoorEnablesWAF.py
│   │   │       ├── AzureInstanceExtensions.py
│   │   │       ├── AzureInstancePassword.py
│   │   │       ├── AzureMLWorkspacePrivateEndpoint.py
│   │   │       ├── AzureManagedDiscEncryption.py
│   │   │       ├── AzureManagedDiskEncryptionSet.py
│   │   │       ├── AzureScaleSetPassword.py
│   │   │       ├── AzureSearchSLAIndex.py
│   │   │       ├── AzureSearchSLAQueryUpdates.py
│   │   │       ├── AzureServiceFabricClusterProtectionLevel.py
│   │   │       ├── AzureSparkPoolIsolatedComputeEnabled.py
│   │   │       ├── AzureSynapseWorkspaceVAisEnabled.py
│   │   │       ├── AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.py
│   │   │       ├── CognitiveServicesConfigureIdentity.py
│   │   │       ├── CognitiveServicesDisablesPublicNetwork.py
│   │   │       ├── CognitiveServicesEnableLocalAuth.py
│   │   │       ├── CosmosDBAccountsRestrictedAccess.py
│   │   │       ├── CosmosDBDisableAccessKeyWrite.py
│   │   │       ├── CosmosDBDisablesPublicNetwork.py
│   │   │       ├── CosmosDBHaveCMK.py
│   │   │       ├── CosmosDBLocalAuthDisabled.py
│   │   │       ├── CustomRoleDefinitionSubscriptionOwner.py
│   │   │       ├── DataExplorerUsesDiskEncryption.py
│   │   │       ├── DataFactoryNoPublicNetworkAccess.py
│   │   │       ├── DataFactoryUsesGitRepository.py
│   │   │       ├── DataLakeStoreEncryption.py
│   │   │       ├── DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py
│   │   │       ├── DatabricksWorkspaceIsNotPublic.py
│   │   │       ├── EventHubNamespaceMinTLS12.py
│   │   │       ├── EventgridTopicIdentityProviderEnabled.py
│   │   │       ├── EventgridTopicLocalAuthentication.py
│   │   │       ├── EventgridTopicNetworkAccess.py
│   │   │       ├── FrontDoorWAFACLCVE202144228.py
│   │   │       ├── FrontdoorUseWAFMode.py
│   │   │       ├── FunctionAppDisallowCORS.py
│   │   │       ├── FunctionAppHttpVersionLatest.py
│   │   │       ├── FunctionAppMinTLSVersion.py
│   │   │       ├── FunctionAppsAccessibleOverHttps.py
│   │   │       ├── FunctionAppsEnableAuthentication.py
│   │   │       ├── KeyBackedByHSM.py
│   │   │       ├── KeyExpirationDate.py
│   │   │       ├── KeyVaultDisablesPublicNetworkAccess.py
│   │   │       ├── KeyVaultEnablesFirewallRulesSettings.py
│   │   │       ├── KeyVaultEnablesPurgeProtection.py
│   │   │       ├── KeyVaultEnablesSoftDelete.py
│   │   │       ├── KeyvaultRecoveryEnabled.py
│   │   │       ├── LinuxVMUsesSSH.py
│   │   │       ├── MSSQLServerMinTLSVersion.py
│   │   │       ├── MariaDBGeoBackupEnabled.py
│   │   │       ├── MariaDBPublicAccessDisabled.py
│   │   │       ├── MariaDBSSLEnforcementEnabled.py
│   │   │       ├── MonitorLogProfileCategories.py
│   │   │       ├── MonitorLogProfileRetentionDays.py
│   │   │       ├── MySQLEncryptionEnabled.py
│   │   │       ├── MySQLGeoBackupEnabled.py
│   │   │       ├── MySQLPublicAccessDisabled.py
│   │   │       ├── MySQLServerMinTLSVersion.py
│   │   │       ├── MySQLServerSSLEnforcementEnabled.py
│   │   │       ├── NSGRuleHTTPAccessRestricted.py
│   │   │       ├── NSGRulePortAccessRestricted.py
│   │   │       ├── NSGRuleRDPAccessRestricted.py
│   │   │       ├── NSGRuleSSHAccessRestricted.py
│   │   │       ├── NetworkWatcherFlowLogPeriod.py
│   │   │       ├── PostgreSQLEncryptionEnabled.py
│   │   │       ├── PostgreSQLServerConnectionThrottlingEnabled.py
│   │   │       ├── PostgreSQLServerLogCheckpointsEnabled.py
│   │   │       ├── PostgreSQLServerLogConnectionsEnabled.py
│   │   │       ├── PostgreSQLServerPublicAccessDisabled.py
│   │   │       ├── PostgreSQLServerSSLEnforcementEnabled.py
│   │   │       ├── PostgressSQLGeoBackupEnabled.py
│   │   │       ├── PubsubSKUSLA.py
│   │   │       ├── PubsubSpecifyIdentity.py
│   │   │       ├── RedisCachePublicNetworkAccessEnabled.py
│   │   │       ├── SQLDatabaseZoneRedundant.py
│   │   │       ├── SQLServerAuditingEnabled.py
│   │   │       ├── SQLServerAuditingRetention90Days.py
│   │   │       ├── SQLServerEmailAlertsEnabled.py
│   │   │       ├── SQLServerEmailAlertsToAdminsEnabled.py
│   │   │       ├── SQLServerHasPublicAccessDisabled.py
│   │   │       ├── SQLServerNoPublicAccess.py
│   │   │       ├── SQLServerThreatDetectionTypes.py
│   │   │       ├── SQLServerUsesADAuth.py
│   │   │       ├── SecretContentType.py
│   │   │       ├── SecretExpirationDate.py
│   │   │       ├── SecurityCenterContactEmailAlert.py
│   │   │       ├── SecurityCenterContactEmailAlertAdmins.py
│   │   │       ├── SecurityCenterContactPhone.py
│   │   │       ├── SecurityCenterStandardPricing.py
│   │   │       ├── StorageAccountAzureServicesAccessEnabled.py
│   │   │       ├── StorageAccountDefaultNetworkAccessDeny.py
│   │   │       ├── StorageAccountDisablePublicAccess.py
│   │   │       ├── StorageAccountLoggingQueueServiceEnabled.py
│   │   │       ├── StorageAccountMinimumTlsVersion.py
│   │   │       ├── StorageAccountName.py
│   │   │       ├── StorageAccountsTransportEncryption.py
│   │   │       ├── StorageAccountsUseReplication.py
│   │   │       ├── StorageBlobServiceContainerPrivateAccess.py
│   │   │       ├── StorageSyncPublicAccessDisabled.py
│   │   │       ├── SynapseWorkspaceAdministratorLoginPasswordHidden.py
│   │   │       ├── SynapseWorkspaceCMKEncryption.py
│   │   │       ├── SynapseWorkspaceEnablesDataExfilProtection.py
│   │   │       ├── SynapseWorkspaceEnablesManagedVirtualNetworks.py
│   │   │       ├── VMCredsInCustomData.py
│   │   │       ├── VMDisablePasswordAuthentication.py
│   │   │       ├── VMEncryptionAtHostEnabled.py
│   │   │       ├── VMScaleSetsAutoOSImagePatchingEnabled.py
│   │   │       ├── VMStorageOsDisk.py
│   │   │       ├── VnetLocalDNS.py
│   │   │       ├── VnetSingleDNSServer.py
│   │   │       ├── WinVMAutomaticUpdates.py
│   │   │       ├── WinVMEncryptionAtHost.py
│   │   │       └── __init__.py
│   │   ├── context_parser.py
│   │   ├── graph_builder/
│   │   │   ├── __init__.py
│   │   │   ├── definition_context.py
│   │   │   ├── graph_components/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── block_types.py
│   │   │   │   └── blocks.py
│   │   │   ├── graph_to_definitions.py
│   │   │   ├── local_graph.py
│   │   │   └── variable_rendering/
│   │   │       ├── __init__.py
│   │   │       └── renderer.py
│   │   ├── graph_manager.py
│   │   ├── parser/
│   │   │   ├── __init__.py
│   │   │   └── parser.py
│   │   ├── registry.py
│   │   ├── runner.py
│   │   └── utils.py
│   ├── azure_pipelines/
│   │   ├── __init__.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── base_azure_pipelines_check.py
│   │   │   ├── job/
│   │   │   │   ├── ContainerDigest.py
│   │   │   │   ├── ContainerLatestTag.py
│   │   │   │   ├── DetectImagesUsage.py
│   │   │   │   ├── SetSecretVariable.py
│   │   │   │   └── __init__.py
│   │   │   └── registry.py
│   │   ├── common/
│   │   │   ├── __init__.py
│   │   │   └── resource_id_utils.py
│   │   └── runner.py
│   ├── bicep/
│   │   ├── __init__.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── graph_checks/
│   │   │   │   ├── SQLServerAuditingEnabled.yaml
│   │   │   │   ├── SQLServerAuditingRetention90Days.yaml
│   │   │   │   ├── SQLServerThreatDetectionTypes.yaml
│   │   │   │   └── __init__.py
│   │   │   ├── param/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── azure/
│   │   │   │   │   ├── SecureStringParameterNoHardcodedValue.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── base_param_check.py
│   │   │   │   ├── base_registry.py
│   │   │   │   └── registry.py
│   │   │   └── resource/
│   │   │       ├── __init__.py
│   │   │       ├── azure/
│   │   │       │   ├── StorageAccountAzureServicesAccessEnabled.py
│   │   │       │   ├── StorageAccountDefaultNetworkAccessDeny.py
│   │   │       │   ├── StorageAccountsTransportEncryption.py
│   │   │       │   └── __init__.py
│   │   │       ├── base_registry.py
│   │   │       ├── base_resource_check.py
│   │   │       ├── base_resource_value_check.py
│   │   │       └── registry.py
│   │   ├── graph_builder/
│   │   │   ├── __init__.py
│   │   │   ├── context_definitions.py
│   │   │   ├── graph_components/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── block_types.py
│   │   │   │   └── blocks.py
│   │   │   ├── graph_to_tf_definitions.py
│   │   │   ├── local_graph.py
│   │   │   └── variable_rendering/
│   │   │       ├── __init__.py
│   │   │       └── renderer.py
│   │   ├── graph_manager.py
│   │   ├── image_referencer/
│   │   │   ├── __init__.py
│   │   │   ├── base_provider.py
│   │   │   ├── manager.py
│   │   │   └── provider/
│   │   │       ├── __init__.py
│   │   │       └── azure.py
│   │   ├── parser.py
│   │   ├── runner.py
│   │   └── utils.py
│   ├── bitbucket/
│   │   ├── __init__.py
│   │   ├── base_bitbucket_configuration_check.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   └── merge_requests_approvals.py
│   │   ├── dal.py
│   │   ├── registry.py
│   │   ├── runner.py
│   │   └── schemas/
│   │       ├── __init__.py
│   │       └── branch_restrictions.py
│   ├── bitbucket_pipelines/
│   │   ├── __init__.py
│   │   ├── base_bitbucket_pipelines_check.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   └── latest_image.py
│   │   ├── registry.py
│   │   └── runner.py
│   ├── cdk/
│   │   ├── __init__.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── python/
│   │   │   │   ├── ALBDropHttpHeaders.yaml
│   │   │   │   ├── ALBListenerHTTPS.yaml
│   │   │   │   ├── APIGatewayAccessLogging.yaml
│   │   │   │   ├── APIGatewayAuthorization.yaml
│   │   │   │   ├── APIGatewayCacheEnable.yaml
│   │   │   │   ├── APIGatewayV2AccessLogging.yaml
│   │   │   │   ├── APIGatewayXray.yaml
│   │   │   │   ├── AmazonMQBrokerPublicAccess.yaml
│   │   │   │   ├── AppSyncFieldLevelLogs.yaml
│   │   │   │   ├── AppSyncLogging.yaml
│   │   │   │   ├── AthenaWorkgroupConfiguration.yaml
│   │   │   │   ├── AuroraEncryption.yaml
│   │   │   │   ├── BackupVaultEncrypted.yaml
│   │   │   │   ├── CloudFrontTLS12.yaml
│   │   │   │   ├── CloudTrailLogValidation.yaml
│   │   │   │   ├── CloudWatchLogGroupKMSKey.yaml
│   │   │   │   ├── CloudWatchLogGroupRetention.yaml
│   │   │   │   ├── CloudfrontDistributionEncryption.yaml
│   │   │   │   ├── CloudfrontDistributionLogging.yaml
│   │   │   │   ├── CloudtrailEncryption.yaml
│   │   │   │   ├── CloudtrailMultiRegion.yaml
│   │   │   │   ├── CodeBuildProjectEncryption.yaml
│   │   │   │   ├── DAXEncryption.yaml
│   │   │   │   ├── DMSReplicationInstancePubliclyAccessible.yaml
│   │   │   │   ├── DocDBAuditLogs.yaml
│   │   │   │   ├── DocDBEncryption.yaml
│   │   │   │   ├── DocDBTLS.yaml
│   │   │   │   ├── DynamodbGlobalTableRecovery.yaml
│   │   │   │   ├── DynamodbRecovery.yaml
│   │   │   │   ├── EBSEncryption.yaml
│   │   │   │   ├── EC2PublicIP.yaml
│   │   │   │   ├── ECRImageScanning.yaml
│   │   │   │   ├── ECRImmutableTags.yaml
│   │   │   │   ├── ECRRepositoryEncrypted.yaml
│   │   │   │   ├── ECSClusterContainerInsights.yaml
│   │   │   │   ├── ECSTaskDefinitionEFSVolumeEncryption.yaml
│   │   │   │   ├── EFSEncryptionEnabled.yaml
│   │   │   │   ├── EKSSecretsEncryption.yaml
│   │   │   │   ├── ELBAccessLogs.yaml
│   │   │   │   ├── ELBv2AccessLogs.yaml
│   │   │   │   ├── ElasticacheReplicationGroupEncryptionAtRest.yaml
│   │   │   │   ├── ElasticacheReplicationGroupEncryptionAtTransit.yaml
│   │   │   │   ├── ElasticacheReplicationGroupEncryptionAtTransitAuthToken.yaml
│   │   │   │   ├── ElasticsearchDomainEnforceHTTPS.yaml
│   │   │   │   ├── ElasticsearchDomainLogging.yaml
│   │   │   │   ├── ElasticsearchEncryption.yaml
│   │   │   │   ├── ElasticsearchNodeToNodeEncryption.yaml
│   │   │   │   ├── GlueDataCatalogEncryption.yaml
│   │   │   │   ├── GlueSecurityConfiguration.yaml
│   │   │   │   ├── GlueSecurityConfigurationEnabled.yaml
│   │   │   │   ├── IAMPolicyAttachedToGroupOrRoles.yaml
│   │   │   │   ├── KinesisStreamEncryptionType.yaml
│   │   │   │   ├── LambdaDLQConfigured.yaml
│   │   │   │   ├── LambdaEnvironmentCredentials.yaml
│   │   │   │   ├── LambdaEnvironmentEncryptionSettings.yaml
│   │   │   │   ├── LambdaFunctionLevelConcurrentExecutionLimit.yaml
│   │   │   │   ├── LambdaInVPC.yaml
│   │   │   │   ├── LaunchConfigurationEBSEncryption.yaml
│   │   │   │   ├── NeptuneClusterStorageEncrypted.yaml
│   │   │   │   ├── RDSEnhancedMonitorEnabled.yaml
│   │   │   │   ├── RDSMultiAZEnabled.yaml
│   │   │   │   ├── RDSPubliclyAccessible.yaml
│   │   │   │   ├── RedShiftSSL.yaml
│   │   │   │   ├── RedshiftClusterEncryption.yaml
│   │   │   │   ├── RedshiftClusterLogging.yaml
│   │   │   │   ├── RedshiftClusterPubliclyAccessible.yaml
│   │   │   │   ├── RedshiftInEc2ClassicMode.yaml
│   │   │   │   ├── S3BlockPublicACLs.yaml
│   │   │   │   ├── S3BlockPublicPolicy.yaml
│   │   │   │   ├── S3BucketEncryption.yaml
│   │   │   │   ├── S3BucketKMSEncryption.yaml
│   │   │   │   ├── S3BucketLogging.yaml
│   │   │   │   ├── S3BucketPublicAccessBlock.yaml
│   │   │   │   ├── S3BucketVersioning.yaml
│   │   │   │   ├── S3IgnorePublicACLs.yaml
│   │   │   │   ├── S3PublicACLRead.yaml
│   │   │   │   ├── S3PublicACLWrite.yaml
│   │   │   │   ├── S3RestrictPublicBuckets.yaml
│   │   │   │   ├── SNSTopicEncryption.yaml
│   │   │   │   ├── SQSQueueEncryption.yaml
│   │   │   │   ├── SecretManagerSecretEncrypted.yaml
│   │   │   │   ├── SecurityGroupRuleDescription.yaml
│   │   │   │   ├── TransferServerIsPublic.yaml
│   │   │   │   ├── VPCEndpointAcceptanceConfigured.yaml
│   │   │   │   ├── WAFEnabled.yaml
│   │   │   │   ├── WorkspaceRootVolumeEncrypted.yaml
│   │   │   │   └── WorkspaceUserVolumeEncrypted.yaml
│   │   │   └── typescript/
│   │   │       ├── ALBDropHttpHeaders.yaml
│   │   │       ├── ALBListenerHTTPS.yaml
│   │   │       ├── APIGatewayAccessLogging.yaml
│   │   │       ├── APIGatewayAuthorization.yaml
│   │   │       ├── APIGatewayCacheEnable.yaml
│   │   │       ├── APIGatewayV2AccessLogging.yaml
│   │   │       ├── APIGatewayXray.yaml
│   │   │       ├── AmazonMQBrokerPublicAccess.yaml
│   │   │       ├── AppSyncFieldLevelLogs.yaml
│   │   │       ├── AppSyncLogging.yaml
│   │   │       ├── AthenaWorkgroupConfiguration.yaml
│   │   │       ├── AuroraEncryption.yaml
│   │   │       ├── BackupVaultEncrypted.yaml
│   │   │       ├── CloudFrontTLS12.yaml
│   │   │       ├── CloudTrailLogValidation.yaml
│   │   │       ├── CloudWatchLogGroupKMSKey.yaml
│   │   │       ├── CloudWatchLogGroupRetention.yaml
│   │   │       ├── CloudfrontDistributionEncryption.yaml
│   │   │       ├── CloudfrontDistributionLogging.yaml
│   │   │       ├── CloudtrailEncryption.yaml
│   │   │       ├── CloudtrailMultiRegion.yaml
│   │   │       ├── CodeBuildProjectEncryption.yaml
│   │   │       ├── DAXEncryption.yaml
│   │   │       ├── DMSReplicationInstancePubliclyAccessible.yaml
│   │   │       ├── DocDBAuditLogs.yaml
│   │   │       ├── DocDBEncryption.yaml
│   │   │       ├── DocDBTLS.yaml
│   │   │       ├── DynamodbGlobalTableRecovery.yaml
│   │   │       ├── DynamodbRecovery.yaml
│   │   │       ├── EBSEncryption.yaml
│   │   │       ├── EC2PublicIP.yaml
│   │   │       ├── ECRImageScanning.yaml
│   │   │       ├── ECRImmutableTags.yaml
│   │   │       ├── ECRRepositoryEncrypted.yaml
│   │   │       ├── ECSClusterContainerInsights.yaml
│   │   │       ├── ECSTaskDefinitionEFSVolumeEncryption.yaml
│   │   │       ├── EFSEncryptionEnabled.yaml
│   │   │       ├── EKSSecretsEncryption.yaml
│   │   │       ├── ELBAccessLogs.yaml
│   │   │       ├── ELBv2AccessLogs.yaml
│   │   │       ├── ElasticacheReplicationGroupEncryptionAtRest.yaml
│   │   │       ├── ElasticacheReplicationGroupEncryptionAtTransit.yaml
│   │   │       ├── ElasticacheReplicationGroupEncryptionAtTransitAuthToken.yaml
│   │   │       ├── ElasticsearchDomainEnforceHTTPS.yaml
│   │   │       ├── ElasticsearchDomainLogging.yaml
│   │   │       ├── ElasticsearchEncryption.yaml
│   │   │       ├── ElasticsearchNodeToNodeEncryption.yaml
│   │   │       ├── GlueDataCatalogEncryption.yaml
│   │   │       ├── GlueSecurityConfiguration.yaml
│   │   │       ├── GlueSecurityConfigurationEnabled.yaml
│   │   │       ├── IAMPolicyAttachedToGroupOrRoles.yaml
│   │   │       ├── KinesisStreamEncryptionType.yaml
│   │   │       ├── LambdaDLQConfigured.yaml
│   │   │       ├── LambdaEnvironmentCredentials.yaml
│   │   │       ├── LambdaEnvironmentEncryptionSettings.yaml
│   │   │       ├── LambdaFunctionLevelConcurrentExecutionLimit.yaml
│   │   │       ├── LambdaInVPC.yaml
│   │   │       ├── LaunchConfigurationEBSEncryption.yaml
│   │   │       ├── NeptuneClusterStorageEncrypted.yaml
│   │   │       ├── RDSEnhancedMonitorEnabled.yaml
│   │   │       ├── RDSMultiAZEnabled.yaml
│   │   │       ├── RDSPubliclyAccessible.yaml
│   │   │       ├── RedShiftSSL.yaml
│   │   │       ├── RedshiftClusterEncryption.yaml
│   │   │       ├── RedshiftClusterLogging.yaml
│   │   │       ├── RedshiftClusterPubliclyAccessible.yaml
│   │   │       ├── RedshiftInEc2ClassicMode.yaml
│   │   │       ├── S3BlockPublicACLs.yaml
│   │   │       ├── S3BlockPublicPolicy.yaml
│   │   │       ├── S3BucketEncryption.yaml
│   │   │       ├── S3BucketKMSEncryption.yaml
│   │   │       ├── S3BucketLogging.yaml
│   │   │       ├── S3BucketPublicAccessBlock.yaml
│   │   │       ├── S3BucketVersioning.yaml
│   │   │       ├── S3PublicACLRead.yaml
│   │   │       ├── S3RestrictPublicBuckets.yaml
│   │   │       ├── SNSTopicEncryption.yaml
│   │   │       ├── SQSQueueEncryption.yaml
│   │   │       ├── SecretManagerSecretEncrypted.yaml
│   │   │       ├── SecurityGroupRuleDescription.yaml
│   │   │       ├── TransferServerIsPublic.yaml
│   │   │       ├── VPCEndpointAcceptanceConfigured.yaml
│   │   │       ├── WAFEnabled.yaml
│   │   │       ├── WorkspaceRootVolumeEncrypted.yaml
│   │   │       └── WorkspaceUserVolumeEncrypted.yaml
│   │   ├── checks_infra/
│   │   │   ├── __init__.py
│   │   │   └── base_registry.py
│   │   ├── report.py
│   │   └── runner.py
│   ├── circleci_pipelines/
│   │   ├── __init__.py
│   │   ├── base_circleci_pipelines_check.py
│   │   ├── checks/
│   │   │   ├── DetectImagesUsage.py
│   │   │   ├── ReverseShellNetcat.py
│   │   │   ├── ShellInjection.py
│   │   │   ├── SuspectCurlInScript.py
│   │   │   ├── __init__.py
│   │   │   ├── image_version_not_hash.py
│   │   │   ├── latest_image.py
│   │   │   ├── prevent_development_orbs.py
│   │   │   └── prevent_volatile_orbs.py
│   │   ├── common/
│   │   │   ├── __init__.py
│   │   │   └── shell_injection_list.py
│   │   ├── registry.py
│   │   └── runner.py
│   ├── cloudformation/
│   │   ├── __init__.py
│   │   ├── cfn_utils.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── graph_checks/
│   │   │   │   ├── ACMWildcardDomainName.yaml
│   │   │   │   ├── AppSyncProtectedByWAF.yaml
│   │   │   │   ├── CloudfrontOriginNotHTTPSOnly.yaml
│   │   │   │   ├── LambdaOpenCorsPolicy.yaml
│   │   │   │   ├── RDSEncryptionInTransit.yaml
│   │   │   │   ├── SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml
│   │   │   │   └── __init__.py
│   │   │   ├── resource/
│   │   │   │   ├── BaseCloudsplainingIAMCheck.py
│   │   │   │   ├── __init__.py
│   │   │   │   ├── aws/
│   │   │   │   │   ├── ALBDropHttpHeaders.py
│   │   │   │   │   ├── ALBListenerHTTPS.py
│   │   │   │   │   ├── ALBListenerTLS12.py
│   │   │   │   │   ├── APIGatewayAccessLogging.py
│   │   │   │   │   ├── APIGatewayAuthorization.py
│   │   │   │   │   ├── APIGatewayCacheEnable.py
│   │   │   │   │   ├── APIGatewayV2AccessLogging.py
│   │   │   │   │   ├── APIGatewayXray.py
│   │   │   │   │   ├── AbsSecurityGroupUnrestrictedIngress.py
│   │   │   │   │   ├── AmazonMQBrokerPublicAccess.py
│   │   │   │   │   ├── AppSyncFieldLevelLogs.py
│   │   │   │   │   ├── AppSyncLogging.py
│   │   │   │   │   ├── AthenaWorkgroupConfiguration.py
│   │   │   │   │   ├── AuroraEncryption.py
│   │   │   │   │   ├── BackupVaultEncrypted.py
│   │   │   │   │   ├── BedrockAgentEncrypted.py
│   │   │   │   │   ├── CloudFrontTLS12.py
│   │   │   │   │   ├── CloudWatchLogGroupKMSKey.py
│   │   │   │   │   ├── CloudWatchLogGroupRetention.py
│   │   │   │   │   ├── CloudfrontDistributionEncryption.py
│   │   │   │   │   ├── CloudfrontDistributionLogging.py
│   │   │   │   │   ├── CloudtrailEncryption.py
│   │   │   │   │   ├── CloudtrailLogValidation.py
│   │   │   │   │   ├── CloudtrailMultiRegion.py
│   │   │   │   │   ├── CodeBuildProjectEncryption.py
│   │   │   │   │   ├── CognitoUnauthenticatedIdentities.py
│   │   │   │   │   ├── DAXEncryption.py
│   │   │   │   │   ├── DMSReplicationInstancePubliclyAccessible.py
│   │   │   │   │   ├── DeprecatedLambdaRuntime.py
│   │   │   │   │   ├── DocDBAuditLogs.py
│   │   │   │   │   ├── DocDBBackupRetention.py
│   │   │   │   │   ├── DocDBEncryption.py
│   │   │   │   │   ├── DocDBLogging.py
│   │   │   │   │   ├── DocDBTLS.py
│   │   │   │   │   ├── DynamoDBTablesEncrypted.py
│   │   │   │   │   ├── DynamodbGlobalTableRecovery.py
│   │   │   │   │   ├── DynamodbRecovery.py
│   │   │   │   │   ├── EBSDefaultEncryption.py
│   │   │   │   │   ├── EBSEncryption.py
│   │   │   │   │   ├── EC2Credentials.py
│   │   │   │   │   ├── EC2PublicIP.py
│   │   │   │   │   ├── ECRImageScanning.py
│   │   │   │   │   ├── ECRImmutableTags.py
│   │   │   │   │   ├── ECRPolicy.py
│   │   │   │   │   ├── ECRRepositoryEncrypted.py
│   │   │   │   │   ├── ECSClusterContainerInsights.py
│   │   │   │   │   ├── ECSTaskDefinitionEFSVolumeEncryption.py
│   │   │   │   │   ├── EFSEncryptionEnabled.py
│   │   │   │   │   ├── EKSControlPlaneLogging.py
│   │   │   │   │   ├── EKSNodeGroupRemoteAccess.py
│   │   │   │   │   ├── EKSPublicAccess.py
│   │   │   │   │   ├── EKSPublicAccessCIDR.py
│   │   │   │   │   ├── EKSSecretsEncryption.py
│   │   │   │   │   ├── ELBAccessLogs.py
│   │   │   │   │   ├── ELBv2AccessLogs.py
│   │   │   │   │   ├── ElasticacheReplicationGroupEncryptionAtRest.py
│   │   │   │   │   ├── ElasticacheReplicationGroupEncryptionAtTransit.py
│   │   │   │   │   ├── ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py
│   │   │   │   │   ├── ElasticsearchDomainAuditLogging.py
│   │   │   │   │   ├── ElasticsearchDomainEnforceHTTPS.py
│   │   │   │   │   ├── ElasticsearchDomainLogging.py
│   │   │   │   │   ├── ElasticsearchEncryption.py
│   │   │   │   │   ├── ElasticsearchNodeToNodeEncryption.py
│   │   │   │   │   ├── GlobalAcceleratorAcceleratorFlowLogs.py
│   │   │   │   │   ├── GlueDataCatalogEncryption.py
│   │   │   │   │   ├── GlueSecurityConfiguration.py
│   │   │   │   │   ├── GlueSecurityConfigurationEnabled.py
│   │   │   │   │   ├── IAMAdminPolicyDocument.py
│   │   │   │   │   ├── IAMCredentialsExposure.py
│   │   │   │   │   ├── IAMDataExfiltration.py
│   │   │   │   │   ├── IAMPermissionsManagement.py
│   │   │   │   │   ├── IAMPolicyAttachedToGroupOrRoles.py
│   │   │   │   │   ├── IAMPrivilegeEscalation.py
│   │   │   │   │   ├── IAMRoleAllowAssumeFromAccount.py
│   │   │   │   │   ├── IAMRoleAllowsPublicAssume.py
│   │   │   │   │   ├── IAMStarActionPolicyDocument.py
│   │   │   │   │   ├── IAMWriteAccess.py
│   │   │   │   │   ├── IMDSv1Disabled.py
│   │   │   │   │   ├── KMSKeyWildCardPrincipal.py
│   │   │   │   │   ├── KMSRotation.py
│   │   │   │   │   ├── KinesisStreamEncryptionType.py
│   │   │   │   │   ├── LambdaDLQConfigured.py
│   │   │   │   │   ├── LambdaEnvironmentCredentials.py
│   │   │   │   │   ├── LambdaEnvironmentEncryptionSettings.py
│   │   │   │   │   ├── LambdaFunctionLevelConcurrentExecutionLimit.py
│   │   │   │   │   ├── LambdaFunctionURLAuth.py
│   │   │   │   │   ├── LambdaInVPC.py
│   │   │   │   │   ├── LambdaServicePermission.py
│   │   │   │   │   ├── LaunchConfigurationEBSEncryption.py
│   │   │   │   │   ├── MQBrokerAuditLogging.py
│   │   │   │   │   ├── MSKClusterEncryption.py
│   │   │   │   │   ├── MSKClusterLogging.py
│   │   │   │   │   ├── MSKClusterNodesArePrivate.py
│   │   │   │   │   ├── NeptuneClusterBackupRetention.py
│   │   │   │   │   ├── NeptuneClusterInstancePublic.py
│   │   │   │   │   ├── NeptuneClusterLogging.py
│   │   │   │   │   ├── NeptuneClusterStorageEncrypted.py
│   │   │   │   │   ├── ParameterStoreCredentials.py
│   │   │   │   │   ├── PasswordPolicyExpiration.py
│   │   │   │   │   ├── PasswordPolicyLength.py
│   │   │   │   │   ├── PasswordPolicyLowercaseLetter.py
│   │   │   │   │   ├── PasswordPolicyNumber.py
│   │   │   │   │   ├── PasswordPolicyReuse.py
│   │   │   │   │   ├── PasswordPolicySymbol.py
│   │   │   │   │   ├── PasswordPolicyUppercaseLetter.py
│   │   │   │   │   ├── QLDBLedgerDeletionProtection.py
│   │   │   │   │   ├── QLDBLedgerPermissionsMode.py
│   │   │   │   │   ├── RDSClusterIAMAuthentication.py
│   │   │   │   │   ├── RDSEncryption.py
│   │   │   │   │   ├── RDSEnhancedMonitorEnabled.py
│   │   │   │   │   ├── RDSIAMAuthentication.py
│   │   │   │   │   ├── RDSMultiAZEnabled.py
│   │   │   │   │   ├── RDSPubliclyAccessible.py
│   │   │   │   │   ├── RedShiftSSL.py
│   │   │   │   │   ├── RedshiftClusterEncryption.py
│   │   │   │   │   ├── RedshiftClusterLogging.py
│   │   │   │   │   ├── RedshiftClusterPubliclyAccessible.py
│   │   │   │   │   ├── RedshiftInEc2ClassicMode.py
│   │   │   │   │   ├── S3AccessLogs.py
│   │   │   │   │   ├── S3BlockPublicACLs.py
│   │   │   │   │   ├── S3BlockPublicPolicy.py
│   │   │   │   │   ├── S3Encryption.py
│   │   │   │   │   ├── S3IgnorePublicACLs.py
│   │   │   │   │   ├── S3PublicACLRead.py
│   │   │   │   │   ├── S3PublicACLWrite.py
│   │   │   │   │   ├── S3RestrictPublicBuckets.py
│   │   │   │   │   ├── S3Versioning.py
│   │   │   │   │   ├── SNSTopicEncryption.py
│   │   │   │   │   ├── SQSQueueEncryption.py
│   │   │   │   │   ├── SagemakerDataQualityJobDefinitionEncryption.py
│   │   │   │   │   ├── SagemakerDataQualityJobDefinitionTrafficEncryption.py
│   │   │   │   │   ├── SagemakerDataQualityJobDefinitionVolumeEncryption.py
│   │   │   │   │   ├── SagemakerModelWithNetworkIsolation.py
│   │   │   │   │   ├── SagemakerNotebookEncryptedWithCMK.py
│   │   │   │   │   ├── SagemakerNotebookInstanceAllowsIMDSv2.py
│   │   │   │   │   ├── SecretManagerSecretEncrypted.py
│   │   │   │   │   ├── SecurityGroupRuleDescription.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedIngress22.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedIngress3389.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedIngress80.py
│   │   │   │   │   ├── TimestreamDatabaseKMSKey.py
│   │   │   │   │   ├── TransferServerIsPublic.py
│   │   │   │   │   ├── VPCEndpointAcceptanceConfigured.py
│   │   │   │   │   ├── WAFACLCVE202144228.py
│   │   │   │   │   ├── WAFEnabled.py
│   │   │   │   │   ├── WorkspaceRootVolumeEncrypted.py
│   │   │   │   │   ├── WorkspaceUserVolumeEncrypted.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── base_registry.py
│   │   │   │   ├── base_resource_check.py
│   │   │   │   ├── base_resource_negative_value_check.py
│   │   │   │   ├── base_resource_value_check.py
│   │   │   │   └── registry.py
│   │   │   └── utils/
│   │   │       ├── __init__.py
│   │   │       └── iam_cloudformation_document_to_policy_converter.py
│   │   ├── context_parser.py
│   │   ├── graph_builder/
│   │   │   ├── __init__.py
│   │   │   ├── graph_components/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── block_types.py
│   │   │   │   ├── blocks.py
│   │   │   │   └── generic_resource_encryption.py
│   │   │   ├── graph_to_definitions.py
│   │   │   ├── local_graph.py
│   │   │   ├── utils.py
│   │   │   └── variable_rendering/
│   │   │       ├── __init__.py
│   │   │       ├── renderer.py
│   │   │       └── vertex_reference.py
│   │   ├── graph_manager.py
│   │   ├── image_referencer/
│   │   │   ├── __init__.py
│   │   │   ├── base_provider.py
│   │   │   ├── manager.py
│   │   │   └── provider/
│   │   │       ├── __init__.py
│   │   │       └── aws.py
│   │   ├── parser/
│   │   │   ├── __init__.py
│   │   │   ├── cfn_keywords.py
│   │   │   └── cfn_yaml.py
│   │   └── runner.py
│   ├── common/
│   │   ├── __init__.py
│   │   ├── bridgecrew/
│   │   │   ├── __init__.py
│   │   │   ├── bc_source.py
│   │   │   ├── check_type.py
│   │   │   ├── code_categories.py
│   │   │   ├── integration_features/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── base_integration_feature.py
│   │   │   │   ├── features/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   ├── custom_policies_integration.py
│   │   │   │   │   ├── fixes_integration.py
│   │   │   │   │   ├── licensing_integration.py
│   │   │   │   │   ├── policies_3d_integration.py
│   │   │   │   │   ├── policy_metadata_integration.py
│   │   │   │   │   ├── repo_config_integration.py
│   │   │   │   │   ├── suppressions_integration.py
│   │   │   │   │   └── vulnerabilities_integration.py
│   │   │   │   └── integration_feature_registry.py
│   │   │   ├── licensing.py
│   │   │   ├── platform_errors.py
│   │   │   ├── platform_integration.py
│   │   │   ├── platform_key.py
│   │   │   ├── run_metadata/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── abstract_run_metadata_extractor.py
│   │   │   │   ├── ci_variables.py
│   │   │   │   ├── extractors/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   ├── bitbucket.py
│   │   │   │   │   ├── default_extractor.py
│   │   │   │   │   ├── github_actions.py
│   │   │   │   │   ├── gitlab_ci.py
│   │   │   │   │   └── jenkins.py
│   │   │   │   └── registry.py
│   │   │   ├── severities.py
│   │   │   ├── vulnerability_scanning/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── image_scanner.py
│   │   │   │   ├── integrations/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   ├── docker_image_scanning.py
│   │   │   │   │   ├── package_scanning.py
│   │   │   │   │   └── twistcli.py
│   │   │   │   └── report.py
│   │   │   └── wrapper.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── base_check.py
│   │   │   ├── base_check_registry.py
│   │   │   ├── enums.py
│   │   │   └── object_registry.py
│   │   ├── checks_infra/
│   │   │   ├── __init__.py
│   │   │   ├── checks_parser.py
│   │   │   ├── registry.py
│   │   │   ├── resources_types.py
│   │   │   └── solvers/
│   │   │       ├── __init__.py
│   │   │       ├── attribute_solvers/
│   │   │       │   ├── __init__.py
│   │   │       │   ├── any_attribute_solver.py
│   │   │       │   ├── base_attribute_solver.py
│   │   │       │   ├── base_number_of_words_attribute_solver.py
│   │   │       │   ├── cidr_range_not_subset_attribute_solver.py
│   │   │       │   ├── cidr_range_subset_attribute_solver.py
│   │   │       │   ├── contains_attribute_solver.py
│   │   │       │   ├── ending_with_attribute_solver.py
│   │   │       │   ├── equals_attribute_solver.py
│   │   │       │   ├── equals_ignore_case_attribute_solver.py
│   │   │       │   ├── exists_attribute_solver.py
│   │   │       │   ├── greater_than_attribute_solver.py
│   │   │       │   ├── greater_than_or_equal_attribute_solver.py
│   │   │       │   ├── intersects_attribute_solver.py
│   │   │       │   ├── is_empty_attribute_solver.py
│   │   │       │   ├── is_false_attribute_solver.py
│   │   │       │   ├── is_not_empty_attribute_solver.py
│   │   │       │   ├── is_true_attribute_solver.py
│   │   │       │   ├── length_equals_attribute_solver.py
│   │   │       │   ├── length_greater_than_attribute_solver.py
│   │   │       │   ├── length_greater_than_or_equal_attribute_solver.py
│   │   │       │   ├── length_less_than_attribute_solver.py
│   │   │       │   ├── length_less_than_or_equal_attribute_solver.py
│   │   │       │   ├── length_not_equals_attribute_solver.py
│   │   │       │   ├── less_than_attribute_solver.py
│   │   │       │   ├── less_than_or_equal_attribute_solver.py
│   │   │       │   ├── not_contains_attribute_solver.py
│   │   │       │   ├── not_ending_with_attribute_solver.py
│   │   │       │   ├── not_equals_attribute_solver.py
│   │   │       │   ├── not_equals_ignore_case_attribute_solver.py
│   │   │       │   ├── not_exists_attribute_solver.py
│   │   │       │   ├── not_intersects_attribute_solver.py
│   │   │       │   ├── not_regex_match_attribute_solver.py
│   │   │       │   ├── not_starting_with_attribute_solver.py
│   │   │       │   ├── not_subset_attribute_solver.py
│   │   │       │   ├── not_within_attribute_solver.py
│   │   │       │   ├── number_of_words_equals_attribute_solver.py
│   │   │       │   ├── number_of_words_greater_than_attribute_solver.py
│   │   │       │   ├── number_of_words_greater_than_or_equal_attribute_solver.py
│   │   │       │   ├── number_of_words_less_than_attribute_solver.py
│   │   │       │   ├── number_of_words_less_than_or_equal_attribute_solver.py
│   │   │       │   ├── number_of_words_not_equals_attribute_solver.py
│   │   │       │   ├── range_includes_attribute_solver.py
│   │   │       │   ├── range_not_includes_attribute_solver.py
│   │   │       │   ├── regex_match_attribute_solver.py
│   │   │       │   ├── starting_with_attribute_solver.py
│   │   │       │   ├── subset_attribute_solver.py
│   │   │       │   └── within_attribute_solver.py
│   │   │       ├── complex_solvers/
│   │   │       │   ├── __init__.py
│   │   │       │   ├── and_solver.py
│   │   │       │   ├── base_complex_solver.py
│   │   │       │   ├── not_solver.py
│   │   │       │   └── or_solver.py
│   │   │       ├── connections_solvers/
│   │   │       │   ├── __init__.py
│   │   │       │   ├── and_connection_solver.py
│   │   │       │   ├── base_connection_solver.py
│   │   │       │   ├── complex_connection_solver.py
│   │   │       │   ├── connection_exists_solver.py
│   │   │       │   ├── connection_not_exists_solver.py
│   │   │       │   ├── connection_one_exists_solver.py
│   │   │       │   └── or_connection_solver.py
│   │   │       ├── filter_solvers/
│   │   │       │   ├── __init__.py
│   │   │       │   ├── base_filter_solver.py
│   │   │       │   └── within_filter_solver.py
│   │   │       └── resource_solvers/
│   │   │           ├── __init__.py
│   │   │           ├── base_resource_solver.py
│   │   │           ├── exists_resource_solver.py
│   │   │           └── not_exists_resource_solver.py
│   │   ├── comment/
│   │   │   ├── __init__.py
│   │   │   └── enum.py
│   │   ├── goget/
│   │   │   ├── __init__.py
│   │   │   ├── base_getter.py
│   │   │   ├── github/
│   │   │   │   ├── __init__.py
│   │   │   │   └── get_git.py
│   │   │   └── registry/
│   │   │       ├── __init__.py
│   │   │       └── get_registry.py
│   │   ├── graph/
│   │   │   ├── __init__.py
│   │   │   ├── checks_infra/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── base_check.py
│   │   │   │   ├── base_parser.py
│   │   │   │   ├── debug.py
│   │   │   │   ├── enums.py
│   │   │   │   ├── registry.py
│   │   │   │   └── solvers/
│   │   │   │       ├── __init__.py
│   │   │   │       └── base_solver.py
│   │   │   ├── db_connectors/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── db_connector.py
│   │   │   │   ├── networkx/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   └── networkx_db_connector.py
│   │   │   │   └── rustworkx/
│   │   │   │       ├── __init__.py
│   │   │   │       └── rustworkx_db_connector.py
│   │   │   ├── graph_builder/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── consts.py
│   │   │   │   ├── graph_components/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   ├── attribute_names.py
│   │   │   │   │   ├── block_types.py
│   │   │   │   │   ├── blocks.py
│   │   │   │   │   ├── edge.py
│   │   │   │   │   └── generic_resource_encryption_base.py
│   │   │   │   ├── graph_resources_encription_manager.py
│   │   │   │   ├── local_graph.py
│   │   │   │   ├── utils.py
│   │   │   │   └── variable_rendering/
│   │   │   │       ├── __init__.py
│   │   │   │       ├── breadcrumb_metadata.py
│   │   │   │       ├── renderer.py
│   │   │   │       └── vertex_reference.py
│   │   │   └── graph_manager.py
│   │   ├── images/
│   │   │   ├── __init__.py
│   │   │   ├── graph/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── image_referencer_manager.py
│   │   │   │   └── image_referencer_provider.py
│   │   │   ├── image_referencer.py
│   │   │   └── workflow/
│   │   │       ├── __init__.py
│   │   │       ├── image_referencer_manager.py
│   │   │       └── image_referencer_provider.py
│   │   ├── logger_streams.py
│   │   ├── models/
│   │   │   ├── __init__.py
│   │   │   ├── consts.py
│   │   │   └── enums.py
│   │   ├── output/
│   │   │   ├── __init__.py
│   │   │   ├── baseline.py
│   │   │   ├── common.py
│   │   │   ├── csv.py
│   │   │   ├── cyclonedx.py
│   │   │   ├── cyclonedx_consts.py
│   │   │   ├── extra_resource.py
│   │   │   ├── github_actions_record.py
│   │   │   ├── gitlab_sast.py
│   │   │   ├── graph_record.py
│   │   │   ├── record.py
│   │   │   ├── report.py
│   │   │   ├── sarif.py
│   │   │   ├── secrets_record.py
│   │   │   └── spdx.py
│   │   ├── packaging/
│   │   │   ├── __init__.py
│   │   │   └── version.py
│   │   ├── parallelizer/
│   │   │   ├── __init__.py
│   │   │   └── parallel_runner.py
│   │   ├── parsers/
│   │   │   ├── __init__.py
│   │   │   ├── json/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── decoder.py
│   │   │   │   └── errors.py
│   │   │   ├── node.py
│   │   │   └── yaml/
│   │   │       ├── __init__.py
│   │   │       ├── loader.py
│   │   │       └── parser.py
│   │   ├── proxy/
│   │   │   ├── __init__.py
│   │   │   └── proxy_client.py
│   │   ├── resource_code_logger_filter.py
│   │   ├── runners/
│   │   │   ├── __init__.py
│   │   │   ├── base_post_runner.py
│   │   │   ├── base_runner.py
│   │   │   ├── graph_builder/
│   │   │   │   ├── __init__.py
│   │   │   │   └── local_graph.py
│   │   │   ├── graph_manager.py
│   │   │   ├── object_runner.py
│   │   │   └── runner_registry.py
│   │   ├── sast/
│   │   │   ├── __init__.py
│   │   │   ├── consts.py
│   │   │   └── report_types.py
│   │   ├── sca/
│   │   │   ├── __init__.py
│   │   │   ├── commons.py
│   │   │   ├── consts.py
│   │   │   ├── output.py
│   │   │   └── reachability/
│   │   │       ├── __init__.py
│   │   │       ├── package_alias_mapping/
│   │   │       │   ├── __init__.py
│   │   │       │   ├── abstract_alias_mapping_strategy.py
│   │   │       │   ├── alias_mapping_creator.py
│   │   │       │   └── nodejs/
│   │   │       │       ├── __init__.py
│   │   │       │       ├── nodejs_alias_mapping_strategy.py
│   │   │       │       └── utils.py
│   │   │       └── sast_contract/
│   │   │           ├── __init__.py
│   │   │           ├── data_fetcher_sast_lib.py
│   │   │           └── models.py
│   │   ├── secrets/
│   │   │   ├── __init__.py
│   │   │   └── consts.py
│   │   ├── typing.py
│   │   ├── util/
│   │   │   ├── __init__.py
│   │   │   ├── banner.py
│   │   │   ├── config_utils.py
│   │   │   ├── consts.py
│   │   │   ├── contextmanagers.py
│   │   │   ├── data_structures_utils.py
│   │   │   ├── decorators.py
│   │   │   ├── deep_merge.py
│   │   │   ├── dockerfile.py
│   │   │   ├── env_vars_config.py
│   │   │   ├── ext_argument_parser.py
│   │   │   ├── file_utils.py
│   │   │   ├── http_utils.py
│   │   │   ├── json_utils.py
│   │   │   ├── oidc_utils.py
│   │   │   ├── parser_utils.py
│   │   │   ├── prompt.py
│   │   │   ├── runner_dependency_handler.py
│   │   │   ├── secrets.py
│   │   │   ├── secrets_omitter.py
│   │   │   ├── stopit/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── signalstop.py
│   │   │   │   ├── threadstop.py
│   │   │   │   └── utils.py
│   │   │   ├── str_utils.py
│   │   │   ├── suppression.py
│   │   │   ├── templates/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── data.jinja2
│   │   │   │   ├── init.jinja2
│   │   │   │   ├── provider.jinja2
│   │   │   │   ├── resource.jinja2
│   │   │   │   ├── unittest-python.jinja2
│   │   │   │   └── unittest-terraform.jinja2
│   │   │   ├── tqdm_utils.py
│   │   │   ├── type_forcers.py
│   │   │   ├── update_checker/
│   │   │   │   ├── __init__.py
│   │   │   │   └── update_checker.py
│   │   │   └── var_utils.py
│   │   ├── variables/
│   │   │   ├── __init__.py
│   │   │   └── context.py
│   │   ├── vcs/
│   │   │   ├── __init__.py
│   │   │   ├── base_vcs_dal.py
│   │   │   └── vcs_schema.py
│   │   └── version_manager.py
│   ├── contributor_metrics.py
│   ├── dockerfile/
│   │   ├── __init__.py
│   │   ├── base_dockerfile_check.py
│   │   ├── base_registry.py
│   │   ├── checks/
│   │   │   ├── AddExists.py
│   │   │   ├── AliasIsUnique.py
│   │   │   ├── ExposePort22.py
│   │   │   ├── HealthcheckExists.py
│   │   │   ├── MaintainerExists.py
│   │   │   ├── ReferenceLatestTag.py
│   │   │   ├── RootUser.py
│   │   │   ├── RunUsingAPT.py
│   │   │   ├── UpdateNotAlone.py
│   │   │   ├── UserExists.py
│   │   │   ├── WorkdirIsAbsolute.py
│   │   │   ├── __init__.py
│   │   │   └── graph_checks/
│   │   │       ├── EnvGitSslNoVerify.yaml
│   │   │       ├── EnvNodeTlsRejectUnauthorized.yaml
│   │   │       ├── EnvNpmConfigStrictSsl.yaml
│   │   │       ├── EnvPipTrustedHost.yaml
│   │   │       ├── EnvPythonHttpsVerify.yaml
│   │   │       ├── RunApkAllowUntrusted.yaml
│   │   │       ├── RunAptGetAllowUnauthenticated.yaml
│   │   │       ├── RunAptGetForceYes.yaml
│   │   │       ├── RunChpasswd.yaml
│   │   │       ├── RunNpmConfigSetStrictSsl.yaml
│   │   │       ├── RunPipTrustedHost.yaml
│   │   │       ├── RunRpmNoSignature.yaml
│   │   │       ├── RunUnsafeCurl.yaml
│   │   │       ├── RunUnsafeWget.yaml
│   │   │       ├── RunUsingSudo.yaml
│   │   │       ├── RunYumConfigManagerSslVerify.yaml
│   │   │       ├── RunYumNoGpgCheck.yaml
│   │   │       └── __init__.py
│   │   ├── graph_builder/
│   │   │   ├── __init__.py
│   │   │   ├── graph_components/
│   │   │   │   ├── __init__.py
│   │   │   │   └── resource_types.py
│   │   │   └── local_graph.py
│   │   ├── graph_manager.py
│   │   ├── image_referencer/
│   │   │   ├── __init__.py
│   │   │   ├── manager.py
│   │   │   └── provider.py
│   │   ├── parser.py
│   │   ├── registry.py
│   │   ├── runner.py
│   │   └── utils.py
│   ├── docs_generator.py
│   ├── example_runner/
│   │   ├── __init__.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── base_example_runner_check.py
│   │   │   ├── base_example_runner_job_check.py
│   │   │   ├── job/
│   │   │   │   ├── ExampleCheckTrueFalse.py
│   │   │   │   └── __init__.py
│   │   │   └── job_registry.py
│   │   ├── common/
│   │   │   └── __init__.py
│   │   └── runner.py
│   ├── github/
│   │   ├── __init__.py
│   │   ├── base_github_branch_security.py
│   │   ├── base_github_configuration_check.py
│   │   ├── base_github_negative_branch_security.py
│   │   ├── base_github_org_check.py
│   │   ├── base_github_org_security.py
│   │   ├── checks/
│   │   │   ├── 2fa.py
│   │   │   ├── __init__.py
│   │   │   ├── disallow_branch_deletions.py
│   │   │   ├── disallow_force_pushes.py
│   │   │   ├── disallow_inactive_branch_60days.py
│   │   │   ├── dismiss_stale_reviews.py
│   │   │   ├── enforce_branch_protection_admins.py
│   │   │   ├── internal_repository_creation_is_limited.py
│   │   │   ├── ipallowlist.py
│   │   │   ├── minimum_admins_in_org.py
│   │   │   ├── private_repository_creation_is_limited.py
│   │   │   ├── public_repository_creation_is_limited.py
│   │   │   ├── repository_collaborators.py
│   │   │   ├── require_2approvals.py
│   │   │   ├── require_code_owner_reviews.py
│   │   │   ├── require_conversation_resolution.py
│   │   │   ├── require_linear_history.py
│   │   │   ├── require_push_restrictions.py
│   │   │   ├── require_signatures.py
│   │   │   ├── require_status_checks_pr.py
│   │   │   ├── require_strict_base_permissions_repository.py
│   │   │   ├── require_updated_branch_pr.py
│   │   │   ├── require_verified_organization.py
│   │   │   ├── restrict_pr_review_dismissal.py
│   │   │   ├── sso.py
│   │   │   ├── webhooks_https_orgs.py
│   │   │   └── webhooks_https_repos.py
│   │   ├── dal.py
│   │   ├── registry.py
│   │   ├── runner.py
│   │   └── schemas/
│   │       ├── __init__.py
│   │       ├── branch.py
│   │       ├── branch_protection.py
│   │       ├── no_branch_protection.py
│   │       ├── org_members.py
│   │       ├── org_security.py
│   │       ├── org_webhooks.py
│   │       ├── organization.py
│   │       ├── repository_collaborators.py
│   │       └── repository_webhooks.py
│   ├── github_actions/
│   │   ├── __init__.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── base_github_action_check.py
│   │   │   ├── graph_checks/
│   │   │   │   ├── ReadOnlyTopLevelPermissions.yaml
│   │   │   │   └── __init__.py
│   │   │   ├── job/
│   │   │   │   ├── AllowUnsecureCommandsOnJob.py
│   │   │   │   ├── CosignArtifacts.py
│   │   │   │   ├── CosignSBOM.py
│   │   │   │   ├── EmptyWorkflowDispatch.py
│   │   │   │   ├── ReverseShellNetcat.py
│   │   │   │   ├── ShellInjection.py
│   │   │   │   ├── SuspectCurlInScript.py
│   │   │   │   └── __init__.py
│   │   │   └── registry.py
│   │   ├── common/
│   │   │   ├── __init__.py
│   │   │   ├── artifact_build.py
│   │   │   ├── build_actions.py
│   │   │   └── shell_injection_list.py
│   │   ├── graph_builder/
│   │   │   ├── __init__.py
│   │   │   ├── graph_components/
│   │   │   │   ├── __init__.py
│   │   │   │   └── resource_types.py
│   │   │   └── local_graph.py
│   │   ├── runner.py
│   │   ├── schemas.py
│   │   └── utils.py
│   ├── gitlab/
│   │   ├── __init__.py
│   │   ├── base_gitlab_configuration_check.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   └── merge_requests_approvals.py
│   │   ├── dal.py
│   │   ├── registry.py
│   │   ├── runner.py
│   │   └── schemas/
│   │       ├── __init__.py
│   │       ├── groups.py
│   │       └── project_approvals.py
│   ├── gitlab_ci/
│   │   ├── __init__.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── base_gitlab_ci_check.py
│   │   │   ├── job/
│   │   │   │   ├── AvoidDoublePipelines.py
│   │   │   │   ├── DetectImagesUsage.py
│   │   │   │   ├── SuspectCurlInScript.py
│   │   │   │   └── __init__.py
│   │   │   └── registry.py
│   │   ├── common/
│   │   │   ├── __init__.py
│   │   │   ├── reserved.py
│   │   │   └── resource_id_utils.py
│   │   └── runner.py
│   ├── helm/
│   │   ├── __init__.py
│   │   ├── base_registry.py
│   │   ├── image_referencer/
│   │   │   ├── __init__.py
│   │   │   ├── base_provider.py
│   │   │   ├── manager.py
│   │   │   └── provider/
│   │   │       ├── __init__.py
│   │   │       └── helm.py
│   │   ├── registry.py
│   │   └── runner.py
│   ├── json_doc/
│   │   ├── __init__.py
│   │   ├── base_json_check.py
│   │   ├── base_registry.py
│   │   ├── enums.py
│   │   ├── registry.py
│   │   └── runner.py
│   ├── kubernetes/
│   │   ├── __init__.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── graph_checks/
│   │   │   │   ├── ImpersonatePermissions.yaml
│   │   │   │   ├── ModifyServicesStatus.yaml
│   │   │   │   ├── NoCreateNodesProxyOrPodsExec.yaml
│   │   │   │   ├── ReadAllSecrets.yaml
│   │   │   │   ├── RequireAllPodsToHaveNetworkPolicy.yaml
│   │   │   │   ├── RoleBindingPE.yaml
│   │   │   │   └── __init__.py
│   │   │   └── resource/
│   │   │       ├── __init__.py
│   │   │       ├── base_container_check.py
│   │   │       ├── base_rbac_check.py
│   │   │       ├── base_registry.py
│   │   │       ├── base_root_container_check.py
│   │   │       ├── base_spec_check.py
│   │   │       ├── base_spec_omitted_or_value_check.py
│   │   │       ├── k8s/
│   │   │       │   ├── AllowPrivilegeEscalation.py
│   │   │       │   ├── AllowPrivilegeEscalationPSP.py
│   │   │       │   ├── AllowedCapabilities.py
│   │   │       │   ├── AllowedCapabilitiesPSP.py
│   │   │       │   ├── AllowedCapabilitiesSysAdmin.py
│   │   │       │   ├── ApiServerAdmissionControlAlwaysAdmit.py
│   │   │       │   ├── ApiServerAdmissionControlEventRateLimit.py
│   │   │       │   ├── ApiServerAlwaysPullImagesPlugin.py
│   │   │       │   ├── ApiServerAnonymousAuth.py
│   │   │       │   ├── ApiServerAuditLog.py
│   │   │       │   ├── ApiServerAuditLogMaxAge.py
│   │   │       │   ├── ApiServerAuditLogMaxBackup.py
│   │   │       │   ├── ApiServerAuditLogMaxSize.py
│   │   │       │   ├── ApiServerAuthorizationModeNode.py
│   │   │       │   ├── ApiServerAuthorizationModeNotAlwaysAllow.py
│   │   │       │   ├── ApiServerAuthorizationModeRBAC.py
│   │   │       │   ├── ApiServerBasicAuthFile.py
│   │   │       │   ├── ApiServerEncryptionProviders.py
│   │   │       │   ├── ApiServerEtcdCaFile.py
│   │   │       │   ├── ApiServerEtcdCertAndKey.py
│   │   │       │   ├── ApiServerInsecureBindAddress.py
│   │   │       │   ├── ApiServerInsecurePort.py
│   │   │       │   ├── ApiServerKubeletClientCertAndKey.py
│   │   │       │   ├── ApiServerKubeletHttps.py
│   │   │       │   ├── ApiServerNamespaceLifecyclePlugin.py
│   │   │       │   ├── ApiServerNodeRestrictionPlugin.py
│   │   │       │   ├── ApiServerPodSecurityPolicyPlugin.py
│   │   │       │   ├── ApiServerProfiling.py
│   │   │       │   ├── ApiServerRequestTimeout.py
│   │   │       │   ├── ApiServerSecurePort.py
│   │   │       │   ├── ApiServerSecurityContextDenyPlugin.py
│   │   │       │   ├── ApiServerServiceAccountKeyFile.py
│   │   │       │   ├── ApiServerServiceAccountLookup.py
│   │   │       │   ├── ApiServerServiceAccountPlugin.py
│   │   │       │   ├── ApiServerStrongCryptographicCiphers.py
│   │   │       │   ├── ApiServerTlsCertAndKey.py
│   │   │       │   ├── ApiServerTokenAuthFile.py
│   │   │       │   ├── ApiServerkubeletCertificateAuthority.py
│   │   │       │   ├── CPULimits.py
│   │   │       │   ├── CPURequests.py
│   │   │       │   ├── ContainerSecurityContext.py
│   │   │       │   ├── ControllerManagerBindAddress.py
│   │   │       │   ├── DangerousGitSync.py
│   │   │       │   ├── DefaultNamespace.py
│   │   │       │   ├── DefaultServiceAccount.py
│   │   │       │   ├── DefaultServiceAccountBinding.py
│   │   │       │   ├── DockerSocketVolume.py
│   │   │       │   ├── DropCapabilities.py
│   │   │       │   ├── DropCapabilitiesPSP.py
│   │   │       │   ├── EtcdAutoTls.py
│   │   │       │   ├── EtcdCertAndKey.py
│   │   │       │   ├── EtcdClientCertAuth.py
│   │   │       │   ├── EtcdPeerFiles.py
│   │   │       │   ├── HostPort.py
│   │   │       │   ├── ImageDigest.py
│   │   │       │   ├── ImagePullPolicyAlways.py
│   │   │       │   ├── ImageTagFixed.py
│   │   │       │   ├── KubeControllerManagerBlockProfiles.py
│   │   │       │   ├── KubeControllerManagerRootCAFile.py
│   │   │       │   ├── KubeControllerManagerServiceAccountCredentials.py
│   │   │       │   ├── KubeControllerManagerServiceAccountPrivateKeyFile.py
│   │   │       │   ├── KubeControllerManagerTerminatedPods.py
│   │   │       │   ├── KubeletAnonymousAuth.py
│   │   │       │   ├── KubeletAuthorizationModeNotAlwaysAllow.py
│   │   │       │   ├── KubeletClientCa.py
│   │   │       │   ├── KubeletCryptographicCiphers.py
│   │   │       │   ├── KubeletHostnameOverride.py
│   │   │       │   ├── KubeletKeyFilesSetAppropriate.py
│   │   │       │   ├── KubeletMakeIptablesUtilChains.py
│   │   │       │   ├── KubeletProtectKernelDefaults.py
│   │   │       │   ├── KubeletReadOnlyPort.py
│   │   │       │   ├── KubeletStreamingConnectionIdleTimeout.py
│   │   │       │   ├── KubernetesDashboard.py
│   │   │       │   ├── KubletEventCapture.py
│   │   │       │   ├── KubletRotateCertificates.py
│   │   │       │   ├── LivenessProbe.py
│   │   │       │   ├── MemoryLimits.py
│   │   │       │   ├── MemoryRequests.py
│   │   │       │   ├── MinimizeCapabilities.py
│   │   │       │   ├── MinimizeCapabilitiesPSP.py
│   │   │       │   ├── NginxIngressCVE202125742Alias.py
│   │   │       │   ├── NginxIngressCVE202125742AllSnippets.py
│   │   │       │   ├── NginxIngressCVE202125742Lua.py
│   │   │       │   ├── PeerClientCertAuthTrue.py
│   │   │       │   ├── PodSecurityContext.py
│   │   │       │   ├── PrivilegedContainers.py
│   │   │       │   ├── PrivilegedContainersPSP.py
│   │   │       │   ├── RbacApproveCertificateSigningRequests.py
│   │   │       │   ├── RbacBindRoleBindings.py
│   │   │       │   ├── RbacControlWebhooks.py
│   │   │       │   ├── RbacEscalateRoles.py
│   │   │       │   ├── ReadOnlyFilesystem.py
│   │   │       │   ├── ReadinessProbe.py
│   │   │       │   ├── RootContainers.py
│   │   │       │   ├── RootContainersHighUID.py
│   │   │       │   ├── RootContainersPSP.py
│   │   │       │   ├── RotateKubeletServerCertificate.py
│   │   │       │   ├── SchedulerBindAddress.py
│   │   │       │   ├── SchedulerProfiling.py
│   │   │       │   ├── Seccomp.py
│   │   │       │   ├── SeccompPSP.py
│   │   │       │   ├── Secrets.py
│   │   │       │   ├── ServiceAccountTokens.py
│   │   │       │   ├── ShareHostIPC.py
│   │   │       │   ├── ShareHostIPCPSP.py
│   │   │       │   ├── ShareHostPID.py
│   │   │       │   ├── ShareHostPIDPSP.py
│   │   │       │   ├── SharedHostNetworkNamespace.py
│   │   │       │   ├── SharedHostNetworkNamespacePSP.py
│   │   │       │   ├── Tiller.py
│   │   │       │   ├── TillerDeploymentListener.py
│   │   │       │   ├── TillerService.py
│   │   │       │   ├── WildcardRoles.py
│   │   │       │   ├── __init__.py
│   │   │       │   └── k8s_check_utils.py
│   │   │       └── registry.py
│   │   ├── graph_builder/
│   │   │   ├── __init__.py
│   │   │   ├── graph_components/
│   │   │   │   ├── ResourceKeywordIdentifier.py
│   │   │   │   ├── __init__.py
│   │   │   │   ├── blocks.py
│   │   │   │   └── edge_builders/
│   │   │   │       ├── K8SEdgeBuilder.py
│   │   │   │       ├── KeywordEdgeBuilder.py
│   │   │   │       ├── LabelSelectorEdgeBuilder.py
│   │   │   │       ├── NetworkPolicyEdgeBuilder.py
│   │   │   │       ├── ServiceAccountEdgeBuilder.py
│   │   │   │       └── __init__.py
│   │   │   └── local_graph.py
│   │   ├── graph_manager.py
│   │   ├── image_referencer/
│   │   │   ├── __init__.py
│   │   │   ├── base_provider.py
│   │   │   ├── manager.py
│   │   │   └── provider/
│   │   │       ├── __init__.py
│   │   │       └── k8s.py
│   │   ├── kubernetes_graph_flags.py
│   │   ├── kubernetes_utils.py
│   │   ├── parser/
│   │   │   ├── __init__.py
│   │   │   ├── k8_json.py
│   │   │   ├── k8_yaml.py
│   │   │   ├── parser.py
│   │   │   └── validatior.py
│   │   ├── runner.py
│   │   └── test/
│   │       └── share-process-namespace.yaml
│   ├── kustomize/
│   │   ├── __init__.py
│   │   ├── image_referencer/
│   │   │   ├── __init__.py
│   │   │   ├── base_provider.py
│   │   │   ├── manager.py
│   │   │   └── provider/
│   │   │       ├── __init__.py
│   │   │       └── kustomize.py
│   │   ├── runner.py
│   │   └── utils.py
│   ├── logging_init.py
│   ├── main.py
│   ├── openapi/
│   │   ├── __init__.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── base_openapi_check.py
│   │   │   ├── base_registry.py
│   │   │   ├── registry.py
│   │   │   └── resource/
│   │   │       ├── __init__.py
│   │   │       ├── generic/
│   │   │       │   ├── ClearTextAPIKey.py
│   │   │       │   ├── GlobalSecurityFieldIsEmpty.py
│   │   │       │   ├── NoMaximumNumberItems.py
│   │   │       │   ├── SecurityOperations.py
│   │   │       │   └── __init__.py
│   │   │       ├── v2/
│   │   │       │   ├── BaseOpenapiCheckV2.py
│   │   │       │   ├── GlobalSchemeDefineHTTP.py
│   │   │       │   ├── GlobalSecurityScopeUndefined.py
│   │   │       │   ├── Oauth2OperationObjectPasswordFlow.py
│   │   │       │   ├── Oauth2SecurityDefinitionImplicitFlow.py
│   │   │       │   ├── Oauth2SecurityDefinitionPasswordFlow.py
│   │   │       │   ├── Oauth2SecurityPasswordFlow.py
│   │   │       │   ├── Oauth2SecurityRequirement.py
│   │   │       │   ├── OperationObjectBasicAuth.py
│   │   │       │   ├── OperationObjectConsumesUndefined.py
│   │   │       │   ├── OperationObjectImplicitFlow.py
│   │   │       │   ├── OperationObjectProducesUndefined.py
│   │   │       │   ├── OperationObjectSecurityScopeUndefined.py
│   │   │       │   ├── PathSchemeDefineHTTP.py
│   │   │       │   ├── SecurityDefinitionBasicAuth.py
│   │   │       │   ├── SecurityDefinitions.py
│   │   │       │   ├── SecurityRequirement.py
│   │   │       │   └── __init__.py
│   │   │       └── v3/
│   │   │           ├── BaseOpenapiCheckV3.py
│   │   │           ├── CleartextOverUnencryptedChannel.py
│   │   │           └── __init__.py
│   │   └── runner.py
│   ├── policies_3d/
│   │   ├── __init__.py
│   │   ├── checks_infra/
│   │   │   ├── __init__.py
│   │   │   ├── base_check.py
│   │   │   └── base_parser.py
│   │   ├── checks_parser.py
│   │   ├── output.py
│   │   ├── record.py
│   │   ├── runner.py
│   │   └── syntax/
│   │       ├── __init__.py
│   │       ├── cves_syntax.py
│   │       ├── iac_syntax.py
│   │       ├── secrets_syntax.py
│   │       └── syntax.py
│   ├── py.typed
│   ├── runner_filter.py
│   ├── sast/
│   │   ├── __init__.py
│   │   ├── checks_infra/
│   │   │   ├── __init__.py
│   │   │   ├── base_check.py
│   │   │   ├── base_registry.py
│   │   │   └── registry.py
│   │   ├── common.py
│   │   ├── engines/
│   │   │   ├── __init__.py
│   │   │   ├── base_engine.py
│   │   │   ├── files_filter_manager.py
│   │   │   └── prisma_engine.py
│   │   ├── prisma_models/
│   │   │   ├── __init__.py
│   │   │   ├── library_input.py
│   │   │   └── policies_list.py
│   │   ├── record.py
│   │   ├── report.py
│   │   └── runner.py
│   ├── sca_image/
│   │   ├── __init__.py
│   │   ├── models.py
│   │   └── runner.py
│   ├── sca_package_2/
│   │   ├── __init__.py
│   │   ├── output.py
│   │   ├── runner.py
│   │   └── scanner.py
│   ├── secrets/
│   │   ├── __init__.py
│   │   ├── context_parser.py
│   │   ├── coordinator.py
│   │   ├── git_history_store.py
│   │   ├── git_types.py
│   │   ├── local_secrets_runner.py
│   │   ├── log_prefix_stripper.py
│   │   ├── parsers/
│   │   │   ├── __init__.py
│   │   │   ├── json/
│   │   │   │   ├── __init__.py
│   │   │   │   └── multiline_parser.py
│   │   │   ├── multiline_parser.py
│   │   │   ├── single_line_parser.py
│   │   │   ├── terraform/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── multiline_parser.py
│   │   │   │   └── single_line_parser.py
│   │   │   └── yaml/
│   │   │       ├── __init__.py
│   │   │       └── multiline_parser.py
│   │   ├── plugins/
│   │   │   ├── __init__.py
│   │   │   ├── custom_regex_detector.py
│   │   │   ├── detector_utils.py
│   │   │   ├── entropy_keyword_combinator.py
│   │   │   └── load_detectors.py
│   │   ├── runner.py
│   │   ├── scan_git_history.py
│   │   └── utils.py
│   ├── serverless/
│   │   ├── __init__.py
│   │   ├── base_registry.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── base_function_check.py
│   │   │   ├── complete/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── base_complete_check.py
│   │   │   │   └── registry.py
│   │   │   ├── custom/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── base_custom_check.py
│   │   │   │   └── registry.py
│   │   │   ├── function/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── aws/
│   │   │   │   │   ├── AWSCredentials.py
│   │   │   │   │   ├── AdminPolicyDocument.py
│   │   │   │   │   ├── StarActionPolicyDocument.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── base_function_check.py
│   │   │   │   └── registry.py
│   │   │   ├── layer/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── base_layer_check.py
│   │   │   │   └── registry.py
│   │   │   ├── package/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── base_package_check.py
│   │   │   │   └── registry.py
│   │   │   ├── plugin/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── base_plugin_check.py
│   │   │   │   └── registry.py
│   │   │   ├── provider/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── base_provider_check.py
│   │   │   │   └── registry.py
│   │   │   └── service/
│   │   │       ├── __init__.py
│   │   │       ├── base_service_check.py
│   │   │       └── registry.py
│   │   ├── graph_builder/
│   │   │   ├── __init__.py
│   │   │   ├── definition_context.py
│   │   │   ├── graph_components/
│   │   │   │   ├── __init__.py
│   │   │   │   └── blocks.py
│   │   │   ├── graph_to_definitions.py
│   │   │   └── local_graph.py
│   │   ├── graph_manager.py
│   │   ├── parsers/
│   │   │   ├── __init__.py
│   │   │   ├── context_parser.py
│   │   │   └── parser.py
│   │   ├── registry.py
│   │   ├── runner.py
│   │   └── utils.py
│   ├── terraform/
│   │   ├── __init__.py
│   │   ├── base_runner.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── data/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── aws/
│   │   │   │   │   ├── AdminPolicyDocument.py
│   │   │   │   │   ├── GithubActionsOIDCTrustPolicy.py
│   │   │   │   │   ├── IAMCredentialsExposure.py
│   │   │   │   │   ├── IAMDataExfiltration.py
│   │   │   │   │   ├── IAMManagedAdminPolicy.py
│   │   │   │   │   ├── IAMPermissionsManagement.py
│   │   │   │   │   ├── IAMPrivilegeEscalation.py
│   │   │   │   │   ├── IAMPublicActionsPolicy.py
│   │   │   │   │   ├── IAMWriteAccess.py
│   │   │   │   │   ├── ResourcePolicyDocument.py
│   │   │   │   │   ├── StarActionPolicyDocument.py
│   │   │   │   │   ├── WhoAMI.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── base_check.py
│   │   │   │   ├── base_cloudsplaining_data_iam_check.py
│   │   │   │   ├── base_registry.py
│   │   │   │   ├── external/
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── gcp/
│   │   │   │   │   ├── GooglePolicyIsPrivate.py
│   │   │   │   │   └── __init__.py
│   │   │   │   └── registry.py
│   │   │   ├── graph_checks/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── alicloud/
│   │   │   │   │   └── OSSBucketPublic.yaml
│   │   │   │   ├── aws/
│   │   │   │   │   ├── ACMWildcardDomainName.yaml
│   │   │   │   │   ├── ALBProtectedByWAF.yaml
│   │   │   │   │   ├── ALBRedirectsHTTPToHTTPS.yaml
│   │   │   │   │   ├── ALBWebACLConfiguredWIthLog4jVulnerability.yaml
│   │   │   │   │   ├── AMRClustersNotOpenToInternet.yaml
│   │   │   │   │   ├── APIGWLoggingLevelsDefinedProperly.yaml
│   │   │   │   │   ├── APIGatewayEndpointsUsesCertificateForAuthentication.yaml
│   │   │   │   │   ├── APIGatewayRequestParameterValidationEnabled.yaml
│   │   │   │   │   ├── APIGatewayWebACLConfiguredWIthLog4jVulnerability.yaml
│   │   │   │   │   ├── APIProtectedByWAF.yaml
│   │   │   │   │   ├── AWSConfigRecorderEnabled.yaml
│   │   │   │   │   ├── AWSNATGatewaysshouldbeutilized.yaml
│   │   │   │   │   ├── AWSSSMParameterShouldBeEncrypted.yaml
│   │   │   │   │   ├── AWS_private_MWAA_environment.yaml
│   │   │   │   │   ├── AWSdisableS3ACL.yaml
│   │   │   │   │   ├── AppLoadBalancerTLS12.yaml
│   │   │   │   │   ├── AppSyncProtectedByWAF.yaml
│   │   │   │   │   ├── AppsyncWebACLConfiguredWIthLog4jVulnerability.yaml
│   │   │   │   │   ├── AutoScalingEnableOnDynamoDBTables.yaml
│   │   │   │   │   ├── AutoScallingEnabledELB.yaml
│   │   │   │   │   ├── CLoudFrontS3OriginConfigWithOAI.yaml
│   │   │   │   │   ├── CloudFrontHasCustomSSLCertificate.yaml
│   │   │   │   │   ├── CloudFrontHasResponseHeadersPolicy.yaml
│   │   │   │   │   ├── CloudFrontUsesSecureProtocolsForHTTPS.yaml
│   │   │   │   │   ├── CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml
│   │   │   │   │   ├── CloudfrontOriginNotHTTPSOnly.yaml
│   │   │   │   │   ├── CloudtrailHasCloudwatch.yaml
│   │   │   │   │   ├── CodecommitApprovalRulesAttached.yaml
│   │   │   │   │   ├── ConfigRecorderRecordsAllGlobalResources.yaml
│   │   │   │   │   ├── DMSEndpointHaveSSLConfigured.yaml
│   │   │   │   │   ├── EBSAddedBackup.yaml
│   │   │   │   │   ├── EC2InstanceHasIAMRoleAttached.yaml
│   │   │   │   │   ├── EFSAddedBackup.yaml
│   │   │   │   │   ├── EIPAllocatedToVPCAttachedEC2.yaml
│   │   │   │   │   ├── EMRClusterHasSecurityConfiguration.yaml
│   │   │   │   │   ├── ElastiCacheRedisConfiguredAutomaticFailOver.yaml
│   │   │   │   │   ├── ElasticSearchDedicatedMasterEnabled.yaml
│   │   │   │   │   ├── EncryptedEBSVolumeOnlyConnectedToEC2s.yaml
│   │   │   │   │   ├── GuardDutyIsEnabled.yaml
│   │   │   │   │   ├── HTTPNotSendingPasswords.yaml
│   │   │   │   │   ├── IAMGroupHasAtLeastOneUser.yaml
│   │   │   │   │   ├── IAMManagedIAMFullAccessPolicy.yaml
│   │   │   │   │   ├── IAMPolicyNotAllowFullIAMAccess.yaml
│   │   │   │   │   ├── IAMUserHasNoConsoleAccess.yaml
│   │   │   │   │   ├── IAMUsersAreMembersAtLeastOneGroup.yaml
│   │   │   │   │   ├── KmsKeyPolicyIsDefined.yaml
│   │   │   │   │   ├── LBTargetGroup.yaml
│   │   │   │   │   ├── LBWeakCiphers.yaml
│   │   │   │   │   ├── LambdaOpenCorsPolicy.yaml
│   │   │   │   │   ├── NeptuneDeletionProtectionEnabled.yaml
│   │   │   │   │   ├── NetworkFirewallHasLogging.yaml
│   │   │   │   │   ├── OpenSearchDomainHasFineGrainedControl.yaml
│   │   │   │   │   ├── PostgresDBHasQueryLoggingEnabled.yaml
│   │   │   │   │   ├── PostgresRDSHasQueryLoggingEnabled.yaml
│   │   │   │   │   ├── RDSClusterHasBackupPlan.yaml
│   │   │   │   │   ├── RDSEnableCopyTagsToSnapshot.yaml
│   │   │   │   │   ├── RDSEncryptionInTransit.yaml
│   │   │   │   │   ├── Route53ARecordAttachedResource.yaml
│   │   │   │   │   ├── Route53ZoneEnableDNSSECSigning.yaml
│   │   │   │   │   ├── Route53ZoneHasMatchingQueryLog.yaml
│   │   │   │   │   ├── S3BucketEncryption.yaml
│   │   │   │   │   ├── S3BucketEventNotifications.yaml
│   │   │   │   │   ├── S3BucketHasPublicAccessBlock.yaml
│   │   │   │   │   ├── S3BucketLifecycle.yaml
│   │   │   │   │   ├── S3BucketLogging.yaml
│   │   │   │   │   ├── S3BucketReplicationConfiguration.yaml
│   │   │   │   │   ├── S3BucketVersioning.yaml
│   │   │   │   │   ├── S3KMSEncryptedByDefault.yaml
│   │   │   │   │   ├── S3NotAllowAccessToAllAuthenticatedUsers.yaml
│   │   │   │   │   ├── S3PublicACLRead.yaml
│   │   │   │   │   ├── S3PublicACLWrite.yaml
│   │   │   │   │   ├── SGAttachedToResource.yaml
│   │   │   │   │   ├── SQSEncryptionCMK.yaml
│   │   │   │   │   ├── SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml
│   │   │   │   │   ├── SecretsAreRotated.yaml
│   │   │   │   │   ├── SubnetHasACL.yaml
│   │   │   │   │   ├── VPCHasFlowLog.yaml
│   │   │   │   │   ├── VPCHasRestrictedSG.yaml
│   │   │   │   │   ├── VPCPeeringRouteTableOverlyPermissive.yaml
│   │   │   │   │   └── WAF2HasLogs.yaml
│   │   │   │   ├── azure/
│   │   │   │   │   ├── AccessToPostgreSQLFromAzureServicesIsDisabled.yaml
│   │   │   │   │   ├── ApplicationGatewayEnablesWAF.yaml
│   │   │   │   │   ├── AzureACR_HTTPSwebhook.yaml
│   │   │   │   │   ├── AzureAKSclusterAzureCNIEnabled.yaml
│   │   │   │   │   ├── AzureActiveDirectoryAdminIsConfigured.yaml
│   │   │   │   │   ├── AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml
│   │   │   │   │   ├── AzureAutomationAccConfigManagedIdentity.yaml
│   │   │   │   │   ├── AzureAutomationAccNotOverlyPermissiveNetAccess.yaml
│   │   │   │   │   ├── AzureConfigMSSQLwithAD.yaml
│   │   │   │   │   ├── AzureContainerInstanceconfigManagedIdentity.yaml
│   │   │   │   │   ├── AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml
│   │   │   │   │   ├── AzureKeyVaultConfigPrivateEndpoint.yaml
│   │   │   │   │   ├── AzureMLWorkspaceHBIPublicNetwork.yaml
│   │   │   │   │   ├── AzureMLWorkspacePublicNetwork.yaml
│   │   │   │   │   ├── AzureMSSQLServerHasSecurityAlertPolicy.yaml
│   │   │   │   │   ├── AzureMSSQLserverConfigPrivEndpt.yaml
│   │   │   │   │   ├── AzureMariaDBserverConfigPrivEndpt.yaml
│   │   │   │   │   ├── AzureMariaDBserverUsingTLS_1_2.yaml
│   │   │   │   │   ├── AzureMySQLFlexibleServerConfigPrivEndpt.yaml
│   │   │   │   │   ├── AzureMySQLserverConfigPrivEndpt.yaml
│   │   │   │   │   ├── AzureNetworkInterfacePublicIPAddressId.yaml
│   │   │   │   │   ├── AzurePostgreSQLFlexServerNotOverlyPermissive.yaml
│   │   │   │   │   ├── AzurePostgreSQLFlexibleServerConfigPrivEndpt.yaml
│   │   │   │   │   ├── AzurePostgreSQLserverConfigPrivEndpt.yaml
│   │   │   │   │   ├── AzureRecoveryServicesvaultConfigManagedIdentity.yaml
│   │   │   │   │   ├── AzureSQLserverNotOverlyPermissive.yaml
│   │   │   │   │   ├── AzureSpringCloudConfigWithVnet.yaml
│   │   │   │   │   ├── AzureSpringCloudTLSDisabled.yaml
│   │   │   │   │   ├── AzureSqlDbEnableTransparentDataEncryption.yaml
│   │   │   │   │   ├── AzureStorageAccConfigSharedKeyAuth.yaml
│   │   │   │   │   ├── AzureStorageAccConfigWithPrivateEndpoint.yaml
│   │   │   │   │   ├── AzureStorageAccConfigWithoutBlobAnonymousAccess.yaml
│   │   │   │   │   ├── AzureStorageAccConfig_SAS_expirePolicy.yaml
│   │   │   │   │   ├── AzureStorageAccountEnableSoftDelete.yaml
│   │   │   │   │   ├── AzureSubnetConfigWithNSG.yaml
│   │   │   │   │   ├── AzureSynapseWorkspaceVAisEnabled.yaml
│   │   │   │   │   ├── AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml
│   │   │   │   │   ├── AzureUnattachedDisksAreEncrypted.yaml
│   │   │   │   │   ├── AzureVMconfigPublicIP_SerialConsoleAccess.yaml
│   │   │   │   │   ├── CognitiveServicesCustomerManagedKey.yaml
│   │   │   │   │   ├── DataExplorerEncryptionUsesCustomKey.yaml
│   │   │   │   │   ├── DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.yaml
│   │   │   │   │   ├── MSQLenablesCustomerManagedKey.yaml
│   │   │   │   │   ├── PGSQLenablesCustomerManagedKey.yaml
│   │   │   │   │   ├── SQLServerAuditingEnabled.yaml
│   │   │   │   │   ├── SQLServerAuditingRetention90Days.yaml
│   │   │   │   │   ├── StorageContainerActivityLogsNotPublic.yaml
│   │   │   │   │   ├── StorageCriticalDataEncryptedCMK.yaml
│   │   │   │   │   ├── StorageLoggingIsEnabledForBlobService.yaml
│   │   │   │   │   ├── StorageLoggingIsEnabledForTableService.yaml
│   │   │   │   │   ├── SynapseLogMonitoringEnabledForSQLPool.yaml
│   │   │   │   │   ├── SynapseSQLPoolHasSecurityAlertPolicy.yaml
│   │   │   │   │   ├── SynapseSQLPoolHasVulnerabilityAssessment.yaml
│   │   │   │   │   ├── SynapseWorkspaceHasExtendedAuditLogs.yaml
│   │   │   │   │   ├── VAconfiguredToSendReports.yaml
│   │   │   │   │   ├── VAconfiguredToSendReportsToAdmins.yaml
│   │   │   │   │   ├── VAisEnabledInStorageAccount.yaml
│   │   │   │   │   ├── VAsetPeriodicScansOnSQL.yaml
│   │   │   │   │   ├── VMHasBackUpMachine.yaml
│   │   │   │   │   └── VirtualMachinesUtilizingManagedDisks.yaml
│   │   │   │   ├── azuredevops/
│   │   │   │   │   └── ADORepositoryHasMinTwoReviewers.yaml
│   │   │   │   ├── gcp/
│   │   │   │   │   ├── CloudFunctionSecureHTTPTrigger.yaml
│   │   │   │   │   ├── DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml
│   │   │   │   │   ├── GCPAuditLogsConfiguredForAllServicesAndUsers.yaml
│   │   │   │   │   ├── GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml
│   │   │   │   │   ├── GCPComputeGlobalForwardingRuleCheck.yaml
│   │   │   │   │   ├── GCPComputeRegionalForwardingRuleCheck.yaml
│   │   │   │   │   ├── GCPContainerRegistryReposAreNotPubliclyAccessible.yaml
│   │   │   │   │   ├── GCPDialogFlowAgentLoggingEnabled.yaml
│   │   │   │   │   ├── GCPDialogFlowCxAgentLoggingEnabled.yaml
│   │   │   │   │   ├── GCPDialogFlowCxWebhookLoggingEnabled.yaml
│   │   │   │   │   ├── GCPDocumentAIProcessorEncryptedWithCMK.yaml
│   │   │   │   │   ├── GCPDocumentAIWarehouseLocationEncryptedWithCMK.yaml
│   │   │   │   │   ├── GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml
│   │   │   │   │   ├── GCPKMSKeyRingsAreNotPubliclyAccessible.yaml
│   │   │   │   │   ├── GCPLogBucketsConfiguredUsingLock.yaml
│   │   │   │   │   ├── GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml
│   │   │   │   │   ├── GCPNetworkDoesNotUseDefaultFirewall.yaml
│   │   │   │   │   ├── GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml
│   │   │   │   │   ├── GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml
│   │   │   │   │   ├── GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml
│   │   │   │   │   ├── GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml
│   │   │   │   │   ├── GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml
│   │   │   │   │   ├── GCPProjectHasNoLegacyNetworks.yaml
│   │   │   │   │   ├── GCPTpuV2VmPrivateEndpoint.yaml
│   │   │   │   │   ├── GCPVertexAIEndpointEncryptedWithCMK.yaml
│   │   │   │   │   ├── GCPVertexAIFeaturestoreEncryptedWithCMK.yaml
│   │   │   │   │   ├── GCPVertexAIPrivateEndpoint.yaml
│   │   │   │   │   ├── GCPVertexAIPrivateIndexEndpoint.yaml
│   │   │   │   │   ├── GCPVertexAITensorboardEncryptedWithCMK.yaml
│   │   │   │   │   ├── GCPVertexInstanceEncryptedWithCMK.yaml
│   │   │   │   │   ├── GCPVertexRuntimeEncryptedWithCMK.yaml
│   │   │   │   │   ├── GCPVertexRuntimePrivate.yaml
│   │   │   │   │   ├── GCPVertexWorkbenchInstanceEncryptedWithCMK.yaml
│   │   │   │   │   ├── GCPVertexWorkbenchInstanceNoPublicIp.yaml
│   │   │   │   │   ├── GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml
│   │   │   │   │   ├── GCRContainerVulnerabilityScanningEnabled.yaml
│   │   │   │   │   ├── GKEClustersAreNotUsingDefaultServiceAccount.yaml
│   │   │   │   │   └── ServiceAccountHasGCPmanagedKey.yaml
│   │   │   │   ├── github/
│   │   │   │   │   └── RepositoryHasBranchProtection.yaml
│   │   │   │   ├── ibm/
│   │   │   │   │   ├── IBM_EnableMFAatAccountLevel.yaml
│   │   │   │   │   ├── IBM_K8sClustersAccessibleViaPrivateEndPt.yaml
│   │   │   │   │   ├── IBM_LoadBalancerforVPCisPrivate.yaml
│   │   │   │   │   ├── IBM_RestrictAPIkeyCreationInAccountSettings.yaml
│   │   │   │   │   ├── IBM_RestrictServiceIDCreationInAccountSettings.yaml
│   │   │   │   │   └── IBM_VPCclassicAccessIsDisabled.yaml
│   │   │   │   ├── ncp/
│   │   │   │   │   ├── AccessControlGroupRuleDefine.yaml
│   │   │   │   │   ├── AutoScalingEnabledLB.yaml
│   │   │   │   │   └── RouteTablePublicSubnetConnection.yaml
│   │   │   │   └── oci/
│   │   │   │       ├── AdministratorUserNotAssociatedWithAPIKey.yaml
│   │   │   │       ├── OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml
│   │   │   │       ├── OCI_K8EngineClusterPodSecPolicyEnforced.yaml
│   │   │   │       ├── OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml
│   │   │   │       ├── OCI_NFSaccessRestrictedToRootUsers.yaml
│   │   │   │       └── OCI_NSGNotAllowRDP.yaml
│   │   │   ├── module/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── base_module_check.py
│   │   │   │   ├── base_registry.py
│   │   │   │   ├── generic/
│   │   │   │   │   ├── RevisionHash.py
│   │   │   │   │   ├── RevisionVersionTag.py
│   │   │   │   │   └── __init__.py
│   │   │   │   └── registry.py
│   │   │   ├── provider/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── aws/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   └── credentials.py
│   │   │   │   ├── base_check.py
│   │   │   │   ├── base_registry.py
│   │   │   │   ├── bridgecrew/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   └── credentials.py
│   │   │   │   ├── linode/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   └── credentials.py
│   │   │   │   ├── ncp/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   └── credentials.py
│   │   │   │   ├── oci/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   └── credentials.py
│   │   │   │   ├── openstack/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   └── credentials.py
│   │   │   │   ├── panos/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   └── credentials.py
│   │   │   │   └── registry.py
│   │   │   ├── resource/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── alicloud/
│   │   │   │   │   ├── ALBACLIsUnrestricted.py
│   │   │   │   │   ├── APIGatewayProtocolHTTPS.py
│   │   │   │   │   ├── AbsRDSParameter.py
│   │   │   │   │   ├── AbsSecurityGroupUnrestrictedIngress.py
│   │   │   │   │   ├── ActionTrailLogAllEvents.py
│   │   │   │   │   ├── ActionTrailLogAllRegions.py
│   │   │   │   │   ├── DiskEncryptedWithCMK.py
│   │   │   │   │   ├── DiskIsEncrypted.py
│   │   │   │   │   ├── K8sEnableNetworkPolicies.py
│   │   │   │   │   ├── K8sNodePoolAutoRepair.py
│   │   │   │   │   ├── KMSKeyIsEnabled.py
│   │   │   │   │   ├── KMSKeyRotationIsEnabled.py
│   │   │   │   │   ├── LaunchTemplateDisksAreEncrypted.py
│   │   │   │   │   ├── LogAuditRDSEnabled.py
│   │   │   │   │   ├── MongoDBInsideVPC.py
│   │   │   │   │   ├── MongoDBInstanceSSL.py
│   │   │   │   │   ├── MongoDBIsPublic.py
│   │   │   │   │   ├── MongoDBTransparentDataEncryptionEnabled.py
│   │   │   │   │   ├── OSSBucketAccessLogs.py
│   │   │   │   │   ├── OSSBucketEncryptedWithCMK.py
│   │   │   │   │   ├── OSSBucketTransferAcceleration.py
│   │   │   │   │   ├── OSSBucketVersioning.py
│   │   │   │   │   ├── RAMPasswordPolicyExpiration.py
│   │   │   │   │   ├── RAMPasswordPolicyLength.py
│   │   │   │   │   ├── RAMPasswordPolicyLowercaseLetter.py
│   │   │   │   │   ├── RAMPasswordPolicyMaxLogin.py
│   │   │   │   │   ├── RAMPasswordPolicyNumber.py
│   │   │   │   │   ├── RAMPasswordPolicyReuse.py
│   │   │   │   │   ├── RAMPasswordPolicySymbol.py
│   │   │   │   │   ├── RAMPasswordPolicyUppcaseLetter.py
│   │   │   │   │   ├── RAMSecurityEnforceMFA.py
│   │   │   │   │   ├── RDSInstanceAutoUpgrade.py
│   │   │   │   │   ├── RDSInstanceLogConnections.py
│   │   │   │   │   ├── RDSInstanceLogDisconnections.py
│   │   │   │   │   ├── RDSInstanceLogsEnabled.py
│   │   │   │   │   ├── RDSInstanceSSL.py
│   │   │   │   │   ├── RDSIsPublic.py
│   │   │   │   │   ├── RDSRetention.py
│   │   │   │   │   ├── RDSTransparentDataEncryptionEnabled.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedIngress22.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedIngress3389.py
│   │   │   │   │   ├── TLSPoliciesAreSecure.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── aws/
│   │   │   │   │   ├── ACMCertCreateBeforeDestroy.py
│   │   │   │   │   ├── ACMCertSetLoggingPreference.py
│   │   │   │   │   ├── ALBDesyncMode.py
│   │   │   │   │   ├── ALBDropHttpHeaders.py
│   │   │   │   │   ├── ALBListenerHTTPS.py
│   │   │   │   │   ├── AMICopyIsEncrypted.py
│   │   │   │   │   ├── AMICopyUsesCMK.py
│   │   │   │   │   ├── AMIEncryption.py
│   │   │   │   │   ├── AMILaunchIsShared.py
│   │   │   │   │   ├── APIGatewayAccessLogging.py
│   │   │   │   │   ├── APIGatewayAuthorization.py
│   │   │   │   │   ├── APIGatewayCacheEnable.py
│   │   │   │   │   ├── APIGatewayCreateBeforeDestroy.py
│   │   │   │   │   ├── APIGatewayDeploymentCreateBeforeDestroy.py
│   │   │   │   │   ├── APIGatewayDomainNameTLS.py
│   │   │   │   │   ├── APIGatewayMethodSettingsCacheEnabled.py
│   │   │   │   │   ├── APIGatewayMethodSettingsCacheEncrypted.py
│   │   │   │   │   ├── APIGatewayMethodSettingsDataTrace.py
│   │   │   │   │   ├── APIGatewayMethodWOAuth.py
│   │   │   │   │   ├── APIGatewayV2RouteDefinesAuthorizationType.py
│   │   │   │   │   ├── APIGatewayXray.py
│   │   │   │   │   ├── AWSCodeGuruHasCMK.py
│   │   │   │   │   ├── AbsNACLUnrestrictedIngress.py
│   │   │   │   │   ├── AbsSecurityGroupUnrestrictedEgress.py
│   │   │   │   │   ├── AbsSecurityGroupUnrestrictedIngress.py
│   │   │   │   │   ├── AppFlowConnectorProfileUsesCMK.py
│   │   │   │   │   ├── AppFlowUsesCMK.py
│   │   │   │   │   ├── AppSyncFieldLevelLogs.py
│   │   │   │   │   ├── AppSyncLogging.py
│   │   │   │   │   ├── AppsyncAPICacheEncryptionAtRest.py
│   │   │   │   │   ├── AppsyncAPICacheEncryptionInTransit.py
│   │   │   │   │   ├── AthenaDatabaseEncryption.py
│   │   │   │   │   ├── AthenaWorkgroupConfiguration.py
│   │   │   │   │   ├── AthenaWorkgroupEncryption.py
│   │   │   │   │   ├── AuroraEncryption.py
│   │   │   │   │   ├── AutoScalingGroupWithPublicAccess.py
│   │   │   │   │   ├── AutoScalingLaunchTemplate.py
│   │   │   │   │   ├── AutoScalingTagging.py
│   │   │   │   │   ├── BackupVaultEncrypted.py
│   │   │   │   │   ├── BatchJobIsNotPrivileged.py
│   │   │   │   │   ├── BedrockAgentEncrypted.py
│   │   │   │   │   ├── BedrockGuardrails.py
│   │   │   │   │   ├── CloudFrontGeoRestrictionDisabled.py
│   │   │   │   │   ├── CloudFrontResponseHeaderStrictTransportSecurity.py
│   │   │   │   │   ├── CloudWatchAlarmsEnabled.py
│   │   │   │   │   ├── CloudWatchLogGroupKMSKey.py
│   │   │   │   │   ├── CloudWatchLogGroupRetention.py
│   │   │   │   │   ├── CloudWatchLogGroupRetentionYear.py
│   │   │   │   │   ├── CloudformationStackNotificationArns.py
│   │   │   │   │   ├── CloudfrontDistributionDefaultRoot.py
│   │   │   │   │   ├── CloudfrontDistributionEnabled.py
│   │   │   │   │   ├── CloudfrontDistributionEncryption.py
│   │   │   │   │   ├── CloudfrontDistributionLogging.py
│   │   │   │   │   ├── CloudfrontDistributionOriginFailover.py
│   │   │   │   │   ├── CloudfrontTLS12.py
│   │   │   │   │   ├── CloudsearchDomainEnforceHttps.py
│   │   │   │   │   ├── CloudsearchDomainTLS.py
│   │   │   │   │   ├── CloudtrailDefinesSNSTopic.py
│   │   │   │   │   ├── CloudtrailEnableLogging.py
│   │   │   │   │   ├── CloudtrailEncryptionWithCMK.py
│   │   │   │   │   ├── CloudtrailEventDataStoreUsesCMK.py
│   │   │   │   │   ├── CloudtrailLogValidation.py
│   │   │   │   │   ├── CloudtrailMultiRegion.py
│   │   │   │   │   ├── CodeArtifactDomainEncryptedWithCMK.py
│   │   │   │   │   ├── CodeBuildPrivilegedMode.py
│   │   │   │   │   ├── CodeBuildProjectEncryption.py
│   │   │   │   │   ├── CodePipelineArtifactsEncrypted.py
│   │   │   │   │   ├── CodebuildHasLogs.py
│   │   │   │   │   ├── CodebuildS3LogsEncrypted.py
│   │   │   │   │   ├── CodebuildUsesCMK.py
│   │   │   │   │   ├── CodecommitApprovalsRulesRequireMin2.py
│   │   │   │   │   ├── CognitoUnauthenticatedIdentities.py
│   │   │   │   │   ├── ComprehendEntityRecognizerModelUsesCMK.py
│   │   │   │   │   ├── ComprehendEntityRecognizerVolumeUsesCMK.py
│   │   │   │   │   ├── ConfigConfgurationAggregatorAllRegions.py
│   │   │   │   │   ├── ConnectInstanceKinesisVideoStreamStorageConfigUsesCMK.py
│   │   │   │   │   ├── ConnectInstanceS3StorageConfigUsesCMK.py
│   │   │   │   │   ├── DAXEncryption.py
│   │   │   │   │   ├── DAXEndpointTLS.py
│   │   │   │   │   ├── DBInstanceBackupRetentionPeriod.py
│   │   │   │   │   ├── DBInstanceLogging.py
│   │   │   │   │   ├── DBInstanceMinorUpgrade.py
│   │   │   │   │   ├── DBSnapshotCopyUsesCMK.py
│   │   │   │   │   ├── DBSnapshotsArePrivate.py
│   │   │   │   │   ├── DLMEventsCrossRegionEncryption.py
│   │   │   │   │   ├── DLMEventsCrossRegionEncryptionWithCMK.py
│   │   │   │   │   ├── DLMScheduleCrossRegionEncryption.py
│   │   │   │   │   ├── DLMScheduleCrossRegionEncryptionWithCMK.py
│   │   │   │   │   ├── DMSEndpointUsesCMK.py
│   │   │   │   │   ├── DMSReplicationInstanceEncryptedWithCMK.py
│   │   │   │   │   ├── DMSReplicationInstanceMinorUpgrade.py
│   │   │   │   │   ├── DMSReplicationInstancePubliclyAccessible.py
│   │   │   │   │   ├── DMSS3UsesCMK.py
│   │   │   │   │   ├── DatasyncLocationExposesSecrets.py
│   │   │   │   │   ├── DeprecatedLambdaRuntime.py
│   │   │   │   │   ├── DocDBAuditLogs.py
│   │   │   │   │   ├── DocDBBackupRetention.py
│   │   │   │   │   ├── DocDBEncryptedWithCMK.py
│   │   │   │   │   ├── DocDBEncryption.py
│   │   │   │   │   ├── DocDBGlobalClusterEncryption.py
│   │   │   │   │   ├── DocDBLogging.py
│   │   │   │   │   ├── DocDBTLS.py
│   │   │   │   │   ├── DynamoDBGlobalTableRecovery.py
│   │   │   │   │   ├── DynamoDBTableReplicaKMSUsesCMK.py
│   │   │   │   │   ├── DynamoDBTablesEncrypted.py
│   │   │   │   │   ├── DynamodbRecovery.py
│   │   │   │   │   ├── EBSDefaultEncryption.py
│   │   │   │   │   ├── EBSEncryption.py
│   │   │   │   │   ├── EBSSnapshotCopyEncryptedWithCMK.py
│   │   │   │   │   ├── EBSVolumeEncryptedWithCMK.py
│   │   │   │   │   ├── EC2Credentials.py
│   │   │   │   │   ├── EC2DetailedMonitoringEnabled.py
│   │   │   │   │   ├── EC2EBSOptimized.py
│   │   │   │   │   ├── EC2PublicIP.py
│   │   │   │   │   ├── ECRImageScanning.py
│   │   │   │   │   ├── ECRImmutableTags.py
│   │   │   │   │   ├── ECRPolicy.py
│   │   │   │   │   ├── ECRRepositoryEncrypted.py
│   │   │   │   │   ├── ECSClusterContainerInsights.py
│   │   │   │   │   ├── ECSClusterLoggingEnabled.py
│   │   │   │   │   ├── ECSClusterLoggingEncryptedWithCMK.py
│   │   │   │   │   ├── ECSContainerHostProcess.py
│   │   │   │   │   ├── ECSContainerPrivilege.py
│   │   │   │   │   ├── ECSContainerReadOnlyRoot.py
│   │   │   │   │   ├── ECSServiceFargateLatest.py
│   │   │   │   │   ├── ECSServicePublicIP.py
│   │   │   │   │   ├── ECSTaskDefinitionEFSVolumeEncryption.py
│   │   │   │   │   ├── ECSTaskDefinitionRoleCheck.py
│   │   │   │   │   ├── EFSAccessPointRoot.py
│   │   │   │   │   ├── EFSAccessUserIdentity.py
│   │   │   │   │   ├── EFSEncryptionEnabled.py
│   │   │   │   │   ├── EFSFileSystemEncryptedWithCMK.py
│   │   │   │   │   ├── EKSControlPlaneLogging.py
│   │   │   │   │   ├── EKSNodeGroupRemoteAccess.py
│   │   │   │   │   ├── EKSPlatformVersion.py
│   │   │   │   │   ├── EKSPublicAccess.py
│   │   │   │   │   ├── EKSPublicAccessCIDR.py
│   │   │   │   │   ├── EKSSecretsEncryption.py
│   │   │   │   │   ├── ELBAccessLogs.py
│   │   │   │   │   ├── ELBCrossZoneEnable.py
│   │   │   │   │   ├── ELBPolicyUsesSecureProtocols.py
│   │   │   │   │   ├── ELBUsesSSL.py
│   │   │   │   │   ├── ELBv2AccessLogs.py
│   │   │   │   │   ├── ELBwListenerNotTLSSSL.py
│   │   │   │   │   ├── EMRClusterConfEncryptsEBS.py
│   │   │   │   │   ├── EMRClusterConfEncryptsInTransit.py
│   │   │   │   │   ├── EMRClusterConfEncryptsLocalDisk.py
│   │   │   │   │   ├── EMRClusterIsEncryptedKMS.py
│   │   │   │   │   ├── EMRClusterKerberosAttributes.py
│   │   │   │   │   ├── EMRPubliclyAccessible.py
│   │   │   │   │   ├── Ec2TransitGatewayAutoAccept.py
│   │   │   │   │   ├── ElastiCacheHasCustomSubnet.py
│   │   │   │   │   ├── ElasticBeanstalkUseEnhancedHealthChecks.py
│   │   │   │   │   ├── ElasticBeanstalkUseManagedUpdates.py
│   │   │   │   │   ├── ElasticCacheAutomaticBackup.py
│   │   │   │   │   ├── ElasticCacheAutomaticMinorUpgrades.py
│   │   │   │   │   ├── ElasticacheHasSecurityGroup.py
│   │   │   │   │   ├── ElasticacheReplicationGroupEncryptedWithCMK.py
│   │   │   │   │   ├── ElasticacheReplicationGroupEncryptionAtRest.py
│   │   │   │   │   ├── ElasticacheReplicationGroupEncryptionAtTransit.py
│   │   │   │   │   ├── ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py
│   │   │   │   │   ├── ElasticsearchDefaultSG.py
│   │   │   │   │   ├── ElasticsearchDomainAuditLogging.py
│   │   │   │   │   ├── ElasticsearchDomainEnforceHTTPS.py
│   │   │   │   │   ├── ElasticsearchDomainHA.py
│   │   │   │   │   ├── ElasticsearchDomainLogging.py
│   │   │   │   │   ├── ElasticsearchEncryption.py
│   │   │   │   │   ├── ElasticsearchEncryptionWithCMK.py
│   │   │   │   │   ├── ElasticsearchInVPC.py
│   │   │   │   │   ├── ElasticsearchNodeToNodeEncryption.py
│   │   │   │   │   ├── ElasticsearchTLSPolicy.py
│   │   │   │   │   ├── FSXOntapFSEncryptedWithCMK.py
│   │   │   │   │   ├── FSXOpenZFSFileSystemEncryptedWithCMK.py
│   │   │   │   │   ├── FSXWindowsFSEncryptedWithCMK.py
│   │   │   │   │   ├── GlacierVaultAnyPrincipal.py
│   │   │   │   │   ├── GlobalAcceleratorAcceleratorFlowLogs.py
│   │   │   │   │   ├── GlueDataCatalogEncryption.py
│   │   │   │   │   ├── GlueSecurityConfiguration.py
│   │   │   │   │   ├── GlueSecurityConfigurationEnabled.py
│   │   │   │   │   ├── GuarddutyDetectorEnabled.py
│   │   │   │   │   ├── IAMAdminPolicyDocument.py
│   │   │   │   │   ├── IAMCredentialsExposure.py
│   │   │   │   │   ├── IAMDataExfiltration.py
│   │   │   │   │   ├── IAMManagedAdminPolicy.py
│   │   │   │   │   ├── IAMPermissionsManagement.py
│   │   │   │   │   ├── IAMPolicyAttachedToGroupOrRoles.py
│   │   │   │   │   ├── IAMPrivilegeEscalation.py
│   │   │   │   │   ├── IAMRoleAllowAssumeFromAccount.py
│   │   │   │   │   ├── IAMRoleAllowsPublicAssume.py
│   │   │   │   │   ├── IAMStarActionPolicyDocument.py
│   │   │   │   │   ├── IAMStarResourcePolicyDocument.py
│   │   │   │   │   ├── IAMUserNotUsedForAccess.py
│   │   │   │   │   ├── IAMUserRootAccessKeys.py
│   │   │   │   │   ├── IAMWriteAccess.py
│   │   │   │   │   ├── IMDSv1Disabled.py
│   │   │   │   │   ├── ImagebuilderComponentEncryptedWithCMK.py
│   │   │   │   │   ├── ImagebuilderDistributionConfigurationEncryptedWithCMK.py
│   │   │   │   │   ├── ImagebuilderImageRecipeEBSEncrypted.py
│   │   │   │   │   ├── KMSKeyIsEnabled.py
│   │   │   │   │   ├── KMSKeyWildcardPrincipal.py
│   │   │   │   │   ├── KMSRotation.py
│   │   │   │   │   ├── KendraIndexSSEUsesCMK.py
│   │   │   │   │   ├── KeyspacesTableUsesCMK.py
│   │   │   │   │   ├── KinesisFirehoseDeliveryStreamSSE.py
│   │   │   │   │   ├── KinesisFirehoseDeliveryStreamUsesCMK.py
│   │   │   │   │   ├── KinesisStreamEncryptedWithCMK.py
│   │   │   │   │   ├── KinesisStreamEncryptionType.py
│   │   │   │   │   ├── KinesisVideoEncryptedWithCMK.py
│   │   │   │   │   ├── LBCrossZone.py
│   │   │   │   │   ├── LBDeletionProtection.py
│   │   │   │   │   ├── LBTargetGroupsDefinesHealthcheck.py
│   │   │   │   │   ├── LambdaCodeSigningConfigured.py
│   │   │   │   │   ├── LambdaDLQConfigured.py
│   │   │   │   │   ├── LambdaEnvironmentCredentials.py
│   │   │   │   │   ├── LambdaEnvironmentEncryptionSettings.py
│   │   │   │   │   ├── LambdaFunctionIsNotPublic.py
│   │   │   │   │   ├── LambdaFunctionLevelConcurrentExecutionLimit.py
│   │   │   │   │   ├── LambdaFunctionURLAuth.py
│   │   │   │   │   ├── LambdaInVPC.py
│   │   │   │   │   ├── LambdaServicePermission.py
│   │   │   │   │   ├── LambdaXrayEnabled.py
│   │   │   │   │   ├── LaunchConfigurationEBSEncryption.py
│   │   │   │   │   ├── LaunchTemplateMetadataHop.py
│   │   │   │   │   ├── LustreFSEncryptedWithCMK.py
│   │   │   │   │   ├── MQBrokerAuditLogging.py
│   │   │   │   │   ├── MQBrokerEncryptedWithCMK.py
│   │   │   │   │   ├── MQBrokerLogging.py
│   │   │   │   │   ├── MQBrokerMinorAutoUpgrade.py
│   │   │   │   │   ├── MQBrokerNotPubliclyExposed.py
│   │   │   │   │   ├── MQBrokerVersion.py
│   │   │   │   │   ├── MSKClusterEncryption.py
│   │   │   │   │   ├── MSKClusterLogging.py
│   │   │   │   │   ├── MSKClusterNodesArePrivate.py
│   │   │   │   │   ├── MWAASchedulerLogsEnabled.py
│   │   │   │   │   ├── MWAAWebserverLogsEnabled.py
│   │   │   │   │   ├── MWAAWorkerLogsEnabled.py
│   │   │   │   │   ├── MemoryDBClusterIntransitEncryption.py
│   │   │   │   │   ├── MemoryDBEncryptionWithCMK.py
│   │   │   │   │   ├── MemoryDBSnapshotEncryptionWithCMK.py
│   │   │   │   │   ├── NeptuneClusterBackupRetention.py
│   │   │   │   │   ├── NeptuneClusterEncryptedWithCMK.py
│   │   │   │   │   ├── NeptuneClusterInstancePublic.py
│   │   │   │   │   ├── NeptuneClusterLogging.py
│   │   │   │   │   ├── NeptuneClusterSnapshotEncrypted.py
│   │   │   │   │   ├── NeptuneClusterSnapshotEncryptedWithCMK.py
│   │   │   │   │   ├── NeptuneClusterStorageEncrypted.py
│   │   │   │   │   ├── NeptuneDBClustersCopyTagsToSnapshots.py
│   │   │   │   │   ├── NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py
│   │   │   │   │   ├── NetworkACLUnrestricted.py
│   │   │   │   │   ├── NetworkACLUnrestrictedIngress20.py
│   │   │   │   │   ├── NetworkACLUnrestrictedIngress21.py
│   │   │   │   │   ├── NetworkACLUnrestrictedIngress22.py
│   │   │   │   │   ├── NetworkACLUnrestrictedIngress3389.py
│   │   │   │   │   ├── NetworkFirewallDeletionProtection.py
│   │   │   │   │   ├── NetworkFirewallPolicyDefinesCMK.py
│   │   │   │   │   ├── NetworkFirewallUsesCMK.py
│   │   │   │   │   ├── PasswordPolicyExpiration.py
│   │   │   │   │   ├── PasswordPolicyLength.py
│   │   │   │   │   ├── PasswordPolicyLowercaseLetter.py
│   │   │   │   │   ├── PasswordPolicyNumber.py
│   │   │   │   │   ├── PasswordPolicyReuse.py
│   │   │   │   │   ├── PasswordPolicySymbol.py
│   │   │   │   │   ├── PasswordPolicyUppercaseLetter.py
│   │   │   │   │   ├── QLDBLedgerDeletionProtection.py
│   │   │   │   │   ├── QLDBLedgerPermissionsMode.py
│   │   │   │   │   ├── RDSCACertIsRecent.py
│   │   │   │   │   ├── RDSClusterActivityStreamEncryptedWithCMK.py
│   │   │   │   │   ├── RDSClusterAuditLogging.py
│   │   │   │   │   ├── RDSClusterAuroraBacktrack.py
│   │   │   │   │   ├── RDSClusterCopyTags.py
│   │   │   │   │   ├── RDSClusterEncrypted.py
│   │   │   │   │   ├── RDSClusterEncryptedWithCMK.py
│   │   │   │   │   ├── RDSClusterIAMAuthentication.py
│   │   │   │   │   ├── RDSClusterLogging.py
│   │   │   │   │   ├── RDSClusterSnapshotEncrypted.py
│   │   │   │   │   ├── RDSDeletionProtection.py
│   │   │   │   │   ├── RDSEncryption.py
│   │   │   │   │   ├── RDSEnhancedMonitorEnabled.py
│   │   │   │   │   ├── RDSHasSecurityGroup.py
│   │   │   │   │   ├── RDSIAMAuthentication.py
│   │   │   │   │   ├── RDSInstanceAutoBackupEncryptionWithCMK.py
│   │   │   │   │   ├── RDSInstanceDeletionProtection.py
│   │   │   │   │   ├── RDSInstancePerfInsightsEncryptionWithCMK.py
│   │   │   │   │   ├── RDSInstancePerformanceInsights.py
│   │   │   │   │   ├── RDSMultiAZEnabled.py
│   │   │   │   │   ├── RDSPostgreSQLLogFDWExtension.py
│   │   │   │   │   ├── RDSPubliclyAccessible.py
│   │   │   │   │   ├── RedShiftSSL.py
│   │   │   │   │   ├── RedshiftClusterAllowVersionUpgrade.py
│   │   │   │   │   ├── RedshiftClusterAutoSnap.py
│   │   │   │   │   ├── RedshiftClusterDatabaseName.py
│   │   │   │   │   ├── RedshiftClusterEncryption.py
│   │   │   │   │   ├── RedshiftClusterKMSKey.py
│   │   │   │   │   ├── RedshiftClusterLogging.py
│   │   │   │   │   ├── RedshiftClusterSnapshotCopyGrantEncryptedWithCMK.py
│   │   │   │   │   ├── RedshiftClusterUseEnhancedVPCRouting.py
│   │   │   │   │   ├── RedshiftClusterWithCommonUsernameAndPublicAccess.py
│   │   │   │   │   ├── RedshiftInEc2ClassicMode.py
│   │   │   │   │   ├── RedshiftServerlessNamespaceKMSKey.py
│   │   │   │   │   ├── RedshitClusterPubliclyAvailable.py
│   │   │   │   │   ├── Route53TransferLock.py
│   │   │   │   │   ├── S3AbortIncompleteUploads.py
│   │   │   │   │   ├── S3AccessPointPubliclyAccessible.py
│   │   │   │   │   ├── S3AllowsAnyPrincipal.py
│   │   │   │   │   ├── S3BlockPublicACLs.py
│   │   │   │   │   ├── S3BlockPublicPolicy.py
│   │   │   │   │   ├── S3BucketObjectEncryptedWithCMK.py
│   │   │   │   │   ├── S3BucketObjectLock.py
│   │   │   │   │   ├── S3GlobalViewACL.py
│   │   │   │   │   ├── S3IgnorePublicACLs.py
│   │   │   │   │   ├── S3ObjectCopyEncryptedWithCMK.py
│   │   │   │   │   ├── S3ProtectAgainstPolicyLockout.py
│   │   │   │   │   ├── S3RestrictPublicBuckets.py
│   │   │   │   │   ├── S3SecureDataTransport.py
│   │   │   │   │   ├── SNSCrossAccountAccess.py
│   │   │   │   │   ├── SNSTopicEncryption.py
│   │   │   │   │   ├── SNSTopicPolicyAnyPrincipal.py
│   │   │   │   │   ├── SQSOverlyPermissive.py
│   │   │   │   │   ├── SQSPolicy.py
│   │   │   │   │   ├── SQSQueueEncryption.py
│   │   │   │   │   ├── SQSQueuePolicyAnyPrincipal.py
│   │   │   │   │   ├── SSMDocumentsArePrivate.py
│   │   │   │   │   ├── SSMParameterUsesCMK.py
│   │   │   │   │   ├── SSMSessionManagerDocumentEncryption.py
│   │   │   │   │   ├── SSMSessionManagerDocumentLogging.py
│   │   │   │   │   ├── SageMakerInternetAccessDisabled.py
│   │   │   │   │   ├── SagemakerDataQualityJobDefinitionEncryption.py
│   │   │   │   │   ├── SagemakerDataQualityJobDefinitionTrafficEncryption.py
│   │   │   │   │   ├── SagemakerDataQualityJobDefinitionVolumeEncryption.py
│   │   │   │   │   ├── SagemakerDomainEncryptedWithCMK.py
│   │   │   │   │   ├── SagemakerEndpointConfigurationEncryption.py
│   │   │   │   │   ├── SagemakerFlowDefinitionUsesKMS.py
│   │   │   │   │   ├── SagemakerModelWithNetworkIsolation.py
│   │   │   │   │   ├── SagemakerNotebookEncryption.py
│   │   │   │   │   ├── SagemakerNotebookInCustomVPC.py
│   │   │   │   │   ├── SagemakerNotebookInstanceAllowsIMDSv2.py
│   │   │   │   │   ├── SagemakerNotebookRoot.py
│   │   │   │   │   ├── SchedulerScheduleUsesCMK.py
│   │   │   │   │   ├── SecretManagerSecret90days.py
│   │   │   │   │   ├── SecretManagerSecretEncrypted.py
│   │   │   │   │   ├── SecurityGroupRuleDescription.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedEgressAny.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedIngress22.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedIngress3389.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedIngress80.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedIngressAny.py
│   │   │   │   │   ├── SesConfigurationSetDefinesTLS.py
│   │   │   │   │   ├── StateMachineLoggingExecutionHistory.py
│   │   │   │   │   ├── StateMachineXray.py
│   │   │   │   │   ├── SubnetPublicIP.py
│   │   │   │   │   ├── TimestreamDatabaseKMSKey.py
│   │   │   │   │   ├── TransferServerAllowsOnlySecureProtocols.py
│   │   │   │   │   ├── TransferServerIsPublic.py
│   │   │   │   │   ├── TransferServerLatestPolicy.py
│   │   │   │   │   ├── UnpatchedAuroraPostgresDB.py
│   │   │   │   │   ├── VPCDefaultNetwork.py
│   │   │   │   │   ├── VPCEndpointAcceptanceConfigured.py
│   │   │   │   │   ├── WAFACLCVE202144228.py
│   │   │   │   │   ├── WAFEnabled.py
│   │   │   │   │   ├── WAFHasAnyRules.py
│   │   │   │   │   ├── WAFHasLogs.py
│   │   │   │   │   ├── WAFRuleHasAnyActions.py
│   │   │   │   │   ├── WorkspaceRootVolumeEncrypted.py
│   │   │   │   │   ├── WorkspaceUserVolumeEncrypted.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── azure/
│   │   │   │   │   ├── ACRAdminAccountDisabled.py
│   │   │   │   │   ├── ACRAnonymousPullDisabled.py
│   │   │   │   │   ├── ACRContainerScanEnabled.py
│   │   │   │   │   ├── ACRDedicatedDataEndpointEnabled.py
│   │   │   │   │   ├── ACREnableImageQuarantine.py
│   │   │   │   │   ├── ACREnableRetentionPolicy.py
│   │   │   │   │   ├── ACREnableZoneRedundancy.py
│   │   │   │   │   ├── ACRGeoreplicated.py
│   │   │   │   │   ├── ACRPublicNetworkAccessDisabled.py
│   │   │   │   │   ├── ACRUseSignedImages.py
│   │   │   │   │   ├── AKSApiServerAuthorizedIpRanges.py
│   │   │   │   │   ├── AKSDashboardDisabled.py
│   │   │   │   │   ├── AKSEnablesPrivateClusters.py
│   │   │   │   │   ├── AKSEncryptionAtHostEnabled.py
│   │   │   │   │   ├── AKSEphemeralOSDisks.py
│   │   │   │   │   ├── AKSIsPaidSku.py
│   │   │   │   │   ├── AKSLocalAdminDisabled.py
│   │   │   │   │   ├── AKSLoggingEnabled.py
│   │   │   │   │   ├── AKSMaxPodsMinimum.py
│   │   │   │   │   ├── AKSNetworkPolicy.py
│   │   │   │   │   ├── AKSNodePublicIpDisabled.py
│   │   │   │   │   ├── AKSOnlyCriticalPodsOnSystemNodes.py
│   │   │   │   │   ├── AKSPoolTypeIsScaleSet.py
│   │   │   │   │   ├── AKSRbacEnabled.py
│   │   │   │   │   ├── AKSSecretStoreRotation.py
│   │   │   │   │   ├── AKSUpgradeChannel.py
│   │   │   │   │   ├── AKSUsesAzurePoliciesAddon.py
│   │   │   │   │   ├── AKSUsesDiskEncryptionSet.py
│   │   │   │   │   ├── APIManagementBackendHTTPS.py
│   │   │   │   │   ├── APIManagementCertsEnforced.py
│   │   │   │   │   ├── APIManagementMinTLS12.py
│   │   │   │   │   ├── APIManagementPublicAccess.py
│   │   │   │   │   ├── APIServicesUseVirtualNetwork.py
│   │   │   │   │   ├── ActiveDirectoryUsedAuthenticationServiceFabric.py
│   │   │   │   │   ├── AppConfigEncryption.py
│   │   │   │   │   ├── AppConfigLocalAuth.py
│   │   │   │   │   ├── AppConfigPublicAccess.py
│   │   │   │   │   ├── AppConfigPurgeProtection.py
│   │   │   │   │   ├── AppConfigSku.py
│   │   │   │   │   ├── AppGWDefinesSecureProtocols.py
│   │   │   │   │   ├── AppGWUseWAFMode.py
│   │   │   │   │   ├── AppGWUsesHttps.py
│   │   │   │   │   ├── AppGatewayWAFACLCVE202144228.py
│   │   │   │   │   ├── AppServiceAlwaysOn.py
│   │   │   │   │   ├── AppServiceAuthentication.py
│   │   │   │   │   ├── AppServiceClientCertificate.py
│   │   │   │   │   ├── AppServiceDetailedErrorMessagesEnabled.py
│   │   │   │   │   ├── AppServiceDisallowCORS.py
│   │   │   │   │   ├── AppServiceDotnetFrameworkVersion.py
│   │   │   │   │   ├── AppServiceEnableFailedRequest.py
│   │   │   │   │   ├── AppServiceEnvironmentZoneRedundant.py
│   │   │   │   │   ├── AppServiceFTPSState.py
│   │   │   │   │   ├── AppServiceHTTPSOnly.py
│   │   │   │   │   ├── AppServiceHttpLoggingEnabled.py
│   │   │   │   │   ├── AppServiceHttps20Enabled.py
│   │   │   │   │   ├── AppServiceIdentity.py
│   │   │   │   │   ├── AppServiceIdentityProviderEnabled.py
│   │   │   │   │   ├── AppServiceInstanceMinimum.py
│   │   │   │   │   ├── AppServiceJavaVersion.py
│   │   │   │   │   ├── AppServiceMinTLSVersion.py
│   │   │   │   │   ├── AppServicePHPVersion.py
│   │   │   │   │   ├── AppServicePlanZoneRedundant.py
│   │   │   │   │   ├── AppServicePublicAccessDisabled.py
│   │   │   │   │   ├── AppServicePythonVersion.py
│   │   │   │   │   ├── AppServiceRemoteDebuggingNotEnabled.py
│   │   │   │   │   ├── AppServiceSetHealthCheck.py
│   │   │   │   │   ├── AppServiceSkuMinimum.py
│   │   │   │   │   ├── AppServiceSlotDebugDisabled.py
│   │   │   │   │   ├── AppServiceSlotHTTPSOnly.py
│   │   │   │   │   ├── AppServiceSlotMinTLS.py
│   │   │   │   │   ├── AppServiceUsedAzureFiles.py
│   │   │   │   │   ├── AutomationEncrypted.py
│   │   │   │   │   ├── AzureBatchAccountEndpointAccessDefaultAction.py
│   │   │   │   │   ├── AzureBatchAccountUsesKeyVaultEncryption.py
│   │   │   │   │   ├── AzureContainerGroupDeployedIntoVirtualNetwork.py
│   │   │   │   │   ├── AzureContainerInstanceEnvVarSecureValueType.py
│   │   │   │   │   ├── AzureContainerInstancePublicIPAddressType.py
│   │   │   │   │   ├── AzureDataExplorerDoubleEncryptionEnabled.py
│   │   │   │   │   ├── AzureDefenderDisabledForResManager.py
│   │   │   │   │   ├── AzureDefenderOnAppServices.py
│   │   │   │   │   ├── AzureDefenderOnContainerRegistry.py
│   │   │   │   │   ├── AzureDefenderOnKeyVaults.py
│   │   │   │   │   ├── AzureDefenderOnKubernetes.py
│   │   │   │   │   ├── AzureDefenderOnServers.py
│   │   │   │   │   ├── AzureDefenderOnSqlServerVMS.py
│   │   │   │   │   ├── AzureDefenderOnSqlServers.py
│   │   │   │   │   ├── AzureDefenderOnStorage.py
│   │   │   │   │   ├── AzureFirewallDefinesPolicy.py
│   │   │   │   │   ├── AzureFirewallDenyThreatIntelMode.py
│   │   │   │   │   ├── AzureFirewallPolicyIDPSDeny.py
│   │   │   │   │   ├── AzureFrontDoorEnablesWAF.py
│   │   │   │   │   ├── AzureInstanceExtensions.py
│   │   │   │   │   ├── AzureInstancePassword.py
│   │   │   │   │   ├── AzureManagedDiskEncryption.py
│   │   │   │   │   ├── AzureManagedDiskEncryptionSet.py
│   │   │   │   │   ├── AzureScaleSetPassword.py
│   │   │   │   │   ├── AzureSearchAllowedIPsNotGlobal.py
│   │   │   │   │   ├── AzureSearchManagedIdentity.py
│   │   │   │   │   ├── AzureSearchPublicNetworkAccessDisabled.py
│   │   │   │   │   ├── AzureSearchSLAIndex.py
│   │   │   │   │   ├── AzureSearchSLAQueryUpdates.py
│   │   │   │   │   ├── AzureServiceFabricClusterProtectionLevel.py
│   │   │   │   │   ├── AzureServicebusDoubleEncryptionEnabled.py
│   │   │   │   │   ├── AzureServicebusHasCMK.py
│   │   │   │   │   ├── AzureServicebusIdentityProviderEnabled.py
│   │   │   │   │   ├── AzureServicebusLocalAuthDisabled.py
│   │   │   │   │   ├── AzureServicebusMinTLSVersion.py
│   │   │   │   │   ├── AzureServicebusPublicAccessDisabled.py
│   │   │   │   │   ├── AzureSparkPoolIsolatedComputeEnabled.py
│   │   │   │   │   ├── CDNDisableHttpEndpoints.py
│   │   │   │   │   ├── CDNEnableHttpsEndpoints.py
│   │   │   │   │   ├── CDNTLSProtocol12.py
│   │   │   │   │   ├── CognitiveServicesConfigureIdentity.py
│   │   │   │   │   ├── CognitiveServicesDisablesPublicNetwork.py
│   │   │   │   │   ├── CognitiveServicesEnableLocalAuth.py
│   │   │   │   │   ├── CosmosDBAccountsRestrictedAccess.py
│   │   │   │   │   ├── CosmosDBDisableAccessKeyWrite.py
│   │   │   │   │   ├── CosmosDBDisablesPublicNetwork.py
│   │   │   │   │   ├── CosmosDBHaveCMK.py
│   │   │   │   │   ├── CosmosDBLocalAuthDisabled.py
│   │   │   │   │   ├── CutsomRoleDefinitionSubscriptionOwner.py
│   │   │   │   │   ├── DataExplorerSKUHasSLA.py
│   │   │   │   │   ├── DataExplorerServiceIdentity.py
│   │   │   │   │   ├── DataExplorerUsesDiskEncryption.py
│   │   │   │   │   ├── DataFactoryNoPublicNetworkAccess.py
│   │   │   │   │   ├── DataFactoryUsesGitRepository.py
│   │   │   │   │   ├── DataLakeStoreEncryption.py
│   │   │   │   │   ├── DatabricksWorkspaceIsNotPublic.py
│   │   │   │   │   ├── EventHubNamespaceMinTLS12.py
│   │   │   │   │   ├── EventHubNamespaceZoneRedundant.py
│   │   │   │   │   ├── EventgridDomainIdentityProviderEnabled.py
│   │   │   │   │   ├── EventgridDomainLocalAuthentication.py
│   │   │   │   │   ├── EventgridDomainNetworkAccess.py
│   │   │   │   │   ├── EventgridTopicIdentityProviderEnabled.py
│   │   │   │   │   ├── EventgridTopicLocalAuthentication.py
│   │   │   │   │   ├── EventgridTopicNetworkAccess.py
│   │   │   │   │   ├── FrontDoorWAFACLCVE202144228.py
│   │   │   │   │   ├── FrontdoorUseWAFMode.py
│   │   │   │   │   ├── FunctionAppDisallowCORS.py
│   │   │   │   │   ├── FunctionAppEnableLogging.py
│   │   │   │   │   ├── FunctionAppHttpVersionLatest.py
│   │   │   │   │   ├── FunctionAppMinTLSVersion.py
│   │   │   │   │   ├── FunctionAppPublicAccessDisabled.py
│   │   │   │   │   ├── FunctionAppsAccessibleOverHttps.py
│   │   │   │   │   ├── FunctionAppsEnableAuthentication.py
│   │   │   │   │   ├── GithubActionsOIDCTrustPolicy.py
│   │   │   │   │   ├── IoTNoPublicNetworkAccess.py
│   │   │   │   │   ├── KeyBackedByHSM.py
│   │   │   │   │   ├── KeyExpirationDate.py
│   │   │   │   │   ├── KeyVaultDisablesPublicNetworkAccess.py
│   │   │   │   │   ├── KeyVaultEnablesFirewallRulesSettings.py
│   │   │   │   │   ├── KeyVaultEnablesPurgeProtection.py
│   │   │   │   │   ├── KeyVaultEnablesSoftDelete.py
│   │   │   │   │   ├── KeyvaultRecoveryEnabled.py
│   │   │   │   │   ├── KubernetesClusterHTTPApplicationRouting.py
│   │   │   │   │   ├── LinuxVMUsesSSH.py
│   │   │   │   │   ├── MLCCLADisabled.py
│   │   │   │   │   ├── MLComputeClusterMinNodes.py
│   │   │   │   │   ├── MLPublicAccess.py
│   │   │   │   │   ├── MSSQLServerAuditPolicyLogMonitor.py
│   │   │   │   │   ├── MSSQLServerMinTLSVersion.py
│   │   │   │   │   ├── MariaDBGeoBackupEnabled.py
│   │   │   │   │   ├── MariaDBPublicAccessDisabled.py
│   │   │   │   │   ├── MariaDBSSLEnforcementEnabled.py
│   │   │   │   │   ├── MonitorLogProfileCategories.py
│   │   │   │   │   ├── MonitorLogProfileRetentionDays.py
│   │   │   │   │   ├── MySQLEncryptionEnabled.py
│   │   │   │   │   ├── MySQLGeoBackupEnabled.py
│   │   │   │   │   ├── MySQLPublicAccessDisabled.py
│   │   │   │   │   ├── MySQLServerMinTLSVersion.py
│   │   │   │   │   ├── MySQLServerSSLEnforcementEnabled.py
│   │   │   │   │   ├── MySQLTreatDetectionEnabled.py
│   │   │   │   │   ├── NSGRuleHTTPAccessRestricted.py
│   │   │   │   │   ├── NSGRulePortAccessRestricted.py
│   │   │   │   │   ├── NSGRuleRDPAccessRestricted.py
│   │   │   │   │   ├── NSGRuleSSHAccessRestricted.py
│   │   │   │   │   ├── NSGRuleUDPAccessRestricted.py
│   │   │   │   │   ├── NetworkInterfaceEnableIPForwarding.py
│   │   │   │   │   ├── NetworkWatcherFlowLogPeriod.py
│   │   │   │   │   ├── OpenAICognitiveServicesRestrictOutboundNetwork.py
│   │   │   │   │   ├── PostgreSQLEncryptionEnabled.py
│   │   │   │   │   ├── PostgreSQLFlexiServerGeoBackupEnabled.py
│   │   │   │   │   ├── PostgreSQLMinTLSVersion.py
│   │   │   │   │   ├── PostgreSQLServerConnectionThrottlingEnabled.py
│   │   │   │   │   ├── PostgreSQLServerLogCheckpointsEnabled.py
│   │   │   │   │   ├── PostgreSQLServerLogConnectionsEnabled.py
│   │   │   │   │   ├── PostgreSQLServerLogRetentionEnabled.py
│   │   │   │   │   ├── PostgreSQLServerPublicAccessDisabled.py
│   │   │   │   │   ├── PostgreSQLServerSSLEnforcementEnabled.py
│   │   │   │   │   ├── PostgresSQLTreatDetectionEnabled.py
│   │   │   │   │   ├── PostgressSQLGeoBackupEnabled.py
│   │   │   │   │   ├── PubsubSKUSLA.py
│   │   │   │   │   ├── PubsubSpecifyIdentity.py
│   │   │   │   │   ├── RedisCacheEnableNonSSLPort.py
│   │   │   │   │   ├── RedisCacheMinTLSVersion.py
│   │   │   │   │   ├── RedisCachePublicNetworkAccessEnabled.py
│   │   │   │   │   ├── RedisCacheStandardReplicationEnabled.py
│   │   │   │   │   ├── SQLDatabaseLedgerEnabled.py
│   │   │   │   │   ├── SQLDatabaseZoneRedundant.py
│   │   │   │   │   ├── SQLServerEmailAlertsEnabled.py
│   │   │   │   │   ├── SQLServerEmailAlertsToAdminsEnabled.py
│   │   │   │   │   ├── SQLServerNoPublicAccess.py
│   │   │   │   │   ├── SQLServerPublicAccessDisabled.py
│   │   │   │   │   ├── SQLServerThreatDetectionTypes.py
│   │   │   │   │   ├── SecretContentType.py
│   │   │   │   │   ├── SecretExpirationDate.py
│   │   │   │   │   ├── SecurityCenterContactEmailAlert.py
│   │   │   │   │   ├── SecurityCenterContactEmailAlertAdmins.py
│   │   │   │   │   ├── SecurityCenterContactEmails.py
│   │   │   │   │   ├── SecurityCenterContactPhone.py
│   │   │   │   │   ├── SecurityCenterStandardPricing.py
│   │   │   │   │   ├── SignalRSKUSLA.py
│   │   │   │   │   ├── SpringCloudAPIPortalHTTPSOnly.py
│   │   │   │   │   ├── SpringCloudAPIPortalPublicAccessIsDisabled.py
│   │   │   │   │   ├── StorageAccountAzureServicesAccessEnabled.py
│   │   │   │   │   ├── StorageAccountDefaultNetworkAccessDeny.py
│   │   │   │   │   ├── StorageAccountDisablePublicAccess.py
│   │   │   │   │   ├── StorageAccountLoggingQueueServiceEnabled.py
│   │   │   │   │   ├── StorageAccountMinimumTlsVersion.py
│   │   │   │   │   ├── StorageAccountName.py
│   │   │   │   │   ├── StorageAccountsTransportEncryption.py
│   │   │   │   │   ├── StorageAccountsUseReplication.py
│   │   │   │   │   ├── StorageBlobRestrictPublicAccess.py
│   │   │   │   │   ├── StorageBlobServiceContainerPrivateAccess.py
│   │   │   │   │   ├── StorageLocalUsers.py
│   │   │   │   │   ├── StorageSyncPublicAccessDisabled.py
│   │   │   │   │   ├── StorageSyncServicePermissiveAccess.py
│   │   │   │   │   ├── SynapseSQLPoolDataEncryption.py
│   │   │   │   │   ├── SynapseWorkspaceAdministratorLoginPasswordHidden.py
│   │   │   │   │   ├── SynapseWorkspaceCMKEncryption.py
│   │   │   │   │   ├── SynapseWorkspaceEnablesDataExfilProtection.py
│   │   │   │   │   ├── SynapseWorkspaceEnablesManagedVirtualNetworks.py
│   │   │   │   │   ├── VMAgentIsInstalled.py
│   │   │   │   │   ├── VMCredsInCustomData.py
│   │   │   │   │   ├── VMDisablePasswordAuthentication.py
│   │   │   │   │   ├── VMDiskWithPublicAccess.py
│   │   │   │   │   ├── VMEncryptionAtHostEnabled.py
│   │   │   │   │   ├── VMScaleSetsAutoOSImagePatchingEnabled.py
│   │   │   │   │   ├── VMStorageOsDisk.py
│   │   │   │   │   ├── VnetLocalDNS.py
│   │   │   │   │   ├── VnetSingleDNSServer.py
│   │   │   │   │   ├── WinVMAutomaticUpdates.py
│   │   │   │   │   ├── WinVMEncryptionAtHost.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── base_cloudsplaining_resource_iam_check.py
│   │   │   │   ├── base_registry.py
│   │   │   │   ├── base_resource_check.py
│   │   │   │   ├── base_resource_negative_value_check.py
│   │   │   │   ├── base_resource_value_check.py
│   │   │   │   ├── digitalocean/
│   │   │   │   │   ├── DropletSSHKeys.py
│   │   │   │   │   ├── FirewallIngressOpen.py
│   │   │   │   │   ├── SpacesBucketPublicRead.py
│   │   │   │   │   ├── SpacesBucketVersioning.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── gcp/
│   │   │   │   │   ├── AbsGoogleBasicRoles.py
│   │   │   │   │   ├── AbsGoogleComputeFirewallUnrestrictedIngress.py
│   │   │   │   │   ├── AbsGoogleIAMMemberDefaultServiceAccount.py
│   │   │   │   │   ├── AbsGoogleImpersonationRoles.py
│   │   │   │   │   ├── AbsGooglePostgresqlDatabaseFlags.py
│   │   │   │   │   ├── ArtifactRegistryPrivateRepo.py
│   │   │   │   │   ├── ArtifactRegsitryEncryptedWithCMK.py
│   │   │   │   │   ├── BigQueryDatasetEncryptedWithCMK.py
│   │   │   │   │   ├── BigQueryPrivateTable.py
│   │   │   │   │   ├── BigQueryTableDeletionProtection.py
│   │   │   │   │   ├── BigQueryTableEncryptedWithCMK.py
│   │   │   │   │   ├── BigTableInstanceDeletionProtection.py
│   │   │   │   │   ├── BigTableInstanceEncryptedWithCMK.py
│   │   │   │   │   ├── CloudArmorWAFACLCVE202144228.py
│   │   │   │   │   ├── CloudBuildWorkersArePrivate.py
│   │   │   │   │   ├── CloudFunctionPermissiveIngress.py
│   │   │   │   │   ├── CloudFunctionsShouldNotBePublic.py
│   │   │   │   │   ├── CloudPubSubEncryptedWithCMK.py
│   │   │   │   │   ├── CloudSqlMajorVersion.py
│   │   │   │   │   ├── CloudStorageLogging.py
│   │   │   │   │   ├── CloudStorageSelfLogging.py
│   │   │   │   │   ├── CloudStorageVersioningEnabled.py
│   │   │   │   │   ├── DataFusionPrivateInstance.py
│   │   │   │   │   ├── DataFusionStackdriverLogs.py
│   │   │   │   │   ├── DataFusionStackdriverMonitoring.py
│   │   │   │   │   ├── DataflowJobEncryptedWithCMK.py
│   │   │   │   │   ├── DataflowPrivateJob.py
│   │   │   │   │   ├── DataprocClusterEncryptedWithCMK.py
│   │   │   │   │   ├── DataprocPrivateCluster.py
│   │   │   │   │   ├── DataprocPublicIpCluster.py
│   │   │   │   │   ├── GCPCloudRunPrivateService.py
│   │   │   │   │   ├── GKEAliasIpEnabled.py
│   │   │   │   │   ├── GKEBinaryAuthorization.py
│   │   │   │   │   ├── GKEClientCertificateDisabled.py
│   │   │   │   │   ├── GKEClusterLogging.py
│   │   │   │   │   ├── GKEDisableLegacyAuth.py
│   │   │   │   │   ├── GKEDontUseNodePools.py
│   │   │   │   │   ├── GKEEnableShieldedNodes.py
│   │   │   │   │   ├── GKEEnableVPCFlowLogs.py
│   │   │   │   │   ├── GKEEnsureIntegrityMonitoring.py
│   │   │   │   │   ├── GKEHasLabels.py
│   │   │   │   │   ├── GKEKubernetesRBACGoogleGroups.py
│   │   │   │   │   ├── GKEMasterAuthorizedNetworksEnabled.py
│   │   │   │   │   ├── GKEMetadataServerIsEnabled.py
│   │   │   │   │   ├── GKEMonitoringEnabled.py
│   │   │   │   │   ├── GKENetworkPolicyEnabled.py
│   │   │   │   │   ├── GKENodePoolAutoRepairEnabled.py
│   │   │   │   │   ├── GKENodePoolAutoUpgradeEnabled.py
│   │   │   │   │   ├── GKEPodSecurityPolicyEnabled.py
│   │   │   │   │   ├── GKEPrivateClusterConfig.py
│   │   │   │   │   ├── GKEPrivateNodes.py
│   │   │   │   │   ├── GKEPublicControlPlane.py
│   │   │   │   │   ├── GKEReleaseChannel.py
│   │   │   │   │   ├── GKESecureBootforShieldedNodes.py
│   │   │   │   │   ├── GKEUseCosImage.py
│   │   │   │   │   ├── GithubActionsOIDCTrustPolicy.py
│   │   │   │   │   ├── GoogleBigQueryDatasetPublicACL.py
│   │   │   │   │   ├── GoogleCloudDNSKeySpecsRSASHA1.py
│   │   │   │   │   ├── GoogleCloudDNSSECEnabled.py
│   │   │   │   │   ├── GoogleCloudMySqlLocalInfileOff.py
│   │   │   │   │   ├── GoogleCloudPostgreSqlEnablePgaudit.py
│   │   │   │   │   ├── GoogleCloudPostgreSqlLogCheckpoints.py
│   │   │   │   │   ├── GoogleCloudPostgreSqlLogConnection.py
│   │   │   │   │   ├── GoogleCloudPostgreSqlLogDisconnection.py
│   │   │   │   │   ├── GoogleCloudPostgreSqlLogHostname.py
│   │   │   │   │   ├── GoogleCloudPostgreSqlLogLockWaits.py
│   │   │   │   │   ├── GoogleCloudPostgreSqlLogMinDuration.py
│   │   │   │   │   ├── GoogleCloudPostgreSqlLogMinErrorStatement.py
│   │   │   │   │   ├── GoogleCloudPostgreSqlLogMinMessage.py
│   │   │   │   │   ├── GoogleCloudPostgreSqlLogStatement.py
│   │   │   │   │   ├── GoogleCloudPostgreSqlLogTemp.py
│   │   │   │   │   ├── GoogleCloudSqlBackupConfiguration.py
│   │   │   │   │   ├── GoogleCloudSqlDatabasePubliclyAccessible.py
│   │   │   │   │   ├── GoogleCloudSqlDatabaseRequireSsl.py
│   │   │   │   │   ├── GoogleCloudSqlServerContainedDBAuthentication.py
│   │   │   │   │   ├── GoogleCloudSqlServerCrossDBOwnershipChaining.py
│   │   │   │   │   ├── GoogleCloudSqlServerNoPublicIP.py
│   │   │   │   │   ├── GoogleComputeBlockProjectSSH.py
│   │   │   │   │   ├── GoogleComputeBootDiskEncryption.py
│   │   │   │   │   ├── GoogleComputeDefaultServiceAccount.py
│   │   │   │   │   ├── GoogleComputeDefaultServiceAccountFullAccess.py
│   │   │   │   │   ├── GoogleComputeDiskEncryption.py
│   │   │   │   │   ├── GoogleComputeExternalIP.py
│   │   │   │   │   ├── GoogleComputeFirewallUnrestrictedIngress20.py
│   │   │   │   │   ├── GoogleComputeFirewallUnrestrictedIngress21.py
│   │   │   │   │   ├── GoogleComputeFirewallUnrestrictedIngress22.py
│   │   │   │   │   ├── GoogleComputeFirewallUnrestrictedIngress3306.py
│   │   │   │   │   ├── GoogleComputeFirewallUnrestrictedIngress3389.py
│   │   │   │   │   ├── GoogleComputeFirewallUnrestrictedIngress80.py
│   │   │   │   │   ├── GoogleComputeIPForward.py
│   │   │   │   │   ├── GoogleComputeInstanceOSLogin.py
│   │   │   │   │   ├── GoogleComputeProjectOSLogin.py
│   │   │   │   │   ├── GoogleComputeSSLPolicy.py
│   │   │   │   │   ├── GoogleComputeSerialPorts.py
│   │   │   │   │   ├── GoogleComputeShieldedVM.py
│   │   │   │   │   ├── GoogleFolderBasicRole.py
│   │   │   │   │   ├── GoogleFolderImpersonationRole.py
│   │   │   │   │   ├── GoogleFolderMemberDefaultServiceAccount.py
│   │   │   │   │   ├── GoogleIAMWorkloadIdentityConditional.py
│   │   │   │   │   ├── GoogleKMSKeyIsPublic.py
│   │   │   │   │   ├── GoogleKMSPreventDestroy.py
│   │   │   │   │   ├── GoogleKMSRotationPeriod.py
│   │   │   │   │   ├── GoogleOrgBasicRole.py
│   │   │   │   │   ├── GoogleOrgImpersonationRole.py
│   │   │   │   │   ├── GoogleOrgMemberDefaultServiceAccount.py
│   │   │   │   │   ├── GoogleProjectAdminServiceAccount.py
│   │   │   │   │   ├── GoogleProjectBasicRole.py
│   │   │   │   │   ├── GoogleProjectDefaultNetwork.py
│   │   │   │   │   ├── GoogleProjectImpersonationRole.py
│   │   │   │   │   ├── GoogleProjectMemberDefaultServiceAccount.py
│   │   │   │   │   ├── GoogleRoleServiceAccountUser.py
│   │   │   │   │   ├── GoogleStorageBucketNotPublic.py
│   │   │   │   │   ├── GoogleStorageBucketUniformAccess.py
│   │   │   │   │   ├── GoogleStoragePublicAccessPrevention.py
│   │   │   │   │   ├── GoogleSubnetworkIPV6PrivateGoogleEnabled.py
│   │   │   │   │   ├── GoogleSubnetworkLoggingEnabled.py
│   │   │   │   │   ├── GoogleSubnetworkPrivateGoogleEnabled.py
│   │   │   │   │   ├── GoogleVertexAINotebookShieldedVM.py
│   │   │   │   │   ├── MemorystoreForRedisAuthEnabled.py
│   │   │   │   │   ├── MemorystoreForRedisInTransitEncryption.py
│   │   │   │   │   ├── PubSubPrivateTopic.py
│   │   │   │   │   ├── SpannerDatabaseDeletionProtection.py
│   │   │   │   │   ├── SpannerDatabaseDropProtection.py
│   │   │   │   │   ├── SpannerDatabaseEncryptedWithCMK.py
│   │   │   │   │   ├── VertexAIDatasetEncryptedWithCMK.py
│   │   │   │   │   ├── VertexAIMetadataStoreEncryptedWithCMK.py
│   │   │   │   │   ├── VertexAINotebookEnsureIntegrityMonitoring.py
│   │   │   │   │   ├── VertexAIPrivateInstance.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── github/
│   │   │   │   │   ├── BranchProtectionRequireSignedCommits.py
│   │   │   │   │   ├── BranchProtectionReviewNumTwo.py
│   │   │   │   │   ├── PrivateRepo.py
│   │   │   │   │   ├── RepositoryEnableVulnerabilityAlerts.py
│   │   │   │   │   ├── SecretsEncrypted.py
│   │   │   │   │   ├── WebhookInsecureSsl.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── gitlab/
│   │   │   │   │   ├── ForcePushDisabled.py
│   │   │   │   │   ├── PreventSecretsEnabled.py
│   │   │   │   │   ├── RejectUnsignedCommits.py
│   │   │   │   │   ├── RequireTwoApprovalsToMerge.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── kubernetes/
│   │   │   │   │   ├── AllowPrivilegeEscalation.py
│   │   │   │   │   ├── AllowPrivilegeEscalationPSP.py
│   │   │   │   │   ├── AllowedCapabilities.py
│   │   │   │   │   ├── AllowedCapabilitiesPSP.py
│   │   │   │   │   ├── AllowedCapabilitiesSysAdmin.py
│   │   │   │   │   ├── CPULimits.py
│   │   │   │   │   ├── CPURequests.py
│   │   │   │   │   ├── ContainerSecurityContext.py
│   │   │   │   │   ├── DangerousGitSync.py
│   │   │   │   │   ├── DefaultNamespace.py
│   │   │   │   │   ├── DefaultServiceAccount.py
│   │   │   │   │   ├── DefaultServiceAccountBinding.py
│   │   │   │   │   ├── DockerSocketVolume.py
│   │   │   │   │   ├── DropCapabilities.py
│   │   │   │   │   ├── DropCapabilitiesPSP.py
│   │   │   │   │   ├── HostPort.py
│   │   │   │   │   ├── ImageDigest.py
│   │   │   │   │   ├── ImagePullPolicyAlways.py
│   │   │   │   │   ├── ImageTagFixed.py
│   │   │   │   │   ├── LivenessProbe.py
│   │   │   │   │   ├── MemoryLimits.py
│   │   │   │   │   ├── MemoryRequests.py
│   │   │   │   │   ├── MinimiseCapabilities.py
│   │   │   │   │   ├── MinimiseCapabilitiesPSP.py
│   │   │   │   │   ├── PodSecurityContext.py
│   │   │   │   │   ├── PrivilegedContainer.py
│   │   │   │   │   ├── PrivilegedContainerPSP.py
│   │   │   │   │   ├── ReadinessProbe.py
│   │   │   │   │   ├── ReadonlyRootFilesystem.py
│   │   │   │   │   ├── RootContainerPSP.py
│   │   │   │   │   ├── SeccompPSP.py
│   │   │   │   │   ├── Secrets.py
│   │   │   │   │   ├── ShareHostIPC.py
│   │   │   │   │   ├── ShareHostIPCPSP.py
│   │   │   │   │   ├── ShareHostPID.py
│   │   │   │   │   ├── ShareHostPIDPSP.py
│   │   │   │   │   ├── SharedHostNetworkNamespace.py
│   │   │   │   │   ├── SharedHostNetworkNamespacePSP.py
│   │   │   │   │   ├── Tiller.py
│   │   │   │   │   ├── TillerService.py
│   │   │   │   │   ├── WildcardRoles.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── linode/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   ├── authorized_keys.py
│   │   │   │   │   ├── firewall_inbound_policy.py
│   │   │   │   │   ├── firewall_outbound_policy.py
│   │   │   │   │   ├── user_email_set.py
│   │   │   │   │   └── user_username_set.py
│   │   │   │   ├── ncp/
│   │   │   │   │   ├── AccessControlGroupInboundRule.py
│   │   │   │   │   ├── AccessControlGroupInboundRulePort22.py
│   │   │   │   │   ├── AccessControlGroupInboundRulePort3389.py
│   │   │   │   │   ├── AccessControlGroupInboundRulePort80.py
│   │   │   │   │   ├── AccessControlGroupOutboundRule.py
│   │   │   │   │   ├── AccessControlGroupRuleDescription.py
│   │   │   │   │   ├── LBListenerUsesSecureProtocols.py
│   │   │   │   │   ├── LBListenerUsingHTTPS.py
│   │   │   │   │   ├── LBNetworkPrivate.py
│   │   │   │   │   ├── LBTargetGroupDefinesHealthCheck.py
│   │   │   │   │   ├── LBTargetGroupUsingHTTPS.py
│   │   │   │   │   ├── LaunchConfigurationEncryptionVPC.py
│   │   │   │   │   ├── NACLInbound20.py
│   │   │   │   │   ├── NACLInbound21.py
│   │   │   │   │   ├── NACLInbound22.py
│   │   │   │   │   ├── NACLInbound3389.py
│   │   │   │   │   ├── NACLInboundCheck.py
│   │   │   │   │   ├── NACLPortCheck.py
│   │   │   │   │   ├── NASEncryptionEnabled.py
│   │   │   │   │   ├── NKSControlPlaneLogging.py
│   │   │   │   │   ├── NKSPublicAccess.py
│   │   │   │   │   ├── RouteTableNATGatewayDefault.py
│   │   │   │   │   ├── ServerEncryptionVPC.py
│   │   │   │   │   ├── ServerPublicIP.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── oci/
│   │   │   │   │   ├── AbsSecurityGroupUnrestrictedIngress.py
│   │   │   │   │   ├── AbsSecurityListUnrestrictedIngress.py
│   │   │   │   │   ├── DataCatalogWithPublicAccess.py
│   │   │   │   │   ├── FileSystemEncryption.py
│   │   │   │   │   ├── IAMPasswordLength.py
│   │   │   │   │   ├── IAMPasswordPolicyLowerCase.py
│   │   │   │   │   ├── IAMPasswordPolicyNumeric.py
│   │   │   │   │   ├── IAMPasswordPolicySpecialCharacters.py
│   │   │   │   │   ├── IAMPasswordPolicyUpperCase.py
│   │   │   │   │   ├── InstanceBootVolumeIntransitEncryption.py
│   │   │   │   │   ├── InstanceMetadataServiceEnabled.py
│   │   │   │   │   ├── InstanceMonitoringEnabled.py
│   │   │   │   │   ├── ObjectStorageEmitEvents.py
│   │   │   │   │   ├── ObjectStorageEncryption.py
│   │   │   │   │   ├── ObjectStoragePublic.py
│   │   │   │   │   ├── ObjectStorageVersioning.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedIngress22.py
│   │   │   │   │   ├── SecurityGroupsIngressStatelessSecurityRules.py
│   │   │   │   │   ├── SecurityListIngress.py
│   │   │   │   │   ├── SecurityListIngressStateless.py
│   │   │   │   │   ├── SecurityListUnrestrictedIngress22.py
│   │   │   │   │   ├── SecurityListUnrestrictedIngress3389.py
│   │   │   │   │   ├── StorageBlockBackupEnabled.py
│   │   │   │   │   ├── StorageBlockEncryption.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── okta/
│   │   │   │   │   ├── TwoFASignOnPolicyRule.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── openstack/
│   │   │   │   │   ├── AbsSecurityGroupUnrestrictedIngress.py
│   │   │   │   │   ├── ComputeInstanceAdminPassword.py
│   │   │   │   │   ├── FirewallRuleSetDestinationIP.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedIngress22.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedIngress3389.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── panos/
│   │   │   │   │   ├── InterfaceMgmtProfileNoHTTP.py
│   │   │   │   │   ├── InterfaceMgmtProfileNoTelnet.py
│   │   │   │   │   ├── NetworkIPsecAlgorithms.py
│   │   │   │   │   ├── NetworkIPsecAuthAlgorithms.py
│   │   │   │   │   ├── NetworkIPsecProtocols.py
│   │   │   │   │   ├── PolicyDescription.py
│   │   │   │   │   ├── PolicyLogForwarding.py
│   │   │   │   │   ├── PolicyLoggingEnabled.py
│   │   │   │   │   ├── PolicyNoApplicationAny.py
│   │   │   │   │   ├── PolicyNoDSRI.py
│   │   │   │   │   ├── PolicyNoServiceAny.py
│   │   │   │   │   ├── PolicyNoSrcAnyDstAny.py
│   │   │   │   │   ├── ZoneProtectionProfile.py
│   │   │   │   │   ├── ZoneUserIDIncludeACL.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── registry.py
│   │   │   │   ├── tencentcloud/
│   │   │   │   │   ├── CBSEncryption.py
│   │   │   │   │   ├── CDBInternetService.py
│   │   │   │   │   ├── CDBIntranetPort.py
│   │   │   │   │   ├── CLBInstanceLog.py
│   │   │   │   │   ├── CLBListenerProtocol.py
│   │   │   │   │   ├── CVMAllocatePublicIp.py
│   │   │   │   │   ├── CVMDisableMonitorService.py
│   │   │   │   │   ├── CVMUseDefaultSecurityGroup.py
│   │   │   │   │   ├── CVMUseDefaultVPC.py
│   │   │   │   │   ├── CVMUserData.py
│   │   │   │   │   ├── TKELogAgentEnabled.py
│   │   │   │   │   ├── TKEPublicIpAssigned.py
│   │   │   │   │   ├── VPCFlowLogConfigEnable.py
│   │   │   │   │   ├── VPCSecurityGroupRuleSet.py
│   │   │   │   │   └── __init__.py
│   │   │   │   └── yandexcloud/
│   │   │   │       ├── ComputeInstanceGroupPublicIP.py
│   │   │   │       ├── ComputeInstanceGroupSecurityGroup.py
│   │   │   │       ├── ComputeVMPublicIP.py
│   │   │   │       ├── ComputeVMSecurityGroup.py
│   │   │   │       ├── ComputeVMSerialConsole.py
│   │   │   │       ├── IAMCloudElevatedMembers.py
│   │   │   │       ├── IAMFolderElevatedMembers.py
│   │   │   │       ├── IAMOrganizationElevatedMembers.py
│   │   │   │       ├── IAMPassportAccountUsage.py
│   │   │   │       ├── K8SAutoUpgrade.py
│   │   │   │       ├── K8SEtcdKMSEncryption.py
│   │   │   │       ├── K8SNetworkPolicy.py
│   │   │   │       ├── K8SNodeGroupAutoUpgrade.py
│   │   │   │       ├── K8SNodeGroupPublicIP.py
│   │   │   │       ├── K8SNodeGroupSecurityGroup.py
│   │   │   │       ├── K8SPublicIP.py
│   │   │   │       ├── K8SSecurityGroup.py
│   │   │   │       ├── KMSSymmetricKeyRotation.py
│   │   │   │       ├── MDBPublicIP.py
│   │   │   │       ├── MDBSecurityGroup.py
│   │   │   │       ├── ObjectStorageBucketEncryption.py
│   │   │   │       ├── ObjectStorageBucketPublicAccess.py
│   │   │   │       ├── VPCSecurityGroupAllowAll.py
│   │   │   │       ├── VPCSecurityGroupRuleAllowAll.py
│   │   │   │       └── __init__.py
│   │   │   └── utils/
│   │   │       ├── __init__.py
│   │   │       ├── base_cloudsplaining_iam_scanner.py
│   │   │       ├── consts.py
│   │   │       ├── dependency_path_handler.py
│   │   │       └── iam_terraform_document_to_policy_converter.py
│   │   ├── context_parsers/
│   │   │   ├── __init__.py
│   │   │   ├── base_parser.py
│   │   │   ├── parsers/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── data_context_parser.py
│   │   │   │   ├── locals_context_parser.py
│   │   │   │   ├── module_context_parser.py
│   │   │   │   ├── provider_context_parser.py
│   │   │   │   ├── resource_context_parser.py
│   │   │   │   └── variable_context_parser.py
│   │   │   ├── registry.py
│   │   │   └── tf_plan/
│   │   │       └── __init__.py
│   │   ├── deep_analysis_plan_graph_manager.py
│   │   ├── evaluation/
│   │   │   ├── __init__.py
│   │   │   └── base_variable_evaluation.py
│   │   ├── graph_builder/
│   │   │   ├── EncryptionCalculation.md
│   │   │   ├── __init__.py
│   │   │   ├── foreach/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── abstract_handler.py
│   │   │   │   ├── builder.py
│   │   │   │   ├── consts.py
│   │   │   │   ├── data_handler.py
│   │   │   │   ├── foreach_entity_handler.py
│   │   │   │   ├── module_handler.py
│   │   │   │   ├── resource_handler.py
│   │   │   │   └── utils.py
│   │   │   ├── graph_components/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── attribute_names.py
│   │   │   │   ├── block_types.py
│   │   │   │   ├── blocks.py
│   │   │   │   ├── generic_resource_encryption.py
│   │   │   │   └── module.py
│   │   │   ├── graph_to_tf_definitions.py
│   │   │   ├── local_graph.py
│   │   │   ├── utils.py
│   │   │   └── variable_rendering/
│   │   │       ├── __init__.py
│   │   │       ├── evaluate_terraform.py
│   │   │       ├── renderer.py
│   │   │       ├── safe_eval_functions.py
│   │   │       └── vertex_reference.py
│   │   ├── graph_manager.py
│   │   ├── image_referencer/
│   │   │   ├── __init__.py
│   │   │   ├── base_provider.py
│   │   │   ├── manager.py
│   │   │   └── provider/
│   │   │       ├── __init__.py
│   │   │       ├── aws.py
│   │   │       ├── azure.py
│   │   │       └── gcp.py
│   │   ├── module_loading/
│   │   │   ├── __init__.py
│   │   │   ├── content.py
│   │   │   ├── loader.py
│   │   │   ├── loaders/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── bitbucket_access_token_loader.py
│   │   │   │   ├── bitbucket_loader.py
│   │   │   │   ├── git_loader.py
│   │   │   │   ├── github_access_token_loader.py
│   │   │   │   ├── github_loader.py
│   │   │   │   ├── local_path_loader.py
│   │   │   │   ├── registry_loader.py
│   │   │   │   └── versions_parser.py
│   │   │   ├── module_finder.py
│   │   │   ├── module_params.py
│   │   │   └── registry.py
│   │   ├── modules/
│   │   │   ├── __init__.py
│   │   │   ├── module_objects.py
│   │   │   └── module_utils.py
│   │   ├── parser_functions.py
│   │   ├── parser_utils.py
│   │   ├── plan_parser.py
│   │   ├── plan_runner.py
│   │   ├── plan_utils.py
│   │   ├── runner.py
│   │   ├── tag_providers/
│   │   │   ├── __init__.py
│   │   │   ├── aws.py
│   │   │   ├── azure.py
│   │   │   └── gcp.py
│   │   └── tf_parser.py
│   ├── terraform_json/
│   │   ├── __init__.py
│   │   ├── parser.py
│   │   ├── runner.py
│   │   └── utils.py
│   ├── version.py
│   └── yaml_doc/
│       ├── __init__.py
│       ├── base_registry.py
│       ├── base_yaml_check.py
│       ├── enums.py
│       ├── registry.py
│       └── runner.py
├── dangerfile.ts
├── docs/
│   ├── 1.Welcome/
│   │   ├── Feature Descriptions.md
│   │   ├── Migration.md
│   │   ├── Quick Start.md
│   │   ├── Terms and Concepts.md
│   │   └── What is Checkov.md
│   ├── 2.Basics/
│   │   ├── CLI Command Reference.md
│   │   ├── Handling Variables.md
│   │   ├── Hard and soft fail.md
│   │   ├── Installing Checkov.md
│   │   ├── Reviewing Scan Results.md
│   │   ├── Scanning Credentials and Secrets.md
│   │   ├── Suppressing and Skipping Policies.md
│   │   └── Visualizing Checkov Output.md
│   ├── 3.Custom Policies/
│   │   ├── Custom Policies Overview.md
│   │   ├── Examples.md
│   │   ├── Python Custom Policies.md
│   │   ├── Sharing Custom Policies.md
│   │   └── YAML Custom Policies.md
│   ├── 4.Integrations/
│   │   ├── Bitbucket Cloud Pipelines.md
│   │   ├── Docker.md
│   │   ├── GitHub Actions.md
│   │   ├── GitLab CI.md
│   │   ├── Jenkins.md
│   │   ├── Kubernetes.md
│   │   └── pre-commit.md
│   ├── 404.md
│   ├── 5.Policy Index/
│   │   ├── all.md
│   │   ├── ansible.md
│   │   ├── argo_workflows.md
│   │   ├── arm.md
│   │   ├── azure_pipelines.md
│   │   ├── bicep.md
│   │   ├── bitbucket_configuration.md
│   │   ├── bitbucket_pipelines.md
│   │   ├── circleci_pipelines.md
│   │   ├── cloudformation.md
│   │   ├── dockerfile.md
│   │   ├── github_actions.md
│   │   ├── github_configuration.md
│   │   ├── gitlab_ci.md
│   │   ├── gitlab_configuration.md
│   │   ├── kubernetes.md
│   │   ├── openapi.md
│   │   ├── secrets.md
│   │   ├── serverless.md
│   │   └── terraform.md
│   ├── 6.Contribution/
│   │   ├── Contribute New Argo Workflows Policies.md
│   │   ├── Contribute New Azure Pipelines Policies.md
│   │   ├── Contribute New Bitbucket Policies.md
│   │   ├── Contribute New GitHub Policies.md
│   │   ├── Contribute New Gitlab Policies.md
│   │   ├── Contribute New OpenAPI Policies.md
│   │   ├── Contribute New Terraform Provider.md
│   │   ├── Contribute Python-Based Policies.md
│   │   ├── Contribute YAML-based Policies.md
│   │   ├── Contribution New IaC Runner.md
│   │   ├── Contribution Overview.md
│   │   ├── Implementing CI Metadata Extractor.md
│   │   └── Implementing ImageReferencer.md
│   ├── 7.Scan Examples/
│   │   ├── AWS SAM.md
│   │   ├── Ansible.md
│   │   ├── Argo Workflows.md
│   │   ├── Azure ARM templates.md
│   │   ├── Azure Pipelines.md
│   │   ├── Bicep.md
│   │   ├── Bitbucket.md
│   │   ├── CDK.md
│   │   ├── Cloudformation.md
│   │   ├── Dockerfile.md
│   │   ├── Git History.md
│   │   ├── Github.md
│   │   ├── Gitlab.md
│   │   ├── Helm.md
│   │   ├── Kubernetes.md
│   │   ├── Kustomize.md
│   │   ├── OpenAPI.md
│   │   ├── Sca.md
│   │   ├── Serverless Framework.md
│   │   ├── Terraform Plan Scanning.md
│   │   └── Terraform.md
│   ├── 8.Outputs/
│   │   ├── CSV.md
│   │   ├── CycloneDX BOM.md
│   │   ├── GitLab SAST.md
│   │   ├── JUnit XML.md
│   │   └── SARIF.md
│   ├── CNAME
│   ├── Gemfile
│   ├── _config.yml
│   ├── index.md
│   ├── menus.json
│   ├── search.html
│   └── web/
│       ├── css/
│       │   ├── checkov.pyro.css
│       │   ├── normalize.css
│       │   ├── pyro.css
│       │   └── theme.css
│       └── js/
│           └── pyro.js
├── dogfood_tests/
│   ├── pytest.ini
│   └── test_checkov_dogfood.py
├── extra_stubs/
│   ├── boolean/
│   │   ├── __init__.pyi
│   │   └── boolean.py
│   ├── docker/
│   │   ├── __init__.pyi
│   │   ├── client.pyi
│   │   └── models/
│   │       └── images.pyi
│   ├── dockerfile_parse/
│   │   ├── __init__.pyi
│   │   ├── constants.pyi
│   │   └── parser.pyi
│   ├── junit_xml/
│   │   └── __init__.pyi
│   └── license_expression/
│       └── __init__.pyi
├── flake8_plugins/
│   ├── __init__.py
│   └── flake8_class_attributes_plugin/
│       ├── __init__.py
│       ├── flake8_class_attributes/
│       │   ├── __init__.py
│       │   ├── checker.py
│       │   ├── class_members_errors.py
│       │   └── model_parts_info.py
│       └── tests/
│           ├── __init__.py
│           ├── conftest.py
│           ├── test_files/
│           │   ├── __init__.py
│           │   ├── class_attribute_fail.py
│           │   ├── class_const_pass.py
│           │   ├── class_special_attributes_pass.py
│           │   ├── dataclass_skip.py
│           │   └── typing_class_skip.py
│           └── test_handler.py
├── github_action_resources/
│   ├── checkov-problem-matcher-softfail.json
│   ├── checkov-problem-matcher.json
│   └── entrypoint.sh
├── integration_tests/
│   ├── __init__.py
│   ├── example_config_files/
│   │   └── config.yaml
│   ├── example_ext_private_modules/
│   │   └── main.tf
│   ├── example_workflow_file/
│   │   ├── .github/
│   │   │   └── workflows/
│   │   │       └── vulnerable_container.yaml
│   │   └── bitbucket/
│   │       └── bitbucket-pipelines.yml
│   ├── prepare_data.sh
│   ├── run_integration_tests.sh
│   ├── test_checkov_cli_integration_report.py
│   ├── test_checkov_config.py
│   ├── test_checkov_cyclonedx_report.py
│   ├── test_checkov_ext_module_cloning.py
│   ├── test_checkov_json_report.py
│   ├── test_checkov_junit_report.py
│   ├── test_checkov_platform_only_policies.py
│   └── test_checkov_sarif_report.py
├── kubernetes/
│   ├── Dockerfile
│   ├── README.md
│   ├── checkov-job.yaml
│   ├── requirements.txt
│   └── run_checkov.sh
├── mypy.ini
├── performance_tests/
│   ├── __init__.py
│   ├── pytest.ini
│   └── test_checkov_performance.py
├── pyproject.toml
├── sast_integration_tests/
│   ├── __init__.py
│   ├── prepare_data.sh
│   ├── run_integration_tests.sh
│   └── test_checkov_sast_report.py
├── setup.py
└── tests/
    ├── __init__.py
    ├── ansible/
    │   ├── __init__.py
    │   ├── checks/
    │   │   ├── __init__.py
    │   │   ├── graph_checks/
    │   │   │   ├── __init__.py
    │   │   │   ├── resources/
    │   │   │   │   ├── BlockErrorHandling/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── DnfDisableGpgCheck/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── DnfSslVerify/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── DnfValidateCerts/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── GetUrlHttpsOnly/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   ├── pass.yaml
    │   │   │   │   │   └── unknown.yaml
    │   │   │   │   ├── PanosIPsecAuthenticationAlgorithms/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosIPsecProtocols/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosInterfaceMgmtProfileNoHTTP/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosInterfaceMgmtProfileNoTelnet/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosPolicyDescription/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosPolicyLogForwarding/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosPolicyLogSessionStart/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosPolicyLoggingEnabled/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosPolicyNoApplicationAny/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosPolicyNoDSRI/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosPolicyNoServiceAny/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosPolicyNoSrcAnyDstAny/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosPolicyNoSrcZoneAnyNoDstZoneAny/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosZoneProtectionProfile/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosZoneUserIDIncludeACL/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   └── UriHttpsOnly/
    │   │   │   │       ├── expected.yaml
    │   │   │   │       ├── fail.yaml
    │   │   │   │       └── pass.yaml
    │   │   │   └── test_yaml_policies.py
    │   │   ├── task/
    │   │   │   ├── __init__.py
    │   │   │   ├── aws/
    │   │   │   │   ├── EC2EBSOptimized/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   ├── pass.yaml
    │   │   │   │   │   └── unknown.yaml
    │   │   │   │   ├── EC2PublicIP/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   ├── pass.yaml
    │   │   │   │   │   └── unknown.yaml
    │   │   │   │   └── __init__.py
    │   │   │   └── builtin/
    │   │   │       ├── AptAllowUnauthenticated/
    │   │   │       │   ├── expected.yaml
    │   │   │       │   ├── fail.yaml
    │   │   │       │   └── pass.yaml
    │   │   │       ├── AptForce/
    │   │   │       │   ├── expected.yaml
    │   │   │       │   ├── fail.yaml
    │   │   │       │   └── pass.yaml
    │   │   │       ├── GetUrlValidateCerts/
    │   │   │       │   ├── expected.yaml
    │   │   │       │   ├── fail.yaml
    │   │   │       │   └── pass.yaml
    │   │   │       ├── UriValidateCerts/
    │   │   │       │   ├── expected.yaml
    │   │   │       │   ├── fail.yaml
    │   │   │       │   └── pass.yaml
    │   │   │       ├── YumSslVerify/
    │   │   │       │   ├── expected.yaml
    │   │   │       │   ├── fail.yaml
    │   │   │       │   └── pass.yaml
    │   │   │       ├── YumValidateCerts/
    │   │   │       │   ├── expected.yaml
    │   │   │       │   ├── fail.yaml
    │   │   │       │   └── pass.yaml
    │   │   │       └── __init__.py
    │   │   └── test_python_policies.py
    │   ├── examples/
    │   │   ├── blocks.yml
    │   │   ├── empty_tasks.yml
    │   │   ├── k8s_utf16.yaml
    │   │   ├── nested_blocks.yml
    │   │   ├── no_tasks.yml
    │   │   ├── site.yml
    │   │   ├── skip.yml
    │   │   └── tasks.yml
    │   ├── graph_builder/
    │   │   ├── __init__.py
    │   │   └── test_local_graph.py
    │   ├── test_graph_manager.py
    │   ├── test_runner.py
    │   └── test_utils.py
    ├── argo_workflows/
    │   ├── __init__.py
    │   ├── checks/
    │   │   ├── __init__.py
    │   │   └── template/
    │   │       ├── __init__.py
    │   │       ├── example_DefaultServiceAccount/
    │   │       │   ├── fail_default.yaml
    │   │       │   ├── fail_none.yaml
    │   │       │   └── pass.yaml
    │   │       ├── example_RunAsNonRoot/
    │   │       │   ├── fail.yaml
    │   │       │   └── pass.yaml
    │   │       ├── test_DefaultServiceAccount.py
    │   │       └── test_RunAsNonRoot.py
    │   ├── examples/
    │   │   ├── argo_cd_application.yaml
    │   │   ├── hello_world.yaml
    │   │   └── scripts_python.yaml
    │   └── test_runner.py
    ├── arm/
    │   ├── __init__.py
    │   ├── checks/
    │   │   ├── __init__.py
    │   │   ├── parameter/
    │   │   │   ├── __init__.py
    │   │   │   ├── test_SecureStringParameterNoHardcodedValue/
    │   │   │   │   └── test_parameters.json
    │   │   │   └── test_SecureStringParameterNoHardcodedValue.py
    │   │   └── resource/
    │   │       ├── __init__.py
    │   │       ├── example_ACRAdminAccountDisabled/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_ACRAnonymousPullDisabled/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── pass.json
    │   │       │   ├── pass2.json
    │   │       │   ├── pass3.json
    │   │       │   ├── pass4.json
    │   │       │   ├── pass5.json
    │   │       │   └── pass6.json
    │   │       ├── example_ACRContainerScanEnabled/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_ACREnableImageQuarantine/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_ACREnableZoneRedundancy/
    │   │       │   ├── fail1.json
    │   │       │   ├── fail2.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_ACRPublicNetworkAccessDisabled/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AKSApiServerAuthorizedIpRanges/
    │   │       │   ├── aks-authIPRanges-preview-FAILED-3.json
    │   │       │   ├── aks-authIPRanges-preview-FAILED.json
    │   │       │   ├── aks-authIPRanges-preview-PASSED.json
    │   │       │   ├── aks-authIPRanges-supported-FAILED-2.json
    │   │       │   ├── aks-authIPRanges-supported-FAILED.json
    │   │       │   ├── aks-authIPRanges-supported-PASSED.json
    │   │       │   └── aks-authIPRanges-unsupported-FAILED.json
    │   │       ├── example_AKSDashboardDisabled/
    │   │       │   ├── AKSDashboardDisabled-FAILED.json
    │   │       │   ├── AKSDashboardDisabled-FAILED2.json
    │   │       │   ├── AKSDashboardDisabled-FAILED3.json
    │   │       │   ├── AKSDashboardDisabled-FAILED4.json
    │   │       │   └── AKSDashboardDisabled-PASSED.json
    │   │       ├── example_AKSEncryptionAtHostEnabled/
    │   │       │   ├── fail1.json
    │   │       │   ├── fail2.json
    │   │       │   ├── failA1.json
    │   │       │   ├── failA2.json
    │   │       │   ├── pass.json
    │   │       │   └── passA.json
    │   │       ├── example_AKSEphemeralOSDisks/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_AKSLocalAdminDisabled/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_AKSLoggingEnabled/
    │   │       │   ├── AKSLoggingEnabled-FAILED2.json
    │   │       │   ├── aksLoggingEnabled-FAILED.json
    │   │       │   ├── aksLoggingEnabled-FAILED3.json
    │   │       │   └── aksLoggingEnabled-PASSED.json
    │   │       ├── example_AKSMaxPodsMinimum/
    │   │       │   ├── agentPoolProfiles_with_maxPods_fail4.json
    │   │       │   ├── agentPoolProfiles_with_maxPods_pass.json
    │   │       │   ├── agentPoolProfiles_without_maxPods_fail3.json
    │   │       │   ├── properties_with_maxPods_fail2.json
    │   │       │   ├── properties_with_maxPods_pass1.json
    │   │       │   └── properties_without_maxPods_fail.json
    │   │       ├── example_AKSNetworkPolicy/
    │   │       │   ├── aksNetworkPolicy-FAILED.json
    │   │       │   ├── aksNetworkPolicy-FAILED2.json
    │   │       │   ├── aksNetworkPolicy-FAILED3.json
    │   │       │   ├── aksNetworkPolicy-FAILED4.json
    │   │       │   └── aksNetworkPolicy-PASSED.json
    │   │       ├── example_AKSPoolTypeIsScaleSet/
    │   │       │   ├── fail.json
    │   │       │   ├── pass.json
    │   │       │   └── pass1.json
    │   │       ├── example_AKSRbacEnabled/
    │   │       │   ├── aksEnableRbac-FAILED.json
    │   │       │   ├── aksEnableRbac-FAILED2.json
    │   │       │   ├── aksEnableRbac-FAILED3.json
    │   │       │   └── aksEnableRbac-PASSED.json
    │   │       ├── example_AKSUpgradeChannel/
    │   │       │   ├── fail.json
    │   │       │   ├── fail1.json
    │   │       │   └── pass.json
    │   │       ├── example_APIManagementMinTLS12/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_APIManagementPublicAccess/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_APIServicesUseVirtualNetwork/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AkSSecretStoreRotation/
    │   │       │   ├── fail.json
    │   │       │   ├── fail1.json
    │   │       │   └── pass.json
    │   │       ├── example_AppGWDefinesSecureProtocols/
    │   │       │   ├── empty_sslPolicy_fail1.json
    │   │       │   ├── with_policyName_fail3.json
    │   │       │   ├── with_policyName_pass1.json
    │   │       │   ├── with_protocolversion_and_cipher_fail2.json
    │   │       │   ├── with_protocolversion_and_cipher_pass.json
    │   │       │   └── without_sslPolicy_fail.json
    │   │       ├── example_AppGatewayWAFACLCVE202144228/
    │   │       │   ├── empty_disabled_rules_pass.json
    │   │       │   ├── owasp_3_0_fail.json
    │   │       │   ├── owasp_3_1_default_pass.json
    │   │       │   ├── owasp_3_1_disabled_different_pass.json
    │   │       │   ├── owasp_3_1_disabled_fail.json
    │   │       │   ├── owasp_3_2_default_pass.json
    │   │       │   └── version_3_1_default_pass.json
    │   │       ├── example_AppServiceAuthentication/
    │   │       │   ├── appServiceAuthentication-FAILED.json
    │   │       │   ├── appServiceAuthentication-PASSED.json
    │   │       │   └── appServiceAuthentication-PASSED2.json
    │   │       ├── example_AppServiceClientCertificate/
    │   │       │   ├── appServiceClientCertificate-FAILED.json
    │   │       │   ├── appServiceClientCertificate-FAILED2.json
    │   │       │   ├── appServiceClientCertificate-PASSED.json
    │   │       │   └── appServiceClientCertificate-PASSED2.json
    │   │       ├── example_AppServiceDetailedErrorMessagesEnabled/
    │   │       │   ├── AppServiceDetailedErrorMessagesEnabled-failed.json
    │   │       │   ├── AppServiceDetailedErrorMessagesEnabled-failed2.json
    │   │       │   └── AppServiceDetailedErrorMessagesEnabled-passed.json
    │   │       ├── example_AppServiceDisallowCORS/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AppServiceDotnetFrameworkVersion/
    │   │       │   ├── failed.json
    │   │       │   └── passed.json
    │   │       ├── example_AppServiceEnabledFailedRequest/
    │   │       │   ├── AppServiceEnableFailedRequest-failed.json
    │   │       │   └── AppServiceEnableFailedRequest-passed.json
    │   │       ├── example_AppServiceFTPSState/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── fail3.json
    │   │       │   ├── pass.json
    │   │       │   ├── pass2.json
    │   │       │   └── pass3.json
    │   │       ├── example_AppServiceHTTPSOnly/
    │   │       │   ├── appServiceHTTPSOnly-FAILED.json
    │   │       │   ├── appServiceHTTPSOnly-FAILED2.json
    │   │       │   ├── appServiceHTTPSOnly-PASSED.json
    │   │       │   └── appServiceHTTPSOnly-PASSED2.json
    │   │       ├── example_AppServiceHttpLoggingEnabled/
    │   │       │   ├── AppServiceHttpLoggingEnabled-failed.json
    │   │       │   ├── AppServiceHttpLoggingEnabled-failed2.json
    │   │       │   └── AppServiceHttpLoggingEnabled-passed.json
    │   │       ├── example_AppServiceHttps20Enabled/
    │   │       │   ├── appServiceHttps20Enabled-FAILED.json
    │   │       │   ├── appServiceHttps20Enabled-FAILED2.json
    │   │       │   ├── appServiceHttps20Enabled-FAILED3.json
    │   │       │   ├── appServiceHttps20Enabled-PASSED.json
    │   │       │   └── appServiceHttps20Enabled-PASSED2.json
    │   │       ├── example_AppServiceIdentity/
    │   │       │   ├── appServiceIdentity-FAILED.json
    │   │       │   ├── appServiceIdentity-PASSED.json
    │   │       │   └── appServiceIdentity-PASSED2.json
    │   │       ├── example_AppServiceIdentityProviderEnabled/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AppServiceInstanceMinimum/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── pass.json
    │   │       │   ├── pass2.json
    │   │       │   ├── unknown.json
    │   │       │   └── unknown2.json
    │   │       ├── example_AppServiceJavaVersion/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AppServiceMinTLSVersion/
    │   │       │   ├── appServiceMinTLSVersion-FAILED.json
    │   │       │   ├── appServiceMinTLSVersion-FAILED2.json
    │   │       │   ├── appServiceMinTLSVersion-FAILED3.json
    │   │       │   ├── appServiceMinTLSVersion-PASSED.json
    │   │       │   └── appServiceMinTLSVersion-PASSED2.json
    │   │       ├── example_AppServicePHPVersion/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AppServicePlanZoneRedundant/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_AppServicePublicAccessDisabled/
    │   │       │   ├── configFail.json
    │   │       │   ├── configPass.json
    │   │       │   ├── linuxDefault.json
    │   │       │   ├── linuxFail.json
    │   │       │   ├── linuxPass.json
    │   │       │   ├── slotFail.json
    │   │       │   ├── slotPass.json
    │   │       │   ├── windowsDefault.json
    │   │       │   ├── windowsFail.json
    │   │       │   └── windowsPass.json
    │   │       ├── example_AppServicePythonVersion/
    │   │       │   ├── fail.json
    │   │       │   ├── pass.json
    │   │       │   └── unknown.json
    │   │       ├── example_AppServiceRemoteDebuggingNotEnabled/
    │   │       │   ├── fail.json
    │   │       │   ├── pass.json
    │   │       │   └── pass1.json
    │   │       ├── example_AppServiceSetHealthCheck/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_AppServiceSlotDebugDisabled/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_AppServiceSlotHTTPSOnly/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_AppServiceUsedAzureFiles/
    │   │       │   ├── AppServiceEnableFailedRequest-failed.json
    │   │       │   ├── AppServiceEnableFailedRequest-failed2.json
    │   │       │   └── AppServiceUsedAzureFiles-passed.json
    │   │       ├── example_AutomationEncrypted/
    │   │       │   ├── fail.json
    │   │       │   ├── fail1.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureBatchAccountEndpointAccessDefaultAction.py/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureBatchAccountUsesKeyVaultEncryption/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureDataExplorerDoubleEncryptionEnabled/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureDefenderOnKeyVaults/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureDefenderOnKubernetes/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureDefenderOnSqlServersVMS/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureDefenderOnStorage/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureFirewallDenyThreatIntelMode/
    │   │       │   ├── CKV_AZURE_216.fail.json
    │   │       │   ├── CKV_AZURE_216.fail2.json
    │   │       │   └── CKV_AZURE_216.pass.json
    │   │       ├── example_AzureFrontDoorEnablesWAF/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureInstanceExtensions/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureInstancePassword/
    │   │       │   ├── FAILED.json
    │   │       │   ├── PASSED.json
    │   │       │   ├── UNKNOWN.json
    │   │       │   └── UNKNOWN_1.json
    │   │       ├── example_AzureMLWorkspacePrivateEndpoint/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_AzureManagedDiscEncryption/
    │   │       │   ├── azureManagedDiscEncryption-FAILED.json
    │   │       │   ├── azureManagedDiscEncryption-PASSED.json
    │   │       │   ├── azureManagedDiscEncryption-PASSED_2.json
    │   │       │   └── azureManagedDiscEncryption-PASSED_3.json
    │   │       ├── example_AzureManagedDiskEncryptionSet/
    │   │       │   ├── azureManagedDiskEncyptionSet-FAILED.json
    │   │       │   └── azureManagedDiskEncyptionSet-PASSED.json
    │   │       ├── example_AzureScaleSetPassword/
    │   │       │   ├── FAILED.json
    │   │       │   ├── PASSED.json
    │   │       │   └── UNKNOWN.json
    │   │       ├── example_AzureSearchSLAIndex/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureSearchSLAQueryUpdates/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureServiceFabricClusterProtectionLevel/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureSparkPoolIsolatedComputeEnabled/
    │   │       │   ├── fail1.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureSynapseWorkspaceVAisEnabled/
    │   │       │   ├── fail1.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached/
    │   │       │   ├── fail.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_CognitiveServicesConfigureIdentity/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_CognitiveServicesDisablesPublicNetwork/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_CognitiveServicesEnableLocalAuth/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_CosmosDBAccountsRestrictedAccess/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── fail3.json
    │   │       │   ├── fail4.json
    │   │       │   ├── pass.json
    │   │       │   ├── pass2.json
    │   │       │   ├── pass3.json
    │   │       │   └── pass4.json
    │   │       ├── example_CosmosDBDisableAccessKeyWrite/
    │   │       │   ├── CosmosDBDisableAccessKeyWrite-FAILED.json
    │   │       │   └── CosmosDBDisableAccessKeyWrite-PASSED.json
    │   │       ├── example_CosmosDBDisablesPublicNetwork/
    │   │       │   ├── Fail.json
    │   │       │   ├── Fail2.json
    │   │       │   ├── Fail3.json
    │   │       │   └── Pass.json
    │   │       ├── example_CosmosDBHaveCMK/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_CosmosDBLocalAuthDisabled/
    │   │       │   ├── fail.json
    │   │       │   ├── fail1.json
    │   │       │   ├── pass.json
    │   │       │   └── unknown.json
    │   │       ├── example_CustomRoleDefinitionSubscriptionOwner/
    │   │       │   ├── example_customRoleDefinitionSubscriptionOwner-FAILED.json
    │   │       │   └── example_customRoleDefinitionSubscriptionOwner-PASSED.json
    │   │       ├── example_DataExplorerUsesDiskEncryption/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_DataFactoryNoPublicNetworkAccess/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_DataFactoryUsesGitRepository/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── pass.json
    │   │       │   └── unknown.json
    │   │       ├── example_DataLakeStoreEncryption/
    │   │       │   ├── fail.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_DatabricksWorkspaceIsNotPublic/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_EventHubNamespaceMinTLS12/
    │   │       │   ├── fail.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_EventgridTopicIdentityProviderEnabled/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_EventgridTopicLocalAuthentication/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_EventgridTopicNetworkAccess/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_FrontDoorWAFACLCVE202144228/
    │   │       │   ├── fail1.json
    │   │       │   ├── fail3.json
    │   │       │   ├── fail4.json
    │   │       │   ├── pass1.json
    │   │       │   ├── pass2.json
    │   │       │   ├── pass3.json
    │   │       │   └── pass4.json
    │   │       ├── example_FrontdoorUseWAFMode/
    │   │       │   ├── example_FrontdoorUseWAFMode-FAILED.json
    │   │       │   └── example_FrontdoorUseWAFMode-PASSED.json
    │   │       ├── example_FunctionAppDisallowCORS/
    │   │       │   ├── fail.json
    │   │       │   ├── pass.json
    │   │       │   └── pass_with_cors.json
    │   │       ├── example_FunctionAppHttpVersionLatest/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_FunctionAppMinTLSVersion/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── pass.json
    │   │       │   ├── pass2.json
    │   │       │   ├── pass3.json
    │   │       │   └── pass4.json
    │   │       ├── example_FunctionAppsAccessibleOverHttps/
    │   │       │   ├── sites_config_fail.json
    │   │       │   ├── sites_config_pass.json
    │   │       │   ├── sites_config_pass1.json
    │   │       │   ├── sites_fail.json
    │   │       │   ├── sites_fail1.json
    │   │       │   └── sites_pass.json
    │   │       ├── example_FunctionAppsEnableAuthentication/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_KeyBackedByHSM/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_KeyExpirationDate/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_KeyVaultDisablesPublicNetworkAccess/
    │   │       │   ├── fail1.json
    │   │       │   ├── fail2.json
    │   │       │   ├── fail3.json
    │   │       │   ├── fail4.json
    │   │       │   ├── fail5.json
    │   │       │   ├── pass1.json
    │   │       │   ├── pass2.json
    │   │       │   ├── pass3.json
    │   │       │   └── pass4.json
    │   │       ├── example_KeyVaultEnablesFirewallRulesSettings/
    │   │       │   ├── KeyVaultEnablesFirewallRulesSettings-FAILED.json
    │   │       │   └── KeyVaultEnablesFirewallRulesSettings-PASSED.json
    │   │       ├── example_KeyVaultEnablesPurgeProtection/
    │   │       │   ├── fail1.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_KeyVaultEnablesSoftDelete/
    │   │       │   ├── fail.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_KeyvaultRecoveryEnabled/
    │   │       │   ├── keyvaultRecoveryEnabled-FAILED.json
    │   │       │   ├── keyvaultRecoveryEnabled-FAILED2.json
    │   │       │   └── keyvaultRecoveryEnabled-PASSED.json
    │   │       ├── example_LinuxVMUsesSSH/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_MSSQLServerMinTLSVersion/
    │   │       │   ├── fail.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_MariaDBGeoBackupEnabled/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_MariaDBPublicAccessDisabled/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_MariaDBSSLEnforcementEnabled/
    │   │       │   ├── FAILED.json
    │   │       │   ├── FAILED_2.json
    │   │       │   └── PASSED.json
    │   │       ├── example_MonitorLogProfileCategories/
    │   │       │   ├── monitorLogProfileCategories-FAILED.json
    │   │       │   └── monitorLogProfileCategories-PASSED.json
    │   │       ├── example_MonitorLogProfileRetentionDays/
    │   │       │   ├── monitorLogProfileRetentionDays-FAILED.json
    │   │       │   ├── monitorLogProfileRetentionDays-FAILED2.json
    │   │       │   └── monitorLogProfileRetentionDays-PASSED.json
    │   │       ├── example_MySQLEncryptionEnabled/
    │   │       │   ├── fail.json
    │   │       │   ├── pass.json
    │   │       │   └── unknown.json
    │   │       ├── example_MySQLGeoBackupEnabled/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_MySQLServerMinTLSVersion/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_MySQLServerSSLEnforcementEnabled/
    │   │       │   ├── mysqlSSLEnforcementEnabled-FAILED.json
    │   │       │   ├── mysqlSSLEnforcementEnabled-FAILED2.json
    │   │       │   └── mysqlSSLEnforcementEnabled-PASSED.json
    │   │       ├── example_NSGRuleHTTPAccessRestricted/
    │   │       │   ├── NSGRulePortAccessRestricted-FAILED.json
    │   │       │   ├── NSGRulePortAccessRestricted-RULE-1Pass-1Fail.json
    │   │       │   └── NSGRulePortAccessRestricted-RULE-PASSED.json
    │   │       ├── example_NSGRuleRDPAccessRestricted/
    │   │       │   ├── NSGRulePortAccessRestricted-FAILED.json
    │   │       │   ├── NSGRulePortAccessRestricted-RULE-1Pass-1Fail.json
    │   │       │   └── NSGRulePortAccessRestricted-RULE-PASSED.json
    │   │       ├── example_NSGRuleSSHAccessRestricted/
    │   │       │   ├── NSGRulePortAccessRestricted-FAILED.json
    │   │       │   ├── NSGRulePortAccessRestricted-RULE-1Pass-1Fail.json
    │   │       │   └── NSGRulePortAccessRestricted-RULE-PASSED.json
    │   │       ├── example_NetworkWatcherFlowLogPeriod/
    │   │       │   ├── networkWatcherFlowLogPeriod-FAILED.json
    │   │       │   ├── networkWatcherFlowLogPeriod-FAILED2.json
    │   │       │   ├── networkWatcherFlowLogPeriod-FAILED3.json
    │   │       │   ├── networkWatcherFlowLogPeriod-FAILED4.json
    │   │       │   └── networkWatcherFlowLogPeriod-PASSED.json
    │   │       ├── example_PostgreSQLEncryptionEnabled/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_PostgreSQLServerConnectionThrottlingEnabled/
    │   │       │   ├── postgreSQL-ConnectionThrottlingEnabled-FAILED.json
    │   │       │   ├── postgreSQL-ConnectionThrottlingEnabled-PASSED.json
    │   │       │   └── postgreSQL-ConnectionThrottlingEnabled-PASSED2.json
    │   │       ├── example_PostgreSQLServerLogCheckpointsEnabled/
    │   │       │   ├── postgreSQL-LogCheckpointsEnabled-FAILED.json
    │   │       │   ├── postgreSQL-LogCheckpointsEnabled-PASSED.json
    │   │       │   └── postgreSQL-LogCheckpointsEnabled-PASSED2.json
    │   │       ├── example_PostgreSQLServerLogConnectionsEnabled/
    │   │       │   ├── postgreSQL-LogConnectionsEnabled-FAILED.json
    │   │       │   ├── postgreSQL-LogConnectionsEnabled-PASSED.json
    │   │       │   └── postgreSQL-LogConnectionsEnabled-PASSED2.json
    │   │       ├── example_PostgreSQLServerPublicAccessDisable/
    │   │       │   ├── fail1.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_PostgreSQLServerSSLEnforcementEnabled/
    │   │       │   ├── postgreSQL-SSL-FAILED.json
    │   │       │   ├── postgreSQL-SSL-FAILED2.json
    │   │       │   └── postgreSQL-SSL-PASSED.json
    │   │       ├── example_PostgressSQLGeoBackupEnabled/
    │   │       │   ├── fail1.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_PubsubSKUSLA/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_PubsubSpecifyIdentity/
    │   │       │   ├── fail.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_RedisCachePublicNetworkAccessEnabled/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_SQLDatabaseZoneRedundant/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_SQLServerAuditingEnabled/
    │   │       │   ├── sqlServerAuditingEnabled-PASSED.json
    │   │       │   ├── sqlServerAuditingEnabled-TDE-FAILED.json
    │   │       │   └── sqlServerDatabaseAuditingEnabled-PASSED.json
    │   │       ├── example_SQLServerAuditingRetention90Days/
    │   │       │   ├── sqlServerAuditingRetention90Days-2021-05-PASSED.json
    │   │       │   ├── sqlServerAuditingRetention90Days-FAILED2.json
    │   │       │   ├── sqlServerAuditingRetention90Days-FAILED3.json
    │   │       │   ├── sqlServerAuditingRetention90Days-PASSED.json
    │   │       │   ├── sqlServerAuditingRetention90Days-PASSED2.json
    │   │       │   └── sqlServerAuditingRetention90Days-TDE-FAILED.json
    │   │       ├── example_SQLServerEmailAlertsEnabled/
    │   │       │   ├── sqlServerEmailAlertsEnabled-FAILED.json
    │   │       │   └── sqlServerEmailAlertsEnabled-PASSED.json
    │   │       ├── example_SQLServerEmailAlertsToAdminsEnabled/
    │   │       │   ├── sqlServerEmailAlertsToAdminsEnabled-FAILED.json
    │   │       │   └── sqlServerEmailAlertsToAdminsEnabled-PASSED.json
    │   │       ├── example_SQLServerHasPublicAccessDisabled/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_SQLServerNoPublicAccess/
    │   │       │   ├── sqlServerNoPublicAccess-TDE-FAILED.json
    │   │       │   └── sqlServerNoPublicAccess-TDE-PASSED.json
    │   │       ├── example_SQLServerThreatDetectionTypes/
    │   │       │   ├── sqlServerThreatDetectionTypes-FAILED.json
    │   │       │   ├── sqlServerThreatDetectionTypes-PASSED.json
    │   │       │   └── sqlServerThreatDetectionTypes-PASSED2.json
    │   │       ├── example_SQLServerUsesADAuth/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_SecretContentType/
    │   │       │   ├── SecretExpirationDate-FAILED.json
    │   │       │   └── SecretExpirationDate-PASSED.json
    │   │       ├── example_SecretExpirationDate/
    │   │       │   ├── SecretExpirationDate-FAILED.json
    │   │       │   └── SecretExpirationDate-PASSED.json
    │   │       ├── example_SecurityCenter/
    │   │       │   ├── securityCenter-FAILED.json
    │   │       │   └── securityCenter-PASSED.json
    │   │       ├── example_SkipJsonRegex/
    │   │       │   ├── skip1.json
    │   │       │   ├── skip2/
    │   │       │   │   ├── skip1.json
    │   │       │   │   └── skip2.json
    │   │       │   └── skip2.json
    │   │       ├── example_StorageAccountAzureServicesAccessEnabled/
    │   │       │   ├── storageAccountAzureServicesAccessEnabled-FAILED.json
    │   │       │   ├── storageAccountAzureServicesAccessEnabled-FAILED2.json
    │   │       │   ├── storageAccountAzureServicesAccessEnabled-PASSED.json
    │   │       │   ├── storageAccountAzureServicesAccessEnabled-PASSED2.json
    │   │       │   ├── storageAccountAzureServicesAccessEnabled-UNKNOWN.json
    │   │       │   └── storageAccountAzureServicesAccessEnabled-VARIABLE.json
    │   │       ├── example_StorageAccountDefaultNetworkAccessDeny/
    │   │       │   ├── storageAccountDefaultNetworkAccessDeny-FAILED.json
    │   │       │   ├── storageAccountDefaultNetworkAccessDeny-FAILED2.json
    │   │       │   ├── storageAccountDefaultNetworkAccessDeny-PASSED.json
    │   │       │   ├── storageAccountDefaultNetworkAccessDeny-PASSED2.json
    │   │       │   └── storageAccountDefaultNetworkAccessDeny-UNKNOWN.json
    │   │       ├── example_StorageAccountDisablePublicAccess/
    │   │       │   ├── FAILED.json
    │   │       │   ├── PASSED.json
    │   │       │   └── PASSED_2.json
    │   │       ├── example_StorageAccountLoggingQueueServiceEnabled/
    │   │       │   ├── exampleStorageAccountLoggingQueueServiceEnabled-Failed.json
    │   │       │   ├── exampleStorageAccountLoggingQueueServiceEnabled-Failed2.json
    │   │       │   └── exampleStorageAccountLoggingQueueServiceEnabled-PASSED.json
    │   │       ├── example_StorageAccountMinimumTlsVersion/
    │   │       │   ├── exampleStorageAccountMinimumTlsVersion-fail1.json
    │   │       │   ├── exampleStorageAccountMinimumTlsVersion-fail2.json
    │   │       │   ├── exampleStorageAccountMinimumTlsVersion-fail3.json
    │   │       │   └── exampleStorageAccountMinimumTlsVersion-passed.json
    │   │       ├── example_StorageAccountName/
    │   │       │   ├── camelCase.json
    │   │       │   ├── kebabCase.json

================================================
FILE CONTENTS
================================================

================================================
FILE: .cfnlintrc
================================================
templates:
  - tests/cloudformation/checks/resource/aws/**/*.json
  - tests/cloudformation/checks/resource/aws/**/*.yaml
ignore_templates:
  - tests/cloudformation/checks/resource/aws/unused/*
  # https://github.com/aws-cloudformation/cfn-python-lint/issues/1577
  - tests/cloudformation/checks/resource/aws/example_AthenaWorkgroupConfiguration/*
  # added resource with Properties, which is not supported by cfn-lint
  - tests/cloudformation/checks/resource/aws/example_LambdaEnvironmentCredentials/sam.yaml
  # includes tests with booleans as strings
  - tests/cloudformation/checks/resource/aws/example_ECRImageScanning/*
  - tests/cloudformation/checks/resource/aws/example_ALBDropHttpHeaders/*
  - tests/cloudformation/checks/resource/aws/example_ELBv2AccessLogs/*
  - tests/cloudformation/checks/resource/aws/example_RedShiftSSL/*
  - tests/cloudformation/checks/resource/aws/example_LambdaEnvironmentCredentials/*
  - tests/cloudformation/checks/resource/aws/example_SecurityGroupRuleDescription/*
  - tests/cloudformation/checks/resource/aws/example_SecurityGroupRuleDescription
  - tests/cloudformation/checks/resource/aws/example_SecurityGroupUnrestrictedIngress22/SecurityGroupUnrestrictedIngress22-UNKNOWN.yaml
  - tests/cloudformation/checks/resource/aws/example_SecurityGroupUnrestrictedIngress80/SecurityGroupUnrestrictedIngress80-UNKNOWN.yaml
  - tests/cloudformation/checks/resource/*
  - tests/cloudformation/checks/resource/aws/example_IAMStarActionPolicyDocument/cfn_bad_iam_pass.yaml
  - tests/cloudformation/checks/resource/aws/example_IAMRoleAllowAssumeFromAccount/UNKNOWN.yml
  - tests/cloudformation/checks/resource/aws/example_cloudfrontDistribution/CloudfrontDistributionEncryption-UNKNOWN.yaml
  - tests/cloudformation/checks/resource/aws/example_ALBListenerTLS12/ALBListenerTLS1.2-FAILED.yaml
ignore_checks:
  - W


================================================
FILE: .coveragerc
================================================
[run]
branch = True
[report]
omit =
    tests/*
    */.pytest_cache/*
    */.local/*
    docs/*
    hooks/*

================================================
FILE: .dockerignore
================================================
bin/
checkov/
docs/
integration_tests/
tests/

================================================
FILE: .flake8
================================================
# can be moved to pyproject.toml some day
# https://github.com/PyCQA/flake8/issues/234
[flake8]
max-line-length = 120
# E203,E501 don't work with black together
ignore = E203,E501,E731,W503,W504,DUO107,DUO104,DUO130,DUO109,DUO116,B028,B950,TC001,TC003,TC006,B907,B038,B909
select = C,E,F,W,B,B9,A,TC
extend-exclude = .github, .pytest_cache, docs/*, venv/*, tests/*, flake8_plugins/*, cdk_integration_tests/src/python/*

[flake8:local-plugins]
extension =
  CCE = flake8_plugins.flake8_class_attributes_plugin.flake8_class_attributes.checker:ClassAttributesChecker
paths =
  . flake8_plugins/flake8_class_attributes_plugin/flake8_class_attributes

================================================
FILE: .github/ISSUE_TEMPLATE/best_practices_issue.md
================================================
---
name: Best practices improvement
about: Issues that will help achieve best practices using checkov.
title: ''
labels: 'best practices'
assignees: ''

---

**Describe the issue**
If it is related to an existing check, please note the relevant check ID.
Also, explain the logic for this addition / change.

**Examples**
Please share an example code sample (in the IaC of your choice) + the expected outcomes.

**Version (please complete the following information):**
 - Checkov Version [e.g. 22]

**Additional context**
Add any other context about the problem here.


================================================
FILE: .github/ISSUE_TEMPLATE/checks_issue.md
================================================
---
name: Checks Issue
about: Create an issue regarding a check (existing or missing)
title: ''
labels: 'checks'
assignees: ''

---

**Describe the issue**
If it is related to an existing check, please note the relevant check ID.
Also, explain the logic for this addition / change.

**Examples**
Please share an example code sample (in the IaC of your choice) + the expected outcomes.

**Version (please complete the following information):**
 - Checkov Version [e.g. 22]

**Additional context**
Add any other context about the problem here.


================================================
FILE: .github/ISSUE_TEMPLATE/crash_report.md
================================================
---
name: Crash report
about: Create an issue for cases causing checkov to crash
title: ''
labels: 'crash'
assignees: ''

---

**Describe the issue**
Explain what you expected to happen when checkov crashed.

**Examples**
Please share an example code sample (in the IaC of your choice) + the expected outcomes.

**Exception Trace**
Please share the trace for the exception and all relevant output by checkov.
To maximize the understanding, please run checkov with LOG_LEVEL set to debug
as follows:
```sh
LOG_LEVEL=DEBUG checkov ...
```

**Desktop (please complete the following information):**
 - OS: [e.g. iOS]
 - Checkov Version [e.g. 22]

**Additional context**
Add any other context about the problem here (e.g. code snippets).


================================================
FILE: .github/ISSUE_TEMPLATE/feature_request.md
================================================
---
name: Feature request
about: Feature requests or requests for enhancements that are not bugs.
title: ''
labels: 'contribution requested'
assignees: ''

---

**Describe the feature**

Explain the feature in detail. Note that feature requests are always reviewed, but prioritized based on popularity, effort, and impact. We also welcome contributions.

**Examples**

Please share an example code sample (in the IaC of your choice) + expected inputs and outputs from Checkov + the expected outcomes.

**Additional context**

Add any other context about the problem here.



================================================
FILE: .github/ISSUE_TEMPLATE/graph_issue.md
================================================
---
name: Graph Issue
about: Create an issue regarding the graph creation and querying
title: ''
labels: 'graph'
assignees: ''

---

**Describe the issue**
Please explain what is missing or malfunctioning in the graph (creation or querying).
Also detail what is the expected behavior for this use case.

**Examples**
Please share an example code sample (in the IaC of your choice) + the expected outcomes.

**Desktop (please complete the following information):**
 - OS: [e.g. iOS]
 - Checkov Version [e.g. 22]

**Additional context**
Add any other context about the problem here (e.g. code snippets).


================================================
FILE: .github/ISSUE_TEMPLATE/integrations_issue.md
================================================
---
name: Integrations Issue
about: Create an issue regarding the integration of checkov with other tools.
title: ''
labels: 'integrations'
assignees: ''

---

**Describe the issue**
If an existing integration is malfunctioning, please describe the current state and 
what you expect to be happening.
For new integrations, please share an example use case this integration will help 
checkov support.


================================================
FILE: .github/ISSUE_TEMPLATE/languages_issue.md
================================================
---
name: Languages Issue
about: Create an issue regarding the frameworks and languages supported by checkov
title: ''
labels: 'languages'
assignees: ''

---

**Describe the issue**
Describe the framework / feature that is missing in a supported framework that you
would like to add and explain what the use case is.

**Example Value**
Please share an example check / use case that this issue will allow checkov to support.


================================================
FILE: .github/ISSUE_TEMPLATE/noise_issue.md
================================================
---
name: Noise Issue
about: Create an issue regarding checkov's output and noise it generates.
title: ''
labels: 'noise'
assignees: ''

---

**Describe the issue**
Please explain the use case that leads to this noise being generated.

**Examples**
Please share an example code sample (in the IaC of your choice) + the expected outcomes.

**Version (please complete the following information):**
 - Checkov Version [e.g. 22]

**Additional context**
Add any other context about the problem here.


================================================
FILE: .github/ISSUE_TEMPLATE/outputs_issue.md
================================================
---
name: Outputs Issue
about: Create an issue regarding checkov's output (addition or fix)
title: ''
labels: 'outputs'
assignees: ''

---

**Describe the issue**
If regarding an existing output (json, junit-xml etc.) please note what is the current state
and what is the expected state. For new outputs - please describe the use case to add it.

**Additional context**
Add any other context about the problem here.


================================================
FILE: .github/ISSUE_TEMPLATE/skips_issue.md
================================================
---
name: Skipping Issue
about: Create an issue regarding checkov's skipping mechanism
title: ''
labels: 'skips'
assignees: ''

---

**Describe the issue**
Please explain the functionality that is missing for you, what you did and 
what was the actual output.

**Examples**
Please share an example code sample (in the IaC of your choice) + the expected outcomes.

**Version (please complete the following information):**
 - Checkov Version [e.g. 22]

**Additional context**
Add any other context about the problem here.


================================================
FILE: .github/PULL_REQUEST_TEMPLATE.md
================================================
**By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.**

[//]: # "
    # PR Title
    We use the title to create changelog automatically and therefore only allow specific prefixes
    - break:    to indicate a breaking change, this supersedes any of the other types
    - feat:     to indicate new features or checks
    - fix:      to indicate a bugfix or handling of edge cases of existing checks
    - docs:     to indicate an update to our documentation
    - chore:    to indicate adjustments to workflow files or dependency updates
    - platform: to indicate a change needed for the platform
    Each prefix should be accompanied by a scope that specifies the targeted framework. If uncertain, use 'general'.
    #    
    Allowed prefixes:
    ansible|argo|arm|azure|bicep|bitbucket|circleci|cloudformation|dockerfile|github|gha|gitlab|helm|kubernetes|kustomize|openapi|sast|sca|secrets|serverless|terraform|general|graph|terraform_plan|terraform_json
    #
    ex.
    feat(terraform): add CKV_AWS_123 to ensure that VPC Endpoint Service is configured for Manual Acceptance
"

## Description

*Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.*

Fixes # (issue)

## New/Edited policies (Delete if not relevant)

### Description
*Include a description of what makes it a violation and any relevant external links.*

### Fix
*How does someone fix the issue in code and/or in runtime?*

## Checklist:

- [ ] I have performed a self-review of my own code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] I have added tests that prove my feature, policy, or fix is effective and works
- [ ] New and existing tests pass locally with my changes


================================================
FILE: .github/actionlint.yaml
================================================
self-hosted-runner:
  labels:
    - public


================================================
FILE: .github/checkov.yaml
================================================
enable-secret-scan-all-files: true
framework:
- secrets
quiet: true
skip-path:
- docs
- tests/arm/checks/resource/example_AzureScaleSetPassword/FAILED.json
- tests/arm/checks/resource/example_AzureScaleSetPassword/UNKNOWN.json
- tests/arm/checks/resource/example_StorageAccountAzureServicesAccessEnabled/storageAccountAzureServicesAccessEnabled-FAILED2.json
- tests/arm/checks/resource/example_StorageAccountDefaultNetworkAccessDeny/storageAccountDefaultNetworkAccessDeny-FAILED2.json
- tests/terraform/checks/resource/azure/example_AzureInstanceExtensions/main.tf
- tests/common/utils/conftest.py
- tests/common/utils/test_secrets_utils.py
- tests/sca_image/conftest.py
- tests/sca_package_2/conftest.py
- tests/secrets
- tests/terraform/checks/provider
- tests/terraform/parser/resources/plan_tags/tfplan.json
- tests/terraform/runner/resources/plan/tfplan.json
- tests/terraform/runner/tf_plan_skip_check_regex/resource/skip_directory/tfplan2.json
- tests/terraform/runner/tf_plan_skip_check_regex/resource/tfplan1.json
- tests/terraform/runner/tfplan2.json
- tests/unit/test_secrets.py
- tests/terraform/runner/resources/example/example.tf
- tests/terraform/graph
- tests/terraform/checks
- /checkov/secrets/plugins/entropy_keyword_combinator.py
- /checkov/secrets/plugins/detector_utils.py
- /cdk_integration_tests/src/python/RedshiftClusterPubliclyAccessible/pass.py
- /cdk_integration_tests/src/python/RedshiftClusterEncryption/pass.py
- /cdk_integration_tests/src/python/RedshiftClusterEncryption/fail__1__.py
- /cdk_integration_tests/src/python/RedshiftClusterPubliclyAccessible/fail__1__.py
- /cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/fail__2__.py
- /cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass.py
- /cdk_integration_tests/src/typescript
- /checkov/cdk/checks/python/GlueDataCatalogEncryption.yaml
- /checkov/cdk/checks/python/GlueDataCatalogEncryption.yaml
- /checkov/cdk/checks/python/GlueDataCatalogEncryption.yaml
- /checkov/cdk/checks/python/GlueDataCatalogEncryption.yaml
- tests/terraform/runner/resources/plan_with_providers
summary-position: bottom


================================================
FILE: .github/codeql-config.yml
================================================
name: "CodeQL config"

paths-ignore:
  - tests


================================================
FILE: .github/dependabot.yml
================================================
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"


================================================
FILE: .github/exclude-patterns.txt
================================================
checkov/terraform/module_loading/loaders/github_access_token_loader.py
checkov/terraform/module_loading/loaders/git_loader.py
docs/2.Basics/Scanning Credentials and Secrets.md
docs/5.Contribution/New-Provider.md
github_action_resources/entrypoint.sh
tests/serverless/checks/aws/example_AWSCredentials/AWSCredentials-FAILED-func_level/serverless.yml
tests/serverless/checks/aws/example_AWSCredentials/AWSCredentials-FAILED-provider_level/serverless.yml
tests/serverless/checks/aws/example_AWSCredentials/AWSCredentials-FAILED-provider_level/serverless.yml
tests/serverless/checks/aws/example_AWSCredentials/AWSCredentials-FAILED-func_level/serverless.yml
tests/serverless/checks/aws/example_AWSCredentials/AWSCredentials-FAILED-provider_level/serverless.yml
tests/cloudformation/checks/resource/aws/example_EC2Credentials/EC2Credentials-FAILED.yaml
tests/cloudformation/checks/resource/aws/example_AWSCredentials/EC2Credentials-FAILED.yaml
tests/cloudformation/checks/resource/aws/example_LambdaEnvironmentCredentials/sam.yaml
tests/cloudformation/checks/resource/aws/example_LambdaEnvironmentCredentials/FAIL.yaml
tests/cloudformation/graph/checks/resources/LambdaFunction/template.yaml
tests/common/suppressions_resources/suppressions.tf
tests/secrets/.*
tests/common/utils/test_secrets_utils.py
tests/terraform/runner/resources/example/example.tf
tests/terraform/checks/resource/aws/example_EC2Credentials/main.tf
tests/terraform/checks/resource/aws/example_LambdaEnvironmentCredentials/main.tf
tests/terraform/checks/provider/aws/test_credentials.py
tests/terraform/checks/resource/aws/test_EC2Credentials.py
tests/terraform/checks/provider/ncp/test_credentials.py
tests/terraform/checks/provider/openstack/test_credentials.py
tests/terraform/module_loading/test_registry.py
tests/terraform/checks/resource/azure/example_AzureInstanceExtensions/main.tf
tests/unit/test_secrets.py
tests/terraform/runner/resources/plan/tfplan.json
tests/terraform/parser/resources/plan_tags/tfplan.json
tests/terraform/image_referencer/resources/aws/batch_tfplan.json
tests/helm/runner/resources/schema-registry
tests/common/utils/conftest.py
tests/terraform/runner/resources/get_graph_resource_entity_config/main.tf
tests/terraform/runner/tf_plan_skip_check_regex/resource/.*
tests/terraform/runner/tfplan2.json
tests/terraform/runner/resources/plan_with_providers/tfplan.json
tests/terraform/runner/resources/plan_with_providers/main.tf
.*Scans.md
.*Pipfile.lock


================================================
FILE: .github/pr-title-checker-config.json
================================================
{
  "LABEL": {
    "name": "title needs adjustment",
    "color": "EEEEEE"
  },
  "CHECKS": {
    "prefixes": [
      "chore: "
    ],
    "regexp": "^(fix|feat|break|docs|chore|platform)\\((ansible|argo|arm|azure|bicep|bitbucket|circleci|cloudformation|dockerfile|github|gha|gitlab|helm|kubernetes|kustomize|openapi|sast|sca|secrets|serverless|terraform|general|graph|terraform_plan|terraform_json)\\): "
  },
  "MESSAGES": {
    "success": "PR title is valid",
    "failure": "PR title is invalid",
    "notice": "Title needs to pass regex '(fix|feat|break|docs|chore|platform)\\((ansible|argo|arm|azure|bicep|bitbucket|circleci|cloudformation|dockerfile|github|gha|gitlab|helm|kubernetes|kustomize|openapi|sast|sca|secrets|serverless|terraform|general|graph|terraform_plan|terraform_json)\\): '"
  }
}


================================================
FILE: .github/release-changelog-config.json
================================================
{
    "categories": [
        {
            "title": "## Breaking Change",
            "labels": ["break"]
        },
        {
            "title": "## Feature",
            "labels": ["feat"]
        },
        {
            "title": "## Bug Fix",
            "labels": ["fix"]
        },
        {
            "title": "## Platform",
            "labels": ["platform"]
        },
        {
            "title": "## Documentation",
            "labels": ["docs"]
        }
    ],
    "sort": {
        "order": "ASC",
        "on_property": "title"
    },
    "template": "${{CHANGELOG}}",
    "pr_template": "- ${{TITLE}} - [#${{NUMBER}}](${{URL}})",
    "empty_template": "- no noteworthy changes",
    "label_extractor": [
        {
            "pattern": "([^\\(]+)\\(.+\\): .+",
            "on_property": "title",
            "target": "$1"
        }
    ],
    "transformers": [
        {
            "pattern": "([^\\(]+)\\(?([^\\)]+)?\\)?: (.+)",
            "target": "- **$2:** $3"
        }
    ],
    "max_pull_requests": 100,
    "max_back_track_time_days": 7
}


================================================
FILE: .github/stale.yml
================================================
# Configuration for probot-stale - https://github.com/probot/stale

# Number of days of inactivity before an Issue or Pull Request becomes stale
daysUntilStale: 180

# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
daysUntilClose: 14

# Only issues or pull requests with all of these labels are checked for staleness. Defaults to `[]` (disabled)
onlyLabels: []

# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
exemptLabels:
  - pinned
  - security
  - nostale

# Set to true to ignore issues in a project (defaults to false)
exemptProjects: false

# Set to true to ignore issues in a milestone (defaults to false)
exemptMilestones: false

# Set to true to ignore issues with an assignee (defaults to false)
exemptAssignees: false

# Label to use when marking as stale
staleLabel: stale

# Comment to post when marking as stale. Set to `false` to disable
markComment: >
  Thanks for contributing to Checkov! 
  We've automatically marked this issue as stale to keep our issues list tidy, 
  because it has not had any activity for 6 months. 
  It will be closed in 14 days if no further activity occurs. 
  Commenting on this issue will remove the stale tag.
  If you want to talk through the issue or help us understand the priority and context, 
  feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com

  Thanks! 

# Comment to post when removing the stale label.
# unmarkComment: >
#   Your comment here.

# Comment to post when closing a stale Issue or Pull Request.
closeComment: >
  Closing issue due to inactivity.
  If you feel this is in error, please re-open, or reach out to the community via slack:
  codifiedsecurity.slack.com
  Thanks!

# Limit the number of actions per hour, from 1-30. Default is 30
limitPerRun: 30

# Limit to only `issues` or `pulls`
# only: issues

# Optionally, specify configuration settings that are specific to just 'issues' or 'pulls':
# pulls:
#   daysUntilStale: 30
#   markComment: >
#     This pull request has been automatically marked as stale because it has not had
#     recent activity. It will be closed if no further activity occurs. Thank you
#     for your contributions.

# issues:
#   exemptLabels:
#     - confirmed

================================================
FILE: .github/workflows/build.yml
================================================
name: build

on:
  workflow_dispatch:
    inputs:
      versionBump:
        description: 'The part of the version to bump'
        required: true
        default: 'patch'
        type: choice
        options:
          - patch
          - minor
          - major

  push:
    branches:
      - main
    paths-ignore:
      - 'docs/**'
      - 'INTHEWILD.md'
      - 'README.md'
      - 'CHANGELOG.md'
      - '.github/**'
      - checkov/version.py
      - kubernetes/requirements.txt
      - coverage.svg
      - '.swm/**'
      - '.pre-commit-config.yaml'

permissions:
  contents: read

concurrency:
  group: 'build'
  cancel-in-progress: true

jobs:
  security:
    uses: ./.github/workflows/security-shared.yml
    secrets: inherit

  integration-tests:
    strategy:
      fail-fast: true
      matrix:
        python: ["3.10", "3.11", "3.12", "3.13"]
        os: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
        with:
          python-version: ${{ matrix.python }}
      - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e  # v3
      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78  # v3
        with:
          version: "v3.19.1"
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1  # v2
        if: ${{ runner.os != 'windows' }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      - name: Build & install checkov package
        run: |
          # remove venv, if exists
          pipenv --rm || true
          pipenv --python ${{ matrix.python }}
          pipenv run pip install pytest pytest-xdist setuptools wheel
          pipenv run python setup.py sdist bdist_wheel
          bash -c 'pipenv run pip install dist/checkov-*.whl'
      - name: Clone Terragoat - vulnerable terraform
        run: git clone https://github.com/bridgecrewio/terragoat
      - name: Clone Cfngoat - vulnerable cloudformation
        run: git clone https://github.com/bridgecrewio/cfngoat
      - name: Clone Kubernetes-goat - vulnerable kubernetes
        run: git clone https://github.com/madhuakula/kubernetes-goat
      - name: Clone kustomize-goat - vulnerable kustomize
        run: git clone https://github.com/bridgecrewio/kustomizegoat
      - name: Create checkov reports
        run: |
          # Just making sure the API key tests don't run on PRs
          bash -c './integration_tests/prepare_data.sh "${{ matrix.os }}" "${{ matrix.python }}"'
        env:
          LOG_LEVEL: INFO
          BC_KEY: ${{ secrets.PRISMA_KEY_API2 }}
          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
          TF_REGISTRY_TOKEN: ${{ secrets.TFC_TOKEN }}
          GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
      - name: Run integration tests
        run: |
          pipenv run pytest integration_tests

  integration-tests-old-python:
    strategy:
      fail-fast: true
      matrix:
        python: ["3.9"]
        os: [ubuntu-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
        with:
          python-version: ${{ matrix.python }}
      - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e  # v3
      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78  # v3
        with:
          version: "v3.19.1"
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1  # v2
        if: ${{ runner.os != 'windows' }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      - name: Build & install checkov package
        run: |
          # remove venv, if exists
          pipenv --rm || true
          pipenv --python ${{ matrix.python }}
          pipenv run pip install pytest pytest-xdist setuptools wheel
          pipenv run python setup.py sdist bdist_wheel
          bash -c 'pipenv run pip install dist/checkov-*.whl'
      - name: Clone Terragoat - vulnerable terraform
        run: git clone https://github.com/bridgecrewio/terragoat
      - name: Clone Cfngoat - vulnerable cloudformation
        run: git clone https://github.com/bridgecrewio/cfngoat
      - name: Clone Kubernetes-goat - vulnerable kubernetes
        run: git clone https://github.com/madhuakula/kubernetes-goat
      - name: Clone kustomize-goat - vulnerable kustomize
        run: git clone https://github.com/bridgecrewio/kustomizegoat
      - name: Create checkov reports
        run: |
          # Just making sure the API key tests don't run on PRs
          bash -c './integration_tests/prepare_data.sh "${{ matrix.os }}" "${{ matrix.python }}"'
        env:
          LOG_LEVEL: INFO
          BC_KEY: ${{ secrets.PRISMA_KEY_API2 }}
          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
          TF_REGISTRY_TOKEN: ${{ secrets.TFC_TOKEN }}
          GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
      - name: Run integration tests
        run: |
          pipenv run pytest integration_tests

  prisma-tests:
    runs-on: [ self-hosted, public, linux, x64 ]
    env:
      PYTHON_VERSION: "3.9"
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      - name: Build & install checkov package
        run: |
          # remove venv, if exists
          pipenv --rm || true
          pipenv --python ${{ env.PYTHON_VERSION }}
          pipenv run pip install pytest pytest-xdist
          pipenv run python setup.py sdist bdist_wheel
          bash -c 'pipenv run pip install dist/checkov-*.whl'
      - name: Clone Terragoat - vulnerable terraform
        run: git clone https://github.com/bridgecrewio/terragoat
      - name: Run checkov with Prisma creds
        env:
          PRISMA_KEY: ${{ secrets.PRISMA_KEY_API2 }}
          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
        run: |
          pipenv run checkov -s -d terragoat --bc-api-key "$PRISMA_KEY" --repo-id yuvalyacoby/terragoat > checkov_report_prisma.txt
          grep "prismacloud.io" checkov_report_prisma.txt
          exit $?
  sast-integration-tests:
    strategy:
      fail-fast: true
      matrix:
        python: ["3.10", "3.11", "3.12", "3.13"]
        os: [ubuntu-latest, macos-latest]
    runs-on: ${{ matrix.os }}
    continue-on-error: true # for now it is ok to fail
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
        with:
          python-version: ${{ matrix.python }}
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      - name: Build & install checkov package
        run: |
          # remove venv, if exists
          pipenv --rm || true
          pipenv --python ${{ matrix.python }}
          pipenv run pip install pytest pytest-xdist setuptools wheel
          pipenv run python setup.py sdist bdist_wheel
          bash -c 'pipenv run pip install dist/checkov-*.whl'
      - name: Clone flask - Python repo for SAST
        run: git clone https://github.com/pallets/flask
      - name: Clone WebGoat - Java repo for SAST
        run: git clone https://github.com/WebGoat/WebGoat
      - name: Clone axios - JavaScript repo for SAST
        run: git clone https://github.com/axios/axios
      - name: Create checkov reports
        env:
          LOG_LEVEL: INFO
          BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
        run: bash -c './sast_integration_tests/prepare_data.sh'
      - name: Run integration tests
        run: |
          pipenv run pytest sast_integration_tests

  sast-integration-tests-old-python:
    strategy:
      fail-fast: true
      matrix:
        python: ["3.9"]
        os: [ubuntu-latest]
    runs-on: ${{ matrix.os }}
    continue-on-error: true # for now it is ok to fail
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
        with:
          python-version: ${{ matrix.python }}
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      - name: Build & install checkov package
        run: |
          # remove venv, if exists
          pipenv --rm || true
          pipenv --python ${{ matrix.python }}
          pipenv run pip install pytest pytest-xdist setuptools wheel
          pipenv run python setup.py sdist bdist_wheel
          bash -c 'pipenv run pip install dist/checkov-*.whl'
      - name: Clone flask - Python repo for SAST
        run: git clone https://github.com/pallets/flask
      - name: Clone WebGoat - Java repo for SAST
        run: git clone https://github.com/WebGoat/WebGoat
      - name: Clone axios - JavaScript repo for SAST
        run: git clone https://github.com/axios/axios
      - name: Create checkov reports
        env:
          LOG_LEVEL: INFO
          BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
        run: bash -c './sast_integration_tests/prepare_data.sh'
      - name: Run integration tests
        run: |
          pipenv run pytest sast_integration_tests

  unit-tests:
    timeout-minutes: 30
    runs-on: ubuntu-latest
    env:
      PYTHON_VERSION: "3.9"
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78  # v3
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1  # v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      - name: Install dependencies
        run: |
          # remove venv, if exists
          pipenv --rm || true
          pipenv --python ${{ env.PYTHON_VERSION }}
          pipenv install --dev
      - name: Test with pytest
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          IS_TEST: true
        run: |
          pipenv run python -m pytest tests
  bump-version:
    needs: [integration-tests, unit-tests, prisma-tests, sast-integration-tests, integration-tests-old-python, sast-integration-tests-old-python]
    runs-on: [self-hosted, public, linux, x64]
    environment: release
    permissions:
      contents: write
      # IMPORTANT: this permission is mandatory for trusted publishing to pypi
      id-token: write
    timeout-minutes: 30
    env:
      PYTHON_VERSION: "3.9"
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
        with:
          token: ${{ secrets.GH_PAT_SECRET }}
      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec  # v5
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      - name: Install dependencies
        run: |
          # remove venv, if exists
          pipenv --rm || true
          pipenv --python ${{ env.PYTHON_VERSION }}
          pipenv install
      - name: Calculate version
        run: |
          git fetch --tags --force
          latest_tag="$(git tag --sort=v:refname | tail -n 1)"
          echo "latest tag: $latest_tag"
          if [[ -z "${{ inputs.versionBump }}" ]]
          then
            version="patch"
          else
            version="${{ inputs.versionBump }}"
          fi
          case $version in
            minor)
              new_tag=$(echo "$latest_tag" | awk -F. -v a="$1" -v b="$2" -v c="$3" '{printf("%d.%d.%d", $1+a, $2+b+1 , 0)}')
              ;;
            major)
              new_tag=$(echo "$latest_tag" | awk -F. -v a="$1" -v b="$2" -v c="$3" '{printf("%d.%d.%d", $1+a+1, 0 , 0)}')
              ;;
            patch)
              new_tag=$(echo "$latest_tag" | awk -F. -v a="$1" -v b="$2" -v c="$3" '{printf("%d.%d.%d", $1+a, $2+b , $3+1)}')
              ;;
          esac

          echo "new tag: $new_tag"
          echo "version=$new_tag" >> "$GITHUB_OUTPUT"
          
          # grab major version (everything before the first dot) for later image tag usage
          major_version="${new_tag%%.*}"
          echo "major_version=$major_version" >> "$GITHUB_OUTPUT"
        id: calculateVersion
      - name: version
        env:
          GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }}
        run: |
          ## update docs
          export PYTHONPATH='.'
          # change the doc links to proper markdown versions
          export CHECKOV_CREATE_MARKDOWN_HYPERLINKS='True'
          git pull

          for i in cloudformation terraform kubernetes serverless arm dockerfile secrets github_configuration gitlab_configuration bitbucket_configuration github_actions gitlab_ci bicep openapi bitbucket_pipelines argo_workflows circleci_pipelines azure_pipelines ansible all
          do
            export scansdoc="docs/5.Policy Index/$i.md"
            echo "---" > "$scansdoc"
            echo "layout: default" >> "$scansdoc"
            echo "title: $i resource scans" >> "$scansdoc"
            echo "nav_order: 1" >> "$scansdoc"
            echo "---" >> "$scansdoc"
            echo "" >> "$scansdoc"
            echo "# $i resource scans (auto generated)" >> "$scansdoc"
            echo "" >> "$scansdoc"
            pipenv run python checkov/main.py --list --framework "$i" >> "$scansdoc"
          done

          #add cloudformation scans to serverless
          export scansdoc="docs/5.Policy Index/serverless.md"
          pipenv run python checkov/main.py --list --framework cloudformation >> "$scansdoc"
          git add "docs/5.Policy Index/*"
          git commit --reuse-message="HEAD@{1}" || echo "No changes to commit"
          
          git config --global user.name 'GitHub Actions Bot'
          git config --global user.email 'actions@github.com'
          
          new_tag=${{ steps.calculateVersion.outputs.version }}
          echo "new tag: $new_tag"
          ## update python version
          echo "version = '$new_tag'" > 'checkov/version.py'
          echo "checkov==$new_tag" > 'kubernetes/requirements.txt'

          git commit --reuse-message="HEAD@{1}" checkov/version.py kubernetes/requirements.txt || echo "No changes to commit"
          git push origin
          git tag $new_tag
          git push --tags
        id: version
      - name: create python package
        run: |
          pipenv run python setup.py sdist bdist_wheel
      - name: Publish a Python distribution to PyPI
        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc  # v1
      - name: sleep and wait for package to refresh
        run: |
          sleep 2m
    outputs:
      version: ${{ steps.calculateVersion.outputs.version }}
      major_version: ${{ steps.calculateVersion.outputs.major_version }}
  publish-checkov-dockerhub:
    needs: bump-version
    uses: bridgecrewio/gha-reusable-workflows/.github/workflows/publish-image.yaml@main
    permissions:
      contents: read
      id-token: write  # Enable OIDC
      packages: write
    with:
      image_name_dockerhub: bridgecrew/checkov
      image_name_ghcr: ghcr.io/${{ github.repository }}
      image_tag_full: ${{ needs.bump-version.outputs.version }}
      image_tag_short: ${{ needs.bump-version.outputs.major_version }}
      runner: "['self-hosted', 'public', 'linux', 'x64']"
    secrets:
      BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
      PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
      DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
  publish-checkov-k8s-dockerhub:
    needs: bump-version
    uses: bridgecrewio/gha-reusable-workflows/.github/workflows/publish-image.yaml@main
    permissions:
      contents: read
      id-token: write  # Enable OIDC
      packages: write
    with:
      image_name_dockerhub: bridgecrew/checkov-k8s
      image_name_ghcr: ghcr.io/${{ github.repository }}-k8s
      image_tag_full: ${{ needs.bump-version.outputs.version }}
      image_tag_short: ${{ needs.bump-version.outputs.major_version }}
      dockerfile_path: kubernetes/Dockerfile
      runner: "['self-hosted', 'public', 'linux', 'x64']"
    secrets:
      BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
      PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
      DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
  update-bridgecrew-projects:
    needs: publish-checkov-dockerhub
    runs-on: [self-hosted, public, linux, x64]
    environment: release
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
      - name: update checkov release
        run: |
          curl -X POST "https://jenkins-webhook.bridgecrew.cloud/buildByToken/build?job=Open-Source/upgrade-checkov&token=${{ secrets.BC_JENKINS_TOKEN }}"

          # trigger checkov-action update
          curl -XPOST -u "${{ secrets.GH_PAT_USER}}:${{secrets.GH_PAT_SECRET}}" -H "Accept: application/vnd.github.everest-preview+json" -H "Content-Type: application/json" https://api.github.com/repos/bridgecrewio/checkov-action/dispatches --data '{"event_type": "build"}'

          # trigger bridgecrew-py update
          curl -XPOST -u "${{ secrets.GH_PAT_USER}}:${{secrets.GH_PAT_SECRET}}" -H "Accept: application/vnd.github.everest-preview+json" -H "Content-Type: application/json" https://api.github.com/repos/bridgecrewio/bridgecrew-py/dispatches --data '{"event_type": "build"}'

          # trigger whorf update
          curl -XPOST -u "${{ secrets.GH_PAT_USER}}:${{secrets.GH_PAT_SECRET}}" -H "Accept: application/vnd.github.everest-preview+json" -H "Content-Type: application/json" https://api.github.com/repos/bridgecrewio/whorf/dispatches --data '{"event_type": "release"}'


================================================
FILE: .github/workflows/codeql-analysis.yml
================================================
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL"

on:
  push:
    branches: [ main ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ main ]
  schedule:
    - cron: '17 4 * * 2'
  workflow_dispatch:

permissions:
  contents: read

jobs:
  analyze:
    name: Analyze
    runs-on: [self-hosted, public, linux, x64]
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
      - name: Set up Python
        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
        with:
          python-version: '3.10'
      - name: Setup python for CodeQL
        run: |
          python -m pip install --no-cache-dir --upgrade pip pipenv
          echo "CODEQL_PYTHON=$(which python)" >> "$GITHUB_ENV"
      - name: Check Pipfile.lock changed
        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf  # v13
        id: changed_files
        with:
          files: Pipfile.lock
      - name: Setup dependencies if they changed
        if: steps.changed_files.outputs.files_changed == 'true'
        run: |
          pipenv lock -r > requirements.txt
          pip install -r requirements.txt
      - name: Initialize CodeQL
        uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47  # v2
        with:
          languages: python
          setup-python-dependencies: false
          config-file: ./.github/codeql-config.yml
      - name: Autobuild
        uses: github/codeql-action/autobuild@45775bd8235c68ba998cffa5171334d58593da47  # v2
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47  # v2


================================================
FILE: .github/workflows/coverage.yaml
================================================
name: Coverage

on:
  schedule:
    - cron: '0 0 * * 0'
  workflow_dispatch:

permissions:
  contents: read

jobs:
  update-coverage:
    runs-on: [ self-hosted, public, linux, x64 ]
    permissions:
      contents: write
    environment: release
    env:
      PYTHON_VERSION: "3.9"
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
        with:
          token: ${{ secrets.GH_PAT_SECRET }}
      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec  # v5
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78  # v3
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1  # v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      - name: Install dependencies
        run: |
          # remove venv, if exists
          pipenv --rm || true
          pipenv --python ${{ env.PYTHON_VERSION }}
          pipenv install --dev
          pipenv run pip install pytest
      - name: Test with pytest
        run: |
          pipenv run pytest --cov-report term --cov=checkov tests
          pipenv run python -m coverage_badge -o coverage.svg -f
          git commit -m "Update coverage" coverage.svg || echo "No changes to commit"


================================================
FILE: .github/workflows/jekyll-gh-pages.yml
================================================
# Sample workflow for building and deploying a Jekyll site to GitHub Pages
name: Deploy Jekyll with GitHub Pages dependencies preinstalled

on:
  # Runs on pushes targeting the default branch
  push:
    branches: ["main"]

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
permissions:
  contents: read
  pages: write
  id-token: write

# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
concurrency:
  group: "pages"
  cancel-in-progress: false

jobs:
  # Build job
  build:
    runs-on: [self-hosted, public, linux, x64]
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
      - name: Setup Pages
        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b  # v3
      - name: Build with Jekyll
        uses: actions/jekyll-build-pages@44a6e6beabd48582f863aeeb6cb2151cc1716697  # v1
        with:
          source: ./docs
          destination: ./_site
      - name: Upload artifact
        uses: actions/upload-pages-artifact@0252fc4ba7626f0298f0cf00902a25c6afc77fa8  # v2

  # Deployment job
  deploy:
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    runs-on: [self-hosted, public, linux, x64]
    needs: build
    steps:
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e  # v2


================================================
FILE: .github/workflows/nightly.yml
================================================
name: Nightly Run

on:
  schedule:
    # daily at 23:00 UTC
    - cron: "0 23 * * *"
  workflow_dispatch:

permissions:
  contents: read

jobs:
  github-release:
    runs-on: [self-hosted, public, linux, x64]
    environment: release
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
        with:
          fetch-depth: 0
          token: ${{ secrets.GH_PAT_SECRET }}
      - name: Prepare Release
        id: prepare_release
        run: |
          # grab latest release and tag to compare and decide to create a new one
          create_release=true
          latest_gh_release=$(curl -s "https://api.github.com/repos/${{ github.repository }}/releases/latest"  | grep -Po '"tag_name": "\K.*?(?=")')
          latest_tag=$(git describe --abbrev=0 --tags)

          if [ "$latest_gh_release" = "$latest_tag" ]
          then
            create_release=false
          fi

          echo "create_release=$create_release" >> "$GITHUB_OUTPUT"
          echo "latest_release_version=$latest_gh_release" >> "$GITHUB_OUTPUT"
          echo "version=$latest_tag" >> "$GITHUB_OUTPUT"
      - name: Build GitHub Release changelog
        if: steps.prepare_release.outputs.create_release == 'true'
        id: build_github_release
        uses: mikepenz/release-changelog-builder-action@5f3409748e2230350e149a7f7b5b8e9bcd785d44  # v3
        env:
          GITHUB_TOKEN: ${{ secrets.GH_PAT_SECRET }}
        with:
          configuration: ".github/release-changelog-config.json"
          fromTag: ${{ steps.prepare_release.outputs.latest_release_version }}
          toTag: ${{ steps.prepare_release.outputs.version }}
      - name: Create GitHub Release
        if: steps.build_github_release.outputs.changelog != ''
        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631  # v2.2.2
        id: create_github_release
        with:
          tag_name: ${{ steps.prepare_release.outputs.version }}
          name: ${{ steps.prepare_release.outputs.version }}
          body: ${{ steps.build_github_release.outputs.changelog }}
      - name: Update CHANGELOG.md
        if: steps.build_github_release.outputs.changelog != ''
        uses: stefanzweifel/changelog-updater-action@a938690fad7edf25368f37e43a1ed1b34303eb36  # v1
        with:
          latest-version: ${{ steps.prepare_release.outputs.version }}
          release-notes: ${{ steps.build_github_release.outputs.changelog }}
      - name: Commit updated CHANGELOG.md
        if: steps.build_github_release.outputs.changelog != ''
        uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403  # v5
        with:
          commit_message: "chore: update release notes"
          file_pattern: CHANGELOG.md
    outputs:
      upload_url: ${{ steps.create_github_release.outputs.upload_url }}
      version: ${{ steps.prepare_release.outputs.version }}
  build-release-artifacts:
    strategy:
      matrix:
        include:
          - os: macos-latest
            name: darwin
            suffix: ''
          - os: ubuntu-latest
            name: linux
            suffix: ''
          - os: windows-latest
            name: windows
            suffix: '.exe'
    needs: [github-release]
    if: needs.github-release.outputs.upload_url != ''
    runs-on: ${{ matrix.os }}
    permissions:
      contents: write
    env:
      PYTHON_VERSION: "3.9"
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      - name: Install deps and run pyinstaller
        run: |
          pipenv sync
          pipenv run pip install pyinstaller
      - name: Build executable
        run: pipenv run pyinstaller checkov.spec
      - name: Windows - Test executable
        if: matrix.os == 'windows-latest'
        shell: bash
        # make sure it doesn't crash
        run: ./dist/checkov.exe -s -d tests/terraform/checks/resource/alicloud
      - name: Windows - zip artifact
        if: matrix.os == 'windows-latest'
        run: tar.exe -a -c -f checkov.zip dist\\checkov.exe
      - name: Linux/Mac - Test executable
        if: matrix.os != 'windows-latest'
        # make sure it doesn't crash
        run: ./dist/checkov -s -d tests/terraform/checks/resource/alicloud
      - name: Linux/Mac - zip artifact
        if: matrix.os != 'windows-latest'
        run: zip checkov.zip dist/checkov
      - name: Upload Release Asset
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.github-release.outputs.upload_url }}
          asset_path: checkov.zip
          asset_name: checkov_${{ matrix.name }}_X86_64.zip
          asset_content_type: application/zip
  build-release-artifact-linux-arm:
    needs: [ github-release ]
    if: needs.github-release.outputs.upload_url != ''
    runs-on: [self-hosted, public, linux, arm64]
    container:
      image: arm64v8/python:3.9
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      - name: Install deps and run pyinstaller
        run: |
          pipenv sync
          pipenv run pip install pyinstaller
      - name: Build executable
        run: pipenv run pyinstaller checkov.spec
      - name: zip artifact
        run: |
          apt-get update
          apt-get install -y zip
          zip checkov.zip dist/checkov
      - name: Upload Release Asset
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.github-release.outputs.upload_url }}
          asset_path: checkov.zip
          asset_name: checkov_linux_arm64.zip
          asset_content_type: application/zip


================================================
FILE: .github/workflows/pipenv-update.yml
================================================
name: pipenv-update
on:
  schedule:
    - cron:  '8 22 * * 1'
  workflow_dispatch:

permissions:
  contents: read

jobs:
  pipenv-update:
    runs-on: [self-hosted, public, linux, x64]
    permissions:
      contents: write
      pull-requests: write
    env:
      PYTHON_VERSION: "3.9"
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
        with:
          ref: ${{ github.head_ref }}
          token: ${{ secrets.GH_PAT_SECRET }}
      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec  # v5
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      - run: |
          git config --local user.email "action@github.com"
          git config --local user.name "GitHub Action"
          pipenv update
          git add -u
          git commit -m "update pipenv packages"
        env:
          GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }}
      - name: Create Pull Request
        id: cpr
        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e  # v5
        with:
          token: ${{ secrets.PAT_TOKEN }}
          title: '[AUTO-PR] Update pipenv packages'
          body: |
            bump pipenv packages
            - Auto-generated by [pipenv-update github action](https://github.com/bridgecrewio/checkov/blob/main/.github/workflows/pipenv-update.yml)
          labels: automated pr
          branch: pipenvfix
          branch-suffix: timestamp


================================================
FILE: .github/workflows/pr-test.yml
================================================
name: PR Test

on: pull_request

permissions:
  contents: read

jobs:
  lint:
    uses: bridgecrewio/gha-reusable-workflows/.github/workflows/pre-commit.yaml@main
    with:
      python-version: "3.9"

  danger-check:
    runs-on: [ self-hosted, public, linux, x64 ]
    permissions:
      contents: read
      pull-requests: read
    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
      - name: Install Node.js
        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e  # v4
        with:
          node-version: "16"
      - name: Install and run DangerJS
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          npm install -g danger
          danger ci --verbose --failOnErrors
  cfn-lint:
    runs-on: ubuntu-latest
    env:
      PYTHON_VERSION: "3.9"
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - name: Get changed CFN test files
        id: changed-files-specific
        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v44
        with:
          files: tests/cloudformation/checks/resource/aws/**/*
      - name: Filter YAML and JSON files
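        if: steps.changed-files-specific.outputs.any_changed == 'true'
        id: filter-files
        env:
          # pass the changed file list via the environment, so PR-controlled file names are never interpolated into the script
          ALL_CHANGED_FILES: ${{ steps.changed-files-specific.outputs.all_changed_files }}
        run: |
          YAML_JSON_FILES=$(echo "$ALL_CHANGED_FILES" \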
            | tr ' ' '\n' \
            | grep -E '\.ya?ml$|\.json$' \
            | grep -v 'sam\.yaml$' \
            | tr '\n' ' ')
          if [ -n "$YAML_JSON_FILES" ]; then
            echo "YAML_JSON_FILES=$YAML_JSON_FILES" >> "$GITHUB_ENV"
          fi
      - name: Install cfn-lint & Lint Cloudformation templates
        if: env.YAML_JSON_FILES != ''
        run: |
          pip install -U cfn-lint
          for file in $YAML_JSON_FILES; do
            cfn-lint "$file" -i W
          done

  mypy:
    uses: bridgecrewio/gha-reusable-workflows/.github/workflows/mypy.yaml@main
    with:
      python-version: "3.9"

  unit-tests:
    strategy:
      fail-fast: true
      matrix:
        python: ["3.9", "3.10", "3.11", "3.12", "3.13"]
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
      - name: Set up Python ${{ matrix.python }}
        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
        with:
          python-version: ${{ matrix.python }}
          allow-prereleases: true
          cache: "pipenv"
          cache-dependency-path: "Pipfile.lock"
      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78  # v3
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1  # v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Install pipenv
        run: |
          if [ "${{ matrix.python }}" = "3.12" ] || [ "${{ matrix.python }}" = "3.13" ]; then
            # needed for numpy
            python -m pip install --no-cache-dir --upgrade pipenv==2024.4.0
          else
            python -m pip install --no-cache-dir --upgrade pipenv
          fi
      - name: Install dependencies
        run: |
          # remove venv, if exists
          pipenv --rm || true
          pipenv --python ${{ matrix.python }}

          if [ "${{ matrix.python }}" = "3.12" ] || [ "${{ matrix.python }}" = "3.13" ]; then
            echo "patching >3.12 issues"
            pipenv run pip install setuptools
            # needed for numpy
            pipenv install --skip-lock --dev -v
          else
            pipenv install --dev -v
          fi

          # list all dependencies to get a better view about installed package versions
          pipenv run pip list

      - name: Unit tests
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: pipenv run python -m pytest tests

  integration-tests:
    strategy:
      fail-fast: true
      matrix:
        python: ["3.10", "3.11", "3.12", "3.13"]
        os: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
        with:
          python-version: ${{ matrix.python }}
          allow-prereleases: true
          cache: "pipenv"
          cache-dependency-path: "Pipfile.lock"
      - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e  # v4
      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78  # v3
        with:
          version: "v3.19.1"  # the tests break starting v4 as checkov cannot support it, needs to be investigated
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1  # v2
        if: ${{ runner.os != 'windows' }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      - name: Build & install checkov package
        shell: bash
        run: |
          # remove venv, if exists
          pipenv --rm || true
          pipenv --python ${{ matrix.python }}
          pipenv run pip install pytest pytest-xdist setuptools wheel
          pipenv run python setup.py sdist bdist_wheel
          bash -c 'pipenv run pip install dist/checkov-*.whl'
      - name: Clone Terragoat - vulnerable terraform
        run: git clone https://github.com/bridgecrewio/terragoat
      - name: Clone Cfngoat - vulnerable cloudformation
        run: git clone https://github.com/bridgecrewio/cfngoat
      - name: Clone Kubernetes-goat - vulnerable kubernetes
        run: git clone https://github.com/madhuakula/kubernetes-goat
      - name: Clone kustomize-goat - vulnerable kustomize
        run: git clone https://github.com/bridgecrewio/kustomizegoat
      - name: Create checkov reports
        env:
          LOG_LEVEL: INFO
          BC_KEY: ${{ secrets.PRISMA_KEY_API2 }}
          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
        run: |
          # Just making sure the API key tests don't run on PRs
          bash -c './integration_tests/prepare_data.sh ${{ matrix.os }} 3.9'
      - name: Run integration tests
        run: |
          pipenv run pytest integration_tests -k 'not api_key'

  integration-tests-old-python:
    strategy:
      fail-fast: true
      matrix:
        python: ["3.9"]
        os: [ubuntu-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
        with:
          python-version: ${{ matrix.python }}
          allow-prereleases: true
          cache: "pipenv"
          cache-dependency-path: "Pipfile.lock"
      - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e  # v4
      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78  # v3
        with:
          version: "v3.19.1"
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1  # v2
        if: ${{ runner.os != 'windows' }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      - name: Build & install checkov package
        shell: bash
        run: |
          # remove venv, if exists
          pipenv --rm || true
          pipenv --python ${{ matrix.python }}
          pipenv run pip install pytest pytest-xdist setuptools wheel
          pipenv run python setup.py sdist bdist_wheel
          bash -c 'pipenv run pip install dist/checkov-*.whl'
      - name: Clone Terragoat - vulnerable terraform
        run: git clone https://github.com/bridgecrewio/terragoat
      - name: Clone Cfngoat - vulnerable cloudformation
        run: git clone https://github.com/bridgecrewio/cfngoat
      - name: Clone Kubernetes-goat - vulnerable kubernetes
        run: git clone https://github.com/madhuakula/kubernetes-goat
      - name: Clone kustomize-goat - vulnerable kustomize
        run: git clone https://github.com/bridgecrewio/kustomizegoat
      - name: Create checkov reports
        env:
          LOG_LEVEL: INFO
          BC_KEY: ${{ secrets.PRISMA_KEY_API2 }}
          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
        run: |
          # Just making sure the API key tests don't run on PRs
          bash -c './integration_tests/prepare_data.sh ${{ matrix.os }} 3.9'
      - name: Run integration tests
        run: |
          pipenv run pytest integration_tests -k 'not api_key'

  sast-integration-tests:
    strategy:
      fail-fast: true
      matrix:
        python: ["3.12", "3.13"]
        os: [ubuntu-latest, macos-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
        with:
          python-version: ${{ matrix.python }}
          allow-prereleases: true
          cache: "pipenv"
          cache-dependency-path: "Pipfile.lock"
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      - name: Build & install checkov package
        run: |
          # remove venv, if exists
          pipenv --rm || true
          pipenv --python ${{ matrix.python }}
          pipenv run pip install pytest pytest-xdist setuptools wheel
          pipenv run python setup.py sdist bdist_wheel
          bash -c 'pipenv run pip install dist/checkov-*.whl'
      - name: Clone flask - Python repo for SAST
        run: git clone https://github.com/pallets/flask
      - name: Clone WebGoat - Java repo for SAST
        run: git clone https://github.com/WebGoat/WebGoat
      - name: Clone axios - JavaScript repo for SAST
        run: git clone https://github.com/axios/axios
      - name: Create checkov reports
        env:
          LOG_LEVEL: INFO
          BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
        if: env.BC_API_KEY != null
        run: bash -c './sast_integration_tests/prepare_data.sh'
      - name: Run integration tests
        env:
          LOG_LEVEL: INFO
          BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
        if: env.BC_API_KEY != null
        run: |
          pipenv run pytest sast_integration_tests

  sast-integration-tests-old-python:
    strategy:
      fail-fast: true
      matrix:
        python: ["3.9"]
        os: [ubuntu-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
        with:
          python-version: ${{ matrix.python }}
          allow-prereleases: true
          cache: "pipenv"
          cache-dependency-path: "Pipfile.lock"
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      - name: Build & install checkov package
        run: |
          # remove venv, if exists
          pipenv --rm || true
          pipenv --python ${{ matrix.python }}
          pipenv run pip install pytest pytest-xdist setuptools wheel
          pipenv run python setup.py sdist bdist_wheel
          bash -c 'pipenv run pip install dist/checkov-*.whl'
      - name: Clone flask - Python repo for SAST
        run: git clone https://github.com/pallets/flask
      - name: Clone WebGoat - Java repo for SAST
        run: git clone https://github.com/WebGoat/WebGoat
      - name: Clone axios - JavaScript repo for SAST
        run: git clone https://github.com/axios/axios
      - name: Create checkov reports
        env:
          LOG_LEVEL: INFO
          BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
        if: env.BC_API_KEY != null
        run: bash -c './sast_integration_tests/prepare_data.sh'
      - name: Run integration tests
        env:
          LOG_LEVEL: INFO
          BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
        if: env.BC_API_KEY != null
        run: |
          pipenv run pytest sast_integration_tests

  cdk-integration-tests:
    strategy:
      fail-fast: true
      matrix:
        python: ["3.12", "3.13"]
        os: [ubuntu-latest, macos-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
        with:
          python-version: ${{ matrix.python }}
          allow-prereleases: true
          cache: "pipenv"
          cache-dependency-path: "Pipfile.lock"
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      - name: Build & install checkov package
        run: |
          # remove venv, if exists
          pipenv --rm || true
          pipenv --python ${{ matrix.python }}
          pipenv run pip install pytest pytest-xdist setuptools wheel
          pipenv run python setup.py sdist bdist_wheel
          bash -c 'pipenv run pip install dist/checkov-*.whl'
      - name: Create checkov reports
        env:
          LOG_LEVEL: INFO
          BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
        if: env.BC_API_KEY != null
        run: bash -c './cdk_integration_tests/prepare_data.sh'
      - name: Run integration tests
        env:
          LOG_LEVEL: INFO
          BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
        if: env.BC_API_KEY != null
        run: |
          pipenv run pytest cdk_integration_tests

  cdk-integration-tests-old-python:
    strategy:
      fail-fast: true
      matrix:
        python: ["3.9"]
        os: [ubuntu-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
        with:
          python-version: ${{ matrix.python }}
          allow-prereleases: true
          cache: "pipenv"
          cache-dependency-path: "Pipfile.lock"
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      - name: Build & install checkov package
        run: |
          # remove venv, if exists
          pipenv --rm || true
          pipenv --python ${{ matrix.python }}
          pipenv run pip install pytest pytest-xdist setuptools wheel
          pipenv run python setup.py sdist bdist_wheel
          bash -c 'pipenv run pip install dist/checkov-*.whl'
      - name: Create checkov reports
        env:
          LOG_LEVEL: INFO
          BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
        if: env.BC_API_KEY != null
        run: bash -c './cdk_integration_tests/prepare_data.sh'
      - name: Run integration tests
        env:
          LOG_LEVEL: INFO
          BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
        if: env.BC_API_KEY != null
        run: |
          pipenv run pytest cdk_integration_tests

  performance-tests:
    env:
      PYTHON_VERSION: "3.9"
      working-directory: ./performance_tests
    runs-on: [self-hosted, public, linux, x64]
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: "pipenv"
          cache-dependency-path: "Pipfile.lock"
      - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e  # v4
      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78  # v3
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1  # v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      - name: Build & install checkov package
        run: |
          # remove venv, if exists
          pipenv --rm || true
          pipenv --python ${{ env.PYTHON_VERSION }}
          # 'py' package is used in 'pytest-benchmark', but 'pytest' removed it in their latest version
          pipenv run pip install pytest pytest-benchmark py
          pipenv run python setup.py sdist bdist_wheel
          bash -c 'pipenv run pip install dist/checkov-*.whl'
      - name: Clone terraform-aws-components
        run: git clone --branch 0.182.0 https://github.com/cloudposse/terraform-aws-components.git
        working-directory: ${{ env.working-directory }}
      - name: Clone aws-cloudformation-templates
        run: git clone --branch 0.0.1 https://github.com/awslabs/aws-cloudformation-templates.git
        working-directory: ${{ env.working-directory }}
      - name: Clone kubernetes-yaml-templates
        run: git clone https://github.com/dennyzhang/kubernetes-yaml-templates.git
        working-directory: ${{ env.working-directory }}
# TODO: migrate to separate performance tests
#      - name: Clone Python-Mini-Projects
#        run: git clone https://github.com/alimoustafa2000/Python-Mini-Projects.git
#        working-directory: ${{ env.working-directory }}
#      - name: Clone NodeJs
#        run: git clone https://github.com/harshitbansal373/NodeJs.git
#        working-directory: ${{ env.working-directory }}
#      - name: Clone Mini-Project-using-Java
#        run: git clone https://github.com/ikanurfitriani/Mini-Project-using-Java.git
#        working-directory: ${{ env.working-directory }}
      - name: Run performance tests
        run: |
          pipenv run pytest
        working-directory: ${{ env.working-directory }}

  dogfood-tests:
    runs-on: ubuntu-latest
    env:
      PYTHON_VERSION: "3.9"
      WORKING_DIRECTORY: ./dogfood_tests
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: "pipenv"
          cache-dependency-path: "Pipfile.lock"
      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78  # v3
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1  # v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv

      - name: Build & install checkov package
        run: |
          # remove venv, if exists
          pipenv --rm || true
          pipenv --python ${{ env.PYTHON_VERSION }}
          pipenv run pip install pytest pytest-xdist
          pipenv run python setup.py sdist bdist_wheel
          bash -c 'pipenv run pip install dist/checkov-*.whl'
      - name: Run dogfood tests
        run: |
          pipenv run pytest
        working-directory: ${{ env.WORKING_DIRECTORY }}

  eval-keys-test:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3

      - name: Get changed Python files
        id: changed-files
        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v44
        with:
          files: checkov/**/*.py

      - name: Validate 'BaseResourceCheck' use contains eval keys
        if: steps.changed-files.outputs.any_changed == 'true'
        env:
          # pass the changed file list via the environment, so PR-controlled file names are never interpolated into the script
          ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
        run: |
          # Define an array of exceptions (files to skip)
          EXCEPTIONS=(
            "base_resource_check.py"
            "VPCDefaultNetwork.py"
            "IAMUserNotUsedForAccess.py"  # Whole Resource type check
          )

          echo "Changed files:"
          echo "$ALL_CHANGED_FILES"

          EXIT_CODE=0
          IFS=$'\n'  # Change Internal Field Separator to handle spaces in filenames too
          for file in $(echo "$ALL_CHANGED_FILES" | tr ',' '\n'); do
            # Check if the file is in the list of exceptions
            SKIP_FILE="false"
            for exception in "${EXCEPTIONS[@]}"; do
              # If the file ends with one of the exception file names, skip it
              if [[ "$file" == *"$exception" ]]; then
                echo "Skipping $file (allowed exception)"
                SKIP_FILE="true"
                break
              fi
            done
          
            # Only run checks if not in exceptions list
            if [[ "$SKIP_FILE" == "false" ]]; then
              # If file contains 'BaseResourceCheck', check for 'get_inspected_key' or 'evaluated_keys'
              if grep -q "BaseResourceCheck" "$file"; then
                if ! grep -q "get_inspected_key" "$file" && ! grep -q "evaluated_keys" "$file"; then
                  echo "ERROR: $file has BaseResourceCheck but does NOT contain 'get_inspected_key' or 'evaluated_keys'"
                  EXIT_CODE=1
                fi
              fi
            fi
          done
          unset IFS  # Restore IFS to default
          
          # Fail the job if any file violated the rule
          if [ "$EXIT_CODE" -ne 0 ]; then
            echo "One or more files did not satisfy the requirement."
            exit 1
          fi


================================================
FILE: .github/workflows/pr-title.yml
================================================
name: PR Title

on:
  pull_request:
    branches:
      - main
    types: [opened, edited, reopened, synchronize]

permissions:
  contents: read

jobs:
  validate:
    runs-on: [self-hosted, public, linux, x64]
    permissions:
      contents: write
    steps:
      - uses: thehanimo/pr-title-checker@7fbfe05602bdd86f926d3fb3bccb6f3aed43bc70  # v1
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          configuration_path: ".github/pr-title-checker-config.json"


================================================
FILE: .github/workflows/security-shared.yml
================================================
# !!! Important !!!
# This is a reusable workflow and is used separately in the PR flow and the push to main branch flow,
# so that it can be protected behind a manual approval in the PR flow

name: security-shared

on:
  workflow_call:

permissions:
  contents: read

jobs:
  bandit:
    runs-on: [self-hosted, public, linux, x64]
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: security test
        uses: jpetrucciani/bandit-check@74c5ecc4297e374c7e9283bc81f649287bb14f34  # v1
        with:
          path: 'checkov'
  trufflehog-secrets:
    runs-on: [self-hosted, public, linux, x64]
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: detect secrets
        uses: edplato/trufflehog-actions-scan@0af17d9dd1410283f740eb76b0b8f6b696cadefc  # v0.9
        with:
          scanArguments: "--regex --entropy=False --exclude_paths .github/exclude-patterns.txt --max_depth=1"
  checkov-secrets:
    runs-on: [self-hosted, public, linux, x64]
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Scan for secrets
        uses: bridgecrewio/checkov-action@master  # use latest and greatest
        with:
          api-key: ${{ secrets.PRISMA_KEY_API2 }}
          prisma-api-url: ${{ secrets.PRISMA_API_URL_2 }}
          config_file: .github/checkov.yaml


================================================
FILE: .github/workflows/security.yml
================================================
# !!! Important !!!
# any change to this workflow will not take effect on the same PR, only afterwards,
# because of the security implications of the 'pull_request_target' trigger

name: security

on:
  pull_request_target:  # this is needed to use the API key in a PR
    branches:
      - main

permissions:
  contents: read

jobs:
  start-security-scan:
    runs-on: ubuntu-latest
    environment: scan-security
    steps:
      - run: echo start security scan  # just needs a simple step to better control the follow-up jobs
  security:
    needs: start-security-scan
    uses: ./.github/workflows/security-shared.yml
    secrets: inherit


================================================
FILE: .gitignore
================================================
# Created by .ignore support plugin (hsz.mobi)
### Python template
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
*__pycache__/

# Python tests residuals
tests/sca_package_2/examples/obj*

# Terraform
*.tfstate*
*.terraform*
*.tfbackend

# git
*.orig

# C extensions
*.so

# Distribution / packaging
.Python
env/
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
.vscode/
*.egg-info/
.installed.cfg
*.egg
.DS_Store

# PyInstaller
#  Usually these files are written by a python script from a template
#  before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec

# Installer logs
pip-log.txt
pip-delete-this-directory.txt

# Unit test / coverage reports
htmlcov/
.tox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*,cover
.hypothesis/
.external_modules/

# Translations
*.mo
*.pot

# Django stuff:
*.log
local_settings.py

# Flask stuff:
instance/
.webassets-cache

# Scrapy stuff:
.scrapy

# Sphinx documentation
docs/_build/

# PyBuilder
target/

# IPython Notebook
.ipynb_checkpoints

# pyenv
.python-version

# celery beat schedule file
celerybeat-schedule

# dotenv
.env

# virtualenv
venv/
ENV/

# Spyder project settings
.spyderproject

# Rope project settings
.ropeproject
### VirtualEnv template
# Virtualenv
# http://iamzed.com/2009/05/07/a-primer-on-virtualenv/
[Ii]nclude
[Ll]ib
[Ll]ib64
[Ll]ocal
[Ss]cripts
pyvenv.cfg
.venv
pip-selfcheck.json
### JetBrains template
# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and Webstorm
# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839

# User-specific stuff:
.idea/workspace.xml
.idea/tasks.xml
.idea/dictionaries
.idea/vcs.xml
.idea/jsLibraryMappings.xml

# Sensitive or high-churn files:
.idea/dataSources.ids
.idea/dataSources.xml
.idea/dataSources.local.xml
.idea/sqlDataSources.xml
.idea/dynamic.xml
.idea/uiDesigner.xml

# Gradle:
.idea/gradle.xml
.idea/libraries

# Mongo Explorer plugin:
.idea/mongoSettings.xml

.idea/

## File-based project format:
*.iws

## Plugin-specific files:

# IntelliJ
/out/

# mpeltonen/sbt-idea plugin
.idea_modules/

# JIRA plugin
atlassian-ide-plugin.xml

# Crashlytics plugin (for Android Studio and IntelliJ)
com_crashlytics_export_strings.xml
crashlytics.properties
crashlytics-build.properties
fabric.properties

# Checkov baseline file
.checkov.baseline

# pytest-benchmarks output directory
.benchmarks/

# test assets that get created locally (20* refers to the start of a date, so this covers us for 78 years)
tests/20*
# vim
.*.sw?
.vim/
.vimspector.json
!tests/terraform/graph/variable_rendering/test_resources/tfvar_module_variables/modules/instance
tests/common/runner_registry/packages_csv_results/
tests/console

# sast go mod
checkov/sast_core/vendor

*.prof


================================================
FILE: .gitmodules
================================================
[submodule "checkov/sast/sast_core"]
	path = checkov/sast/sast_core
	url = git@github.com:bridgecrewio/SAST-Core.git


================================================
FILE: .gitpod.Dockerfile
================================================
FROM gitpod/workspace-python
RUN pyenv install 3.10.14
RUN wget -q -O get_kustomize.sh https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh; \
 chmod 700 get_kustomize.sh; \
 mkdir -p /usr/local/bin; \
 sudo sh -c './get_kustomize.sh 4.5.2 /usr/local/bin'; \
 rm ./get_kustomize.sh


================================================
FILE: .gitpod.yml
================================================
# This configuration file was automatically generated by Gitpod.
# Please adjust to your needs (see https://www.gitpod.io/docs/config-gitpod-file)
# and commit this file to your remote git repository to share the goodness with others.

tasks:
  - name: Pipenv Environment And Dev
    init: |
      pipenv sync --dev
      pipenv run python -m coverage run -m pytest tests

image:
  file: .gitpod.Dockerfile

github:
  prebuilds:
    # enable for the master/default branch (defaults to true)
    master: true
    # enable for all branches in this repo (defaults to false)
    branches: true
    # enable for pull requests coming from this repo (defaults to true)
    pullRequests: true
    # enable for pull requests coming from forks (defaults to false)
    pullRequestsFromForks: true
    # add a "Review in Gitpod" button as a comment to pull requests (defaults to true)
    addComment: true
    # add a "Review in Gitpod" button to pull requests (defaults to false)
    addBadge: false
    # add a label once the prebuild is ready to pull requests (defaults to false)
    addLabel: prebuilt-in-gitpod


================================================
FILE: .pre-commit-config.yaml
================================================
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.5.0
    hooks:
      - id: debug-statements
  - repo: https://github.com/PyCQA/flake8
    rev: 6.1.0
    hooks:
      - id: flake8
        language_version: python3.9
        additional_dependencies:
          - dlint
          - flake8-bugbear
          - flake8-type-checking
  - repo: https://github.com/isidentical/teyit  # unit test formatter
    rev: 0.4.3
    hooks:
      - id: teyit
        language_version: python3.9
  - repo: https://github.com/rhysd/actionlint
    rev: v1.6.26
    hooks:
      - id: actionlint-docker
        # SC2129 - Consider using { cmd1; cmd2; } >> file instead of individual redirects.
        args: ["-ignore", "SC2129"]
  - repo: https://github.com/Madoshakalaka/pipenv-setup  # Pipfile to setup.py sync checker
    rev: v3.2.0
    hooks:
      - id: pipenv-setup
        language_version: python3.9
        entry: pipenv-setup check
        args: []
        additional_dependencies:
          - vistir<0.7.0  # can be removed, when v4.0.0 of pipenv-setup comes out
          - plette<1.0.0  # Solve issue of import error for plette.models
  - repo: https://github.com/seddonym/import-linter  # checks the import dependencies between each other
    rev: v1.12.1
    hooks:
      - id: import-linter
        language_version: python3.9
        args: ["--show-timings"]


================================================
FILE: .pre-commit-hooks.yaml
================================================
---

# For use with pre-commit.
# See usage instructions at http://pre-commit.com

-   id: checkov
    name: Checkov
    description: This hook runs checkov.
    entry: checkov -d .
    language: python
    pass_filenames: false
    always_run: false
    files: \.tf$
    exclude: \.+.terraform\/.*$
    require_serial: true

-   id: checkov_container
    name: Checkov
    description: This hook runs checkov.
    entry: --tty bridgecrew/checkov:latest -d .
    args: []
    language: docker_image
    pass_filenames: false
    always_run: false
    files: \.tf$
    exclude: \.+.terraform\/.*$
    require_serial: true

-   id: checkov_diff
    name: Checkov Diff
    description: This hook runs checkov against all changed files.
    entry: checkov --enable-secret-scan-all-files
    args: ["-f"] # required and must come last
    language: python
    require_serial: true

-   id: checkov_diff_container
    name: Checkov Diff
    description: This hook runs checkov against all changed files.
    entry: --tty bridgecrew/checkov:latest --enable-secret-scan-all-files
    args: ["-f"] # required and must come last
    language: docker_image
    require_serial: true

-   id: checkov_secrets
    name: Checkov Secrets
    description: This hook looks for secrets with checkov.
    entry: checkov --framework secrets --enable-secret-scan-all-files
    args: ["-f"] # required and must come last
    language: python
    always_run: true
    require_serial: true

-   id: checkov_secrets_container
    name: Checkov Secrets
    description: This hook looks for secrets with checkov.
    entry: --tty bridgecrew/checkov:latest --framework secrets --enable-secret-scan-all-files
    args: ["-f"] # required and must come last
    language: docker_image
    always_run: true
    require_serial: true


================================================
FILE: .swm/creating-a-solver.gm0ti.sw.md
================================================
---
id: gm0ti
name: Creating a Solver
file_version: 1.0.2
app_version: 0.9.4-0
file_blobs:
  checkov/common/checks_infra/solvers/complex_solvers/not_solver.py: 60e9301de2a35a51b0464babaf537104d82cf00a
  checkov/common/checks_infra/checks_parser.py: 50130edc6639275b43dbd287572972b826eee687
  checkov/common/checks_infra/solvers/complex_solvers/__init__.py: 2e25b8e1f51406fe5e2995019eb6046fdf3650f2
  checkov/common/graph/checks_infra/solvers/base_solver.py: e84d471f6fc2e8ef12d82fa061784c57a7915d5c
  checkov/common/checks_infra/solvers/complex_solvers/base_complex_solver.py: 186dd8805259132d32936fafc19c389d452869c4
  checkov/common/checks_infra/solvers/connections_solvers/or_connection_solver.py: 38df2db8112768f7ee10facc3feac82b84affc32
  checkov/common/checks_infra/solvers/attribute_solvers/any_attribute_solver.py: 5aa38478ce1174ea46d2cff94ec52358e8595369
  checkov/common/checks_infra/solvers/attribute_solvers/not_contains_attribute_solver.py: 0d44d643a7ba2f1fc78fa86ad53b46c47e546ee1
  checkov/common/checks_infra/solvers/attribute_solvers/not_ending_with_attribute_solver.py: 334cc79488dc5f5f52e3d66ef9b24e3ad89f1e99
---

A Solver is a major component in our system. This document will describe what it is and how to add a new one.

A Solver is a graph operator that implements a certain piece of logic, such as AttributeEquals, GreaterThan, Exists and more. There are also more complex solvers, such as the `And` solver, which implement logic between two or more solvers.

When we add a new Solver, we create a class that inherits from `BaseSolver`[<sup id="2wxET6">↓</sup>](#f-2wxET6).

Some examples of `BaseSolver`[<sup id="2wxET6">↓</sup>](#f-2wxET6)s are `OrConnectionSolver`[<sup id="Z1oapTp">↓</sup>](#f-Z1oapTp), `AnyResourceSolver`[<sup id="Z7ghIg">↓</sup>](#f-Z7ghIg), `NotContainsAttributeSolver`[<sup id="Z136myH">↓</sup>](#f-Z136myH), and `NotEndingWithAttributeSolver`[<sup id="923Qq">↓</sup>](#f-923Qq). Note: some of these examples inherit indirectly from `BaseSolver`[<sup id="2wxET6">↓</sup>](#f-2wxET6).

> **NOTE: Inherit from** `BaseComplexSolver`[<sup id="10523X">↓</sup>](#f-10523X)
> 
> Most `BaseSolver`[<sup id="2wxET6">↓</sup>](#f-2wxET6)s inherit directly from `BaseComplexSolver`[<sup id="10523X">↓</sup>](#f-10523X) and almost none inherit directly from `BaseSolver`[<sup id="2wxET6">↓</sup>](#f-2wxET6). In this document we demonstrate inheriting from `BaseComplexSolver`[<sup id="10523X">↓</sup>](#f-10523X).

## TL;DR - How to Add a `BaseComplexSolver`[<sup id="10523X">↓</sup>](#f-10523X)

1.  Create a new class inheriting from `BaseComplexSolver`[<sup id="10523X">↓</sup>](#f-10523X) 
    
    *   Place the file under `📄 checkov/common/checks_infra/solvers/complex_solvers`, e.g. `NotSolver`[<sup id="Z2wW09R">↓</sup>](#f-Z2wW09R) is defined in `📄 checkov/common/checks_infra/solvers/complex_solvers/not_solver.py`.
        
2.  Define `operator`[<sup id="Z1HozjT">↓</sup>](#f-Z1HozjT).
    
3.  Implement `__init__`[<sup id="ZDc3b7">↓</sup>](#f-ZDc3b7), `_get_operation`[<sup id="Z1IWbj3">↓</sup>](#f-Z1IWbj3), and `get_operation`[<sup id="I3t5K">↓</sup>](#f-I3t5K).
    
4.  Update `📄 checkov/common/checks_infra/checks_parser.py`.
    
5.  Update `📄 checkov/common/checks_infra/solvers/complex_solvers/__init__.py`.
    
6.  **Profit** 💰
    

## Example Walkthrough - `NotSolver`[<sup id="Z2wW09R">↓</sup>](#f-Z2wW09R)

We'll follow the implementation of `NotSolver`[<sup id="Z2wW09R">↓</sup>](#f-Z2wW09R) for this example.

A `NotSolver`[<sup id="Z2wW09R">↓</sup>](#f-Z2wW09R) is a solver that inverts the logic of the solver within it (it must have exactly one child).

## Steps to Adding a new `BaseComplexSolver`[<sup id="10523X">↓</sup>](#f-10523X)

### 1\. Inherit from `BaseComplexSolver`[<sup id="10523X">↓</sup>](#f-10523X).

All `BaseComplexSolver`[<sup id="10523X">↓</sup>](#f-10523X)s are defined in files under `📄 checkov/common/checks_infra/solvers/complex_solvers`.

<br/>

We first need to define our class in the relevant file, and inherit from `BaseComplexSolver`[<sup id="10523X">↓</sup>](#f-10523X):
<!-- NOTE-swimm-snippet: the lines below link your snippet to Swimm -->
### 📄 checkov/common/checks_infra/solvers/complex_solvers/not_solver.py
```python
⬜ 5      from checkov.common.checks_infra.solvers.complex_solvers.base_complex_solver import BaseComplexSolver
⬜ 6      
⬜ 7      
🟩 8      class NotSolver(BaseComplexSolver):
⬜ 9          operator = Operators.NOT  # noqa: CCE003  # a static attribute
⬜ 10     
⬜ 11         def __init__(self, solvers: List[BaseSolver], resource_types: List[str]) -> None:
```

<br/>

> **Note**: the class name should end with "Solver".

### 2\. Define `operator`[<sup id="Z1HozjT">↓</sup>](#f-Z1HozjT)

`BaseSolver`[<sup id="2wxET6">↓</sup>](#f-2wxET6)s should define this variable:

*   `operator`[<sup id="Z1HozjT">↓</sup>](#f-Z1HozjT)

<br/>



<!-- NOTE-swimm-snippet: the lines below link your snippet to Swimm -->
### 📄 checkov/common/checks_infra/solvers/complex_solvers/not_solver.py
```python
⬜ 6      
⬜ 7      
⬜ 8      class NotSolver(BaseComplexSolver):
🟩 9          operator = Operators.NOT  # noqa: CCE003  # a static attribute
⬜ 10     
⬜ 11         def __init__(self, solvers: List[BaseSolver], resource_types: List[str]) -> None:
⬜ 12             if len(solvers) != 1:
```

<br/>

### 3\. Implement `__init__`[<sup id="ZDc3b7">↓</sup>](#f-ZDc3b7), `_get_operation`[<sup id="Z1IWbj3">↓</sup>](#f-Z1IWbj3), and `get_operation`[<sup id="I3t5K">↓</sup>](#f-I3t5K)

Here is how we do it for `NotSolver`[<sup id="Z2wW09R">↓</sup>](#f-Z2wW09R):

Implement `__init__`[<sup id="ZDc3b7">↓</sup>](#f-ZDc3b7).

<br/>



<!-- NOTE-swimm-snippet: the lines below link your snippet to Swimm -->
### 📄 checkov/common/checks_infra/solvers/complex_solvers/not_solver.py
```python
⬜ 8      class NotSolver(BaseComplexSolver):
⬜ 9          operator = Operators.NOT  # noqa: CCE003  # a static attribute
⬜ 10     
🟩 11         def __init__(self, solvers: List[BaseSolver], resource_types: List[str]) -> None:
🟩 12             if len(solvers) != 1:
🟩 13                 raise Exception('The "not" operator must have exactly one child')
🟩 14             super().__init__(solvers, resource_types)
⬜ 15     
⬜ 16         def _get_operation(self, *args: Any, **kwargs: Any) -> Any:
⬜ 17             if len(args) != 1:
```

<br/>



<!-- NOTE-swimm-snippet: the lines below link your snippet to Swimm -->
### 📄 checkov/common/checks_infra/solvers/complex_solvers/not_solver.py
```python
⬜ 13                 raise Exception('The "not" operator must have exactly one child')
⬜ 14             super().__init__(solvers, resource_types)
⬜ 15     
🟩 16         def _get_operation(self, *args: Any, **kwargs: Any) -> Any:
🟩 17             if len(args) != 1:
🟩 18                 raise Exception('The "not" operator must have exactly one child')
🟩 19             return not args[0]
⬜ 20     
⬜ 21         def get_operation(self, vertex: Dict[str, Any]) -> bool:  # type:ignore[override]
⬜ 22             return not self.solvers[0].get_operation(vertex)
```

<br/>



<!-- NOTE-swimm-snippet: the lines below link your snippet to Swimm -->
### 📄 checkov/common/checks_infra/solvers/complex_solvers/not_solver.py
```python
⬜ 18                 raise Exception('The "not" operator must have exactly one child')
⬜ 19             return not args[0]
⬜ 20     
🟩 21         def get_operation(self, vertex: Dict[str, Any]) -> bool:  # type:ignore[override]
🟩 22             return not self.solvers[0].get_operation(vertex)
⬜ 23     
```

<br/>

## Update additional files with the new class

Every time we add new `BaseComplexSolver`[<sup id="10523X">↓</sup>](#f-10523X)s, we reference them in a few locations.

We will still look at `NotSolver`[<sup id="Z2wW09R">↓</sup>](#f-Z2wW09R) as our example.

<br/>

4\. Update `📄 checkov/common/checks_infra/checks_parser.py`, as we do with `NotSolver`[<sup id="Z2wW09R">↓</sup>](#f-Z2wW09R) here:
<!-- NOTE-swimm-snippet: the lines below link your snippet to Swimm -->
### 📄 checkov/common/checks_infra/checks_parser.py
```python
⬜ 19         NotEndingWithAttributeSolver,
⬜ 20         AndSolver,
⬜ 21         OrSolver,
🟩 22         NotSolver,
⬜ 23         ConnectionExistsSolver,
⬜ 24         ConnectionNotExistsSolver,
⬜ 25         AndConnectionSolver,
```

<br/>

In addition, in the same file:
<!-- NOTE-swimm-snippet: the lines below link your snippet to Swimm -->
### 📄 checkov/common/checks_infra/checks_parser.py
```python
⬜ 93     operators_to_complex_solver_classes: dict[str, Type[BaseComplexSolver]] = {
⬜ 94         "and": AndSolver,
⬜ 95         "or": OrSolver,
🟩 96         "not": NotSolver,
⬜ 97     }
⬜ 98     
⬜ 99     operator_to_connection_solver_classes: dict[str, Type[BaseConnectionSolver]] = {
```

<br/>

5\. We modify `📄 checkov/common/checks_infra/solvers/complex_solvers/__init__.py`, for example:
<!-- NOTE-swimm-snippet: the lines below link your snippet to Swimm -->
### 📄 checkov/common/checks_infra/solvers/complex_solvers/__init__.py
```python
⬜ 1      from checkov.common.checks_infra.solvers.complex_solvers.or_solver import OrSolver  # noqa
⬜ 2      from checkov.common.checks_infra.solvers.complex_solvers.and_solver import AndSolver  # noqa
🟩 3      from checkov.common.checks_infra.solvers.complex_solvers.not_solver import NotSolver  # noqa
⬜ 4      
```

<br/>
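The five steps above, condensed into one runnable sketch. This is an added example, not checkov's own code: `BaseSolver`, `BaseComplexSolver`, `AndSolver`, `OrSolver` and `NotSolver` are simplified stand-ins with string operators, and `EqualsAttributeSolver`, `parse_definition`, `failing_resources`, the policy dictionary layout and the sample vertices are all assumptions constructed for illustration.

```python
from typing import Any, Dict, List, Type


class BaseSolver:
    """Simplified stand-in for checkov's BaseSolver (assumption, not the real class)."""
    operator = ""

    def get_operation(self, vertex: Dict[str, Any]) -> bool:
        raise NotImplementedError


class EqualsAttributeSolver(BaseSolver):
    """Hypothetical leaf solver: true when vertex[attribute] == value."""
    operator = "equals"

    def __init__(self, attribute: str, value: Any) -> None:
        self.attribute = attribute
        self.value = value

    def get_operation(self, vertex: Dict[str, Any]) -> bool:
        return vertex.get(self.attribute) == self.value


class BaseComplexSolver(BaseSolver):
    """Combines the results of child solvers through _get_operation."""

    def __init__(self, solvers: List[BaseSolver], resource_types: List[str]) -> None:
        self.solvers = solvers
        self.resource_types = resource_types

    def _get_operation(self, *args: Any, **kwargs: Any) -> Any:
        raise NotImplementedError

    def get_operation(self, vertex: Dict[str, Any]) -> bool:
        return bool(self._get_operation(*(s.get_operation(vertex) for s in self.solvers)))


class AndSolver(BaseComplexSolver):
    operator = "and"

    def _get_operation(self, *args: Any, **kwargs: Any) -> Any:
        return all(args)


class OrSolver(BaseComplexSolver):
    operator = "or"

    def _get_operation(self, *args: Any, **kwargs: Any) -> Any:
        return any(args)


# Steps 1-3: inherit, define `operator`, implement the three methods.
class NotSolver(BaseComplexSolver):
    operator = "not"

    def __init__(self, solvers: List[BaseSolver], resource_types: List[str]) -> None:
        if len(solvers) != 1:
            raise Exception('The "not" operator must have exactly one child')
        super().__init__(solvers, resource_types)

    def _get_operation(self, *args: Any, **kwargs: Any) -> Any:
        if len(args) != 1:
            raise Exception('The "not" operator must have exactly one child')
        return not args[0]

    def get_operation(self, vertex: Dict[str, Any]) -> bool:
        return not self.solvers[0].get_operation(vertex)


# Step 4: register the class so the parser can resolve the operator name.
operators_to_complex_solver_classes: Dict[str, Type[BaseComplexSolver]] = {
    "and": AndSolver,
    "or": OrSolver,
    "not": NotSolver,
}


def parse_definition(definition: Dict[str, Any], resource_types: List[str]) -> BaseSolver:
    """Build a solver tree from a nested dict (layout is an assumption of this example)."""
    for op, solver_cls in operators_to_complex_solver_classes.items():
        if op in definition:
            children = [parse_definition(child, resource_types) for child in definition[op]]
            return solver_cls(children, resource_types)
    if definition.get("operator") != "equals":
        raise ValueError(f"unsupported operator: {definition.get('operator')!r}")
    return EqualsAttributeSolver(definition["attribute"], definition["value"])


def failing_resources(definition: Dict[str, Any], vertices: List[Dict[str, Any]],
                      resource_types: List[str]) -> List[str]:
    """Return the names of in-scope vertices for which the solver tree is false."""
    solver = parse_definition(definition, resource_types)
    return [v["name"] for v in vertices
            if v["resource_type"] in resource_types and not solver.get_operation(v)]


# Constructed policy: a bucket ACL must NOT be one of the public values.
POLICY = {"not": [{"or": [
    {"attribute": "acl", "operator": "equals", "value": "public-read"},
    {"attribute": "acl", "operator": "equals", "value": "public-read-write"},
]}]}

# Constructed sample vertices (not real scan output).
VERTICES = [
    {"resource_type": "aws_s3_bucket", "name": "logs", "acl": "private"},
    {"resource_type": "aws_s3_bucket", "name": "site", "acl": "public-read"},
    {"resource_type": "aws_s3_bucket", "name": "legacy"},  # no acl attribute at all
    {"resource_type": "aws_iam_role", "name": "ci"},       # out of scope
]

if __name__ == "__main__":
    print(failing_resources(POLICY, VERTICES, ["aws_s3_bucket"]))
```

In this sketch the `legacy` bucket passes the negated check because the inner comparison is false when the attribute is missing, which is worth remembering when a policy relies on `not` alone to assert a secure setting.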

<!-- THIS IS AN AUTOGENERATED SECTION. DO NOT EDIT THIS SECTION DIRECTLY -->
### Swimm Note

<span id="f-ZDc3b7">__init__</span>[^](#ZDc3b7) - "checkov/common/checks_infra/solvers/complex_solvers/not_solver.py" L11
```python
    def __init__(self, solvers: List[BaseSolver], resource_types: List[str]) -> None:
```

<span id="f-Z1IWbj3">_get_operation</span>[^](#Z1IWbj3) - "checkov/common/checks_infra/solvers/complex_solvers/not_solver.py" L16
```python
    def _get_operation(self, *args: Any, **kwargs: Any) -> Any:
```

<span id="f-Z7ghIg">AnyResourceSolver</span>[^](#Z7ghIg) - "checkov/common/checks_infra/solvers/attribute_solvers/any_attribute_solver.py" L7
```python
class AnyResourceSolver(BaseAttributeSolver):
```

<span id="f-10523X">BaseComplexSolver</span>[^](#10523X) - "checkov/common/checks_infra/solvers/complex_solvers/base_complex_solver.py" L9
```python
class BaseComplexSolver(BaseSolver):
```

<span id="f-2wxET6">BaseSolver</span>[^](#2wxET6) - "checkov/common/graph/checks_infra/solvers/base_solver.py" L9
```python
class BaseSolver:
```

<span id="f-I3t5K">get_operation</span>[^](#I3t5K) - "checkov/common/checks_infra/solvers/complex_solvers/not_solver.py" L21
```python
    def get_operation(self, vertex: Dict[str, Any]) -> bool:  # type:ignore[override]
```

<span id="f-Z136myH">NotContainsAttributeSolver</span>[^](#Z136myH) - "checkov/common/checks_infra/solvers/attribute_solvers/not_contains_attribute_solver.py" L7
```python
class NotContainsAttributeSolver(ContainsAttributeSolver):
```

<span id="f-923Qq">NotEndingWithAttributeSolver</span>[^](#923Qq) - "checkov/common/checks_infra/solvers/attribute_solvers/not_ending_with_attribute_solver.py" L7
```python
class NotEndingWithAttributeSolver(EndingWithAttributeSolver):
```

<span id="f-Z2wW09R">NotSolver</span>[^](#Z2wW09R) - "checkov/common/checks_infra/solvers/complex_solvers/not_solver.py" L8
```python
class NotSolver(BaseComplexSolver):
```

<span id="f-Z1HozjT">operator</span>[^](#Z1HozjT) - "checkov/common/checks_infra/solvers/complex_solvers/not_solver.py" L9
```python
    operator = Operators.NOT  # noqa: CCE003  # a static attribute
```

<span id="f-Z1oapTp">OrConnectionSolver</span>[^](#Z1oapTp) - "checkov/common/checks_infra/solvers/connections_solvers/or_connection_solver.py" L11
```python
class OrConnectionSolver(ComplexConnectionSolver):
```

<br/>

This file was generated by Swimm. [Click here to view it in the app](https://app.swimm.io/repos/Z2l0aHViJTNBJTNBY2hlY2tvdiUzQSUzQWJyaWRnZWNyZXdpbw==/docs/gm0ti).

================================================
FILE: .swm/swimm.json
================================================
{
    "repo_id": "Z2l0aHViJTNBJTNBY2hlY2tvdiUzQSUzQWJyaWRnZWNyZXdpbw==",
    "configuration": {
        "swmd": true
    }
}


================================================
FILE: CHANGELOG.md
================================================
# CHANGELOG

## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.510...HEAD)

## [3.2.510](https://github.com/bridgecrewio/checkov/compare/3.2.508...3.2.510) - 2026-03-18

### Bug Fix

- **terraform:** support modern TLS security policies in CKV_AWS_206 - [#7466](https://github.com/bridgecrewio/checkov/pull/7466)
- **terraform:** update CKV_AWS_339 supported EKS Kubernetes versions - [#7465](https://github.com/bridgecrewio/checkov/pull/7465)
- **terraform:** update CKV_GCP_79 latest Postgres version from 17 to 18 - [#7464](https://github.com/bridgecrewio/checkov/pull/7464)

## [3.2.508](https://github.com/bridgecrewio/checkov/compare/3.2.507...3.2.508) - 2026-03-08

### Bug Fix

- **secrets:** eliminate race condition in secrets scanner when running concurrently with other scanners - [#7456](https://github.com/bridgecrewio/checkov/pull/7456)

## [3.2.507](https://github.com/bridgecrewio/checkov/compare/3.2.506...3.2.507) - 2026-03-05

### Bug Fix

- **secrets:** add _thread_safe_transient_settings( to secret runner - [#7455](https://github.com/bridgecrewio/checkov/pull/7455)

## [3.2.506](https://github.com/bridgecrewio/checkov/compare/3.2.505...3.2.506) - 2026-02-23

### Bug Fix

- **terraform:** return inner module path when dest_dir already exists on Linux - [#7436](https://github.com/bridgecrewio/checkov/pull/7436)

## [3.2.505](https://github.com/bridgecrewio/checkov/compare/3.2.504...3.2.505) - 2026-02-22

### Feature

- **bicep:** revert bump pycep to support better bicep syntax - [#7446](https://github.com/bridgecrewio/checkov/pull/7446)

## [3.2.504](https://github.com/bridgecrewio/checkov/compare/3.2.502...3.2.504) - 2026-02-18

### Feature

- **bicep:** bump pycep to support better bicep syntax - [#7441](https://github.com/bridgecrewio/checkov/pull/7441)
- **terraform:** deprecate dotnet v6 and support v9 and v10 - [#7442](https://github.com/bridgecrewio/checkov/pull/7442)

## [3.2.502](https://github.com/bridgecrewio/checkov/compare/3.2.501...3.2.502) - 2026-02-16

### Feature

- **general:** better shell commands - [#7438](https://github.com/bridgecrewio/checkov/pull/7438)

## [3.2.501](https://github.com/bridgecrewio/checkov/compare/3.2.500...3.2.501) - 2026-02-11

### Bug Fix

- **general:**  secret detection in build log files with line prefixes - [#7431](https://github.com/bridgecrewio/checkov/pull/7431)

## [3.2.500](https://github.com/bridgecrewio/checkov/compare/3.2.499...3.2.500) - 2026-02-01

### Bug Fix

- **cloudformation:** render variables in cfn vertices config - [#7423](https://github.com/bridgecrewio/checkov/pull/7423)

## [3.2.499](https://github.com/bridgecrewio/checkov/compare/3.2.497...3.2.499) - 2026-01-25

### Feature

- **general:** Add BC_CA_BUNDLE environment variable support for custom CA certificates - [#7419](https://github.com/bridgecrewio/checkov/pull/7419)
- **secrets:** Override AWS generic check with cortex specific checks - [#7420](https://github.com/bridgecrewio/checkov/pull/7420)

### Bug Fix

- **terraform:** test dates - [#7422](https://github.com/bridgecrewio/checkov/pull/7422)

## [3.2.497](https://github.com/bridgecrewio/checkov/compare/3.2.496...3.2.497) - 2025-12-30

### Bug Fix

- **terraform:** handle file path instead of directory - [#7408](https://github.com/bridgecrewio/checkov/pull/7408)

## [3.2.496](https://github.com/bridgecrewio/checkov/compare/3.2.495...3.2.496) - 2025-12-28

### Bug Fix

- **terraform:** CKV_GCP_6 - Added special handling for MSSQL SERVER database type - [#7405](https://github.com/bridgecrewio/checkov/pull/7405)

## [3.2.495](https://github.com/bridgecrewio/checkov/compare/3.2.494...3.2.495) - 2025-11-23

### Bug Fix

- **kubernetes:** Fix CKV_K8S_21 - [#7378](https://github.com/bridgecrewio/checkov/pull/7378)

## [3.2.494](https://github.com/bridgecrewio/checkov/compare/3.2.493...3.2.494) - 2025-11-18

### Bug Fix

- **general:** Fixed build workflows of integration test by locking helm version - [#7371](https://github.com/bridgecrewio/checkov/pull/7371)
- **terraform:** Fixed variable rendering of complex variables to avoid changing type - [#7369](https://github.com/bridgecrewio/checkov/pull/7369)

## [3.2.493](https://github.com/bridgecrewio/checkov/compare/3.2.492...3.2.493) - 2025-11-12

### Feature

- **general:** support skips for module for_each and count - [#7368](https://github.com/bridgecrewio/checkov/pull/7368)

## [3.2.492](https://github.com/bridgecrewio/checkov/compare/3.2.491...3.2.492) - 2025-11-10

### Bug Fix

- **terraform:** get_resource_tags handles more cases - [#7365](https://github.com/bridgecrewio/checkov/pull/7365)

## [3.2.491](https://github.com/bridgecrewio/checkov/compare/3.2.490...3.2.491) - 2025-11-09

### Bug Fix

- **terraform:** Graph report tags should be dict - [#7363](https://github.com/bridgecrewio/checkov/pull/7363)

## [3.2.490](https://github.com/bridgecrewio/checkov/compare/3.2.489...3.2.490) - 2025-11-04

### Feature

- **general:** Fix downloading of the external modules when ref is a shortened Git hash - [#7278](https://github.com/bridgecrewio/checkov/pull/7278)

## [3.2.489](https://github.com/bridgecrewio/checkov/compare/3.2.488...3.2.489) - 2025-10-29

### Bug Fix

- **helm:** Check HELM_NAMESPACE env var in CKV_K8S_21  - [#7355](https://github.com/bridgecrewio/checkov/pull/7355)

## [3.2.488](https://github.com/bridgecrewio/checkov/compare/3.2.487...3.2.488) - 2025-10-27

### Feature

- **terraform_plan:** add new cases for foreach in the presence of skips - [#7351](https://github.com/bridgecrewio/checkov/pull/7351)

## [3.2.487](https://github.com/bridgecrewio/checkov/compare/3.2.486...3.2.487) - 2025-10-23

### Bug Fix

- **general:** CKV_AWS_174 should-allow-higher-then-TLSv1.2 - terraform and cloudformation - [#7352](https://github.com/bridgecrewio/checkov/pull/7352)

## [3.2.486](https://github.com/bridgecrewio/checkov/compare/3.2.485...3.2.486) - 2025-10-22

### Feature

- **general:** update setuptools version 78.1.1 - [#7347](https://github.com/bridgecrewio/checkov/pull/7347)

## [3.2.485](https://github.com/bridgecrewio/checkov/compare/3.2.484...3.2.485) - 2025-10-20

### Bug Fix

- **general:** fix urllib3 dependency - [#7345](https://github.com/bridgecrewio/checkov/pull/7345)

## [3.2.484](https://github.com/bridgecrewio/checkov/compare/3.2.483...3.2.484) - 2025-10-15

### Bug Fix

- **terraform_plan:** Correctly handle complex types for after_unknown - [#7333](https://github.com/bridgecrewio/checkov/pull/7333)

## [3.2.483](https://github.com/bridgecrewio/checkov/compare/3.2.479...3.2.483) - 2025-10-12

### Feature

- **general:** anchor setuptools to fix metadata version - [#7330](https://github.com/bridgecrewio/checkov/pull/7330)
- **general:** update our publishing job SHA to latest - [#7332](https://github.com/bridgecrewio/checkov/pull/7332)
- **terraform_plan:** fix handling of resource_id for enrichment in tf_plan - [#7329](https://github.com/bridgecrewio/checkov/pull/7329)

## [3.2.479](https://github.com/bridgecrewio/checkov/compare/3.2.477...3.2.479) - 2025-10-09

### Feature

- **general:** upgrade checkov python version 3.9 - [#7326](https://github.com/bridgecrewio/checkov/pull/7326)
- **general:** upgrade checkov python version - [#7303](https://github.com/bridgecrewio/checkov/pull/7303)
- **terraform:** skip raw tf resource violation - [#7325](https://github.com/bridgecrewio/checkov/pull/7325)

### Bug Fix

- **general:** revert pipfile urllib3 change - [#7324](https://github.com/bridgecrewio/checkov/pull/7324)

## [3.2.477](https://github.com/bridgecrewio/checkov/compare/3.2.474...3.2.477) - 2025-10-08

### Bug Fix

- **terraform_plan:** compute the longest common prefix between two optional vertex - [#7320](https://github.com/bridgecrewio/checkov/pull/7320)
- **terraform_plan:** Don't add values to empty list values in after_unknown - [#7319](https://github.com/bridgecrewio/checkov/pull/7319)

## [3.2.474](https://github.com/bridgecrewio/checkov/compare/3.2.473...3.2.474) - 2025-10-05

### Documentation

- **general:** Add JAVA_FULL_DT environment variable to CLI reference - [#7312](https://github.com/bridgecrewio/checkov/pull/7312)

## [3.2.473](https://github.com/bridgecrewio/checkov/compare/3.2.472...3.2.473) - 2025-09-30

- no noteworthy changes

## [3.2.472](https://github.com/bridgecrewio/checkov/compare/3.2.471...3.2.472) - 2025-09-28

### Feature

- **terraform:** fix foreach module handling - [#7313](https://github.com/bridgecrewio/checkov/pull/7313)

## [3.2.471](https://github.com/bridgecrewio/checkov/compare/3.2.470...3.2.471) - 2025-09-14

### Bug Fix

- **terraform_plan:** fix access to list by str in tf plan under _handle_complex_after_unknown - [#7299](https://github.com/bridgecrewio/checkov/pull/7299)

## [3.2.470](https://github.com/bridgecrewio/checkov/compare/3.2.469...3.2.470) - 2025-09-08

### Bug Fix

- **helm:** Make Helm template detection less aggressive - [#7288](https://github.com/bridgecrewio/checkov/pull/7288)

## [3.2.469](https://github.com/bridgecrewio/checkov/compare/3.2.467...3.2.469) - 2025-09-01

### Feature

- **general:** Control parallelism - [#7286](https://github.com/bridgecrewio/checkov/pull/7286)

## [3.2.467](https://github.com/bridgecrewio/checkov/compare/3.2.466...3.2.467) - 2025-08-27

### Bug Fix

- **serverless:** Fixed bad entity code line generation - [#7285](https://github.com/bridgecrewio/checkov/pull/7285)

## [3.2.466](https://github.com/bridgecrewio/checkov/compare/3.2.464...3.2.466) - 2025-08-25

### Feature

- **terraform:** add aws_vpc_endpoint to RESOURCE_TYPES_JSONIFY - [#7281](https://github.com/bridgecrewio/checkov/pull/7281)

### Bug Fix

- **general:** Add exclusion for plan_with_providers test files in security scanning - [#7282](https://github.com/bridgecrewio/checkov/pull/7282)

## [3.2.464](https://github.com/bridgecrewio/checkov/compare/3.2.461...3.2.464) - 2025-08-20

### Feature

- **secrets:** support suppressions in JSON files - [#7275](https://github.com/bridgecrewio/checkov/pull/7275)

## [3.2.461](https://github.com/bridgecrewio/checkov/compare/3.2.460...3.2.461) - 2025-08-12

### Bug Fix

- **terraform:** Handled git external module loading with sub-directory but without protocol - [#7272](https://github.com/bridgecrewio/checkov/pull/7272)

## [3.2.460](https://github.com/bridgecrewio/checkov/compare/3.2.458...3.2.460) - 2025-08-10

### Bug Fix

- **general:** pin boto3 and botocore versions as failed test in Jenkins - [#7270](https://github.com/bridgecrewio/checkov/pull/7270)

## [3.2.458](https://github.com/bridgecrewio/checkov/compare/3.2.457...3.2.458) - 2025-08-06

### Bug Fix

- **terraform:** Fix conditional expression evaluation - [#7265](https://github.com/bridgecrewio/checkov/pull/7265)
- **terraform:** Update FunctionAppsAccessibleOverHttps - [#7078](https://github.com/bridgecrewio/checkov/pull/7078)

## [3.2.457](https://github.com/bridgecrewio/checkov/compare/3.2.456...3.2.457) - 2025-07-28

### Bug Fix

- **dockerfile:** Use proxy env vars in aiohttp client requests - [#7260](https://github.com/bridgecrewio/checkov/pull/7260)

## [3.2.456](https://github.com/bridgecrewio/checkov/compare/3.2.454...3.2.456) - 2025-07-27

### Bug Fix

- **terraform:** Parse continue as a string rather as a python object - [#7261](https://github.com/bridgecrewio/checkov/pull/7261)

## [3.2.454](https://github.com/bridgecrewio/checkov/compare/3.2.452...3.2.454) - 2025-07-24

### Bug Fix

- **serverless:** Fixed extraction of code lines for serverless resources - [#7259](https://github.com/bridgecrewio/checkov/pull/7259)

## [3.2.452](https://github.com/bridgecrewio/checkov/compare/3.2.451...3.2.452) - 2025-07-23

### Feature

- **general:** Support Py 3.13 on build workflow - [#7222](https://github.com/bridgecrewio/checkov/pull/7222)

## [3.2.451](https://github.com/bridgecrewio/checkov/compare/3.2.450...3.2.451) - 2025-07-14

### Feature

- **terraform:** Support parsing of provider functions - [#7237](https://github.com/bridgecrewio/checkov/pull/7237)

## [3.2.450](https://github.com/bridgecrewio/checkov/compare/3.2.449...3.2.450) - 2025-07-10

### Bug Fix

- **arm:** filter out failed checks with resource names containing un-rendered functions - [#7231](https://github.com/bridgecrewio/checkov/pull/7231)

## [3.2.449](https://github.com/bridgecrewio/checkov/compare/3.2.447...3.2.449) - 2025-07-09

### Bug Fix

- **terraform:** fix cloning external modules from private registries - [#7229](https://github.com/bridgecrewio/checkov/pull/7229)
- **terraform:** fix issue 7216 module version parsing issue - [#7224](https://github.com/bridgecrewio/checkov/pull/7224)

## [3.2.447](https://github.com/bridgecrewio/checkov/compare/3.2.446...3.2.447) - 2025-06-26

### Bug Fix

- **terraform:** Added support in restricting to a specific GitHub organization for GithubActionsOIDCTrustPolicy - [#7221](https://github.com/bridgecrewio/checkov/pull/7221)

## [3.2.446](https://github.com/bridgecrewio/checkov/compare/3.2.445...3.2.446) - 2025-06-24

### Feature

- **kubernetes:** include hidden folders in scan - [#7219](https://github.com/bridgecrewio/checkov/pull/7219)

## [3.2.445](https://github.com/bridgecrewio/checkov/compare/3.2.443...3.2.445) - 2025-06-22

### Bug Fix

- **helm:** fix file paths to point to original files and not generated ones - [#7212](https://github.com/bridgecrewio/checkov/pull/7212)
- **secrets:** fix omitting and masking - [#7218](https://github.com/bridgecrewio/checkov/pull/7218)

## [3.2.443](https://github.com/bridgecrewio/checkov/compare/3.2.442...3.2.443) - 2025-06-19

### Bug Fix

- **secrets:** fix omit and masking - [#7213](https://github.com/bridgecrewio/checkov/pull/7213)

## [3.2.442](https://github.com/bridgecrewio/checkov/compare/3.2.440...3.2.442) - 2025-06-15

### Bug Fix

- **secrets:** fix relative path secrets - [#7211](https://github.com/bridgecrewio/checkov/pull/7211)

## [3.2.440](https://github.com/bridgecrewio/checkov/compare/3.2.439...3.2.440) - 2025-06-11

### Feature

- **secrets:** Bump detect secrets - [#7203](https://github.com/bridgecrewio/checkov/pull/7203)

## [3.2.439](https://github.com/bridgecrewio/checkov/compare/3.2.437...3.2.439) - 2025-06-09

### Bug Fix

- **serverless:** Enhance yaml parsing, better support for file expansion - [#7115](https://github.com/bridgecrewio/checkov/pull/7115)
- **terraform:** Better utilization of managed modules (if enabled) - [#7111](https://github.com/bridgecrewio/checkov/pull/7111)

## [3.2.437](https://github.com/bridgecrewio/checkov/compare/3.2.436...3.2.437) - 2025-06-05

### Bug Fix

- **terraform:** Handle explicitly-specified tfvars explicitly - [#7107](https://github.com/bridgecrewio/checkov/pull/7107)

## [3.2.436](https://github.com/bridgecrewio/checkov/compare/3.2.435...3.2.436) - 2025-05-30

### Bug Fix

- **terraform_plan:** Support count in terraform plan files - [#7195](https://github.com/bridgecrewio/checkov/pull/7195)

## [3.2.435](https://github.com/bridgecrewio/checkov/compare/3.2.433...3.2.435) - 2025-05-27

### Bug Fix

- **kubernetes:** Only filter out files that contain Helm built-in variables and functions  - [#6922](https://github.com/bridgecrewio/checkov/pull/6922)
- **serverless:** check if start and end line in serverless definitions context - [#7189](https://github.com/bridgecrewio/checkov/pull/7189)

## [3.2.433](https://github.com/bridgecrewio/checkov/compare/3.2.432...3.2.433) - 2025-05-26

### Bug Fix

- **terraform_plan:** add a check to avoid doing get on a none dict object in tfplan scan - [#7180](https://github.com/bridgecrewio/checkov/pull/7180)

## [3.2.432](https://github.com/bridgecrewio/checkov/compare/3.2.429...3.2.432) - 2025-05-22

### Bug Fix

- **terraform:** Multiple fixes - [#7178](https://github.com/bridgecrewio/checkov/pull/7178)

## [3.2.429](https://github.com/bridgecrewio/checkov/compare/3.2.427...3.2.429) - 2025-05-21

### Bug Fix

- **general:** Fix support for git external module syntax 'git::git@' - [#7175](https://github.com/bridgecrewio/checkov/pull/7175)
- **general:** Remove asteval syntax error logs - [#7172](https://github.com/bridgecrewio/checkov/pull/7172)

## [3.2.427](https://github.com/bridgecrewio/checkov/compare/3.2.426...3.2.427) - 2025-05-20

### Feature

- **secrets:** Revert - Bump detect secrets - [#7171](https://github.com/bridgecrewio/checkov/pull/7171)

### Bug Fix

- **terraform:** don't move clone to internal dir - [#7159](https://github.com/bridgecrewio/checkov/pull/7159)

## [3.2.426](https://github.com/bridgecrewio/checkov/compare/3.2.424...3.2.426) - 2025-05-19

### Feature

- **secrets:** Bump detect secrets - [#7158](https://github.com/bridgecrewio/checkov/pull/7158)
- **terraform:** 7 new policies - [#7056](https://github.com/bridgecrewio/checkov/pull/7056)

## [3.2.424](https://github.com/bridgecrewio/checkov/compare/3.2.422...3.2.424) - 2025-05-15

### Feature

- **terraform:** Add SNS check and modify some - [#7154](https://github.com/bridgecrewio/checkov/pull/7154)

### Bug Fix

- **secrets:** Fix for git-history scan by commits - [#7160](https://github.com/bridgecrewio/checkov/pull/7160)

## [3.2.422](https://github.com/bridgecrewio/checkov/compare/3.2.420...3.2.422) - 2025-05-14

### Feature

- **secrets:** git-history allow scan by commits list - [#7155](https://github.com/bridgecrewio/checkov/pull/7155)

### Bug Fix

- **general:** exclude **start_line** and **end_line** from is empty solver - [#7156](https://github.com/bridgecrewio/checkov/pull/7156)

## [3.2.420](https://github.com/bridgecrewio/checkov/compare/3.2.417...3.2.420) - 2025-05-13

### Feature

- **kustomize:** export get kustomize resource id to a function - [#7153](https://github.com/bridgecrewio/checkov/pull/7153)

### Bug Fix

- **general:** Skip bc_api_key in output - [#7148](https://github.com/bridgecrewio/checkov/pull/7148)
- **terraform:** Fixed crash when using variable rendering inside a list of len > 1 - [#7151](https://github.com/bridgecrewio/checkov/pull/7151)

## [3.2.417](https://github.com/bridgecrewio/checkov/compare/3.2.416...3.2.417) - 2025-05-12

### Breaking Change

- **general:** Remove OpenAI - [#7146](https://github.com/bridgecrewio/checkov/pull/7146)

## [3.2.416](https://github.com/bridgecrewio/checkov/compare/3.2.415...3.2.416) - 2025-05-06

### Bug Fix

- **terraform_plan:** use provider name not resource address to fix supported_provider matching - [#7119](https://github.com/bridgecrewio/checkov/pull/7119)

## [3.2.415](https://github.com/bridgecrewio/checkov/compare/3.2.414...3.2.415) - 2025-05-05

### Bug Fix

- **general:** using asteval instead of using eval - [#7116](https://github.com/bridgecrewio/checkov/pull/7116)

## [3.2.414](https://github.com/bridgecrewio/checkov/compare/3.2.413...3.2.414) - 2025-05-01

### Bug Fix

- **terraform:** Fix protocols for CKV2_AWS_74 and fix for CKV2_K8S_5 - [#7134](https://github.com/bridgecrewio/checkov/pull/7134)

## [3.2.413](https://github.com/bridgecrewio/checkov/compare/3.2.411...3.2.413) - 2025-04-29

### Feature

- **terraform:** Add new check for overly permissive SQS policy - [#7125](https://github.com/bridgecrewio/checkov/pull/7125)

### Bug Fix

- **terraform:** support CLI notation in CKV_AZURE_228 for EventHub locations - [#7124](https://github.com/bridgecrewio/checkov/pull/7124)

## [3.2.411](https://github.com/bridgecrewio/checkov/compare/3.2.408...3.2.411) - 2025-04-28

### Feature

- **secrets:** Add support in git history for producer consumer - [#7123](https://github.com/bridgecrewio/checkov/pull/7123)

### Bug Fix

- **general:** Make --download-external-modules Optional[bool] - [#7121](https://github.com/bridgecrewio/checkov/pull/7121)
- **secrets:** Fix test directory tree race - [#7122](https://github.com/bridgecrewio/checkov/pull/7122)
- **terraform:** add aws_elasticache_serverless_cache to CKV2_AWS_5 - [#7079](https://github.com/bridgecrewio/checkov/pull/7079)

## [3.2.408](https://github.com/bridgecrewio/checkov/compare/3.2.407...3.2.408) - 2025-04-24

### Feature

- **terraform:** Over permissive Lambda Cors check (Terraform & Cloudformation) - [#7113](https://github.com/bridgecrewio/checkov/pull/7113)

### Bug Fix

- **general:** base_runner: Properly escape excluded directories that begin with '.' - [#7112](https://github.com/bridgecrewio/checkov/pull/7112)

## [3.2.407](https://github.com/bridgecrewio/checkov/compare/3.2.406...3.2.407) - 2025-04-21

### Feature

- **terraform:** Add new check and update old around cipher suites - [#7108](https://github.com/bridgecrewio/checkov/pull/7108)

## [3.2.406](https://github.com/bridgecrewio/checkov/compare/3.2.404...3.2.406) - 2025-04-17

### Bug Fix

- **kustomize:** handle kustomize file with empty resources section - [#7109](https://github.com/bridgecrewio/checkov/pull/7109)

## [3.2.404](https://github.com/bridgecrewio/checkov/compare/3.2.403...3.2.404) - 2025-04-14

### Bug Fix

- **terraform:** Fix for multiple checks - [#7097](https://github.com/bridgecrewio/checkov/pull/7097)

## [3.2.403](https://github.com/bridgecrewio/checkov/compare/3.2.402...3.2.403) - 2025-04-10

### Feature

- **cloudformation:** Update Lambda Runtime checks - [#7065](https://github.com/bridgecrewio/checkov/pull/7065)

## [3.2.402](https://github.com/bridgecrewio/checkov/compare/3.2.400...3.2.402) - 2025-04-08

### Bug Fix

- **terraform:** Change to valid name - [#7089](https://github.com/bridgecrewio/checkov/pull/7089)
- **terraform:** CKV2_IBM_1 - ignore case for load balancer of type private_path - [#7010](https://github.com/bridgecrewio/checkov/pull/7010)
- **terraform:** rename test FunctionAppsAccessibleOverHttps - [#7085](https://github.com/bridgecrewio/checkov/pull/7085)

### Documentation

- **general:** Add install for debian - [#7083](https://github.com/bridgecrewio/checkov/pull/7083)

## [3.2.400](https://github.com/bridgecrewio/checkov/compare/3.2.398...3.2.400) - 2025-04-07

### Bug Fix

- **general:** typos discovered by codespell - [#7012](https://github.com/bridgecrewio/checkov/pull/7012)
- **terraform:** Update FunctionAppsAccessibleOverHttps - [#7084](https://github.com/bridgecrewio/checkov/pull/7084)

## [3.2.398](https://github.com/bridgecrewio/checkov/compare/3.2.397...3.2.398) - 2025-04-06

### Bug Fix

- **general:** handle connected_node tuple in CustomJSONEncoder for json report (#7062) - [#7063](https://github.com/bridgecrewio/checkov/pull/7063)

## [3.2.397](https://github.com/bridgecrewio/checkov/compare/3.2.396...3.2.397) - 2025-04-04

- no noteworthy changes

## [3.2.396](https://github.com/bridgecrewio/checkov/compare/3.2.395...3.2.396) - 2025-04-01

### Bug Fix

- **terraform:** Fix keeping range a range - [#7073](https://github.com/bridgecrewio/checkov/pull/7073)

## [3.2.395](https://github.com/bridgecrewio/checkov/compare/3.2.394...3.2.395) - 2025-03-31

### Feature

- **serverless:** add check for empty resource attributes - [#7074](https://github.com/bridgecrewio/checkov/pull/7074)

## [3.2.394](https://github.com/bridgecrewio/checkov/compare/3.2.393...3.2.394) - 2025-03-27

### Bug Fix

- **terraform:** Fix CKV2_GCP_12 and a few tests - [#7069](https://github.com/bridgecrewio/checkov/pull/7069)

## [3.2.393](https://github.com/bridgecrewio/checkov/compare/3.2.392...3.2.393) - 2025-03-26

### Bug Fix

- **general:** Updated correct connected_node when creating graph report out of all options - [#7068](https://github.com/bridgecrewio/checkov/pull/7068)

## [3.2.392](https://github.com/bridgecrewio/checkov/compare/3.2.391...3.2.392) - 2025-03-24

### Bug Fix

- **terraform_plan:** Run provider checks against all providers in plan - [#7061](https://github.com/bridgecrewio/checkov/pull/7061)

## [3.2.391](https://github.com/bridgecrewio/checkov/compare/3.2.390...3.2.391) - 2025-03-23

### Bug Fix

- **secrets:** Bump detect-secrets to not flag AZ secrets in plan files - [#7064](https://github.com/bridgecrewio/checkov/pull/7064)

## [3.2.390](https://github.com/bridgecrewio/checkov/compare/3.2.386...3.2.390) - 2025-03-19

### Feature

- **terraform:** add raw tf resource to graph - [#7047](https://github.com/bridgecrewio/checkov/pull/7047)

### Bug Fix

- **general:** Fix a few checks - [#7051](https://github.com/bridgecrewio/checkov/pull/7051)
- **general:** Remove sneaky unicode characters that break a regex and console outputs on Windows - [#6987](https://github.com/bridgecrewio/checkov/pull/6987)
- **terraform:** CKV_AWS_228 - support new AWS Opensearch TLS policy - [#7007](https://github.com/bridgecrewio/checkov/pull/7007)

## [3.2.386](https://github.com/bridgecrewio/checkov/compare/3.2.385...3.2.386) - 2025-03-14

- no noteworthy changes

## [3.2.385](https://github.com/bridgecrewio/checkov/compare/3.2.384...3.2.385) - 2025-03-13

### Bug Fix

- **terraform:** Update all resources - [#7049](https://github.com/bridgecrewio/checkov/pull/7049)

## [3.2.384](https://github.com/bridgecrewio/checkov/compare/3.2.383...3.2.384) - 2025-03-12

### Bug Fix

- **terraform:** Update CKV_ALI_1 - [#7040](https://github.com/bridgecrewio/checkov/pull/7040)

## [3.2.383](https://github.com/bridgecrewio/checkov/compare/3.2.382...3.2.383) - 2025-03-11

### Feature

- **serverless:** add tags enrichment to serverless - [#7044](https://github.com/bridgecrewio/checkov/pull/7044)

### Bug Fix

- **sast:** Fix CKV_AWS_194 policy - [#7048](https://github.com/bridgecrewio/checkov/pull/7048)

## [3.2.382](https://github.com/bridgecrewio/checkov/compare/3.2.381...3.2.382) - 2025-03-06

### Feature

- **secrets:** Bump detect-secrets to remove more lock files - [#7039](https://github.com/bridgecrewio/checkov/pull/7039)

## [3.2.381](https://github.com/bridgecrewio/checkov/compare/3.2.379...3.2.381) - 2025-03-05

### Bug Fix

- **general:** prevent connected_node attribute from being overridden - [#7032](https://github.com/bridgecrewio/checkov/pull/7032)
- **secrets:** ckv_secret_80 filtering fix - [#7037](https://github.com/bridgecrewio/checkov/pull/7037)

## [3.2.379](https://github.com/bridgecrewio/checkov/compare/3.2.378...3.2.379) - 2025-03-03

### Feature

- **terraform:** Add azure DB checks for flexible server private endpoints - [#7030](https://github.com/bridgecrewio/checkov/pull/7030)

## [3.2.378](https://github.com/bridgecrewio/checkov/compare/3.2.377...3.2.378) - 2025-02-27

### Bug Fix

- **secrets:** Remove CKV_SECRET_80 instead of CKV_SECRET_6 - [#7029](https://github.com/bridgecrewio/checkov/pull/7029)

## [3.2.377](https://github.com/bridgecrewio/checkov/compare/3.2.373...3.2.377) - 2025-02-25

### Feature

- **terraform:** adding 3 policies & tests - [#7011](https://github.com/bridgecrewio/checkov/pull/7011)

### Bug Fix

- **cloudformation:** Handle subs in CKV_AWS_384 - [#7022](https://github.com/bridgecrewio/checkov/pull/7022)
- **secrets:** Fix Duplicated Violation in line bug - [#7027](https://github.com/bridgecrewio/checkov/pull/7027)
- **terraform:** Fixed CKV2_GCP_10 to exclude non http triggered cloud functions from security_level requirement - [#7008](https://github.com/bridgecrewio/checkov/pull/7008)
- **terraform:** Handle new resource type for CKV_GCP_73 - [#7023](https://github.com/bridgecrewio/checkov/pull/7023)

## [3.2.373](https://github.com/bridgecrewio/checkov/compare/3.2.372...3.2.373) - 2025-02-24

### Bug Fix

- **terraform:** CKV_GCP_74, CKV_GCP_76 incorrectly enforced for REGIONAL and GLOBAL managed proxy networks - [#7002](https://github.com/bridgecrewio/checkov/pull/7002)

## [3.2.372](https://github.com/bridgecrewio/checkov/compare/3.2.370...3.2.372) - 2025-02-18

### Feature

- **terraform:** Add multiple checks - [#7016](https://github.com/bridgecrewio/checkov/pull/7016)

### Bug Fix

- **terraform:** Postgres latest stable version - [#7015](https://github.com/bridgecrewio/checkov/pull/7015)

## [3.2.370](https://github.com/bridgecrewio/checkov/compare/3.2.369...3.2.370) - 2025-02-13

### Bug Fix

- **general:** Handle ECS enhanced container insights - [#7001](https://github.com/bridgecrewio/checkov/pull/7001)

## [3.2.369](https://github.com/bridgecrewio/checkov/compare/3.2.368...3.2.369) - 2025-02-10

### Bug Fix

- **terraform:** Multiple check fixes - [#6999](https://github.com/bridgecrewio/checkov/pull/6999)

## [3.2.368](https://github.com/bridgecrewio/checkov/compare/3.2.366...3.2.368) - 2025-02-06

### Feature

- **general:** fix proxy access from git and registry loader - [#6992](https://github.com/bridgecrewio/checkov/pull/6992)

## [3.2.366](https://github.com/bridgecrewio/checkov/compare/3.2.364...3.2.366) - 2025-02-05

### Bug Fix

- **bicep:** Add bicep specific for CKV_AZURE_25 since ARM implementation fails - [#6996](https://github.com/bridgecrewio/checkov/pull/6996)
- **terraform:** CKV_AZURE_249 & CKV_AWS_358 - better support for OIDC 'repo' detection regex and conditions order - [#6994](https://github.com/bridgecrewio/checkov/pull/6994)

## [3.2.364](https://github.com/bridgecrewio/checkov/compare/3.2.362...3.2.364) - 2025-02-04

### Bug Fix

- **terraform:** CKV_AWS_339 - Add EKS platform version 1.32 to allowed lists of versions - [#6988](https://github.com/bridgecrewio/checkov/pull/6988)

## [3.2.362](https://github.com/bridgecrewio/checkov/compare/3.2.358...3.2.362) - 2025-02-03

### Bug Fix

- **secrets:** Multiple matching groups are being caught as regex separated by | sign - [#6967](https://github.com/bridgecrewio/checkov/pull/6967)
- **secrets:** Remove both random and base64 entropy secrets finding - [#6969](https://github.com/bridgecrewio/checkov/pull/6969)

### Platform

- **general:** Backfill more eval keys - [#6970](https://github.com/bridgecrewio/checkov/pull/6970)

## [3.2.358](https://github.com/bridgecrewio/checkov/compare/3.2.357...3.2.358) - 2025-01-28

### Feature

- **general:** Add env var for policy metadata - [#6979](https://github.com/bridgecrewio/checkov/pull/6979)

## [3.2.357](https://github.com/bridgecrewio/checkov/compare/3.2.355...3.2.357) - 2025-01-23

### Feature

- **general:** initial support for python 3.13 - [#6962](https://github.com/bridgecrewio/checkov/pull/6962)

### Bug Fix

- **terraform:** OIDC checks fixes - [#6964](https://github.com/bridgecrewio/checkov/pull/6964)

## [3.2.355](https://github.com/bridgecrewio/checkov/compare/3.2.353...3.2.355) - 2025-01-22

### Feature

- **terraform:** Update CKV_AWS_358, add CKV_GCP_125 and CKV_AZURE_249 for OIDC claims analysis for GitHub - [#6960](https://github.com/bridgecrewio/checkov/pull/6960)

### Bug Fix

- **terraform:** Accept TLS 1.3 for Azure web apps and web app slots - [#6956](https://github.com/bridgecrewio/checkov/pull/6956)

### Platform

- **terraform:** Add eval keys - [#6929](https://github.com/bridgecrewio/checkov/pull/6929)

## [3.2.353](https://github.com/bridgecrewio/checkov/compare/3.2.352...3.2.353) - 2025-01-15

### Bug Fix

- **general:** Support CVE suppressions with the root file in repo - [#6948](https://github.com/bridgecrewio/checkov/pull/6948)

## [3.2.352](https://github.com/bridgecrewio/checkov/compare/3.2.351...3.2.352) - 2025-01-09

### Feature

- **terraform:** add option to add external_modules_content_cache to terraform build_graph - [#6942](https://github.com/bridgecrewio/checkov/pull/6942)

## [3.2.351](https://github.com/bridgecrewio/checkov/compare/3.2.350...3.2.351) - 2025-01-08

### Bug Fix

- **terraform:** Skip tsconfig in terraform plan - [#6941](https://github.com/bridgecrewio/checkov/pull/6941)

## [3.2.350](https://github.com/bridgecrewio/checkov/compare/3.2.347...3.2.350) - 2025-01-07

### Feature

- **terraform:** add CKV_AZURE_248 - Azure batch account network access restriction - [#6928](https://github.com/bridgecrewio/checkov/pull/6928)

### Bug Fix

- **terraform:** Revert feat(terraform): Add a terraform block check (#6904) - [#6937](https://github.com/bridgecrewio/checkov/pull/6937)

## [3.2.347](https://github.com/bridgecrewio/checkov/compare/3.2.346...3.2.347) - 2025-01-06

### Feature

- **general:** Change behavior where if a config file is missing, run the scan as if there was no config file - [#6926](https://github.com/bridgecrewio/checkov/pull/6926)

### Bug Fix

- **terraform:** Fix for multiple checks - [#6933](https://github.com/bridgecrewio/checkov/pull/6933)

## [3.2.346](https://github.com/bridgecrewio/checkov/compare/3.2.345...3.2.346) - 2025-01-01

### Feature

- **terraform:** add option to add proxy to request - [#6923](https://github.com/bridgecrewio/checkov/pull/6923)

## [3.2.345](https://github.com/bridgecrewio/checkov/compare/3.2.344...3.2.345) - 2024-12-31

### Feature

- **cloudformation:** Add sensitive param check - [#6921](https://github.com/bridgecrewio/checkov/pull/6921)
- **terraform:** add option to add proxy to request - [#6916](https://github.com/bridgecrewio/checkov/pull/6916)
- **terraform:** check cognitive services restrict outbound network - [#6919](https://github.com/bridgecrewio/checkov/pull/6919)

### Bug Fix

- **terraform_json:** support CDKTF output in CKV_TF_3 - [#6918](https://github.com/bridgecrewio/checkov/pull/6918)

## [3.2.344](https://github.com/bridgecrewio/checkov/compare/3.2.342...3.2.344) - 2024-12-21

### Bug Fix

- **kubernetes:** Add to nested resources on k8s graph inherit namespace - [#6912](https://github.com/bridgecrewio/checkov/pull/6912)

## [3.2.342](https://github.com/bridgecrewio/checkov/compare/3.2.339...3.2.342) - 2024-12-18

### Feature

- **serverless:** serverless definitions context - [#6910](https://github.com/bridgecrewio/checkov/pull/6910)
- **serverless:** Serverless graph integration - [#6911](https://github.com/bridgecrewio/checkov/pull/6911)
- **terraform:** Add a terraform block check - [#6904](https://github.com/bridgecrewio/checkov/pull/6904)

## [3.2.339](https://github.com/bridgecrewio/checkov/compare/3.2.336...3.2.339) - 2024-12-17

### Bug Fix

- **general:** Fix jsonpath-key handling for special characters like "/" and reduce log size - [#6907](https://github.com/bridgecrewio/checkov/pull/6907)
- **serverless:** Fix serverless check crash - [#6909](https://github.com/bridgecrewio/checkov/pull/6909)

## [3.2.336](https://github.com/bridgecrewio/checkov/compare/3.2.334...3.2.336) - 2024-12-16

### Feature

- **general:** add cortex:skip for suppressions - [#6908](https://github.com/bridgecrewio/checkov/pull/6908)

### Bug Fix

- **terraform:** fix CKV_AZURE_136 for replicas - [#6895](https://github.com/bridgecrewio/checkov/pull/6895)
- **terraform:** Fix CKV_AZURE_227 for Azure V4 - [#6906](https://github.com/bridgecrewio/checkov/pull/6906)

## [3.2.334](https://github.com/bridgecrewio/checkov/compare/3.2.332...3.2.334) - 2024-12-08

### Feature

- **serverless:** Serverless graph vertices - [#6894](https://github.com/bridgecrewio/checkov/pull/6894)

### Bug Fix

- **secrets:** fix indentation to remove duplications - [#6626](https://github.com/bridgecrewio/checkov/pull/6626)

## [3.2.332](https://github.com/bridgecrewio/checkov/compare/3.2.328...3.2.332) - 2024-12-05

### Feature

- **terraform:** Add multi skip inline suppression - [#6860](https://github.com/bridgecrewio/checkov/pull/6860)
- **terraform:** New bedrock check - [#6892](https://github.com/bridgecrewio/checkov/pull/6892)

### Bug Fix

- **kubernetes:** fix json file parsing - [#6891](https://github.com/bridgecrewio/checkov/pull/6891)
- **terraform:** Fix CKV2_AZURE_31 - [#6893](https://github.com/bridgecrewio/checkov/pull/6893)

## [3.2.328](https://github.com/bridgecrewio/checkov/compare/3.2.327...3.2.328) - 2024-12-04

### Feature

- **serverless:** Serverless refactor for graph implementation - [#6885](https://github.com/bridgecrewio/checkov/pull/6885)

### Documentation

- **general:** docs flags update - [#6888](https://github.com/bridgecrewio/checkov/pull/6888)

## [3.2.327](https://github.com/bridgecrewio/checkov/compare/3.2.326...3.2.327) - 2024-12-03

### Bug Fix

- **terraform:** Convert to graph check - [#6875](https://github.com/bridgecrewio/checkov/pull/6875)

## [3.2.326](https://github.com/bridgecrewio/checkov/compare/3.2.324...3.2.326) - 2024-12-02

### Feature

- **general:** add new CIDR operator - [#6877](https://github.com/bridgecrewio/checkov/pull/6877)

### Bug Fix

- **arm:** Fix resource ID generation to use variables - [#6884](https://github.com/bridgecrewio/checkov/pull/6884)

## [3.2.324](https://github.com/bridgecrewio/checkov/compare/3.2.322...3.2.324) - 2024-12-01

### Bug Fix

- **terraform_plan:** run post_runner after get_enriched_resources for terraform_plan - [#6883](https://github.com/bridgecrewio/checkov/pull/6883)

## [3.2.322](https://github.com/bridgecrewio/checkov/compare/3.2.320...3.2.322) - 2024-11-28

### Feature

- **general:** Update range includes to handle range values - [#6867](https://github.com/bridgecrewio/checkov/pull/6867)

### Bug Fix

- **general:** fix_memory error with adding new env - [#6879](https://github.com/bridgecrewio/checkov/pull/6879)
- **general:** revert comment out ARM test - [#6882](https://github.com/bridgecrewio/checkov/pull/6882)

## [3.2.320](https://github.com/bridgecrewio/checkov/compare/3.2.317...3.2.320) - 2024-11-27

### Feature

- **terraform:** Add new checks to match run checks - [#6868](https://github.com/bridgecrewio/checkov/pull/6868)

### Bug Fix

- **arm:** Fix arm root folder - [#6880](https://github.com/bridgecrewio/checkov/pull/6880)
- **terraform:** Update CKV_AZURE_164 to correct check on trust policy - [#6757](https://github.com/bridgecrewio/checkov/pull/6757)

## [3.2.317](https://github.com/bridgecrewio/checkov/compare/3.2.314...3.2.317) - 2024-11-26

### Feature

- **terraform:** support resource_type attribute - [#6872](https://github.com/bridgecrewio/checkov/pull/6872)

### Bug Fix

- **arm:** Fix arm report resource naming - [#6876](https://github.com/bridgecrewio/checkov/pull/6876)
- **terraform:** Fix two checks and logs - [#6874](https://github.com/bridgecrewio/checkov/pull/6874)

## [3.2.314](https://github.com/bridgecrewio/checkov/compare/3.2.312...3.2.314) - 2024-11-25

### Feature

- **general:** add logs for suppression - [#6873](https://github.com/bridgecrewio/checkov/pull/6873)

### Bug Fix

- **arm:** Fix arm resource naming on integration with Prisma - [#6870](https://github.com/bridgecrewio/checkov/pull/6870)

## [3.2.312](https://github.com/bridgecrewio/checkov/compare/3.2.311...3.2.312) - 2024-11-24

### Bug Fix

- **arm:** Fix arm graph breadcrumbs - [#6869](https://github.com/bridgecrewio/checkov/pull/6869)

## [3.2.311](https://github.com/bridgecrewio/checkov/compare/3.2.307...3.2.311) - 2024-11-21

### Bug Fix

- **cloudformation:** Fixed issue where Ref was not rendered correctly if the parameter name was identical to the default value - [#6856](https://github.com/bridgecrewio/checkov/pull/6856)
- **secrets:** fix find line - [#6864](https://github.com/bridgecrewio/checkov/pull/6864)
- **secrets:** masking test format - [#6859](https://github.com/bridgecrewio/checkov/pull/6859)
- **secrets:** multiline matches show the secret and not the first line - [#6854](https://github.com/bridgecrewio/checkov/pull/6854)

## [3.2.307](https://github.com/bridgecrewio/checkov/compare/3.2.305...3.2.307) - 2024-11-20

### Bug Fix

- **arm:** Change ARM graph creation log lvl to debug - [#6857](https://github.com/bridgecrewio/checkov/pull/6857)

## [3.2.305](https://github.com/bridgecrewio/checkov/compare/3.2.301...3.2.305) - 2024-11-19

### Feature

- **sca:** support java full dependency tree scan - [#6834](https://github.com/bridgecrewio/checkov/pull/6834)
- **terraform:** Add check - ensure AWS CodeGuru resource contains CMK - [#6851](https://github.com/bridgecrewio/checkov/pull/6851)

### Bug Fix

- **general:** Used jsonpath to update vertex attributes - [#6852](https://github.com/bridgecrewio/checkov/pull/6852)
- **terraform:** Update EKS supported versions - [#6826](https://github.com/bridgecrewio/checkov/pull/6826)
- **terraform:** Update CKV_AZURE_171 to check automatic_upgrade_channel - [#6756](https://github.com/bridgecrewio/checkov/pull/6756)

## [3.2.301](https://github.com/bridgecrewio/checkov/compare/3.2.300...3.2.301) - 2024-11-18

### Bug Fix

- **secrets:** skip empty match - [#6849](https://github.com/bridgecrewio/checkov/pull/6849)

## [3.2.300](https://github.com/bridgecrewio/checkov/compare/3.2.296...3.2.300) - 2024-11-17

### Feature

- **azure:** add new policies for Azure Synapse arm - [#6553](https://github.com/bridgecrewio/checkov/pull/6553)
- **helm:** Made helm + kustomize use the Kubernetes graph registry - [#6847](https://github.com/bridgecrewio/checkov/pull/6847)
- **secrets:** Adding check_id to EnrichedSecret class - [#6842](https://github.com/bridgecrewio/checkov/pull/6842)
- **secrets:** Masking secrets files - [#6848](https://github.com/bridgecrewio/checkov/pull/6848)

### Bug Fix

- **secrets:** add prerun support for singleline - [#6846](https://github.com/bridgecrewio/checkov/pull/6846)
- **terraform:** Update CKV_AZURE_167 to correct check on retention policy - [#6758](https://github.com/bridgecrewio/checkov/pull/6758)

## [3.2.296](https://github.com/bridgecrewio/checkov/compare/3.2.293...3.2.296) - 2024-11-14

### Feature

- **cloudformation:** Support Fn::Sub in cases of using a pseudo parameter - [#6835](https://github.com/bridgecrewio/checkov/pull/6835)
- **terraform:** support resource_type attribute - revert - [#6843](https://github.com/bridgecrewio/checkov/pull/6843)

### Bug Fix

- **terraform:** CKV_GCP_32 (GoogleComputeBlockProjectSSH) Add other common enabling values - [#6663](https://github.com/bridgecrewio/checkov/pull/6663)

## [3.2.293](https://github.com/bridgecrewio/checkov/compare/3.2.291...3.2.293) - 2024-11-13

### Feature

- **terraform:** support resource_type attribute - [#6830](https://github.com/bridgecrewio/checkov/pull/6830)

### Bug Fix

- **general:** fixed mypy issue - [#6838](https://github.com/bridgecrewio/checkov/pull/6838)

## [3.2.291](https://github.com/bridgecrewio/checkov/compare/3.2.287...3.2.291) - 2024-11-12

### Feature

- **general:** remove specific botocore version - [#6796](https://github.com/bridgecrewio/checkov/pull/6796)

### Bug Fix

- **arm:** fix ARM graph block types - [#6824](https://github.com/bridgecrewio/checkov/pull/6824)
- **dockerfile:** Handle heredoc - [#6828](https://github.com/bridgecrewio/checkov/pull/6828)
- **sast:** filter unsupported policies - [#6833](https://github.com/bridgecrewio/checkov/pull/6833)

## [3.2.287](https://github.com/bridgecrewio/checkov/compare/3.2.286...3.2.287) - 2024-11-11

### Bug Fix

- **graph:** fix internal checks loading when adding custom policies in cli - [#6819](https://github.com/bridgecrewio/checkov/pull/6819)

## [3.2.286](https://github.com/bridgecrewio/checkov/compare/3.2.282...3.2.286) - 2024-11-10

### Feature

- **secrets:** Add npm detector - [#6821](https://github.com/bridgecrewio/checkov/pull/6821)

### Bug Fix

- **secrets:** fix empty diff scan - [#6822](https://github.com/bridgecrewio/checkov/pull/6822)

## [3.2.282](https://github.com/bridgecrewio/checkov/compare/3.2.281...3.2.282) - 2024-11-07

### Bug Fix

- **arm:** finish variable rendering and use definitions context - [#6814](https://github.com/bridgecrewio/checkov/pull/6814)

## [3.2.281](https://github.com/bridgecrewio/checkov/compare/3.2.280...3.2.281) - 2024-11-06

### Documentation

- **general:** Update Python versions and add env vars to the docs - [#6812](https://github.com/bridgecrewio/checkov/pull/6812)

## [3.2.280](https://github.com/bridgecrewio/checkov/compare/3.2.278...3.2.280) - 2024-11-05

### Bug Fix

- **arm:** add middleware function for platform integration for Arm definitions - [#6811](https://github.com/bridgecrewio/checkov/pull/6811)
- **secrets:** Update CKV_SECRET_4 to duplication list GENERIC_PRIVATE_KEY - [#6810](https://github.com/bridgecrewio/checkov/pull/6810)
- **terraform:** Add opensearch to CKV2_AWS_5 - [#6807](https://github.com/bridgecrewio/checkov/pull/6807)

## [3.2.278](https://github.com/bridgecrewio/checkov/compare/3.2.277...3.2.278) - 2024-11-04

### Bug Fix

- **arm:** Align arm definitions function arguments - [#6808](https://github.com/bridgecrewio/checkov/pull/6808)

## [3.2.277](https://github.com/bridgecrewio/checkov/compare/3.2.276...3.2.277) - 2024-11-03

### Bug Fix

- **secrets:** add detector for IbmCosHmac - [#6790](https://github.com/bridgecrewio/checkov/pull/6790)

## [3.2.276](https://github.com/bridgecrewio/checkov/compare/3.2.275...3.2.276) - 2024-10-31

### Bug Fix

- **terraform:** Fix possible exception when for_each data has boolean values - [#6733](https://github.com/bridgecrewio/checkov/pull/6733)

## [3.2.275](https://github.com/bridgecrewio/checkov/compare/3.2.271...3.2.275) - 2024-10-30

### Feature

- **arm:** Add arm definition context - [#6801](https://github.com/bridgecrewio/checkov/pull/6801)

### Bug Fix

- **cloudformation:** change parse log level - [#6794](https://github.com/bridgecrewio/checkov/pull/6794)
- **general:** pipenv==2024.0.3 - [#6803](https://github.com/bridgecrewio/checkov/pull/6803)
- **secrets:** omit all secrets value in line - [#6802](https://github.com/bridgecrewio/checkov/pull/6802)
- **terraform:** Security group attached to aws_mskconnect_connector is not recognized - [#6780](https://github.com/bridgecrewio/checkov/pull/6780)

## [3.2.271](https://github.com/bridgecrewio/checkov/compare/3.2.270...3.2.271) - 2024-10-29

### Feature

- **sca:** add enableDotnetCpm env var to sca scan request - [#6786](https://github.com/bridgecrewio/checkov/pull/6786)

## [3.2.270](https://github.com/bridgecrewio/checkov/compare/3.2.269...3.2.270) - 2024-10-28

### Feature

- **arm:** add variable and parameters edges and rendering - [#6787](https://github.com/bridgecrewio/checkov/pull/6787)
- **arm:** arm custom policy support - [#6769](https://github.com/bridgecrewio/checkov/pull/6769)

## [3.2.269](https://github.com/bridgecrewio/checkov/compare/3.2.268...3.2.269) - 2024-10-23

### Bug Fix

- **terraform:** Fix crash when version isn't a float - [#6783](https://github.com/bridgecrewio/checkov/pull/6783)

## [3.2.268](https://github.com/bridgecrewio/checkov/compare/3.2.267...3.2.268) - 2024-10-20

### Feature

- **terraform_plan:** Support after_unknown evaluation of complex attributes - [#6784](https://github.com/bridgecrewio/checkov/pull/6784)

## [3.2.267](https://github.com/bridgecrewio/checkov/compare/3.2.266...3.2.267) - 2024-10-16

- no noteworthy changes

## [3.2.266](https://github.com/bridgecrewio/checkov/compare/3.2.262...3.2.266) - 2024-10-15

### Feature

- **arm:** unsupported module soft fail - [#6775](https://github.com/bridgecrewio/checkov/pull/6775)

## [3.2.262](https://github.com/bridgecrewio/checkov/compare/3.2.258...3.2.262) - 2024-10-14

### Feature

- **terraform:** 2 new checks - [#6764](https://github.com/bridgecrewio/checkov/pull/6764)
- **terraform:** Add s3 data transport check - [#6763](https://github.com/bridgecrewio/checkov/pull/6763)

### Bug Fix

- **helm:** Remove helm target dir after scanning - [#6767](https://github.com/bridgecrewio/checkov/pull/6767)
- **kubernetes:** Handle non-string params in command - [#6768](https://github.com/bridgecrewio/checkov/pull/6768)

## [3.2.258](https://github.com/bridgecrewio/checkov/compare/3.2.257...3.2.258) - 2024-10-13

### Bug Fix

- **terraform:** Set timeout for parsing Terraform files with hcl2. - [#6759](https://github.com/bridgecrewio/checkov/pull/6759)

## [3.2.257](https://github.com/bridgecrewio/checkov/compare/3.2.256...3.2.257) - 2024-10-06

### Bug Fix

- **ansible:** handle empty tasks - [#6751](https://github.com/bridgecrewio/checkov/pull/6751)

## [3.2.256](https://github.com/bridgecrewio/checkov/compare/3.2.254...3.2.256) - 2024-10-01

### Feature

- **terraform:** New checks - [#6720](https://github.com/bridgecrewio/checkov/pull/6720)

### Bug Fix

- **general:** Fix operator docs - [#6735](https://github.com/bridgecrewio/checkov/pull/6735)
- **sca:** add Pipfile and Pipfile.lock to supported package files list - [#6746](https://github.com/bridgecrewio/checkov/pull/6746)
- **terraform:** extend CKV2_AWS_5 to include DMS Serverless (#6628) - [#6630](https://github.com/bridgecrewio/checkov/pull/6630)
- **terraform:** Remove dataproc.admin from multiple checks - [#6725](https://github.com/bridgecrewio/checkov/pull/6725)
- **terraform:** Security group attached to an Elastic DocumentDB cluster is not recognized by check CKV2_AWS_5 - [#6687](https://github.com/bridgecrewio/checkov/pull/6687)

### Documentation

- **general:** update README.md - [#6719](https://github.com/bridgecrewio/checkov/pull/6719)

## [3.2.254](https://github.com/bridgecrewio/checkov/compare/3.2.253...3.2.254) - 2024-09-15

### Bug Fix

- **terraform:** Added ssl_mode attribute support to CKV_GCP_6 - [#6703](https://github.com/bridgecrewio/checkov/pull/6703)

## [3.2.253](https://github.com/bridgecrewio/checkov/compare/3.2.251...3.2.253) - 2024-09-12

### Feature

- **general:** allow tool name field to be customised using cli arguments - [#6692](https://github.com/bridgecrewio/checkov/pull/6692)
- **secrets:** Change log level - [#6716](https://github.com/bridgecrewio/checkov/pull/6716)
- **terraform:** Add check for local user in storage - [#6715](https://github.com/bridgecrewio/checkov/pull/6715)

### Bug Fix

- **terraform:** Update CKV_AZURE_228 for automatic calculation - [#6714](https://github.com/bridgecrewio/checkov/pull/6714)

## [3.2.251](https://github.com/bridgecrewio/checkov/compare/3.2.250...3.2.251) - 2024-09-11

### Feature

- **general:** add severity metadata to custom policy - [#6579](https://github.com/bridgecrewio/checkov/pull/6579)

## [3.2.250](https://github.com/bridgecrewio/checkov/compare/3.2.249...3.2.250) - 2024-09-10

### Bug Fix

- **secrets:** fix suppressions and duplications - [#6710](https://github.com/bridgecrewio/checkov/pull/6710)

## [3.2.249](https://github.com/bridgecrewio/checkov/compare/3.2.246...3.2.249) - 2024-09-08

### Feature

- **general:** revert packages read permissions - [#6706](https://github.com/bridgecrewio/checkov/pull/6706)
- **terraform_plan:** remove secret - [#6705](https://github.com/bridgecrewio/checkov/pull/6705)

### Bug Fix

- **secrets:** fix suppression and duplication - [#6701](https://github.com/bridgecrewio/checkov/pull/6701)
- **secrets:** Revert suppression and duplication - [#6708](https://github.com/bridgecrewio/checkov/pull/6708)
- **terraform:** Fix foreach multi attributes in field - [#6707](https://github.com/bridgecrewio/checkov/pull/6707)

## [3.2.246](https://github.com/bridgecrewio/checkov/compare/3.2.245...3.2.246) - 2024-09-05

### Feature

- **sast:** add log level when running sast in windows - [#6704](https://github.com/bridgecrewio/checkov/pull/6704)

## [3.2.245](https://github.com/bridgecrewio/checkov/compare/3.2.242...3.2.245) - 2024-09-04

### Feature

- **kubernetes:** Add policy for git-sync code injection - [#6694](https://github.com/bridgecrewio/checkov/pull/6694)
- **terraform_plan:** add support for provider in tf_plan framework - [#6690](https://github.com/bridgecrewio/checkov/pull/6690)

## [3.2.242](https://github.com/bridgecrewio/checkov/compare/3.2.241...3.2.242) - 2024-09-02

### Feature

- **general:** add support for windows 10 for aiohttp - [#6696](https://github.com/bridgecrewio/checkov/pull/6696)

## [3.2.241](https://github.com/bridgecrewio/checkov/compare/3.2.239...3.2.241) - 2024-09-01

### Feature

- **sast:** remove the env var for Go - [#6697](https://github.com/bridgecrewio/checkov/pull/6697)

### Bug Fix

- **secrets:** add edge case for policy that looks like uuid - [#6698](https://github.com/bridgecrewio/checkov/pull/6698)

## [3.2.239](https://github.com/bridgecrewio/checkov/compare/3.2.238...3.2.239) - 2024-08-29

### Feature

- **general:** Add multiple checks to match runtime checks - [#6680](https://github.com/bridgecrewio/checkov/pull/6680)

## [3.2.238](https://github.com/bridgecrewio/checkov/compare/3.2.236...3.2.238) - 2024-08-27

### Feature

- **terraform:** add support for TF cloudsplaining evaluated_keys - [#6677](https://github.com/bridgecrewio/checkov/pull/6677)

### Bug Fix

- **secrets:** change logs from info to debug - [#6685](https://github.com/bridgecrewio/checkov/pull/6685)

## [3.2.236](https://github.com/bridgecrewio/checkov/compare/3.2.235...3.2.236) - 2024-08-26

- no noteworthy changes

## [3.2.235](https://github.com/bridgecrewio/checkov/compare/3.2.234...3.2.235) - 2024-08-21

### Feature

- **cloudformation:** SAM Globals support with CloudFormation - [#6657](https://github.com/bridgecrewio/checkov/pull/6657)

## [3.2.234](https://github.com/bridgecrewio/checkov/compare/3.2.232...3.2.234) - 2024-08-20

### Feature

- **sast:** Adding support for sast in windows - [#6638](https://github.com/bridgecrewio/checkov/pull/6638)

### Bug Fix

- **secrets:** revert duplications suppressions for secrets - [#6674](https://github.com/bridgecrewio/checkov/pull/6674)

## [3.2.232](https://github.com/bridgecrewio/checkov/compare/3.2.230...3.2.232) - 2024-08-19

### Bug Fix

- **general:** add try except to loads file - [#6668](https://github.com/bridgecrewio/checkov/pull/6668)
- **secrets:** duplications suppressions for secrets - [#6665](https://github.com/bridgecrewio/checkov/pull/6665)

## [3.2.230](https://github.com/bridgecrewio/checkov/compare/3.2.228...3.2.230) - 2024-08-18

### Feature

- **general:** Support multiple frameworks in custom policy - [#6666](https://github.com/bridgecrewio/checkov/pull/6666)

### Bug Fix

- **general:** revert support multiple frameworks in one custom policy - [#6664](https://github.com/bridgecrewio/checkov/pull/6664)

## [3.2.228](https://github.com/bridgecrewio/checkov/compare/3.2.223...3.2.228) - 2024-08-15

### Feature

- **terraform:** Add build policy to match run policy for API Method without Auth or API - [#6637](https://github.com/bridgecrewio/checkov/pull/6637)

### Bug Fix

- **secrets:** remove dups logic - [#6655](https://github.com/bridgecrewio/checkov/pull/6655)
- **secrets:** Revert remove dups - [#6656](https://github.com/bridgecrewio/checkov/pull/6656)
- **terraform:** Don't pass existed resources in non_exists resource checks - [#6653](https://github.com/bridgecrewio/checkov/pull/6653)

## [3.2.223](https://github.com/bridgecrewio/checkov/compare/3.2.221...3.2.223) - 2024-08-13

### Bug Fix

- **secrets:** remove duplications in secrets - [#6648](https://github.com/bridgecrewio/checkov/pull/6648)
- **secrets:** revert fixing duplications - [#6652](https://github.com/bridgecrewio/checkov/pull/6652)

## [3.2.221](https://github.com/bridgecrewio/checkov/compare/3.2.219...3.2.221) - 2024-08-12

### Bug Fix

- **terraform:** evaluate resource with double underscore - [#6642](https://github.com/bridgecrewio/checkov/pull/6642)

## [3.2.219](https://github.com/bridgecrewio/checkov/compare/3.2.217...3.2.219) - 2024-08-05

### Feature

- **general:** support multiple frameworks in one custom policy - [#6587](https://github.com/bridgecrewio/checkov/pull/6587)
- **terraform:** Add run policy for RDS encryption in transit - [#6631](https://github.com/bridgecrewio/checkov/pull/6631)

### Documentation

- **general:** Add OpenTofu - [#6627](https://github.com/bridgecrewio/checkov/pull/6627)

## [3.2.217](https://github.com/bridgecrewio/checkov/compare/3.2.216...3.2.217) - 2024-07-31

- no noteworthy changes

## [3.2.216](https://github.com/bridgecrewio/checkov/compare/3.2.213...3.2.216) - 2024-07-30

### Feature

- **sast:** Verify that all sast policies are parsed correctly - [#6621](https://github.com/bridgecrewio/checkov/pull/6621)

### Bug Fix

- **secrets:** fix secrets duplication - [#6619](https://github.com/bridgecrewio/checkov/pull/6619)
- **secrets:** fix secrets duplication - Revert - [#6623](https://github.com/bridgecrewio/checkov/pull/6623)

## [3.2.213](https://github.com/bridgecrewio/checkov/compare/3.2.209...3.2.213) - 2024-07-29

### Feature

- **arm:** ARM AppServiceInstanceMinimum - CKV_AZURE_212 - [#6502](https://github.com/bridgecrewio/checkov/pull/6502)
- **terraform:** - TF and CFN - Add a policy for ensuring AWS Bedrock Agent is encrypted with a CMK - [#6603](https://github.com/bridgecrewio/checkov/pull/6603)

### Bug Fix

- **ansible:** Fix CKV2_ANSIBLE_2 - [#6610](https://github.com/bridgecrewio/checkov/pull/6610)
- **arm:** Support upper and lower disabled for CKV_AZURE_189 - [#6609](https://github.com/bridgecrewio/checkov/pull/6609)
- **dockerfile:** Fix edge case with apt in domain - [#6611](https://github.com/bridgecrewio/checkov/pull/6611)
- **terraform_plan:** Fix parsing other types of provisioners - [#6606](https://github.com/bridgecrewio/checkov/pull/6606)
- **terraform:** add condition for CKV_AWS_353 - [#6607](https://github.com/bridgecrewio/checkov/pull/6607)
- **terraform:** catch unknowns with WAF configs - [#6612](https://github.com/bridgecrewio/checkov/pull/6612)
- **terraform:** Handle default for CKV_GCP_76 - [#6608](https://github.com/bridgecrewio/checkov/pull/6608)

## [3.2.209](https://github.com/bridgecrewio/checkov/compare/3.2.208...3.2.209) - 2024-07-28

### Feature

- **cloudformation:** Enrich cloudsplaining eval keys - [#6602](https://github.com/bridgecrewio/checkov/pull/6602)

### Documentation

- **general:** add --repo-id to relevant examples with API key - [#6605](https://github.com/bridgecrewio/checkov/pull/6605)

## [3.2.208](https://github.com/bridgecrewio/checkov/compare/3.2.204...3.2.208) - 2024-07-25

### Feature

- **general:** filter resource by provider for all resources types - [#6598](https://github.com/bridgecrewio/checkov/pull/6598)
- **secrets:** add CKV_SECRET_192 to GENERIC_PRIVATE_KEY_CHECK_IDS - [#6600](https://github.com/bridgecrewio/checkov/pull/6600)
- **terraform:** Update ckv-aws-8 policy - support unknown statement - [#6596](https://github.com/bridgecrewio/checkov/pull/6596)

### Bug Fix

- **terraform:** Fix resource type for CKV_AZURE_242 - [#6599](https://github.com/bridgecrewio/checkov/pull/6599)

### Platform

- **general:** handle multiple values for the same metadata filter - [#6604](https://github.com/bridgecrewio/checkov/pull/6604)

## [3.2.204](https://github.com/bridgecrewio/checkov/compare/3.2.201...3.2.204) - 2024-07-24

### Feature

- **arm:** add CKV_AZURE_191 to ensure that Managed identity provider is enabled for Azure Event Grid Topic - [#6496](https://github.com/bridgecrewio/checkov/pull/6496)

### Bug Fix

- **sast:** BCE-36172 fix cdk policies - [#6588](https://github.com/bridgecrewio/checkov/pull/6588)

## [3.2.201](https://github.com/bridgecrewio/checkov/compare/3.2.199...3.2.201) - 2024-07-23

### Feature

- **terraform:** add 14 rules for tencentcloud provider - [#6448](https://github.com/bridgecrewio/checkov/pull/6448)

### Bug Fix

- **secrets:** fix secrets prerun bug - [#6594](https://github.com/bridgecrewio/checkov/pull/6594)
- **terraform:** Exclude String in CKV_AWS_337 - [#6592](https://github.com/bridgecrewio/checkov/pull/6592)

## [3.2.199](https://github.com/bridgecrewio/checkov/compare/3.2.196...3.2.199) - 2024-07-22

### Feature

- **arm:** add CKV_AZURE_87 to ensure that Azure Defender is set to On for Key Vault - [#6418](https://github.com/bridgecrewio/checkov/pull/6418)
- **arm:** ARM VnetSingleDNSServer - [#6379](https://github.com/bridgecrewio/checkov/pull/6379)
- **secrets:** Adding the option to prerun before multiline pattern executing - [#6586](https://github.com/bridgecrewio/checkov/pull/6586)
- **secrets:** If the prerun regex found but we already scanned file we already scann… - [#6591](https://github.com/bridgecrewio/checkov/pull/6591)

## [3.2.196](https://github.com/bridgecrewio/checkov/compare/3.2.194...3.2.196) - 2024-07-21

### Feature

- **general:** Add metadata exception filter to GHA - [#6583](https://github.com/bridgecrewio/checkov/pull/6583)
- **general:** Refactor all resource type handling in Checkov - [#6572](https://github.com/bridgecrewio/checkov/pull/6572)

## [3.2.194](https://github.com/bridgecrewio/checkov/compare/3.2.193...3.2.194) - 2024-07-18

### Feature

- **arm:** AKSEncryptionAtHostEnable - [#6575](https://github.com/bridgecrewio/checkov/pull/6575)
- **arm:** AKSEphemeralOSDisks - [#6578](https://github.com/bridgecrewio/checkov/pull/6578)
- **arm:** CKV_AZURE_92 to Ensure that Virtual Machines use managed disks - [#6455](https://github.com/bridgecrewio/checkov/pull/6455)
- **arm:** FrontDoorWAFACLCVE202144228 - Mitigates the Log4j2 vulnerability CVE-2021-44228. - [#6419](https://github.com/bridgecrewio/checkov/pull/6419)

### Bug Fix

- **general:** fix the right numbers in TestSkipJsonRegexPattern - [#6580](https://github.com/bridgecrewio/checkov/pull/6580)
- **terraform:** Fix title of CKV_AZURE_238 - [#6570](https://github.com/bridgecrewio/checkov/pull/6570)

## [3.2.193](https://github.com/bridgecrewio/checkov/compare/3.2.191...3.2.193) - 2024-07-17

### Bug Fix

- **terraform:** fix failures of no caller on definition context - [#6573](https://github.com/bridgecrewio/checkov/pull/6573)
- **terraform:** TFPlan + TF fixes for google_project_iam_policy + google_iam_policy - [#6577](https://github.com/bridgecrewio/checkov/pull/6577)

## [3.2.191](https://github.com/bridgecrewio/checkov/compare/3.2.190...3.2.191) - 2024-07-16

### Bug Fix

- **general:** fix sca unit tests for python 3.12 - [#6574](https://github.com/bridgecrewio/checkov/pull/6574)

## [3.2.190](https://github.com/bridgecrewio/checkov/compare/3.2.189...3.2.190) - 2024-07-15

- no noteworthy changes

## [3.2.189](https://github.com/bridgecrewio/checkov/compare/3.2.186...3.2.189) - 2024-07-14

### Feature

- **arm:** add CKV_AZURE_169 to ensure that AKS use the Paid Sku for its SLA - [#6545](https://github.com/bridgecrewio/checkov/pull/6545)
- **arm:** add CKV_AZURE_177 to ensure that Windows VM enables automatic updates - [#6484](https://github.com/bridgecrewio/checkov/pull/6484)
- **cloudformation:** Update audit_logs valid values - [#6566](https://github.com/bridgecrewio/checkov/pull/6566)

## [3.2.186](https://github.com/bridgecrewio/checkov/compare/3.2.183...3.2.186) - 2024-07-11

### Feature

- **azure:** add new policies for Azure Synapse (tf and arm) - [#6554](https://github.com/bridgecrewio/checkov/pull/6554)
- **bicep:** support bicep custom policy - [#6561](https://github.com/bridgecrewio/checkov/pull/6561)

### Bug Fix

- **arm:** CKV_AZURE_56 just for authsettingsV2 name - [#6557](https://github.com/bridgecrewio/checkov/pull/6557)
- **secrets:** filter secrets that have vault: in them - [#6565](https://github.com/bridgecrewio/checkov/pull/6565)

## [3.2.183](https://github.com/bridgecrewio/checkov/compare/3.2.179...3.2.183) - 2024-07-10

### Feature

- **terraform_plan:** support tf_plan after_unknown enrichment - [#6517](https://github.com/bridgecrewio/checkov/pull/6517)

### Bug Fix

- **secrets:** small fix for filtering - [#6562](https://github.com/bridgecrewio/checkov/pull/6562)

### Platform

- **general:** pass repo ID to runconfig - [#6560](https://github.com/bridgecrewio/checkov/pull/6560)

## [3.2.179](https://github.com/bridgecrewio/checkov/compare/3.2.177...3.2.179) - 2024-07-09

### Feature

- **arm:** add CKV_AZURE_206 to ensure that Storage Accounts use replication - [#6524](https://github.com/bridgecrewio/checkov/pull/6524)
- **arm:** BCE-33785 Support Azure Synapse Analytics policies - [#6513](https://github.com/bridgecrewio/checkov/pull/6513)

## [3.2.177](https://github.com/bridgecrewio/checkov/compare/3.2.175...3.2.177) - 2024-07-08

### Bug Fix

- **sast:** fix cdk policies - [#6552](https://github.com/bridgecrewio/checkov/pull/6552)

## [3.2.175](https://github.com/bridgecrewio/checkov/compare/3.2.174...3.2.175) - 2024-07-07

### Feature

- **arm:** AzureSearchSQLQueryUpdates - [#6543](https://github.com/bridgecrewio/checkov/pull/6543)

## [3.2.174](https://github.com/bridgecrewio/checkov/compare/3.2.171...3.2.174) - 2024-07-04

### Feature

- **arm:** add CKV_AZURE_172 to ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters - [#6533](https://github.com/bridgecrewio/checkov/pull/6533)
- **arm:** add CKV_AZURE_173 to ensure that API management uses at least TLS 1.2 - [#6478](https://github.com/bridgecrewio/checkov/pull/6478)
- **arm:** AppServicePlanZoneRedundant - [#6472](https://github.com/bridgecrewio/checkov/pull/6472)
- **arm:** AzureSearchSLAIndex - [#6530](https://github.com/bridgecrewio/checkov/pull/6530)
- **arm:** SQLDatabaseZoneRedundant - [#6515](https://github.com/bridgecrewio/checkov/pull/6515)
- **azure:** add new policies for Azure Synapse - [#6520](https://github.com/bridgecrewio/checkov/pull/6520)
- **general:** update detect secrets package - [#6535](https://github.com/bridgecrewio/checkov/pull/6535)

## [3.2.171](https://github.com/bridgecrewio/checkov/compare/3.2.164...3.2.171) - 2024-07-03

### Feature

- **arm:** add CKV_AZURE_171 to ensure that AKS cluster upgrade channel is chosen - [#6532](https://github.com/bridgecrewio/checkov/pull/6532)
- **arm:** add CKV_AZURE_175 to ensure that Web PubSub uses a SKU with an SLA - [#6523](https://github.com/bridgecrewio/checkov/pull/6523)
- **arm:** add CKV_AZURE_178 to ensure that linux VM enables SSH with keys for secure communication - [#6486](https://github.com/bridgecrewio/checkov/pull/6486)
- **arm:** add CKV_AZURE_85 to ensure that Azure Defender is set to On for Kubernetes - [#6279](https://github.com/bridgecrewio/checkov/pull/6279)
- **arm:** CKV_AZURE_99 to Ensure Cosmos DB accounts have restricted access - [#6498](https://github.com/bridgecrewio/checkov/pull/6498)
- **arm:** DataFactoryNoPublicNetworkAccess - [#6479](https://github.com/bridgecrewio/checkov/pull/6479)
- **arm:** DataLakeStoreEncryption - [#6516](https://github.com/bridgecrewio/checkov/pull/6516)
- **arm:** EventHubNamespaceMinTLS12 - [#6485](https://github.com/bridgecrewio/checkov/pull/6485)

### Bug Fix

- **openapi:** [CKV_OPENAPI_3] Prevent false-positive when checking for http+!basic - [#6406](https://github.com/bridgecrewio/checkov/pull/6406)
- **terraform_json:** support locals block in CDKTF output - [#6452](https://github.com/bridgecrewio/checkov/pull/6452)
- **terraform:** Deprecate CKV2_AWS_67 - [#6529](https://github.com/bridgecrewio/checkov/pull/6529)

## [3.2.164](https://github.com/bridgecrewio/checkov/compare/3.2.163...3.2.164) - 2024-07-02

### Documentation

- **general:** Add Python note - [#6521](https://github.com/bridgecrewio/checkov/pull/6521)

## [3.2.163](https://github.com/bridgecrewio/checkov/compare/3.2.159...3.2.163) - 2024-07-01

### Feature

- **arm:** add CKV_AZURE_174 to ensure that API management public access is disabled - [#6480](https://github.com/bridgecrewio/checkov/pull/6480)
- **arm:** AppServicePHPVersion - [#6436](https://github.com/bridgecrewio/checkov/pull/6436)
- **arm:** AppServicePublicAccessDisabled - [#6467](https://github.com/bridgecrewio/checkov/pull/6467)
- **arm:** KeyVaultEnablesPurgeProtection - [#6465](https://github.com/bridgecrewio/checkov/pull/6465)
- **arm:** PubsubSpecifyIdentity - [#6483](https://github.com/bridgecrewio/checkov/pull/6483)

## [3.2.159](https://github.com/bridgecrewio/checkov/compare/3.2.156...3.2.159) - 2024-06-30

### Bug Fix

- **arm:** fix CKV_AZURE_78: `siteConfig` object should be under `properties` - [#6477](https://github.com/bridgecrewio/checkov/pull/6477)
- **general:** Mypy issues - [#6510](https://github.com/bridgecrewio/checkov/pull/6510)
- **terraform:** ignore comment out modules - [#6507](https://github.com/bridgecrewio/checkov/pull/6507)

## [3.2.156](https://github.com/bridgecrewio/checkov/compare/3.2.145...3.2.156) - 2024-06-27

### Feature

- **arm:** add CKV_AZURE_129 Ensure that MariaDB server enables geo-redundant backups - [#6427](https://github.com/bridgecrewio/checkov/pull/6427)
- **arm:** add CKV_AZURE_137 Ensure ACR admin account is disabled - [#6430](https://github.com/bridgecrewio/checkov/pull/6430)
- **arm:** add CKV_AZURE_139 Ensure ACR set to disable public networking - [#6428](https://github.com/bridgecrewio/checkov/pull/6428)
- **arm:** add CKV_AZURE_166 Ensure container image quarantine, scan, and mark images verified - [#6431](https://github.com/bridgecrewio/checkov/pull/6431)
- **arm:** add CKV_AZURE_168 to ensure that Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods - [#6385](https://github.com/bridgecrewio/checkov/pull/6385)
- **arm:** add CKV_AZURE_45 to ensure that no sensitive credentials are exposed in VM custom_data - [#6422](https://github.com/bridgecrewio/checkov/pull/6422)
- **arm:** add CKV_AZURE_70 to ensure that Function apps is only accessible over HTTPS - [#6457](https://github.com/bridgecrewio/checkov/pull/6457)
- **arm:** ARM AppServiceSlotDebugDisabled - CKV_AZURE_155 - [#6453](https://github.com/bridgecrewio/checkov/pull/6453)
- **arm:** ARM AppServiceSlotHTTPSOnly - [#6454](https://github.com/bridgecrewio/checkov/pull/6454)
- **arm:** ARM VnetLocalDNS - [#6424](https://github.com/bridgecrewio/checkov/pull/6424)
- **arm:** PostgressSQLGeoBackupEnabled - [#6456](https://github.com/bridgecrewio/checkov/pull/6456)
- **arm:** StorageAccountName - [#6426](https://github.com/bridgecrewio/checkov/pull/6426)
- **secrets:** dont filter secrets - [#6508](https://github.com/bridgecrewio/checkov/pull/6508)

### Bug Fix

- **azure:** fix description of CKV_AZURE_236 - [#6503](https://github.com/bridgecrewio/checkov/pull/6503)
- **kubernetes:** Fix CKV_K8S_31 for CronJobs - [#6506](https://github.com/bridgecrewio/checkov/pull/6506)
- **sca:** fix parsing json with comments - [#6509](https://github.com/bridgecrewio/checkov/pull/6509)
- **terraform:** CKV_AWS_339 add Kubernetes 1.30 to AWS EKS version checks - [#6353](https://github.com/bridgecrewio/checkov/pull/6353)
- **terraform:** remove print from CKV_AWS_364 - [#6504](https://github.com/bridgecrewio/checkov/pull/6504)

## [3.2.145](https://github.com/bridgecrewio/checkov/compare/3.2.144...3.2.145) - 2024-06-25

### Documentation

- **general:** Note for feature requests - [#6497](https://github.com/bridgecrewio/checkov/pull/6497)

## [3.2.144](https://github.com/bridgecrewio/checkov/compare/3.2.141...3.2.144) - 2024-06-23

### Bug Fix

- **kubernetes:** ensure seccompProfile is set to RuntimeDefault for all containers in deployments and similar resources - [#6459](https://github.com/bridgecrewio/checkov/pull/6459)
- **terraform:** Add more conditions for CKV_AWS_70 - [#6464](https://github.com/bridgecrewio/checkov/pull/6464)

## [3.2.141](https://github.com/bridgecrewio/checkov/compare/3.2.140...3.2.141) - 2024-06-19

### Bug Fix

- **secrets:** dedup secrets history values - [#6462](https://github.com/bridgecrewio/checkov/pull/6462)

## [3.2.140](https://github.com/bridgecrewio/checkov/compare/3.2.138...3.2.140) - 2024-06-18

### Feature

- **azure:** fix ckv_azure_189 according to docs - [#6413](https://github.com/bridgecrewio/checkov/pull/6413)

### Bug Fix

- **sca:** Support parsing json with comments - [#6466](https://github.com/bridgecrewio/checkov/pull/6466)

### Documentation

- **general:** fix pre-commit link - [#6433](https://github.com/bridgecrewio/checkov/pull/6433)

## [3.2.138](https://github.com/bridgecrewio/checkov/compare/3.2.136...3.2.138) - 2024-06-17

### Feature

- **graph:** support creation of resource type allow/deny lists - [#6451](https://github.com/bridgecrewio/checkov/pull/6451)

### Bug Fix

- **terraform:** Fix name of CKV2_AWS_67 to be more clear - [#6434](https://github.com/bridgecrewio/checkov/pull/6434)
- **terraform:** Fix when apt is in rm statement - [#6437](https://github.com/bridgecrewio/checkov/pull/6437)
- **terraform:** Update CKV_AWS_224 title - [#6435](https://github.com/bridgecrewio/checkov/pull/6435)

## [3.2.136](https://github.com/bridgecrewio/checkov/compare/3.2.133...3.2.136) - 2024-06-13

### Bug Fix

- **arm:** Correct AzureMLWorkspacePrivateEndpoint rule check logic - [#6432](https://github.com/bridgecrewio/checkov/pull/6432)
- **general:** removed references Putin references - [#6445](https://github.com/bridgecrewio/checkov/pull/6445)

## [3.2.133](https://github.com/bridgecrewio/checkov/compare/3.2.130...3.2.133) - 2024-06-10

### Feature

- **general:** add AI_AND_ML to CheckCategories - [#6423](https://github.com/bridgecrewio/checkov/pull/6423)

### Bug Fix

- **sast:** Update CKV IDs for CDK policies - [#6415](https://github.com/bridgecrewio/checkov/pull/6415)

## [3.2.130](https://github.com/bridgecrewio/checkov/compare/3.2.128...3.2.130) - 2024-06-09

### Feature

- **arm:** add CKV_AZURE_135 to ensure Application Gateway WAF prevents message lookup in Log4j2. - [#6364](https://github.com/bridgecrewio/checkov/pull/6364)
- **arm:** add CKV_AZURE_140 to ensure that Local Authentication is disabled on CosmosDB - [#6329](https://github.com/bridgecrewio/checkov/pull/6329)
- **arm:** add CKV_AZURE_163 Enable vulnerability scanning for container images - [#6339](https://github.com/bridgecrewio/checkov/pull/6339)
- **arm:** add MariaDbPublicAccessDisabled convert policy to arm - [#6246](https://github.com/bridgecrewio/checkov/pull/6246)
- **arm:** AKSLocalAdminDisabled - [#6334](https://github.com/bridgecrewio/checkov/pull/6334)
- **arm:** AppServiceFTPSState - [#6363](https://github.com/bridgecrewio/checkov/pull/6363)
- **arm:** AzureServiceFabricClusterProtectionLevel - [#6366](https://github.com/bridgecrewio/checkov/pull/6366)
- **arm:** ensure ACR disables anonymous pulling of images (CKV_AZURE_138) - [#6373](https://github.com/bridgecrewio/checkov/pull/6373)
- **arm:** KeyVaultDisablesPublicNetworkAccess - [#6342](https://github.com/bridgecrewio/checkov/pull/6342)
- **arm:** PostgreSQLServerPublicAccessDisabled - [#6330](https://github.com/bridgecrewio/checkov/pull/6330)
- **terraform:** extract image referencers for AWS SageMaker - [#6408](https://github.com/bridgecrewio/checkov/pull/6408)

### Bug Fix

- **ansible:** add dict check in create_tasks_vertices - [#6417](https://github.com/bridgecrewio/checkov/pull/6417)

## [3.2.128](https://github.com/bridgecrewio/checkov/compare/3.2.125...3.2.128) - 2024-06-06

### Feature

- **azure:** drop support for dotnet v7.0 - [#6383](https://github.com/bridgecrewio/checkov/pull/6383)
- **general:** Image Referencer should not run for CI workflow files - [#6386](https://github.com/bridgecrewio/checkov/pull/6386)
- **secrets:** Add _prioritise_secrets by 3 levels of severity - [#6390](https://github.com/bridgecrewio/checkov/pull/6390)
- **terraform:** add 5 policies - [#6401](https://github.com/bridgecrewio/checkov/pull/6401)
- **terraform:** add 6 policies - [#6396](https://github.com/bridgecrewio/checkov/pull/6396)
- **terraform:** add fix for ckv_aws_300 - [#6404](https://github.com/bridgecrewio/checkov/pull/6404)
- **terraform:** add fix for not contains solver - [#6389](https://github.com/bridgecrewio/checkov/pull/6389)

### Bug Fix

- **ansible:** filter conf if its int or float - [#6409](https://github.com/bridgecrewio/checkov/pull/6409)
- **general:** add try except github_action read file - [#6411](https://github.com/bridgecrewio/checkov/pull/6411)
- **general:** bitbucket integration test failure - [#6407](https://github.com/bridgecrewio/checkov/pull/6407)
- **general:** CKV2_AZURE_50 generates false positive azurerm_storage_account violations - [#6391](https://github.com/bridgecrewio/checkov/pull/6391)
- **sast:** add log for sast on windows - [#6397](https://github.com/bridgecrewio/checkov/pull/6397)

## [3.2.125](https://github.com/bridgecrewio/checkov/compare/3.2.124...3.2.125) - 2024-06-03

### Feature

- **arm:** Add check for AzureML workspace not configured with private endpoint - [#6387](https://github.com/bridgecrewio/checkov/pull/6387)

## [3.2.124](https://github.com/bridgecrewio/checkov/compare/3.2.122...3.2.124) - 2024-06-02

### Feature

- **azure:** Add policy to ensure proper AzureML Workspace network access - [#6362](https://github.com/bridgecrewio/checkov/pull/6362)
- **azure:** Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible - [#6368](https://github.com/bridgecrewio/checkov/pull/6368)

## [3.2.122](https://github.com/bridgecrewio/checkov/compare/3.2.121...3.2.122) - 2024-06-01

### Feature

- **arm:** AppServicePythonVersion - 82 check the 'python version' is the latest, if used to run the web app - [#6282](https://github.com/bridgecrewio/checkov/pull/6282)

## [3.2.121](https://github.com/bridgecrewio/checkov/compare/3.2.119...3.2.121) - 2024-05-31

### Feature

- **terraform:** AWS SageMaker notebook instance KMS Key - [#6374](https://github.com/bridgecrewio/checkov/pull/6374)
- **terraform:** CognitiveServicesConfigureIdentity - new check - [#6378](https://github.com/bridgecrewio/checkov/pull/6378)
- **terraform:** Ensure that Cognitive Services accounts enable local authentication - new check - [#6377](https://github.com/bridgecrewio/checkov/pull/6377)

## [3.2.119](https://github.com/bridgecrewio/checkov/compare/3.2.112...3.2.119) - 2024-05-30

### Feature

- **arm:** add FunctionAppsEnableAuthentication - Checking if a certain field exists - [#6250](https://github.com/bridgecrewio/checkov/pull/6250)
- **terraform:** Add more conditions to CKV_AWS_70 - [#6371](https://github.com/bridgecrewio/checkov/pull/6371)
- **terraform:** Added the CKV2_AWS_68 Check for TF and CFN - [#6369](https://github.com/bridgecrewio/checkov/pull/6369)

### Bug Fix

- **ansible:** set task as ansible vertices config - [#6376](https://github.com/bridgecrewio/checkov/pull/6376)
- **terraform:** for_each/count attribute wasn't rendering if referencing a dynamic variable of a higher level module - [#6372](https://github.com/bridgecrewio/checkov/pull/6372)

## [3.2.112](https://github.com/bridgecrewio/checkov/compare/3.2.108...3.2.112) - 2024-05-29

### Feature

- **terraform:** Add provider address to resources - [#6266](https://github.com/bridgecrewio/checkov/pull/6266)
- **terraform:** Support for count & for_each in data blocks - [#6359](https://github.com/bridgecrewio/checkov/pull/6359)

### Bug Fix

- **terraform:** Fix an issue for loading tfvars + issue in the dynamic rendering - [#6360](https://github.com/bridgecrewio/checkov/pull/6360)

## [3.2.108](https://github.com/bridgecrewio/checkov/compare/3.2.107...3.2.108) - 2024-05-26

### Bug Fix

- **sast:** don't scan hidden files - [#6349](https://github.com/bridgecrewio/checkov/pull/6349)

## [3.2.107](https://github.com/bridgecrewio/checkov/compare/3.2.106...3.2.107) - 2024-05-24

### Bug Fix

- **terraform:** Handle registry modules with a version in CKF_TF_2 - [#6354](https://github.com/bridgecrewio/checkov/pull/6354)

## [3.2.106](https://github.com/bridgecrewio/checkov/compare/3.2.105...3.2.106) - 2024-05-23

### Feature

- **arm:** Ensure Databricks Workspace data plane to control plane co… - [#6319](https://github.com/bridgecrewio/checkov/pull/6319)
- **general:** TF and ARM - Ensure that Databricks Workspaces enable… - [#6313](https://github.com/bridgecrewio/checkov/pull/6313)
- **secrets:** Bump detect-secrets - [#6346](https://github.com/bridgecrewio/checkov/pull/6346)

## [3.2.105](https://github.com/bridgecrewio/checkov/compare/3.2.100...3.2.105) - 2024-05-22

### Feature

- **arm:** add AppServiceJavaVersion - [#6258](https://github.com/bridgecrewio/checkov/pull/6258)
- **arm:** add CKV_AZURE_145 to check that the function app uses the latest version of TLS encryption - [#6323](https://github.com/bridgecrewio/checkov/pull/6323)
- **arm:** add CKV_AZURE_218 to ensure that Application Gateway defines secure protocols for in transit communicationApp gw defines secure protocols - [#6320](https://github.com/bridgecrewio/checkov/pull/6320)
- **arm:** add CKV_AZURE_54 to ensure Enforce a minimal Tls version for the server - [#6270](https://github.com/bridgecrewio/checkov/pull/6270)
- **arm:** add CKV_AZURE_71 to Ensure that Managed identity provider is enabled for web apps - [#6272](https://github.com/bridgecrewio/checkov/pull/6272)
- **arm:** add CKV_AZURE_72 to ensure that remote debugging is not enabled for app services - [#6281](https://github.com/bridgecrewio/checkov/pull/6281)
- **arm:** AzureDefenderOStorage - [#6269](https://github.com/bridgecrewio/checkov/pull/6269)
- **arm:** MySQLPublicAccessDisabled-Azure MySQL: Restrict Public Access - [#6263](https://github.com/bridgecrewio/checkov/pull/6263)
- **arm:** StorageSyncPublicAccessDisabled - [#6331](https://github.com/bridgecrewio/checkov/pull/6331)
- **secrets:** eliminate false positives in entropy keyword combinator detector - [#6327](https://github.com/bridgecrewio/checkov/pull/6327)

### Bug Fix

- **ansible:** fix ansible resource id in local graph - [#6344](https://github.com/bridgecrewio/checkov/pull/6344)
- **secrets:** fix entropy type - [#6347](https://github.com/bridgecrewio/checkov/pull/6347)

## [3.2.100](https://github.com/bridgecrewio/checkov/compare/3.2.98...3.2.100) - 2024-05-21

### Feature

- **sast:** TS-legacy-checks - [#6311](https://github.com/bridgecrewio/checkov/pull/6311)
- **secrets:** entropy limit as env variable - [#6332](https://github.com/bridgecrewio/checkov/pull/6332)

## [3.2.98](https://github.com/bridgecrewio/checkov/compare/3.2.97...3.2.98) - 2024-05-20

### Bug Fix

- **terraform:** Remove invalid CIDRs in CKV2_AWS_44 - [#6301](https://github.com/bridgecrewio/checkov/pull/6301)

## [3.2.97](https://github.com/bridgecrewio/checkov/compare/3.2.95...3.2.97) - 2024-05-19

### Feature

- **arm:** add CKV_AZURE_73 to ensure that Automation account variables are encrypted - [#6271](https://github.com/bridgecrewio/checkov/pull/6271)
- **arm:** add CKV_AZURE_76 to ensure that Azure Batch account uses key vault to encrypt data - [#6280](https://github.com/bridgecrewio/checkov/pull/6280)
- **arm:** add FunctionAppDisallowCORS - password correctness check - [#6248](https://github.com/bridgecrewio/checkov/pull/6248)
- **arm:** ARM FunctionAppHttpVersionLatest policy - [#6244](https://github.com/bridgecrewio/checkov/pull/6244)
- **arm:** CKV_AZURE_74 to Ensure that Azure Data Explorer (Kusto) uses disk encryption - [#6273](https://github.com/bridgecrewio/checkov/pull/6273)
- **arm:** MSSQLServerMinTLSVersion - [#6245](https://github.com/bridgecrewio/checkov/pull/6245)

## [3.2.95](https://github.com/bridgecrewio/checkov/compare/3.2.94...3.2.95) - 2024-05-17

### Bug Fix

- **terraform:** handle module source tag ref when it is not the first parameter - [#6314](https://github.com/bridgecrewio/checkov/pull/6314)

## [3.2.94](https://github.com/bridgecrewio/checkov/compare/3.2.92...3.2.94) - 2024-05-16

### Bug Fix

- **sast:** fix random test sast js - [#6315](https://github.com/bridgecrewio/checkov/pull/6315)

### Platform

- **general:** Double-Encode URI for RelayState Parameter - [#6302](https://github.com/bridgecrewio/checkov/pull/6302)

## [3.2.92](https://github.com/bridgecrewio/checkov/compare/3.2.91...3.2.92) - 2024-05-15

### Feature

- **sast:** CDK TypeScript policies - [#6161](https://github.com/bridgecrewio/checkov/pull/6161)
- **terraform:** add check for tf module versioned tag - [#6213](https://github.com/bridgecrewio/checkov/pull/6213)

### Bug Fix

- **secrets:** secret_filter_block_list filter by file name and suffixes - [#6285](https://github.com/bridgecrewio/checkov/pull/6285)
- **secrets:** secret_filter_block_list filter by file name and suffixes 2 - [#6306](https://github.com/bridgecrewio/checkov/pull/6306)

### Platform

- **general:** Fix policy.name to use the spaces as specified on CLI. - [#6296](https://github.com/bridgecrewio/checkov/pull/6296)

## [3.2.91](https://github.com/bridgecrewio/checkov/compare/3.2.90...3.2.91) - 2024-05-12

### Feature

- **secrets:** bump bc-detect-secrets to 1.5.10 - [#6297](https://github.com/bridgecrewio/checkov/pull/6297)

## [3.2.90](https://github.com/bridgecrewio/checkov/compare/3.2.85...3.2.90) - 2024-05-09

### Feature

- **general:** Add deep-analysis to GHA - [#6288](https://github.com/bridgecrewio/checkov/pull/6288)
- **terraform:** Add more hype policies - [#6239](https://github.com/bridgecrewio/checkov/pull/6239)

### Bug Fix

- **ansible:** fix ansible definitions raw type - [#6292](https://github.com/bridgecrewio/checkov/pull/6292)

### Platform

- **ansible:** add set definitions raw to ansible runner - [#6286](https://github.com/bridgecrewio/checkov/pull/6286)
- **general:** Handle SAST suppressions (suppressions V2) - [#6109](https://github.com/bridgecrewio/checkov/pull/6109)

### Documentation

- **general:** add RENDER_EDGES_DUPLICATE_ITER_COUNT to docs - [#6291](https://github.com/bridgecrewio/checkov/pull/6291)
- **general:** Update README links for PyPi - [#6231](https://github.com/bridgecrewio/checkov/pull/6231)

## [3.2.85](https://github.com/bridgecrewio/checkov/compare/3.2.84...3.2.85) - 2024-05-08

### Platform

- **ansible:** add missing arg to ansible runner - [#6276](https://github.com/bridgecrewio/checkov/pull/6276)

## [3.2.84](https://github.com/bridgecrewio/checkov/compare/3.2.82...3.2.84) - 2024-05-07

### Feature

- **sast:** Enable cdk ts integration test - [#6158](https://github.com/bridgecrewio/checkov/pull/6158)

### Bug Fix

- **secrets:** add files for secret to skip - [#6275](https://github.com/bridgecrewio/checkov/pull/6275)
- **terraform:** Update CKV_AWS_31 for RBAC - [#6224](https://github.com/bridgecrewio/checkov/pull/6224)

## [3.2.82](https://github.com/bridgecrewio/checkov/compare/3.2.79...3.2.82) - 2024-05-06

### Feature

- **github:** add summary message in github_failed_only output - [#6131](https://github.com/bridgecrewio/checkov/pull/6131)
- **sast:** add ts checks to python pack - [#6261](https://github.com/bridgecrewio/checkov/pull/6261)
- **sast:** run all cdk integration test - [#6256](https://github.com/bridgecrewio/checkov/pull/6256)

### Bug Fix

- **general:** fix changed serif path - [#6251](https://github.com/bridgecrewio/checkov/pull/6251)

## [3.2.79](https://github.com/bridgecrewio/checkov/compare/3.2.74...3.2.79) - 2024-05-02

### Feature

- **sast:** Add 10 TS CDK - [#6194](https://github.com/bridgecrewio/checkov/pull/6194)
- **sast:** add typescript - DONT MERGE - [#6193](https://github.com/bridgecrewio/checkov/pull/6193)
- **sast:** Filter js files generate by ts - [#6220](https://github.com/bridgecrewio/checkov/pull/6220)
- **secrets:** bump bc-detect-secrets 1.5.9 - [#6205](https://github.com/bridgecrewio/checkov/pull/6205)
- **terraform:** Add GCP policy - [#6177](https://github.com/bridgecrewio/checkov/pull/6177)
- **terraform:** Add resource attributes to jsonify - [#6203](https://github.com/bridgecrewio/checkov/pull/6203)
- **terraform:** Ensure dedicated data endpoints are enabled - [#6188](https://github.com/bridgecrewio/checkov/pull/6188)
- **terraform:** support provider in tf_plan graph - [#6195](https://github.com/bridgecrewio/checkov/pull/6195)
- **terraform:** Update CloudArmorWAFACLCVE202144228.py - [#6217](https://github.com/bridgecrewio/checkov/pull/6217)

### Bug Fix

- **general:** add print to random test - [#6229](https://github.com/bridgecrewio/checkov/pull/6229)
- **general:** fix integration test in build - [#6227](https://github.com/bridgecrewio/checkov/pull/6227)
- **general:** fix integration tests - [#6207](https://github.com/bridgecrewio/checkov/pull/6207)
- **kubernetes:** Update checkov-job.yaml - [#5985](https://github.com/bridgecrewio/checkov/pull/5985)
- **sca:** remove old test for the deprecated workflow github-action - [#6232](https://github.com/bridgecrewio/checkov/pull/6232)
- **terraform_plan:** Edges not created because of indexing in resource["address"] when resources in modules use count - [#6145](https://github.com/bridgecrewio/checkov/pull/6145)
- **terraform:** CKV_AWS_23 rule description fixed for clarity - [#5993](https://github.com/bridgecrewio/checkov/pull/5993)
- **terraform:** Fix CKV_AWS_358 to handle plan files - [#6202](https://github.com/bridgecrewio/checkov/pull/6202)

### Platform

- **ansible:** add create_definitions function for ansible framework - [#6225](https://github.com/bridgecrewio/checkov/pull/6225)

### Documentation

- **general:** Fix docs html brackets - [#6051](https://github.com/bridgecrewio/checkov/pull/6051)
- **general:** Remove Python 3.7 - [#6200](https://github.com/bridgecrewio/checkov/pull/6200)

## [3.2.74](https://github.com/bridgecrewio/checkov/compare/3.2.73...3.2.74) - 2024-04-22

### Feature

- **general:** Update range includes to handle lists of ranges and lists of values - [#6192](https://github.com/bridgecrewio/checkov/pull/6192)

## [3.2.73](https://github.com/bridgecrewio/checkov/compare/3.2.72...3.2.73) - 2024-04-21

### Feature

- **sast:** TypeScript cdk policies p7 - [#6186](https://github.com/bridgecrewio/checkov/pull/6186)

## [3.2.72](https://github.com/bridgecrewio/checkov/compare/3.2.71...3.2.72) - 2024-04-19

### Feature

- **bicep:** Add bicep version of policy - [#6191](https://github.com/bridgecrewio/checkov/pull/6191)

## [3.2.71](https://github.com/bridgecrewio/checkov/compare/3.2.70...3.2.71) - 2024-04-18

### Feature

- **sca:** support licenses custom policies enforcement rules - [#6173](https://github.com/bridgecrewio/checkov/pull/6173)

## [3.2.70](https://github.com/bridgecrewio/checkov/compare/3.2.68...3.2.70) - 2024-04-17

### Feature

- **sast:** Add 5 cdk for TS - [#6179](https://github.com/bridgecrewio/checkov/pull/6179)

### Bug Fix

- **sast:** fix skipped_checks paths before upload to the platform - [#6183](https://github.com/bridgecrewio/checkov/pull/6183)

## [3.2.68](https://github.com/bridgecrewio/checkov/compare/3.2.65...3.2.68) - 2024-04-16

### Feature

- **sast:** adding extended code block - [#6178](https://github.com/bridgecrewio/checkov/pull/6178)
- **sca:** using the new api license/get-licenses-violations instead of packages/get-licenses-violations (which is deprecated) - [#6174](https://github.com/bridgecrewio/checkov/pull/6174)

### Bug Fix

- **sca:** Revert "feat(sca): using the new api license/get-licenses-violations … - [#6176](https://github.com/bridgecrewio/checkov/pull/6176)

## [3.2.65](https://github.com/bridgecrewio/checkov/compare/3.2.63...3.2.65) - 2024-04-15

### Bug Fix

- **sast:** save suppress_comment for sast inline suppressions - [#6171](https://github.com/bridgecrewio/checkov/pull/6171)
- **secrets:** Azure Storage Key detector updates in bc-detect-secrets 1.5.7 - [#6168](https://github.com/bridgecrewio/checkov/pull/6168)

## [3.2.63](https://github.com/bridgecrewio/checkov/compare/3.2.60...3.2.63) - 2024-04-14

### Feature

- **sast:** CDK TS policies p2 - [#6165](https://github.com/bridgecrewio/checkov/pull/6165)

## [3.2.60](https://github.com/bridgecrewio/checkov/compare/3.2.55...3.2.60) - 2024-04-10

### Feature

- **sast:** Add TS CDK policies 1 - [#6151](https://github.com/bridgecrewio/checkov/pull/6151)
- **sast:** CDK TS policies p3 - [#6157](https://github.com/bridgecrewio/checkov/pull/6157)

### Bug Fix

- **terraform:** Fix conditional expression evaluation logic with compare - [#6160](https://github.com/bridgecrewio/checkov/pull/6160)
- **terraform:** Fixed flaky test for CKV_AWS_356 - [#6162](https://github.com/bridgecrewio/checkov/pull/6162)

## [3.2.55](https://github.com/bridgecrewio/checkov/compare/3.2.53...3.2.55) - 2024-04-08

### Feature

- **sast:** Adding typescript cdk part 6 paz - [#6149](https://github.com/bridgecrewio/checkov/pull/6149)

### Bug Fix

- **sca:** enabling suppression in the cli-output for IR-files and dockerfiles - [#6148](https://github.com/bridgecrewio/checkov/pull/6148)

## [3.2.53](https://github.com/bridgecrewio/checkov/compare/3.2.52...3.2.53) - 2024-04-03

### Feature

- **terraform:** support s3 bucket name for references in graph - [#6134](https://github.com/bridgecrewio/checkov/pull/6134)

## [3.2.52](https://github.com/bridgecrewio/checkov/compare/3.2.51...3.2.52) - 2024-04-03

### Feature

- **general:** Update the releases' zip file names to be generic - [#6141](https://github.com/bridgecrewio/checkov/pull/6141)

## [3.2.51](https://github.com/bridgecrewio/checkov/compare/3.2.50...3.2.51) - 2024-04-02

### Feature

- **general:** add policy metadata filter exception flag - [#6132](https://github.com/bridgecrewio/checkov/pull/6132)

## [3.2.50](https://github.com/bridgecrewio/checkov/compare/3.2.49...3.2.50) - 2024-03-31

### Bug Fix

- **general:** remove limitation of resource and provider in tf.json file - [#6133](https://github.com/bridgecrewio/checkov/pull/6133)

## [3.2.49](https://github.com/bridgecrewio/checkov/compare/3.2.47...3.2.49) - 2024-03-28

### Bug Fix

- **general:** pin the version of schema to <=0.7.5 - [#6125](https://github.com/bridgecrewio/checkov/pull/6125)

## [3.2.47](https://github.com/bridgecrewio/checkov/compare/3.2.45...3.2.47) - 2024-03-26

### Feature

- **secrets:** bump manually bc-detect-secrets - [#6120](https://github.com/bridgecrewio/checkov/pull/6120)
- **terraform:** add fix for when tf_def is a string - [#6121](https://github.com/bridgecrewio/checkov/pull/6121)

## [3.2.45](https://github.com/bridgecrewio/checkov/compare/3.2.44...3.2.45) - 2024-03-25

### Feature

- **terraform:** fix for_each resource handling - [#6119](https://github.com/bridgecrewio/checkov/pull/6119)

## [3.2.44](https://github.com/bridgecrewio/checkov/compare/3.2.43...3.2.44) - 2024-03-24

### Bug Fix

- **sca:** Fix suppression integration crashing if licenseTypes is missing - [#6117](https://github.com/bridgecrewio/checkov/pull/6117)

## [3.2.43](https://github.com/bridgecrewio/checkov/compare/3.2.42...3.2.43) - 2024-03-21

### Bug Fix

- **terraform:** Fixed bug in evaluate_conditional_expression and added zipmap support - [#6106](https://github.com/bridgecrewio/checkov/pull/6106)

## [3.2.42](https://github.com/bridgecrewio/checkov/compare/3.2.39...3.2.42) - 2024-03-20

### Feature

- **sast:** support sast skipped checks - [#6095](https://github.com/bridgecrewio/checkov/pull/6095)

### Bug Fix

- **secrets:** ignore secret check in test file - [#6105](https://github.com/bridgecrewio/checkov/pull/6105)

### Platform

- **general:** handle API errors with more detail - [#6107](https://github.com/bridgecrewio/checkov/pull/6107)

## [3.2.39](https://github.com/bridgecrewio/checkov/compare/3.2.38...3.2.39) - 2024-03-17

### Feature

- **secrets:** fix entropy detector FP - [#6090](https://github.com/bridgecrewio/checkov/pull/6090)

## [3.2.38](https://github.com/bridgecrewio/checkov/compare/3.2.37...3.2.38) - 2024-03-14

### Bug Fix

- **terraform:** prevent side effects when updating variable rendering - [#6087](https://github.com/bridgecrewio/checkov/pull/6087)

## [3.2.37](https://github.com/bridgecrewio/checkov/compare/3.2.36...3.2.37) - 2024-03-13

### Feature

- **terraform:** connect module resource to provider - [#6083](https://github.com/bridgecrewio/checkov/pull/6083)

## [3.2.36](https://github.com/bridgecrewio/checkov/compare/3.2.35...3.2.36) - 2024-03-12

### Bug Fix

- **gha:** make sure to have prisma url - [#6084](https://github.com/bridgecrewio/checkov/pull/6084)

## [3.2.35](https://github.com/bridgecrewio/checkov/compare/3.2.34...3.2.35) - 2024-03-11

### Feature

- **general:** add policy name and guidelines to CSV output - [#6082](https://github.com/bridgecrewio/checkov/pull/6082)

### Bug Fix

- **sast:** add attribute verification - [#6078](https://github.com/bridgecrewio/checkov/pull/6078)

## [3.2.34](https://github.com/bridgecrewio/checkov/compare/3.2.33...3.2.34) - 2024-03-10

### Bug Fix

- **terraform:** Don't duplicate more vertices than needed for nested modules with large count/for each values + used cache to avoid extensive usage of os.path.realpath to drastically improve performance - [#6072](https://github.com/bridgecrewio/checkov/pull/6072)

## [3.2.33](https://github.com/bridgecrewio/checkov/compare/3.2.32...3.2.33) - 2024-03-08

### Platform

- **general:** improve upload failure logging and log size of failed files - [#6076](https://github.com/bridgecrewio/checkov/pull/6076)

## [3.2.32](https://github.com/bridgecrewio/checkov/compare/3.2.31...3.2.32) - 2024-03-06

### Bug Fix

- **sast:** do not log warning when using skip framework - [#6066](https://github.com/bridgecrewio/checkov/pull/6066)

## [3.2.31](https://github.com/bridgecrewio/checkov/compare/3.2.28...3.2.31) - 2024-03-04

### Bug Fix

- **terraform:** better handling of interpolation rendering in conditional expressions - [#6062](https://github.com/bridgecrewio/checkov/pull/6062)
- **terraform:** Changed a couple of checks from negative to positive check, behavior is the same - [#6063](https://github.com/bridgecrewio/checkov/pull/6063)

## [3.2.28](https://github.com/bridgecrewio/checkov/compare/3.2.26...3.2.28) - 2024-02-28

### Bug Fix

- **sca:** handling unknown severity - [#6055](https://github.com/bridgecrewio/checkov/pull/6055)
- **terraform:** Add Condition exceptions CKV_AWS_70 - [#6044](https://github.com/bridgecrewio/checkov/pull/6044)
- **terraform:** Add k8s 1.29 to CKV_AWS_339 - [#6056](https://github.com/bridgecrewio/checkov/pull/6056)

## [3.2.26](https://github.com/bridgecrewio/checkov/compare/3.2.25...3.2.26) - 2024-02-26

### Bug Fix

- **sast:** fetch sast custom policies - [#6040](https://github.com/bridgecrewio/checkov/pull/6040)

## [3.2.25](https://github.com/bridgecrewio/checkov/compare/3.2.24...3.2.25) - 2024-02-25

### Feature

- **terraform:** Added support for `try` function in evaluate_terraform - [#6043](https://github.com/bridgecrewio/checkov/pull/6043)

## [3.2.24](https://github
gitextract_81zemmz3/

├── .cfnlintrc
├── .coveragerc
├── .dockerignore
├── .flake8
├── .github/
│   ├── ISSUE_TEMPLATE/
│   │   ├── best_practices_issue.md
│   │   ├── checks_issue.md
│   │   ├── crash_report.md
│   │   ├── feature_request.md
│   │   ├── graph_issue.md
│   │   ├── integrations_issue.md
│   │   ├── languages_issue.md
│   │   ├── noise_issue.md
│   │   ├── outputs_issue.md
│   │   └── skips_issue.md
│   ├── PULL_REQUEST_TEMPLATE.md
│   ├── actionlint.yaml
│   ├── checkov.yaml
│   ├── codeql-config.yml
│   ├── dependabot.yml
│   ├── exclude-patterns.txt
│   ├── pr-title-checker-config.json
│   ├── release-changelog-config.json
│   ├── stale.yml
│   └── workflows/
│       ├── build.yml
│       ├── codeql-analysis.yml
│       ├── coverage.yaml
│       ├── jekyll-gh-pages.yml
│       ├── nightly.yml
│       ├── pipenv-update.yml
│       ├── pr-test.yml
│       ├── pr-title.yml
│       ├── security-shared.yml
│       └── security.yml
├── .gitignore
├── .gitmodules
├── .gitpod.Dockerfile
├── .gitpod.yml
├── .pre-commit-config.yaml
├── .pre-commit-hooks.yaml
├── .swm/
│   ├── creating-a-solver.gm0ti.sw.md
│   └── swimm.json
├── CHANGELOG.md
├── CNAME
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── Dockerfile
├── INTHEWILD.md
├── LICENSE
├── Pipfile
├── README.md
├── SECURITY.md
├── bin/
│   ├── checkov
│   └── checkov.cmd
├── cdk_integration_tests/
│   ├── __init__.py
│   ├── prepare_data.sh
│   ├── run_integration_tests.sh
│   ├── src/
│   │   ├── python/
│   │   │   ├── ALBDropHttpHeaders/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── ALBListenerHTTPS/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── APIGatewayAccessLogging/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── APIGatewayAuthorization/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── APIGatewayCacheEnable/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── APIGatewayV2AccessLogging/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── APIGatewayXray/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── AmazonMQBrokerPublicAccess/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── AppSyncFieldLevelLogs/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── AppSyncLogging/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── AthenaWorkgroupConfiguration/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── AuroraEncryption/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── BackupVaultEncrypted/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── CloudFrontTLS12/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── CloudTrailLogValidation/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── CloudWatchLogGroupKMSKey/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── CloudWatchLogGroupRetention/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── CloudfrontDistributionEncryption/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── CloudfrontDistributionLogging/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── CloudtrailEncryption/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── CloudtrailMultiRegion/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── CodeBuildProjectEncryption/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── DAXEncryption/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── DMSReplicationInstancePubliclyAccessible/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── DocDBAuditLogs/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── DocDBEncryption/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── DocDBTLS/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── DynamodbGlobalTableRecovery/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── DynamodbRecovery/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── EBSEncryption/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── EC2PublicIP/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── ECRImageScanning/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── ECRImmutableTags/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── ECRRepositoryEncrypted/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── ECSClusterContainerInsights/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── ECSTaskDefinitionEFSVolumeEncryption/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── EFSEncryptionEnabled/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── EKSSecretsEncryption/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── ELBAccessLogs/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── ELBv2AccessLogs/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── ElasticacheReplicationGroupEncryptionAtRest/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── ElasticacheReplicationGroupEncryptionAtTransit/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── ElasticacheReplicationGroupEncryptionAtTransitAuthToken/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── ElasticsearchDomainEnforceHTTPS/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── ElasticsearchDomainLogging/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── ElasticsearchEncryption/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── ElasticsearchNodeToNodeEncryption/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── GlueDataCatalogEncryption/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── GlueSecurityConfiguration/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── GlueSecurityConfigurationEnabled/
│   │   │   │   ├── fail__3__.py
│   │   │   │   └── pass.py
│   │   │   ├── IAMPolicyAttachedToGroupOrRoles/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── KinesisStreamEncryptionType/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── LambdaDLQConfigured/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── LambdaEnvironmentCredentials/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── LambdaEnvironmentEncryptionSettings/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── LambdaFunctionLevelConcurrentExecutionLimit/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── LambdaInVPC/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── LaunchConfigurationEBSEncryption/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── NeptuneClusterStorageEncrypted/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── RDSEnhancedMonitorEnabled/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── RDSMultiAZEnabled/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── RDSPubliclyAccessible/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── RedShiftSSL/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── RedshiftClusterEncryption/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── RedshiftClusterLogging/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── RedshiftClusterPubliclyAccessible/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── RedshiftInEc2ClassicMode/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── S3BlockPublicACLs/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── S3BlockPublicPolicy/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── S3BucketEncryption/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── S3BucketKMSEncryption/
│   │   │   │   ├── fail__3__.py
│   │   │   │   └── pass.py
│   │   │   ├── S3BucketLogging/
│   │   │   │   ├── fail.py
│   │   │   │   └── pass.py
│   │   │   ├── S3BucketPublicAccessBlock/
│   │   │   │   ├── fail.py
│   │   │   │   └── pass.py
│   │   │   ├── S3BucketVersioning/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── S3IgnorePublicACLs/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── S3PublicACLRead/
│   │   │   │   ├── fail__3__.py
│   │   │   │   └── pass.py
│   │   │   ├── S3PublicACLWrite/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── S3RestrictPublicBuckets/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── SNSTopicEncryption/
│   │   │   │   ├── fail.py
│   │   │   │   └── pass.py
│   │   │   ├── SQSQueueEncryption/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── SecretManagerSecretEncrypted/
│   │   │   │   ├── fail__2__.py
│   │   │   │   └── pass.py
│   │   │   ├── SecurityGroupRuleDescription/
│   │   │   │   ├── fail__4__.py
│   │   │   │   └── pass.py
│   │   │   ├── TransferServerIsPublic/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── VPCEndpointAcceptanceConfigured/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── WAFEnabled/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── WorkspaceRootVolumeEncrypted/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   ├── WorkspaceUserVolumeEncrypted/
│   │   │   │   ├── fail__1__.py
│   │   │   │   └── pass.py
│   │   │   └── s3.py
│   │   └── typescript/
│   │       ├── ALBDropHttpHeaders/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── ALBListenerHTTPS/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── APIGatewayAccessLogging/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── APIGatewayAuthorization/
│   │       │   ├── fail.ts
│   │       │   ├── fail__2__.ts
│   │       │   ├── pass.ts
│   │       │   └── pass__2__.ts
│   │       ├── APIGatewayCacheEnable/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── APIGatewayV2AccessLogging/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── APIGatewayXray/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── AmazonMQBrokerPublicAccess/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── AppSyncFieldLevelLogs/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── AppSyncLogging/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── AthenaWorkgroupConfiguration/
│   │       │   ├── fail.ts
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── AuroraEncryption/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── BackupVaultEncrypted/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── CloudFrontTLS12/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── CloudTrailLogValidation/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── CloudWatchLogGroupKMSKey/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── CloudWatchLogGroupRetention/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── CloudfrontDistributionEncryption/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── CloudfrontDistributionLogging/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── CloudtrailEncryption/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── CloudtrailMultiRegion/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── CodeBuildProjectEncryption/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── DAXEncryption/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── DMSReplicationInstancePubliclyAccessible/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── DocDBAuditLogs/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── DocDBEncryption/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── DocDBTLS/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── DynamodbGlobalTableRecovery/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── DynamodcRecovery/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── EBSEncryption/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── EC2PublicIP/
│   │       │   ├── fail.ts
│   │       │   ├── fail_2.ts
│   │       │   └── pass.ts
│   │       ├── ECRImageScanning/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── ECRImmutableTags/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── ECRRepositoryEncrypted/
│   │       │   ├── fail.ts
│   │       │   ├── pass.ts
│   │       │   └── pass_2.ts
│   │       ├── ECSClusterContainerInsights/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── ECSTaskDefinitionEFSVolumeEncryption/
│   │       │   ├── fail.ts
│   │       │   ├── fail_2.ts
│   │       │   └── pass.ts
│   │       ├── EFSEncryptionEnabled/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── EKSSecretsEncryption/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── ELBAccessLogs/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── ELBv2AccessLogs/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── ElasticacheReplicationGroupEncryptionAtRest/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── ElasticacheReplicationGroupEncryptionAtTransit/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── ElasticacheReplicationGroupEncryptionAtTransitAuthToken/
│   │       │   ├── fail.ts
│   │       │   ├── pass.ts
│   │       │   └── pass_2.ts
│   │       ├── ElasticsearchDomainEnforceHTTPS/
│   │       │   ├── fail.ts
│   │       │   ├── fail_2.ts
│   │       │   ├── pass.ts
│   │       │   └── pass_2.ts
│   │       ├── ElasticsearchDomainLogging/
│   │       │   ├── fail.ts
│   │       │   ├── fail_2.ts
│   │       │   ├── pass.ts
│   │       │   └── pass_2.ts
│   │       ├── ElasticsearchEncryption/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── ElasticsearchNodeToNodeEncryption/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── GlueDataCatalogEncryption/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── GlueSecurityConfiguration/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── GlueSecurityConfigurationEnabled/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── IAMPolicyAttachedToGroupOrRoles/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── KinesisStreamEncryptionType/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── LambdaDLQConfigured/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── LambdaEnvironmentCredentials/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── LambdaEnvironmentEncryptionSettings/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── LambdaFunctionLevelConcurrentExecutionLimit/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── LambdaInVPC/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── LaunchConfigurationEBSEncryption/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── NeptuneClusterStorageEncrypted/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── RDSEnhancedMonitorEnabled/
│   │       │   ├── fail2.ts
│   │       │   └── pass.ts
│   │       ├── RDSMultiAZEnabled/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── RDSPubliclyAccessible/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── RedShiftSSL/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── RedshiftClusterEncryption/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── RedshiftClusterLogging/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── RedshiftClusterPubliclyAccessible/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── RedshiftInEc2ClassicMode/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── S3BlockPublicACLs/
│   │       │   ├── fail.ts
│   │       │   ├── fail__3__.ts
│   │       │   ├── pass.ts
│   │       │   ├── pass2.ts
│   │       │   └── pass3.ts
│   │       ├── S3BlockPublicPolicy/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── S3BucketEncryption/
│   │       │   ├── fail2__2__.ts
│   │       │   ├── fail__2__.ts
│   │       │   ├── pass.ts
│   │       │   └── pass2.ts
│   │       ├── S3BucketKMSEncryption/
│   │       │   ├── fail2__3__.ts
│   │       │   ├── fail__3__.ts
│   │       │   ├── pass.ts
│   │       │   └── pass2.ts
│   │       ├── S3BucketLogging/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   ├── pass.ts
│   │       │   └── pass2.ts
│   │       ├── S3BucketPublicAccessBlock/
│   │       │   ├── fail.ts
│   │       │   ├── fail2.ts
│   │       │   ├── pass.ts
│   │       │   └── pass2.ts
│   │       ├── S3BucketVersioning/
│   │       │   ├── fail2__2__.ts
│   │       │   ├── fail__2__.ts
│   │       │   ├── pass.ts
│   │       │   └── pass2.ts
│   │       ├── S3PublicACLRead/
│   │       │   ├── fail__3__.ts
│   │       │   └── pass.ts
│   │       ├── S3RestrictPublicBuckets/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── SNSTopicEncryption/
│   │       │   ├── fail.ts
│   │       │   └── pass.ts
│   │       ├── SQSQueueEncryption/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── SecretManagerSecretEncrypted/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── SecurityGroupRuleDescription/
│   │       │   ├── fail__4__.ts
│   │       │   └── pass.ts
│   │       ├── TransferServerIsPublic/
│   │       │   ├── fail__1__.ts
│   │       │   └── pass.ts
│   │       ├── VPCEndpointAcceptanceConfigured/
│   │       │   ├── fail__2__.ts
│   │       │   └── pass.ts
│   │       ├── WAFEnabled/
│   │       │   ├── fail__1__.ts
│   │       │   └── pass.ts
│   │       ├── WorkspaceRootVolumeEncrypted/
│   │       │   ├── fail__1__.ts
│   │       │   └── pass.ts
│   │       ├── WorkspaceUserVolumeEncrypted/
│   │       │   ├── fail__1__.ts
│   │       │   └── pass.ts
│   │       └── s3.ts
│   ├── test_checks_python.py
│   ├── test_checks_typescript.py
│   └── utils.py
├── checkov/
│   ├── __init__.py
│   ├── ansible/
│   │   ├── __init__.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── base_ansible_task_check.py
│   │   │   ├── base_ansible_task_value_check.py
│   │   │   ├── graph_checks/
│   │   │   │   ├── BlockErrorHandling.yaml
│   │   │   │   ├── DnfDisableGpgCheck.yaml
│   │   │   │   ├── DnfSslVerify.yaml
│   │   │   │   ├── DnfValidateCerts.yaml
│   │   │   │   ├── GetUrlHttpsOnly.yaml
│   │   │   │   ├── PanosIPsecAuthenticationAlgorithms.yaml
│   │   │   │   ├── PanosIPsecProtocols.yaml
│   │   │   │   ├── PanosInterfaceMgmtProfileNoHTTP.yaml
│   │   │   │   ├── PanosInterfaceMgmtProfileNoTelnet.yaml
│   │   │   │   ├── PanosPolicyDescription.yaml
│   │   │   │   ├── PanosPolicyLogForwarding.yaml
│   │   │   │   ├── PanosPolicyLogSessionStart.yaml
│   │   │   │   ├── PanosPolicyLoggingEnabled.yaml
│   │   │   │   ├── PanosPolicyNoApplicationAny.yaml
│   │   │   │   ├── PanosPolicyNoDSRI.yaml
│   │   │   │   ├── PanosPolicyNoServiceAny.yaml
│   │   │   │   ├── PanosPolicyNoSrcAnyDstAny.yaml
│   │   │   │   ├── PanosPolicyNoSrcZoneAnyNoDstZoneAny.yaml
│   │   │   │   ├── PanosZoneProtectionProfile.yaml
│   │   │   │   ├── PanosZoneUserIDIncludeACL.yaml
│   │   │   │   ├── UriHttpsOnly.yaml
│   │   │   │   └── __init__.py
│   │   │   ├── registry.py
│   │   │   └── task/
│   │   │       ├── __init__.py
│   │   │       ├── aws/
│   │   │       │   ├── EC2EBSOptimized.py
│   │   │       │   ├── EC2PublicIP.py
│   │   │       │   └── __init__.py
│   │   │       └── builtin/
│   │   │           ├── AptAllowUnauthenticated.py
│   │   │           ├── AptForce.py
│   │   │           ├── GetUrlValidateCerts.py
│   │   │           ├── UriValidateCerts.py
│   │   │           ├── YumSslVerify.py
│   │   │           ├── YumValidateCerts.py
│   │   │           └── __init__.py
│   │   ├── graph_builder/
│   │   │   ├── __init__.py
│   │   │   ├── graph_components/
│   │   │   │   ├── __init__.py
│   │   │   │   └── resource_types.py
│   │   │   └── local_graph.py
│   │   ├── runner.py
│   │   └── utils.py
│   ├── argo_workflows/
│   │   ├── __init__.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── base_argo_workflows_check.py
│   │   │   ├── registry.py
│   │   │   └── template/
│   │   │       ├── DefaultServiceAccount.py
│   │   │       ├── RunAsNonRoot.py
│   │   │       └── __init__.py
│   │   ├── common/
│   │   │   └── __init__.py
│   │   └── runner.py
│   ├── arm/
│   │   ├── __init__.py
│   │   ├── base_parameter_check.py
│   │   ├── base_registry.py
│   │   ├── base_resource_check.py
│   │   ├── base_resource_negative_value_check.py
│   │   ├── base_resource_value_check.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── graph_checks/
│   │   │   │   ├── AzureMLWorkspacePublicNetwork.yaml
│   │   │   │   ├── AzureSpringCloudConfigWithVnet.yaml
│   │   │   │   ├── SynapseLogMonitoringEnabledForSQLPool.yaml
│   │   │   │   ├── SynapseSQLPoolHasSecurityAlertPolicy.yaml
│   │   │   │   ├── SynapseSQLPoolHasVulnerabilityAssessment.yaml
│   │   │   │   ├── SynapseWorkspaceHasExtendedAuditLogs.yaml
│   │   │   │   └── __init__.py
│   │   │   ├── parameter/
│   │   │   │   ├── SecureStringParameterNoHardcodedValue.py
│   │   │   │   └── __init__.py
│   │   │   └── resource/
│   │   │       ├── ACRAdminAccountDisabled.py
│   │   │       ├── ACRAnonymousPullDisabled.py
│   │   │       ├── ACRContainerScanEnabled.py
│   │   │       ├── ACREnableImageQuarantine.py
│   │   │       ├── ACREnableZoneRedundancy.py
│   │   │       ├── ACRPublicNetworkAccessDisabled.py
│   │   │       ├── AKSApiServerAuthorizedIpRanges.py
│   │   │       ├── AKSDashboardDisabled.py
│   │   │       ├── AKSEncryptionAtHostEnabled.py
│   │   │       ├── AKSEphemeralOSDisks.py
│   │   │       ├── AKSLocalAdminDisabled.py
│   │   │       ├── AKSLoggingEnabled.py
│   │   │       ├── AKSMaxPodsMinimum.py
│   │   │       ├── AKSNetworkPolicy.py
│   │   │       ├── AKSPoolTypeIsScaleSet.py
│   │   │       ├── AKSRbacEnabled.py
│   │   │       ├── AKSUpgradeChannel.py
│   │   │       ├── APIManagementMinTLS12.py
│   │   │       ├── APIManagementPublicAccess.py
│   │   │       ├── APIServicesUseVirtualNetwork.py
│   │   │       ├── AkSSecretStoreRotation.py
│   │   │       ├── AppGWDefinesSecureProtocols.py
│   │   │       ├── AppGatewayWAFACLCVE202144228.py
│   │   │       ├── AppServiceAuthentication.py
│   │   │       ├── AppServiceClientCertificate.py
│   │   │       ├── AppServiceDetailedErrorMessagesEnabled.py
│   │   │       ├── AppServiceDisallowCORS.py
│   │   │       ├── AppServiceDotnetFrameworkVersion.py
│   │   │       ├── AppServiceEnableFailedRequest.py
│   │   │       ├── AppServiceFTPSState.py
│   │   │       ├── AppServiceHTTPSOnly.py
│   │   │       ├── AppServiceHttpLoggingEnabled.py
│   │   │       ├── AppServiceHttps20Enabled.py
│   │   │       ├── AppServiceIdentity.py
│   │   │       ├── AppServiceIdentityProviderEnabled.py
│   │   │       ├── AppServiceInstanceMinimum.py
│   │   │       ├── AppServiceJavaVersion.py
│   │   │       ├── AppServiceMinTLSVersion.py
│   │   │       ├── AppServicePHPVersion.py
│   │   │       ├── AppServicePlanZoneRedundant.py
│   │   │       ├── AppServicePublicAccessDisabled.py
│   │   │       ├── AppServicePythonVersion.py
│   │   │       ├── AppServiceRemoteDebuggingNotEnabled.py
│   │   │       ├── AppServiceSetHealthCheck.py
│   │   │       ├── AppServiceSlotDebugDisabled.py
│   │   │       ├── AppServiceSlotHTTPSOnly.py
│   │   │       ├── AppServiceUsedAzureFiles.py
│   │   │       ├── AutomationEncrypted.py
│   │   │       ├── AzureBatchAccountEndpointAccessDefaultAction.py
│   │   │       ├── AzureBatchAccountUsesKeyVaultEncryption.py
│   │   │       ├── AzureDataExplorerDoubleEncryptionEnabled.py
│   │   │       ├── AzureDefenderOnKeyVaults.py
│   │   │       ├── AzureDefenderOnKubernetes.py
│   │   │       ├── AzureDefenderOnSqlServersVMS.py
│   │   │       ├── AzureDefenderOnStorage.py
│   │   │       ├── AzureFirewallDenyThreatIntelMode.py
│   │   │       ├── AzureFrontDoorEnablesWAF.py
│   │   │       ├── AzureInstanceExtensions.py
│   │   │       ├── AzureInstancePassword.py
│   │   │       ├── AzureMLWorkspacePrivateEndpoint.py
│   │   │       ├── AzureManagedDiscEncryption.py
│   │   │       ├── AzureManagedDiskEncryptionSet.py
│   │   │       ├── AzureScaleSetPassword.py
│   │   │       ├── AzureSearchSLAIndex.py
│   │   │       ├── AzureSearchSLAQueryUpdates.py
│   │   │       ├── AzureServiceFabricClusterProtectionLevel.py
│   │   │       ├── AzureSparkPoolIsolatedComputeEnabled.py
│   │   │       ├── AzureSynapseWorkspaceVAisEnabled.py
│   │   │       ├── AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.py
│   │   │       ├── CognitiveServicesConfigureIdentity.py
│   │   │       ├── CognitiveServicesDisablesPublicNetwork.py
│   │   │       ├── CognitiveServicesEnableLocalAuth.py
│   │   │       ├── CosmosDBAccountsRestrictedAccess.py
│   │   │       ├── CosmosDBDisableAccessKeyWrite.py
│   │   │       ├── CosmosDBDisablesPublicNetwork.py
│   │   │       ├── CosmosDBHaveCMK.py
│   │   │       ├── CosmosDBLocalAuthDisabled.py
│   │   │       ├── CustomRoleDefinitionSubscriptionOwner.py
│   │   │       ├── DataExplorerUsesDiskEncryption.py
│   │   │       ├── DataFactoryNoPublicNetworkAccess.py
│   │   │       ├── DataFactoryUsesGitRepository.py
│   │   │       ├── DataLakeStoreEncryption.py
│   │   │       ├── DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py
│   │   │       ├── DatabricksWorkspaceIsNotPublic.py
│   │   │       ├── EventHubNamespaceMinTLS12.py
│   │   │       ├── EventgridTopicIdentityProviderEnabled.py
│   │   │       ├── EventgridTopicLocalAuthentication.py
│   │   │       ├── EventgridTopicNetworkAccess.py
│   │   │       ├── FrontDoorWAFACLCVE202144228.py
│   │   │       ├── FrontdoorUseWAFMode.py
│   │   │       ├── FunctionAppDisallowCORS.py
│   │   │       ├── FunctionAppHttpVersionLatest.py
│   │   │       ├── FunctionAppMinTLSVersion.py
│   │   │       ├── FunctionAppsAccessibleOverHttps.py
│   │   │       ├── FunctionAppsEnableAuthentication.py
│   │   │       ├── KeyBackedByHSM.py
│   │   │       ├── KeyExpirationDate.py
│   │   │       ├── KeyVaultDisablesPublicNetworkAccess.py
│   │   │       ├── KeyVaultEnablesFirewallRulesSettings.py
│   │   │       ├── KeyVaultEnablesPurgeProtection.py
│   │   │       ├── KeyVaultEnablesSoftDelete.py
│   │   │       ├── KeyvaultRecoveryEnabled.py
│   │   │       ├── LinuxVMUsesSSH.py
│   │   │       ├── MSSQLServerMinTLSVersion.py
│   │   │       ├── MariaDBGeoBackupEnabled.py
│   │   │       ├── MariaDBPublicAccessDisabled.py
│   │   │       ├── MariaDBSSLEnforcementEnabled.py
│   │   │       ├── MonitorLogProfileCategories.py
│   │   │       ├── MonitorLogProfileRetentionDays.py
│   │   │       ├── MySQLEncryptionEnabled.py
│   │   │       ├── MySQLGeoBackupEnabled.py
│   │   │       ├── MySQLPublicAccessDisabled.py
│   │   │       ├── MySQLServerMinTLSVersion.py
│   │   │       ├── MySQLServerSSLEnforcementEnabled.py
│   │   │       ├── NSGRuleHTTPAccessRestricted.py
│   │   │       ├── NSGRulePortAccessRestricted.py
│   │   │       ├── NSGRuleRDPAccessRestricted.py
│   │   │       ├── NSGRuleSSHAccessRestricted.py
│   │   │       ├── NetworkWatcherFlowLogPeriod.py
│   │   │       ├── PostgreSQLEncryptionEnabled.py
│   │   │       ├── PostgreSQLServerConnectionThrottlingEnabled.py
│   │   │       ├── PostgreSQLServerLogCheckpointsEnabled.py
│   │   │       ├── PostgreSQLServerLogConnectionsEnabled.py
│   │   │       ├── PostgreSQLServerPublicAccessDisabled.py
│   │   │       ├── PostgreSQLServerSSLEnforcementEnabled.py
│   │   │       ├── PostgressSQLGeoBackupEnabled.py
│   │   │       ├── PubsubSKUSLA.py
│   │   │       ├── PubsubSpecifyIdentity.py
│   │   │       ├── RedisCachePublicNetworkAccessEnabled.py
│   │   │       ├── SQLDatabaseZoneRedundant.py
│   │   │       ├── SQLServerAuditingEnabled.py
│   │   │       ├── SQLServerAuditingRetention90Days.py
│   │   │       ├── SQLServerEmailAlertsEnabled.py
│   │   │       ├── SQLServerEmailAlertsToAdminsEnabled.py
│   │   │       ├── SQLServerHasPublicAccessDisabled.py
│   │   │       ├── SQLServerNoPublicAccess.py
│   │   │       ├── SQLServerThreatDetectionTypes.py
│   │   │       ├── SQLServerUsesADAuth.py
│   │   │       ├── SecretContentType.py
│   │   │       ├── SecretExpirationDate.py
│   │   │       ├── SecurityCenterContactEmailAlert.py
│   │   │       ├── SecurityCenterContactEmailAlertAdmins.py
│   │   │       ├── SecurityCenterContactPhone.py
│   │   │       ├── SecurityCenterStandardPricing.py
│   │   │       ├── StorageAccountAzureServicesAccessEnabled.py
│   │   │       ├── StorageAccountDefaultNetworkAccessDeny.py
│   │   │       ├── StorageAccountDisablePublicAccess.py
│   │   │       ├── StorageAccountLoggingQueueServiceEnabled.py
│   │   │       ├── StorageAccountMinimumTlsVersion.py
│   │   │       ├── StorageAccountName.py
│   │   │       ├── StorageAccountsTransportEncryption.py
│   │   │       ├── StorageAccountsUseReplication.py
│   │   │       ├── StorageBlobServiceContainerPrivateAccess.py
│   │   │       ├── StorageSyncPublicAccessDisabled.py
│   │   │       ├── SynapseWorkspaceAdministratorLoginPasswordHidden.py
│   │   │       ├── SynapseWorkspaceCMKEncryption.py
│   │   │       ├── SynapseWorkspaceEnablesDataExfilProtection.py
│   │   │       ├── SynapseWorkspaceEnablesManagedVirtualNetworks.py
│   │   │       ├── VMCredsInCustomData.py
│   │   │       ├── VMDisablePasswordAuthentication.py
│   │   │       ├── VMEncryptionAtHostEnabled.py
│   │   │       ├── VMScaleSetsAutoOSImagePatchingEnabled.py
│   │   │       ├── VMStorageOsDisk.py
│   │   │       ├── VnetLocalDNS.py
│   │   │       ├── VnetSingleDNSServer.py
│   │   │       ├── WinVMAutomaticUpdates.py
│   │   │       ├── WinVMEncryptionAtHost.py
│   │   │       └── __init__.py
│   │   ├── context_parser.py
│   │   ├── graph_builder/
│   │   │   ├── __init__.py
│   │   │   ├── definition_context.py
│   │   │   ├── graph_components/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── block_types.py
│   │   │   │   └── blocks.py
│   │   │   ├── graph_to_definitions.py
│   │   │   ├── local_graph.py
│   │   │   └── variable_rendering/
│   │   │       ├── __init__.py
│   │   │       └── renderer.py
│   │   ├── graph_manager.py
│   │   ├── parser/
│   │   │   ├── __init__.py
│   │   │   └── parser.py
│   │   ├── registry.py
│   │   ├── runner.py
│   │   └── utils.py
│   ├── azure_pipelines/
│   │   ├── __init__.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── base_azure_pipelines_check.py
│   │   │   ├── job/
│   │   │   │   ├── ContainerDigest.py
│   │   │   │   ├── ContainerLatestTag.py
│   │   │   │   ├── DetectImagesUsage.py
│   │   │   │   ├── SetSecretVariable.py
│   │   │   │   └── __init__.py
│   │   │   └── registry.py
│   │   ├── common/
│   │   │   ├── __init__.py
│   │   │   └── resource_id_utils.py
│   │   └── runner.py
│   ├── bicep/
│   │   ├── __init__.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── graph_checks/
│   │   │   │   ├── SQLServerAuditingEnabled.yaml
│   │   │   │   ├── SQLServerAuditingRetention90Days.yaml
│   │   │   │   ├── SQLServerThreatDetectionTypes.yaml
│   │   │   │   └── __init__.py
│   │   │   ├── param/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── azure/
│   │   │   │   │   ├── SecureStringParameterNoHardcodedValue.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── base_param_check.py
│   │   │   │   ├── base_registry.py
│   │   │   │   └── registry.py
│   │   │   └── resource/
│   │   │       ├── __init__.py
│   │   │       ├── azure/
│   │   │       │   ├── StorageAccountAzureServicesAccessEnabled.py
│   │   │       │   ├── StorageAccountDefaultNetworkAccessDeny.py
│   │   │       │   ├── StorageAccountsTransportEncryption.py
│   │   │       │   └── __init__.py
│   │   │       ├── base_registry.py
│   │   │       ├── base_resource_check.py
│   │   │       ├── base_resource_value_check.py
│   │   │       └── registry.py
│   │   ├── graph_builder/
│   │   │   ├── __init__.py
│   │   │   ├── context_definitions.py
│   │   │   ├── graph_components/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── block_types.py
│   │   │   │   └── blocks.py
│   │   │   ├── graph_to_tf_definitions.py
│   │   │   ├── local_graph.py
│   │   │   └── variable_rendering/
│   │   │       ├── __init__.py
│   │   │       └── renderer.py
│   │   ├── graph_manager.py
│   │   ├── image_referencer/
│   │   │   ├── __init__.py
│   │   │   ├── base_provider.py
│   │   │   ├── manager.py
│   │   │   └── provider/
│   │   │       ├── __init__.py
│   │   │       └── azure.py
│   │   ├── parser.py
│   │   ├── runner.py
│   │   └── utils.py
│   ├── bitbucket/
│   │   ├── __init__.py
│   │   ├── base_bitbucket_configuration_check.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   └── merge_requests_approvals.py
│   │   ├── dal.py
│   │   ├── registry.py
│   │   ├── runner.py
│   │   └── schemas/
│   │       ├── __init__.py
│   │       └── branch_restrictions.py
│   ├── bitbucket_pipelines/
│   │   ├── __init__.py
│   │   ├── base_bitbucket_pipelines_check.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   └── latest_image.py
│   │   ├── registry.py
│   │   └── runner.py
│   ├── cdk/
│   │   ├── __init__.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── python/
│   │   │   │   ├── ALBDropHttpHeaders.yaml
│   │   │   │   ├── ALBListenerHTTPS.yaml
│   │   │   │   ├── APIGatewayAccessLogging.yaml
│   │   │   │   ├── APIGatewayAuthorization.yaml
│   │   │   │   ├── APIGatewayCacheEnable.yaml
│   │   │   │   ├── APIGatewayV2AccessLogging.yaml
│   │   │   │   ├── APIGatewayXray.yaml
│   │   │   │   ├── AmazonMQBrokerPublicAccess.yaml
│   │   │   │   ├── AppSyncFieldLevelLogs.yaml
│   │   │   │   ├── AppSyncLogging.yaml
│   │   │   │   ├── AthenaWorkgroupConfiguration.yaml
│   │   │   │   ├── AuroraEncryption.yaml
│   │   │   │   ├── BackupVaultEncrypted.yaml
│   │   │   │   ├── CloudFrontTLS12.yaml
│   │   │   │   ├── CloudTrailLogValidation.yaml
│   │   │   │   ├── CloudWatchLogGroupKMSKey.yaml
│   │   │   │   ├── CloudWatchLogGroupRetention.yaml
│   │   │   │   ├── CloudfrontDistributionEncryption.yaml
│   │   │   │   ├── CloudfrontDistributionLogging.yaml
│   │   │   │   ├── CloudtrailEncryption.yaml
│   │   │   │   ├── CloudtrailMultiRegion.yaml
│   │   │   │   ├── CodeBuildProjectEncryption.yaml
│   │   │   │   ├── DAXEncryption.yaml
│   │   │   │   ├── DMSReplicationInstancePubliclyAccessible.yaml
│   │   │   │   ├── DocDBAuditLogs.yaml
│   │   │   │   ├── DocDBEncryption.yaml
│   │   │   │   ├── DocDBTLS.yaml
│   │   │   │   ├── DynamodbGlobalTableRecovery.yaml
│   │   │   │   ├── DynamodbRecovery.yaml
│   │   │   │   ├── EBSEncryption.yaml
│   │   │   │   ├── EC2PublicIP.yaml
│   │   │   │   ├── ECRImageScanning.yaml
│   │   │   │   ├── ECRImmutableTags.yaml
│   │   │   │   ├── ECRRepositoryEncrypted.yaml
│   │   │   │   ├── ECSClusterContainerInsights.yaml
│   │   │   │   ├── ECSTaskDefinitionEFSVolumeEncryption.yaml
│   │   │   │   ├── EFSEncryptionEnabled.yaml
│   │   │   │   ├── EKSSecretsEncryption.yaml
│   │   │   │   ├── ELBAccessLogs.yaml
│   │   │   │   ├── ELBv2AccessLogs.yaml
│   │   │   │   ├── ElasticacheReplicationGroupEncryptionAtRest.yaml
│   │   │   │   ├── ElasticacheReplicationGroupEncryptionAtTransit.yaml
│   │   │   │   ├── ElasticacheReplicationGroupEncryptionAtTransitAuthToken.yaml
│   │   │   │   ├── ElasticsearchDomainEnforceHTTPS.yaml
│   │   │   │   ├── ElasticsearchDomainLogging.yaml
│   │   │   │   ├── ElasticsearchEncryption.yaml
│   │   │   │   ├── ElasticsearchNodeToNodeEncryption.yaml
│   │   │   │   ├── GlueDataCatalogEncryption.yaml
│   │   │   │   ├── GlueSecurityConfiguration.yaml
│   │   │   │   ├── GlueSecurityConfigurationEnabled.yaml
│   │   │   │   ├── IAMPolicyAttachedToGroupOrRoles.yaml
│   │   │   │   ├── KinesisStreamEncryptionType.yaml
│   │   │   │   ├── LambdaDLQConfigured.yaml
│   │   │   │   ├── LambdaEnvironmentCredentials.yaml
│   │   │   │   ├── LambdaEnvironmentEncryptionSettings.yaml
│   │   │   │   ├── LambdaFunctionLevelConcurrentExecutionLimit.yaml
│   │   │   │   ├── LambdaInVPC.yaml
│   │   │   │   ├── LaunchConfigurationEBSEncryption.yaml
│   │   │   │   ├── NeptuneClusterStorageEncrypted.yaml
│   │   │   │   ├── RDSEnhancedMonitorEnabled.yaml
│   │   │   │   ├── RDSMultiAZEnabled.yaml
│   │   │   │   ├── RDSPubliclyAccessible.yaml
│   │   │   │   ├── RedShiftSSL.yaml
│   │   │   │   ├── RedshiftClusterEncryption.yaml
│   │   │   │   ├── RedshiftClusterLogging.yaml
│   │   │   │   ├── RedshiftClusterPubliclyAccessible.yaml
│   │   │   │   ├── RedshiftInEc2ClassicMode.yaml
│   │   │   │   ├── S3BlockPublicACLs.yaml
│   │   │   │   ├── S3BlockPublicPolicy.yaml
│   │   │   │   ├── S3BucketEncryption.yaml
│   │   │   │   ├── S3BucketKMSEncryption.yaml
│   │   │   │   ├── S3BucketLogging.yaml
│   │   │   │   ├── S3BucketPublicAccessBlock.yaml
│   │   │   │   ├── S3BucketVersioning.yaml
│   │   │   │   ├── S3IgnorePublicACLs.yaml
│   │   │   │   ├── S3PublicACLRead.yaml
│   │   │   │   ├── S3PublicACLWrite.yaml
│   │   │   │   ├── S3RestrictPublicBuckets.yaml
│   │   │   │   ├── SNSTopicEncryption.yaml
│   │   │   │   ├── SQSQueueEncryption.yaml
│   │   │   │   ├── SecretManagerSecretEncrypted.yaml
│   │   │   │   ├── SecurityGroupRuleDescription.yaml
│   │   │   │   ├── TransferServerIsPublic.yaml
│   │   │   │   ├── VPCEndpointAcceptanceConfigured.yaml
│   │   │   │   ├── WAFEnabled.yaml
│   │   │   │   ├── WorkspaceRootVolumeEncrypted.yaml
│   │   │   │   └── WorkspaceUserVolumeEncrypted.yaml
│   │   │   └── typescript/
│   │   │       ├── ALBDropHttpHeaders.yaml
│   │   │       ├── ALBListenerHTTPS.yaml
│   │   │       ├── APIGatewayAccessLogging.yaml
│   │   │       ├── APIGatewayAuthorization.yaml
│   │   │       ├── APIGatewayCacheEnable.yaml
│   │   │       ├── APIGatewayV2AccessLogging.yaml
│   │   │       ├── APIGatewayXray.yaml
│   │   │       ├── AmazonMQBrokerPublicAccess.yaml
│   │   │       ├── AppSyncFieldLevelLogs.yaml
│   │   │       ├── AppSyncLogging.yaml
│   │   │       ├── AthenaWorkgroupConfiguration.yaml
│   │   │       ├── AuroraEncryption.yaml
│   │   │       ├── BackupVaultEncrypted.yaml
│   │   │       ├── CloudFrontTLS12.yaml
│   │   │       ├── CloudTrailLogValidation.yaml
│   │   │       ├── CloudWatchLogGroupKMSKey.yaml
│   │   │       ├── CloudWatchLogGroupRetention.yaml
│   │   │       ├── CloudfrontDistributionEncryption.yaml
│   │   │       ├── CloudfrontDistributionLogging.yaml
│   │   │       ├── CloudtrailEncryption.yaml
│   │   │       ├── CloudtrailMultiRegion.yaml
│   │   │       ├── CodeBuildProjectEncryption.yaml
│   │   │       ├── DAXEncryption.yaml
│   │   │       ├── DMSReplicationInstancePubliclyAccessible.yaml
│   │   │       ├── DocDBAuditLogs.yaml
│   │   │       ├── DocDBEncryption.yaml
│   │   │       ├── DocDBTLS.yaml
│   │   │       ├── DynamodbGlobalTableRecovery.yaml
│   │   │       ├── DynamodbRecovery.yaml
│   │   │       ├── EBSEncryption.yaml
│   │   │       ├── EC2PublicIP.yaml
│   │   │       ├── ECRImageScanning.yaml
│   │   │       ├── ECRImmutableTags.yaml
│   │   │       ├── ECRRepositoryEncrypted.yaml
│   │   │       ├── ECSClusterContainerInsights.yaml
│   │   │       ├── ECSTaskDefinitionEFSVolumeEncryption.yaml
│   │   │       ├── EFSEncryptionEnabled.yaml
│   │   │       ├── EKSSecretsEncryption.yaml
│   │   │       ├── ELBAccessLogs.yaml
│   │   │       ├── ELBv2AccessLogs.yaml
│   │   │       ├── ElasticacheReplicationGroupEncryptionAtRest.yaml
│   │   │       ├── ElasticacheReplicationGroupEncryptionAtTransit.yaml
│   │   │       ├── ElasticacheReplicationGroupEncryptionAtTransitAuthToken.yaml
│   │   │       ├── ElasticsearchDomainEnforceHTTPS.yaml
│   │   │       ├── ElasticsearchDomainLogging.yaml
│   │   │       ├── ElasticsearchEncryption.yaml
│   │   │       ├── ElasticsearchNodeToNodeEncryption.yaml
│   │   │       ├── GlueDataCatalogEncryption.yaml
│   │   │       ├── GlueSecurityConfiguration.yaml
│   │   │       ├── GlueSecurityConfigurationEnabled.yaml
│   │   │       ├── IAMPolicyAttachedToGroupOrRoles.yaml
│   │   │       ├── KinesisStreamEncryptionType.yaml
│   │   │       ├── LambdaDLQConfigured.yaml
│   │   │       ├── LambdaEnvironmentCredentials.yaml
│   │   │       ├── LambdaEnvironmentEncryptionSettings.yaml
│   │   │       ├── LambdaFunctionLevelConcurrentExecutionLimit.yaml
│   │   │       ├── LambdaInVPC.yaml
│   │   │       ├── LaunchConfigurationEBSEncryption.yaml
│   │   │       ├── NeptuneClusterStorageEncrypted.yaml
│   │   │       ├── RDSEnhancedMonitorEnabled.yaml
│   │   │       ├── RDSMultiAZEnabled.yaml
│   │   │       ├── RDSPubliclyAccessible.yaml
│   │   │       ├── RedShiftSSL.yaml
│   │   │       ├── RedshiftClusterEncryption.yaml
│   │   │       ├── RedshiftClusterLogging.yaml
│   │   │       ├── RedshiftClusterPubliclyAccessible.yaml
│   │   │       ├── RedshiftInEc2ClassicMode.yaml
│   │   │       ├── S3BlockPublicACLs.yaml
│   │   │       ├── S3BlockPublicPolicy.yaml
│   │   │       ├── S3BucketEncryption.yaml
│   │   │       ├── S3BucketKMSEncryption.yaml
│   │   │       ├── S3BucketLogging.yaml
│   │   │       ├── S3BucketPublicAccessBlock.yaml
│   │   │       ├── S3BucketVersioning.yaml
│   │   │       ├── S3PublicACLRead.yaml
│   │   │       ├── S3RestrictPublicBuckets.yaml
│   │   │       ├── SNSTopicEncryption.yaml
│   │   │       ├── SQSQueueEncryption.yaml
│   │   │       ├── SecretManagerSecretEncrypted.yaml
│   │   │       ├── SecurityGroupRuleDescription.yaml
│   │   │       ├── TransferServerIsPublic.yaml
│   │   │       ├── VPCEndpointAcceptanceConfigured.yaml
│   │   │       ├── WAFEnabled.yaml
│   │   │       ├── WorkspaceRootVolumeEncrypted.yaml
│   │   │       └── WorkspaceUserVolumeEncrypted.yaml
│   │   ├── checks_infra/
│   │   │   ├── __init__.py
│   │   │   └── base_registry.py
│   │   ├── report.py
│   │   └── runner.py
│   ├── circleci_pipelines/
│   │   ├── __init__.py
│   │   ├── base_circleci_pipelines_check.py
│   │   ├── checks/
│   │   │   ├── DetectImagesUsage.py
│   │   │   ├── ReverseShellNetcat.py
│   │   │   ├── ShellInjection.py
│   │   │   ├── SuspectCurlInScript.py
│   │   │   ├── __init__.py
│   │   │   ├── image_version_not_hash.py
│   │   │   ├── latest_image.py
│   │   │   ├── prevent_development_orbs.py
│   │   │   └── prevent_volatile_orbs.py
│   │   ├── common/
│   │   │   ├── __init__.py
│   │   │   └── shell_injection_list.py
│   │   ├── registry.py
│   │   └── runner.py
│   ├── cloudformation/
│   │   ├── __init__.py
│   │   ├── cfn_utils.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── graph_checks/
│   │   │   │   ├── ACMWildcardDomainName.yaml
│   │   │   │   ├── AppSyncProtectedByWAF.yaml
│   │   │   │   ├── CloudfrontOriginNotHTTPSOnly.yaml
│   │   │   │   ├── LambdaOpenCorsPolicy.yaml
│   │   │   │   ├── RDSEncryptionInTransit.yaml
│   │   │   │   ├── SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml
│   │   │   │   └── __init__.py
│   │   │   ├── resource/
│   │   │   │   ├── BaseCloudsplainingIAMCheck.py
│   │   │   │   ├── __init__.py
│   │   │   │   ├── aws/
│   │   │   │   │   ├── ALBDropHttpHeaders.py
│   │   │   │   │   ├── ALBListenerHTTPS.py
│   │   │   │   │   ├── ALBListenerTLS12.py
│   │   │   │   │   ├── APIGatewayAccessLogging.py
│   │   │   │   │   ├── APIGatewayAuthorization.py
│   │   │   │   │   ├── APIGatewayCacheEnable.py
│   │   │   │   │   ├── APIGatewayV2AccessLogging.py
│   │   │   │   │   ├── APIGatewayXray.py
│   │   │   │   │   ├── AbsSecurityGroupUnrestrictedIngress.py
│   │   │   │   │   ├── AmazonMQBrokerPublicAccess.py
│   │   │   │   │   ├── AppSyncFieldLevelLogs.py
│   │   │   │   │   ├── AppSyncLogging.py
│   │   │   │   │   ├── AthenaWorkgroupConfiguration.py
│   │   │   │   │   ├── AuroraEncryption.py
│   │   │   │   │   ├── BackupVaultEncrypted.py
│   │   │   │   │   ├── BedrockAgentEncrypted.py
│   │   │   │   │   ├── CloudFrontTLS12.py
│   │   │   │   │   ├── CloudWatchLogGroupKMSKey.py
│   │   │   │   │   ├── CloudWatchLogGroupRetention.py
│   │   │   │   │   ├── CloudfrontDistributionEncryption.py
│   │   │   │   │   ├── CloudfrontDistributionLogging.py
│   │   │   │   │   ├── CloudtrailEncryption.py
│   │   │   │   │   ├── CloudtrailLogValidation.py
│   │   │   │   │   ├── CloudtrailMultiRegion.py
│   │   │   │   │   ├── CodeBuildProjectEncryption.py
│   │   │   │   │   ├── CognitoUnauthenticatedIdentities.py
│   │   │   │   │   ├── DAXEncryption.py
│   │   │   │   │   ├── DMSReplicationInstancePubliclyAccessible.py
│   │   │   │   │   ├── DeprecatedLambdaRuntime.py
│   │   │   │   │   ├── DocDBAuditLogs.py
│   │   │   │   │   ├── DocDBBackupRetention.py
│   │   │   │   │   ├── DocDBEncryption.py
│   │   │   │   │   ├── DocDBLogging.py
│   │   │   │   │   ├── DocDBTLS.py
│   │   │   │   │   ├── DynamoDBTablesEncrypted.py
│   │   │   │   │   ├── DynamodbGlobalTableRecovery.py
│   │   │   │   │   ├── DynamodbRecovery.py
│   │   │   │   │   ├── EBSDefaultEncryption.py
│   │   │   │   │   ├── EBSEncryption.py
│   │   │   │   │   ├── EC2Credentials.py
│   │   │   │   │   ├── EC2PublicIP.py
│   │   │   │   │   ├── ECRImageScanning.py
│   │   │   │   │   ├── ECRImmutableTags.py
│   │   │   │   │   ├── ECRPolicy.py
│   │   │   │   │   ├── ECRRepositoryEncrypted.py
│   │   │   │   │   ├── ECSClusterContainerInsights.py
│   │   │   │   │   ├── ECSTaskDefinitionEFSVolumeEncryption.py
│   │   │   │   │   ├── EFSEncryptionEnabled.py
│   │   │   │   │   ├── EKSControlPlaneLogging.py
│   │   │   │   │   ├── EKSNodeGroupRemoteAccess.py
│   │   │   │   │   ├── EKSPublicAccess.py
│   │   │   │   │   ├── EKSPublicAccessCIDR.py
│   │   │   │   │   ├── EKSSecretsEncryption.py
│   │   │   │   │   ├── ELBAccessLogs.py
│   │   │   │   │   ├── ELBv2AccessLogs.py
│   │   │   │   │   ├── ElasticacheReplicationGroupEncryptionAtRest.py
│   │   │   │   │   ├── ElasticacheReplicationGroupEncryptionAtTransit.py
│   │   │   │   │   ├── ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py
│   │   │   │   │   ├── ElasticsearchDomainAuditLogging.py
│   │   │   │   │   ├── ElasticsearchDomainEnforceHTTPS.py
│   │   │   │   │   ├── ElasticsearchDomainLogging.py
│   │   │   │   │   ├── ElasticsearchEncryption.py
│   │   │   │   │   ├── ElasticsearchNodeToNodeEncryption.py
│   │   │   │   │   ├── GlobalAcceleratorAcceleratorFlowLogs.py
│   │   │   │   │   ├── GlueDataCatalogEncryption.py
│   │   │   │   │   ├── GlueSecurityConfiguration.py
│   │   │   │   │   ├── GlueSecurityConfigurationEnabled.py
│   │   │   │   │   ├── IAMAdminPolicyDocument.py
│   │   │   │   │   ├── IAMCredentialsExposure.py
│   │   │   │   │   ├── IAMDataExfiltration.py
│   │   │   │   │   ├── IAMPermissionsManagement.py
│   │   │   │   │   ├── IAMPolicyAttachedToGroupOrRoles.py
│   │   │   │   │   ├── IAMPrivilegeEscalation.py
│   │   │   │   │   ├── IAMRoleAllowAssumeFromAccount.py
│   │   │   │   │   ├── IAMRoleAllowsPublicAssume.py
│   │   │   │   │   ├── IAMStarActionPolicyDocument.py
│   │   │   │   │   ├── IAMWriteAccess.py
│   │   │   │   │   ├── IMDSv1Disabled.py
│   │   │   │   │   ├── KMSKeyWildCardPrincipal.py
│   │   │   │   │   ├── KMSRotation.py
│   │   │   │   │   ├── KinesisStreamEncryptionType.py
│   │   │   │   │   ├── LambdaDLQConfigured.py
│   │   │   │   │   ├── LambdaEnvironmentCredentials.py
│   │   │   │   │   ├── LambdaEnvironmentEncryptionSettings.py
│   │   │   │   │   ├── LambdaFunctionLevelConcurrentExecutionLimit.py
│   │   │   │   │   ├── LambdaFunctionURLAuth.py
│   │   │   │   │   ├── LambdaInVPC.py
│   │   │   │   │   ├── LambdaServicePermission.py
│   │   │   │   │   ├── LaunchConfigurationEBSEncryption.py
│   │   │   │   │   ├── MQBrokerAuditLogging.py
│   │   │   │   │   ├── MSKClusterEncryption.py
│   │   │   │   │   ├── MSKClusterLogging.py
│   │   │   │   │   ├── MSKClusterNodesArePrivate.py
│   │   │   │   │   ├── NeptuneClusterBackupRetention.py
│   │   │   │   │   ├── NeptuneClusterInstancePublic.py
│   │   │   │   │   ├── NeptuneClusterLogging.py
│   │   │   │   │   ├── NeptuneClusterStorageEncrypted.py
│   │   │   │   │   ├── ParameterStoreCredentials.py
│   │   │   │   │   ├── PasswordPolicyExpiration.py
│   │   │   │   │   ├── PasswordPolicyLength.py
│   │   │   │   │   ├── PasswordPolicyLowercaseLetter.py
│   │   │   │   │   ├── PasswordPolicyNumber.py
│   │   │   │   │   ├── PasswordPolicyReuse.py
│   │   │   │   │   ├── PasswordPolicySymbol.py
│   │   │   │   │   ├── PasswordPolicyUppercaseLetter.py
│   │   │   │   │   ├── QLDBLedgerDeletionProtection.py
│   │   │   │   │   ├── QLDBLedgerPermissionsMode.py
│   │   │   │   │   ├── RDSClusterIAMAuthentication.py
│   │   │   │   │   ├── RDSEncryption.py
│   │   │   │   │   ├── RDSEnhancedMonitorEnabled.py
│   │   │   │   │   ├── RDSIAMAuthentication.py
│   │   │   │   │   ├── RDSMultiAZEnabled.py
│   │   │   │   │   ├── RDSPubliclyAccessible.py
│   │   │   │   │   ├── RedShiftSSL.py
│   │   │   │   │   ├── RedshiftClusterEncryption.py
│   │   │   │   │   ├── RedshiftClusterLogging.py
│   │   │   │   │   ├── RedshiftClusterPubliclyAccessible.py
│   │   │   │   │   ├── RedshiftInEc2ClassicMode.py
│   │   │   │   │   ├── S3AccessLogs.py
│   │   │   │   │   ├── S3BlockPublicACLs.py
│   │   │   │   │   ├── S3BlockPublicPolicy.py
│   │   │   │   │   ├── S3Encryption.py
│   │   │   │   │   ├── S3IgnorePublicACLs.py
│   │   │   │   │   ├── S3PublicACLRead.py
│   │   │   │   │   ├── S3PublicACLWrite.py
│   │   │   │   │   ├── S3RestrictPublicBuckets.py
│   │   │   │   │   ├── S3Versioning.py
│   │   │   │   │   ├── SNSTopicEncryption.py
│   │   │   │   │   ├── SQSQueueEncryption.py
│   │   │   │   │   ├── SagemakerDataQualityJobDefinitionEncryption.py
│   │   │   │   │   ├── SagemakerDataQualityJobDefinitionTrafficEncryption.py
│   │   │   │   │   ├── SagemakerDataQualityJobDefinitionVolumeEncryption.py
│   │   │   │   │   ├── SagemakerModelWithNetworkIsolation.py
│   │   │   │   │   ├── SagemakerNotebookEncryptedWithCMK.py
│   │   │   │   │   ├── SagemakerNotebookInstanceAllowsIMDSv2.py
│   │   │   │   │   ├── SecretManagerSecretEncrypted.py
│   │   │   │   │   ├── SecurityGroupRuleDescription.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedIngress22.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedIngress3389.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedIngress80.py
│   │   │   │   │   ├── TimestreamDatabaseKMSKey.py
│   │   │   │   │   ├── TransferServerIsPublic.py
│   │   │   │   │   ├── VPCEndpointAcceptanceConfigured.py
│   │   │   │   │   ├── WAFACLCVE202144228.py
│   │   │   │   │   ├── WAFEnabled.py
│   │   │   │   │   ├── WorkspaceRootVolumeEncrypted.py
│   │   │   │   │   ├── WorkspaceUserVolumeEncrypted.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── base_registry.py
│   │   │   │   ├── base_resource_check.py
│   │   │   │   ├── base_resource_negative_value_check.py
│   │   │   │   ├── base_resource_value_check.py
│   │   │   │   └── registry.py
│   │   │   └── utils/
│   │   │       ├── __init__.py
│   │   │       └── iam_cloudformation_document_to_policy_converter.py
│   │   ├── context_parser.py
│   │   ├── graph_builder/
│   │   │   ├── __init__.py
│   │   │   ├── graph_components/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── block_types.py
│   │   │   │   ├── blocks.py
│   │   │   │   └── generic_resource_encryption.py
│   │   │   ├── graph_to_definitions.py
│   │   │   ├── local_graph.py
│   │   │   ├── utils.py
│   │   │   └── variable_rendering/
│   │   │       ├── __init__.py
│   │   │       ├── renderer.py
│   │   │       └── vertex_reference.py
│   │   ├── graph_manager.py
│   │   ├── image_referencer/
│   │   │   ├── __init__.py
│   │   │   ├── base_provider.py
│   │   │   ├── manager.py
│   │   │   └── provider/
│   │   │       ├── __init__.py
│   │   │       └── aws.py
│   │   ├── parser/
│   │   │   ├── __init__.py
│   │   │   ├── cfn_keywords.py
│   │   │   └── cfn_yaml.py
│   │   └── runner.py
│   ├── common/
│   │   ├── __init__.py
│   │   ├── bridgecrew/
│   │   │   ├── __init__.py
│   │   │   ├── bc_source.py
│   │   │   ├── check_type.py
│   │   │   ├── code_categories.py
│   │   │   ├── integration_features/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── base_integration_feature.py
│   │   │   │   ├── features/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   ├── custom_policies_integration.py
│   │   │   │   │   ├── fixes_integration.py
│   │   │   │   │   ├── licensing_integration.py
│   │   │   │   │   ├── policies_3d_integration.py
│   │   │   │   │   ├── policy_metadata_integration.py
│   │   │   │   │   ├── repo_config_integration.py
│   │   │   │   │   ├── suppressions_integration.py
│   │   │   │   │   └── vulnerabilities_integration.py
│   │   │   │   └── integration_feature_registry.py
│   │   │   ├── licensing.py
│   │   │   ├── platform_errors.py
│   │   │   ├── platform_integration.py
│   │   │   ├── platform_key.py
│   │   │   ├── run_metadata/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── abstract_run_metadata_extractor.py
│   │   │   │   ├── ci_variables.py
│   │   │   │   ├── extractors/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   ├── bitbucket.py
│   │   │   │   │   ├── default_extractor.py
│   │   │   │   │   ├── github_actions.py
│   │   │   │   │   ├── gitlab_ci.py
│   │   │   │   │   └── jenkins.py
│   │   │   │   └── registry.py
│   │   │   ├── severities.py
│   │   │   ├── vulnerability_scanning/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── image_scanner.py
│   │   │   │   ├── integrations/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   ├── docker_image_scanning.py
│   │   │   │   │   ├── package_scanning.py
│   │   │   │   │   └── twistcli.py
│   │   │   │   └── report.py
│   │   │   └── wrapper.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── base_check.py
│   │   │   ├── base_check_registry.py
│   │   │   ├── enums.py
│   │   │   └── object_registry.py
│   │   ├── checks_infra/
│   │   │   ├── __init__.py
│   │   │   ├── checks_parser.py
│   │   │   ├── registry.py
│   │   │   ├── resources_types.py
│   │   │   └── solvers/
│   │   │       ├── __init__.py
│   │   │       ├── attribute_solvers/
│   │   │       │   ├── __init__.py
│   │   │       │   ├── any_attribute_solver.py
│   │   │       │   ├── base_attribute_solver.py
│   │   │       │   ├── base_number_of_words_attribute_solver.py
│   │   │       │   ├── cidr_range_not_subset_attribute_solver.py
│   │   │       │   ├── cidr_range_subset_attribute_solver.py
│   │   │       │   ├── contains_attribute_solver.py
│   │   │       │   ├── ending_with_attribute_solver.py
│   │   │       │   ├── equals_attribute_solver.py
│   │   │       │   ├── equals_ignore_case_attribute_solver.py
│   │   │       │   ├── exists_attribute_solver.py
│   │   │       │   ├── greater_than_attribute_solver.py
│   │   │       │   ├── greater_than_or_equal_attribute_solver.py
│   │   │       │   ├── intersects_attribute_solver.py
│   │   │       │   ├── is_empty_attribute_solver.py
│   │   │       │   ├── is_false_attribute_solver.py
│   │   │       │   ├── is_not_empty_attribute_solver.py
│   │   │       │   ├── is_true_attribute_solver.py
│   │   │       │   ├── length_equals_attribute_solver.py
│   │   │       │   ├── length_greater_than_attribute_solver.py
│   │   │       │   ├── length_greater_than_or_equal_attribute_solver.py
│   │   │       │   ├── length_less_than_attribute_solver.py
│   │   │       │   ├── length_less_than_or_equal_attribute_solver.py
│   │   │       │   ├── length_not_equals_attribute_solver.py
│   │   │       │   ├── less_than_attribute_solver.py
│   │   │       │   ├── less_than_or_equal_attribute_solver.py
│   │   │       │   ├── not_contains_attribute_solver.py
│   │   │       │   ├── not_ending_with_attribute_solver.py
│   │   │       │   ├── not_equals_attribute_solver.py
│   │   │       │   ├── not_equals_ignore_case_attribute_solver.py
│   │   │       │   ├── not_exists_attribute_solver.py
│   │   │       │   ├── not_intersects_attribute_solver.py
│   │   │       │   ├── not_regex_match_attribute_solver.py
│   │   │       │   ├── not_starting_with_attribute_solver.py
│   │   │       │   ├── not_subset_attribute_solver.py
│   │   │       │   ├── not_within_attribute_solver.py
│   │   │       │   ├── number_of_words_equals_attribute_solver.py
│   │   │       │   ├── number_of_words_greater_than_attribute_solver.py
│   │   │       │   ├── number_of_words_greater_than_or_equal_attribute_solver.py
│   │   │       │   ├── number_of_words_less_than_attribute_solver.py
│   │   │       │   ├── number_of_words_less_than_or_equal_attribute_solver.py
│   │   │       │   ├── number_of_words_not_equals_attribute_solver.py
│   │   │       │   ├── range_includes_attribute_solver.py
│   │   │       │   ├── range_not_includes_attribute_solver.py
│   │   │       │   ├── regex_match_attribute_solver.py
│   │   │       │   ├── starting_with_attribute_solver.py
│   │   │       │   ├── subset_attribute_solver.py
│   │   │       │   └── within_attribute_solver.py
│   │   │       ├── complex_solvers/
│   │   │       │   ├── __init__.py
│   │   │       │   ├── and_solver.py
│   │   │       │   ├── base_complex_solver.py
│   │   │       │   ├── not_solver.py
│   │   │       │   └── or_solver.py
│   │   │       ├── connections_solvers/
│   │   │       │   ├── __init__.py
│   │   │       │   ├── and_connection_solver.py
│   │   │       │   ├── base_connection_solver.py
│   │   │       │   ├── complex_connection_solver.py
│   │   │       │   ├── connection_exists_solver.py
│   │   │       │   ├── connection_not_exists_solver.py
│   │   │       │   ├── connection_one_exists_solver.py
│   │   │       │   └── or_connection_solver.py
│   │   │       ├── filter_solvers/
│   │   │       │   ├── __init__.py
│   │   │       │   ├── base_filter_solver.py
│   │   │       │   └── within_filter_solver.py
│   │   │       └── resource_solvers/
│   │   │           ├── __init__.py
│   │   │           ├── base_resource_solver.py
│   │   │           ├── exists_resource_solver.py
│   │   │           └── not_exists_resource_solver.py
│   │   ├── comment/
│   │   │   ├── __init__.py
│   │   │   └── enum.py
│   │   ├── goget/
│   │   │   ├── __init__.py
│   │   │   ├── base_getter.py
│   │   │   ├── github/
│   │   │   │   ├── __init__.py
│   │   │   │   └── get_git.py
│   │   │   └── registry/
│   │   │       ├── __init__.py
│   │   │       └── get_registry.py
│   │   ├── graph/
│   │   │   ├── __init__.py
│   │   │   ├── checks_infra/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── base_check.py
│   │   │   │   ├── base_parser.py
│   │   │   │   ├── debug.py
│   │   │   │   ├── enums.py
│   │   │   │   ├── registry.py
│   │   │   │   └── solvers/
│   │   │   │       ├── __init__.py
│   │   │   │       └── base_solver.py
│   │   │   ├── db_connectors/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── db_connector.py
│   │   │   │   ├── networkx/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   └── networkx_db_connector.py
│   │   │   │   └── rustworkx/
│   │   │   │       ├── __init__.py
│   │   │   │       └── rustworkx_db_connector.py
│   │   │   ├── graph_builder/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── consts.py
│   │   │   │   ├── graph_components/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   ├── attribute_names.py
│   │   │   │   │   ├── block_types.py
│   │   │   │   │   ├── blocks.py
│   │   │   │   │   ├── edge.py
│   │   │   │   │   └── generic_resource_encryption_base.py
│   │   │   │   ├── graph_resources_encription_manager.py
│   │   │   │   ├── local_graph.py
│   │   │   │   ├── utils.py
│   │   │   │   └── variable_rendering/
│   │   │   │       ├── __init__.py
│   │   │   │       ├── breadcrumb_metadata.py
│   │   │   │       ├── renderer.py
│   │   │   │       └── vertex_reference.py
│   │   │   └── graph_manager.py
│   │   ├── images/
│   │   │   ├── __init__.py
│   │   │   ├── graph/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── image_referencer_manager.py
│   │   │   │   └── image_referencer_provider.py
│   │   │   ├── image_referencer.py
│   │   │   └── workflow/
│   │   │       ├── __init__.py
│   │   │       ├── image_referencer_manager.py
│   │   │       └── image_referencer_provider.py
│   │   ├── logger_streams.py
│   │   ├── models/
│   │   │   ├── __init__.py
│   │   │   ├── consts.py
│   │   │   └── enums.py
│   │   ├── output/
│   │   │   ├── __init__.py
│   │   │   ├── baseline.py
│   │   │   ├── common.py
│   │   │   ├── csv.py
│   │   │   ├── cyclonedx.py
│   │   │   ├── cyclonedx_consts.py
│   │   │   ├── extra_resource.py
│   │   │   ├── github_actions_record.py
│   │   │   ├── gitlab_sast.py
│   │   │   ├── graph_record.py
│   │   │   ├── record.py
│   │   │   ├── report.py
│   │   │   ├── sarif.py
│   │   │   ├── secrets_record.py
│   │   │   └── spdx.py
│   │   ├── packaging/
│   │   │   ├── __init__.py
│   │   │   └── version.py
│   │   ├── parallelizer/
│   │   │   ├── __init__.py
│   │   │   └── parallel_runner.py
│   │   ├── parsers/
│   │   │   ├── __init__.py
│   │   │   ├── json/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── decoder.py
│   │   │   │   └── errors.py
│   │   │   ├── node.py
│   │   │   └── yaml/
│   │   │       ├── __init__.py
│   │   │       ├── loader.py
│   │   │       └── parser.py
│   │   ├── proxy/
│   │   │   ├── __init__.py
│   │   │   └── proxy_client.py
│   │   ├── resource_code_logger_filter.py
│   │   ├── runners/
│   │   │   ├── __init__.py
│   │   │   ├── base_post_runner.py
│   │   │   ├── base_runner.py
│   │   │   ├── graph_builder/
│   │   │   │   ├── __init__.py
│   │   │   │   └── local_graph.py
│   │   │   ├── graph_manager.py
│   │   │   ├── object_runner.py
│   │   │   └── runner_registry.py
│   │   ├── sast/
│   │   │   ├── __init__.py
│   │   │   ├── consts.py
│   │   │   └── report_types.py
│   │   ├── sca/
│   │   │   ├── __init__.py
│   │   │   ├── commons.py
│   │   │   ├── consts.py
│   │   │   ├── output.py
│   │   │   └── reachability/
│   │   │       ├── __init__.py
│   │   │       ├── package_alias_mapping/
│   │   │       │   ├── __init__.py
│   │   │       │   ├── abstract_alias_mapping_strategy.py
│   │   │       │   ├── alias_mapping_creator.py
│   │   │       │   └── nodejs/
│   │   │       │       ├── __init__.py
│   │   │       │       ├── nodejs_alias_mapping_strategy.py
│   │   │       │       └── utils.py
│   │   │       └── sast_contract/
│   │   │           ├── __init__.py
│   │   │           ├── data_fetcher_sast_lib.py
│   │   │           └── models.py
│   │   ├── secrets/
│   │   │   ├── __init__.py
│   │   │   └── consts.py
│   │   ├── typing.py
│   │   ├── util/
│   │   │   ├── __init__.py
│   │   │   ├── banner.py
│   │   │   ├── config_utils.py
│   │   │   ├── consts.py
│   │   │   ├── contextmanagers.py
│   │   │   ├── data_structures_utils.py
│   │   │   ├── decorators.py
│   │   │   ├── deep_merge.py
│   │   │   ├── dockerfile.py
│   │   │   ├── env_vars_config.py
│   │   │   ├── ext_argument_parser.py
│   │   │   ├── file_utils.py
│   │   │   ├── http_utils.py
│   │   │   ├── json_utils.py
│   │   │   ├── oidc_utils.py
│   │   │   ├── parser_utils.py
│   │   │   ├── prompt.py
│   │   │   ├── runner_dependency_handler.py
│   │   │   ├── secrets.py
│   │   │   ├── secrets_omitter.py
│   │   │   ├── stopit/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── signalstop.py
│   │   │   │   ├── threadstop.py
│   │   │   │   └── utils.py
│   │   │   ├── str_utils.py
│   │   │   ├── suppression.py
│   │   │   ├── templates/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── data.jinja2
│   │   │   │   ├── init.jinja2
│   │   │   │   ├── provider.jinja2
│   │   │   │   ├── resource.jinja2
│   │   │   │   ├── unittest-python.jinja2
│   │   │   │   └── unittest-terraform.jinja2
│   │   │   ├── tqdm_utils.py
│   │   │   ├── type_forcers.py
│   │   │   ├── update_checker/
│   │   │   │   ├── __init__.py
│   │   │   │   └── update_checker.py
│   │   │   └── var_utils.py
│   │   ├── variables/
│   │   │   ├── __init__.py
│   │   │   └── context.py
│   │   ├── vcs/
│   │   │   ├── __init__.py
│   │   │   ├── base_vcs_dal.py
│   │   │   └── vcs_schema.py
│   │   └── version_manager.py
│   ├── contributor_metrics.py
│   ├── dockerfile/
│   │   ├── __init__.py
│   │   ├── base_dockerfile_check.py
│   │   ├── base_registry.py
│   │   ├── checks/
│   │   │   ├── AddExists.py
│   │   │   ├── AliasIsUnique.py
│   │   │   ├── ExposePort22.py
│   │   │   ├── HealthcheckExists.py
│   │   │   ├── MaintainerExists.py
│   │   │   ├── ReferenceLatestTag.py
│   │   │   ├── RootUser.py
│   │   │   ├── RunUsingAPT.py
│   │   │   ├── UpdateNotAlone.py
│   │   │   ├── UserExists.py
│   │   │   ├── WorkdirIsAbsolute.py
│   │   │   ├── __init__.py
│   │   │   └── graph_checks/
│   │   │       ├── EnvGitSslNoVerify.yaml
│   │   │       ├── EnvNodeTlsRejectUnauthorized.yaml
│   │   │       ├── EnvNpmConfigStrictSsl.yaml
│   │   │       ├── EnvPipTrustedHost.yaml
│   │   │       ├── EnvPythonHttpsVerify.yaml
│   │   │       ├── RunApkAllowUntrusted.yaml
│   │   │       ├── RunAptGetAllowUnauthenticated.yaml
│   │   │       ├── RunAptGetForceYes.yaml
│   │   │       ├── RunChpasswd.yaml
│   │   │       ├── RunNpmConfigSetStrictSsl.yaml
│   │   │       ├── RunPipTrustedHost.yaml
│   │   │       ├── RunRpmNoSignature.yaml
│   │   │       ├── RunUnsafeCurl.yaml
│   │   │       ├── RunUnsafeWget.yaml
│   │   │       ├── RunUsingSudo.yaml
│   │   │       ├── RunYumConfigManagerSslVerify.yaml
│   │   │       ├── RunYumNoGpgCheck.yaml
│   │   │       └── __init__.py
│   │   ├── graph_builder/
│   │   │   ├── __init__.py
│   │   │   ├── graph_components/
│   │   │   │   ├── __init__.py
│   │   │   │   └── resource_types.py
│   │   │   └── local_graph.py
│   │   ├── graph_manager.py
│   │   ├── image_referencer/
│   │   │   ├── __init__.py
│   │   │   ├── manager.py
│   │   │   └── provider.py
│   │   ├── parser.py
│   │   ├── registry.py
│   │   ├── runner.py
│   │   └── utils.py
│   ├── docs_generator.py
│   ├── example_runner/
│   │   ├── __init__.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── base_example_runner_check.py
│   │   │   ├── base_example_runner_job_check.py
│   │   │   ├── job/
│   │   │   │   ├── ExampleCheckTrueFalse.py
│   │   │   │   └── __init__.py
│   │   │   └── job_registry.py
│   │   ├── common/
│   │   │   └── __init__.py
│   │   └── runner.py
│   ├── github/
│   │   ├── __init__.py
│   │   ├── base_github_branch_security.py
│   │   ├── base_github_configuration_check.py
│   │   ├── base_github_negative_branch_security.py
│   │   ├── base_github_org_check.py
│   │   ├── base_github_org_security.py
│   │   ├── checks/
│   │   │   ├── 2fa.py
│   │   │   ├── __init__.py
│   │   │   ├── disallow_branch_deletions.py
│   │   │   ├── disallow_force_pushes.py
│   │   │   ├── disallow_inactive_branch_60days.py
│   │   │   ├── dismiss_stale_reviews.py
│   │   │   ├── enforce_branch_protection_admins.py
│   │   │   ├── internal_repository_creation_is_limited.py
│   │   │   ├── ipallowlist.py
│   │   │   ├── minimum_admins_in_org.py
│   │   │   ├── private_repository_creation_is_limited.py
│   │   │   ├── public_repository_creation_is_limited.py
│   │   │   ├── repository_collaborators.py
│   │   │   ├── require_2approvals.py
│   │   │   ├── require_code_owner_reviews.py
│   │   │   ├── require_conversation_resolution.py
│   │   │   ├── require_linear_history.py
│   │   │   ├── require_push_restrictions.py
│   │   │   ├── require_signatures.py
│   │   │   ├── require_status_checks_pr.py
│   │   │   ├── require_strict_base_permissions_repository.py
│   │   │   ├── require_updated_branch_pr.py
│   │   │   ├── require_verified_organization.py
│   │   │   ├── restrict_pr_review_dismissal.py
│   │   │   ├── sso.py
│   │   │   ├── webhooks_https_orgs.py
│   │   │   └── webhooks_https_repos.py
│   │   ├── dal.py
│   │   ├── registry.py
│   │   ├── runner.py
│   │   └── schemas/
│   │       ├── __init__.py
│   │       ├── branch.py
│   │       ├── branch_protection.py
│   │       ├── no_branch_protection.py
│   │       ├── org_members.py
│   │       ├── org_security.py
│   │       ├── org_webhooks.py
│   │       ├── organization.py
│   │       ├── repository_collaborators.py
│   │       └── repository_webhooks.py
│   ├── github_actions/
│   │   ├── __init__.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── base_github_action_check.py
│   │   │   ├── graph_checks/
│   │   │   │   ├── ReadOnlyTopLevelPermissions.yaml
│   │   │   │   └── __init__.py
│   │   │   ├── job/
│   │   │   │   ├── AllowUnsecureCommandsOnJob.py
│   │   │   │   ├── CosignArtifacts.py
│   │   │   │   ├── CosignSBOM.py
│   │   │   │   ├── EmptyWorkflowDispatch.py
│   │   │   │   ├── ReverseShellNetcat.py
│   │   │   │   ├── ShellInjection.py
│   │   │   │   ├── SuspectCurlInScript.py
│   │   │   │   └── __init__.py
│   │   │   └── registry.py
│   │   ├── common/
│   │   │   ├── __init__.py
│   │   │   ├── artifact_build.py
│   │   │   ├── build_actions.py
│   │   │   └── shell_injection_list.py
│   │   ├── graph_builder/
│   │   │   ├── __init__.py
│   │   │   ├── graph_components/
│   │   │   │   ├── __init__.py
│   │   │   │   └── resource_types.py
│   │   │   └── local_graph.py
│   │   ├── runner.py
│   │   ├── schemas.py
│   │   └── utils.py
│   ├── gitlab/
│   │   ├── __init__.py
│   │   ├── base_gitlab_configuration_check.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   └── merge_requests_approvals.py
│   │   ├── dal.py
│   │   ├── registry.py
│   │   ├── runner.py
│   │   └── schemas/
│   │       ├── __init__.py
│   │       ├── groups.py
│   │       └── project_approvals.py
│   ├── gitlab_ci/
│   │   ├── __init__.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── base_gitlab_ci_check.py
│   │   │   ├── job/
│   │   │   │   ├── AvoidDoublePipelines.py
│   │   │   │   ├── DetectImagesUsage.py
│   │   │   │   ├── SuspectCurlInScript.py
│   │   │   │   └── __init__.py
│   │   │   └── registry.py
│   │   ├── common/
│   │   │   ├── __init__.py
│   │   │   ├── reserved.py
│   │   │   └── resource_id_utils.py
│   │   └── runner.py
│   ├── helm/
│   │   ├── __init__.py
│   │   ├── base_registry.py
│   │   ├── image_referencer/
│   │   │   ├── __init__.py
│   │   │   ├── base_provider.py
│   │   │   ├── manager.py
│   │   │   └── provider/
│   │   │       ├── __init__.py
│   │   │       └── helm.py
│   │   ├── registry.py
│   │   └── runner.py
│   ├── json_doc/
│   │   ├── __init__.py
│   │   ├── base_json_check.py
│   │   ├── base_registry.py
│   │   ├── enums.py
│   │   ├── registry.py
│   │   └── runner.py
│   ├── kubernetes/
│   │   ├── __init__.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── graph_checks/
│   │   │   │   ├── ImpersonatePermissions.yaml
│   │   │   │   ├── ModifyServicesStatus.yaml
│   │   │   │   ├── NoCreateNodesProxyOrPodsExec.yaml
│   │   │   │   ├── ReadAllSecrets.yaml
│   │   │   │   ├── RequireAllPodsToHaveNetworkPolicy.yaml
│   │   │   │   ├── RoleBindingPE.yaml
│   │   │   │   └── __init__.py
│   │   │   └── resource/
│   │   │       ├── __init__.py
│   │   │       ├── base_container_check.py
│   │   │       ├── base_rbac_check.py
│   │   │       ├── base_registry.py
│   │   │       ├── base_root_container_check.py
│   │   │       ├── base_spec_check.py
│   │   │       ├── base_spec_omitted_or_value_check.py
│   │   │       ├── k8s/
│   │   │       │   ├── AllowPrivilegeEscalation.py
│   │   │       │   ├── AllowPrivilegeEscalationPSP.py
│   │   │       │   ├── AllowedCapabilities.py
│   │   │       │   ├── AllowedCapabilitiesPSP.py
│   │   │       │   ├── AllowedCapabilitiesSysAdmin.py
│   │   │       │   ├── ApiServerAdmissionControlAlwaysAdmit.py
│   │   │       │   ├── ApiServerAdmissionControlEventRateLimit.py
│   │   │       │   ├── ApiServerAlwaysPullImagesPlugin.py
│   │   │       │   ├── ApiServerAnonymousAuth.py
│   │   │       │   ├── ApiServerAuditLog.py
│   │   │       │   ├── ApiServerAuditLogMaxAge.py
│   │   │       │   ├── ApiServerAuditLogMaxBackup.py
│   │   │       │   ├── ApiServerAuditLogMaxSize.py
│   │   │       │   ├── ApiServerAuthorizationModeNode.py
│   │   │       │   ├── ApiServerAuthorizationModeNotAlwaysAllow.py
│   │   │       │   ├── ApiServerAuthorizationModeRBAC.py
│   │   │       │   ├── ApiServerBasicAuthFile.py
│   │   │       │   ├── ApiServerEncryptionProviders.py
│   │   │       │   ├── ApiServerEtcdCaFile.py
│   │   │       │   ├── ApiServerEtcdCertAndKey.py
│   │   │       │   ├── ApiServerInsecureBindAddress.py
│   │   │       │   ├── ApiServerInsecurePort.py
│   │   │       │   ├── ApiServerKubeletClientCertAndKey.py
│   │   │       │   ├── ApiServerKubeletHttps.py
│   │   │       │   ├── ApiServerNamespaceLifecyclePlugin.py
│   │   │       │   ├── ApiServerNodeRestrictionPlugin.py
│   │   │       │   ├── ApiServerPodSecurityPolicyPlugin.py
│   │   │       │   ├── ApiServerProfiling.py
│   │   │       │   ├── ApiServerRequestTimeout.py
│   │   │       │   ├── ApiServerSecurePort.py
│   │   │       │   ├── ApiServerSecurityContextDenyPlugin.py
│   │   │       │   ├── ApiServerServiceAccountKeyFile.py
│   │   │       │   ├── ApiServerServiceAccountLookup.py
│   │   │       │   ├── ApiServerServiceAccountPlugin.py
│   │   │       │   ├── ApiServerStrongCryptographicCiphers.py
│   │   │       │   ├── ApiServerTlsCertAndKey.py
│   │   │       │   ├── ApiServerTokenAuthFile.py
│   │   │       │   ├── ApiServerkubeletCertificateAuthority.py
│   │   │       │   ├── CPULimits.py
│   │   │       │   ├── CPURequests.py
│   │   │       │   ├── ContainerSecurityContext.py
│   │   │       │   ├── ControllerManagerBindAddress.py
│   │   │       │   ├── DangerousGitSync.py
│   │   │       │   ├── DefaultNamespace.py
│   │   │       │   ├── DefaultServiceAccount.py
│   │   │       │   ├── DefaultServiceAccountBinding.py
│   │   │       │   ├── DockerSocketVolume.py
│   │   │       │   ├── DropCapabilities.py
│   │   │       │   ├── DropCapabilitiesPSP.py
│   │   │       │   ├── EtcdAutoTls.py
│   │   │       │   ├── EtcdCertAndKey.py
│   │   │       │   ├── EtcdClientCertAuth.py
│   │   │       │   ├── EtcdPeerFiles.py
│   │   │       │   ├── HostPort.py
│   │   │       │   ├── ImageDigest.py
│   │   │       │   ├── ImagePullPolicyAlways.py
│   │   │       │   ├── ImageTagFixed.py
│   │   │       │   ├── KubeControllerManagerBlockProfiles.py
│   │   │       │   ├── KubeControllerManagerRootCAFile.py
│   │   │       │   ├── KubeControllerManagerServiceAccountCredentials.py
│   │   │       │   ├── KubeControllerManagerServiceAccountPrivateKeyFile.py
│   │   │       │   ├── KubeControllerManagerTerminatedPods.py
│   │   │       │   ├── KubeletAnonymousAuth.py
│   │   │       │   ├── KubeletAuthorizationModeNotAlwaysAllow.py
│   │   │       │   ├── KubeletClientCa.py
│   │   │       │   ├── KubeletCryptographicCiphers.py
│   │   │       │   ├── KubeletHostnameOverride.py
│   │   │       │   ├── KubeletKeyFilesSetAppropriate.py
│   │   │       │   ├── KubeletMakeIptablesUtilChains.py
│   │   │       │   ├── KubeletProtectKernelDefaults.py
│   │   │       │   ├── KubeletReadOnlyPort.py
│   │   │       │   ├── KubeletStreamingConnectionIdleTimeout.py
│   │   │       │   ├── KubernetesDashboard.py
│   │   │       │   ├── KubletEventCapture.py
│   │   │       │   ├── KubletRotateCertificates.py
│   │   │       │   ├── LivenessProbe.py
│   │   │       │   ├── MemoryLimits.py
│   │   │       │   ├── MemoryRequests.py
│   │   │       │   ├── MinimizeCapabilities.py
│   │   │       │   ├── MinimizeCapabilitiesPSP.py
│   │   │       │   ├── NginxIngressCVE202125742Alias.py
│   │   │       │   ├── NginxIngressCVE202125742AllSnippets.py
│   │   │       │   ├── NginxIngressCVE202125742Lua.py
│   │   │       │   ├── PeerClientCertAuthTrue.py
│   │   │       │   ├── PodSecurityContext.py
│   │   │       │   ├── PrivilegedContainers.py
│   │   │       │   ├── PrivilegedContainersPSP.py
│   │   │       │   ├── RbacApproveCertificateSigningRequests.py
│   │   │       │   ├── RbacBindRoleBindings.py
│   │   │       │   ├── RbacControlWebhooks.py
│   │   │       │   ├── RbacEscalateRoles.py
│   │   │       │   ├── ReadOnlyFilesystem.py
│   │   │       │   ├── ReadinessProbe.py
│   │   │       │   ├── RootContainers.py
│   │   │       │   ├── RootContainersHighUID.py
│   │   │       │   ├── RootContainersPSP.py
│   │   │       │   ├── RotateKubeletServerCertificate.py
│   │   │       │   ├── SchedulerBindAddress.py
│   │   │       │   ├── SchedulerProfiling.py
│   │   │       │   ├── Seccomp.py
│   │   │       │   ├── SeccompPSP.py
│   │   │       │   ├── Secrets.py
│   │   │       │   ├── ServiceAccountTokens.py
│   │   │       │   ├── ShareHostIPC.py
│   │   │       │   ├── ShareHostIPCPSP.py
│   │   │       │   ├── ShareHostPID.py
│   │   │       │   ├── ShareHostPIDPSP.py
│   │   │       │   ├── SharedHostNetworkNamespace.py
│   │   │       │   ├── SharedHostNetworkNamespacePSP.py
│   │   │       │   ├── Tiller.py
│   │   │       │   ├── TillerDeploymentListener.py
│   │   │       │   ├── TillerService.py
│   │   │       │   ├── WildcardRoles.py
│   │   │       │   ├── __init__.py
│   │   │       │   └── k8s_check_utils.py
│   │   │       └── registry.py
│   │   ├── graph_builder/
│   │   │   ├── __init__.py
│   │   │   ├── graph_components/
│   │   │   │   ├── ResourceKeywordIdentifier.py
│   │   │   │   ├── __init__.py
│   │   │   │   ├── blocks.py
│   │   │   │   └── edge_builders/
│   │   │   │       ├── K8SEdgeBuilder.py
│   │   │   │       ├── KeywordEdgeBuilder.py
│   │   │   │       ├── LabelSelectorEdgeBuilder.py
│   │   │   │       ├── NetworkPolicyEdgeBuilder.py
│   │   │   │       ├── ServiceAccountEdgeBuilder.py
│   │   │   │       └── __init__.py
│   │   │   └── local_graph.py
│   │   ├── graph_manager.py
│   │   ├── image_referencer/
│   │   │   ├── __init__.py
│   │   │   ├── base_provider.py
│   │   │   ├── manager.py
│   │   │   └── provider/
│   │   │       ├── __init__.py
│   │   │       └── k8s.py
│   │   ├── kubernetes_graph_flags.py
│   │   ├── kubernetes_utils.py
│   │   ├── parser/
│   │   │   ├── __init__.py
│   │   │   ├── k8_json.py
│   │   │   ├── k8_yaml.py
│   │   │   ├── parser.py
│   │   │   └── validatior.py
│   │   ├── runner.py
│   │   └── test/
│   │       └── share-process-namespace.yaml
│   ├── kustomize/
│   │   ├── __init__.py
│   │   ├── image_referencer/
│   │   │   ├── __init__.py
│   │   │   ├── base_provider.py
│   │   │   ├── manager.py
│   │   │   └── provider/
│   │   │       ├── __init__.py
│   │   │       └── kustomize.py
│   │   ├── runner.py
│   │   └── utils.py
│   ├── logging_init.py
│   ├── main.py
│   ├── openapi/
│   │   ├── __init__.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── base_openapi_check.py
│   │   │   ├── base_registry.py
│   │   │   ├── registry.py
│   │   │   └── resource/
│   │   │       ├── __init__.py
│   │   │       ├── generic/
│   │   │       │   ├── ClearTextAPIKey.py
│   │   │       │   ├── GlobalSecurityFieldIsEmpty.py
│   │   │       │   ├── NoMaximumNumberItems.py
│   │   │       │   ├── SecurityOperations.py
│   │   │       │   └── __init__.py
│   │   │       ├── v2/
│   │   │       │   ├── BaseOpenapiCheckV2.py
│   │   │       │   ├── GlobalSchemeDefineHTTP.py
│   │   │       │   ├── GlobalSecurityScopeUndefined.py
│   │   │       │   ├── Oauth2OperationObjectPasswordFlow.py
│   │   │       │   ├── Oauth2SecurityDefinitionImplicitFlow.py
│   │   │       │   ├── Oauth2SecurityDefinitionPasswordFlow.py
│   │   │       │   ├── Oauth2SecurityPasswordFlow.py
│   │   │       │   ├── Oauth2SecurityRequirement.py
│   │   │       │   ├── OperationObjectBasicAuth.py
│   │   │       │   ├── OperationObjectConsumesUndefined.py
│   │   │       │   ├── OperationObjectImplicitFlow.py
│   │   │       │   ├── OperationObjectProducesUndefined.py
│   │   │       │   ├── OperationObjectSecurityScopeUndefined.py
│   │   │       │   ├── PathSchemeDefineHTTP.py
│   │   │       │   ├── SecurityDefinitionBasicAuth.py
│   │   │       │   ├── SecurityDefinitions.py
│   │   │       │   ├── SecurityRequirement.py
│   │   │       │   └── __init__.py
│   │   │       └── v3/
│   │   │           ├── BaseOpenapiCheckV3.py
│   │   │           ├── CleartextOverUnencryptedChannel.py
│   │   │           └── __init__.py
│   │   └── runner.py
│   ├── policies_3d/
│   │   ├── __init__.py
│   │   ├── checks_infra/
│   │   │   ├── __init__.py
│   │   │   ├── base_check.py
│   │   │   └── base_parser.py
│   │   ├── checks_parser.py
│   │   ├── output.py
│   │   ├── record.py
│   │   ├── runner.py
│   │   └── syntax/
│   │       ├── __init__.py
│   │       ├── cves_syntax.py
│   │       ├── iac_syntax.py
│   │       ├── secrets_syntax.py
│   │       └── syntax.py
│   ├── py.typed
│   ├── runner_filter.py
│   ├── sast/
│   │   ├── __init__.py
│   │   ├── checks_infra/
│   │   │   ├── __init__.py
│   │   │   ├── base_check.py
│   │   │   ├── base_registry.py
│   │   │   └── registry.py
│   │   ├── common.py
│   │   ├── engines/
│   │   │   ├── __init__.py
│   │   │   ├── base_engine.py
│   │   │   ├── files_filter_manager.py
│   │   │   └── prisma_engine.py
│   │   ├── prisma_models/
│   │   │   ├── __init__.py
│   │   │   ├── library_input.py
│   │   │   └── policies_list.py
│   │   ├── record.py
│   │   ├── report.py
│   │   └── runner.py
│   ├── sca_image/
│   │   ├── __init__.py
│   │   ├── models.py
│   │   └── runner.py
│   ├── sca_package_2/
│   │   ├── __init__.py
│   │   ├── output.py
│   │   ├── runner.py
│   │   └── scanner.py
│   ├── secrets/
│   │   ├── __init__.py
│   │   ├── context_parser.py
│   │   ├── coordinator.py
│   │   ├── git_history_store.py
│   │   ├── git_types.py
│   │   ├── local_secrets_runner.py
│   │   ├── log_prefix_stripper.py
│   │   ├── parsers/
│   │   │   ├── __init__.py
│   │   │   ├── json/
│   │   │   │   ├── __init__.py
│   │   │   │   └── multiline_parser.py
│   │   │   ├── multiline_parser.py
│   │   │   ├── single_line_parser.py
│   │   │   ├── terraform/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── multiline_parser.py
│   │   │   │   └── single_line_parser.py
│   │   │   └── yaml/
│   │   │       ├── __init__.py
│   │   │       └── multiline_parser.py
│   │   ├── plugins/
│   │   │   ├── __init__.py
│   │   │   ├── custom_regex_detector.py
│   │   │   ├── detector_utils.py
│   │   │   ├── entropy_keyword_combinator.py
│   │   │   └── load_detectors.py
│   │   ├── runner.py
│   │   ├── scan_git_history.py
│   │   └── utils.py
│   ├── serverless/
│   │   ├── __init__.py
│   │   ├── base_registry.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── base_function_check.py
│   │   │   ├── complete/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── base_complete_check.py
│   │   │   │   └── registry.py
│   │   │   ├── custom/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── base_custom_check.py
│   │   │   │   └── registry.py
│   │   │   ├── function/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── aws/
│   │   │   │   │   ├── AWSCredentials.py
│   │   │   │   │   ├── AdminPolicyDocument.py
│   │   │   │   │   ├── StarActionPolicyDocument.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── base_function_check.py
│   │   │   │   └── registry.py
│   │   │   ├── layer/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── base_layer_check.py
│   │   │   │   └── registry.py
│   │   │   ├── package/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── base_package_check.py
│   │   │   │   └── registry.py
│   │   │   ├── plugin/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── base_plugin_check.py
│   │   │   │   └── registry.py
│   │   │   ├── provider/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── base_provider_check.py
│   │   │   │   └── registry.py
│   │   │   └── service/
│   │   │       ├── __init__.py
│   │   │       ├── base_service_check.py
│   │   │       └── registry.py
│   │   ├── graph_builder/
│   │   │   ├── __init__.py
│   │   │   ├── definition_context.py
│   │   │   ├── graph_components/
│   │   │   │   ├── __init__.py
│   │   │   │   └── blocks.py
│   │   │   ├── graph_to_definitions.py
│   │   │   └── local_graph.py
│   │   ├── graph_manager.py
│   │   ├── parsers/
│   │   │   ├── __init__.py
│   │   │   ├── context_parser.py
│   │   │   └── parser.py
│   │   ├── registry.py
│   │   ├── runner.py
│   │   └── utils.py
│   ├── terraform/
│   │   ├── __init__.py
│   │   ├── base_runner.py
│   │   ├── checks/
│   │   │   ├── __init__.py
│   │   │   ├── data/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── aws/
│   │   │   │   │   ├── AdminPolicyDocument.py
│   │   │   │   │   ├── GithubActionsOIDCTrustPolicy.py
│   │   │   │   │   ├── IAMCredentialsExposure.py
│   │   │   │   │   ├── IAMDataExfiltration.py
│   │   │   │   │   ├── IAMManagedAdminPolicy.py
│   │   │   │   │   ├── IAMPermissionsManagement.py
│   │   │   │   │   ├── IAMPrivilegeEscalation.py
│   │   │   │   │   ├── IAMPublicActionsPolicy.py
│   │   │   │   │   ├── IAMWriteAccess.py
│   │   │   │   │   ├── ResourcePolicyDocument.py
│   │   │   │   │   ├── StarActionPolicyDocument.py
│   │   │   │   │   ├── WhoAMI.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── base_check.py
│   │   │   │   ├── base_cloudsplaining_data_iam_check.py
│   │   │   │   ├── base_registry.py
│   │   │   │   ├── external/
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── gcp/
│   │   │   │   │   ├── GooglePolicyIsPrivate.py
│   │   │   │   │   └── __init__.py
│   │   │   │   └── registry.py
│   │   │   ├── graph_checks/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── alicloud/
│   │   │   │   │   └── OSSBucketPublic.yaml
│   │   │   │   ├── aws/
│   │   │   │   │   ├── ACMWildcardDomainName.yaml
│   │   │   │   │   ├── ALBProtectedByWAF.yaml
│   │   │   │   │   ├── ALBRedirectsHTTPToHTTPS.yaml
│   │   │   │   │   ├── ALBWebACLConfiguredWIthLog4jVulnerability.yaml
│   │   │   │   │   ├── AMRClustersNotOpenToInternet.yaml
│   │   │   │   │   ├── APIGWLoggingLevelsDefinedProperly.yaml
│   │   │   │   │   ├── APIGatewayEndpointsUsesCertificateForAuthentication.yaml
│   │   │   │   │   ├── APIGatewayRequestParameterValidationEnabled.yaml
│   │   │   │   │   ├── APIGatewayWebACLConfiguredWIthLog4jVulnerability.yaml
│   │   │   │   │   ├── APIProtectedByWAF.yaml
│   │   │   │   │   ├── AWSConfigRecorderEnabled.yaml
│   │   │   │   │   ├── AWSNATGatewaysshouldbeutilized.yaml
│   │   │   │   │   ├── AWSSSMParameterShouldBeEncrypted.yaml
│   │   │   │   │   ├── AWS_private_MWAA_environment.yaml
│   │   │   │   │   ├── AWSdisableS3ACL.yaml
│   │   │   │   │   ├── AppLoadBalancerTLS12.yaml
│   │   │   │   │   ├── AppSyncProtectedByWAF.yaml
│   │   │   │   │   ├── AppsyncWebACLConfiguredWIthLog4jVulnerability.yaml
│   │   │   │   │   ├── AutoScalingEnableOnDynamoDBTables.yaml
│   │   │   │   │   ├── AutoScallingEnabledELB.yaml
│   │   │   │   │   ├── CLoudFrontS3OriginConfigWithOAI.yaml
│   │   │   │   │   ├── CloudFrontHasCustomSSLCertificate.yaml
│   │   │   │   │   ├── CloudFrontHasResponseHeadersPolicy.yaml
│   │   │   │   │   ├── CloudFrontUsesSecureProtocolsForHTTPS.yaml
│   │   │   │   │   ├── CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml
│   │   │   │   │   ├── CloudfrontOriginNotHTTPSOnly.yaml
│   │   │   │   │   ├── CloudtrailHasCloudwatch.yaml
│   │   │   │   │   ├── CodecommitApprovalRulesAttached.yaml
│   │   │   │   │   ├── ConfigRecorderRecordsAllGlobalResources.yaml
│   │   │   │   │   ├── DMSEndpointHaveSSLConfigured.yaml
│   │   │   │   │   ├── EBSAddedBackup.yaml
│   │   │   │   │   ├── EC2InstanceHasIAMRoleAttached.yaml
│   │   │   │   │   ├── EFSAddedBackup.yaml
│   │   │   │   │   ├── EIPAllocatedToVPCAttachedEC2.yaml
│   │   │   │   │   ├── EMRClusterHasSecurityConfiguration.yaml
│   │   │   │   │   ├── ElastiCacheRedisConfiguredAutomaticFailOver.yaml
│   │   │   │   │   ├── ElasticSearchDedicatedMasterEnabled.yaml
│   │   │   │   │   ├── EncryptedEBSVolumeOnlyConnectedToEC2s.yaml
│   │   │   │   │   ├── GuardDutyIsEnabled.yaml
│   │   │   │   │   ├── HTTPNotSendingPasswords.yaml
│   │   │   │   │   ├── IAMGroupHasAtLeastOneUser.yaml
│   │   │   │   │   ├── IAMManagedIAMFullAccessPolicy.yaml
│   │   │   │   │   ├── IAMPolicyNotAllowFullIAMAccess.yaml
│   │   │   │   │   ├── IAMUserHasNoConsoleAccess.yaml
│   │   │   │   │   ├── IAMUsersAreMembersAtLeastOneGroup.yaml
│   │   │   │   │   ├── KmsKeyPolicyIsDefined.yaml
│   │   │   │   │   ├── LBTargetGroup.yaml
│   │   │   │   │   ├── LBWeakCiphers.yaml
│   │   │   │   │   ├── LambdaOpenCorsPolicy.yaml
│   │   │   │   │   ├── NeptuneDeletionProtectionEnabled.yaml
│   │   │   │   │   ├── NetworkFirewallHasLogging.yaml
│   │   │   │   │   ├── OpenSearchDomainHasFineGrainedControl.yaml
│   │   │   │   │   ├── PostgresDBHasQueryLoggingEnabled.yaml
│   │   │   │   │   ├── PostgresRDSHasQueryLoggingEnabled.yaml
│   │   │   │   │   ├── RDSClusterHasBackupPlan.yaml
│   │   │   │   │   ├── RDSEnableCopyTagsToSnapshot.yaml
│   │   │   │   │   ├── RDSEncryptionInTransit.yaml
│   │   │   │   │   ├── Route53ARecordAttachedResource.yaml
│   │   │   │   │   ├── Route53ZoneEnableDNSSECSigning.yaml
│   │   │   │   │   ├── Route53ZoneHasMatchingQueryLog.yaml
│   │   │   │   │   ├── S3BucketEncryption.yaml
│   │   │   │   │   ├── S3BucketEventNotifications.yaml
│   │   │   │   │   ├── S3BucketHasPublicAccessBlock.yaml
│   │   │   │   │   ├── S3BucketLifecycle.yaml
│   │   │   │   │   ├── S3BucketLogging.yaml
│   │   │   │   │   ├── S3BucketReplicationConfiguration.yaml
│   │   │   │   │   ├── S3BucketVersioning.yaml
│   │   │   │   │   ├── S3KMSEncryptedByDefault.yaml
│   │   │   │   │   ├── S3NotAllowAccessToAllAuthenticatedUsers.yaml
│   │   │   │   │   ├── S3PublicACLRead.yaml
│   │   │   │   │   ├── S3PublicACLWrite.yaml
│   │   │   │   │   ├── SGAttachedToResource.yaml
│   │   │   │   │   ├── SQSEncryptionCMK.yaml
│   │   │   │   │   ├── SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml
│   │   │   │   │   ├── SecretsAreRotated.yaml
│   │   │   │   │   ├── SubnetHasACL.yaml
│   │   │   │   │   ├── VPCHasFlowLog.yaml
│   │   │   │   │   ├── VPCHasRestrictedSG.yaml
│   │   │   │   │   ├── VPCPeeringRouteTableOverlyPermissive.yaml
│   │   │   │   │   └── WAF2HasLogs.yaml
│   │   │   │   ├── azure/
│   │   │   │   │   ├── AccessToPostgreSQLFromAzureServicesIsDisabled.yaml
│   │   │   │   │   ├── ApplicationGatewayEnablesWAF.yaml
│   │   │   │   │   ├── AzureACR_HTTPSwebhook.yaml
│   │   │   │   │   ├── AzureAKSclusterAzureCNIEnabled.yaml
│   │   │   │   │   ├── AzureActiveDirectoryAdminIsConfigured.yaml
│   │   │   │   │   ├── AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml
│   │   │   │   │   ├── AzureAutomationAccConfigManagedIdentity.yaml
│   │   │   │   │   ├── AzureAutomationAccNotOverlyPermissiveNetAccess.yaml
│   │   │   │   │   ├── AzureConfigMSSQLwithAD.yaml
│   │   │   │   │   ├── AzureContainerInstanceconfigManagedIdentity.yaml
│   │   │   │   │   ├── AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml
│   │   │   │   │   ├── AzureKeyVaultConfigPrivateEndpoint.yaml
│   │   │   │   │   ├── AzureMLWorkspaceHBIPublicNetwork.yaml
│   │   │   │   │   ├── AzureMLWorkspacePublicNetwork.yaml
│   │   │   │   │   ├── AzureMSSQLServerHasSecurityAlertPolicy.yaml
│   │   │   │   │   ├── AzureMSSQLserverConfigPrivEndpt.yaml
│   │   │   │   │   ├── AzureMariaDBserverConfigPrivEndpt.yaml
│   │   │   │   │   ├── AzureMariaDBserverUsingTLS_1_2.yaml
│   │   │   │   │   ├── AzureMySQLFlexibleServerConfigPrivEndpt.yaml
│   │   │   │   │   ├── AzureMySQLserverConfigPrivEndpt.yaml
│   │   │   │   │   ├── AzureNetworkInterfacePublicIPAddressId.yaml
│   │   │   │   │   ├── AzurePostgreSQLFlexServerNotOverlyPermissive.yaml
│   │   │   │   │   ├── AzurePostgreSQLFlexibleServerConfigPrivEndpt.yaml
│   │   │   │   │   ├── AzurePostgreSQLserverConfigPrivEndpt.yaml
│   │   │   │   │   ├── AzureRecoveryServicesvaultConfigManagedIdentity.yaml
│   │   │   │   │   ├── AzureSQLserverNotOverlyPermissive.yaml
│   │   │   │   │   ├── AzureSpringCloudConfigWithVnet.yaml
│   │   │   │   │   ├── AzureSpringCloudTLSDisabled.yaml
│   │   │   │   │   ├── AzureSqlDbEnableTransparentDataEncryption.yaml
│   │   │   │   │   ├── AzureStorageAccConfigSharedKeyAuth.yaml
│   │   │   │   │   ├── AzureStorageAccConfigWithPrivateEndpoint.yaml
│   │   │   │   │   ├── AzureStorageAccConfigWithoutBlobAnonymousAccess.yaml
│   │   │   │   │   ├── AzureStorageAccConfig_SAS_expirePolicy.yaml
│   │   │   │   │   ├── AzureStorageAccountEnableSoftDelete.yaml
│   │   │   │   │   ├── AzureSubnetConfigWithNSG.yaml
│   │   │   │   │   ├── AzureSynapseWorkspaceVAisEnabled.yaml
│   │   │   │   │   ├── AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml
│   │   │   │   │   ├── AzureUnattachedDisksAreEncrypted.yaml
│   │   │   │   │   ├── AzureVMconfigPublicIP_SerialConsoleAccess.yaml
│   │   │   │   │   ├── CognitiveServicesCustomerManagedKey.yaml
│   │   │   │   │   ├── DataExplorerEncryptionUsesCustomKey.yaml
│   │   │   │   │   ├── DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.yaml
│   │   │   │   │   ├── MSQLenablesCustomerManagedKey.yaml
│   │   │   │   │   ├── PGSQLenablesCustomerManagedKey.yaml
│   │   │   │   │   ├── SQLServerAuditingEnabled.yaml
│   │   │   │   │   ├── SQLServerAuditingRetention90Days.yaml
│   │   │   │   │   ├── StorageContainerActivityLogsNotPublic.yaml
│   │   │   │   │   ├── StorageCriticalDataEncryptedCMK.yaml
│   │   │   │   │   ├── StorageLoggingIsEnabledForBlobService.yaml
│   │   │   │   │   ├── StorageLoggingIsEnabledForTableService.yaml
│   │   │   │   │   ├── SynapseLogMonitoringEnabledForSQLPool.yaml
│   │   │   │   │   ├── SynapseSQLPoolHasSecurityAlertPolicy.yaml
│   │   │   │   │   ├── SynapseSQLPoolHasVulnerabilityAssessment.yaml
│   │   │   │   │   ├── SynapseWorkspaceHasExtendedAuditLogs.yaml
│   │   │   │   │   ├── VAconfiguredToSendReports.yaml
│   │   │   │   │   ├── VAconfiguredToSendReportsToAdmins.yaml
│   │   │   │   │   ├── VAisEnabledInStorageAccount.yaml
│   │   │   │   │   ├── VAsetPeriodicScansOnSQL.yaml
│   │   │   │   │   ├── VMHasBackUpMachine.yaml
│   │   │   │   │   └── VirtualMachinesUtilizingManagedDisks.yaml
│   │   │   │   ├── azuredevops/
│   │   │   │   │   └── ADORepositoryHasMinTwoReviewers.yaml
│   │   │   │   ├── gcp/
│   │   │   │   │   ├── CloudFunctionSecureHTTPTrigger.yaml
│   │   │   │   │   ├── DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml
│   │   │   │   │   ├── GCPAuditLogsConfiguredForAllServicesAndUsers.yaml
│   │   │   │   │   ├── GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml
│   │   │   │   │   ├── GCPComputeGlobalForwardingRuleCheck.yaml
│   │   │   │   │   ├── GCPComputeRegionalForwardingRuleCheck.yaml
│   │   │   │   │   ├── GCPContainerRegistryReposAreNotPubliclyAccessible.yaml
│   │   │   │   │   ├── GCPDialogFlowAgentLoggingEnabled.yaml
│   │   │   │   │   ├── GCPDialogFlowCxAgentLoggingEnabled.yaml
│   │   │   │   │   ├── GCPDialogFlowCxWebhookLoggingEnabled.yaml
│   │   │   │   │   ├── GCPDocumentAIProcessorEncryptedWithCMK.yaml
│   │   │   │   │   ├── GCPDocumentAIWarehouseLocationEncryptedWithCMK.yaml
│   │   │   │   │   ├── GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml
│   │   │   │   │   ├── GCPKMSKeyRingsAreNotPubliclyAccessible.yaml
│   │   │   │   │   ├── GCPLogBucketsConfiguredUsingLock.yaml
│   │   │   │   │   ├── GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml
│   │   │   │   │   ├── GCPNetworkDoesNotUseDefaultFirewall.yaml
│   │   │   │   │   ├── GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml
│   │   │   │   │   ├── GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml
│   │   │   │   │   ├── GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml
│   │   │   │   │   ├── GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml
│   │   │   │   │   ├── GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml
│   │   │   │   │   ├── GCPProjectHasNoLegacyNetworks.yaml
│   │   │   │   │   ├── GCPTpuV2VmPrivateEndpoint.yaml
│   │   │   │   │   ├── GCPVertexAIEndpointEncryptedWithCMK.yaml
│   │   │   │   │   ├── GCPVertexAIFeaturestoreEncryptedWithCMK.yaml
│   │   │   │   │   ├── GCPVertexAIPrivateEndpoint.yaml
│   │   │   │   │   ├── GCPVertexAIPrivateIndexEndpoint.yaml
│   │   │   │   │   ├── GCPVertexAITensorboardEncryptedWithCMK.yaml
│   │   │   │   │   ├── GCPVertexInstanceEncryptedWithCMK.yaml
│   │   │   │   │   ├── GCPVertexRuntimeEncryptedWithCMK.yaml
│   │   │   │   │   ├── GCPVertexRuntimePrivate.yaml
│   │   │   │   │   ├── GCPVertexWorkbenchInstanceEncryptedWithCMK.yaml
│   │   │   │   │   ├── GCPVertexWorkbenchInstanceNoPublicIp.yaml
│   │   │   │   │   ├── GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml
│   │   │   │   │   ├── GCRContainerVulnerabilityScanningEnabled.yaml
│   │   │   │   │   ├── GKEClustersAreNotUsingDefaultServiceAccount.yaml
│   │   │   │   │   └── ServiceAccountHasGCPmanagedKey.yaml
│   │   │   │   ├── github/
│   │   │   │   │   └── RepositoryHasBranchProtection.yaml
│   │   │   │   ├── ibm/
│   │   │   │   │   ├── IBM_EnableMFAatAccountLevel.yaml
│   │   │   │   │   ├── IBM_K8sClustersAccessibleViaPrivateEndPt.yaml
│   │   │   │   │   ├── IBM_LoadBalancerforVPCisPrivate.yaml
│   │   │   │   │   ├── IBM_RestrictAPIkeyCreationInAccountSettings.yaml
│   │   │   │   │   ├── IBM_RestrictServiceIDCreationInAccountSettings.yaml
│   │   │   │   │   └── IBM_VPCclassicAccessIsDisabled.yaml
│   │   │   │   ├── ncp/
│   │   │   │   │   ├── AccessControlGroupRuleDefine.yaml
│   │   │   │   │   ├── AutoScalingEnabledLB.yaml
│   │   │   │   │   └── RouteTablePublicSubnetConnection.yaml
│   │   │   │   └── oci/
│   │   │   │       ├── AdministratorUserNotAssociatedWithAPIKey.yaml
│   │   │   │       ├── OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml
│   │   │   │       ├── OCI_K8EngineClusterPodSecPolicyEnforced.yaml
│   │   │   │       ├── OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml
│   │   │   │       ├── OCI_NFSaccessRestrictedToRootUsers.yaml
│   │   │   │       └── OCI_NSGNotAllowRDP.yaml
│   │   │   ├── module/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── base_module_check.py
│   │   │   │   ├── base_registry.py
│   │   │   │   ├── generic/
│   │   │   │   │   ├── RevisionHash.py
│   │   │   │   │   ├── RevisionVersionTag.py
│   │   │   │   │   └── __init__.py
│   │   │   │   └── registry.py
│   │   │   ├── provider/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── aws/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   └── credentials.py
│   │   │   │   ├── base_check.py
│   │   │   │   ├── base_registry.py
│   │   │   │   ├── bridgecrew/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   └── credentials.py
│   │   │   │   ├── linode/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   └── credentials.py
│   │   │   │   ├── ncp/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   └── credentials.py
│   │   │   │   ├── oci/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   └── credentials.py
│   │   │   │   ├── openstack/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   └── credentials.py
│   │   │   │   ├── panos/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   └── credentials.py
│   │   │   │   └── registry.py
│   │   │   ├── resource/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── alicloud/
│   │   │   │   │   ├── ALBACLIsUnrestricted.py
│   │   │   │   │   ├── APIGatewayProtocolHTTPS.py
│   │   │   │   │   ├── AbsRDSParameter.py
│   │   │   │   │   ├── AbsSecurityGroupUnrestrictedIngress.py
│   │   │   │   │   ├── ActionTrailLogAllEvents.py
│   │   │   │   │   ├── ActionTrailLogAllRegions.py
│   │   │   │   │   ├── DiskEncryptedWithCMK.py
│   │   │   │   │   ├── DiskIsEncrypted.py
│   │   │   │   │   ├── K8sEnableNetworkPolicies.py
│   │   │   │   │   ├── K8sNodePoolAutoRepair.py
│   │   │   │   │   ├── KMSKeyIsEnabled.py
│   │   │   │   │   ├── KMSKeyRotationIsEnabled.py
│   │   │   │   │   ├── LaunchTemplateDisksAreEncrypted.py
│   │   │   │   │   ├── LogAuditRDSEnabled.py
│   │   │   │   │   ├── MongoDBInsideVPC.py
│   │   │   │   │   ├── MongoDBInstanceSSL.py
│   │   │   │   │   ├── MongoDBIsPublic.py
│   │   │   │   │   ├── MongoDBTransparentDataEncryptionEnabled.py
│   │   │   │   │   ├── OSSBucketAccessLogs.py
│   │   │   │   │   ├── OSSBucketEncryptedWithCMK.py
│   │   │   │   │   ├── OSSBucketTransferAcceleration.py
│   │   │   │   │   ├── OSSBucketVersioning.py
│   │   │   │   │   ├── RAMPasswordPolicyExpiration.py
│   │   │   │   │   ├── RAMPasswordPolicyLength.py
│   │   │   │   │   ├── RAMPasswordPolicyLowercaseLetter.py
│   │   │   │   │   ├── RAMPasswordPolicyMaxLogin.py
│   │   │   │   │   ├── RAMPasswordPolicyNumber.py
│   │   │   │   │   ├── RAMPasswordPolicyReuse.py
│   │   │   │   │   ├── RAMPasswordPolicySymbol.py
│   │   │   │   │   ├── RAMPasswordPolicyUppcaseLetter.py
│   │   │   │   │   ├── RAMSecurityEnforceMFA.py
│   │   │   │   │   ├── RDSInstanceAutoUpgrade.py
│   │   │   │   │   ├── RDSInstanceLogConnections.py
│   │   │   │   │   ├── RDSInstanceLogDisconnections.py
│   │   │   │   │   ├── RDSInstanceLogsEnabled.py
│   │   │   │   │   ├── RDSInstanceSSL.py
│   │   │   │   │   ├── RDSIsPublic.py
│   │   │   │   │   ├── RDSRetention.py
│   │   │   │   │   ├── RDSTransparentDataEncryptionEnabled.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedIngress22.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedIngress3389.py
│   │   │   │   │   ├── TLSPoliciesAreSecure.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── aws/
│   │   │   │   │   ├── ACMCertCreateBeforeDestroy.py
│   │   │   │   │   ├── ACMCertSetLoggingPreference.py
│   │   │   │   │   ├── ALBDesyncMode.py
│   │   │   │   │   ├── ALBDropHttpHeaders.py
│   │   │   │   │   ├── ALBListenerHTTPS.py
│   │   │   │   │   ├── AMICopyIsEncrypted.py
│   │   │   │   │   ├── AMICopyUsesCMK.py
│   │   │   │   │   ├── AMIEncryption.py
│   │   │   │   │   ├── AMILaunchIsShared.py
│   │   │   │   │   ├── APIGatewayAccessLogging.py
│   │   │   │   │   ├── APIGatewayAuthorization.py
│   │   │   │   │   ├── APIGatewayCacheEnable.py
│   │   │   │   │   ├── APIGatewayCreateBeforeDestroy.py
│   │   │   │   │   ├── APIGatewayDeploymentCreateBeforeDestroy.py
│   │   │   │   │   ├── APIGatewayDomainNameTLS.py
│   │   │   │   │   ├── APIGatewayMethodSettingsCacheEnabled.py
│   │   │   │   │   ├── APIGatewayMethodSettingsCacheEncrypted.py
│   │   │   │   │   ├── APIGatewayMethodSettingsDataTrace.py
│   │   │   │   │   ├── APIGatewayMethodWOAuth.py
│   │   │   │   │   ├── APIGatewayV2RouteDefinesAuthorizationType.py
│   │   │   │   │   ├── APIGatewayXray.py
│   │   │   │   │   ├── AWSCodeGuruHasCMK.py
│   │   │   │   │   ├── AbsNACLUnrestrictedIngress.py
│   │   │   │   │   ├── AbsSecurityGroupUnrestrictedEgress.py
│   │   │   │   │   ├── AbsSecurityGroupUnrestrictedIngress.py
│   │   │   │   │   ├── AppFlowConnectorProfileUsesCMK.py
│   │   │   │   │   ├── AppFlowUsesCMK.py
│   │   │   │   │   ├── AppSyncFieldLevelLogs.py
│   │   │   │   │   ├── AppSyncLogging.py
│   │   │   │   │   ├── AppsyncAPICacheEncryptionAtRest.py
│   │   │   │   │   ├── AppsyncAPICacheEncryptionInTransit.py
│   │   │   │   │   ├── AthenaDatabaseEncryption.py
│   │   │   │   │   ├── AthenaWorkgroupConfiguration.py
│   │   │   │   │   ├── AthenaWorkgroupEncryption.py
│   │   │   │   │   ├── AuroraEncryption.py
│   │   │   │   │   ├── AutoScalingGroupWithPublicAccess.py
│   │   │   │   │   ├── AutoScalingLaunchTemplate.py
│   │   │   │   │   ├── AutoScalingTagging.py
│   │   │   │   │   ├── BackupVaultEncrypted.py
│   │   │   │   │   ├── BatchJobIsNotPrivileged.py
│   │   │   │   │   ├── BedrockAgentEncrypted.py
│   │   │   │   │   ├── BedrockGuardrails.py
│   │   │   │   │   ├── CloudFrontGeoRestrictionDisabled.py
│   │   │   │   │   ├── CloudFrontResponseHeaderStrictTransportSecurity.py
│   │   │   │   │   ├── CloudWatchAlarmsEnabled.py
│   │   │   │   │   ├── CloudWatchLogGroupKMSKey.py
│   │   │   │   │   ├── CloudWatchLogGroupRetention.py
│   │   │   │   │   ├── CloudWatchLogGroupRetentionYear.py
│   │   │   │   │   ├── CloudformationStackNotificationArns.py
│   │   │   │   │   ├── CloudfrontDistributionDefaultRoot.py
│   │   │   │   │   ├── CloudfrontDistributionEnabled.py
│   │   │   │   │   ├── CloudfrontDistributionEncryption.py
│   │   │   │   │   ├── CloudfrontDistributionLogging.py
│   │   │   │   │   ├── CloudfrontDistributionOriginFailover.py
│   │   │   │   │   ├── CloudfrontTLS12.py
│   │   │   │   │   ├── CloudsearchDomainEnforceHttps.py
│   │   │   │   │   ├── CloudsearchDomainTLS.py
│   │   │   │   │   ├── CloudtrailDefinesSNSTopic.py
│   │   │   │   │   ├── CloudtrailEnableLogging.py
│   │   │   │   │   ├── CloudtrailEncryptionWithCMK.py
│   │   │   │   │   ├── CloudtrailEventDataStoreUsesCMK.py
│   │   │   │   │   ├── CloudtrailLogValidation.py
│   │   │   │   │   ├── CloudtrailMultiRegion.py
│   │   │   │   │   ├── CodeArtifactDomainEncryptedWithCMK.py
│   │   │   │   │   ├── CodeBuildPrivilegedMode.py
│   │   │   │   │   ├── CodeBuildProjectEncryption.py
│   │   │   │   │   ├── CodePipelineArtifactsEncrypted.py
│   │   │   │   │   ├── CodebuildHasLogs.py
│   │   │   │   │   ├── CodebuildS3LogsEncrypted.py
│   │   │   │   │   ├── CodebuildUsesCMK.py
│   │   │   │   │   ├── CodecommitApprovalsRulesRequireMin2.py
│   │   │   │   │   ├── CognitoUnauthenticatedIdentities.py
│   │   │   │   │   ├── ComprehendEntityRecognizerModelUsesCMK.py
│   │   │   │   │   ├── ComprehendEntityRecognizerVolumeUsesCMK.py
│   │   │   │   │   ├── ConfigConfgurationAggregatorAllRegions.py
│   │   │   │   │   ├── ConnectInstanceKinesisVideoStreamStorageConfigUsesCMK.py
│   │   │   │   │   ├── ConnectInstanceS3StorageConfigUsesCMK.py
│   │   │   │   │   ├── DAXEncryption.py
│   │   │   │   │   ├── DAXEndpointTLS.py
│   │   │   │   │   ├── DBInstanceBackupRetentionPeriod.py
│   │   │   │   │   ├── DBInstanceLogging.py
│   │   │   │   │   ├── DBInstanceMinorUpgrade.py
│   │   │   │   │   ├── DBSnapshotCopyUsesCMK.py
│   │   │   │   │   ├── DBSnapshotsArePrivate.py
│   │   │   │   │   ├── DLMEventsCrossRegionEncryption.py
│   │   │   │   │   ├── DLMEventsCrossRegionEncryptionWithCMK.py
│   │   │   │   │   ├── DLMScheduleCrossRegionEncryption.py
│   │   │   │   │   ├── DLMScheduleCrossRegionEncryptionWithCMK.py
│   │   │   │   │   ├── DMSEndpointUsesCMK.py
│   │   │   │   │   ├── DMSReplicationInstanceEncryptedWithCMK.py
│   │   │   │   │   ├── DMSReplicationInstanceMinorUpgrade.py
│   │   │   │   │   ├── DMSReplicationInstancePubliclyAccessible.py
│   │   │   │   │   ├── DMSS3UsesCMK.py
│   │   │   │   │   ├── DatasyncLocationExposesSecrets.py
│   │   │   │   │   ├── DeprecatedLambdaRuntime.py
│   │   │   │   │   ├── DocDBAuditLogs.py
│   │   │   │   │   ├── DocDBBackupRetention.py
│   │   │   │   │   ├── DocDBEncryptedWithCMK.py
│   │   │   │   │   ├── DocDBEncryption.py
│   │   │   │   │   ├── DocDBGlobalClusterEncryption.py
│   │   │   │   │   ├── DocDBLogging.py
│   │   │   │   │   ├── DocDBTLS.py
│   │   │   │   │   ├── DynamoDBGlobalTableRecovery.py
│   │   │   │   │   ├── DynamoDBTableReplicaKMSUsesCMK.py
│   │   │   │   │   ├── DynamoDBTablesEncrypted.py
│   │   │   │   │   ├── DynamodbRecovery.py
│   │   │   │   │   ├── EBSDefaultEncryption.py
│   │   │   │   │   ├── EBSEncryption.py
│   │   │   │   │   ├── EBSSnapshotCopyEncryptedWithCMK.py
│   │   │   │   │   ├── EBSVolumeEncryptedWithCMK.py
│   │   │   │   │   ├── EC2Credentials.py
│   │   │   │   │   ├── EC2DetailedMonitoringEnabled.py
│   │   │   │   │   ├── EC2EBSOptimized.py
│   │   │   │   │   ├── EC2PublicIP.py
│   │   │   │   │   ├── ECRImageScanning.py
│   │   │   │   │   ├── ECRImmutableTags.py
│   │   │   │   │   ├── ECRPolicy.py
│   │   │   │   │   ├── ECRRepositoryEncrypted.py
│   │   │   │   │   ├── ECSClusterContainerInsights.py
│   │   │   │   │   ├── ECSClusterLoggingEnabled.py
│   │   │   │   │   ├── ECSClusterLoggingEncryptedWithCMK.py
│   │   │   │   │   ├── ECSContainerHostProcess.py
│   │   │   │   │   ├── ECSContainerPrivilege.py
│   │   │   │   │   ├── ECSContainerReadOnlyRoot.py
│   │   │   │   │   ├── ECSServiceFargateLatest.py
│   │   │   │   │   ├── ECSServicePublicIP.py
│   │   │   │   │   ├── ECSTaskDefinitionEFSVolumeEncryption.py
│   │   │   │   │   ├── ECSTaskDefinitionRoleCheck.py
│   │   │   │   │   ├── EFSAccessPointRoot.py
│   │   │   │   │   ├── EFSAccessUserIdentity.py
│   │   │   │   │   ├── EFSEncryptionEnabled.py
│   │   │   │   │   ├── EFSFileSystemEncryptedWithCMK.py
│   │   │   │   │   ├── EKSControlPlaneLogging.py
│   │   │   │   │   ├── EKSNodeGroupRemoteAccess.py
│   │   │   │   │   ├── EKSPlatformVersion.py
│   │   │   │   │   ├── EKSPublicAccess.py
│   │   │   │   │   ├── EKSPublicAccessCIDR.py
│   │   │   │   │   ├── EKSSecretsEncryption.py
│   │   │   │   │   ├── ELBAccessLogs.py
│   │   │   │   │   ├── ELBCrossZoneEnable.py
│   │   │   │   │   ├── ELBPolicyUsesSecureProtocols.py
│   │   │   │   │   ├── ELBUsesSSL.py
│   │   │   │   │   ├── ELBv2AccessLogs.py
│   │   │   │   │   ├── ELBwListenerNotTLSSSL.py
│   │   │   │   │   ├── EMRClusterConfEncryptsEBS.py
│   │   │   │   │   ├── EMRClusterConfEncryptsInTransit.py
│   │   │   │   │   ├── EMRClusterConfEncryptsLocalDisk.py
│   │   │   │   │   ├── EMRClusterIsEncryptedKMS.py
│   │   │   │   │   ├── EMRClusterKerberosAttributes.py
│   │   │   │   │   ├── EMRPubliclyAccessible.py
│   │   │   │   │   ├── Ec2TransitGatewayAutoAccept.py
│   │   │   │   │   ├── ElastiCacheHasCustomSubnet.py
│   │   │   │   │   ├── ElasticBeanstalkUseEnhancedHealthChecks.py
│   │   │   │   │   ├── ElasticBeanstalkUseManagedUpdates.py
│   │   │   │   │   ├── ElasticCacheAutomaticBackup.py
│   │   │   │   │   ├── ElasticCacheAutomaticMinorUpgrades.py
│   │   │   │   │   ├── ElasticacheHasSecurityGroup.py
│   │   │   │   │   ├── ElasticacheReplicationGroupEncryptedWithCMK.py
│   │   │   │   │   ├── ElasticacheReplicationGroupEncryptionAtRest.py
│   │   │   │   │   ├── ElasticacheReplicationGroupEncryptionAtTransit.py
│   │   │   │   │   ├── ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py
│   │   │   │   │   ├── ElasticsearchDefaultSG.py
│   │   │   │   │   ├── ElasticsearchDomainAuditLogging.py
│   │   │   │   │   ├── ElasticsearchDomainEnforceHTTPS.py
│   │   │   │   │   ├── ElasticsearchDomainHA.py
│   │   │   │   │   ├── ElasticsearchDomainLogging.py
│   │   │   │   │   ├── ElasticsearchEncryption.py
│   │   │   │   │   ├── ElasticsearchEncryptionWithCMK.py
│   │   │   │   │   ├── ElasticsearchInVPC.py
│   │   │   │   │   ├── ElasticsearchNodeToNodeEncryption.py
│   │   │   │   │   ├── ElasticsearchTLSPolicy.py
│   │   │   │   │   ├── FSXOntapFSEncryptedWithCMK.py
│   │   │   │   │   ├── FSXOpenZFSFileSystemEncryptedWithCMK.py
│   │   │   │   │   ├── FSXWindowsFSEncryptedWithCMK.py
│   │   │   │   │   ├── GlacierVaultAnyPrincipal.py
│   │   │   │   │   ├── GlobalAcceleratorAcceleratorFlowLogs.py
│   │   │   │   │   ├── GlueDataCatalogEncryption.py
│   │   │   │   │   ├── GlueSecurityConfiguration.py
│   │   │   │   │   ├── GlueSecurityConfigurationEnabled.py
│   │   │   │   │   ├── GuarddutyDetectorEnabled.py
│   │   │   │   │   ├── IAMAdminPolicyDocument.py
│   │   │   │   │   ├── IAMCredentialsExposure.py
│   │   │   │   │   ├── IAMDataExfiltration.py
│   │   │   │   │   ├── IAMManagedAdminPolicy.py
│   │   │   │   │   ├── IAMPermissionsManagement.py
│   │   │   │   │   ├── IAMPolicyAttachedToGroupOrRoles.py
│   │   │   │   │   ├── IAMPrivilegeEscalation.py
│   │   │   │   │   ├── IAMRoleAllowAssumeFromAccount.py
│   │   │   │   │   ├── IAMRoleAllowsPublicAssume.py
│   │   │   │   │   ├── IAMStarActionPolicyDocument.py
│   │   │   │   │   ├── IAMStarResourcePolicyDocument.py
│   │   │   │   │   ├── IAMUserNotUsedForAccess.py
│   │   │   │   │   ├── IAMUserRootAccessKeys.py
│   │   │   │   │   ├── IAMWriteAccess.py
│   │   │   │   │   ├── IMDSv1Disabled.py
│   │   │   │   │   ├── ImagebuilderComponentEncryptedWithCMK.py
│   │   │   │   │   ├── ImagebuilderDistributionConfigurationEncryptedWithCMK.py
│   │   │   │   │   ├── ImagebuilderImageRecipeEBSEncrypted.py
│   │   │   │   │   ├── KMSKeyIsEnabled.py
│   │   │   │   │   ├── KMSKeyWildcardPrincipal.py
│   │   │   │   │   ├── KMSRotation.py
│   │   │   │   │   ├── KendraIndexSSEUsesCMK.py
│   │   │   │   │   ├── KeyspacesTableUsesCMK.py
│   │   │   │   │   ├── KinesisFirehoseDeliveryStreamSSE.py
│   │   │   │   │   ├── KinesisFirehoseDeliveryStreamUsesCMK.py
│   │   │   │   │   ├── KinesisStreamEncryptedWithCMK.py
│   │   │   │   │   ├── KinesisStreamEncryptionType.py
│   │   │   │   │   ├── KinesisVideoEncryptedWithCMK.py
│   │   │   │   │   ├── LBCrossZone.py
│   │   │   │   │   ├── LBDeletionProtection.py
│   │   │   │   │   ├── LBTargetGroupsDefinesHealthcheck.py
│   │   │   │   │   ├── LambdaCodeSigningConfigured.py
│   │   │   │   │   ├── LambdaDLQConfigured.py
│   │   │   │   │   ├── LambdaEnvironmentCredentials.py
│   │   │   │   │   ├── LambdaEnvironmentEncryptionSettings.py
│   │   │   │   │   ├── LambdaFunctionIsNotPublic.py
│   │   │   │   │   ├── LambdaFunctionLevelConcurrentExecutionLimit.py
│   │   │   │   │   ├── LambdaFunctionURLAuth.py
│   │   │   │   │   ├── LambdaInVPC.py
│   │   │   │   │   ├── LambdaServicePermission.py
│   │   │   │   │   ├── LambdaXrayEnabled.py
│   │   │   │   │   ├── LaunchConfigurationEBSEncryption.py
│   │   │   │   │   ├── LaunchTemplateMetadataHop.py
│   │   │   │   │   ├── LustreFSEncryptedWithCMK.py
│   │   │   │   │   ├── MQBrokerAuditLogging.py
│   │   │   │   │   ├── MQBrokerEncryptedWithCMK.py
│   │   │   │   │   ├── MQBrokerLogging.py
│   │   │   │   │   ├── MQBrokerMinorAutoUpgrade.py
│   │   │   │   │   ├── MQBrokerNotPubliclyExposed.py
│   │   │   │   │   ├── MQBrokerVersion.py
│   │   │   │   │   ├── MSKClusterEncryption.py
│   │   │   │   │   ├── MSKClusterLogging.py
│   │   │   │   │   ├── MSKClusterNodesArePrivate.py
│   │   │   │   │   ├── MWAASchedulerLogsEnabled.py
│   │   │   │   │   ├── MWAAWebserverLogsEnabled.py
│   │   │   │   │   ├── MWAAWorkerLogsEnabled.py
│   │   │   │   │   ├── MemoryDBClusterIntransitEncryption.py
│   │   │   │   │   ├── MemoryDBEncryptionWithCMK.py
│   │   │   │   │   ├── MemoryDBSnapshotEncryptionWithCMK.py
│   │   │   │   │   ├── NeptuneClusterBackupRetention.py
│   │   │   │   │   ├── NeptuneClusterEncryptedWithCMK.py
│   │   │   │   │   ├── NeptuneClusterInstancePublic.py
│   │   │   │   │   ├── NeptuneClusterLogging.py
│   │   │   │   │   ├── NeptuneClusterSnapshotEncrypted.py
│   │   │   │   │   ├── NeptuneClusterSnapshotEncryptedWithCMK.py
│   │   │   │   │   ├── NeptuneClusterStorageEncrypted.py
│   │   │   │   │   ├── NeptuneDBClustersCopyTagsToSnapshots.py
│   │   │   │   │   ├── NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py
│   │   │   │   │   ├── NetworkACLUnrestricted.py
│   │   │   │   │   ├── NetworkACLUnrestrictedIngress20.py
│   │   │   │   │   ├── NetworkACLUnrestrictedIngress21.py
│   │   │   │   │   ├── NetworkACLUnrestrictedIngress22.py
│   │   │   │   │   ├── NetworkACLUnrestrictedIngress3389.py
│   │   │   │   │   ├── NetworkFirewallDeletionProtection.py
│   │   │   │   │   ├── NetworkFirewallPolicyDefinesCMK.py
│   │   │   │   │   ├── NetworkFirewallUsesCMK.py
│   │   │   │   │   ├── PasswordPolicyExpiration.py
│   │   │   │   │   ├── PasswordPolicyLength.py
│   │   │   │   │   ├── PasswordPolicyLowercaseLetter.py
│   │   │   │   │   ├── PasswordPolicyNumber.py
│   │   │   │   │   ├── PasswordPolicyReuse.py
│   │   │   │   │   ├── PasswordPolicySymbol.py
│   │   │   │   │   ├── PasswordPolicyUppercaseLetter.py
│   │   │   │   │   ├── QLDBLedgerDeletionProtection.py
│   │   │   │   │   ├── QLDBLedgerPermissionsMode.py
│   │   │   │   │   ├── RDSCACertIsRecent.py
│   │   │   │   │   ├── RDSClusterActivityStreamEncryptedWithCMK.py
│   │   │   │   │   ├── RDSClusterAuditLogging.py
│   │   │   │   │   ├── RDSClusterAuroraBacktrack.py
│   │   │   │   │   ├── RDSClusterCopyTags.py
│   │   │   │   │   ├── RDSClusterEncrypted.py
│   │   │   │   │   ├── RDSClusterEncryptedWithCMK.py
│   │   │   │   │   ├── RDSClusterIAMAuthentication.py
│   │   │   │   │   ├── RDSClusterLogging.py
│   │   │   │   │   ├── RDSClusterSnapshotEncrypted.py
│   │   │   │   │   ├── RDSDeletionProtection.py
│   │   │   │   │   ├── RDSEncryption.py
│   │   │   │   │   ├── RDSEnhancedMonitorEnabled.py
│   │   │   │   │   ├── RDSHasSecurityGroup.py
│   │   │   │   │   ├── RDSIAMAuthentication.py
│   │   │   │   │   ├── RDSInstanceAutoBackupEncryptionWithCMK.py
│   │   │   │   │   ├── RDSInstanceDeletionProtection.py
│   │   │   │   │   ├── RDSInstancePerfInsightsEncryptionWithCMK.py
│   │   │   │   │   ├── RDSInstancePerformanceInsights.py
│   │   │   │   │   ├── RDSMultiAZEnabled.py
│   │   │   │   │   ├── RDSPostgreSQLLogFDWExtension.py
│   │   │   │   │   ├── RDSPubliclyAccessible.py
│   │   │   │   │   ├── RedShiftSSL.py
│   │   │   │   │   ├── RedshiftClusterAllowVersionUpgrade.py
│   │   │   │   │   ├── RedshiftClusterAutoSnap.py
│   │   │   │   │   ├── RedshiftClusterDatabaseName.py
│   │   │   │   │   ├── RedshiftClusterEncryption.py
│   │   │   │   │   ├── RedshiftClusterKMSKey.py
│   │   │   │   │   ├── RedshiftClusterLogging.py
│   │   │   │   │   ├── RedshiftClusterSnapshotCopyGrantEncryptedWithCMK.py
│   │   │   │   │   ├── RedshiftClusterUseEnhancedVPCRouting.py
│   │   │   │   │   ├── RedshiftClusterWithCommonUsernameAndPublicAccess.py
│   │   │   │   │   ├── RedshiftInEc2ClassicMode.py
│   │   │   │   │   ├── RedshiftServerlessNamespaceKMSKey.py
│   │   │   │   │   ├── RedshitClusterPubliclyAvailable.py
│   │   │   │   │   ├── Route53TransferLock.py
│   │   │   │   │   ├── S3AbortIncompleteUploads.py
│   │   │   │   │   ├── S3AccessPointPubliclyAccessible.py
│   │   │   │   │   ├── S3AllowsAnyPrincipal.py
│   │   │   │   │   ├── S3BlockPublicACLs.py
│   │   │   │   │   ├── S3BlockPublicPolicy.py
│   │   │   │   │   ├── S3BucketObjectEncryptedWithCMK.py
│   │   │   │   │   ├── S3BucketObjectLock.py
│   │   │   │   │   ├── S3GlobalViewACL.py
│   │   │   │   │   ├── S3IgnorePublicACLs.py
│   │   │   │   │   ├── S3ObjectCopyEncryptedWithCMK.py
│   │   │   │   │   ├── S3ProtectAgainstPolicyLockout.py
│   │   │   │   │   ├── S3RestrictPublicBuckets.py
│   │   │   │   │   ├── S3SecureDataTransport.py
│   │   │   │   │   ├── SNSCrossAccountAccess.py
│   │   │   │   │   ├── SNSTopicEncryption.py
│   │   │   │   │   ├── SNSTopicPolicyAnyPrincipal.py
│   │   │   │   │   ├── SQSOverlyPermissive.py
│   │   │   │   │   ├── SQSPolicy.py
│   │   │   │   │   ├── SQSQueueEncryption.py
│   │   │   │   │   ├── SQSQueuePolicyAnyPrincipal.py
│   │   │   │   │   ├── SSMDocumentsArePrivate.py
│   │   │   │   │   ├── SSMParameterUsesCMK.py
│   │   │   │   │   ├── SSMSessionManagerDocumentEncryption.py
│   │   │   │   │   ├── SSMSessionManagerDocumentLogging.py
│   │   │   │   │   ├── SageMakerInternetAccessDisabled.py
│   │   │   │   │   ├── SagemakerDataQualityJobDefinitionEncryption.py
│   │   │   │   │   ├── SagemakerDataQualityJobDefinitionTrafficEncryption.py
│   │   │   │   │   ├── SagemakerDataQualityJobDefinitionVolumeEncryption.py
│   │   │   │   │   ├── SagemakerDomainEncryptedWithCMK.py
│   │   │   │   │   ├── SagemakerEndpointConfigurationEncryption.py
│   │   │   │   │   ├── SagemakerFlowDefinitionUsesKMS.py
│   │   │   │   │   ├── SagemakerModelWithNetworkIsolation.py
│   │   │   │   │   ├── SagemakerNotebookEncryption.py
│   │   │   │   │   ├── SagemakerNotebookInCustomVPC.py
│   │   │   │   │   ├── SagemakerNotebookInstanceAllowsIMDSv2.py
│   │   │   │   │   ├── SagemakerNotebookRoot.py
│   │   │   │   │   ├── SchedulerScheduleUsesCMK.py
│   │   │   │   │   ├── SecretManagerSecret90days.py
│   │   │   │   │   ├── SecretManagerSecretEncrypted.py
│   │   │   │   │   ├── SecurityGroupRuleDescription.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedEgressAny.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedIngress22.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedIngress3389.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedIngress80.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedIngressAny.py
│   │   │   │   │   ├── SesConfigurationSetDefinesTLS.py
│   │   │   │   │   ├── StateMachineLoggingExecutionHistory.py
│   │   │   │   │   ├── StateMachineXray.py
│   │   │   │   │   ├── SubnetPublicIP.py
│   │   │   │   │   ├── TimestreamDatabaseKMSKey.py
│   │   │   │   │   ├── TransferServerAllowsOnlySecureProtocols.py
│   │   │   │   │   ├── TransferServerIsPublic.py
│   │   │   │   │   ├── TransferServerLatestPolicy.py
│   │   │   │   │   ├── UnpatchedAuroraPostgresDB.py
│   │   │   │   │   ├── VPCDefaultNetwork.py
│   │   │   │   │   ├── VPCEndpointAcceptanceConfigured.py
│   │   │   │   │   ├── WAFACLCVE202144228.py
│   │   │   │   │   ├── WAFEnabled.py
│   │   │   │   │   ├── WAFHasAnyRules.py
│   │   │   │   │   ├── WAFHasLogs.py
│   │   │   │   │   ├── WAFRuleHasAnyActions.py
│   │   │   │   │   ├── WorkspaceRootVolumeEncrypted.py
│   │   │   │   │   ├── WorkspaceUserVolumeEncrypted.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── azure/
│   │   │   │   │   ├── ACRAdminAccountDisabled.py
│   │   │   │   │   ├── ACRAnonymousPullDisabled.py
│   │   │   │   │   ├── ACRContainerScanEnabled.py
│   │   │   │   │   ├── ACRDedicatedDataEndpointEnabled.py
│   │   │   │   │   ├── ACREnableImageQuarantine.py
│   │   │   │   │   ├── ACREnableRetentionPolicy.py
│   │   │   │   │   ├── ACREnableZoneRedundancy.py
│   │   │   │   │   ├── ACRGeoreplicated.py
│   │   │   │   │   ├── ACRPublicNetworkAccessDisabled.py
│   │   │   │   │   ├── ACRUseSignedImages.py
│   │   │   │   │   ├── AKSApiServerAuthorizedIpRanges.py
│   │   │   │   │   ├── AKSDashboardDisabled.py
│   │   │   │   │   ├── AKSEnablesPrivateClusters.py
│   │   │   │   │   ├── AKSEncryptionAtHostEnabled.py
│   │   │   │   │   ├── AKSEphemeralOSDisks.py
│   │   │   │   │   ├── AKSIsPaidSku.py
│   │   │   │   │   ├── AKSLocalAdminDisabled.py
│   │   │   │   │   ├── AKSLoggingEnabled.py
│   │   │   │   │   ├── AKSMaxPodsMinimum.py
│   │   │   │   │   ├── AKSNetworkPolicy.py
│   │   │   │   │   ├── AKSNodePublicIpDisabled.py
│   │   │   │   │   ├── AKSOnlyCriticalPodsOnSystemNodes.py
│   │   │   │   │   ├── AKSPoolTypeIsScaleSet.py
│   │   │   │   │   ├── AKSRbacEnabled.py
│   │   │   │   │   ├── AKSSecretStoreRotation.py
│   │   │   │   │   ├── AKSUpgradeChannel.py
│   │   │   │   │   ├── AKSUsesAzurePoliciesAddon.py
│   │   │   │   │   ├── AKSUsesDiskEncryptionSet.py
│   │   │   │   │   ├── APIManagementBackendHTTPS.py
│   │   │   │   │   ├── APIManagementCertsEnforced.py
│   │   │   │   │   ├── APIManagementMinTLS12.py
│   │   │   │   │   ├── APIManagementPublicAccess.py
│   │   │   │   │   ├── APIServicesUseVirtualNetwork.py
│   │   │   │   │   ├── ActiveDirectoryUsedAuthenticationServiceFabric.py
│   │   │   │   │   ├── AppConfigEncryption.py
│   │   │   │   │   ├── AppConfigLocalAuth.py
│   │   │   │   │   ├── AppConfigPublicAccess.py
│   │   │   │   │   ├── AppConfigPurgeProtection.py
│   │   │   │   │   ├── AppConfigSku.py
│   │   │   │   │   ├── AppGWDefinesSecureProtocols.py
│   │   │   │   │   ├── AppGWUseWAFMode.py
│   │   │   │   │   ├── AppGWUsesHttps.py
│   │   │   │   │   ├── AppGatewayWAFACLCVE202144228.py
│   │   │   │   │   ├── AppServiceAlwaysOn.py
│   │   │   │   │   ├── AppServiceAuthentication.py
│   │   │   │   │   ├── AppServiceClientCertificate.py
│   │   │   │   │   ├── AppServiceDetailedErrorMessagesEnabled.py
│   │   │   │   │   ├── AppServiceDisallowCORS.py
│   │   │   │   │   ├── AppServiceDotnetFrameworkVersion.py
│   │   │   │   │   ├── AppServiceEnableFailedRequest.py
│   │   │   │   │   ├── AppServiceEnvironmentZoneRedundant.py
│   │   │   │   │   ├── AppServiceFTPSState.py
│   │   │   │   │   ├── AppServiceHTTPSOnly.py
│   │   │   │   │   ├── AppServiceHttpLoggingEnabled.py
│   │   │   │   │   ├── AppServiceHttps20Enabled.py
│   │   │   │   │   ├── AppServiceIdentity.py
│   │   │   │   │   ├── AppServiceIdentityProviderEnabled.py
│   │   │   │   │   ├── AppServiceInstanceMinimum.py
│   │   │   │   │   ├── AppServiceJavaVersion.py
│   │   │   │   │   ├── AppServiceMinTLSVersion.py
│   │   │   │   │   ├── AppServicePHPVersion.py
│   │   │   │   │   ├── AppServicePlanZoneRedundant.py
│   │   │   │   │   ├── AppServicePublicAccessDisabled.py
│   │   │   │   │   ├── AppServicePythonVersion.py
│   │   │   │   │   ├── AppServiceRemoteDebuggingNotEnabled.py
│   │   │   │   │   ├── AppServiceSetHealthCheck.py
│   │   │   │   │   ├── AppServiceSkuMinimum.py
│   │   │   │   │   ├── AppServiceSlotDebugDisabled.py
│   │   │   │   │   ├── AppServiceSlotHTTPSOnly.py
│   │   │   │   │   ├── AppServiceSlotMinTLS.py
│   │   │   │   │   ├── AppServiceUsedAzureFiles.py
│   │   │   │   │   ├── AutomationEncrypted.py
│   │   │   │   │   ├── AzureBatchAccountEndpointAccessDefaultAction.py
│   │   │   │   │   ├── AzureBatchAccountUsesKeyVaultEncryption.py
│   │   │   │   │   ├── AzureContainerGroupDeployedIntoVirtualNetwork.py
│   │   │   │   │   ├── AzureContainerInstanceEnvVarSecureValueType.py
│   │   │   │   │   ├── AzureContainerInstancePublicIPAddressType.py
│   │   │   │   │   ├── AzureDataExplorerDoubleEncryptionEnabled.py
│   │   │   │   │   ├── AzureDefenderDisabledForResManager.py
│   │   │   │   │   ├── AzureDefenderOnAppServices.py
│   │   │   │   │   ├── AzureDefenderOnContainerRegistry.py
│   │   │   │   │   ├── AzureDefenderOnKeyVaults.py
│   │   │   │   │   ├── AzureDefenderOnKubernetes.py
│   │   │   │   │   ├── AzureDefenderOnServers.py
│   │   │   │   │   ├── AzureDefenderOnSqlServerVMS.py
│   │   │   │   │   ├── AzureDefenderOnSqlServers.py
│   │   │   │   │   ├── AzureDefenderOnStorage.py
│   │   │   │   │   ├── AzureFirewallDefinesPolicy.py
│   │   │   │   │   ├── AzureFirewallDenyThreatIntelMode.py
│   │   │   │   │   ├── AzureFirewallPolicyIDPSDeny.py
│   │   │   │   │   ├── AzureFrontDoorEnablesWAF.py
│   │   │   │   │   ├── AzureInstanceExtensions.py
│   │   │   │   │   ├── AzureInstancePassword.py
│   │   │   │   │   ├── AzureManagedDiskEncryption.py
│   │   │   │   │   ├── AzureManagedDiskEncryptionSet.py
│   │   │   │   │   ├── AzureScaleSetPassword.py
│   │   │   │   │   ├── AzureSearchAllowedIPsNotGlobal.py
│   │   │   │   │   ├── AzureSearchManagedIdentity.py
│   │   │   │   │   ├── AzureSearchPublicNetworkAccessDisabled.py
│   │   │   │   │   ├── AzureSearchSLAIndex.py
│   │   │   │   │   ├── AzureSearchSLAQueryUpdates.py
│   │   │   │   │   ├── AzureServiceFabricClusterProtectionLevel.py
│   │   │   │   │   ├── AzureServicebusDoubleEncryptionEnabled.py
│   │   │   │   │   ├── AzureServicebusHasCMK.py
│   │   │   │   │   ├── AzureServicebusIdentityProviderEnabled.py
│   │   │   │   │   ├── AzureServicebusLocalAuthDisabled.py
│   │   │   │   │   ├── AzureServicebusMinTLSVersion.py
│   │   │   │   │   ├── AzureServicebusPublicAccessDisabled.py
│   │   │   │   │   ├── AzureSparkPoolIsolatedComputeEnabled.py
│   │   │   │   │   ├── CDNDisableHttpEndpoints.py
│   │   │   │   │   ├── CDNEnableHttpsEndpoints.py
│   │   │   │   │   ├── CDNTLSProtocol12.py
│   │   │   │   │   ├── CognitiveServicesConfigureIdentity.py
│   │   │   │   │   ├── CognitiveServicesDisablesPublicNetwork.py
│   │   │   │   │   ├── CognitiveServicesEnableLocalAuth.py
│   │   │   │   │   ├── CosmosDBAccountsRestrictedAccess.py
│   │   │   │   │   ├── CosmosDBDisableAccessKeyWrite.py
│   │   │   │   │   ├── CosmosDBDisablesPublicNetwork.py
│   │   │   │   │   ├── CosmosDBHaveCMK.py
│   │   │   │   │   ├── CosmosDBLocalAuthDisabled.py
│   │   │   │   │   ├── CutsomRoleDefinitionSubscriptionOwner.py
│   │   │   │   │   ├── DataExplorerSKUHasSLA.py
│   │   │   │   │   ├── DataExplorerServiceIdentity.py
│   │   │   │   │   ├── DataExplorerUsesDiskEncryption.py
│   │   │   │   │   ├── DataFactoryNoPublicNetworkAccess.py
│   │   │   │   │   ├── DataFactoryUsesGitRepository.py
│   │   │   │   │   ├── DataLakeStoreEncryption.py
│   │   │   │   │   ├── DatabricksWorkspaceIsNotPublic.py
│   │   │   │   │   ├── EventHubNamespaceMinTLS12.py
│   │   │   │   │   ├── EventHubNamespaceZoneRedundant.py
│   │   │   │   │   ├── EventgridDomainIdentityProviderEnabled.py
│   │   │   │   │   ├── EventgridDomainLocalAuthentication.py
│   │   │   │   │   ├── EventgridDomainNetworkAccess.py
│   │   │   │   │   ├── EventgridTopicIdentityProviderEnabled.py
│   │   │   │   │   ├── EventgridTopicLocalAuthentication.py
│   │   │   │   │   ├── EventgridTopicNetworkAccess.py
│   │   │   │   │   ├── FrontDoorWAFACLCVE202144228.py
│   │   │   │   │   ├── FrontdoorUseWAFMode.py
│   │   │   │   │   ├── FunctionAppDisallowCORS.py
│   │   │   │   │   ├── FunctionAppEnableLogging.py
│   │   │   │   │   ├── FunctionAppHttpVersionLatest.py
│   │   │   │   │   ├── FunctionAppMinTLSVersion.py
│   │   │   │   │   ├── FunctionAppPublicAccessDisabled.py
│   │   │   │   │   ├── FunctionAppsAccessibleOverHttps.py
│   │   │   │   │   ├── FunctionAppsEnableAuthentication.py
│   │   │   │   │   ├── GithubActionsOIDCTrustPolicy.py
│   │   │   │   │   ├── IoTNoPublicNetworkAccess.py
│   │   │   │   │   ├── KeyBackedByHSM.py
│   │   │   │   │   ├── KeyExpirationDate.py
│   │   │   │   │   ├── KeyVaultDisablesPublicNetworkAccess.py
│   │   │   │   │   ├── KeyVaultEnablesFirewallRulesSettings.py
│   │   │   │   │   ├── KeyVaultEnablesPurgeProtection.py
│   │   │   │   │   ├── KeyVaultEnablesSoftDelete.py
│   │   │   │   │   ├── KeyvaultRecoveryEnabled.py
│   │   │   │   │   ├── KubernetesClusterHTTPApplicationRouting.py
│   │   │   │   │   ├── LinuxVMUsesSSH.py
│   │   │   │   │   ├── MLCCLADisabled.py
│   │   │   │   │   ├── MLComputeClusterMinNodes.py
│   │   │   │   │   ├── MLPublicAccess.py
│   │   │   │   │   ├── MSSQLServerAuditPolicyLogMonitor.py
│   │   │   │   │   ├── MSSQLServerMinTLSVersion.py
│   │   │   │   │   ├── MariaDBGeoBackupEnabled.py
│   │   │   │   │   ├── MariaDBPublicAccessDisabled.py
│   │   │   │   │   ├── MariaDBSSLEnforcementEnabled.py
│   │   │   │   │   ├── MonitorLogProfileCategories.py
│   │   │   │   │   ├── MonitorLogProfileRetentionDays.py
│   │   │   │   │   ├── MySQLEncryptionEnabled.py
│   │   │   │   │   ├── MySQLGeoBackupEnabled.py
│   │   │   │   │   ├── MySQLPublicAccessDisabled.py
│   │   │   │   │   ├── MySQLServerMinTLSVersion.py
│   │   │   │   │   ├── MySQLServerSSLEnforcementEnabled.py
│   │   │   │   │   ├── MySQLTreatDetectionEnabled.py
│   │   │   │   │   ├── NSGRuleHTTPAccessRestricted.py
│   │   │   │   │   ├── NSGRulePortAccessRestricted.py
│   │   │   │   │   ├── NSGRuleRDPAccessRestricted.py
│   │   │   │   │   ├── NSGRuleSSHAccessRestricted.py
│   │   │   │   │   ├── NSGRuleUDPAccessRestricted.py
│   │   │   │   │   ├── NetworkInterfaceEnableIPForwarding.py
│   │   │   │   │   ├── NetworkWatcherFlowLogPeriod.py
│   │   │   │   │   ├── OpenAICognitiveServicesRestrictOutboundNetwork.py
│   │   │   │   │   ├── PostgreSQLEncryptionEnabled.py
│   │   │   │   │   ├── PostgreSQLFlexiServerGeoBackupEnabled.py
│   │   │   │   │   ├── PostgreSQLMinTLSVersion.py
│   │   │   │   │   ├── PostgreSQLServerConnectionThrottlingEnabled.py
│   │   │   │   │   ├── PostgreSQLServerLogCheckpointsEnabled.py
│   │   │   │   │   ├── PostgreSQLServerLogConnectionsEnabled.py
│   │   │   │   │   ├── PostgreSQLServerLogRetentionEnabled.py
│   │   │   │   │   ├── PostgreSQLServerPublicAccessDisabled.py
│   │   │   │   │   ├── PostgreSQLServerSSLEnforcementEnabled.py
│   │   │   │   │   ├── PostgresSQLTreatDetectionEnabled.py
│   │   │   │   │   ├── PostgressSQLGeoBackupEnabled.py
│   │   │   │   │   ├── PubsubSKUSLA.py
│   │   │   │   │   ├── PubsubSpecifyIdentity.py
│   │   │   │   │   ├── RedisCacheEnableNonSSLPort.py
│   │   │   │   │   ├── RedisCacheMinTLSVersion.py
│   │   │   │   │   ├── RedisCachePublicNetworkAccessEnabled.py
│   │   │   │   │   ├── RedisCacheStandardReplicationEnabled.py
│   │   │   │   │   ├── SQLDatabaseLedgerEnabled.py
│   │   │   │   │   ├── SQLDatabaseZoneRedundant.py
│   │   │   │   │   ├── SQLServerEmailAlertsEnabled.py
│   │   │   │   │   ├── SQLServerEmailAlertsToAdminsEnabled.py
│   │   │   │   │   ├── SQLServerNoPublicAccess.py
│   │   │   │   │   ├── SQLServerPublicAccessDisabled.py
│   │   │   │   │   ├── SQLServerThreatDetectionTypes.py
│   │   │   │   │   ├── SecretContentType.py
│   │   │   │   │   ├── SecretExpirationDate.py
│   │   │   │   │   ├── SecurityCenterContactEmailAlert.py
│   │   │   │   │   ├── SecurityCenterContactEmailAlertAdmins.py
│   │   │   │   │   ├── SecurityCenterContactEmails.py
│   │   │   │   │   ├── SecurityCenterContactPhone.py
│   │   │   │   │   ├── SecurityCenterStandardPricing.py
│   │   │   │   │   ├── SignalRSKUSLA.py
│   │   │   │   │   ├── SpringCloudAPIPortalHTTPSOnly.py
│   │   │   │   │   ├── SpringCloudAPIPortalPublicAccessIsDisabled.py
│   │   │   │   │   ├── StorageAccountAzureServicesAccessEnabled.py
│   │   │   │   │   ├── StorageAccountDefaultNetworkAccessDeny.py
│   │   │   │   │   ├── StorageAccountDisablePublicAccess.py
│   │   │   │   │   ├── StorageAccountLoggingQueueServiceEnabled.py
│   │   │   │   │   ├── StorageAccountMinimumTlsVersion.py
│   │   │   │   │   ├── StorageAccountName.py
│   │   │   │   │   ├── StorageAccountsTransportEncryption.py
│   │   │   │   │   ├── StorageAccountsUseReplication.py
│   │   │   │   │   ├── StorageBlobRestrictPublicAccess.py
│   │   │   │   │   ├── StorageBlobServiceContainerPrivateAccess.py
│   │   │   │   │   ├── StorageLocalUsers.py
│   │   │   │   │   ├── StorageSyncPublicAccessDisabled.py
│   │   │   │   │   ├── StorageSyncServicePermissiveAccess.py
│   │   │   │   │   ├── SynapseSQLPoolDataEncryption.py
│   │   │   │   │   ├── SynapseWorkspaceAdministratorLoginPasswordHidden.py
│   │   │   │   │   ├── SynapseWorkspaceCMKEncryption.py
│   │   │   │   │   ├── SynapseWorkspaceEnablesDataExfilProtection.py
│   │   │   │   │   ├── SynapseWorkspaceEnablesManagedVirtualNetworks.py
│   │   │   │   │   ├── VMAgentIsInstalled.py
│   │   │   │   │   ├── VMCredsInCustomData.py
│   │   │   │   │   ├── VMDisablePasswordAuthentication.py
│   │   │   │   │   ├── VMDiskWithPublicAccess.py
│   │   │   │   │   ├── VMEncryptionAtHostEnabled.py
│   │   │   │   │   ├── VMScaleSetsAutoOSImagePatchingEnabled.py
│   │   │   │   │   ├── VMStorageOsDisk.py
│   │   │   │   │   ├── VnetLocalDNS.py
│   │   │   │   │   ├── VnetSingleDNSServer.py
│   │   │   │   │   ├── WinVMAutomaticUpdates.py
│   │   │   │   │   ├── WinVMEncryptionAtHost.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── base_cloudsplaining_resource_iam_check.py
│   │   │   │   ├── base_registry.py
│   │   │   │   ├── base_resource_check.py
│   │   │   │   ├── base_resource_negative_value_check.py
│   │   │   │   ├── base_resource_value_check.py
│   │   │   │   ├── digitalocean/
│   │   │   │   │   ├── DropletSSHKeys.py
│   │   │   │   │   ├── FirewallIngressOpen.py
│   │   │   │   │   ├── SpacesBucketPublicRead.py
│   │   │   │   │   ├── SpacesBucketVersioning.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── gcp/
│   │   │   │   │   ├── AbsGoogleBasicRoles.py
│   │   │   │   │   ├── AbsGoogleComputeFirewallUnrestrictedIngress.py
│   │   │   │   │   ├── AbsGoogleIAMMemberDefaultServiceAccount.py
│   │   │   │   │   ├── AbsGoogleImpersonationRoles.py
│   │   │   │   │   ├── AbsGooglePostgresqlDatabaseFlags.py
│   │   │   │   │   ├── ArtifactRegistryPrivateRepo.py
│   │   │   │   │   ├── ArtifactRegsitryEncryptedWithCMK.py
│   │   │   │   │   ├── BigQueryDatasetEncryptedWithCMK.py
│   │   │   │   │   ├── BigQueryPrivateTable.py
│   │   │   │   │   ├── BigQueryTableDeletionProtection.py
│   │   │   │   │   ├── BigQueryTableEncryptedWithCMK.py
│   │   │   │   │   ├── BigTableInstanceDeletionProtection.py
│   │   │   │   │   ├── BigTableInstanceEncryptedWithCMK.py
│   │   │   │   │   ├── CloudArmorWAFACLCVE202144228.py
│   │   │   │   │   ├── CloudBuildWorkersArePrivate.py
│   │   │   │   │   ├── CloudFunctionPermissiveIngress.py
│   │   │   │   │   ├── CloudFunctionsShouldNotBePublic.py
│   │   │   │   │   ├── CloudPubSubEncryptedWithCMK.py
│   │   │   │   │   ├── CloudSqlMajorVersion.py
│   │   │   │   │   ├── CloudStorageLogging.py
│   │   │   │   │   ├── CloudStorageSelfLogging.py
│   │   │   │   │   ├── CloudStorageVersioningEnabled.py
│   │   │   │   │   ├── DataFusionPrivateInstance.py
│   │   │   │   │   ├── DataFusionStackdriverLogs.py
│   │   │   │   │   ├── DataFusionStackdriverMonitoring.py
│   │   │   │   │   ├── DataflowJobEncryptedWithCMK.py
│   │   │   │   │   ├── DataflowPrivateJob.py
│   │   │   │   │   ├── DataprocClusterEncryptedWithCMK.py
│   │   │   │   │   ├── DataprocPrivateCluster.py
│   │   │   │   │   ├── DataprocPublicIpCluster.py
│   │   │   │   │   ├── GCPCloudRunPrivateService.py
│   │   │   │   │   ├── GKEAliasIpEnabled.py
│   │   │   │   │   ├── GKEBinaryAuthorization.py
│   │   │   │   │   ├── GKEClientCertificateDisabled.py
│   │   │   │   │   ├── GKEClusterLogging.py
│   │   │   │   │   ├── GKEDisableLegacyAuth.py
│   │   │   │   │   ├── GKEDontUseNodePools.py
│   │   │   │   │   ├── GKEEnableShieldedNodes.py
│   │   │   │   │   ├── GKEEnableVPCFlowLogs.py
│   │   │   │   │   ├── GKEEnsureIntegrityMonitoring.py
│   │   │   │   │   ├── GKEHasLabels.py
│   │   │   │   │   ├── GKEKubernetesRBACGoogleGroups.py
│   │   │   │   │   ├── GKEMasterAuthorizedNetworksEnabled.py
│   │   │   │   │   ├── GKEMetadataServerIsEnabled.py
│   │   │   │   │   ├── GKEMonitoringEnabled.py
│   │   │   │   │   ├── GKENetworkPolicyEnabled.py
│   │   │   │   │   ├── GKENodePoolAutoRepairEnabled.py
│   │   │   │   │   ├── GKENodePoolAutoUpgradeEnabled.py
│   │   │   │   │   ├── GKEPodSecurityPolicyEnabled.py
│   │   │   │   │   ├── GKEPrivateClusterConfig.py
│   │   │   │   │   ├── GKEPrivateNodes.py
│   │   │   │   │   ├── GKEPublicControlPlane.py
│   │   │   │   │   ├── GKEReleaseChannel.py
│   │   │   │   │   ├── GKESecureBootforShieldedNodes.py
│   │   │   │   │   ├── GKEUseCosImage.py
│   │   │   │   │   ├── GithubActionsOIDCTrustPolicy.py
│   │   │   │   │   ├── GoogleBigQueryDatasetPublicACL.py
│   │   │   │   │   ├── GoogleCloudDNSKeySpecsRSASHA1.py
│   │   │   │   │   ├── GoogleCloudDNSSECEnabled.py
│   │   │   │   │   ├── GoogleCloudMySqlLocalInfileOff.py
│   │   │   │   │   ├── GoogleCloudPostgreSqlEnablePgaudit.py
│   │   │   │   │   ├── GoogleCloudPostgreSqlLogCheckpoints.py
│   │   │   │   │   ├── GoogleCloudPostgreSqlLogConnection.py
│   │   │   │   │   ├── GoogleCloudPostgreSqlLogDisconnection.py
│   │   │   │   │   ├── GoogleCloudPostgreSqlLogHostname.py
│   │   │   │   │   ├── GoogleCloudPostgreSqlLogLockWaits.py
│   │   │   │   │   ├── GoogleCloudPostgreSqlLogMinDuration.py
│   │   │   │   │   ├── GoogleCloudPostgreSqlLogMinErrorStatement.py
│   │   │   │   │   ├── GoogleCloudPostgreSqlLogMinMessage.py
│   │   │   │   │   ├── GoogleCloudPostgreSqlLogStatement.py
│   │   │   │   │   ├── GoogleCloudPostgreSqlLogTemp.py
│   │   │   │   │   ├── GoogleCloudSqlBackupConfiguration.py
│   │   │   │   │   ├── GoogleCloudSqlDatabasePubliclyAccessible.py
│   │   │   │   │   ├── GoogleCloudSqlDatabaseRequireSsl.py
│   │   │   │   │   ├── GoogleCloudSqlServerContainedDBAuthentication.py
│   │   │   │   │   ├── GoogleCloudSqlServerCrossDBOwnershipChaining.py
│   │   │   │   │   ├── GoogleCloudSqlServerNoPublicIP.py
│   │   │   │   │   ├── GoogleComputeBlockProjectSSH.py
│   │   │   │   │   ├── GoogleComputeBootDiskEncryption.py
│   │   │   │   │   ├── GoogleComputeDefaultServiceAccount.py
│   │   │   │   │   ├── GoogleComputeDefaultServiceAccountFullAccess.py
│   │   │   │   │   ├── GoogleComputeDiskEncryption.py
│   │   │   │   │   ├── GoogleComputeExternalIP.py
│   │   │   │   │   ├── GoogleComputeFirewallUnrestrictedIngress20.py
│   │   │   │   │   ├── GoogleComputeFirewallUnrestrictedIngress21.py
│   │   │   │   │   ├── GoogleComputeFirewallUnrestrictedIngress22.py
│   │   │   │   │   ├── GoogleComputeFirewallUnrestrictedIngress3306.py
│   │   │   │   │   ├── GoogleComputeFirewallUnrestrictedIngress3389.py
│   │   │   │   │   ├── GoogleComputeFirewallUnrestrictedIngress80.py
│   │   │   │   │   ├── GoogleComputeIPForward.py
│   │   │   │   │   ├── GoogleComputeInstanceOSLogin.py
│   │   │   │   │   ├── GoogleComputeProjectOSLogin.py
│   │   │   │   │   ├── GoogleComputeSSLPolicy.py
│   │   │   │   │   ├── GoogleComputeSerialPorts.py
│   │   │   │   │   ├── GoogleComputeShieldedVM.py
│   │   │   │   │   ├── GoogleFolderBasicRole.py
│   │   │   │   │   ├── GoogleFolderImpersonationRole.py
│   │   │   │   │   ├── GoogleFolderMemberDefaultServiceAccount.py
│   │   │   │   │   ├── GoogleIAMWorkloadIdentityConditional.py
│   │   │   │   │   ├── GoogleKMSKeyIsPublic.py
│   │   │   │   │   ├── GoogleKMSPreventDestroy.py
│   │   │   │   │   ├── GoogleKMSRotationPeriod.py
│   │   │   │   │   ├── GoogleOrgBasicRole.py
│   │   │   │   │   ├── GoogleOrgImpersonationRole.py
│   │   │   │   │   ├── GoogleOrgMemberDefaultServiceAccount.py
│   │   │   │   │   ├── GoogleProjectAdminServiceAccount.py
│   │   │   │   │   ├── GoogleProjectBasicRole.py
│   │   │   │   │   ├── GoogleProjectDefaultNetwork.py
│   │   │   │   │   ├── GoogleProjectImpersonationRole.py
│   │   │   │   │   ├── GoogleProjectMemberDefaultServiceAccount.py
│   │   │   │   │   ├── GoogleRoleServiceAccountUser.py
│   │   │   │   │   ├── GoogleStorageBucketNotPublic.py
│   │   │   │   │   ├── GoogleStorageBucketUniformAccess.py
│   │   │   │   │   ├── GoogleStoragePublicAccessPrevention.py
│   │   │   │   │   ├── GoogleSubnetworkIPV6PrivateGoogleEnabled.py
│   │   │   │   │   ├── GoogleSubnetworkLoggingEnabled.py
│   │   │   │   │   ├── GoogleSubnetworkPrivateGoogleEnabled.py
│   │   │   │   │   ├── GoogleVertexAINotebookShieldedVM.py
│   │   │   │   │   ├── MemorystoreForRedisAuthEnabled.py
│   │   │   │   │   ├── MemorystoreForRedisInTransitEncryption.py
│   │   │   │   │   ├── PubSubPrivateTopic.py
│   │   │   │   │   ├── SpannerDatabaseDeletionProtection.py
│   │   │   │   │   ├── SpannerDatabaseDropProtection.py
│   │   │   │   │   ├── SpannerDatabaseEncryptedWithCMK.py
│   │   │   │   │   ├── VertexAIDatasetEncryptedWithCMK.py
│   │   │   │   │   ├── VertexAIMetadataStoreEncryptedWithCMK.py
│   │   │   │   │   ├── VertexAINotebookEnsureIntegrityMonitoring.py
│   │   │   │   │   ├── VertexAIPrivateInstance.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── github/
│   │   │   │   │   ├── BranchProtectionRequireSignedCommits.py
│   │   │   │   │   ├── BranchProtectionReviewNumTwo.py
│   │   │   │   │   ├── PrivateRepo.py
│   │   │   │   │   ├── RepositoryEnableVulnerabilityAlerts.py
│   │   │   │   │   ├── SecretsEncrypted.py
│   │   │   │   │   ├── WebhookInsecureSsl.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── gitlab/
│   │   │   │   │   ├── ForcePushDisabled.py
│   │   │   │   │   ├── PreventSecretsEnabled.py
│   │   │   │   │   ├── RejectUnsignedCommits.py
│   │   │   │   │   ├── RequireTwoApprovalsToMerge.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── kubernetes/
│   │   │   │   │   ├── AllowPrivilegeEscalation.py
│   │   │   │   │   ├── AllowPrivilegeEscalationPSP.py
│   │   │   │   │   ├── AllowedCapabilities.py
│   │   │   │   │   ├── AllowedCapabilitiesPSP.py
│   │   │   │   │   ├── AllowedCapabilitiesSysAdmin.py
│   │   │   │   │   ├── CPULimits.py
│   │   │   │   │   ├── CPURequests.py
│   │   │   │   │   ├── ContainerSecurityContext.py
│   │   │   │   │   ├── DangerousGitSync.py
│   │   │   │   │   ├── DefaultNamespace.py
│   │   │   │   │   ├── DefaultServiceAccount.py
│   │   │   │   │   ├── DefaultServiceAccountBinding.py
│   │   │   │   │   ├── DockerSocketVolume.py
│   │   │   │   │   ├── DropCapabilities.py
│   │   │   │   │   ├── DropCapabilitiesPSP.py
│   │   │   │   │   ├── HostPort.py
│   │   │   │   │   ├── ImageDigest.py
│   │   │   │   │   ├── ImagePullPolicyAlways.py
│   │   │   │   │   ├── ImageTagFixed.py
│   │   │   │   │   ├── LivenessProbe.py
│   │   │   │   │   ├── MemoryLimits.py
│   │   │   │   │   ├── MemoryRequests.py
│   │   │   │   │   ├── MinimiseCapabilities.py
│   │   │   │   │   ├── MinimiseCapabilitiesPSP.py
│   │   │   │   │   ├── PodSecurityContext.py
│   │   │   │   │   ├── PrivilegedContainer.py
│   │   │   │   │   ├── PrivilegedContainerPSP.py
│   │   │   │   │   ├── ReadinessProbe.py
│   │   │   │   │   ├── ReadonlyRootFilesystem.py
│   │   │   │   │   ├── RootContainerPSP.py
│   │   │   │   │   ├── SeccompPSP.py
│   │   │   │   │   ├── Secrets.py
│   │   │   │   │   ├── ShareHostIPC.py
│   │   │   │   │   ├── ShareHostIPCPSP.py
│   │   │   │   │   ├── ShareHostPID.py
│   │   │   │   │   ├── ShareHostPIDPSP.py
│   │   │   │   │   ├── SharedHostNetworkNamespace.py
│   │   │   │   │   ├── SharedHostNetworkNamespacePSP.py
│   │   │   │   │   ├── Tiller.py
│   │   │   │   │   ├── TillerService.py
│   │   │   │   │   ├── WildcardRoles.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── linode/
│   │   │   │   │   ├── __init__.py
│   │   │   │   │   ├── authorized_keys.py
│   │   │   │   │   ├── firewall_inbound_policy.py
│   │   │   │   │   ├── firewall_outbound_policy.py
│   │   │   │   │   ├── user_email_set.py
│   │   │   │   │   └── user_username_set.py
│   │   │   │   ├── ncp/
│   │   │   │   │   ├── AccessControlGroupInboundRule.py
│   │   │   │   │   ├── AccessControlGroupInboundRulePort22.py
│   │   │   │   │   ├── AccessControlGroupInboundRulePort3389.py
│   │   │   │   │   ├── AccessControlGroupInboundRulePort80.py
│   │   │   │   │   ├── AccessControlGroupOutboundRule.py
│   │   │   │   │   ├── AccessControlGroupRuleDescription.py
│   │   │   │   │   ├── LBListenerUsesSecureProtocols.py
│   │   │   │   │   ├── LBListenerUsingHTTPS.py
│   │   │   │   │   ├── LBNetworkPrivate.py
│   │   │   │   │   ├── LBTargetGroupDefinesHealthCheck.py
│   │   │   │   │   ├── LBTargetGroupUsingHTTPS.py
│   │   │   │   │   ├── LaunchConfigurationEncryptionVPC.py
│   │   │   │   │   ├── NACLInbound20.py
│   │   │   │   │   ├── NACLInbound21.py
│   │   │   │   │   ├── NACLInbound22.py
│   │   │   │   │   ├── NACLInbound3389.py
│   │   │   │   │   ├── NACLInboundCheck.py
│   │   │   │   │   ├── NACLPortCheck.py
│   │   │   │   │   ├── NASEncryptionEnabled.py
│   │   │   │   │   ├── NKSControlPlaneLogging.py
│   │   │   │   │   ├── NKSPublicAccess.py
│   │   │   │   │   ├── RouteTableNATGatewayDefault.py
│   │   │   │   │   ├── ServerEncryptionVPC.py
│   │   │   │   │   ├── ServerPublicIP.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── oci/
│   │   │   │   │   ├── AbsSecurityGroupUnrestrictedIngress.py
│   │   │   │   │   ├── AbsSecurityListUnrestrictedIngress.py
│   │   │   │   │   ├── DataCatalogWithPublicAccess.py
│   │   │   │   │   ├── FileSystemEncryption.py
│   │   │   │   │   ├── IAMPasswordLength.py
│   │   │   │   │   ├── IAMPasswordPolicyLowerCase.py
│   │   │   │   │   ├── IAMPasswordPolicyNumeric.py
│   │   │   │   │   ├── IAMPasswordPolicySpecialCharacters.py
│   │   │   │   │   ├── IAMPasswordPolicyUpperCase.py
│   │   │   │   │   ├── InstanceBootVolumeIntransitEncryption.py
│   │   │   │   │   ├── InstanceMetadataServiceEnabled.py
│   │   │   │   │   ├── InstanceMonitoringEnabled.py
│   │   │   │   │   ├── ObjectStorageEmitEvents.py
│   │   │   │   │   ├── ObjectStorageEncryption.py
│   │   │   │   │   ├── ObjectStoragePublic.py
│   │   │   │   │   ├── ObjectStorageVersioning.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedIngress22.py
│   │   │   │   │   ├── SecurityGroupsIngressStatelessSecurityRules.py
│   │   │   │   │   ├── SecurityListIngress.py
│   │   │   │   │   ├── SecurityListIngressStateless.py
│   │   │   │   │   ├── SecurityListUnrestrictedIngress22.py
│   │   │   │   │   ├── SecurityListUnrestrictedIngress3389.py
│   │   │   │   │   ├── StorageBlockBackupEnabled.py
│   │   │   │   │   ├── StorageBlockEncryption.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── okta/
│   │   │   │   │   ├── TwoFASignOnPolicyRule.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── openstack/
│   │   │   │   │   ├── AbsSecurityGroupUnrestrictedIngress.py
│   │   │   │   │   ├── ComputeInstanceAdminPassword.py
│   │   │   │   │   ├── FirewallRuleSetDestinationIP.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedIngress22.py
│   │   │   │   │   ├── SecurityGroupUnrestrictedIngress3389.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── panos/
│   │   │   │   │   ├── InterfaceMgmtProfileNoHTTP.py
│   │   │   │   │   ├── InterfaceMgmtProfileNoTelnet.py
│   │   │   │   │   ├── NetworkIPsecAlgorithms.py
│   │   │   │   │   ├── NetworkIPsecAuthAlgorithms.py
│   │   │   │   │   ├── NetworkIPsecProtocols.py
│   │   │   │   │   ├── PolicyDescription.py
│   │   │   │   │   ├── PolicyLogForwarding.py
│   │   │   │   │   ├── PolicyLoggingEnabled.py
│   │   │   │   │   ├── PolicyNoApplicationAny.py
│   │   │   │   │   ├── PolicyNoDSRI.py
│   │   │   │   │   ├── PolicyNoServiceAny.py
│   │   │   │   │   ├── PolicyNoSrcAnyDstAny.py
│   │   │   │   │   ├── ZoneProtectionProfile.py
│   │   │   │   │   ├── ZoneUserIDIncludeACL.py
│   │   │   │   │   └── __init__.py
│   │   │   │   ├── registry.py
│   │   │   │   ├── tencentcloud/
│   │   │   │   │   ├── CBSEncryption.py
│   │   │   │   │   ├── CDBInternetService.py
│   │   │   │   │   ├── CDBIntranetPort.py
│   │   │   │   │   ├── CLBInstanceLog.py
│   │   │   │   │   ├── CLBListenerProtocol.py
│   │   │   │   │   ├── CVMAllocatePublicIp.py
│   │   │   │   │   ├── CVMDisableMonitorService.py
│   │   │   │   │   ├── CVMUseDefaultSecurityGroup.py
│   │   │   │   │   ├── CVMUseDefaultVPC.py
│   │   │   │   │   ├── CVMUserData.py
│   │   │   │   │   ├── TKELogAgentEnabled.py
│   │   │   │   │   ├── TKEPublicIpAssigned.py
│   │   │   │   │   ├── VPCFlowLogConfigEnable.py
│   │   │   │   │   ├── VPCSecurityGroupRuleSet.py
│   │   │   │   │   └── __init__.py
│   │   │   │   └── yandexcloud/
│   │   │   │       ├── ComputeInstanceGroupPublicIP.py
│   │   │   │       ├── ComputeInstanceGroupSecurityGroup.py
│   │   │   │       ├── ComputeVMPublicIP.py
│   │   │   │       ├── ComputeVMSecurityGroup.py
│   │   │   │       ├── ComputeVMSerialConsole.py
│   │   │   │       ├── IAMCloudElevatedMembers.py
│   │   │   │       ├── IAMFolderElevatedMembers.py
│   │   │   │       ├── IAMOrganizationElevatedMembers.py
│   │   │   │       ├── IAMPassportAccountUsage.py
│   │   │   │       ├── K8SAutoUpgrade.py
│   │   │   │       ├── K8SEtcdKMSEncryption.py
│   │   │   │       ├── K8SNetworkPolicy.py
│   │   │   │       ├── K8SNodeGroupAutoUpgrade.py
│   │   │   │       ├── K8SNodeGroupPublicIP.py
│   │   │   │       ├── K8SNodeGroupSecurityGroup.py
│   │   │   │       ├── K8SPublicIP.py
│   │   │   │       ├── K8SSecurityGroup.py
│   │   │   │       ├── KMSSymmetricKeyRotation.py
│   │   │   │       ├── MDBPublicIP.py
│   │   │   │       ├── MDBSecurityGroup.py
│   │   │   │       ├── ObjectStorageBucketEncryption.py
│   │   │   │       ├── ObjectStorageBucketPublicAccess.py
│   │   │   │       ├── VPCSecurityGroupAllowAll.py
│   │   │   │       ├── VPCSecurityGroupRuleAllowAll.py
│   │   │   │       └── __init__.py
│   │   │   └── utils/
│   │   │       ├── __init__.py
│   │   │       ├── base_cloudsplaining_iam_scanner.py
│   │   │       ├── consts.py
│   │   │       ├── dependency_path_handler.py
│   │   │       └── iam_terraform_document_to_policy_converter.py
│   │   ├── context_parsers/
│   │   │   ├── __init__.py
│   │   │   ├── base_parser.py
│   │   │   ├── parsers/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── data_context_parser.py
│   │   │   │   ├── locals_context_parser.py
│   │   │   │   ├── module_context_parser.py
│   │   │   │   ├── provider_context_parser.py
│   │   │   │   ├── resource_context_parser.py
│   │   │   │   └── variable_context_parser.py
│   │   │   ├── registry.py
│   │   │   └── tf_plan/
│   │   │       └── __init__.py
│   │   ├── deep_analysis_plan_graph_manager.py
│   │   ├── evaluation/
│   │   │   ├── __init__.py
│   │   │   └── base_variable_evaluation.py
│   │   ├── graph_builder/
│   │   │   ├── EncryptionCalculation.md
│   │   │   ├── __init__.py
│   │   │   ├── foreach/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── abstract_handler.py
│   │   │   │   ├── builder.py
│   │   │   │   ├── consts.py
│   │   │   │   ├── data_handler.py
│   │   │   │   ├── foreach_entity_handler.py
│   │   │   │   ├── module_handler.py
│   │   │   │   ├── resource_handler.py
│   │   │   │   └── utils.py
│   │   │   ├── graph_components/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── attribute_names.py
│   │   │   │   ├── block_types.py
│   │   │   │   ├── blocks.py
│   │   │   │   ├── generic_resource_encryption.py
│   │   │   │   └── module.py
│   │   │   ├── graph_to_tf_definitions.py
│   │   │   ├── local_graph.py
│   │   │   ├── utils.py
│   │   │   └── variable_rendering/
│   │   │       ├── __init__.py
│   │   │       ├── evaluate_terraform.py
│   │   │       ├── renderer.py
│   │   │       ├── safe_eval_functions.py
│   │   │       └── vertex_reference.py
│   │   ├── graph_manager.py
│   │   ├── image_referencer/
│   │   │   ├── __init__.py
│   │   │   ├── base_provider.py
│   │   │   ├── manager.py
│   │   │   └── provider/
│   │   │       ├── __init__.py
│   │   │       ├── aws.py
│   │   │       ├── azure.py
│   │   │       └── gcp.py
│   │   ├── module_loading/
│   │   │   ├── __init__.py
│   │   │   ├── content.py
│   │   │   ├── loader.py
│   │   │   ├── loaders/
│   │   │   │   ├── __init__.py
│   │   │   │   ├── bitbucket_access_token_loader.py
│   │   │   │   ├── bitbucket_loader.py
│   │   │   │   ├── git_loader.py
│   │   │   │   ├── github_access_token_loader.py
│   │   │   │   ├── github_loader.py
│   │   │   │   ├── local_path_loader.py
│   │   │   │   ├── registry_loader.py
│   │   │   │   └── versions_parser.py
│   │   │   ├── module_finder.py
│   │   │   ├── module_params.py
│   │   │   └── registry.py
│   │   ├── modules/
│   │   │   ├── __init__.py
│   │   │   ├── module_objects.py
│   │   │   └── module_utils.py
│   │   ├── parser_functions.py
│   │   ├── parser_utils.py
│   │   ├── plan_parser.py
│   │   ├── plan_runner.py
│   │   ├── plan_utils.py
│   │   ├── runner.py
│   │   ├── tag_providers/
│   │   │   ├── __init__.py
│   │   │   ├── aws.py
│   │   │   ├── azure.py
│   │   │   └── gcp.py
│   │   └── tf_parser.py
│   ├── terraform_json/
│   │   ├── __init__.py
│   │   ├── parser.py
│   │   ├── runner.py
│   │   └── utils.py
│   ├── version.py
│   └── yaml_doc/
│       ├── __init__.py
│       ├── base_registry.py
│       ├── base_yaml_check.py
│       ├── enums.py
│       ├── registry.py
│       └── runner.py
├── dangerfile.ts
├── docs/
│   ├── 1.Welcome/
│   │   ├── Feature Descriptions.md
│   │   ├── Migration.md
│   │   ├── Quick Start.md
│   │   ├── Terms and Concepts.md
│   │   └── What is Checkov.md
│   ├── 2.Basics/
│   │   ├── CLI Command Reference.md
│   │   ├── Handling Variables.md
│   │   ├── Hard and soft fail.md
│   │   ├── Installing Checkov.md
│   │   ├── Reviewing Scan Results.md
│   │   ├── Scanning Credentials and Secrets.md
│   │   ├── Suppressing and Skipping Policies.md
│   │   └── Visualizing Checkov Output.md
│   ├── 3.Custom Policies/
│   │   ├── Custom Policies Overview.md
│   │   ├── Examples.md
│   │   ├── Python Custom Policies.md
│   │   ├── Sharing Custom Policies.md
│   │   └── YAML Custom Policies.md
│   ├── 4.Integrations/
│   │   ├── Bitbucket Cloud Pipelines.md
│   │   ├── Docker.md
│   │   ├── GitHub Actions.md
│   │   ├── GitLab CI.md
│   │   ├── Jenkins.md
│   │   ├── Kubernetes.md
│   │   └── pre-commit.md
│   ├── 404.md
│   ├── 5.Policy Index/
│   │   ├── all.md
│   │   ├── ansible.md
│   │   ├── argo_workflows.md
│   │   ├── arm.md
│   │   ├── azure_pipelines.md
│   │   ├── bicep.md
│   │   ├── bitbucket_configuration.md
│   │   ├── bitbucket_pipelines.md
│   │   ├── circleci_pipelines.md
│   │   ├── cloudformation.md
│   │   ├── dockerfile.md
│   │   ├── github_actions.md
│   │   ├── github_configuration.md
│   │   ├── gitlab_ci.md
│   │   ├── gitlab_configuration.md
│   │   ├── kubernetes.md
│   │   ├── openapi.md
│   │   ├── secrets.md
│   │   ├── serverless.md
│   │   └── terraform.md
│   ├── 6.Contribution/
│   │   ├── Contribute New Argo Workflows Policies.md
│   │   ├── Contribute New Azure Pipelines Policies.md
│   │   ├── Contribute New Bitbucket Policies.md
│   │   ├── Contribute New GitHub Policies.md
│   │   ├── Contribute New Gitlab Policies.md
│   │   ├── Contribute New OpenAPI Policies.md
│   │   ├── Contribute New Terraform Provider.md
│   │   ├── Contribute Python-Based Policies.md
│   │   ├── Contribute YAML-based Policies.md
│   │   ├── Contribution New IaC Runner.md
│   │   ├── Contribution Overview.md
│   │   ├── Implementing CI Metadata Extractor.md
│   │   └── Implementing ImageReferencer.md
│   ├── 7.Scan Examples/
│   │   ├── AWS SAM.md
│   │   ├── Ansible.md
│   │   ├── Argo Workflows.md
│   │   ├── Azure ARM templates.md
│   │   ├── Azure Pipelines.md
│   │   ├── Bicep.md
│   │   ├── Bitbucket.md
│   │   ├── CDK.md
│   │   ├── Cloudformation.md
│   │   ├── Dockerfile.md
│   │   ├── Git History.md
│   │   ├── Github.md
│   │   ├── Gitlab.md
│   │   ├── Helm.md
│   │   ├── Kubernetes.md
│   │   ├── Kustomize.md
│   │   ├── OpenAPI.md
│   │   ├── Sca.md
│   │   ├── Serverless Framework.md
│   │   ├── Terraform Plan Scanning.md
│   │   └── Terraform.md
│   ├── 8.Outputs/
│   │   ├── CSV.md
│   │   ├── CycloneDX BOM.md
│   │   ├── GitLab SAST.md
│   │   ├── JUnit XML.md
│   │   └── SARIF.md
│   ├── CNAME
│   ├── Gemfile
│   ├── _config.yml
│   ├── index.md
│   ├── menus.json
│   ├── search.html
│   └── web/
│       ├── css/
│       │   ├── checkov.pyro.css
│       │   ├── normalize.css
│       │   ├── pyro.css
│       │   └── theme.css
│       └── js/
│           └── pyro.js
├── dogfood_tests/
│   ├── pytest.ini
│   └── test_checkov_dogfood.py
├── extra_stubs/
│   ├── boolean/
│   │   ├── __init__.pyi
│   │   └── boolean.py
│   ├── docker/
│   │   ├── __init__.pyi
│   │   ├── client.pyi
│   │   └── models/
│   │       └── images.pyi
│   ├── dockerfile_parse/
│   │   ├── __init__.pyi
│   │   ├── constants.pyi
│   │   └── parser.pyi
│   ├── junit_xml/
│   │   └── __init__.pyi
│   └── license_expression/
│       └── __init__.pyi
├── flake8_plugins/
│   ├── __init__.py
│   └── flake8_class_attributes_plugin/
│       ├── __init__.py
│       ├── flake8_class_attributes/
│       │   ├── __init__.py
│       │   ├── checker.py
│       │   ├── class_members_errors.py
│       │   └── model_parts_info.py
│       └── tests/
│           ├── __init__.py
│           ├── conftest.py
│           ├── test_files/
│           │   ├── __init__.py
│           │   ├── class_attribute_fail.py
│           │   ├── class_const_pass.py
│           │   ├── class_special_attributes_pass.py
│           │   ├── dataclass_skip.py
│           │   └── typing_class_skip.py
│           └── test_handler.py
├── github_action_resources/
│   ├── checkov-problem-matcher-softfail.json
│   ├── checkov-problem-matcher.json
│   └── entrypoint.sh
├── integration_tests/
│   ├── __init__.py
│   ├── example_config_files/
│   │   └── config.yaml
│   ├── example_ext_private_modules/
│   │   └── main.tf
│   ├── example_workflow_file/
│   │   ├── .github/
│   │   │   └── workflows/
│   │   │       └── vulnerable_container.yaml
│   │   └── bitbucket/
│   │       └── bitbucket-pipelines.yml
│   ├── prepare_data.sh
│   ├── run_integration_tests.sh
│   ├── test_checkov_cli_integration_report.py
│   ├── test_checkov_config.py
│   ├── test_checkov_cyclonedx_report.py
│   ├── test_checkov_ext_module_cloning.py
│   ├── test_checkov_json_report.py
│   ├── test_checkov_junit_report.py
│   ├── test_checkov_platform_only_policies.py
│   └── test_checkov_sarif_report.py
├── kubernetes/
│   ├── Dockerfile
│   ├── README.md
│   ├── checkov-job.yaml
│   ├── requirements.txt
│   └── run_checkov.sh
├── mypy.ini
├── performance_tests/
│   ├── __init__.py
│   ├── pytest.ini
│   └── test_checkov_performance.py
├── pyproject.toml
├── sast_integration_tests/
│   ├── __init__.py
│   ├── prepare_data.sh
│   ├── run_integration_tests.sh
│   └── test_checkov_sast_report.py
├── setup.py
└── tests/
    ├── __init__.py
    ├── ansible/
    │   ├── __init__.py
    │   ├── checks/
    │   │   ├── __init__.py
    │   │   ├── graph_checks/
    │   │   │   ├── __init__.py
    │   │   │   ├── resources/
    │   │   │   │   ├── BlockErrorHandling/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── DnfDisableGpgCheck/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── DnfSslVerify/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── DnfValidateCerts/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── GetUrlHttpsOnly/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   ├── pass.yaml
    │   │   │   │   │   └── unknown.yaml
    │   │   │   │   ├── PanosIPsecAuthenticationAlgorithms/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosIPsecProtocols/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosInterfaceMgmtProfileNoHTTP/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosInterfaceMgmtProfileNoTelnet/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosPolicyDescription/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosPolicyLogForwarding/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosPolicyLogSessionStart/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosPolicyLoggingEnabled/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosPolicyNoApplicationAny/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosPolicyNoDSRI/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosPolicyNoServiceAny/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosPolicyNoSrcAnyDstAny/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosPolicyNoSrcZoneAnyNoDstZoneAny/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosZoneProtectionProfile/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   ├── PanosZoneUserIDIncludeACL/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   └── pass.yaml
    │   │   │   │   └── UriHttpsOnly/
    │   │   │   │       ├── expected.yaml
    │   │   │   │       ├── fail.yaml
    │   │   │   │       └── pass.yaml
    │   │   │   └── test_yaml_policies.py
    │   │   ├── task/
    │   │   │   ├── __init__.py
    │   │   │   ├── aws/
    │   │   │   │   ├── EC2EBSOptimized/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   ├── pass.yaml
    │   │   │   │   │   └── unknown.yaml
    │   │   │   │   ├── EC2PublicIP/
    │   │   │   │   │   ├── expected.yaml
    │   │   │   │   │   ├── fail.yaml
    │   │   │   │   │   ├── pass.yaml
    │   │   │   │   │   └── unknown.yaml
    │   │   │   │   └── __init__.py
    │   │   │   └── builtin/
    │   │   │       ├── AptAllowUnauthenticated/
    │   │   │       │   ├── expected.yaml
    │   │   │       │   ├── fail.yaml
    │   │   │       │   └── pass.yaml
    │   │   │       ├── AptForce/
    │   │   │       │   ├── expected.yaml
    │   │   │       │   ├── fail.yaml
    │   │   │       │   └── pass.yaml
    │   │   │       ├── GetUrlValidateCerts/
    │   │   │       │   ├── expected.yaml
    │   │   │       │   ├── fail.yaml
    │   │   │       │   └── pass.yaml
    │   │   │       ├── UriValidateCerts/
    │   │   │       │   ├── expected.yaml
    │   │   │       │   ├── fail.yaml
    │   │   │       │   └── pass.yaml
    │   │   │       ├── YumSslVerify/
    │   │   │       │   ├── expected.yaml
    │   │   │       │   ├── fail.yaml
    │   │   │       │   └── pass.yaml
    │   │   │       ├── YumValidateCerts/
    │   │   │       │   ├── expected.yaml
    │   │   │       │   ├── fail.yaml
    │   │   │       │   └── pass.yaml
    │   │   │       └── __init__.py
    │   │   └── test_python_policies.py
    │   ├── examples/
    │   │   ├── blocks.yml
    │   │   ├── empty_tasks.yml
    │   │   ├── k8s_utf16.yaml
    │   │   ├── nested_blocks.yml
    │   │   ├── no_tasks.yml
    │   │   ├── site.yml
    │   │   ├── skip.yml
    │   │   └── tasks.yml
    │   ├── graph_builder/
    │   │   ├── __init__.py
    │   │   └── test_local_graph.py
    │   ├── test_graph_manager.py
    │   ├── test_runner.py
    │   └── test_utils.py
    ├── argo_workflows/
    │   ├── __init__.py
    │   ├── checks/
    │   │   ├── __init__.py
    │   │   └── template/
    │   │       ├── __init__.py
    │   │       ├── example_DefaultServiceAccount/
    │   │       │   ├── fail_default.yaml
    │   │       │   ├── fail_none.yaml
    │   │       │   └── pass.yaml
    │   │       ├── example_RunAsNonRoot/
    │   │       │   ├── fail.yaml
    │   │       │   └── pass.yaml
    │   │       ├── test_DefaultServiceAccount.py
    │   │       └── test_RunAsNonRoot.py
    │   ├── examples/
    │   │   ├── argo_cd_application.yaml
    │   │   ├── hello_world.yaml
    │   │   └── scripts_python.yaml
    │   └── test_runner.py
    ├── arm/
    │   ├── __init__.py
    │   ├── checks/
    │   │   ├── __init__.py
    │   │   ├── parameter/
    │   │   │   ├── __init__.py
    │   │   │   ├── test_SecureStringParameterNoHardcodedValue/
    │   │   │   │   └── test_parameters.json
    │   │   │   └── test_SecureStringParameterNoHardcodedValue.py
    │   │   └── resource/
    │   │       ├── __init__.py
    │   │       ├── example_ACRAdminAccountDisabled/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_ACRAnonymousPullDisabled/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── pass.json
    │   │       │   ├── pass2.json
    │   │       │   ├── pass3.json
    │   │       │   ├── pass4.json
    │   │       │   ├── pass5.json
    │   │       │   └── pass6.json
    │   │       ├── example_ACRContainerScanEnabled/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_ACREnableImageQuarantine/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_ACREnableZoneRedundancy/
    │   │       │   ├── fail1.json
    │   │       │   ├── fail2.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_ACRPublicNetworkAccessDisabled/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AKSApiServerAuthorizedIpRanges/
    │   │       │   ├── aks-authIPRanges-preview-FAILED-3.json
    │   │       │   ├── aks-authIPRanges-preview-FAILED.json
    │   │       │   ├── aks-authIPRanges-preview-PASSED.json
    │   │       │   ├── aks-authIPRanges-supported-FAILED-2.json
    │   │       │   ├── aks-authIPRanges-supported-FAILED.json
    │   │       │   ├── aks-authIPRanges-supported-PASSED.json
    │   │       │   └── aks-authIPRanges-unsupported-FAILED.json
    │   │       ├── example_AKSDashboardDisabled/
    │   │       │   ├── AKSDashboardDisabled-FAILED.json
    │   │       │   ├── AKSDashboardDisabled-FAILED2.json
    │   │       │   ├── AKSDashboardDisabled-FAILED3.json
    │   │       │   ├── AKSDashboardDisabled-FAILED4.json
    │   │       │   └── AKSDashboardDisabled-PASSED.json
    │   │       ├── example_AKSEncryptionAtHostEnabled/
    │   │       │   ├── fail1.json
    │   │       │   ├── fail2.json
    │   │       │   ├── failA1.json
    │   │       │   ├── failA2.json
    │   │       │   ├── pass.json
    │   │       │   └── passA.json
    │   │       ├── example_AKSEphemeralOSDisks/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_AKSLocalAdminDisabled/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_AKSLoggingEnabled/
    │   │       │   ├── AKSLoggingEnabled-FAILED2.json
    │   │       │   ├── aksLoggingEnabled-FAILED.json
    │   │       │   ├── aksLoggingEnabled-FAILED3.json
    │   │       │   └── aksLoggingEnabled-PASSED.json
    │   │       ├── example_AKSMaxPodsMinimum/
    │   │       │   ├── agentPoolProfiles_with_maxPods_fail4.json
    │   │       │   ├── agentPoolProfiles_with_maxPods_pass.json
    │   │       │   ├── agentPoolProfiles_without_maxPods_fail3.json
    │   │       │   ├── properties_with_maxPods_fail2.json
    │   │       │   ├── properties_with_maxPods_pass1.json
    │   │       │   └── properties_without_maxPods_fail.json
    │   │       ├── example_AKSNetworkPolicy/
    │   │       │   ├── aksNetworkPolicy-FAILED.json
    │   │       │   ├── aksNetworkPolicy-FAILED2.json
    │   │       │   ├── aksNetworkPolicy-FAILED3.json
    │   │       │   ├── aksNetworkPolicy-FAILED4.json
    │   │       │   └── aksNetworkPolicy-PASSED.json
    │   │       ├── example_AKSPoolTypeIsScaleSet/
    │   │       │   ├── fail.json
    │   │       │   ├── pass.json
    │   │       │   └── pass1.json
    │   │       ├── example_AKSRbacEnabled/
    │   │       │   ├── aksEnableRbac-FAILED.json
    │   │       │   ├── aksEnableRbac-FAILED2.json
    │   │       │   ├── aksEnableRbac-FAILED3.json
    │   │       │   └── aksEnableRbac-PASSED.json
    │   │       ├── example_AKSUpgradeChannel/
    │   │       │   ├── fail.json
    │   │       │   ├── fail1.json
    │   │       │   └── pass.json
    │   │       ├── example_APIManagementMinTLS12/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_APIManagementPublicAccess/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_APIServicesUseVirtualNetwork/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AkSSecretStoreRotation/
    │   │       │   ├── fail.json
    │   │       │   ├── fail1.json
    │   │       │   └── pass.json
    │   │       ├── example_AppGWDefinesSecureProtocols/
    │   │       │   ├── empty_sslPolicy_fail1.json
    │   │       │   ├── with_policyName_fail3.json
    │   │       │   ├── with_policyName_pass1.json
    │   │       │   ├── with_protocolversion_and_cipher_fail2.json
    │   │       │   ├── with_protocolversion_and_cipher_pass.json
    │   │       │   └── without_sslPolicy_fail.json
    │   │       ├── example_AppGatewayWAFACLCVE202144228/
    │   │       │   ├── empty_disabled_rules_pass.json
    │   │       │   ├── owasp_3_0_fail.json
    │   │       │   ├── owasp_3_1_default_pass.json
    │   │       │   ├── owasp_3_1_disabled_different_pass.json
    │   │       │   ├── owasp_3_1_disabled_fail.json
    │   │       │   ├── owasp_3_2_default_pass.json
    │   │       │   └── version_3_1_default_pass.json
    │   │       ├── example_AppServiceAuthentication/
    │   │       │   ├── appServiceAuthentication-FAILED.json
    │   │       │   ├── appServiceAuthentication-PASSED.json
    │   │       │   └── appServiceAuthentication-PASSED2.json
    │   │       ├── example_AppServiceClientCertificate/
    │   │       │   ├── appServiceClientCertificate-FAILED.json
    │   │       │   ├── appServiceClientCertificate-FAILED2.json
    │   │       │   ├── appServiceClientCertificate-PASSED.json
    │   │       │   └── appServiceClientCertificate-PASSED2.json
    │   │       ├── example_AppServiceDetailedErrorMessagesEnabled/
    │   │       │   ├── AppServiceDetailedErrorMessagesEnabled-failed.json
    │   │       │   ├── AppServiceDetailedErrorMessagesEnabled-failed2.json
    │   │       │   └── AppServiceDetailedErrorMessagesEnabled-passed.json
    │   │       ├── example_AppServiceDisallowCORS/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AppServiceDotnetFrameworkVersion/
    │   │       │   ├── failed.json
    │   │       │   └── passed.json
    │   │       ├── example_AppServiceEnabledFailedRequest/
    │   │       │   ├── AppServiceEnableFailedRequest-failed.json
    │   │       │   └── AppServiceEnableFailedRequest-passed.json
    │   │       ├── example_AppServiceFTPSState/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── fail3.json
    │   │       │   ├── pass.json
    │   │       │   ├── pass2.json
    │   │       │   └── pass3.json
    │   │       ├── example_AppServiceHTTPSOnly/
    │   │       │   ├── appServiceHTTPSOnly-FAILED.json
    │   │       │   ├── appServiceHTTPSOnly-FAILED2.json
    │   │       │   ├── appServiceHTTPSOnly-PASSED.json
    │   │       │   └── appServiceHTTPSOnly-PASSED2.json
    │   │       ├── example_AppServiceHttpLoggingEnabled/
    │   │       │   ├── AppServiceHttpLoggingEnabled-failed.json
    │   │       │   ├── AppServiceHttpLoggingEnabled-failed2.json
    │   │       │   └── AppServiceHttpLoggingEnabled-passed.json
    │   │       ├── example_AppServiceHttps20Enabled/
    │   │       │   ├── appServiceHttps20Enabled-FAILED.json
    │   │       │   ├── appServiceHttps20Enabled-FAILED2.json
    │   │       │   ├── appServiceHttps20Enabled-FAILED3.json
    │   │       │   ├── appServiceHttps20Enabled-PASSED.json
    │   │       │   └── appServiceHttps20Enabled-PASSED2.json
    │   │       ├── example_AppServiceIdentity/
    │   │       │   ├── appServiceIdentity-FAILED.json
    │   │       │   ├── appServiceIdentity-PASSED.json
    │   │       │   └── appServiceIdentity-PASSED2.json
    │   │       ├── example_AppServiceIdentityProviderEnabled/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AppServiceInstanceMinimum/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── pass.json
    │   │       │   ├── pass2.json
    │   │       │   ├── unknown.json
    │   │       │   └── unknown2.json
    │   │       ├── example_AppServiceJavaVersion/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AppServiceMinTLSVersion/
    │   │       │   ├── appServiceMinTLSVersion-FAILED.json
    │   │       │   ├── appServiceMinTLSVersion-FAILED2.json
    │   │       │   ├── appServiceMinTLSVersion-FAILED3.json
    │   │       │   ├── appServiceMinTLSVersion-PASSED.json
    │   │       │   └── appServiceMinTLSVersion-PASSED2.json
    │   │       ├── example_AppServicePHPVersion/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AppServicePlanZoneRedundant/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_AppServicePublicAccessDisabled/
    │   │       │   ├── configFail.json
    │   │       │   ├── configPass.json
    │   │       │   ├── linuxDefault.json
    │   │       │   ├── linuxFail.json
    │   │       │   ├── linuxPass.json
    │   │       │   ├── slotFail.json
    │   │       │   ├── slotPass.json
    │   │       │   ├── windowsDefault.json
    │   │       │   ├── windowsFail.json
    │   │       │   └── windowsPass.json
    │   │       ├── example_AppServicePythonVersion/
    │   │       │   ├── fail.json
    │   │       │   ├── pass.json
    │   │       │   └── unknown.json
    │   │       ├── example_AppServiceRemoteDebuggingNotEnabled/
    │   │       │   ├── fail.json
    │   │       │   ├── pass.json
    │   │       │   └── pass1.json
    │   │       ├── example_AppServiceSetHealthCheck/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_AppServiceSlotDebugDisabled/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_AppServiceSlotHTTPSOnly/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_AppServiceUsedAzureFiles/
    │   │       │   ├── AppServiceEnableFailedRequest-failed.json
    │   │       │   ├── AppServiceEnableFailedRequest-failed2.json
    │   │       │   └── AppServiceUsedAzureFiles-passed.json
    │   │       ├── example_AutomationEncrypted/
    │   │       │   ├── fail.json
    │   │       │   ├── fail1.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureBatchAccountEndpointAccessDefaultAction.py/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureBatchAccountUsesKeyVaultEncryption/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureDataExplorerDoubleEncryptionEnabled/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureDefenderOnKeyVaults/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureDefenderOnKubernetes/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureDefenderOnSqlServersVMS/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureDefenderOnStorage/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureFirewallDenyThreatIntelMode/
    │   │       │   ├── CKV_AZURE_216.fail.json
    │   │       │   ├── CKV_AZURE_216.fail2.json
    │   │       │   └── CKV_AZURE_216.pass.json
    │   │       ├── example_AzureFrontDoorEnablesWAF/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureInstanceExtensions/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureInstancePassword/
    │   │       │   ├── FAILED.json
    │   │       │   ├── PASSED.json
    │   │       │   ├── UNKNOWN.json
    │   │       │   └── UNKNOWN_1.json
    │   │       ├── example_AzureMLWorkspacePrivateEndpoint/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_AzureManagedDiscEncryption/
    │   │       │   ├── azureManagedDiscEncryption-FAILED.json
    │   │       │   ├── azureManagedDiscEncryption-PASSED.json
    │   │       │   ├── azureManagedDiscEncryption-PASSED_2.json
    │   │       │   └── azureManagedDiscEncryption-PASSED_3.json
    │   │       ├── example_AzureManagedDiskEncryptionSet/
    │   │       │   ├── azureManagedDiskEncyptionSet-FAILED.json
    │   │       │   └── azureManagedDiskEncyptionSet-PASSED.json
    │   │       ├── example_AzureScaleSetPassword/
    │   │       │   ├── FAILED.json
    │   │       │   ├── PASSED.json
    │   │       │   └── UNKNOWN.json
    │   │       ├── example_AzureSearchSLAIndex/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureSearchSLAQueryUpdates/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureServiceFabricClusterProtectionLevel/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureSparkPoolIsolatedComputeEnabled/
    │   │       │   ├── fail1.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureSynapseWorkspaceVAisEnabled/
    │   │       │   ├── fail1.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached/
    │   │       │   ├── fail.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_CognitiveServicesConfigureIdentity/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_CognitiveServicesDisablesPublicNetwork/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_CognitiveServicesEnableLocalAuth/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_CosmosDBAccountsRestrictedAccess/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── fail3.json
    │   │       │   ├── fail4.json
    │   │       │   ├── pass.json
    │   │       │   ├── pass2.json
    │   │       │   ├── pass3.json
    │   │       │   └── pass4.json
    │   │       ├── example_CosmosDBDisableAccessKeyWrite/
    │   │       │   ├── CosmosDBDisableAccessKeyWrite-FAILED.json
    │   │       │   └── CosmosDBDisableAccessKeyWrite-PASSED.json
    │   │       ├── example_CosmosDBDisablesPublicNetwork/
    │   │       │   ├── Fail.json
    │   │       │   ├── Fail2.json
    │   │       │   ├── Fail3.json
    │   │       │   └── Pass.json
    │   │       ├── example_CosmosDBHaveCMK/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_CosmosDBLocalAuthDisabled/
    │   │       │   ├── fail.json
    │   │       │   ├── fail1.json
    │   │       │   ├── pass.json
    │   │       │   └── unknown.json
    │   │       ├── example_CustomRoleDefinitionSubscriptionOwner/
    │   │       │   ├── example_customRoleDefinitionSubscriptionOwner-FAILED.json
    │   │       │   └── example_customRoleDefinitionSubscriptionOwner-PASSED.json
    │   │       ├── example_DataExplorerUsesDiskEncryption/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_DataFactoryNoPublicNetworkAccess/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_DataFactoryUsesGitRepository/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── pass.json
    │   │       │   └── unknown.json
    │   │       ├── example_DataLakeStoreEncryption/
    │   │       │   ├── fail.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_DatabricksWorkspaceIsNotPublic/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_EventHubNamespaceMinTLS12/
    │   │       │   ├── fail.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_EventgridTopicIdentityProviderEnabled/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_EventgridTopicLocalAuthentication/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_EventgridTopicNetworkAccess/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_FrontDoorWAFACLCVE202144228/
    │   │       │   ├── fail1.json
    │   │       │   ├── fail3.json
    │   │       │   ├── fail4.json
    │   │       │   ├── pass1.json
    │   │       │   ├── pass2.json
    │   │       │   ├── pass3.json
    │   │       │   └── pass4.json
    │   │       ├── example_FrontdoorUseWAFMode/
    │   │       │   ├── example_FrontdoorUseWAFMode-FAILED.json
    │   │       │   └── example_FrontdoorUseWAFMode-PASSED.json
    │   │       ├── example_FunctionAppDisallowCORS/
    │   │       │   ├── fail.json
    │   │       │   ├── pass.json
    │   │       │   └── pass_with_cors.json
    │   │       ├── example_FunctionAppHttpVersionLatest/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_FunctionAppMinTLSVersion/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── pass.json
    │   │       │   ├── pass2.json
    │   │       │   ├── pass3.json
    │   │       │   └── pass4.json
    │   │       ├── example_FunctionAppsAccessibleOverHttps/
    │   │       │   ├── sites_config_fail.json
    │   │       │   ├── sites_config_pass.json
    │   │       │   ├── sites_config_pass1.json
    │   │       │   ├── sites_fail.json
    │   │       │   ├── sites_fail1.json
    │   │       │   └── sites_pass.json
    │   │       ├── example_FunctionAppsEnableAuthentication/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_KeyBackedByHSM/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_KeyExpirationDate/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_KeyVaultDisablesPublicNetworkAccess/
    │   │       │   ├── fail1.json
    │   │       │   ├── fail2.json
    │   │       │   ├── fail3.json
    │   │       │   ├── fail4.json
    │   │       │   ├── fail5.json
    │   │       │   ├── pass1.json
    │   │       │   ├── pass2.json
    │   │       │   ├── pass3.json
    │   │       │   └── pass4.json
    │   │       ├── example_KeyVaultEnablesFirewallRulesSettings/
    │   │       │   ├── KeyVaultEnablesFirewallRulesSettings-FAILED.json
    │   │       │   └── KeyVaultEnablesFirewallRulesSettings-PASSED.json
    │   │       ├── example_KeyVaultEnablesPurgeProtection/
    │   │       │   ├── fail1.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_KeyVaultEnablesSoftDelete/
    │   │       │   ├── fail.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_KeyvaultRecoveryEnabled/
    │   │       │   ├── keyvaultRecoveryEnabled-FAILED.json
    │   │       │   ├── keyvaultRecoveryEnabled-FAILED2.json
    │   │       │   └── keyvaultRecoveryEnabled-PASSED.json
    │   │       ├── example_LinuxVMUsesSSH/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_MSSQLServerMinTLSVersion/
    │   │       │   ├── fail.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_MariaDBGeoBackupEnabled/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_MariaDBPublicAccessDisabled/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_MariaDBSSLEnforcementEnabled/
    │   │       │   ├── FAILED.json
    │   │       │   ├── FAILED_2.json
    │   │       │   └── PASSED.json
    │   │       ├── example_MonitorLogProfileCategories/
    │   │       │   ├── monitorLogProfileCategories-FAILED.json
    │   │       │   └── monitorLogProfileCategories-PASSED.json
    │   │       ├── example_MonitorLogProfileRetentionDays/
    │   │       │   ├── monitorLogProfileRetentionDays-FAILED.json
    │   │       │   ├── monitorLogProfileRetentionDays-FAILED2.json
    │   │       │   └── monitorLogProfileRetentionDays-PASSED.json
    │   │       ├── example_MySQLEncryptionEnabled/
    │   │       │   ├── fail.json
    │   │       │   ├── pass.json
    │   │       │   └── unknown.json
    │   │       ├── example_MySQLGeoBackupEnabled/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_MySQLServerMinTLSVersion/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_MySQLServerSSLEnforcementEnabled/
    │   │       │   ├── mysqlSSLEnforcementEnabled-FAILED.json
    │   │       │   ├── mysqlSSLEnforcementEnabled-FAILED2.json
    │   │       │   └── mysqlSSLEnforcementEnabled-PASSED.json
    │   │       ├── example_NSGRuleHTTPAccessRestricted/
    │   │       │   ├── NSGRulePortAccessRestricted-FAILED.json
    │   │       │   ├── NSGRulePortAccessRestricted-RULE-1Pass-1Fail.json
    │   │       │   └── NSGRulePortAccessRestricted-RULE-PASSED.json
    │   │       ├── example_NSGRuleRDPAccessRestricted/
    │   │       │   ├── NSGRulePortAccessRestricted-FAILED.json
    │   │       │   ├── NSGRulePortAccessRestricted-RULE-1Pass-1Fail.json
    │   │       │   └── NSGRulePortAccessRestricted-RULE-PASSED.json
    │   │       ├── example_NSGRuleSSHAccessRestricted/
    │   │       │   ├── NSGRulePortAccessRestricted-FAILED.json
    │   │       │   ├── NSGRulePortAccessRestricted-RULE-1Pass-1Fail.json
    │   │       │   └── NSGRulePortAccessRestricted-RULE-PASSED.json
    │   │       ├── example_NetworkWatcherFlowLogPeriod/
    │   │       │   ├── networkWatcherFlowLogPeriod-FAILED.json
    │   │       │   ├── networkWatcherFlowLogPeriod-FAILED2.json
    │   │       │   ├── networkWatcherFlowLogPeriod-FAILED3.json
    │   │       │   ├── networkWatcherFlowLogPeriod-FAILED4.json
    │   │       │   └── networkWatcherFlowLogPeriod-PASSED.json
    │   │       ├── example_PostgreSQLEncryptionEnabled/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_PostgreSQLServerConnectionThrottlingEnabled/
    │   │       │   ├── postgreSQL-ConnectionThrottlingEnabled-FAILED.json
    │   │       │   ├── postgreSQL-ConnectionThrottlingEnabled-PASSED.json
    │   │       │   └── postgreSQL-ConnectionThrottlingEnabled-PASSED2.json
    │   │       ├── example_PostgreSQLServerLogCheckpointsEnabled/
    │   │       │   ├── postgreSQL-LogCheckpointsEnabled-FAILED.json
    │   │       │   ├── postgreSQL-LogCheckpointsEnabled-PASSED.json
    │   │       │   └── postgreSQL-LogCheckpointsEnabled-PASSED2.json
    │   │       ├── example_PostgreSQLServerLogConnectionsEnabled/
    │   │       │   ├── postgreSQL-LogConnectionsEnabled-FAILED.json
    │   │       │   ├── postgreSQL-LogConnectionsEnabled-PASSED.json
    │   │       │   └── postgreSQL-LogConnectionsEnabled-PASSED2.json
    │   │       ├── example_PostgreSQLServerPublicAccessDisable/
    │   │       │   ├── fail1.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_PostgreSQLServerSSLEnforcementEnabled/
    │   │       │   ├── postgreSQL-SSL-FAILED.json
    │   │       │   ├── postgreSQL-SSL-FAILED2.json
    │   │       │   └── postgreSQL-SSL-PASSED.json
    │   │       ├── example_PostgressSQLGeoBackupEnabled/
    │   │       │   ├── fail1.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_PubsubSKUSLA/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_PubsubSpecifyIdentity/
    │   │       │   ├── fail.json
    │   │       │   ├── pass.json
    │   │       │   └── pass2.json
    │   │       ├── example_RedisCachePublicNetworkAccessEnabled/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_SQLDatabaseZoneRedundant/
    │   │       │   ├── fail.json
    │   │       │   ├── fail2.json
    │   │       │   └── pass.json
    │   │       ├── example_SQLServerAuditingEnabled/
    │   │       │   ├── sqlServerAuditingEnabled-PASSED.json
    │   │       │   ├── sqlServerAuditingEnabled-TDE-FAILED.json
    │   │       │   └── sqlServerDatabaseAuditingEnabled-PASSED.json
    │   │       ├── example_SQLServerAuditingRetention90Days/
    │   │       │   ├── sqlServerAuditingRetention90Days-2021-05-PASSED.json
    │   │       │   ├── sqlServerAuditingRetention90Days-FAILED2.json
    │   │       │   ├── sqlServerAuditingRetention90Days-FAILED3.json
    │   │       │   ├── sqlServerAuditingRetention90Days-PASSED.json
    │   │       │   ├── sqlServerAuditingRetention90Days-PASSED2.json
    │   │       │   └── sqlServerAuditingRetention90Days-TDE-FAILED.json
    │   │       ├── example_SQLServerEmailAlertsEnabled/
    │   │       │   ├── sqlServerEmailAlertsEnabled-FAILED.json
    │   │       │   └── sqlServerEmailAlertsEnabled-PASSED.json
    │   │       ├── example_SQLServerEmailAlertsToAdminsEnabled/
    │   │       │   ├── sqlServerEmailAlertsToAdminsEnabled-FAILED.json
    │   │       │   └── sqlServerEmailAlertsToAdminsEnabled-PASSED.json
    │   │       ├── example_SQLServerHasPublicAccessDisabled/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_SQLServerNoPublicAccess/
    │   │       │   ├── sqlServerNoPublicAccess-TDE-FAILED.json
    │   │       │   └── sqlServerNoPublicAccess-TDE-PASSED.json
    │   │       ├── example_SQLServerThreatDetectionTypes/
    │   │       │   ├── sqlServerThreatDetectionTypes-FAILED.json
    │   │       │   ├── sqlServerThreatDetectionTypes-PASSED.json
    │   │       │   └── sqlServerThreatDetectionTypes-PASSED2.json
    │   │       ├── example_SQLServerUsesADAuth/
    │   │       │   ├── fail.json
    │   │       │   └── pass.json
    │   │       ├── example_SecretContentType/
    │   │       │   ├── SecretExpirationDate-FAILED.json
    │   │       │   └── SecretExpirationDate-PASSED.json
    │   │       ├── example_SecretExpirationDate/
    │   │       │   ├── SecretExpirationDate-FAILED.json
    │   │       │   └── SecretExpirationDate-PASSED.json
    │   │       ├── example_SecurityCenter/
    │   │       │   ├── securityCenter-FAILED.json
    │   │       │   └── securityCenter-PASSED.json
    │   │       ├── example_SkipJsonRegex/
    │   │       │   ├── skip1.json
    │   │       │   ├── skip2/
    │   │       │   │   ├── skip1.json
    │   │       │   │   └── skip2.json
    │   │       │   └── skip2.json
    │   │       ├── example_StorageAccountAzureServicesAccessEnabled/
    │   │       │   ├── storageAccountAzureServicesAccessEnabled-FAILED.json
    │   │       │   ├── storageAccountAzureServicesAccessEnabled-FAILED2.json
    │   │       │   ├── storageAccountAzureServicesAccessEnabled-PASSED.json
    │   │       │   ├── storageAccountAzureServicesAccessEnabled-PASSED2.json
    │   │       │   ├── storageAccountAzureServicesAccessEnabled-UNKNOWN.json
    │   │       │   └── storageAccountAzureServicesAccessEnabled-VARIABLE.json
    │   │       ├── example_StorageAccountDefaultNetworkAccessDeny/
    │   │       │   ├── storageAccountDefaultNetworkAccessDeny-FAILED.json
    │   │       │   ├── storageAccountDefaultNetworkAccessDeny-FAILED2.json
    │   │       │   ├── storageAccountDefaultNetworkAccessDeny-PASSED.json
    │   │       │   ├── storageAccountDefaultNetworkAccessDeny-PASSED2.json
    │   │       │   └── storageAccountDefaultNetworkAccessDeny-UNKNOWN.json
    │   │       ├── example_StorageAccountDisablePublicAccess/
    │   │       │   ├── FAILED.json
    │   │       │   ├── PASSED.json
    │   │       │   └── PASSED_2.json
    │   │       ├── example_StorageAccountLoggingQueueServiceEnabled/
    │   │       │   ├── exampleStorageAccountLoggingQueueServiceEnabled-Failed.json
    │   │       │   ├── exampleStorageAccountLoggingQueueServiceEnabled-Failed2.json
    │   │       │   └── exampleStorageAccountLoggingQueueServiceEnabled-PASSED.json
    │   │       ├── example_StorageAccountMinimumTlsVersion/
    │   │       │   ├── exampleStorageAccountMinimumTlsVersion-fail1.json
    │   │       │   ├── exampleStorageAccountMinimumTlsVersion-fail2.json
    │   │       │   ├── exampleStorageAccountMinimumTlsVersion-fail3.json
    │   │       │   └── exampleStorageAccountMinimumTlsVersion-passed.json
    │   │       ├── example_StorageAccountName/
    │   │       │   ├── camelCase.json
    │   │       │   ├── kebabCase.json
    │   │       │   ├── pass.json
    │   │       │   ├── passNumber.json
    │   │       │   ├── substring.bicep
    │   │     
SYMBOL INDEX (16106 symbols across 4134 files)

FILE: cdk_integration_tests/src/python/ALBDropHttpHeaders/fail__1__.py
  class MyALBStack (line 4) | class MyALBStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ALBDropHttpHeaders/pass.py
  class MyALBStack (line 4) | class MyALBStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ALBListenerHTTPS/fail__1__.py
  class MyListenerStack (line 4) | class MyListenerStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ALBListenerHTTPS/pass.py
  class MyListenerStack (line 4) | class MyListenerStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    method __init__ (line 22) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyListenerStack (line 21) | class MyListenerStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    method __init__ (line 22) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/APIGatewayAccessLogging/fail__2__.py
  class ServerlessApiWithAccessLogStack (line 48) | class ServerlessApiWithAccessLogStack(core.Stack):
    method __init__ (line 50) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/APIGatewayAccessLogging/pass.py
  class ServerlessApiWithAccessLogStack (line 51) | class ServerlessApiWithAccessLogStack(core.Stack):
    method __init__ (line 53) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/APIGatewayAuthorization/fail__1__.py
  class MyApiGatewayMethodStack (line 4) | class MyApiGatewayMethodStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/APIGatewayAuthorization/pass.py
  class MyApiGatewayMethodStack (line 4) | class MyApiGatewayMethodStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/APIGatewayCacheEnable/fail__2__.py
  class MyApiGatewayStack (line 4) | class MyApiGatewayStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MySAMApiStack2 (line 23) | class MySAMApiStack2(core.Stack):
    method __init__ (line 25) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/APIGatewayCacheEnable/pass.py
  class MyApiGatewayStack (line 4) | class MyApiGatewayStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MySAMApiStack2 (line 25) | class MySAMApiStack2(core.Stack):
    method __init__ (line 27) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/APIGatewayV2AccessLogging/fail__2__.py
  class MyApiGatewayV2StageStack (line 4) | class MyApiGatewayV2StageStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyServerlessHttpApiStack2 (line 23) | class MyServerlessHttpApiStack2(core.Stack):
    method __init__ (line 24) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/APIGatewayV2AccessLogging/pass.py
  class MyApiGatewayV2StageStack (line 4) | class MyApiGatewayV2StageStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyServerlessHttpApiStack2 (line 27) | class MyServerlessHttpApiStack2(core.Stack):
    method __init__ (line 28) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/APIGatewayXray/fail__2__.py
  class MyApiGatewayStageStack (line 5) | class MyApiGatewayStageStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyServerlessApiStack (line 22) | class MyServerlessApiStack(core.Stack):
    method __init__ (line 23) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/APIGatewayXray/pass.py
  class MyApiGatewayStageStack (line 5) | class MyApiGatewayStageStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyServerlessApiStack (line 22) | class MyServerlessApiStack(core.Stack):
    method __init__ (line 23) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/AmazonMQBrokerPublicAccess/fail__1__.py
  class AmazonMQStack (line 4) | class AmazonMQStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/AmazonMQBrokerPublicAccess/pass.py
  class AmazonMQStack (line 4) | class AmazonMQStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/AppSyncFieldLevelLogs/fail__1__.py
  class AppSyncStack (line 4) | class AppSyncStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/AppSyncFieldLevelLogs/pass.py
  class AppSyncStack (line 4) | class AppSyncStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/AppSyncLogging/fail__1__.py
  class AppSyncStack (line 4) | class AppSyncStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/AppSyncLogging/pass.py
  class AppSyncStack (line 4) | class AppSyncStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/AthenaWorkgroupConfiguration/fail__1__.py
  class AthenaStack (line 4) | class AthenaStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/AthenaWorkgroupConfiguration/pass.py
  class AthenaStack (line 4) | class AthenaStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/AuroraEncryption/fail__1__.py
  class MyDBClusterStack (line 4) | class MyDBClusterStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/AuroraEncryption/pass.py
  class MyDBClusterStack (line 4) | class MyDBClusterStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/BackupVaultEncrypted/fail__1__.py
  class MyBackupStack (line 4) | class MyBackupStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/BackupVaultEncrypted/pass.py
  class MyBackupStack (line 4) | class MyBackupStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/CloudFrontTLS12/fail__2__.py
  class MyCloudFrontDistributionStack (line 4) | class MyCloudFrontDistributionStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyCloudFrontDistributionStack2 (line 23) | class MyCloudFrontDistributionStack2(core.Stack):
    method __init__ (line 24) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/CloudFrontTLS12/pass.py
  class MyCloudFrontDistributionStack (line 4) | class MyCloudFrontDistributionStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/CloudTrailLogValidation/fail__1__.py
  class CloudTrailStack (line 5) | class CloudTrailStack(core.Stack):
    method __init__ (line 7) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/CloudTrailLogValidation/pass.py
  class CloudTrailStack (line 5) | class CloudTrailStack(core.Stack):
    method __init__ (line 7) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/CloudWatchLogGroupKMSKey/fail__1__.py
  class MyBadLogGroupStack (line 4) | class MyBadLogGroupStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/CloudWatchLogGroupKMSKey/pass.py
  class MyLogGroupStack (line 4) | class MyLogGroupStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/CloudWatchLogGroupRetention/fail__1__.py
  class MyLogGroupStack (line 4) | class MyLogGroupStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/CloudWatchLogGroupRetention/pass.py
  class MyLogGroupStack (line 4) | class MyLogGroupStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/CloudfrontDistributionEncryption/fail__2__.py
  class MyCloudFrontDistributionStack (line 4) | class MyCloudFrontDistributionStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyCloudFrontDistributionStack2 (line 23) | class MyCloudFrontDistributionStack2(core.Stack):
    method __init__ (line 24) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/CloudfrontDistributionEncryption/pass.py
  class MyCloudFrontDistributionStack (line 4) | class MyCloudFrontDistributionStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyCloudFrontDistributionStack2 (line 23) | class MyCloudFrontDistributionStack2(core.Stack):
    method __init__ (line 24) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/CloudfrontDistributionLogging/fail__1__.py
  class MyCloudFrontDistributionStack (line 4) | class MyCloudFrontDistributionStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/CloudfrontDistributionLogging/pass.py
  class MyCloudFrontDistributionStack (line 4) | class MyCloudFrontDistributionStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/CloudtrailEncryption/fail__1__.py
  class MyCloudTrailTrailStack (line 4) | class MyCloudTrailTrailStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/CloudtrailEncryption/pass.py
  class MyCloudTrailTrailStack (line 4) | class MyCloudTrailTrailStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/CloudtrailMultiRegion/fail__1__.py
  class MyCloudTrailStack (line 4) | class MyCloudTrailStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/CloudtrailMultiRegion/pass.py
  class MyCloudTrailStack (line 4) | class MyCloudTrailStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/CodeBuildProjectEncryption/fail__1__.py
  class MyCodeBuildProjectStack (line 4) | class MyCodeBuildProjectStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/CodeBuildProjectEncryption/pass.py
  class MyCodeBuildProjectStack (line 4) | class MyCodeBuildProjectStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyCodeBuildProjectStack2 (line 24) | class MyCodeBuildProjectStack2(core.Stack):
    method __init__ (line 25) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/DAXEncryption/fail__1__.py
  class DAXClusterStack (line 4) | class DAXClusterStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/DAXEncryption/pass.py
  class DAXClusterStack (line 4) | class DAXClusterStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/DMSReplicationInstancePubliclyAccessible/fail__1__.py
  class MyDMSReplicationInstanceStack (line 4) | class MyDMSReplicationInstanceStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/DMSReplicationInstancePubliclyAccessible/pass.py
  class MyDMSReplicationInstanceStack (line 4) | class MyDMSReplicationInstanceStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/DocDBAuditLogs/fail__1__.py
  class DocDBStack (line 4) | class DocDBStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/DocDBAuditLogs/pass.py
  class DocDBStack (line 4) | class DocDBStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/DocDBEncryption/fail__1__.py
  class MyDocDBClusterStack (line 4) | class MyDocDBClusterStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/DocDBEncryption/pass.py
  class MyDocDBClusterStack (line 4) | class MyDocDBClusterStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/DocDBTLS/fail__1__.py
  class MyDocDBParameterGroupStack (line 4) | class MyDocDBParameterGroupStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/DocDBTLS/pass.py
  class MyDocDBParameterGroupStack (line 4) | class MyDocDBParameterGroupStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/DynamodbGlobalTableRecovery/fail__1__.py
  class DynamoDBGlobalTableStack (line 4) | class DynamoDBGlobalTableStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/DynamodbGlobalTableRecovery/pass.py
  class DynamoDBGlobalTableStack (line 4) | class DynamoDBGlobalTableStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/DynamodbRecovery/fail__1__.py
  class MyDynamoDBStack (line 4) | class MyDynamoDBStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/DynamodbRecovery/pass.py
  class MyDynamoDBStack (line 4) | class MyDynamoDBStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/EBSEncryption/fail__1__.py
  class MyVolumeStack (line 4) | class MyVolumeStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/EBSEncryption/pass.py
  class MyVolumeStack (line 4) | class MyVolumeStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/EC2PublicIP/fail__2__.py
  class MyEC2InstanceStack (line 4) | class MyEC2InstanceStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyEC2LaunchTemplateStack (line 29) | class MyEC2LaunchTemplateStack(core.Stack):
    method __init__ (line 30) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/EC2PublicIP/pass.py
  class MyEC2InstanceStack (line 4) | class MyEC2InstanceStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyEC2LaunchTemplateStack (line 31) | class MyEC2LaunchTemplateStack(core.Stack):
    method __init__ (line 32) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ECRImageScanning/fail__1__.py
  class MyECRStack (line 4) | class MyECRStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ECRImageScanning/pass.py
  class MyECRStack (line 4) | class MyECRStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ECRImmutableTags/fail__1__.py
  class MyECRStack (line 4) | class MyECRStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ECRImmutableTags/pass.py
  class MyECRStack (line 4) | class MyECRStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ECRRepositoryEncrypted/fail__1__.py
  class MyECRRepositoryStack (line 4) | class MyECRRepositoryStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ECRRepositoryEncrypted/pass.py
  class MyECRRepositoryStack (line 4) | class MyECRRepositoryStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ECSClusterContainerInsights/fail__1__.py
  class MyECSClusterStack (line 6) | class MyECSClusterStack(core.Stack):
    method __init__ (line 7) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ECSClusterContainerInsights/pass.py
  class MyECSClusterStack (line 6) | class MyECSClusterStack(core.Stack):
    method __init__ (line 7) | def __init__(self, scope: Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ECSTaskDefinitionEFSVolumeEncryption/fail__1__.py
  class MyECSTaskDefinitionStack (line 4) | class MyECSTaskDefinitionStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ECSTaskDefinitionEFSVolumeEncryption/pass.py
  class MyECSTaskDefinitionStack (line 4) | class MyECSTaskDefinitionStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/EFSEncryptionEnabled/fail__1__.py
  class EfsStack (line 4) | class EfsStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/EFSEncryptionEnabled/pass.py
  class EfsStack (line 4) | class EfsStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/EKSSecretsEncryption/fail__1__.py
  class MyEKSClusterStack (line 4) | class MyEKSClusterStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/EKSSecretsEncryption/pass.py
  class MyEKSClusterStack (line 4) | class MyEKSClusterStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ELBAccessLogs/fail__1__.py
  class MyLoadBalancerStack (line 4) | class MyLoadBalancerStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ELBAccessLogs/pass.py
  class MyLoadBalancerStack (line 4) | class MyLoadBalancerStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ELBv2AccessLogs/fail__2__.py
  class MyALBWithAccessLogs (line 4) | class MyALBWithAccessLogs(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyALBWithAccessLogs2 (line 24) | class MyALBWithAccessLogs2(core.Stack):
    method __init__ (line 25) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ELBv2AccessLogs/pass.py
  class MyALBWithAccessLogs (line 4) | class MyALBWithAccessLogs(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtRest/fail__1__.py
  class ElastiCacheReplicationGroupStack (line 4) | class ElastiCacheReplicationGroupStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtRest/pass.py
  class ElastiCacheReplicationGroupStack (line 4) | class ElastiCacheReplicationGroupStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransit/fail__1__.py
  class ElastiCacheReplicationGroupStack (line 4) | class ElastiCacheReplicationGroupStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransit/pass.py
  class ElastiCacheReplicationGroupStack (line 4) | class ElastiCacheReplicationGroupStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/fail__2__.py
  class MyElastiCacheReplicationGroupStack (line 4) | class MyElastiCacheReplicationGroupStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyElastiCacheReplicationGroupStack2 (line 26) | class MyElastiCacheReplicationGroupStack2(core.Stack):
    method __init__ (line 27) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass.py
  class MyElastiCacheReplicationGroupStack (line 4) | class MyElastiCacheReplicationGroupStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ElasticsearchDomainEnforceHTTPS/fail__1__.py
  class ElasticsearchStack (line 4) | class ElasticsearchStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ElasticsearchDomainEnforceHTTPS/pass.py
  class ElasticsearchStack (line 4) | class ElasticsearchStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ElasticsearchDomainLogging/fail__2__.py
  class MyElasticsearchDomainStack (line 5) | class MyElasticsearchDomainStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyOpenSearchDomainStack (line 30) | class MyOpenSearchDomainStack(core.Stack):
    method __init__ (line 31) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ElasticsearchDomainLogging/pass.py
  class MyElasticsearchDomainStack (line 5) | class MyElasticsearchDomainStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyOpenSearchDomainStack (line 30) | class MyOpenSearchDomainStack(core.Stack):
    method __init__ (line 31) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ElasticsearchEncryption/fail__1__.py
  class MyElasticsearchDomainStack (line 4) | class MyElasticsearchDomainStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ElasticsearchEncryption/pass.py
  class MyElasticsearchDomainStack (line 4) | class MyElasticsearchDomainStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ElasticsearchNodeToNodeEncryption/fail__1__.py
  class MyElasticsearchDomainStack (line 4) | class MyElasticsearchDomainStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/ElasticsearchNodeToNodeEncryption/pass.py
  class MyElasticsearchDomainStack (line 4) | class MyElasticsearchDomainStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/GlueDataCatalogEncryption/fail__2__.py
  class MyGlueDataCatalogEncryptionSettingsStack (line 4) | class MyGlueDataCatalogEncryptionSettingsStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyGlueDataCatalogEncryptionSettingsStack2 (line 25) | class MyGlueDataCatalogEncryptionSettingsStack2(core.Stack):
    method __init__ (line 26) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/GlueDataCatalogEncryption/pass.py
  class MyGlueDataCatalogEncryptionSettingsStack (line 4) | class MyGlueDataCatalogEncryptionSettingsStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/GlueSecurityConfiguration/fail__2__.py
  class MyGlueSecurityConfigurationStack (line 4) | class MyGlueSecurityConfigurationStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyGlueSecurityConfigurationStack2 (line 30) | class MyGlueSecurityConfigurationStack2(core.Stack):
    method __init__ (line 31) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/GlueSecurityConfiguration/pass.py
  class MyGlueSecurityConfigurationStack (line 4) | class MyGlueSecurityConfigurationStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/GlueSecurityConfigurationEnabled/fail__3__.py
  class GlueCrawlerStack (line 4) | class GlueCrawlerStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class GlueDevEndpointStack (line 29) | class GlueDevEndpointStack(core.Stack):
    method __init__ (line 31) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class GlueJobStack (line 47) | class GlueJobStack(core.Stack):
    method __init__ (line 49) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/GlueSecurityConfigurationEnabled/pass.py
  class GlueCrawlerStack (line 5) | class GlueCrawlerStack(core.Stack):
    method __init__ (line 7) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class GlueDevEndpointStack (line 31) | class GlueDevEndpointStack(core.Stack):
    method __init__ (line 33) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class GlueJobStack (line 53) | class GlueJobStack(core.Stack):
    method __init__ (line 55) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/IAMPolicyAttachedToGroupOrRoles/fail__1__.py
  class IAMStack (line 4) | class IAMStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/IAMPolicyAttachedToGroupOrRoles/pass.py
  class IAMStack (line 4) | class IAMStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/KinesisStreamEncryptionType/fail__1__.py
  class KinesisStreamStack (line 4) | class KinesisStreamStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/KinesisStreamEncryptionType/pass.py
  class KinesisStreamStack (line 4) | class KinesisStreamStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/LambdaDLQConfigured/fail__2__.py
  class MyLambdaStack (line 5) | class MyLambdaStack(core.Stack):
    method __init__ (line 7) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MySAMLambdaStack (line 29) | class MySAMLambdaStack(core.Stack):
    method __init__ (line 31) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/LambdaDLQConfigured/pass.py
  class MyLambdaStack (line 5) | class MyLambdaStack(core.Stack):
    method __init__ (line 7) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MySAMLambdaStack (line 30) | class MySAMLambdaStack(core.Stack):
    method __init__ (line 32) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/LambdaEnvironmentCredentials/fail__2__.py
  class MyLambdaFunctionStack (line 5) | class MyLambdaFunctionStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyServerlessFunctionStack (line 25) | class MyServerlessFunctionStack(core.Stack):
    method __init__ (line 26) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/LambdaEnvironmentCredentials/pass.py
  class MyLambdaFunctionStack (line 5) | class MyLambdaFunctionStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyServerlessFunctionStack (line 25) | class MyServerlessFunctionStack(core.Stack):
    method __init__ (line 26) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/LambdaEnvironmentEncryptionSettings/fail__2__.py
  class MyLambdaFunctionStack (line 4) | class MyLambdaFunctionStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyServerlessFunctionStack (line 25) | class MyServerlessFunctionStack(core.Stack):
    method __init__ (line 26) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/LambdaEnvironmentEncryptionSettings/pass.py
  class MyLambdaFunctionStack (line 4) | class MyLambdaFunctionStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyServerlessFunctionStack (line 26) | class MyServerlessFunctionStack(core.Stack):
    method __init__ (line 27) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/LambdaFunctionLevelConcurrentExecutionLimit/fail__2__.py
  class MyLambdaStack (line 5) | class MyLambdaStack(core.Stack):
    method __init__ (line 7) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyLambdaStack2 (line 20) | class MyLambdaStack2(core.Stack):
    method __init__ (line 22) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/LambdaFunctionLevelConcurrentExecutionLimit/pass.py
  class MyLambdaStack (line 5) | class MyLambdaStack(core.Stack):
    method __init__ (line 7) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyLambdaStack2 (line 21) | class MyLambdaStack2(core.Stack):
    method __init__ (line 23) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/LambdaInVPC/fail__2__.py
  class MyLambdaStack (line 6) | class MyLambdaStack(core.Stack):
    method __init__ (line 8) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MySAMLambdaStack2 (line 23) | class MySAMLambdaStack2(core.Stack):
    method __init__ (line 25) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/LambdaInVPC/pass.py
  class MyLambdaStack (line 6) | class MyLambdaStack(core.Stack):
    method __init__ (line 8) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MySAMLambdaStack2 (line 31) | class MySAMLambdaStack2(core.Stack):
    method __init__ (line 33) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/LaunchConfigurationEBSEncryption/fail__1__.py
  class MyAutoScalingLaunchConfig (line 4) | class MyAutoScalingLaunchConfig(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/LaunchConfigurationEBSEncryption/pass.py
  class MyAutoScalingLaunchConfig (line 4) | class MyAutoScalingLaunchConfig(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    method __init__ (line 27) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyAutoScalingLaunchConfig (line 26) | class MyAutoScalingLaunchConfig(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    method __init__ (line 27) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/NeptuneClusterStorageEncrypted/fail__2__.py
  class MyNeptuneStack (line 4) | class MyNeptuneStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyNeptuneStack2 (line 22) | class MyNeptuneStack2(core.Stack):
    method __init__ (line 24) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/NeptuneClusterStorageEncrypted/pass.py
  class MyNeptuneStack (line 4) | class MyNeptuneStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyNeptuneStack2 (line 22) | class MyNeptuneStack2(core.Stack):
    method __init__ (line 24) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/RDSEnhancedMonitorEnabled/fail__1__.py
  class RDSStack (line 4) | class RDSStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/RDSEnhancedMonitorEnabled/pass.py
  class RDSStack (line 4) | class RDSStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/RDSMultiAZEnabled/fail__1__.py
  class MyDBInstanceStack (line 4) | class MyDBInstanceStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/RDSMultiAZEnabled/pass.py
  class MyDBInstanceStack (line 4) | class MyDBInstanceStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/RDSPubliclyAccessible/fail__1__.py
  class RDSStack (line 4) | class RDSStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/RDSPubliclyAccessible/pass.py
  class RDSStack (line 4) | class RDSStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/RedShiftSSL/fail__2__.py
  class MyRedshiftClusterParameterGroupStack (line 4) | class MyRedshiftClusterParameterGroupStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyRedshiftClusterParameterGroupStack2 (line 26) | class MyRedshiftClusterParameterGroupStack2(core.Stack):
    method __init__ (line 27) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/RedShiftSSL/pass.py
  class MyRedshiftClusterParameterGroupStack (line 4) | class MyRedshiftClusterParameterGroupStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    method __init__ (line 28) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    method __init__ (line 51) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    method __init__ (line 71) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyRedshiftClusterParameterGroupStack (line 27) | class MyRedshiftClusterParameterGroupStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    method __init__ (line 28) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    method __init__ (line 51) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    method __init__ (line 71) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyRedshiftClusterParameterGroupStack (line 50) | class MyRedshiftClusterParameterGroupStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    method __init__ (line 28) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    method __init__ (line 51) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    method __init__ (line 71) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyRedshiftClusterParameterGroupStack (line 70) | class MyRedshiftClusterParameterGroupStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    method __init__ (line 28) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    method __init__ (line 51) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    method __init__ (line 71) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/RedshiftClusterEncryption/fail__1__.py
  class RedshiftClusterStack (line 4) | class RedshiftClusterStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/RedshiftClusterEncryption/pass.py
  class RedshiftClusterStack (line 4) | class RedshiftClusterStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/RedshiftClusterLogging/fail__1__.py
  class MyRedshiftClusterStack (line 4) | class MyRedshiftClusterStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/RedshiftClusterLogging/pass.py
  class MyRedshiftClusterStack (line 4) | class MyRedshiftClusterStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/RedshiftClusterPubliclyAccessible/fail__1__.py
  class RedshiftStack (line 4) | class RedshiftStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/RedshiftClusterPubliclyAccessible/pass.py
  class RedshiftStack (line 4) | class RedshiftStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/RedshiftInEc2ClassicMode/fail__1__.py
  class MyRedshiftClusterStack (line 4) | class MyRedshiftClusterStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/RedshiftInEc2ClassicMode/pass.py
  class MyRedshiftClusterStack (line 4) | class MyRedshiftClusterStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/S3BlockPublicACLs/fail__2__.py
  class S3BucketWithBlockPublicAclsStack (line 4) | class S3BucketWithBlockPublicAclsStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    method __init__ (line 21) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class S3BucketWithBlockPublicAclsStack (line 19) | class S3BucketWithBlockPublicAclsStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    method __init__ (line 21) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/S3BlockPublicACLs/pass.py
  class S3BucketWithBlockPublicAclsStack (line 4) | class S3BucketWithBlockPublicAclsStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    method __init__ (line 28) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class S3BucketWithBlockPublicAclsStack (line 26) | class S3BucketWithBlockPublicAclsStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    method __init__ (line 28) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/S3BlockPublicPolicy/fail__2__.py
  class MyS3Stack (line 7) | class MyS3Stack(Stack):
    method __init__ (line 9) | def __init__(self, scope: Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/S3BlockPublicPolicy/pass.py
  class MyS3Stack (line 8) | class MyS3Stack(Stack):
    method __init__ (line 10) | def __init__(self, scope: Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/S3BucketEncryption/fail__2__.py
  class AppStack (line 4) | class AppStack(Stack):
    method __init__ (line 5) | def __init__(self, app: App, id: str) -> None:

FILE: cdk_integration_tests/src/python/S3BucketEncryption/pass.py
  class AppStack (line 4) | class AppStack(Stack):
    method __init__ (line 5) | def __init__(self, app: App, id: str) -> None:

FILE: cdk_integration_tests/src/python/S3BucketKMSEncryption/fail__3__.py
  class AppStack (line 4) | class AppStack(Stack):
    method __init__ (line 5) | def __init__(self, app: App, id: str) -> None:

FILE: cdk_integration_tests/src/python/S3BucketKMSEncryption/pass.py
  class AppStack (line 4) | class AppStack(Stack):
    method __init__ (line 5) | def __init__(self, app: App, id: str) -> None:

FILE: cdk_integration_tests/src/python/S3BucketLogging/fail.py
  class AppStack (line 4) | class AppStack(Stack):
    method __init__ (line 5) | def __init__(self, app: App, id: str) -> None:

FILE: cdk_integration_tests/src/python/S3BucketLogging/pass.py
  class AppStack (line 4) | class AppStack(Stack):
    method __init__ (line 5) | def __init__(self, app: App, id: str) -> None:

FILE: cdk_integration_tests/src/python/S3BucketPublicAccessBlock/fail.py
  class AppStack (line 4) | class AppStack(Stack):
    method __init__ (line 5) | def __init__(self, app: App, id: str) -> None:

FILE: cdk_integration_tests/src/python/S3BucketPublicAccessBlock/pass.py
  class AppStack (line 4) | class AppStack(Stack):
    method __init__ (line 5) | def __init__(self, app: App, id: str) -> None:

FILE: cdk_integration_tests/src/python/S3BucketVersioning/fail__2__.py
  class AppStack (line 4) | class AppStack(Stack):
    method __init__ (line 5) | def __init__(self, app: App, id: str) -> None:

FILE: cdk_integration_tests/src/python/S3BucketVersioning/pass.py
  class AppStack (line 4) | class AppStack(Stack):
    method __init__ (line 5) | def __init__(self, app: App, id: str) -> None:

FILE: cdk_integration_tests/src/python/S3IgnorePublicACLs/fail__2__.py
  class MyStack (line 7) | class MyStack(Stack):
    method __init__ (line 9) | def __init__(self, scope: Construct, id: str, **kwargs):

FILE: cdk_integration_tests/src/python/S3IgnorePublicACLs/pass.py
  class MyStac2 (line 8) | class MyStac2(Stack):
    method __init__ (line 10) | def __init__(self, scope: Construct, id: str, **kwargs):

FILE: cdk_integration_tests/src/python/S3PublicACLRead/fail__3__.py
  class MyS3Stack (line 8) | class MyS3Stack(Stack):
    method __init__ (line 10) | def __init__(self, scope: Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/S3PublicACLRead/pass.py
  class MyS3Stack (line 8) | class MyS3Stack(Stack):
    method __init__ (line 10) | def __init__(self, scope: Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/S3PublicACLWrite/fail__2__.py
  class MyS3Stack (line 8) | class MyS3Stack(Stack):
    method __init__ (line 10) | def __init__(self, scope: Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/S3PublicACLWrite/pass.py
  class MyS3Stack (line 8) | class MyS3Stack(Stack):
    method __init__ (line 10) | def __init__(self, scope: Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/S3RestrictPublicBuckets/fail__2__.py
  class S3BucketWithPublicAccessStack (line 4) | class S3BucketWithPublicAccessStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class PublicS3BucketStack (line 23) | class PublicS3BucketStack(core.Stack):
    method __init__ (line 25) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/S3RestrictPublicBuckets/pass.py
  class S3BucketWithPublicAccessStack (line 4) | class S3BucketWithPublicAccessStack(core.Stack):
    method __init__ (line 6) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class PublicS3BucketStack (line 23) | class PublicS3BucketStack(core.Stack):
    method __init__ (line 25) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/SNSTopicEncryption/fail.py
  class MyStack (line 10) | class MyStack(Stack):
    method __init__ (line 12) | def __init__(self, scope: Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/SNSTopicEncryption/pass.py
  class MyStack (line 10) | class MyStack(Stack):
    method __init__ (line 12) | def __init__(self, scope: Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/SQSQueueEncryption/fail__2__.py
  class SqsQueueWithKmsKeyStack (line 3) | class SqsQueueWithKmsKeyStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class SqsQueueWithKmsKeyIdStack (line 20) | class SqsQueueWithKmsKeyIdStack(core.Stack):
    method __init__ (line 22) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/SQSQueueEncryption/pass.py
  class SqsQueueWithKmsKeyStack (line 5) | class SqsQueueWithKmsKeyStack(core.Stack):
    method __init__ (line 7) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class SqsQueueWithKmsKeyIdStack (line 26) | class SqsQueueWithKmsKeyIdStack(core.Stack):
    method __init__ (line 28) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/SecretManagerSecretEncrypted/fail__2__.py
  class MySecretsStack (line 4) | class MySecretsStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MySecretsStack2 (line 15) | class MySecretsStack2(core.Stack):
    method __init__ (line 16) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/SecretManagerSecretEncrypted/pass.py
  class MySecretsStack (line 4) | class MySecretsStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/SecurityGroupRuleDescription/fail__4__.py
  class MySecurityGroupStack (line 4) | class MySecurityGroupStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    method __init__ (line 31) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MySecurityGroupStack (line 30) | class MySecurityGroupStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    method __init__ (line 31) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MySecurityGroupIngressStack (line 55) | class MySecurityGroupIngressStack(core.Stack):
    method __init__ (line 56) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MySecurityGroupEgressStack (line 74) | class MySecurityGroupEgressStack(core.Stack):
    method __init__ (line 75) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/SecurityGroupRuleDescription/pass.py
  class MySecurityGroupStack (line 4) | class MySecurityGroupStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    method __init__ (line 31) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MySecurityGroupStack (line 30) | class MySecurityGroupStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    method __init__ (line 31) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MySecurityGroupIngressStack (line 55) | class MySecurityGroupIngressStack(core.Stack):
    method __init__ (line 56) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MySecurityGroupEgressStack (line 75) | class MySecurityGroupEgressStack(core.Stack):
    method __init__ (line 76) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/TransferServerIsPublic/fail__1__.py
  class MyTransferServerStack (line 4) | class MyTransferServerStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/TransferServerIsPublic/pass.py
  class MyTransferServerStack (line 4) | class MyTransferServerStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
  class MyTransferServerStack2 (line 20) | class MyTransferServerStack2(core.Stack):
    method __init__ (line 21) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/VPCEndpointAcceptanceConfigured/fail__1__.py
  class MyVpcEndpointServiceStack (line 4) | class MyVpcEndpointServiceStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/VPCEndpointAcceptanceConfigured/pass.py
  class MyVpcEndpointServiceStack (line 4) | class MyVpcEndpointServiceStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/WAFEnabled/fail__1__.py
  class CloudFrontDistributionStack (line 4) | class CloudFrontDistributionStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/WAFEnabled/pass.py
  class CloudFrontDistributionStack (line 5) | class CloudFrontDistributionStack(core.Stack):
    method __init__ (line 7) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/WorkspaceRootVolumeEncrypted/fail__1__.py
  class WorkSpacesStack (line 4) | class WorkSpacesStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/WorkspaceRootVolumeEncrypted/pass.py
  class WorkSpacesStack (line 4) | class WorkSpacesStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/WorkspaceUserVolumeEncrypted/fail__1__.py
  class WorkSpacesStack (line 4) | class WorkSpacesStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/WorkspaceUserVolumeEncrypted/pass.py
  class WorkSpacesStack (line 4) | class WorkSpacesStack(core.Stack):
    method __init__ (line 5) | def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:

FILE: cdk_integration_tests/src/python/s3.py
  class AppStack (line 4) | class AppStack(Stack):
    method __init__ (line 5) | def __init__(self, app: App, id: str) -> None:

FILE: cdk_integration_tests/src/typescript/ALBDropHttpHeaders/fail.ts
  class ALBDropHttpHeadersStack (line 5) | class ALBDropHttpHeadersStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: StackProps) {

FILE: cdk_integration_tests/src/typescript/ALBDropHttpHeaders/pass.ts
  class ALBDropHttpHeadersStack (line 5) | class ALBDropHttpHeadersStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: StackProps) {

FILE: cdk_integration_tests/src/typescript/ALBListenerHTTPS/fail.ts
  class ALBListenerHTTPSStack (line 5) | class ALBListenerHTTPSStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: StackProps) {

FILE: cdk_integration_tests/src/typescript/ALBListenerHTTPS/pass.ts
  class ALBListenerHTTPSStack (line 5) | class ALBListenerHTTPSStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: StackProps) {

FILE: cdk_integration_tests/src/typescript/APIGatewayAccessLogging/fail.ts
  class APIGatewayAccessLoggingStack (line 5) | class APIGatewayAccessLoggingStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: StackProps) {

FILE: cdk_integration_tests/src/typescript/APIGatewayAccessLogging/pass.ts
  class APIGatewayAccessLoggingStack (line 5) | class APIGatewayAccessLoggingStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: StackProps) {

FILE: cdk_integration_tests/src/typescript/APIGatewayCacheEnable/fail.ts
  class APIGatewayCacheEnableStack (line 5) | class APIGatewayCacheEnableStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: StackProps) {

FILE: cdk_integration_tests/src/typescript/APIGatewayCacheEnable/pass.ts
  class APIGatewayCacheEnableStack (line 5) | class APIGatewayCacheEnableStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: StackProps) {

FILE: cdk_integration_tests/src/typescript/APIGatewayV2AccessLogging/fail.ts
  class APIGatewayV2AccessLoggingStack (line 5) | class APIGatewayV2AccessLoggingStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: StackProps) {

FILE: cdk_integration_tests/src/typescript/APIGatewayV2AccessLogging/pass.ts
  class APIGatewayV2AccessLoggingStack (line 5) | class APIGatewayV2AccessLoggingStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: StackProps) {

FILE: cdk_integration_tests/src/typescript/APIGatewayXray/fail.ts
  class APIGatewayXrayStack (line 5) | class APIGatewayXrayStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: StackProps) {

FILE: cdk_integration_tests/src/typescript/APIGatewayXray/pass.ts
  class APIGatewayXrayStack (line 5) | class APIGatewayXrayStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: StackProps) {

FILE: cdk_integration_tests/src/typescript/AmazonMQBrokerPublicAccess/fail.ts
  class AmazonMQBrokerPublicAccessStack (line 5) | class AmazonMQBrokerPublicAccessStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: StackProps) {

FILE: cdk_integration_tests/src/typescript/AmazonMQBrokerPublicAccess/pass.ts
  class AmazonMQBrokerPublicAccessStack (line 5) | class AmazonMQBrokerPublicAccessStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: StackProps) {

FILE: cdk_integration_tests/src/typescript/AuroraEncryption/fail.ts
  class AuroraEncryptionStack (line 5) | class AuroraEncryptionStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: StackProps) {

FILE: cdk_integration_tests/src/typescript/AuroraEncryption/pass.ts
  class AuroraEncryptionStack (line 5) | class AuroraEncryptionStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: StackProps) {

FILE: cdk_integration_tests/src/typescript/BackupVaultEncrypted/fail.ts
  class BackupVaultEncryptedStack (line 5) | class BackupVaultEncryptedStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: StackProps) {

FILE: cdk_integration_tests/src/typescript/BackupVaultEncrypted/pass.ts
  class BackupVaultEncryptedStack (line 5) | class BackupVaultEncryptedStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: StackProps) {

FILE: cdk_integration_tests/src/typescript/CloudTrailLogValidation/fail.ts
  class CloudTrailLogValidationStack (line 5) | class CloudTrailLogValidationStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: StackProps) {

FILE: cdk_integration_tests/src/typescript/CloudTrailLogValidation/pass.ts
  class CloudTrailLogValidationStack (line 5) | class CloudTrailLogValidationStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: StackProps) {

FILE: cdk_integration_tests/src/typescript/CloudWatchLogGroupKMSKey/fail.ts
  class MyLogGroupStack (line 4) | class MyLogGroupStack extends cdk.Stack {
    method constructor (line 5) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/CloudWatchLogGroupKMSKey/pass.ts
  class MyLogGroupStack (line 5) | class MyLogGroupStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/CloudWatchLogGroupRetention/fail.ts
  class MyLogGroupStack (line 4) | class MyLogGroupStack extends cdk.Stack {
    method constructor (line 5) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/CloudWatchLogGroupRetention/pass.ts
  class MyLogGroupStack (line 4) | class MyLogGroupStack extends cdk.Stack {
    method constructor (line 5) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/CloudfrontDistributionEncryption/fail__2__.ts
  class CloudFrontStack (line 5) | class CloudFrontStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    method constructor (line 38) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
  class CloudFrontStack (line 37) | class CloudFrontStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    method constructor (line 38) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/CloudfrontDistributionEncryption/pass.ts
  class CloudFrontStack (line 5) | class CloudFrontStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    method constructor (line 37) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
  class CloudFrontStack (line 36) | class CloudFrontStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    method constructor (line 37) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/CloudfrontDistributionLogging/fail__2__.ts
  class CloudFrontStack (line 6) | class CloudFrontStack extends cdk.Stack {
    method constructor (line 7) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    method constructor (line 39) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
  class CloudFrontStack (line 38) | class CloudFrontStack extends cdk.Stack {
    method constructor (line 7) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    method constructor (line 39) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/CloudfrontDistributionLogging/pass.ts
  class CloudFrontStack (line 6) | class CloudFrontStack extends cdk.Stack {
    method constructor (line 7) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    method constructor (line 37) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
  class CloudFrontStack (line 36) | class CloudFrontStack extends cdk.Stack {
    method constructor (line 7) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    method constructor (line 37) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/CloudtrailEncryption/fail.ts
  class CloudTrailStack (line 5) | class CloudTrailStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/CloudtrailEncryption/pass.ts
  class CloudTrailStack (line 5) | class CloudTrailStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    method constructor (line 28) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
  class CloudTrailStack (line 27) | class CloudTrailStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    method constructor (line 28) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/CloudtrailMultiRegion/fail__2__.ts
  class CloudTrailStack (line 5) | class CloudTrailStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    method constructor (line 25) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
  class CloudTrailStack (line 24) | class CloudTrailStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    method constructor (line 25) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/CloudtrailMultiRegion/pass.ts
  class CloudTrailStack (line 5) | class CloudTrailStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    method constructor (line 25) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
  class CloudTrailStack (line 24) | class CloudTrailStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    method constructor (line 25) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/CodeBuildProjectEncryption/fail.ts
  class CodeBuildStack (line 4) | class CodeBuildStack extends cdk.Stack {
    method constructor (line 5) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/CodeBuildProjectEncryption/pass.ts
  class CodeBuildStack (line 5) | class CodeBuildStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    method constructor (line 49) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
  class CodeBuildStack (line 48) | class CodeBuildStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    method constructor (line 49) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/DAXEncryption/fail__2__.ts
  class DAXClusterStack (line 4) | class DAXClusterStack extends cdk.Stack {
    method constructor (line 5) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    method constructor (line 28) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
  class DAXClusterStack (line 27) | class DAXClusterStack extends cdk.Stack {
    method constructor (line 5) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    method constructor (line 28) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/DAXEncryption/pass.ts
  class DAXClusterStack (line 4) | class DAXClusterStack extends cdk.Stack {
    method constructor (line 5) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/DMSReplicationInstancePubliclyAccessible/fail.ts
  class DMSStack (line 4) | class DMSStack extends cdk.Stack {
    method constructor (line 5) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/DMSReplicationInstancePubliclyAccessible/pass.ts
  class DMSStack (line 4) | class DMSStack extends cdk.Stack {
    method constructor (line 5) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/DocDBAuditLogs/fail__2__.ts
  class DocDBStack (line 4) | class DocDBStack extends cdk.Stack {
    method constructor (line 5) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    method constructor (line 26) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
  class DocDBStack (line 25) | class DocDBStack extends cdk.Stack {
    method constructor (line 5) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    method constructor (line 26) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/DocDBAuditLogs/pass.ts
  class DocDBStack (line 4) | class DocDBStack extends cdk.Stack {
    method constructor (line 5) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/DocDBEncryption/fail__2__.ts
  class DocDBStack (line 5) | class DocDBStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    method constructor (line 33) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
  class DocDBStack (line 32) | class DocDBStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    method constructor (line 33) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/DocDBEncryption/pass.ts
  class DocDBStack (line 5) | class DocDBStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/DocDBTLS/fail.ts
  class DocDBStack (line 4) | class DocDBStack extends cdk.Stack {
    method constructor (line 5) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/DocDBTLS/pass.ts
  class DocDBStack (line 4) | class DocDBStack extends cdk.Stack {
    method constructor (line 5) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/DynamodbGlobalTableRecovery/fail.ts
  class DynamoDBStack (line 4) | class DynamoDBStack extends cdk.Stack {
    method constructor (line 5) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/DynamodbGlobalTableRecovery/pass.ts
  class DynamoDBStack (line 4) | class DynamoDBStack extends cdk.Stack {
    method constructor (line 5) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/DynamodcRecovery/fail__2__.ts
  class DynamoDBStack (line 4) | class DynamoDBStack extends cdk.Stack {
    method constructor (line 5) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
  class DynamoDBStack (line 30) | class DynamoDBStack extends cdk.Stack {
    method constructor (line 31) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/DynamodcRecovery/pass.ts
  class DynamoDBStack (line 4) | class DynamoDBStack extends cdk.Stack {
    method constructor (line 5) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
  class DynamoDBStack (line 30) | class DynamoDBStack extends cdk.Stack {
    method constructor (line 31) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/EBSEncryption/fail__2__.ts
  class EC2Stack (line 4) | class EC2Stack extends cdk.Stack {
    method constructor (line 5) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
  class EC2Stack (line 36) | class EC2Stack extends cdk.Stack {
    method constructor (line 37) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/EBSEncryption/pass.ts
  class EC2Stack (line 4) | class EC2Stack extends cdk.Stack {
    method constructor (line 5) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
  class EC2Stack (line 37) | class EC2Stack extends cdk.Stack {
    method constructor (line 38) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/EC2PublicIP/fail.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/EC2PublicIP/fail_2.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/EC2PublicIP/pass.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ECRImageScanning/fail.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ECRImageScanning/pass.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ECRImmutableTags/fail.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ECRImmutableTags/pass.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ECRRepositoryEncrypted/fail.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ECRRepositoryEncrypted/pass.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ECRRepositoryEncrypted/pass_2.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ECSClusterContainerInsights/fail.ts
  class exampleStack (line 6) | class exampleStack extends cdk.Stack {
    method constructor (line 7) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ECSClusterContainerInsights/pass.ts
  class exampleStack (line 6) | class exampleStack extends cdk.Stack {
    method constructor (line 7) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ECSTaskDefinitionEFSVolumeEncryption/fail.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ECSTaskDefinitionEFSVolumeEncryption/fail_2.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ECSTaskDefinitionEFSVolumeEncryption/pass.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/EFSEncryptionEnabled/fail.ts
  class exampleStack (line 6) | class exampleStack extends cdk.Stack {
    method constructor (line 7) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/EFSEncryptionEnabled/pass.ts
  class exampleStack (line 6) | class exampleStack extends cdk.Stack {
    method constructor (line 7) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/EKSSecretsEncryption/fail.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/EKSSecretsEncryption/pass.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ELBAccessLogs/fail.ts
  class exampleStack (line 6) | class exampleStack extends cdk.Stack {
    method constructor (line 7) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ELBAccessLogs/pass.ts
  class exampleStack (line 6) | class exampleStack extends cdk.Stack {
    method constructor (line 7) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ELBv2AccessLogs/fail.ts
  class exampleStack (line 7) | class exampleStack extends cdk.Stack {
    method constructor (line 8) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ELBv2AccessLogs/pass.ts
  class exampleStack (line 7) | class exampleStack extends cdk.Stack {
    method constructor (line 8) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtRest/fail.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtRest/pass.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransit/fail.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransit/pass.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/fail.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass_2.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ElasticsearchDomainEnforceHTTPS/fail.ts
  class exampleStack (line 6) | class exampleStack extends cdk.Stack {
    method constructor (line 7) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ElasticsearchDomainEnforceHTTPS/fail_2.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ElasticsearchDomainEnforceHTTPS/pass.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ElasticsearchDomainEnforceHTTPS/pass_2.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ElasticsearchDomainLogging/fail.ts
  class exampleStack (line 6) | class exampleStack extends cdk.Stack {
    method constructor (line 7) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ElasticsearchDomainLogging/fail_2.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ElasticsearchDomainLogging/pass.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/ElasticsearchDomainLogging/pass_2.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/RedShiftSSL/fail__2__.ts
  class MyRedshiftClusterParameterGroupStack (line 4) | class MyRedshiftClusterParameterGroupStack extends cdk.Stack {
    method constructor (line 5) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
  class MyRedshiftClusterParameterGroupStack2 (line 27) | class MyRedshiftClusterParameterGroupStack2 extends cdk.Stack {
    method constructor (line 28) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/RedShiftSSL/pass.ts
  class MyRedshiftClusterParameterGroupStack (line 4) | class MyRedshiftClusterParameterGroupStack extends cdk.Stack {
    method constructor (line 5) | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/S3BucketEncryption/fail2__2__.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/S3BucketEncryption/fail__2__.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/S3BucketEncryption/pass.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/S3BucketEncryption/pass2.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/S3BucketKMSEncryption/fail2__3__.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/S3BucketKMSEncryption/fail__3__.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/S3BucketKMSEncryption/pass.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/S3BucketKMSEncryption/pass2.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/S3BucketLogging/fail.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/S3BucketLogging/fail2.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/S3BucketLogging/pass.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/S3BucketLogging/pass2.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/S3BucketPublicAccessBlock/fail.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/S3BucketPublicAccessBlock/fail2.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/S3BucketPublicAccessBlock/pass.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/S3BucketPublicAccessBlock/pass2.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/S3BucketVersioning/fail2__2__.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/S3BucketVersioning/fail__2__.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/S3BucketVersioning/pass.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/S3BucketVersioning/pass2.ts
  class exampleStack (line 5) | class exampleStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/S3PublicACLRead/fail__3__.ts
  class S3BucketExampleStack (line 5) | class S3BucketExampleStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: StackProps) {

FILE: cdk_integration_tests/src/typescript/S3PublicACLRead/pass.ts
  class S3BucketExampleStack (line 5) | class S3BucketExampleStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: StackProps) {

FILE: cdk_integration_tests/src/typescript/S3RestrictPublicBuckets/fail__2__.ts
  class S3BucketWithPublicAccessStack (line 5) | class S3BucketWithPublicAccessStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {
  class PublicS3BucketStack (line 22) | class PublicS3BucketStack extends cdk.Stack {
    method constructor (line 23) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/S3RestrictPublicBuckets/pass.ts
  class S3BucketWithPublicAccessStack (line 5) | class S3BucketWithPublicAccessStack extends cdk.Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {
  class PublicS3BucketStack (line 17) | class PublicS3BucketStack extends cdk.Stack {
    method constructor (line 18) | constructor(scope: Construct, id: string, props?: cdk.StackProps) {

FILE: cdk_integration_tests/src/typescript/SNSTopicEncryption/fail.ts
  class MyStack (line 5) | class MyStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: {}) {

FILE: cdk_integration_tests/src/typescript/SNSTopicEncryption/pass.ts
  class MyStack (line 6) | class MyStack extends Stack {
    method constructor (line 7) | constructor(scope: Construct, id: string, props?: {}) {

FILE: cdk_integration_tests/src/typescript/SQSQueueEncryption/fail__2__.ts
  class SqsQueueWithKmsKeyStack (line 5) | class SqsQueueWithKmsKeyStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: {}) {
  class SqsQueueWithKmsKeyIdStack (line 20) | class SqsQueueWithKmsKeyIdStack extends Stack {
    method constructor (line 21) | constructor(scope: Construct, id: string, props?: {}) {

FILE: cdk_integration_tests/src/typescript/SQSQueueEncryption/pass.ts
  class SqsQueueWithKmsKeyStack (line 7) | class SqsQueueWithKmsKeyStack extends Stack {
    method constructor (line 8) | constructor(scope: Construct, id: string, props?: {}) {
  class SqsQueueWithKmsKeyIdStack (line 30) | class SqsQueueWithKmsKeyIdStack extends Stack {
    method constructor (line 31) | constructor(scope: Construct, id: string, props?: {}) {

FILE: cdk_integration_tests/src/typescript/SecretManagerSecretEncrypted/fail__2__.ts
  class MySecretsStack (line 6) | class MySecretsStack extends Stack {
    method constructor (line 7) | constructor(scope: Construct, id: string, props?: {}) {
  class MySecretsStack2 (line 18) | class MySecretsStack2 extends Stack {
    method constructor (line 19) | constructor(scope: Construct, id: string, props?: {}) {

FILE: cdk_integration_tests/src/typescript/SecretManagerSecretEncrypted/pass.ts
  class MySecretsStack (line 6) | class MySecretsStack extends Stack {
    method constructor (line 7) | constructor(scope: Construct, id: string, props?: {}) {

FILE: cdk_integration_tests/src/typescript/SecurityGroupRuleDescription/fail__4__.ts
  class MySecurityGroupStack (line 5) | class MySecurityGroupStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: {}) {
  class MySecurityGroupEgressStack (line 26) | class MySecurityGroupEgressStack extends Stack {
    method constructor (line 27) | constructor(scope: Construct, id: string, props?: {}) {
  class MySecurityGroupIngressStack (line 47) | class MySecurityGroupIngressStack extends Stack {
    method constructor (line 48) | constructor(scope: Construct, id: string, props?: {}) {
  class MySecurityGroupEgressStack2 (line 63) | class MySecurityGroupEgressStack2 extends Stack {
    method constructor (line 64) | constructor(scope: Construct, id: string, props?: {}) {

FILE: cdk_integration_tests/src/typescript/SecurityGroupRuleDescription/pass.ts
  class MySecurityGroupStack (line 5) | class MySecurityGroupStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: {}) {
  class MySecurityGroupEgressStack (line 26) | class MySecurityGroupEgressStack extends Stack {
    method constructor (line 27) | constructor(scope: Construct, id: string, props?: {}) {
  class MySecurityGroupIngressStack (line 47) | class MySecurityGroupIngressStack extends Stack {
    method constructor (line 48) | constructor(scope: Construct, id: string, props?: {}) {
  class MySecurityGroupEgressStack2 (line 64) | class MySecurityGroupEgressStack2 extends Stack {
    method constructor (line 65) | constructor(scope: Construct, id: string, props?: {}) {

FILE: cdk_integration_tests/src/typescript/TransferServerIsPublic/fail__1__.ts
  class MyTransferServerStack (line 5) | class MyTransferServerStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: {}) {

FILE: cdk_integration_tests/src/typescript/TransferServerIsPublic/pass.ts
  class MyTransferServerStack (line 5) | class MyTransferServerStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: {}) {
  class MyTransferServerStack2 (line 17) | class MyTransferServerStack2 extends Stack {
    method constructor (line 18) | constructor(scope: Construct, id: string, props?: {}) {

FILE: cdk_integration_tests/src/typescript/VPCEndpointAcceptanceConfigured/fail__2__.ts
  class MyVpcEndpointServiceStack (line 5) | class MyVpcEndpointServiceStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: {}) {

FILE: cdk_integration_tests/src/typescript/VPCEndpointAcceptanceConfigured/pass.ts
  class MyVpcEndpointServiceStack (line 5) | class MyVpcEndpointServiceStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: {}) {

FILE: cdk_integration_tests/src/typescript/WAFEnabled/fail__1__.ts
  class CloudFrontDistributionStack (line 5) | class CloudFrontDistributionStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: {}) {

FILE: cdk_integration_tests/src/typescript/WAFEnabled/pass.ts
  class CloudFrontDistributionStack (line 6) | class CloudFrontDistributionStack extends Stack {
    method constructor (line 7) | constructor(scope: Construct, id: string, props?: {}) {

FILE: cdk_integration_tests/src/typescript/WorkspaceRootVolumeEncrypted/fail__1__.ts
  class WorkSpacesStack (line 5) | class WorkSpacesStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: {}) {

FILE: cdk_integration_tests/src/typescript/WorkspaceRootVolumeEncrypted/pass.ts
  class WorkSpacesStack (line 5) | class WorkSpacesStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: {}) {

FILE: cdk_integration_tests/src/typescript/WorkspaceUserVolumeEncrypted/fail__1__.ts
  class WorkSpacesStack (line 5) | class WorkSpacesStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: {}) {

FILE: cdk_integration_tests/src/typescript/WorkspaceUserVolumeEncrypted/pass.ts
  class WorkSpacesStack (line 5) | class WorkSpacesStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: {}) {

FILE: cdk_integration_tests/src/typescript/s3.ts
  class exampleStack (line 5) | class exampleStack extends Stack {
    method constructor (line 6) | constructor(scope: Construct, id: string, props?: StackProps) {

FILE: cdk_integration_tests/test_checks_python.py
  function failed_checks (line 11) | def failed_checks() -> Dict[str, List[Dict[str, Any]]]:
  function test_CKV_AWS_18_S3BucketLogging (line 16) | def test_CKV_AWS_18_S3BucketLogging(failed_checks):
  function test_CKV_AWS_19_S3BucketEncryption (line 20) | def test_CKV_AWS_19_S3BucketEncryption(failed_checks):
  function test_CKV_AWS_21_S3BucketVersioning (line 24) | def test_CKV_AWS_21_S3BucketVersioning(failed_checks):
  function test_CKV_AWS_145_S3BucketKMSEncryption (line 28) | def test_CKV_AWS_145_S3BucketKMSEncryption(failed_checks):
  function test_CKV2_AWS_6_S3BucketPublicAccessBlock (line 32) | def test_CKV2_AWS_6_S3BucketPublicAccessBlock(failed_checks):
  function test_CKV_AWS_54_S3BlockPublicPolicy (line 36) | def test_CKV_AWS_54_S3BlockPublicPolicy(failed_checks):
  function test_CKV_AWS_26_SNSTopicEncryption (line 40) | def test_CKV_AWS_26_SNSTopicEncryption(failed_checks):
  function test_CKV_AWS_20_S3PublicACLRead (line 44) | def test_CKV_AWS_20_S3PublicACLRead(failed_checks):
  function test_CKV_AWS_55_S3IgnorePublicACLs (line 48) | def test_CKV_AWS_55_S3IgnorePublicACLs(failed_checks):
  function test_CKV_AWS_56_S3RestrictPublicBuckets (line 52) | def test_CKV_AWS_56_S3RestrictPublicBuckets(failed_checks):
  function test_CKV_AWS_53_S3BlockPublicACLs (line 56) | def test_CKV_AWS_53_S3BlockPublicACLs(failed_checks):
  function test_CKV_AWS_57_S3PublicACLWrite (line 60) | def test_CKV_AWS_57_S3PublicACLWrite(failed_checks):
  function test_CKV_AWS_115_LambdaFunctionLevelConcurrentExecutionLimit (line 64) | def test_CKV_AWS_115_LambdaFunctionLevelConcurrentExecutionLimit(failed_...
  function test_CKV_AWS_116_LambdaDLQConfigured (line 68) | def test_CKV_AWS_116_LambdaDLQConfigured(failed_checks):
  function test_CKV_AWS_28_DynamodbRecovery (line 72) | def test_CKV_AWS_28_DynamodbRecovery(failed_checks):
  function test_CKV_AWS_158_CloudWatchLogGroupKMSKey (line 76) | def test_CKV_AWS_158_CloudWatchLogGroupKMSKey(failed_checks):
  function test_CKV_AWS_3_EBSEncryption (line 80) | def test_CKV_AWS_3_EBSEncryption(failed_checks):
  function test_CKV_AWS_120_APIGatewayCacheEnable (line 84) | def test_CKV_AWS_120_APIGatewayCacheEnable(failed_checks):
  function test_CKV_AWS_163_ECRImageScanning (line 88) | def test_CKV_AWS_163_ECRImageScanning(failed_checks):
  function test_CKV_AWS_51_ECRImmutableTags (line 92) | def test_CKV_AWS_51_ECRImmutableTags(failed_checks):
  function test_CKV_AWS_44_NeptuneClusterStorageEncrypted (line 96) | def test_CKV_AWS_44_NeptuneClusterStorageEncrypted(failed_checks):
  function test_CKV_AWS_166_BackupVaultEncrypted (line 100) | def test_CKV_AWS_166_BackupVaultEncrypted(failed_checks):
  function test_CKV_AWS_74_DocDBEncryption (line 104) | def test_CKV_AWS_74_DocDBEncryption(failed_checks):
  function test_CKV_AWS_47_DAXEncryption (line 108) | def test_CKV_AWS_47_DAXEncryption(failed_checks):
  function test_CKV_AWS_156_WorkspaceRootVolumeEncrypted (line 112) | def test_CKV_AWS_156_WorkspaceRootVolumeEncrypted(failed_checks):
  function test_CKV_AWS_155_WorkspaceUserVolumeEncrypted (line 116) | def test_CKV_AWS_155_WorkspaceUserVolumeEncrypted(failed_checks):
  function test_CKV_AWS_165_DynamodbGlobalTableRecovery (line 120) | def test_CKV_AWS_165_DynamodbGlobalTableRecovery(failed_checks):
  function test_CKV_AWS_27_SQSQueueEncryption (line 124) | def test_CKV_AWS_27_SQSQueueEncryption(failed_checks):
  function test_CKV_AWS_195_GlueSecurityConfigurationEnabled (line 128) | def test_CKV_AWS_195_GlueSecurityConfigurationEnabled(failed_checks):
  function test_CKV_AWS_30_ElasticacheReplicationGroupEncryptionAtTransit (line 132) | def test_CKV_AWS_30_ElasticacheReplicationGroupEncryptionAtTransit(faile...
  function test_CKV_AWS_29_ElasticacheReplicationGroupEncryptionAtRest (line 136) | def test_CKV_AWS_29_ElasticacheReplicationGroupEncryptionAtRest(failed_c...
  function test_CKV_AWS_43_KinesisStreamEncryptionType (line 140) | def test_CKV_AWS_43_KinesisStreamEncryptionType(failed_checks):
  function test_CKV_AWS_42_EFSEncryptionEnabled (line 144) | def test_CKV_AWS_42_EFSEncryptionEnabled(failed_checks):
  function test_CKV_AWS_193_AppSyncLogging (line 148) | def test_CKV_AWS_193_AppSyncLogging(failed_checks):
  function test_CKV_AWS_194_AppSyncFieldLevelLogs (line 152) | def test_CKV_AWS_194_AppSyncFieldLevelLogs(failed_checks):
  function test_CKV_AWS_104_DocDBAuditLogs (line 156) | def test_CKV_AWS_104_DocDBAuditLogs(failed_checks):
  function test_CKV_AWS_82_AthenaWorkgroupConfiguration (line 160) | def test_CKV_AWS_82_AthenaWorkgroupConfiguration(failed_checks):
  function test_CKV_AWS_17_RDSPubliclyAccessible (line 164) | def test_CKV_AWS_17_RDSPubliclyAccessible(failed_checks):
  function test_CKV_AWS_87_RedshiftClusterPubliclyAccessible (line 168) | def test_CKV_AWS_87_RedshiftClusterPubliclyAccessible(failed_checks):
  function test_CKV_AWS_69_AmazonMQBrokerPublicAccess (line 172) | def test_CKV_AWS_69_AmazonMQBrokerPublicAccess(failed_checks):
  function test_CKV_AWS_118_RDSEnhancedMonitorEnabled (line 176) | def test_CKV_AWS_118_RDSEnhancedMonitorEnabled(failed_checks):
  function test_CKV_AWS_40_IAMPolicyAttachedToGroupOrRoles (line 180) | def test_CKV_AWS_40_IAMPolicyAttachedToGroupOrRoles(failed_checks):
  function test_CKV_AWS_36_CloudTrailLogValidation (line 184) | def test_CKV_AWS_36_CloudTrailLogValidation(failed_checks):
  function test_CKV_AWS_83_ElasticsearchDomainEnforceHTTPS (line 188) | def test_CKV_AWS_83_ElasticsearchDomainEnforceHTTPS(failed_checks):
  function test_CKV_AWS_76_APIGatewayAccessLogging (line 192) | def test_CKV_AWS_76_APIGatewayAccessLogging(failed_checks):
  function test_CKV_AWS_117_LambdaInVPC (line 196) | def test_CKV_AWS_117_LambdaInVPC(failed_checks):
  function test_CKV_AWS_68_WAFEnabled (line 200) | def test_CKV_AWS_68_WAFEnabled(failed_checks):
  function test_CKV_AWS_64_RedshiftClusterEncryption (line 204) | def test_CKV_AWS_64_RedshiftClusterEncryption(failed_checks):
  function test_CKV_AWS_78_CodeBuildProjectEncryption (line 208) | def test_CKV_AWS_78_CodeBuildProjectEncryption(failed_checks):
  function test_CKV_AWS_31_ElasticacheReplicationGroupEncryptionAtTransitAuthToken (line 212) | def test_CKV_AWS_31_ElasticacheReplicationGroupEncryptionAtTransitAuthTo...
  function test_CKV_AWS_94_GlueDataCatalogEncryption (line 216) | def test_CKV_AWS_94_GlueDataCatalogEncryption(failed_checks):
  function test_CKV_AWS_99_GlueSecurityConfiguration (line 220) | def test_CKV_AWS_99_GlueSecurityConfiguration(failed_checks):
  function test_CKV_AWS_105_RedShiftSSL (line 224) | def test_CKV_AWS_105_RedShiftSSL(failed_checks):
  function test_CKV_AWS_149_SecretManagerSecretEncrypted (line 228) | def test_CKV_AWS_149_SecretManagerSecretEncrypted(failed_checks):
  function test_CKV_AWS_59_APIGatewayAuthorization (line 232) | def test_CKV_AWS_59_APIGatewayAuthorization(failed_checks):
  function test_CKV_AWS_89_DMSReplicationInstancePubliclyAccessible (line 236) | def test_CKV_AWS_89_DMSReplicationInstancePubliclyAccessible(failed_chec...
  function test_CKV_AWS_34_CloudfrontDistributionEncryption (line 240) | def test_CKV_AWS_34_CloudfrontDistributionEncryption(failed_checks):
  function test_CKV_AWS_95_APIGatewayV2AccessLogging (line 244) | def test_CKV_AWS_95_APIGatewayV2AccessLogging(failed_checks):
  function test_CKV_AWS_86_CloudfrontDistributionLogging (line 248) | def test_CKV_AWS_86_CloudfrontDistributionLogging(failed_checks):
  function test_CKV_AWS_90_DocDBTLS (line 252) | def test_CKV_AWS_90_DocDBTLS(failed_checks):
  function test_CKV_AWS_174_CloudFrontTLS12 (line 256) | def test_CKV_AWS_174_CloudFrontTLS12(failed_checks):
  function test_CKV_AWS_71_RedshiftClusterLogging (line 260) | def test_CKV_AWS_71_RedshiftClusterLogging(failed_checks):
  function test_CKV_AWS_92_ELBAccessLogs (line 264) | def test_CKV_AWS_92_ELBAccessLogs(failed_checks):
  function test_CKV_AWS_67_CloudtrailMultiRegion (line 268) | def test_CKV_AWS_67_CloudtrailMultiRegion(failed_checks):
  function test_CKV_AWS_91_ELBv2AccessLogs (line 272) | def test_CKV_AWS_91_ELBv2AccessLogs(failed_checks):
  function test_CKV_AWS_164_TransferServerIsPublic (line 276) | def test_CKV_AWS_164_TransferServerIsPublic(failed_checks):
  function test_CKV_AWS_97_ECSTaskDefinitionEFSVolumeEncryption (line 280) | def test_CKV_AWS_97_ECSTaskDefinitionEFSVolumeEncryption(failed_checks):
  function test_CKV_AWS_123_VPCEndpointAcceptanceConfigured (line 284) | def test_CKV_AWS_123_VPCEndpointAcceptanceConfigured(failed_checks):
  function test_CKV_AWS_35_CloudtrailEncryption (line 288) | def test_CKV_AWS_35_CloudtrailEncryption(failed_checks):
  function test_CKV_AWS_154_RedshiftInEc2ClassicMode (line 292) | def test_CKV_AWS_154_RedshiftInEc2ClassicMode(failed_checks):
  function test_CKV_AWS_84_ElasticsearchDomainLogging (line 296) | def test_CKV_AWS_84_ElasticsearchDomainLogging(failed_checks):
  function test_CKV_AWS_136_ECRRepositoryEncrypted (line 300) | def test_CKV_AWS_136_ECRRepositoryEncrypted(failed_checks):
  function test_CKV_AWS_66_CloudWatchLogGroupRetention (line 304) | def test_CKV_AWS_66_CloudWatchLogGroupRetention(failed_checks):
  function test_CKV_AWS_5_ElasticsearchEncryption (line 308) | def test_CKV_AWS_5_ElasticsearchEncryption(failed_checks):
  function test_CKV_AWS_73_APIGatewayXray (line 312) | def test_CKV_AWS_73_APIGatewayXray(failed_checks):
  function test_CKV_AWS_6_ElasticsearchNodeToNodeEncryption (line 316) | def test_CKV_AWS_6_ElasticsearchNodeToNodeEncryption(failed_checks):
  function test_CKV_AWS_88_EC2PublicIP (line 320) | def test_CKV_AWS_88_EC2PublicIP(failed_checks):
  function test_CKV_AWS_8_LaunchConfigurationEBSEncryption (line 324) | def test_CKV_AWS_8_LaunchConfigurationEBSEncryption(failed_checks):
  function test_CKV_AWS_45_LambdaEnvironmentCredentials (line 328) | def test_CKV_AWS_45_LambdaEnvironmentCredentials(failed_checks):
  function test_CKV_AWS_58_EKSSecretsEncryption (line 332) | def test_CKV_AWS_58_EKSSecretsEncryption(failed_checks):
  function test_CKV_AWS_65_ECSClusterContainerInsights (line 336) | def test_CKV_AWS_65_ECSClusterContainerInsights(failed_checks):
  function test_CKV_AWS_131_ALBDropHttpHeaders (line 340) | def test_CKV_AWS_131_ALBDropHttpHeaders(failed_checks):
  function test_CKV_AWS_2_ALBListenerHTTPS (line 344) | def test_CKV_AWS_2_ALBListenerHTTPS(failed_checks):
  function test_CKV_AWS_23_SecurityGroupRuleDescription (line 348) | def test_CKV_AWS_23_SecurityGroupRuleDescription(failed_checks):
  function test_CKV_AWS_173_LambdaEnvironmentEncryptionSettings (line 352) | def test_CKV_AWS_173_LambdaEnvironmentEncryptionSettings(failed_checks):
  function test_CKV_AWS_157_RDSMultiAZEnabled (line 356) | def test_CKV_AWS_157_RDSMultiAZEnabled(failed_checks):
  function test_CKV_AWS_96_AuroraEncryption (line 360) | def test_CKV_AWS_96_AuroraEncryption(failed_checks):

FILE: cdk_integration_tests/test_checks_typescript.py
  function failed_checks (line 11) | def failed_checks() -> Dict[str, List[Dict[str, Any]]]:
  function test_CKV_AWS_131_ALBDropHttpHeaders (line 16) | def test_CKV_AWS_131_ALBDropHttpHeaders(failed_checks):
  function test_CKV_AWS_2_ALBListenerHTTPS (line 21) | def test_CKV_AWS_2_ALBListenerHTTPS(failed_checks):
  function test_CKV_AWS_59_APIGatewayAuthorization (line 25) | def test_CKV_AWS_59_APIGatewayAuthorization(failed_checks):
  function test_CKV_AWS_76_APIGatewayAccessLogging (line 30) | def test_CKV_AWS_76_APIGatewayAccessLogging(failed_checks):
  function test_CKV_AWS_120_APIGatewayCacheEnable (line 35) | def test_CKV_AWS_120_APIGatewayCacheEnable(failed_checks):
  function test_CKV_AWS_95_APIGatewayV2AccessLogging (line 40) | def test_CKV_AWS_95_APIGatewayV2AccessLogging(failed_checks):
  function test_CKV_AWS_73_APIGatewayXray (line 45) | def test_CKV_AWS_73_APIGatewayXray(failed_checks):
  function test_CKV_AWS_194_AppSyncFieldLevelLogs (line 49) | def test_CKV_AWS_194_AppSyncFieldLevelLogs(failed_checks):
  function test_CKV_AWS_193_AppSyncLogging (line 54) | def test_CKV_AWS_193_AppSyncLogging(failed_checks):
  function test_CKV_AWS_82_AthenaWorkgroupConfiguration (line 58) | def test_CKV_AWS_82_AthenaWorkgroupConfiguration(failed_checks):
  function test_CKV_AWS_131_AmazonMQBrokerPublicAccess (line 64) | def test_CKV_AWS_131_AmazonMQBrokerPublicAccess(failed_checks):
  function test_CKV_AWS_96_AuroraEncryption (line 69) | def test_CKV_AWS_96_AuroraEncryption(failed_checks):
  function test_CKV_AWS_166_BackupVaultEncrypted (line 74) | def test_CKV_AWS_166_BackupVaultEncrypted(failed_checks):
  function test_CKV_AWS_174_CloudFrontTLS12 (line 79) | def test_CKV_AWS_174_CloudFrontTLS12(failed_checks):
  function test_CKV_AWS_36_CloudTrailLogValidation (line 83) | def test_CKV_AWS_36_CloudTrailLogValidation(failed_checks):
  function test_CKV_AWS_20_S3PublicACLRead (line 88) | def test_CKV_AWS_20_S3PublicACLRead(failed_checks):
  function test_CKV_AWS_56_S3RestrictPublicBuckets (line 92) | def test_CKV_AWS_56_S3RestrictPublicBuckets(failed_checks):
  function test_CKV_AWS_149_SecretManagerSecretEncrypted (line 97) | def test_CKV_AWS_149_SecretManagerSecretEncrypted(failed_checks):
  function test_CKV_AWS_23_SecurityGroupRuleDescription (line 102) | def test_CKV_AWS_23_SecurityGroupRuleDescription(failed_checks):
  function test_CKV_AWS_26_SNSTopicEncryption (line 107) | def test_CKV_AWS_26_SNSTopicEncryption(failed_checks):
  function test_CKV_AWS_27_SQSQueueEncryption (line 112) | def test_CKV_AWS_27_SQSQueueEncryption(failed_checks):
  function test_CKV_AWS_164_TransferServerIsPublic (line 117) | def test_CKV_AWS_164_TransferServerIsPublic(failed_checks):
  function test_CKV_AWS_123_VPCEndpointAcceptanceConfigured (line 122) | def test_CKV_AWS_123_VPCEndpointAcceptanceConfigured(failed_checks):
  function test_CKV_AWS_68_WAFEnabled (line 127) | def test_CKV_AWS_68_WAFEnabled(failed_checks):
  function test_CKV_AWS_156_WorkspaceRootVolumeEncrypted (line 131) | def test_CKV_AWS_156_WorkspaceRootVolumeEncrypted(failed_checks):
  function test_CKV_AWS_155_WorkspaceUserVolumeEncrypted (line 136) | def test_CKV_AWS_155_WorkspaceUserVolumeEncrypted(failed_checks):
  function test_CKV_AWS_88_EC2PublicIP (line 141) | def test_CKV_AWS_88_EC2PublicIP(failed_checks):
  function test_CKV_AWS_163_ECRImageScanning (line 145) | def test_CKV_AWS_163_ECRImageScanning(failed_checks):
  function test_CKV_AWS_51_ECRImmutableTags (line 150) | def test_CKV_AWS_51_ECRImmutableTags(failed_checks):
  function test_CKV_AWS_136_ECRRepositoryEncrypted (line 154) | def test_CKV_AWS_136_ECRRepositoryEncrypted(failed_checks):
  function test_CKV_AWS_65_ECSClusterContainerInsights (line 159) | def test_CKV_AWS_65_ECSClusterContainerInsights(failed_checks):
  function test_CKV_AWS_97_ECSTaskDefinitionEFSVolumeEncryption (line 164) | def test_CKV_AWS_97_ECSTaskDefinitionEFSVolumeEncryption(failed_checks):
  function test_CKV_AWS_42_EFSEncryptionEnabled (line 169) | def test_CKV_AWS_42_EFSEncryptionEnabled(failed_checks):
  function test_CKV_AWS_58_EKSSecretsEncryption (line 174) | def test_CKV_AWS_58_EKSSecretsEncryption(failed_checks):
  function test_CKV_AWS_29_ElasticacheReplicationGroupEncryptionAtRest (line 179) | def test_CKV_AWS_29_ElasticacheReplicationGroupEncryptionAtRest(failed_c...
  function test_CKV_AWS_30_ElasticacheReplicationGroupEncryptionAtTransit (line 184) | def test_CKV_AWS_30_ElasticacheReplicationGroupEncryptionAtTransit(faile...
  function test_CKV_AWS_31_ElasticacheReplicationGroupEncryptionAtTransitAuthToken (line 190) | def test_CKV_AWS_31_ElasticacheReplicationGroupEncryptionAtTransitAuthTo...
  function test_CKV_AWS_83_ElasticsearchDomainEnforceHTTPS (line 196) | def test_CKV_AWS_83_ElasticsearchDomainEnforceHTTPS(failed_checks):
  function test_CKV_AWS_84_ElasticsearchDomainLogging (line 201) | def test_CKV_AWS_84_ElasticsearchDomainLogging(failed_checks):
  function test_CKV_AWS_92_ELBAccessLogs (line 206) | def test_CKV_AWS_92_ELBAccessLogs(failed_checks):
  function test_CKV_AWS_91_ELBv2AccessLogs (line 210) | def test_CKV_AWS_91_ELBv2AccessLogs(failed_checks):
  function test_CKV_AWS_158_CloudWatchLogGroupKMSKey (line 214) | def test_CKV_AWS_158_CloudWatchLogGroupKMSKey(failed_checks):
  function test_CKV_AWS_66_CloudWatchLogGroupRetention (line 219) | def test_CKV_AWS_66_CloudWatchLogGroupRetention(failed_checks):
  function test_CKV_AWS_34_CloudfrontDistributionEncryption (line 224) | def test_CKV_AWS_34_CloudfrontDistributionEncryption(failed_checks):
  function test_CKV_AWS_86_CloudfrontDistributionLogging (line 229) | def test_CKV_AWS_86_CloudfrontDistributionLogging(failed_checks):
  function test_CKV_AWS_35_CloudtrailEncryption (line 234) | def test_CKV_AWS_35_CloudtrailEncryption(failed_checks):
  function test_CKV_AWS_67_CloudtrailMultiRegion (line 239) | def test_CKV_AWS_67_CloudtrailMultiRegion(failed_checks):
  function test_CKV_AWS_78_CodeBuildProjectEncryption (line 244) | def test_CKV_AWS_78_CodeBuildProjectEncryption(failed_checks):
  function test_CKV_AWS_47_DAXEncryption (line 249) | def test_CKV_AWS_47_DAXEncryption(failed_checks):
  function test_CKV_AWS_89_DMSReplicationInstancePubliclyAccessible (line 253) | def test_CKV_AWS_89_DMSReplicationInstancePubliclyAccessible(failed_chec...
  function test_CKV_AWS_104_DocDBAuditLogs (line 258) | def test_CKV_AWS_104_DocDBAuditLogs(failed_checks):
  function test_CKV_AWS_74_DocDBEncryption (line 262) | def test_CKV_AWS_74_DocDBEncryption(failed_checks):
  function test_CKV_AWS_90_DocDBTLS (line 266) | def test_CKV_AWS_90_DocDBTLS(failed_checks):
  function test_CKV_AWS_165_DynamodbGlobalTableRecovery (line 270) | def test_CKV_AWS_165_DynamodbGlobalTableRecovery(failed_checks):
  function test_CKV_AWS_28_DynamodbRecovery (line 275) | def test_CKV_AWS_28_DynamodbRecovery(failed_checks):
  function test_CKV_AWS_3_EBSEncryption (line 279) | def test_CKV_AWS_3_EBSEncryption(failed_checks):
  function test_CKV_AWS_18_S3BucketLogging (line 283) | def test_CKV_AWS_18_S3BucketLogging(failed_checks):
  function test_CKV_AWS_19_S3BucketEncryption (line 288) | def test_CKV_AWS_19_S3BucketEncryption(failed_checks):
  function test_CKV_AWS_21_S3BucketVersioning (line 293) | def test_CKV_AWS_21_S3BucketVersioning(failed_checks):
  function test_CKV_AWS_145_S3BucketKMSEncryption (line 298) | def test_CKV_AWS_145_S3BucketKMSEncryption(failed_checks):
  function test_CKV2_AWS_6_S3BucketPublicAccessBlock (line 303) | def test_CKV2_AWS_6_S3BucketPublicAccessBlock(failed_checks):
  function test_CKV_AWS_195_GlueSecurityConfigurationEnabled (line 308) | def test_CKV_AWS_195_GlueSecurityConfigurationEnabled(failed_checks):
  function test_CKV_AWS_5_ElasticsearchEncryption (line 313) | def test_CKV_AWS_5_ElasticsearchEncryption(failed_checks):
  function test_CKV_AWS_6_ElasticsearchNodeToNodeEncryption (line 318) | def test_CKV_AWS_6_ElasticsearchNodeToNodeEncryption(failed_checks):
  function test_CKV_AWS_94_GlueDataCatalogEncryption (line 323) | def test_CKV_AWS_94_GlueDataCatalogEncryption(failed_checks):
  function test_CKV_AWS_99_GlueSecurityConfiguration (line 328) | def test_CKV_AWS_99_GlueSecurityConfiguration(failed_checks):
  function test_CKV_AWS_40_IAMPolicyAttachedToGroupOrRoles (line 333) | def test_CKV_AWS_40_IAMPolicyAttachedToGroupOrRoles(failed_checks):
  function test_CKV_AWS_43_KinesisStreamEncryptionType (line 338) | def test_CKV_AWS_43_KinesisStreamEncryptionType(failed_checks):
  function test_CKV_AWS_116_LambdaDLQConfigured (line 343) | def test_CKV_AWS_116_LambdaDLQConfigured(failed_checks):
  function test_CKV_AWS_45_LambdaEnvironmentCredentials (line 348) | def test_CKV_AWS_45_LambdaEnvironmentCredentials(failed_checks):
  function test_CKV_AWS_173_LambdaEnvironmentEncryptionSettings (line 353) | def test_CKV_AWS_173_LambdaEnvironmentEncryptionSettings(failed_checks):
  function test_CKV_AWS_115_LambdaFunctionLevelConcurrentExecutionLimit (line 358) | def test_CKV_AWS_115_LambdaFunctionLevelConcurrentExecutionLimit(failed_...
  function test_CKV_AWS_117_LambdaInVPC (line 363) | def test_CKV_AWS_117_LambdaInVPC(failed_checks):
  function test_CKV_AWS_8_LaunchConfigurationEBSEncryption (line 367) | def test_CKV_AWS_8_LaunchConfigurationEBSEncryption(failed_checks):
  function test_CKV_AWS_44_NeptuneClusterStorageEncrypted (line 372) | def test_CKV_AWS_44_NeptuneClusterStorageEncrypted(failed_checks):
  function test_CKV_AWS_157_RDSMultiAZEnabled (line 383) | def test_CKV_AWS_157_RDSMultiAZEnabled(failed_checks):
  function test_CKV_AWS_17_RDSPubliclyAccessible (line 388) | def test_CKV_AWS_17_RDSPubliclyAccessible(failed_checks):
  function test_CKV_AWS_105_RedShiftSSL (line 393) | def test_CKV_AWS_105_RedShiftSSL(failed_checks):
  function test_CKV_AWS_64_RedshiftClusterEncryption (line 398) | def test_CKV_AWS_64_RedshiftClusterEncryption(failed_checks):
  function test_CKV_AWS_71_RedshiftClusterLogging (line 403) | def test_CKV_AWS_71_RedshiftClusterLogging(failed_checks):
  function test_CKV_AWS_87_RedshiftClusterPubliclyAccessible (line 408) | def test_CKV_AWS_87_RedshiftClusterPubliclyAccessible(failed_checks):
  function test_CKV_AWS_154_RedshiftInEc2ClassicMode (line 413) | def test_CKV_AWS_154_RedshiftInEc2ClassicMode(failed_checks):
  function test_CKV_AWS_53_S3BlockPublicACLs (line 418) | def test_CKV_AWS_53_S3BlockPublicACLs(failed_checks):
  function test_CKV_AWS_54_S3BlockPublicPolicy (line 423) | def test_CKV_AWS_54_S3BlockPublicPolicy(failed_checks):

FILE: cdk_integration_tests/utils.py
  function load_failed_checks_from_file (line 10) | def load_failed_checks_from_file(lang: str) -> Dict[str, List[Dict[str, ...
  function is_policy_with_correct_check_id (line 36) | def is_policy_with_correct_check_id(check_id: str, language: str, policy...
  function run_check (line 45) | def run_check(check_results: Dict[str, List[Dict[str, Any]]], check_id: ...
  function validate_report (line 51) | def validate_report(report_path: str) -> None:

FILE: checkov/ansible/checks/base_ansible_task_check.py
  class BaseAnsibleTaskCheck (line 17) | class BaseAnsibleTaskCheck(BaseCheck):
    method __init__ (line 18) | def __init__(
    method scan_entity_conf (line 60) | def scan_entity_conf(self, conf: dict[str, Any], entity_type: str) -> ...
    method scan_conf (line 73) | def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[s...

FILE: checkov/ansible/checks/base_ansible_task_value_check.py
  class BaseAnsibleTaskValueCheck (line 17) | class BaseAnsibleTaskValueCheck(BaseAnsibleTaskCheck):
    method __init__ (line 18) | def __init__(
    method scan_conf (line 39) | def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[s...
    method get_inspected_key (line 58) | def get_inspected_key(self) -> str:
    method get_expected_values (line 64) | def get_expected_values(self) -> list[Any]:
    method get_expected_value (line 72) | def get_expected_value(self) -> Any:
    method get_evaluated_keys (line 78) | def get_evaluated_keys(self) -> list[str]:

FILE: checkov/ansible/checks/task/aws/EC2EBSOptimized.py
  class EC2EBSOptimized (line 9) | class EC2EBSOptimized(BaseAnsibleTaskValueCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_conf (line 20) | def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[s...
    method get_inspected_key (line 27) | def get_inspected_key(self) -> str:

FILE: checkov/ansible/checks/task/aws/EC2PublicIP.py
  class EC2PublicIP (line 9) | class EC2PublicIP(BaseAnsibleTaskValueCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_conf (line 20) | def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[s...
    method get_inspected_key (line 27) | def get_inspected_key(self) -> str:
    method get_expected_value (line 30) | def get_expected_value(self) -> Any:

FILE: checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py
  class AptAllowUnauthenticated (line 9) | class AptAllowUnauthenticated(BaseAnsibleTaskValueCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method get_expected_value (line 21) | def get_expected_value(self) -> Any:
    method get_inspected_key (line 24) | def get_inspected_key(self) -> str:

FILE: checkov/ansible/checks/task/builtin/AptForce.py
  class AptForce (line 9) | class AptForce(BaseAnsibleTaskValueCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method get_expected_value (line 21) | def get_expected_value(self) -> Any:
    method get_inspected_key (line 24) | def get_inspected_key(self) -> str:

FILE: checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py
  class GetUrlValidateCerts (line 7) | class GetUrlValidateCerts(BaseAnsibleTaskValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 19) | def get_inspected_key(self) -> str:

FILE: checkov/ansible/checks/task/builtin/UriValidateCerts.py
  class UriValidateCerts (line 7) | class UriValidateCerts(BaseAnsibleTaskValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 19) | def get_inspected_key(self) -> str:

FILE: checkov/ansible/checks/task/builtin/YumSslVerify.py
  class YumSslVerify (line 7) | class YumSslVerify(BaseAnsibleTaskValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 19) | def get_inspected_key(self) -> str:

FILE: checkov/ansible/checks/task/builtin/YumValidateCerts.py
  class YumValidateCerts (line 7) | class YumValidateCerts(BaseAnsibleTaskValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 19) | def get_inspected_key(self) -> str:

FILE: checkov/ansible/graph_builder/graph_components/resource_types.py
  class ResourceType (line 4) | class ResourceType(str, Enum):
    method __str__ (line 8) | def __str__(self) -> str:

FILE: checkov/ansible/graph_builder/local_graph.py
  class AnsibleLocalGraph (line 18) | class AnsibleLocalGraph(ObjectLocalGraph):
    method __init__ (line 19) | def __init__(self, definitions: dict[str | Path, dict[str, Any] | list...
    method _create_vertices (line 24) | def _create_vertices(self) -> None:
    method _process_blocks (line 43) | def _process_blocks(self, file_path: str, task: Any, prefix: str = "")...
    method _create_tasks_vertices (line 58) | def _create_tasks_vertices(self, file_path: str, task: Any, prefix: st...
    method _create_block_vertices (line 117) | def _create_block_vertices(self, file_path: str, block: dict[str, Any]...
    method _create_edges (line 140) | def _create_edges(self) -> None:
    method get_files_definitions (line 144) | def get_files_definitions(root_folder: str | Path) -> dict[str | Path,...

FILE: checkov/ansible/runner.py
  class Runner (line 23) | class Runner(YamlRunner):
    method __init__ (line 26) | def __init__(
    method require_external_checks (line 41) | def require_external_checks(self) -> bool:
    method import_registry (line 44) | def import_registry(self) -> BaseCheckRegistry:
    method _parse_file (line 48) | def _parse_file(
    method get_resource (line 57) | def get_resource(
    method generate_resource_name (line 72) | def generate_resource_name(
    method _handle_block_tasks (line 109) | def _handle_block_tasks(
    method build_definitions_context (line 128) | def build_definitions_context(
    method set_definitions_raw (line 135) | def set_definitions_raw(self, definitions_raw: dict[str, list[tuple[in...

FILE: checkov/ansible/utils.py
  function get_scannable_file_paths (line 70) | def get_scannable_file_paths(root_folder: str | Path) -> set[Path]:
  function get_relevant_file_content (line 82) | def get_relevant_file_content(file_path: str | Path) -> str | None:
  function parse_file (line 100) | def parse_file(
  function generate_task_name (line 111) | def generate_task_name(task: dict[str, Any], prefix: str = "") -> str | ...
  function build_definitions_context (line 128) | def build_definitions_context(
  function _process_blocks (line 158) | def _process_blocks(
  function _create_resource_context (line 186) | def _create_resource_context(definition_raw: list[tuple[int, str]], reso...
  function create_definitions (line 202) | def create_definitions(
  function create_file_definition (line 223) | def create_file_definition(files_to_load: List[str], definitions: dict[s...

FILE: checkov/argo_workflows/checks/base_argo_workflows_check.py
  class BaseArgoWorkflowsCheck (line 14) | class BaseArgoWorkflowsCheck(BaseCheck):
    method __init__ (line 15) | def __init__(
    method scan_entity_conf (line 34) | def scan_entity_conf(self, conf: dict[str, Any], entity_type: str) -> ...
    method scan_conf (line 40) | def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[s...

FILE: checkov/argo_workflows/checks/template/DefaultServiceAccount.py
  class DefaultServiceAccount (line 10) | class DefaultServiceAccount(BaseArgoWorkflowsCheck):
    method __init__ (line 11) | def __init__(self) -> None:
    method scan_conf (line 22) | def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[s...

FILE: checkov/argo_workflows/checks/template/RunAsNonRoot.py
  class RunAsNonRoot (line 10) | class RunAsNonRoot(BaseArgoWorkflowsCheck):
    method __init__ (line 11) | def __init__(self) -> None:
    method scan_conf (line 22) | def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[s...

FILE: checkov/argo_workflows/runner.py
  class Runner (line 21) | class Runner(YamlRunner, ImageReferencer):
    method require_external_checks (line 28) | def require_external_checks(self) -> bool:
    method import_registry (line 31) | def import_registry(self) -> BaseCheckRegistry:
    method _parse_file (line 35) | def _parse_file(
    method _get_workflow_file_content (line 45) | def _get_workflow_file_content(file_path: str) -> str | None:
    method is_workflow_file (line 63) | def is_workflow_file(self, file_path: str) -> bool:
    method get_images (line 66) | def get_images(self, file_path: str) -> set[Image]:
    method extract_image (line 136) | def extract_image(self, file_path: str, container: dict[str, Any]) -> ...

FILE: checkov/arm/base_parameter_check.py
  class BaseParameterCheck (line 14) | class BaseParameterCheck(BaseCheck):
    method __init__ (line 15) | def __init__(
    method scan_entity_conf (line 34) | def scan_entity_conf(self, conf: dict[str, Any], entity_type: str) -> ...
    method scan_resource_conf (line 40) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/base_registry.py
  class Registry (line 9) | class Registry(BaseCheckRegistry):
    method __init__ (line 10) | def __init__(self) -> None:
    method extract_entity_details (line 13) | def extract_entity_details(self, entity: dict[str, Any]) -> tuple[str,...

FILE: checkov/arm/base_resource_check.py
  class BaseResourceCheck (line 13) | class BaseResourceCheck(BaseCheck):
    method __init__ (line 14) | def __init__(
    method scan_entity_conf (line 35) | def scan_entity_conf(self, conf: dict[str, Any], entity_type: str) -> ...
    method scan_resource_conf (line 59) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/base_resource_negative_value_check.py
  class BaseResourceNegativeValueCheck (line 17) | class BaseResourceNegativeValueCheck(BaseResourceCheck):
    method __init__ (line 18) | def __init__(
    method _is_variable_dependant (line 33) | def _is_variable_dependant(value: Any) -> bool:
    method scan_resource_conf (line 36) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_inspected_key (line 56) | def get_inspected_key(self) -> str:
    method get_forbidden_values (line 63) | def get_forbidden_values(self) -> list[Any]:
    method get_evaluated_keys (line 69) | def get_evaluated_keys(self) -> list[str]:

FILE: checkov/arm/base_resource_value_check.py
  class BaseResourceValueCheck (line 16) | class BaseResourceValueCheck(BaseResourceCheck):
    method __init__ (line 17) | def __init__(
    method _is_variable_dependant (line 32) | def _is_variable_dependant(value: Any) -> bool:
    method scan_resource_conf (line 37) | def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
    method get_inspected_key (line 56) | def get_inspected_key(self) -> str:
    method get_expected_values (line 62) | def get_expected_values(self) -> List[Any]:
    method get_expected_value (line 70) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/parameter/SecureStringParameterNoHardcodedValue.py
  class SecureStringParameterNoHardcodedValue (line 9) | class SecureStringParameterNoHardcodedValue(BaseParameterCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 17) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/ACRAdminAccountDisabled.py
  class ACRAdminAccountDisabled (line 7) | class ACRAdminAccountDisabled(BaseResourceNegativeValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 15) | def get_inspected_key(self) -> str:
    method get_forbidden_values (line 18) | def get_forbidden_values(self) -> List[Any]:

FILE: checkov/arm/checks/resource/ACRAnonymousPullDisabled.py
  class ACRAnonymousPullDisabled (line 9) | class ACRAnonymousPullDisabled(BaseResourceCheck):
    method __init__ (line 12) | def __init__(self) -> None:
    method scan_resource_conf (line 19) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 37) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/ACRContainerScanEnabled.py
  class ACRContainerScanEnabled (line 8) | class ACRContainerScanEnabled(BaseResourceCheck):
    method __init__ (line 11) | def __init__(self) -> None:
    method scan_resource_conf (line 18) | def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 27) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/ACREnableImageQuarantine.py
  class ACREnableImageQuarantine (line 6) | class ACREnableImageQuarantine(BaseResourceValueCheck):
    method __init__ (line 7) | def __init__(self) -> None:
    method get_inspected_key (line 14) | def get_inspected_key(self) -> str:
    method get_expected_value (line 17) | def get_expected_value(self) -> str:

FILE: checkov/arm/checks/resource/ACREnableZoneRedundancy.py
  class ACREnableZoneRedundancy (line 9) | class ACREnableZoneRedundancy(BaseResourceCheck):
    method __init__ (line 11) | def __init__(self) -> None:
    method scan_resource_conf (line 22) | def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:

FILE: checkov/arm/checks/resource/ACRPublicNetworkAccessDisabled.py
  class ACRPublicNetworkAccessDisabled (line 7) | class ACRPublicNetworkAccessDisabled(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 15) | def get_inspected_key(self) -> str:
    method get_expected_value (line 18) | def get_expected_value(self) -> str:

FILE: checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py
  class AKSApiServerAuthorizedIpRanges (line 9) | class AKSApiServerAuthorizedIpRanges(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 20) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 44) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/AKSDashboardDisabled.py
  class AKSDashboardDisabled (line 9) | class AKSDashboardDisabled(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 18) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/AKSEncryptionAtHostEnabled.py
  class AKSEncryptionAtHostEnabled (line 5) | class AKSEncryptionAtHostEnabled(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 28) | def get_inspected_key(self) -> str:
    method get_expected_value (line 34) | def get_expected_value(self) -> bool:

FILE: checkov/arm/checks/resource/AKSEphemeralOSDisks.py
  class AKSEphemeralOSDisks (line 5) | class AKSEphemeralOSDisks(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 24) | def get_inspected_key(self) -> str:
    method get_expected_value (line 27) | def get_expected_value(self) -> str:

FILE: checkov/arm/checks/resource/AKSLocalAdminDisabled.py
  class AKSLocalAdminDisabled (line 5) | class AKSLocalAdminDisabled(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 13) | def get_inspected_key(self) -> str:
    method get_expected_value (line 16) | def get_expected_value(self) -> bool:

FILE: checkov/arm/checks/resource/AKSLoggingEnabled.py
  class AKSLoggingEnabled (line 9) | class AKSLoggingEnabled(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 18) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/AKSMaxPodsMinimum.py
  class AKSMaxPodsMinimum (line 8) | class AKSMaxPodsMinimum(BaseResourceCheck):
    method __init__ (line 9) | def __init__(self) -> None:
    method scan_resource_conf (line 17) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 33) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/AKSNetworkPolicy.py
  class AKSNetworkPolicy (line 9) | class AKSNetworkPolicy(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 18) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 35) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/AKSPoolTypeIsScaleSet.py
  class AKSPoolTypeIsScaleSet (line 9) | class AKSPoolTypeIsScaleSet(BaseResourceNegativeValueCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method get_inspected_key (line 17) | def get_inspected_key(self) -> str:
    method get_forbidden_values (line 20) | def get_forbidden_values(self) -> list[Any]:

FILE: checkov/arm/checks/resource/AKSRbacEnabled.py
  class AKSRbacEnabled (line 9) | class AKSRbacEnabled(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 18) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/AKSUpgradeChannel.py
  class AKSUpgradeChannel (line 9) | class AKSUpgradeChannel(BaseResourceNegativeValueCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method get_inspected_key (line 23) | def get_inspected_key(self) -> str:
    method get_forbidden_values (line 26) | def get_forbidden_values(self) -> Any:

FILE: checkov/arm/checks/resource/APIManagementMinTLS12.py
  class APIManagementMinTLS12 (line 9) | class APIManagementMinTLS12(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 17) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/APIManagementPublicAccess.py
  class APIManagementPublicAccess (line 7) | class APIManagementPublicAccess(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 15) | def get_inspected_key(self) -> str:
    method get_expected_value (line 18) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py
  class APIServicesUseVirtualNetwork (line 8) | class APIServicesUseVirtualNetwork(BaseResourceValueCheck):
    method __init__ (line 9) | def __init__(self) -> None:
    method get_inspected_key (line 22) | def get_inspected_key(self) -> str:
    method get_expected_value (line 25) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/AkSSecretStoreRotation.py
  class AkSSecretStoreRotation (line 5) | class AkSSecretStoreRotation(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 13) | def get_inspected_key(self) -> str:

FILE: checkov/arm/checks/resource/AppGWDefinesSecureProtocols.py
  class AppGWDefinesSecureProtocols (line 35) | class AppGWDefinesSecureProtocols(BaseResourceCheck):
    method __init__ (line 36) | def __init__(self) -> None:
    method scan_resource_conf (line 49) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 70) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/AppGatewayWAFACLCVE202144228.py
  class AppGatewayWAFACLCVE202144228 (line 7) | class AppGatewayWAFACLCVE202144228(BaseResourceCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method scan_resource_conf (line 15) | def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/AppServiceAuthentication.py
  class AppServiceAuthentication (line 11) | class AppServiceAuthentication(BaseResourceCheck):
    method __init__ (line 12) | def __init__(self) -> None:
    method scan_resource_conf (line 19) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/AppServiceClientCertificate.py
  class AppServiceClientCertificate (line 9) | class AppServiceClientCertificate(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 19) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 26) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py
  class AppServiceDetailedErrorMessagesEnabled (line 6) | class AppServiceDetailedErrorMessagesEnabled(BaseResourceValueCheck):
    method __init__ (line 7) | def __init__(self) -> None:
    method get_inspected_key (line 14) | def get_inspected_key(self) -> str:

FILE: checkov/arm/checks/resource/AppServiceDisallowCORS.py
  class AppServiceDisallowCORS (line 7) | class AppServiceDisallowCORS(BaseResourceNegativeValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 21) | def get_inspected_key(self) -> str:
    method get_forbidden_values (line 24) | def get_forbidden_values(self) -> List[Any]:

FILE: checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py
  class AppServiceDotnetFrameworkVersion (line 5) | class AppServiceDotnetFrameworkVersion(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 13) | def get_inspected_key(self) -> str:
    method get_expected_value (line 16) | def get_expected_value(self) -> str:

FILE: checkov/arm/checks/resource/AppServiceEnableFailedRequest.py
  class AppServiceEnableFailedRequest (line 7) | class AppServiceEnableFailedRequest(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 19) | def get_inspected_key(self) -> str:

FILE: checkov/arm/checks/resource/AppServiceFTPSState.py
  class AppServiceFTPSState (line 7) | class AppServiceFTPSState(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 15) | def get_inspected_key(self) -> str:
    method get_expected_value (line 18) | def get_expected_value(self) -> Any:
    method get_expected_values (line 21) | def get_expected_values(self) -> List[Any]:

FILE: checkov/arm/checks/resource/AppServiceHTTPSOnly.py
  class AppServiceHTTPSOnly (line 9) | class AppServiceHTTPSOnly(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 18) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 25) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/AppServiceHttpLoggingEnabled.py
  class AppServiceHttpLoggingEnabled (line 6) | class AppServiceHttpLoggingEnabled(BaseResourceValueCheck):
    method __init__ (line 7) | def __init__(self) -> None:
    method get_inspected_key (line 14) | def get_inspected_key(self) -> str:
    method get_expected_value (line 17) | def get_expected_value(self) -> bool:

FILE: checkov/arm/checks/resource/AppServiceHttps20Enabled.py
  class AppServiceHttps20Enabled (line 10) | class AppServiceHttps20Enabled(BaseResourceCheck):
    method __init__ (line 13) | def __init__(self) -> None:
    method scan_resource_conf (line 20) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/AppServiceIdentity.py
  class AppServiceIdentity (line 9) | class AppServiceIdentity(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 20) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 31) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/AppServiceIdentityProviderEnabled.py
  class AppServiceIdentityProviderEnabled (line 7) | class AppServiceIdentityProviderEnabled(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 15) | def get_inspected_key(self) -> str:
    method get_expected_value (line 18) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/AppServiceInstanceMinimum.py
  class AppServiceInstanceMinimum (line 9) | class AppServiceInstanceMinimum(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 21) | def scan_resource_conf(self, conf: Dict[str, Dict[str, Dict[str, int]]...
    method get_evaluated_keys (line 33) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/AppServiceJavaVersion.py
  class AppServiceJavaVersion (line 6) | class AppServiceJavaVersion(BaseResourceValueCheck):
    method __init__ (line 7) | def __init__(self) -> None:
    method get_inspected_key (line 15) | def get_inspected_key(self) -> str:
    method get_expected_value (line 18) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/AppServiceMinTLSVersion.py
  class AppServiceMinTLSVersion (line 7) | class AppServiceMinTLSVersion(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 15) | def get_inspected_key(self) -> str:
    method get_expected_value (line 19) | def get_expected_value(self) -> Any:
    method get_expected_values (line 22) | def get_expected_values(self) -> List[Any]:

FILE: checkov/arm/checks/resource/AppServicePHPVersion.py
  class AppServicePHPVersion (line 6) | class AppServicePHPVersion(BaseResourceValueCheck):
    method __init__ (line 7) | def __init__(self) -> None:
    method get_inspected_key (line 15) | def get_inspected_key(self) -> str:
    method get_expected_values (line 18) | def get_expected_values(self) -> List[Any]:

FILE: checkov/arm/checks/resource/AppServicePlanZoneRedundant.py
  class AppServicePlanZoneRedundant (line 5) | class AppServicePlanZoneRedundant(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 21) | def get_inspected_key(self) -> str:
    method get_expected_value (line 24) | def get_expected_value(self) -> bool:

FILE: checkov/arm/checks/resource/AppServicePublicAccessDisabled.py
  class AppServicePublicAccessDisabled (line 7) | class AppServicePublicAccessDisabled(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 19) | def get_inspected_key(self) -> str:
    method get_expected_value (line 22) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/AppServicePythonVersion.py
  class AppServicePythonVersion (line 7) | class AppServicePythonVersion(BaseResourceValueCheck):
    method __init__ (line 9) | def __init__(self) -> None:
    method get_inspected_key (line 21) | def get_inspected_key(self) -> str:
    method get_expected_values (line 24) | def get_expected_values(self) -> List[Any]:

FILE: checkov/arm/checks/resource/AppServiceRemoteDebuggingNotEnabled.py
  class AppServiceRemoteDebuggingNotEnabled (line 5) | class AppServiceRemoteDebuggingNotEnabled(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 14) | def get_inspected_key(self) -> str:
    method get_expected_value (line 17) | def get_expected_value(self) -> bool:

FILE: checkov/arm/checks/resource/AppServiceSetHealthCheck.py
  class AppServiceSetHealthCheck (line 8) | class AppServiceSetHealthCheck(BaseResourceValueCheck):
    method __init__ (line 9) | def __init__(self) -> None:
    method get_inspected_key (line 20) | def get_inspected_key(self) -> str:
    method get_expected_values (line 23) | def get_expected_values(self) -> Any:

FILE: checkov/arm/checks/resource/AppServiceSlotDebugDisabled.py
  class AppServiceSlotDebugDisabled (line 5) | class AppServiceSlotDebugDisabled(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 14) | def get_inspected_key(self) -> str:
    method get_expected_value (line 17) | def get_expected_value(self) -> bool:

FILE: checkov/arm/checks/resource/AppServiceSlotHTTPSOnly.py
  class AppServiceSlotHTTPSOnly (line 5) | class AppServiceSlotHTTPSOnly(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 13) | def get_inspected_key(self) -> str:

FILE: checkov/arm/checks/resource/AppServiceUsedAzureFiles.py
  class AppServiceUsedAzureFiles (line 9) | class AppServiceUsedAzureFiles(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 17) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 27) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/AutomationEncrypted.py
  class AutomationEncrypted (line 5) | class AutomationEncrypted(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 13) | def get_inspected_key(self) -> str:
    method get_expected_value (line 16) | def get_expected_value(self) -> bool:

FILE: checkov/arm/checks/resource/AzureBatchAccountEndpointAccessDefaultAction.py
  class AzureBatchAccountEndpointAccessDefaultAction (line 9) | class AzureBatchAccountEndpointAccessDefaultAction(BaseResourceCheck):
    method __init__ (line 14) | def __init__(self) -> None:
    method _exists_and_lower_equal (line 22) | def _exists_and_lower_equal(actual_value: Any, expected_lowercase_valu...
    method scan_resource_conf (line 25) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/AzureBatchAccountUsesKeyVaultEncryption.py
  class AzureBatchAccountUsesKeyVaultEncryption (line 7) | class AzureBatchAccountUsesKeyVaultEncryption(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 15) | def get_inspected_key(self) -> str:
    method get_expected_value (line 18) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/AzureDataExplorerDoubleEncryptionEnabled.py
  class AzureDataExplorerDoubleEncryptionEnabled (line 6) | class AzureDataExplorerDoubleEncryptionEnabled(BaseResourceValueCheck):
    method __init__ (line 7) | def __init__(self) -> None:
    method get_inspected_key (line 14) | def get_inspected_key(self) -> str:
    method get_expected_value (line 17) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/AzureDefenderOnKeyVaults.py
  class AzureDefenderOnKeyVaults (line 9) | class AzureDefenderOnKeyVaults(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 17) | def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 27) | def get_evaluated_keys(self) -> list[str]:

FILE: checkov/arm/checks/resource/AzureDefenderOnKubernetes.py
  class AzureDefenderOnKubernetes (line 7) | class AzureDefenderOnKubernetes(BaseResourceCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method scan_resource_conf (line 15) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 22) | def get_evaluated_keys(self) -> list[str]:

FILE: checkov/arm/checks/resource/AzureDefenderOnSqlServersVMS.py
  class AzureDefenderOnSqlServersVMS (line 6) | class AzureDefenderOnSqlServersVMS(BaseResourceCheck):
    method __init__ (line 7) | def __init__(self) -> None:
    method scan_resource_conf (line 19) | def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 27) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/AzureDefenderOnStorage.py
  class AzureDefenderOnStorage (line 6) | class AzureDefenderOnStorage(BaseResourceCheck):
    method __init__ (line 7) | def __init__(self) -> None:
    method scan_resource_conf (line 14) | def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 23) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py
  class AzureFirewallDenyThreatIntelMode (line 7) | class AzureFirewallDenyThreatIntelMode(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 19) | def get_inspected_key(self) -> str:
    method get_expected_value (line 22) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py
  class AzureFrontDoorEnablesWAF (line 8) | class AzureFrontDoorEnablesWAF(BaseResourceValueCheck):
    method __init__ (line 9) | def __init__(self) -> None:
    method get_inspected_key (line 16) | def get_inspected_key(self) -> str:
    method get_expected_value (line 19) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/AzureInstanceExtensions.py
  class AzureInstanceExtensions (line 5) | class AzureInstanceExtensions(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 13) | def get_inspected_key(self) -> str:
    method get_expected_value (line 16) | def get_expected_value(self) -> bool:

FILE: checkov/arm/checks/resource/AzureInstancePassword.py
  class AzureInstancePassword (line 7) | class AzureInstancePassword(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method scan_resource_conf (line 15) | def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
    method get_inspected_key (line 30) | def get_inspected_key(self) -> str:
    method get_expected_value (line 33) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py
  class AzureMLWorkspacePrivateEndpoint (line 8) | class AzureMLWorkspacePrivateEndpoint(BaseResourceCheck):
    method __init__ (line 9) | def __init__(self) -> None:
    method scan_resource_conf (line 16) | def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 32) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/AzureManagedDiscEncryption.py
  class AzureManagedDiscEncryption (line 10) | class AzureManagedDiscEncryption(BaseResourceCheck):
    method __init__ (line 11) | def __init__(self) -> None:
    method scan_resource_conf (line 18) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py
  class AzureManagedDiskEncryptionSet (line 8) | class AzureManagedDiskEncryptionSet(BaseResourceValueCheck):
    method __init__ (line 9) | def __init__(self) -> None:
    method get_inspected_key (line 19) | def get_inspected_key(self) -> str:
    method get_expected_value (line 22) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/AzureScaleSetPassword.py
  class AzureScaleSetPassword (line 7) | class AzureScaleSetPassword(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method scan_resource_conf (line 15) | def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
    method get_inspected_key (line 31) | def get_inspected_key(self) -> str:
    method get_expected_value (line 34) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/AzureSearchSLAIndex.py
  class AzureSearchSLAIndex (line 9) | class AzureSearchSLAIndex(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 24) | def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/AzureSearchSLAQueryUpdates.py
  class AzureSearchSQLQueryUpdates (line 9) | class AzureSearchSQLQueryUpdates(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 23) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/AzureServiceFabricClusterProtectionLevel.py
  class AzureServiceFabricClusterProtectionLevel (line 7) | class AzureServiceFabricClusterProtectionLevel(BaseResourceCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method scan_resource_conf (line 15) | def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:

FILE: checkov/arm/checks/resource/AzureSparkPoolIsolatedComputeEnabled.py
  class AzureSparkPoolIsolatedComputeEnabled (line 5) | class AzureSparkPoolIsolatedComputeEnabled(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 13) | def get_inspected_key(self) -> str:

FILE: checkov/arm/checks/resource/AzureSynapseWorkspaceVAisEnabled.py
  class SynapseWorkspaceVAisEnabled (line 5) | class SynapseWorkspaceVAisEnabled(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 13) | def get_inspected_key(self) -> str:

FILE: checkov/arm/checks/resource/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.py
  class AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached (line 6) | class AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached(BaseResourceCh...
    method __init__ (line 7) | def __init__(self) -> None:
    method scan_resource_conf (line 14) | def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:

FILE: checkov/arm/checks/resource/CognitiveServicesConfigureIdentity.py
  class CognitiveServicesConfigureIdentity (line 7) | class CognitiveServicesConfigureIdentity(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 15) | def get_inspected_key(self) -> str:
    method get_expected_value (line 18) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py
  class CognitiveServicesDisablesPublicNetwork (line 7) | class CognitiveServicesDisablesPublicNetwork(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 15) | def get_inspected_key(self) -> str:
    method get_expected_value (line 18) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/CognitiveServicesEnableLocalAuth.py
  class CognitiveServicesEnableLocalAuth (line 7) | class CognitiveServicesEnableLocalAuth(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 20) | def get_inspected_key(self) -> str:
    method get_expected_value (line 23) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/CosmosDBAccountsRestrictedAccess.py
  class CosmosDBAccountsRestrictedAccess (line 7) | class CosmosDBAccountsRestrictedAccess(BaseResourceCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method scan_resource_conf (line 15) | def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py
  class CosmosDBDisableAccessKeyWrite (line 9) | class CosmosDBDisableAccessKeyWrite(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 17) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 23) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py
  class CosmosDBDisablesPublicNetwork (line 5) | class CosmosDBDisablesPublicNetwork(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 13) | def get_inspected_key(self) -> str:
    method get_expected_value (line 16) | def get_expected_value(self) -> str:

FILE: checkov/arm/checks/resource/CosmosDBHaveCMK.py
  class CosmosDBHaveCMK (line 8) | class CosmosDBHaveCMK(BaseResourceValueCheck):
    method __init__ (line 9) | def __init__(self) -> None:
    method get_inspected_key (line 16) | def get_inspected_key(self) -> str:
    method get_expected_value (line 19) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/CosmosDBLocalAuthDisabled.py
  class CosmosDBLocalAuthDisabled (line 7) | class CosmosDBLocalAuthDisabled(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method scan_resource_conf (line 15) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_inspected_key (line 20) | def get_inspected_key(self) -> str:
    method get_expected_value (line 23) | def get_expected_value(self) -> bool:

FILE: checkov/arm/checks/resource/CustomRoleDefinitionSubscriptionOwner.py
  class CustomRoleDefinitionSubscriptionOwner (line 16) | class CustomRoleDefinitionSubscriptionOwner(BaseResourceCheck):
    method __init__ (line 17) | def __init__(self) -> None:
    method scan_resource_conf (line 24) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 38) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/DataExplorerUsesDiskEncryption.py
  class DataExplorerUsesDiskEncryption (line 5) | class DataExplorerUsesDiskEncryption(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 13) | def get_inspected_key(self) -> str:
    method get_expected_value (line 16) | def get_expected_value(self) -> bool:

FILE: checkov/arm/checks/resource/DataFactoryNoPublicNetworkAccess.py
  class DataFactoryNoPublicNetworkAccess (line 7) | class DataFactoryNoPublicNetworkAccess(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 15) | def get_inspected_key(self) -> str:
    method get_expected_value (line 18) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/DataFactoryUsesGitRepository.py
  class DataFactoryUsesGitRepository (line 9) | class DataFactoryUsesGitRepository(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 17) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/DataLakeStoreEncryption.py
  class DataLakeStoreEncryption (line 5) | class DataLakeStoreEncryption(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 13) | def get_inspected_key(self) -> str:
    method get_expected_value (line 16) | def get_expected_value(self) -> str:

FILE: checkov/arm/checks/resource/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py
  class DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey (line 10) | class DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey(BaseRes...
    method __init__ (line 11) | def __init__(self) -> None:
    method scan_resource_conf (line 19) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 31) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/DatabricksWorkspaceIsNotPublic.py
  class DatabricksWorkspaceIsNotPublic (line 10) | class DatabricksWorkspaceIsNotPublic(BaseResourceCheck):
    method __init__ (line 11) | def __init__(self) -> None:
    method scan_resource_conf (line 19) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 26) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/EventHubNamespaceMinTLS12.py
  class EventHubNamespaceMinTLS12 (line 9) | class EventHubNamespaceMinTLS12(BaseResourceValueCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method get_inspected_key (line 18) | def get_inspected_key(self) -> str:
    method get_expected_value (line 21) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/EventgridTopicIdentityProviderEnabled.py
  class EventgridTopicIdentityProviderEnabled (line 8) | class EventgridTopicIdentityProviderEnabled(BaseResourceValueCheck):
    method __init__ (line 9) | def __init__(self) -> None:
    method get_inspected_key (line 16) | def get_inspected_key(self) -> str:
    method get_expected_value (line 19) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/EventgridTopicLocalAuthentication.py
  class EventgridTopicLocalAuthentication (line 5) | class EventgridTopicLocalAuthentication(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 13) | def get_inspected_key(self) -> str:
    method get_expected_value (line 16) | def get_expected_value(self) -> bool:

FILE: checkov/arm/checks/resource/EventgridTopicNetworkAccess.py
  class EventgridTopicNetworkAccess (line 5) | class EventgridTopicNetworkAccess(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 13) | def get_inspected_key(self) -> str:
    method get_expected_value (line 16) | def get_expected_value(self) -> str:

FILE: checkov/arm/checks/resource/FrontDoorWAFACLCVE202144228.py
  class FrontDoorWAFACLCVE202144228 (line 8) | class FrontDoorWAFACLCVE202144228(BaseResourceCheck):
    method __init__ (line 9) | def __init__(self) -> None:
    method scan_resource_conf (line 16) | def scan_resource_conf(self, conf: Dict[Any, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/FrontdoorUseWAFMode.py
  class FrontdoorUseWAFMode (line 9) | class FrontdoorUseWAFMode(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 17) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 26) | def get_evaluated_keys(self) -> list[str]:

FILE: checkov/arm/checks/resource/FunctionAppDisallowCORS.py
  class FunctionAppDisallowCORS (line 6) | class FunctionAppDisallowCORS(BaseResourceNegativeValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 17) | def get_inspected_key(self) -> str:
    method get_forbidden_values (line 20) | def get_forbidden_values(self) -> List[Any]:

FILE: checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py
  class FunctionAppHttpVersionLatest (line 5) | class FunctionAppHttpVersionLatest(BaseResourceValueCheck):
    method __init__ (line 7) | def __init__(self) -> None:
    method get_inspected_key (line 18) | def get_inspected_key(self) -> str:

FILE: checkov/arm/checks/resource/FunctionAppMinTLSVersion.py
  class FunctionAppMinTLSVersion (line 7) | class FunctionAppMinTLSVersion(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 16) | def get_inspected_key(self) -> str:
    method get_expected_value (line 19) | def get_expected_value(self) -> Any:
    method get_expected_values (line 22) | def get_expected_values(self) -> List[Any]:

FILE: checkov/arm/checks/resource/FunctionAppsAccessibleOverHttps.py
  class FunctionAppsAccessibleOverHttps (line 9) | class FunctionAppsAccessibleOverHttps(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 21) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 44) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/FunctionAppsEnableAuthentication.py
  class FunctionAppsEnableAuthentication (line 9) | class FunctionAppsEnableAuthentication(BaseResourceCheck):
    method __init__ (line 11) | def __init__(self) -> None:
    method scan_resource_conf (line 18) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 31) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/KeyBackedByHSM.py
  class KeyBackedByHSM (line 9) | class KeyBackedByHSM(BaseResourceValueCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method get_inspected_key (line 17) | def get_inspected_key(self) -> str:
    method get_expected_value (line 20) | def get_expected_value(self) -> Any:
    method get_expected_values (line 23) | def get_expected_values(self) -> list[Any]:

FILE: checkov/arm/checks/resource/KeyExpirationDate.py
  class KeyExpirationDate (line 6) | class KeyExpirationDate(BaseResourceValueCheck):
    method __init__ (line 7) | def __init__(self) -> None:
    method get_inspected_key (line 14) | def get_inspected_key(self) -> str:
    method get_expected_value (line 17) | def get_expected_value(self) -> str:

FILE: checkov/arm/checks/resource/KeyVaultDisablesPublicNetworkAccess.py
  class KeyVaultDisablesPublicNetworkAccess (line 6) | class KeyVaultDisablesPublicNetworkAccess(BaseResourceValueCheck):
    method __init__ (line 7) | def __init__(self) -> None:
    method get_inspected_key (line 14) | def get_inspected_key(self) -> str:
    method get_expected_value (line 17) | def get_expected_value(self) -> str:
    method scan_resource_conf (line 20) | def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py
  class KeyVaultEnablesFirewallRulesSettings (line 7) | class KeyVaultEnablesFirewallRulesSettings(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 15) | def get_inspected_key(self) -> str:
    method get_expected_value (line 18) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/KeyVaultEnablesPurgeProtection.py
  class KeyVaultEnablesPurgeProtection (line 7) | class KeyVaultEnablesPurgeProtection(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 15) | def get_inspected_key(self) -> Any:
    method get_expected_value (line 18) | def get_expected_value(self) -> bool:

FILE: checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py
  class KeyVaultEnablesSoftDelete (line 6) | class KeyVaultEnablesSoftDelete(BaseResourceValueCheck):
    method __init__ (line 7) | def __init__(self) -> None:
    method get_inspected_key (line 15) | def get_inspected_key(self) -> str:

FILE: checkov/arm/checks/resource/KeyvaultRecoveryEnabled.py
  class KeyVaultRecoveryEnabled (line 9) | class KeyVaultRecoveryEnabled(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 18) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 27) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/LinuxVMUsesSSH.py
  class LinuxVMUsesSSH (line 7) | class LinuxVMUsesSSH(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 15) | def get_inspected_key(self) -> str:
    method get_expected_value (line 20) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/MSSQLServerMinTLSVersion.py
  class MSSQLServerMinTLSVersion (line 7) | class MSSQLServerMinTLSVersion(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 19) | def get_inspected_key(self) -> str:
    method get_expected_value (line 22) | def get_expected_value(self) -> str:
    method get_expected_values (line 25) | def get_expected_values(self) -> List[Any]:

FILE: checkov/arm/checks/resource/MariaDBGeoBackupEnabled.py
  class MariaDBGeoBackupEnabled (line 5) | class MariaDBGeoBackupEnabled(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 13) | def get_inspected_key(self) -> str:
    method get_expected_value (line 16) | def get_expected_value(self) -> str:

FILE: checkov/arm/checks/resource/MariaDBPublicAccessDisabled.py
  class MariaDBPublicAccessDisabled (line 5) | class MariaDBPublicAccessDisabled(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 13) | def get_inspected_key(self) -> str:
    method get_expected_value (line 16) | def get_expected_value(self) -> str:

FILE: checkov/arm/checks/resource/MariaDBSSLEnforcementEnabled.py
  class MariaDBSSLEnforcementEnabled (line 7) | class MariaDBSSLEnforcementEnabled(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 15) | def get_inspected_key(self) -> str:
    method get_expected_value (line 18) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/MonitorLogProfileCategories.py
  class MonitorLogProfileRetentionDays (line 11) | class MonitorLogProfileRetentionDays(BaseResourceCheck):
    method __init__ (line 12) | def __init__(self) -> None:
    method scan_resource_conf (line 19) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 26) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/MonitorLogProfileRetentionDays.py
  class MonitorLogProfileRetentionDays (line 12) | class MonitorLogProfileRetentionDays(BaseResourceCheck):
    method __init__ (line 13) | def __init__(self) -> None:
    method scan_resource_conf (line 20) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/MySQLEncryptionEnabled.py
  class MySQLEncryptionEnabled (line 8) | class MySQLEncryptionEnabled(BaseResourceCheck):
    method __init__ (line 9) | def __init__(self) -> None:
    method scan_resource_conf (line 16) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/MySQLGeoBackupEnabled.py
  class MySQLGeoBackupEnabled (line 5) | class MySQLGeoBackupEnabled(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 13) | def get_inspected_key(self) -> str:

FILE: checkov/arm/checks/resource/MySQLPublicAccessDisabled.py
  class MySQLPublicAccessDisabled (line 7) | class MySQLPublicAccessDisabled(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 15) | def get_inspected_key(self) -> str:
    method get_expected_value (line 21) | def get_expected_value(self) -> str:
    method get_expected_values (line 24) | def get_expected_values(self) -> List[str]:

FILE: checkov/arm/checks/resource/MySQLServerMinTLSVersion.py
  class MySQLServerMinTLSVersion (line 5) | class MySQLServerMinTLSVersion(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 16) | def get_inspected_key(self) -> str:
    method get_expected_value (line 19) | def get_expected_value(self) -> str:

FILE: checkov/arm/checks/resource/MySQLServerSSLEnforcementEnabled.py
  class MySQLServerSSLEnforcementEnabled (line 7) | class MySQLServerSSLEnforcementEnabled(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 15) | def get_inspected_key(self) -> str:
    method get_expected_value (line 18) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py
  class NSGRuleHTTPAccessRestricted (line 4) | class NSGRuleHTTPAccessRestricted(NSGRulePortAccessRestricted):
    method __init__ (line 5) | def __init__(self) -> None:

FILE: checkov/arm/checks/resource/NSGRulePortAccessRestricted.py
  class NSGRulePortAccessRestricted (line 14) | class NSGRulePortAccessRestricted(BaseResourceCheck):
    method __init__ (line 15) | def __init__(self, name: str, check_id: str, port: int) -> None:
    method is_port_in_range (line 24) | def is_port_in_range(self, port_range: Union[int, str]) -> bool:
    method scan_resource_conf (line 34) | def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py
  class NSGRuleRDPAccessRestricted (line 4) | class NSGRuleRDPAccessRestricted(NSGRulePortAccessRestricted):
    method __init__ (line 5) | def __init__(self) -> None:

FILE: checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py
  class NSGRuleSSHAccessRestricted (line 4) | class NSGRuleSSHAccessRestricted(NSGRulePortAccessRestricted):
    method __init__ (line 5) | def __init__(self) -> None:

FILE: checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py
  class NetworkWatcherFlowLogPeriod (line 10) | class NetworkWatcherFlowLogPeriod(BaseResourceCheck):
    method __init__ (line 11) | def __init__(self) -> None:
    method scan_resource_conf (line 24) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 37) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py
  class PostgreSQLEncryptionEnabled (line 5) | class PostgreSQLEncryptionEnabled(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 13) | def get_inspected_key(self) -> str:
    method get_expected_value (line 16) | def get_expected_value(self) -> str:

FILE: checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py
  class PostgreSQLServerConnectionThrottlingEnabled (line 9) | class PostgreSQLServerConnectionThrottlingEnabled(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 19) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py
  class PostgreSQLServerLogCheckpointsEnabled (line 9) | class PostgreSQLServerLogCheckpointsEnabled(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 20) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py
  class PostgreSQLServerLogConnectionsEnabled (line 9) | class PostgreSQLServerLogConnectionsEnabled(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 20) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 44) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/PostgreSQLServerPublicAccessDisabled.py
  class PostgreSQLServerHasPublicAccessDisabled (line 5) | class PostgreSQLServerHasPublicAccessDisabled(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 14) | def get_inspected_key(self) -> str:
    method get_expected_value (line 17) | def get_expected_value(self) -> str:

FILE: checkov/arm/checks/resource/PostgreSQLServerSSLEnforcementEnabled.py
  class PostgreSQLServerSSLEnforcementEnabled (line 7) | class PostgreSQLServerSSLEnforcementEnabled(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 15) | def get_inspected_key(self) -> str:
    method get_expected_value (line 18) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/PostgressSQLGeoBackupEnabled.py
  class PostgressSQLGeoBackupEnabled (line 7) | class PostgressSQLGeoBackupEnabled(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 15) | def get_inspected_key(self) -> Any:
    method get_expected_value (line 18) | def get_expected_value(self) -> str:

FILE: checkov/arm/checks/resource/PubsubSKUSLA.py
  class PubsubSKUSLA (line 9) | class PubsubSKUSLA(BaseResourceNegativeValueCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method get_inspected_key (line 17) | def get_inspected_key(self) -> str:
    method get_forbidden_values (line 20) | def get_forbidden_values(self) -> Any:

FILE: checkov/arm/checks/resource/PubsubSpecifyIdentity.py
  class PubsubSpecifyIdentity (line 8) | class PubsubSpecifyIdentity(BaseResourceValueCheck):
    method __init__ (line 9) | def __init__(self) -> None:
    method get_inspected_key (line 16) | def get_inspected_key(self) -> str:
    method get_expected_value (line 19) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py
  class RedisCachePublicNetworkAccessEnabled (line 5) | class RedisCachePublicNetworkAccessEnabled(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 13) | def get_inspected_key(self) -> str:
    method get_expected_value (line 16) | def get_expected_value(self) -> str:

FILE: checkov/arm/checks/resource/SQLDatabaseZoneRedundant.py
  class SQLDatabaseZoneRedundant (line 7) | class SQLDatabaseZoneRedundant(BaseResourceValueCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method get_inspected_key (line 39) | def get_inspected_key(self) -> str:

FILE: checkov/arm/checks/resource/SQLServerAuditingEnabled.py
  class SQLServerAuditingEnabled (line 12) | class SQLServerAuditingEnabled(BaseResourceCheck):
    method __init__ (line 17) | def __init__(self) -> None:
    method scan_resource_conf (line 24) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 41) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/SQLServerAuditingRetention90Days.py
  class SQLServerAuditingRetention90Days (line 11) | class SQLServerAuditingRetention90Days(BaseResourceCheck):
    method __init__ (line 12) | def __init__(self) -> None:
    method scan_resource_conf (line 19) | def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
    method check_resource (line 45) | def check_resource(resource: Dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/SQLServerEmailAlertsEnabled.py
  class SQLServerEmailAlertsEnabled (line 11) | class SQLServerEmailAlertsEnabled(BaseResourceCheck):
    method __init__ (line 12) | def __init__(self) -> None:
    method scan_resource_conf (line 19) | def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/SQLServerEmailAlertsToAdminsEnabled.py
  class SQLServerEmailAlertsToAdminsEnabled (line 11) | class SQLServerEmailAlertsToAdminsEnabled(BaseResourceCheck):
    method __init__ (line 12) | def __init__(self) -> None:
    method scan_resource_conf (line 19) | def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py
  class SQLServerHasPublicAccessDisabled (line 5) | class SQLServerHasPublicAccessDisabled(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 14) | def get_inspected_key(self) -> str:
    method get_expected_value (line 17) | def get_expected_value(self) -> str:

FILE: checkov/arm/checks/resource/SQLServerNoPublicAccess.py
  class SQLServerNoPublicAccess (line 9) | class SQLServerNoPublicAccess(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 21) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/SQLServerThreatDetectionTypes.py
  class SQLServerThreatDetectionTypes (line 11) | class SQLServerThreatDetectionTypes(BaseResourceCheck):
    method __init__ (line 12) | def __init__(self) -> None:
    method scan_resource_conf (line 19) | def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/SQLServerUsesADAuth.py
  class SQLServerUsesADAuth (line 10) | class SQLServerUsesADAuth(BaseResourceNegativeValueCheck):
    method __init__ (line 11) | def __init__(self) -> None:
    method get_inspected_key (line 22) | def get_inspected_key(self) -> str:
    method get_forbidden_values (line 25) | def get_forbidden_values(self) -> list[Any]:

FILE: checkov/arm/checks/resource/SecretContentType.py
  class SecretContentType (line 9) | class SecretContentType(BaseResourceValueCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method get_inspected_key (line 17) | def get_inspected_key(self) -> str:
    method get_expected_value (line 20) | def get_expected_value(self) -> Any:

FILE: checkov/arm/checks/resource/SecretExpirationDate.py
  class SecretExpirationDate (line 9) | class SecretExpirationDate(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 18) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/SecurityCenterContactEmailAlert.py
  class SecurityCenterContactEmailAlert (line 9) | class SecurityCenterContactEmailAlert(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 18) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 25) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/SecurityCenterContactEmailAlertAdmins.py
  class SecurityCenterContactEmailAlertAdmins (line 9) | class SecurityCenterContactEmailAlertAdmins(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 18) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 25) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/SecurityCenterContactPhone.py
  class SecurityCenterContactPhone (line 9) | class SecurityCenterContactPhone(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 18) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 25) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/SecurityCenterStandardPricing.py
  class SecurityCenterStandardPricing (line 9) | class SecurityCenterStandardPricing(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 18) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/StorageAccountAzureServicesAccessEnabled.py
  class StorageAccountAzureServicesAccessEnabled (line 11) | class StorageAccountAzureServicesAccessEnabled(BaseResourceCheck):
    method __init__ (line 12) | def __init__(self) -> None:
    method scan_resource_conf (line 21) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/StorageAccountDefaultNetworkAccessDeny.py
  class StorageAccountDefaultNetworkAccessDeny (line 12) | class StorageAccountDefaultNetworkAccessDeny(BaseResourceCheck):
    method __init__ (line 13) | def __init__(self) -> None:
    method scan_resource_conf (line 22) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 41) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/StorageAccountDisablePublicAccess.py
  class StorageAccountDisablePublicAccess (line 9) | class StorageAccountDisablePublicAccess(BaseResourceNegativeValueCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method get_inspected_key (line 17) | def get_inspected_key(self) -> str:
    method get_forbidden_values (line 20) | def get_forbidden_values(self) -> list[Any]:

FILE: checkov/arm/checks/resource/StorageAccountLoggingQueueServiceEnabled.py
  class StorageAccountLoggingQueueServiceEnabled (line 9) | class StorageAccountLoggingQueueServiceEnabled(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 24) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 40) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/StorageAccountMinimumTlsVersion.py
  class StorageAccountMinimumTlsVersion (line 9) | class StorageAccountMinimumTlsVersion(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 24) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 31) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/StorageAccountName.py
  class StorageAccountName (line 15) | class StorageAccountName(BaseResourceCheck):
    method __init__ (line 16) | def __init__(self) -> None:
    method scan_resource_conf (line 29) | def scan_resource_conf(self, conf: dict[str, typing.Any]) -> CheckResult:
    method get_evaluated_keys (line 47) | def get_evaluated_keys(self) -> typing.List[str]:

FILE: checkov/arm/checks/resource/StorageAccountsTransportEncryption.py
  class StorageAccountsTransportEncryption (line 10) | class StorageAccountsTransportEncryption(BaseResourceCheck):
    method __init__ (line 11) | def __init__(self) -> None:
    method scan_resource_conf (line 20) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/StorageAccountsUseReplication.py
  class StorageAccountsUseReplication (line 6) | class StorageAccountsUseReplication(BaseResourceValueCheck):
    method __init__ (line 7) | def __init__(self) -> None:
    method get_inspected_key (line 14) | def get_inspected_key(self) -> str:
    method get_expected_value (line 17) | def get_expected_value(self) -> Any:
    method get_expected_values (line 20) | def get_expected_values(self) -> List[Any]:

FILE: checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py
  class StorageBlobServiceContainerPrivateAccess (line 9) | class StorageBlobServiceContainerPrivateAccess(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 23) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/StorageSyncPublicAccessDisabled.py
  class NetworkInterfaceEnableIPForwarding (line 5) | class NetworkInterfaceEnableIPForwarding(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 14) | def get_inspected_key(self) -> str:
    method get_expected_value (line 17) | def get_expected_value(self) -> str:

FILE: checkov/arm/checks/resource/SynapseWorkspaceAdministratorLoginPasswordHidden.py
  class SynapseWorkspaceAdministratorLoginPasswordHidden (line 9) | class SynapseWorkspaceAdministratorLoginPasswordHidden(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 17) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 22) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/SynapseWorkspaceCMKEncryption.py
  class SynapseWorkspaceCMKEncryption (line 7) | class SynapseWorkspaceCMKEncryption(BaseResourceCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method scan_resource_conf (line 15) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 23) | def get_evaluated_keys(self) -> list[str]:

FILE: checkov/arm/checks/resource/SynapseWorkspaceEnablesDataExfilProtection.py
  class SynapseWorkspaceEnablesDataExfilProtection (line 5) | class SynapseWorkspaceEnablesDataExfilProtection(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 13) | def get_inspected_key(self) -> str:

FILE: checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py
  class SynapseWorkspaceEnablesManagedVirtualNetworks (line 9) | class SynapseWorkspaceEnablesManagedVirtualNetworks(BaseResourceNegative...
    method __init__ (line 10) | def __init__(self) -> None:
    method get_inspected_key (line 17) | def get_inspected_key(self) -> str:
    method get_forbidden_values (line 20) | def get_forbidden_values(self) -> list[Any]:

FILE: checkov/arm/checks/resource/VMCredsInCustomData.py
  class VMCredsInCustomData (line 8) | class VMCredsInCustomData(BaseResourceCheck):
    method __init__ (line 9) | def __init__(self) -> None:
    method scan_resource_conf (line 16) | def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
    method get_evaluated_keys (line 28) | def get_evaluated_keys(self) -> List[str]:

FILE: checkov/arm/checks/resource/VMDisablePasswordAuthentication.py
  class VMDisablePasswordAuthentication (line 9) | class VMDisablePasswordAuthentication(BaseResourceCheck):
    method __init__ (line 10) | def __init__(self) -> None:
    method scan_resource_conf (line 20) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py
  class VMEncryptionAtHostEnabled (line 11) | class VMEncryptionAtHostEnabled(BaseResourceCheck):
    method __init__ (line 12) | def __init__(self) -> None:
    method scan_resource_conf (line 19) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py
  class VMScaleSetsAutoOSImagePatchingEnabled (line 10) | class VMScaleSetsAutoOSImagePatchingEnabled(BaseResourceCheck):
    method __init__ (line 11) | def __init__(self) -> None:
    method scan_resource_conf (line 18) | def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/VMStorageOsDisk.py
  class VMStorageOsDisk (line 7) | class VMStorageOsDisk(BaseResourceCheck):
    method __init__ (line 8) | def __init__(self) -> None:
    method scan_resource_conf (line 15) | def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:

FILE: checkov/arm/checks/resource/VnetLocalDNS.py
  class VnetLocalDNS (line 8) | class VnetLocalDNS(BaseResourceCheck):
    method __init__ (line 9) | def __init__(self) -> None:
    method scan_resource_conf (line 21) | def scan_resource_conf(self, conf: Dict[str, Dict[str, Dict[str, List[...

FILE: checkov/arm/checks/resource/VnetSingleDNSServer.py
  class VnetSingleDNSServer (line 7) | class VnetSingleDNSServer(BaseResourceCheck):
    method __init__ (line 9) | def __init__(self) -> None:
    method scan_resource_conf (line 18) | def scan_resource_conf(self, conf: Dict[str, Dict[str, Dict[str, List[...

FILE: checkov/arm/checks/resource/WinVMAutomaticUpdates.py
  class WinVMAutomaticUpdates (line 5) | class WinVMAutomaticUpdates(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 14) | def get_inspected_key(self) -> str:

FILE: checkov/arm/checks/resource/WinVMEncryptionAtHost.py
  class WinVMEncryptionAtHost (line 5) | class WinVMEncryptionAtHost(BaseResourceValueCheck):
    method __init__ (line 6) | def __init__(self) -> None:
    method get_inspected_key (line 20) | def get_inspected_key(self) -> str:

FILE: checkov/arm/context_parser.py
  class ContextParser (line 22) | class ContextParser:
    method __init__ (line 27) | def __init__(self, arm_file: str, arm_template: dict[str, Any], arm_te...
    method evaluate_default_parameters (line 32) | def evaluate_default_parameters(self) -> None:
    method extract_arm_resource_id (line 85) | def extract_arm_resource_id(arm_resource: dict[str, Any]) -> str | None:
    method extract_arm_resource_name (line 97) | def extract_arm_resource_name(arm_resource: dict[str, Any]) -> str | N...
    method extract_arm_resource_code_lines (line 105) | def extract_arm_resource_code_lines(
    method find_lines (line 120) | def find_lines(node: dict[str, Any] | list[dict[str, Any]], kv: str) -...
    method collect_skip_comments (line 133) | def collect_skip_comments(resource: dict[str, Any]) -> list[_SkippedCh...
    method search_deep_keys (line 157) | def search_deep_keys(search_text: str, arm_dict: dict[str, Any], path:...
    method search_deep_values (line 186) | def search_deep_values(search_text: str, arm_dict: dict[str, Any], pat...
    method _set_in_dict (line 224) | def _set_in_dict(self, data_dict: dict[str, Any], map_list: list[str |...
    method _get_from_dict (line 228) | def _get_from_dict(data_dict: dict[str, Any], map_list: list[str | int...

FILE: checkov/arm/graph_builder/definition_context.py
  function build_definitions_context (line 13) | def build_definitions_context(definitions: dict[str, dict[str, Any]], de...
  function add_resource_to_definitions_context (line 36) | def add_resource_to_definitions_context(definitions_context: dict[str, d...

FILE: checkov/arm/graph_builder/graph_components/block_types.py
  class BlockType (line 10) | class BlockType(CommonBlockType):

FILE: checkov/arm/graph_builder/graph_components/blocks.py
  class ArmBlock (line 9) | class ArmBlock(Block):
    method __init__ (line 10) | def __init__(
    method should_run_get_inner_attributes (line 21) | def should_run_get_inner_attributes(self, attribute_value: Any) -> bool:

FILE: checkov/arm/graph_builder/graph_to_definitions.py
  function convert_graph_vertices_to_definitions (line 14) | def convert_graph_vertices_to_definitions(vertices: list[ArmBlock], root...
  function add_breadcrumbs (line 32) | def add_breadcrumbs(vertex: ArmBlock, breadcrumbs: dict[str, dict[str, A...

FILE: checkov/arm/graph_builder/local_graph.py
  class ArmLocalGraph (line 29) | class ArmLocalGraph(LocalGraph[ArmBlock]):
    method __init__ (line 30) | def __init__(self, definitions: dict[str, dict[str, Any]]) -> None:
    method build_graph (line 37) | def build_graph(self, render_variables: bool = True) -> None:
    method _create_vertices (line 55) | def _create_vertices(self) -> None:
    method _create_variables_vertices (line 70) | def _create_variables_vertices(self, file_path: str, variables: dict[s...
    method _create_parameter_vertices (line 95) | def _create_parameter_vertices(self, file_path: str, parameters: dict[...
    method _create_resource_vertices (line 119) | def _create_resource_vertices(self, file_path: str, resources: list[di...
    method _create_edges (line 145) | def _create_edges(self) -> None:
    method _create_explicit_edge (line 151) | def _create_explicit_edge(self, origin_vertex_index: int, resource_nam...
    method _create_vars_and_parameters_edges (line 166) | def _create_vars_and_parameters_edges(self) -> None:
    method _create_edge (line 178) | def _create_edge(self, element_name: str, origin_vertex_index: int, la...
    method _create_implicit_edges (line 187) | def _create_implicit_edges(self, origin_vertex_index: int, resource_na...
    method _create_implicit_edge (line 193) | def _create_implicit_edge(self, origin_vertex_index: int, resource_nam...
    method _update_resource_vertices_names (line 197) | def _update_resource_vertices_names(self) -> None:
    method update_vertices_configs (line 210) | def upda
Condensed preview — 9724 files, each showing path, character count, and a content snippet. Download the .json file for the full structured content (40,133K chars).
[
  {
    "path": ".cfnlintrc",
    "chars": 1843,
    "preview": "templates:\n  - tests/cloudformation/checks/resource/aws/**/*.json\n  - tests/cloudformation/checks/resource/aws/**/*.yaml"
  },
  {
    "path": ".coveragerc",
    "chars": 107,
    "preview": "[run]\nbranch = True\n[report]\nomit =\n    tests/*\n    */.pytest_cache/*\n    */.local/*\n    docs/*\n    hooks/*"
  },
  {
    "path": ".dockerignore",
    "chars": 45,
    "preview": "bin/\ncheckov/\ndocs/\nintegration_tests/\ntests/"
  },
  {
    "path": ".flake8",
    "chars": 645,
    "preview": "# can be moved to pyproject.toml some day\n# https://github.com/PyCQA/flake8/issues/234\n[flake8]\nmax-line-length = 120\n# "
  },
  {
    "path": ".github/ISSUE_TEMPLATE/best_practices_issue.md",
    "chars": 568,
    "preview": "---\nname: Best practices improvement\nabout: Issues that will help achieve best practices using checkov.\ntitle: ''\nlabels"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/checks_issue.md",
    "chars": 542,
    "preview": "---\nname: Checks Issue\nabout: Create an issue regarding a check (existing or missing)\ntitle: ''\nlabels: 'checks'\nassigne"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/crash_report.md",
    "chars": 733,
    "preview": "---\nname: Crash report\nabout: Create an issue for cases causing checkov to crash\ntitle: ''\nlabels: 'crash'\nassignees: ''"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/feature_request.md",
    "chars": 573,
    "preview": "---\nname: Feature request\nabout: Feature requests or requests for enhancements that are not bugs.\ntitle: ''\nlabels: 'con"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/graph_issue.md",
    "chars": 602,
    "preview": "---\nname: Graph Issue\nabout: Create an issue regarding the graph creation and querying\ntitle: ''\nlabels: 'graph'\nassigne"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/integrations_issue.md",
    "chars": 401,
    "preview": "---\nname: Integrations Issue\nabout: Create an issue regarding the integration of checkov with other tools.\ntitle: ''\nlab"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/languages_issue.md",
    "chars": 424,
    "preview": "---\nname: Languages Issue\nabout: Create an issue regarding the frameworks and languages supported by checkov\ntitle: ''\nl"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/noise_issue.md",
    "chars": 495,
    "preview": "---\nname: Noise Issue\nabout: Create an issue regarding checkov's output and noise it generates.\ntitle: ''\nlabels: 'noise"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/outputs_issue.md",
    "chars": 416,
    "preview": "---\nname: Outputs Issue\nabout: Create an issue regarding checkov's output (addition or fix)\ntitle: ''\nlabels: 'outputs'\n"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/skips_issue.md",
    "chars": 520,
    "preview": "---\nname: Skipping Issue\nabout: Create an issue regarding checkov's skipping mechanism\ntitle: ''\nlabels: 'skips'\nassigne"
  },
  {
    "path": ".github/PULL_REQUEST_TEMPLATE.md",
    "chars": 1925,
    "preview": "**By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.**\n\n"
  },
  {
    "path": ".github/actionlint.yaml",
    "chars": 43,
    "preview": "self-hosted-runner:\n  labels:\n    - public\n"
  },
  {
    "path": ".github/checkov.yaml",
    "chars": 2166,
    "preview": "enable-secret-scan-all-files: true\nframework:\n- secrets\nquiet: true\nskip-path:\n- docs\n- tests/arm/checks/resource/exampl"
  },
  {
    "path": ".github/codeql-config.yml",
    "chars": 47,
    "preview": "name: \"CodeQL config\"\n\npaths-ignore:\n  - tests\n"
  },
  {
    "path": ".github/dependabot.yml",
    "chars": 118,
    "preview": "version: 2\nupdates:\n  - package-ecosystem: \"github-actions\"\n    directory: \"/\"\n    schedule:\n      interval: \"weekly\"\n"
  },
  {
    "path": ".github/exclude-patterns.txt",
    "chars": 2450,
    "preview": "checkov/terraform/module_loading/loaders/github_access_token_loader.py\ncheckov/terraform/module_loading/loaders/git_load"
  },
  {
    "path": ".github/pr-title-checker-config.json",
    "chars": 805,
    "preview": "{\n  \"LABEL\": {\n    \"name\": \"title needs adjustment\",\n    \"color\": \"EEEEEE\"\n  },\n  \"CHECKS\": {\n    \"prefixes\": [\n      \"c"
  },
  {
    "path": ".github/release-changelog-config.json",
    "chars": 1078,
    "preview": "{\n    \"categories\": [\n        {\n            \"title\": \"## Breaking Change\",\n            \"labels\": [\"break\"]\n        },\n  "
  },
  {
    "path": ".github/stale.yml",
    "chars": 2418,
    "preview": "# Configuration for probot-stale - https://github.com/probot/stale\n\n# Number of days of inactivity before an Issue or Pu"
  },
  {
    "path": ".github/workflows/build.yml",
    "chars": 19302,
    "preview": "name: build\n\non:\n  workflow_dispatch:\n    inputs:\n      versionBump:\n        description: 'The part of the version to bu"
  },
  {
    "path": ".github/workflows/codeql-analysis.yml",
    "chars": 2250,
    "preview": "# For most projects, this workflow file will not need changing; you simply need\n# to commit it to your repository.\n#\n# Y"
  },
  {
    "path": ".github/workflows/coverage.yaml",
    "chars": 1799,
    "preview": "name: Coverage\n\non:\n  schedule:\n    - cron: '0 0 * * 0'\n  workflow_dispatch:\n\npermissions:\n  contents: read\n\njobs:\n  upd"
  },
  {
    "path": ".github/workflows/jekyll-gh-pages.yml",
    "chars": 1673,
    "preview": "# Sample workflow for building and deploying a Jekyll site to GitHub Pages\nname: Deploy Jekyll with GitHub Pages depende"
  },
  {
    "path": ".github/workflows/nightly.yml",
    "chars": 6352,
    "preview": "name: Nightly Run\n\non:\n  schedule:\n    # daily at 23:00 UTC\n    - cron: \"0 23 * * *\"\n  workflow_dispatch:\n\npermissions:\n"
  },
  {
    "path": ".github/workflows/pipenv-update.yml",
    "chars": 1825,
    "preview": "name: pipenv-update\non:\n  schedule:\n    - cron:  '8 22 * * 1'\n  workflow_dispatch:\n\npermissions:\n  contents: read\n\njobs:"
  },
  {
    "path": ".github/workflows/pr-test.yml",
    "chars": 22311,
    "preview": "name: PR Test\n\non: pull_request\n\npermissions:\n  contents: read\n\njobs:\n  lint:\n    uses: bridgecrewio/gha-reusable-workfl"
  },
  {
    "path": ".github/workflows/pr-title.yml",
    "chars": 484,
    "preview": "name: PR Title\n\non:\n  pull_request:\n    branches:\n      - main\n    types: [opened, edited, reopened, synchronize]\n\npermi"
  },
  {
    "path": ".github/workflows/security-shared.yml",
    "chars": 1607,
    "preview": "# !!! Important !!!\n# This a reusable workflow and is used in the PR and push to main branch flow separately\n# to be abl"
  },
  {
    "path": ".github/workflows/security.yml",
    "chars": 639,
    "preview": "# !!! Important !!!\n# any change to this workflow will not take into effect on the same PR and only after,\n# because of "
  },
  {
    "path": ".gitignore",
    "chars": 2851,
    "preview": "# Created by .ignore support plugin (hsz.mobi)\n### Python template\n# Byte-compiled / optimized / DLL files\n__pycache__/\n"
  },
  {
    "path": ".gitmodules",
    "chars": 117,
    "preview": "[submodule \"checkov/sast/sast_core\"]\n\tpath = checkov/sast/sast_core\n\turl = git@github.com:bridgecrewio/SAST-Core.git\n"
  },
  {
    "path": ".gitpod.Dockerfile",
    "chars": 322,
    "preview": "FROM gitpod/workspace-python\nRUN pyenv install 3.10.14\nRUN wget -q -O get_kustomize.sh https://raw.githubusercontent.com"
  },
  {
    "path": ".gitpod.yml",
    "chars": 1104,
    "preview": "# This configuration file was automatically generated by Gitpod.\n# Please adjust to your needs (see https://www.gitpod.i"
  },
  {
    "path": ".pre-commit-config.yaml",
    "chars": 1383,
    "preview": "repos:\n  - repo: https://github.com/pre-commit/pre-commit-hooks\n    rev: v4.5.0\n    hooks:\n      - id: debug-statements\n"
  },
  {
    "path": ".pre-commit-hooks.yaml",
    "chars": 1799,
    "preview": "---\n\n# For use with pre-commit.\n# See usage instructions at http://pre-commit.com\n\n-   id: checkov\n    name: Checkov\n   "
  },
  {
    "path": ".swm/creating-a-solver.gm0ti.sw.md",
    "chars": 11835,
    "preview": "---\nid: gm0ti\nname: Creating a Solver\nfile_version: 1.0.2\napp_version: 0.9.4-0\nfile_blobs:\n  checkov/common/checks_infra"
  },
  {
    "path": ".swm/swimm.json",
    "chars": 125,
    "preview": "{\n    \"repo_id\": \"Z2l0aHViJTNBJTNBY2hlY2tvdiUzQSUzQWJyaWRnZWNyZXdpbw==\",\n    \"configuration\": {\n        \"swmd\": true\n   "
  },
  {
    "path": "CHANGELOG.md",
    "chars": 291312,
    "preview": "# CHANGELOG\n\n## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.510...HEAD)\n\n## [3.2.510](https://githu"
  },
  {
    "path": "CNAME",
    "chars": 10,
    "preview": "checkov.io"
  },
  {
    "path": "CODE_OF_CONDUCT.md",
    "chars": 3351,
    "preview": "# Contributor Covenant Code of Conduct\n\n## Our Pledge\n\nIn the interest of fostering an open and welcoming environment, w"
  },
  {
    "path": "CONTRIBUTING.md",
    "chars": 6897,
    "preview": "# Contributing\n\nThe developer guide is for anyone wanting to contribute directly to the Checkov project. \n\nIf you've alr"
  },
  {
    "path": "Dockerfile",
    "chars": 1366,
    "preview": "FROM python:3.11-slim\n\nENV RUN_IN_DOCKER=True\n\nRUN set -eux; \\\n    apt-get update; \\\n    apt-get -y upgrade; \\\n    apt-g"
  },
  {
    "path": "INTHEWILD.md",
    "chars": 1296,
    "preview": "# Who uses checkov?\n\nAs the checkov community grows, we'd like to keep track of who is using the OSS tool. \nPlease send "
  },
  {
    "path": "LICENSE",
    "chars": 11348,
    "preview": "                                 Apache License\n                           Version 2.0, January 2004\n                   "
  },
  {
    "path": "Pipfile",
    "chars": 2624,
    "preview": "[[source]]\nname = \"pypi\"\nurl = \"https://pypi.org/simple\"\nverify_ssl = true\n\n[dev-packages]\npytest = \"<8.0.0\"\npytest-xdis"
  },
  {
    "path": "README.md",
    "chars": 23252,
    "preview": "[![checkov](https://raw.githubusercontent.com/bridgecrewio/checkov/main/docs/web/images/checkov_blue_logo.png)](#)\n     "
  },
  {
    "path": "SECURITY.md",
    "chars": 3039,
    "preview": "# Security\n\n## Reporting a Vulnerability\n\nIf you think you have found a potential security vulnerability in `checkov`,\np"
  },
  {
    "path": "bin/checkov",
    "chars": 244,
    "preview": "#!/usr/bin/env python\nfrom checkov.main import Checkov\nimport warnings\nimport sys\n\nif __name__ == '__main__':\n    with w"
  },
  {
    "path": "bin/checkov.cmd",
    "chars": 957,
    "preview": "@echo OFF\nREM=\"\"\"\nsetlocal\nset PythonExe=\"\"\nset PythonExeFlags=\n\nfor %%i in (cmd bat exe) do (\n    for %%j in (python.%%"
  },
  {
    "path": "cdk_integration_tests/__init__.py",
    "chars": 0,
    "preview": ""
  },
  {
    "path": "cdk_integration_tests/prepare_data.sh",
    "chars": 1029,
    "preview": "#!/bin/bash\n\n# iterate over all the cdk python checks\n#for file in \"checkov/cdk/checks/python\"/*; do\n#  # Ensure it's a "
  },
  {
    "path": "cdk_integration_tests/run_integration_tests.sh",
    "chars": 1712,
    "preview": "#!/bin/bash\n\n# In order to run this script set the following environment variables:\n# BC_API_URL - your API url.\n# BC_KE"
  },
  {
    "path": "cdk_integration_tests/src/python/ALBDropHttpHeaders/fail__1__.py",
    "chars": 725,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_elasticloadbalancingv2 as elbv2\n\nclass MyALBStack(core.Stack):\n    def "
  },
  {
    "path": "cdk_integration_tests/src/python/ALBDropHttpHeaders/pass.py",
    "chars": 724,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_elasticloadbalancingv2 as elbv2\n\nclass MyALBStack(core.Stack):\n    def "
  },
  {
    "path": "cdk_integration_tests/src/python/ALBListenerHTTPS/fail__1__.py",
    "chars": 806,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_elasticloadbalancingv2 as elbv2\n\nclass MyListenerStack(core.Stack):\n   "
  },
  {
    "path": "cdk_integration_tests/src/python/ALBListenerHTTPS/pass.py",
    "chars": 1322,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_elasticloadbalancingv2 as elbv2\n\nclass MyListenerStack(core.Stack):\n   "
  },
  {
    "path": "cdk_integration_tests/src/python/APIGatewayAccessLogging/fail__2__.py",
    "chars": 1988,
    "preview": "from aws_cdk import aws_apigateway as apigateway\n\ncfn_stage = apigateway.CfnStage(self, \"MyCfnStage\",\n    rest_api_id=\"r"
  },
  {
    "path": "cdk_integration_tests/src/python/APIGatewayAccessLogging/pass.py",
    "chars": 2225,
    "preview": "from aws_cdk import aws_apigateway as apigateway\n\ncfn_stage = apigateway.CfnStage(self, \"MyCfnStage\",\n    rest_api_id=\"r"
  },
  {
    "path": "cdk_integration_tests/src/python/APIGatewayAuthorization/fail__1__.py",
    "chars": 958,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_apigateway as apigw\n\nclass MyApiGatewayMethodStack(core.Stack):\n    def"
  },
  {
    "path": "cdk_integration_tests/src/python/APIGatewayAuthorization/pass.py",
    "chars": 961,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_apigateway as apigw\n\nclass MyApiGatewayMethodStack(core.Stack):\n    def"
  },
  {
    "path": "cdk_integration_tests/src/python/APIGatewayCacheEnable/fail__2__.py",
    "chars": 1567,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_apigateway as apigateway\nfrom aws_cdk import aws_sam as sam\nclass MyApi"
  },
  {
    "path": "cdk_integration_tests/src/python/APIGatewayCacheEnable/pass.py",
    "chars": 1835,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_apigateway as apigateway\nfrom aws_cdk import aws_sam as sam\nclass MyApi"
  },
  {
    "path": "cdk_integration_tests/src/python/APIGatewayV2AccessLogging/fail__2__.py",
    "chars": 1286,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_apigatewayv2 as apigatewayv2\n\nclass MyApiGatewayV2StageStack(core.Stack"
  },
  {
    "path": "cdk_integration_tests/src/python/APIGatewayV2AccessLogging/pass.py",
    "chars": 1780,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_apigatewayv2 as apigatewayv2\n\nclass MyApiGatewayV2StageStack(core.Stack"
  },
  {
    "path": "cdk_integration_tests/src/python/APIGatewayXray/fail__2__.py",
    "chars": 1463,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_apigateway as apigateway\nfrom aws_cdk import aws_apigatewayv2 as apigat"
  },
  {
    "path": "cdk_integration_tests/src/python/APIGatewayXray/pass.py",
    "chars": 1462,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_apigateway as apigateway\nfrom aws_cdk import aws_apigatewayv2 as apigat"
  },
  {
    "path": "cdk_integration_tests/src/python/AmazonMQBrokerPublicAccess/fail__1__.py",
    "chars": 674,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_amazonmq as amazonmq\n\nclass AmazonMQStack(core.Stack):\n\n    def __init_"
  },
  {
    "path": "cdk_integration_tests/src/python/AmazonMQBrokerPublicAccess/pass.py",
    "chars": 675,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_amazonmq as amazonmq\n\nclass AmazonMQStack(core.Stack):\n\n    def __init_"
  },
  {
    "path": "cdk_integration_tests/src/python/AppSyncFieldLevelLogs/fail__1__.py",
    "chars": 758,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_appsync as appsync\n\nclass AppSyncStack(core.Stack):\n\n    def __init__(s"
  },
  {
    "path": "cdk_integration_tests/src/python/AppSyncFieldLevelLogs/pass.py",
    "chars": 816,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_appsync as appsync\n\nclass AppSyncStack(core.Stack):\n\n    def __init__(s"
  },
  {
    "path": "cdk_integration_tests/src/python/AppSyncLogging/fail__1__.py",
    "chars": 739,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_appsync as appsync\n\nclass AppSyncStack(core.Stack):\n\n    def __init__(s"
  },
  {
    "path": "cdk_integration_tests/src/python/AppSyncLogging/pass.py",
    "chars": 806,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_appsync as appsync\n\nclass AppSyncStack(core.Stack):\n\n    def __init__(s"
  },
  {
    "path": "cdk_integration_tests/src/python/AthenaWorkgroupConfiguration/fail__1__.py",
    "chars": 1019,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_athena as athena\n\nclass AthenaStack(core.Stack):\n\n    def __init__(self"
  },
  {
    "path": "cdk_integration_tests/src/python/AthenaWorkgroupConfiguration/pass.py",
    "chars": 1018,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_athena as athena\n\nclass AthenaStack(core.Stack):\n\n    def __init__(self"
  },
  {
    "path": "cdk_integration_tests/src/python/AuroraEncryption/fail__1__.py",
    "chars": 623,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_rds as rds\n\nclass MyDBClusterStack(core.Stack):\n    def __init__(self, "
  },
  {
    "path": "cdk_integration_tests/src/python/AuroraEncryption/pass.py",
    "chars": 622,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_rds as rds\n\nclass MyDBClusterStack(core.Stack):\n    def __init__(self, "
  },
  {
    "path": "cdk_integration_tests/src/python/BackupVaultEncrypted/fail__1__.py",
    "chars": 429,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_backup as backup\n\nclass MyBackupStack(core.Stack):\n\n    def __init__(se"
  },
  {
    "path": "cdk_integration_tests/src/python/BackupVaultEncrypted/pass.py",
    "chars": 624,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_backup as backup\n\nclass MyBackupStack(core.Stack):\n\n    def __init__(se"
  },
  {
    "path": "cdk_integration_tests/src/python/CloudFrontTLS12/fail__2__.py",
    "chars": 1685,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_cloudfront as cloudfront\n\nclass MyCloudFrontDistributionStack(core.Stac"
  },
  {
    "path": "cdk_integration_tests/src/python/CloudFrontTLS12/pass.py",
    "chars": 878,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_cloudfront as cloudfront\n\nclass MyCloudFrontDistributionStack(core.Stac"
  },
  {
    "path": "cdk_integration_tests/src/python/CloudTrailLogValidation/fail__1__.py",
    "chars": 709,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_cloudtrail as cloudtrail\nfrom aws_cdk import aws_iam as iam\n\nclass Clou"
  },
  {
    "path": "cdk_integration_tests/src/python/CloudTrailLogValidation/pass.py",
    "chars": 738,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_cloudtrail as cloudtrail\nfrom aws_cdk import aws_iam as iam\n\nclass Clou"
  },
  {
    "path": "cdk_integration_tests/src/python/CloudWatchLogGroupKMSKey/fail__1__.py",
    "chars": 561,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_logs as logs\n\nclass MyBadLogGroupStack(core.Stack):\n\n    def __init__(s"
  },
  {
    "path": "cdk_integration_tests/src/python/CloudWatchLogGroupKMSKey/pass.py",
    "chars": 551,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_logs as logs\n\nclass MyLogGroupStack(core.Stack):\n\n    def __init__(self"
  },
  {
    "path": "cdk_integration_tests/src/python/CloudWatchLogGroupRetention/fail__1__.py",
    "chars": 465,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_logs as logs\n\nclass MyLogGroupStack(core.Stack):\n    def __init__(self,"
  },
  {
    "path": "cdk_integration_tests/src/python/CloudWatchLogGroupRetention/pass.py",
    "chars": 602,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_logs as logs\n\nclass MyLogGroupStack(core.Stack):\n    def __init__(self,"
  },
  {
    "path": "cdk_integration_tests/src/python/CloudfrontDistributionEncryption/fail__2__.py",
    "chars": 1832,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_cloudfront as cloudfront\n\nclass MyCloudFrontDistributionStack(core.Stac"
  },
  {
    "path": "cdk_integration_tests/src/python/CloudfrontDistributionEncryption/pass.py",
    "chars": 1767,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_cloudfront as cloudfront\n\nclass MyCloudFrontDistributionStack(core.Stac"
  },
  {
    "path": "cdk_integration_tests/src/python/CloudfrontDistributionLogging/fail__1__.py",
    "chars": 513,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_cloudfront as cloudfront\n\nclass MyCloudFrontDistributionStack(core.Stac"
  },
  {
    "path": "cdk_integration_tests/src/python/CloudfrontDistributionLogging/pass.py",
    "chars": 866,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_cloudfront as cloudfront\n\nclass MyCloudFrontDistributionStack(core.Stac"
  },
  {
    "path": "cdk_integration_tests/src/python/CloudtrailEncryption/fail__1__.py",
    "chars": 456,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_cloudtrail as cloudtrail\n\nclass MyCloudTrailTrailStack(core.Stack):\n   "
  },
  {
    "path": "cdk_integration_tests/src/python/CloudtrailEncryption/pass.py",
    "chars": 620,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_cloudtrail as cloudtrail\n\nclass MyCloudTrailTrailStack(core.Stack):\n   "
  },
  {
    "path": "cdk_integration_tests/src/python/CloudtrailMultiRegion/fail__1__.py",
    "chars": 555,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_cloudtrail as cloudtrail\n\nclass MyCloudTrailStack(core.Stack):\n    def "
  },
  {
    "path": "cdk_integration_tests/src/python/CloudtrailMultiRegion/pass.py",
    "chars": 554,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_cloudtrail as cloudtrail\n\nclass MyCloudTrailStack(core.Stack):\n    def "
  },
  {
    "path": "cdk_integration_tests/src/python/CodeBuildProjectEncryption/fail__1__.py",
    "chars": 855,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_codebuild as codebuild\n\nclass MyCodeBuildProjectStack(core.Stack):\n    "
  },
  {
    "path": "cdk_integration_tests/src/python/CodeBuildProjectEncryption/pass.py",
    "chars": 1592,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_codebuild as codebuild\n\nclass MyCodeBuildProjectStack(core.Stack):\n    "
  },
  {
    "path": "cdk_integration_tests/src/python/DAXEncryption/fail__1__.py",
    "chars": 629,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_dax as dax\n\nclass DAXClusterStack(core.Stack):\n    def __init__(self, s"
  },
  {
    "path": "cdk_integration_tests/src/python/DAXEncryption/pass.py",
    "chars": 861,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_dax as dax\n\nclass DAXClusterStack(core.Stack):\n    def __init__(self, s"
  },
  {
    "path": "cdk_integration_tests/src/python/DMSReplicationInstancePubliclyAccessible/fail__1__.py",
    "chars": 784,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_dms as dms\n\nclass MyDMSReplicationInstanceStack(core.Stack):\n    def __"
  },
  {
    "path": "cdk_integration_tests/src/python/DMSReplicationInstancePubliclyAccessible/pass.py",
    "chars": 785,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_dms as dms\n\nclass MyDMSReplicationInstanceStack(core.Stack):\n    def __"
  },
  {
    "path": "cdk_integration_tests/src/python/DocDBAuditLogs/fail__1__.py",
    "chars": 637,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_docdb as docdb\n\nclass DocDBStack(core.Stack):\n\n    def __init__(self, s"
  },
  {
    "path": "cdk_integration_tests/src/python/DocDBAuditLogs/pass.py",
    "chars": 636,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_docdb as docdb\n\nclass DocDBStack(core.Stack):\n\n    def __init__(self, s"
  },
  {
    "path": "cdk_integration_tests/src/python/DocDBEncryption/fail__1__.py",
    "chars": 734,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_docdb as docdb\n\nclass MyDocDBClusterStack(core.Stack):\n\n    def __init_"
  },
  {
    "path": "cdk_integration_tests/src/python/DocDBEncryption/pass.py",
    "chars": 798,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_docdb as docdb\n\nclass MyDocDBClusterStack(core.Stack):\n\n    def __init_"
  },
  {
    "path": "cdk_integration_tests/src/python/DocDBTLS/fail__1__.py",
    "chars": 709,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_docdb as docdb\n\nclass MyDocDBParameterGroupStack(core.Stack):\n    def _"
  },
  {
    "path": "cdk_integration_tests/src/python/DocDBTLS/pass.py",
    "chars": 708,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_docdb as docdb\n\nclass MyDocDBParameterGroupStack(core.Stack):\n    def _"
  },
  {
    "path": "cdk_integration_tests/src/python/DynamodbGlobalTableRecovery/fail__1__.py",
    "chars": 833,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_dynamodb as dynamodb\n\nclass DynamoDBGlobalTableStack(core.Stack):\n    d"
  },
  {
    "path": "cdk_integration_tests/src/python/DynamodbGlobalTableRecovery/pass.py",
    "chars": 831,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_dynamodb as dynamodb\n\nclass DynamoDBGlobalTableStack(core.Stack):\n    d"
  },
  {
    "path": "cdk_integration_tests/src/python/DynamodbRecovery/fail__1__.py",
    "chars": 726,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_dynamodb as dynamodb\n\nclass MyDynamoDBStack(core.Stack):\n\n    def __ini"
  },
  {
    "path": "cdk_integration_tests/src/python/DynamodbRecovery/pass.py",
    "chars": 725,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_dynamodb as dynamodb\n\nclass MyDynamoDBStack(core.Stack):\n\n    def __ini"
  },
  {
    "path": "cdk_integration_tests/src/python/EBSEncryption/fail__1__.py",
    "chars": 657,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_ec2 as ec2\n\nclass MyVolumeStack(core.Stack):\n\n    def __init__(self, sc"
  },
  {
    "path": "cdk_integration_tests/src/python/EBSEncryption/pass.py",
    "chars": 641,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_ec2 as ec2\n\nclass MyVolumeStack(core.Stack):\n\n    def __init__(self, sc"
  },
  {
    "path": "cdk_integration_tests/src/python/EC2PublicIP/fail__2__.py",
    "chars": 1627,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_ec2 as ec2\n\nclass MyEC2InstanceStack(core.Stack):\n    def __init__(self"
  },
  {
    "path": "cdk_integration_tests/src/python/EC2PublicIP/pass.py",
    "chars": 1768,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_ec2 as ec2\n\nclass MyEC2InstanceStack(core.Stack):\n    def __init__(self"
  },
  {
    "path": "cdk_integration_tests/src/python/ECRImageScanning/fail__1__.py",
    "chars": 427,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_ecr as ecr\n\nclass MyECRStack(core.Stack):\n\n    def __init__(self, scope"
  },
  {
    "path": "cdk_integration_tests/src/python/ECRImageScanning/pass.py",
    "chars": 497,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_ecr as ecr\n\nclass MyECRStack(core.Stack):\n\n    def __init__(self, scope"
  },
  {
    "path": "cdk_integration_tests/src/python/ECRImmutableTags/fail__1__.py",
    "chars": 518,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_ecr as ecr\n\nclass MyECRStack(core.Stack):\n\n    def __init__(self, scope"
  },
  {
    "path": "cdk_integration_tests/src/python/ECRImmutableTags/pass.py",
    "chars": 520,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_ecr as ecr\n\nclass MyECRStack(core.Stack):\n\n    def __init__(self, scope"
  },
  {
    "path": "cdk_integration_tests/src/python/ECRRepositoryEncrypted/fail__1__.py",
    "chars": 481,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_ecr as ecr\n\nclass MyECRRepositoryStack(core.Stack):\n    def __init__(se"
  },
  {
    "path": "cdk_integration_tests/src/python/ECRRepositoryEncrypted/pass.py",
    "chars": 629,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_ecr as ecr\n\nclass MyECRRepositoryStack(core.Stack):\n    def __init__(se"
  },
  {
    "path": "cdk_integration_tests/src/python/ECSClusterContainerInsights/fail__1__.py",
    "chars": 1219,
    "preview": "import aws_cdk as core\nfrom constructs import Construct\nfrom aws_cdk import aws_ecs as ecs\nfrom aws_cdk import aws_ec2 a"
  },
  {
    "path": "cdk_integration_tests/src/python/ECSClusterContainerInsights/pass.py",
    "chars": 1370,
    "preview": "import aws_cdk as core\nfrom constructs import Construct\nfrom aws_cdk import aws_ecs as ecs\nfrom aws_cdk import aws_ec2 a"
  },
  {
    "path": "cdk_integration_tests/src/python/ECSTaskDefinitionEFSVolumeEncryption/fail__1__.py",
    "chars": 774,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_ecs as ecs\n\nclass MyECSTaskDefinitionStack(core.Stack):\n    def __init_"
  },
  {
    "path": "cdk_integration_tests/src/python/ECSTaskDefinitionEFSVolumeEncryption/pass.py",
    "chars": 773,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_ecs as ecs\n\nclass MyECSTaskDefinitionStack(core.Stack):\n    def __init_"
  },
  {
    "path": "cdk_integration_tests/src/python/EFSEncryptionEnabled/fail__1__.py",
    "chars": 493,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_efs as efs\n\nclass EfsStack(core.Stack):\n\n    def __init__(self, scope: "
  },
  {
    "path": "cdk_integration_tests/src/python/EFSEncryptionEnabled/pass.py",
    "chars": 567,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_efs as efs\n\nclass EfsStack(core.Stack):\n\n    def __init__(self, scope: "
  },
  {
    "path": "cdk_integration_tests/src/python/EKSSecretsEncryption/fail__1__.py",
    "chars": 602,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_eks as eks\n\nclass MyEKSClusterStack(core.Stack):\n    def __init__(self,"
  },
  {
    "path": "cdk_integration_tests/src/python/EKSSecretsEncryption/pass.py",
    "chars": 606,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_eks as eks\n\nclass MyEKSClusterStack(core.Stack):\n    def __init__(self,"
  },
  {
    "path": "cdk_integration_tests/src/python/ELBAccessLogs/fail__1__.py",
    "chars": 1080,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_elasticloadbalancing as elb\n\nclass MyLoadBalancerStack(core.Stack):\n   "
  },
  {
    "path": "cdk_integration_tests/src/python/ELBAccessLogs/pass.py",
    "chars": 1079,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_elasticloadbalancing as elb\n\nclass MyLoadBalancerStack(core.Stack):\n   "
  },
  {
    "path": "cdk_integration_tests/src/python/ELBv2AccessLogs/fail__2__.py",
    "chars": 1134,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_elasticloadbalancingv2 as elbv2\n\nclass MyALBWithAccessLogs(core.Stack):"
  },
  {
    "path": "cdk_integration_tests/src/python/ELBv2AccessLogs/pass.py",
    "chars": 751,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_elasticloadbalancingv2 as elbv2\n\nclass MyALBWithAccessLogs(core.Stack):"
  },
  {
    "path": "cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtRest/fail__1__.py",
    "chars": 967,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_elasticache as elasticache\n\nclass ElastiCacheReplicationGroupStack(core"
  },
  {
    "path": "cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtRest/pass.py",
    "chars": 1040,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_elasticache as elasticache\n\nclass ElastiCacheReplicationGroupStack(core"
  },
  {
    "path": "cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransit/fail__1__.py",
    "chars": 890,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_elasticache as elasticache\n\nclass ElastiCacheReplicationGroupStack(core"
  },
  {
    "path": "cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransit/pass.py",
    "chars": 963,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_elasticache as elasticache\n\nclass ElastiCacheReplicationGroupStack(core"
  },
  {
    "path": "cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/fail__2__.py",
    "chars": 1811,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_elasticache as elasticache\n\nclass MyElastiCacheReplicationGroupStack(co"
  },
  {
    "path": "cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass.py",
    "chars": 976,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_elasticache as elasticache\n\nclass MyElastiCacheReplicationGroupStack(co"
  },
  {
    "path": "cdk_integration_tests/src/python/ElasticsearchDomainEnforceHTTPS/fail__1__.py",
    "chars": 801,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_elasticsearch as elasticsearch\n\nclass ElasticsearchStack(core.Stack):\n\n"
  },
  {
    "path": "cdk_integration_tests/src/python/ElasticsearchDomainEnforceHTTPS/pass.py",
    "chars": 1176,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_elasticsearch as elasticsearch\n\nclass ElasticsearchStack(core.Stack):\n\n"
  },
  {
    "path": "cdk_integration_tests/src/python/ElasticsearchDomainLogging/fail__2__.py",
    "chars": 2223,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_elasticsearch as elasticsearch\nfrom aws_cdk import aws_opensearchservic"
  },
  {
    "path": "cdk_integration_tests/src/python/ElasticsearchDomainLogging/pass.py",
    "chars": 2223,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_elasticsearch as elasticsearch\nfrom aws_cdk import aws_opensearchservic"
  },
  {
    "path": "cdk_integration_tests/src/python/ElasticsearchEncryption/fail__1__.py",
    "chars": 789,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_elasticsearch as elasticsearch\n\nclass MyElasticsearchDomainStack(core.S"
  },
  {
    "path": "cdk_integration_tests/src/python/ElasticsearchEncryption/pass.py",
    "chars": 788,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_elasticsearch as elasticsearch\n\nclass MyElasticsearchDomainStack(core.S"
  },
  {
    "path": "cdk_integration_tests/src/python/ElasticsearchNodeToNodeEncryption/fail__1__.py",
    "chars": 799,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_elasticsearch as elasticsearch\n\nclass MyElasticsearchDomainStack(core.S"
  },
  {
    "path": "cdk_integration_tests/src/python/ElasticsearchNodeToNodeEncryption/pass.py",
    "chars": 798,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_elasticsearch as elasticsearch\n\nclass MyElasticsearchDomainStack(core.S"
  },
  {
    "path": "cdk_integration_tests/src/python/GlueDataCatalogEncryption/fail__2__.py",
    "chars": 1563,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_glue as glue\n\nclass MyGlueDataCatalogEncryptionSettingsStack(core.Stack"
  },
  {
    "path": "cdk_integration_tests/src/python/GlueDataCatalogEncryption/pass.py",
    "chars": 866,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_glue as glue\n\nclass MyGlueDataCatalogEncryptionSettingsStack(core.Stack"
  },
  {
    "path": "cdk_integration_tests/src/python/GlueSecurityConfiguration/fail__2__.py",
    "chars": 1779,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_glue as glue\n\nclass MyGlueSecurityConfigurationStack(core.Stack):\n    d"
  },
  {
    "path": "cdk_integration_tests/src/python/GlueSecurityConfiguration/pass.py",
    "chars": 978,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_glue as glue\n\nclass MyGlueSecurityConfigurationStack(core.Stack):\n    d"
  },
  {
    "path": "cdk_integration_tests/src/python/GlueSecurityConfigurationEnabled/fail__3__.py",
    "chars": 1818,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_glue as glue\n\nclass GlueCrawlerStack(core.Stack):\n\n    def __init__(sel"
  },
  {
    "path": "cdk_integration_tests/src/python/GlueSecurityConfigurationEnabled/pass.py",
    "chars": 2420,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_glue as glue\nfrom aws_cdk import aws_iam as iam\n\nclass GlueCrawlerStack"
  },
  {
    "path": "cdk_integration_tests/src/python/IAMPolicyAttachedToGroupOrRoles/fail__1__.py",
    "chars": 704,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_iam as iam\n\nclass IAMStack(core.Stack):\n\n    def __init__(self, scope: "
  },
  {
    "path": "cdk_integration_tests/src/python/IAMPolicyAttachedToGroupOrRoles/pass.py",
    "chars": 680,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_iam as iam\n\nclass IAMStack(core.Stack):\n\n    def __init__(self, scope: "
  },
  {
    "path": "cdk_integration_tests/src/python/KinesisStreamEncryptionType/fail__1__.py",
    "chars": 717,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_kinesis as kinesis\n\nclass KinesisStreamStack(core.Stack):\n\n    def __in"
  },
  {
    "path": "cdk_integration_tests/src/python/KinesisStreamEncryptionType/pass.py",
    "chars": 739,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_kinesis as kinesis\n\nclass KinesisStreamStack(core.Stack):\n\n    def __in"
  },
  {
    "path": "cdk_integration_tests/src/python/LambdaDLQConfigured/fail__2__.py",
    "chars": 1530,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_lambda as _lambda\nfrom aws_cdk import aws_sqs as sqs\nfrom aws_cdk impor"
  },
  {
    "path": "cdk_integration_tests/src/python/LambdaDLQConfigured/pass.py",
    "chars": 1692,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_lambda as _lambda\nfrom aws_cdk import aws_sqs as sqs\nfrom aws_cdk impor"
  },
  {
    "path": "cdk_integration_tests/src/python/LambdaEnvironmentCredentials/fail__2__.py",
    "chars": 1428,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_lambda as _lambda\nfrom aws_cdk import aws_sam as sam\n\nclass MyLambdaFun"
  },
  {
    "path": "cdk_integration_tests/src/python/LambdaEnvironmentCredentials/pass.py",
    "chars": 1434,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_lambda as _lambda\nfrom aws_cdk import aws_sam as sam\n\nclass MyLambdaFun"
  },
  {
    "path": "cdk_integration_tests/src/python/LambdaEnvironmentEncryptionSettings/fail__2__.py",
    "chars": 1382,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_lambda as _lambda\nfrom aws_cdk import aws_sam as sam\nclass MyLambdaFunc"
  },
  {
    "path": "cdk_integration_tests/src/python/LambdaEnvironmentEncryptionSettings/pass.py",
    "chars": 1556,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_lambda as _lambda\nfrom aws_cdk import aws_sam as sam\nclass MyLambdaFunc"
  },
  {
    "path": "cdk_integration_tests/src/python/LambdaFunctionLevelConcurrentExecutionLimit/fail__2__.py",
    "chars": 1617,
    "preview": "from aws_cdk import core\nfrom aws_cdk.aws_lambda import Function, Runtime, Code\nfrom aws_cdk.aws_sam import CfnFunction\n"
  },
  {
    "path": "cdk_integration_tests/src/python/LambdaFunctionLevelConcurrentExecutionLimit/pass.py",
    "chars": 1707,
    "preview": "from aws_cdk import core\nfrom aws_cdk.aws_lambda import Function, Runtime, Code\nfrom aws_cdk.aws_sam import CfnFunction\n"
  },
  {
    "path": "cdk_integration_tests/src/python/LambdaInVPC/fail__2__.py",
    "chars": 1398,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_lambda as _lambda\nfrom aws_cdk import aws_ec2 as ec2\nfrom aws_cdk impor"
  },
  {
    "path": "cdk_integration_tests/src/python/LambdaInVPC/pass.py",
    "chars": 1928,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_lambda as _lambda\nfrom aws_cdk import aws_ec2 as ec2\nfrom aws_cdk impor"
  },
  {
    "path": "cdk_integration_tests/src/python/LaunchConfigurationEBSEncryption/fail__1__.py",
    "chars": 833,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_autoscaling as autoscaling\n\nclass MyAutoScalingLaunchConfig(core.Stack)"
  },
  {
    "path": "cdk_integration_tests/src/python/LaunchConfigurationEBSEncryption/pass.py",
    "chars": 1594,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_autoscaling as autoscaling\n\nclass MyAutoScalingLaunchConfig(core.Stack)"
  },
  {
    "path": "cdk_integration_tests/src/python/NeptuneClusterStorageEncrypted/fail__2__.py",
    "chars": 1667,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_neptune as neptune\n\nclass MyNeptuneStack(core.Stack):\n\n    def __init__"
  },
  {
    "path": "cdk_integration_tests/src/python/NeptuneClusterStorageEncrypted/pass.py",
    "chars": 1731,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_neptune as neptune\n\nclass MyNeptuneStack(core.Stack):\n\n    def __init__"
  },
  {
    "path": "cdk_integration_tests/src/python/RDSEnhancedMonitorEnabled/fail__1__.py",
    "chars": 936,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_rds as rds\n\nclass RDSStack(core.Stack):\n\n    def __init__(self, scope: "
  },
  {
    "path": "cdk_integration_tests/src/python/RDSEnhancedMonitorEnabled/pass.py",
    "chars": 1012,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_rds as rds\n\nclass RDSStack(core.Stack):\n\n    def __init__(self, scope: "
  },
  {
    "path": "cdk_integration_tests/src/python/RDSMultiAZEnabled/fail__1__.py",
    "chars": 644,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_rds as rds\n\nclass MyDBInstanceStack(core.Stack):\n    def __init__(self,"
  },
  {
    "path": "cdk_integration_tests/src/python/RDSMultiAZEnabled/pass.py",
    "chars": 643,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_rds as rds\n\nclass MyDBInstanceStack(core.Stack):\n    def __init__(self,"
  },
  {
    "path": "cdk_integration_tests/src/python/RDSPubliclyAccessible/fail__1__.py",
    "chars": 1011,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_rds as rds\n\nclass RDSStack(core.Stack):\n\n    def __init__(self, scope: "
  },
  {
    "path": "cdk_integration_tests/src/python/RDSPubliclyAccessible/pass.py",
    "chars": 1014,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_rds as rds\n\nclass RDSStack(core.Stack):\n\n    def __init__(self, scope: "
  },
  {
    "path": "cdk_integration_tests/src/python/RedShiftSSL/fail__2__.py",
    "chars": 1759,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_redshift as redshift\n\nclass MyRedshiftClusterParameterGroupStack(core.S"
  },
  {
    "path": "cdk_integration_tests/src/python/RedShiftSSL/pass.py",
    "chars": 3251,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_redshift as redshift\n\nclass MyRedshiftClusterParameterGroupStack(core.S"
  },
  {
    "path": "cdk_integration_tests/src/python/RedshiftClusterEncryption/fail__1__.py",
    "chars": 729,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_redshift as redshift\n\nclass RedshiftClusterStack(core.Stack):\n\n    def "
  },
  {
    "path": "cdk_integration_tests/src/python/RedshiftClusterEncryption/pass.py",
    "chars": 777,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_redshift as redshift\n\nclass RedshiftClusterStack(core.Stack):\n\n    def "
  },
  {
    "path": "cdk_integration_tests/src/python/RedshiftClusterLogging/fail__1__.py",
    "chars": 718,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_redshift as redshift\n\nclass MyRedshiftClusterStack(core.Stack):\n    def"
  },
  {
    "path": "cdk_integration_tests/src/python/RedshiftClusterLogging/pass.py",
    "chars": 900,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_redshift as redshift\n\nclass MyRedshiftClusterStack(core.Stack):\n    def"
  },
  {
    "path": "cdk_integration_tests/src/python/RedshiftClusterPubliclyAccessible/fail__1__.py",
    "chars": 761,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_redshift as redshift\n\nclass RedshiftStack(core.Stack):\n\n    def __init_"
  },
  {
    "path": "cdk_integration_tests/src/python/RedshiftClusterPubliclyAccessible/pass.py",
    "chars": 764,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_redshift as redshift\n\nclass RedshiftStack(core.Stack):\n\n    def __init_"
  },
  {
    "path": "cdk_integration_tests/src/python/RedshiftInEc2ClassicMode/fail__1__.py",
    "chars": 472,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_redshift as redshift\n\nclass MyRedshiftClusterStack(core.Stack):\n    def"
  },
  {
    "path": "cdk_integration_tests/src/python/RedshiftInEc2ClassicMode/pass.py",
    "chars": 642,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_redshift as redshift\n\nclass MyRedshiftClusterStack(core.Stack):\n    def"
  },
  {
    "path": "cdk_integration_tests/src/python/S3BlockPublicACLs/fail__2__.py",
    "chars": 1074,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_s3 as s3\n\nclass S3BucketWithBlockPublicAclsStack(core.Stack):\n\n    def "
  },
  {
    "path": "cdk_integration_tests/src/python/S3BlockPublicACLs/pass.py",
    "chars": 1074,
    "preview": "from aws_cdk import core\nfrom aws_cdk import aws_s3 as s3\n\nclass S3BucketWithBlockPublicAclsStack(core.Stack):\n\n    def "
  },
  {
    "path": "cdk_integration_tests/src/python/S3BlockPublicPolicy/fail__2__.py",
    "chars": 507,
    "preview": "from constructs import Construct\nfrom aws_cdk import App, Stack \nfrom aws_cdk import (\n    aws_s3 as s4\n)\n\nclass MyS3Sta"
  },
  {
    "path": "cdk_integration_tests/src/python/S3BlockPublicPolicy/pass.py",
    "chars": 594,
    "preview": "from constructs import Construct\nfrom aws_cdk import App, Stack \nfrom aws_cdk import (\n    aws_s3 as s4\n)\n\n\nclass MyS3St"
  },
  {
    "path": "cdk_integration_tests/src/python/S3BucketEncryption/fail__2__.py",
    "chars": 428,
    "preview": "from aws_cdk import App, Stack, aws_s3 as s3\n\n\nclass AppStack(Stack):\n    def __init__(self, app: App, id: str) -> None:"
  },
  {
    "path": "cdk_integration_tests/src/python/S3BucketEncryption/pass.py",
    "chars": 347,
    "preview": "from aws_cdk import App, Stack, aws_s3 as s3\n\n\nclass AppStack(Stack):\n    def __init__(self, app: App, id: str) -> None:"
  },
  {
    "path": "cdk_integration_tests/src/python/S3BucketKMSEncryption/fail__3__.py",
    "chars": 563,
    "preview": "from aws_cdk import App, Stack, aws_s3 as s3\n\n\nclass AppStack(Stack):\n    def __init__(self, app: App, id: str) -> None:"
  },
  {
    "path": "cdk_integration_tests/src/python/S3BucketKMSEncryption/pass.py",
    "chars": 348,
    "preview": "from aws_cdk import App, Stack, aws_s3 as s3\n\n\nclass AppStack(Stack):\n    def __init__(self, app: App, id: str) -> None:"
  },
  {
    "path": "cdk_integration_tests/src/python/S3BucketLogging/fail.py",
    "chars": 292,
    "preview": "from aws_cdk import App, Stack, aws_s3 as s3\n\n\nclass AppStack(Stack):\n    def __init__(self, app: App, id: str) -> None:"
  },
  {
    "path": "cdk_integration_tests/src/python/S3BucketLogging/pass.py",
    "chars": 434,
    "preview": "from aws_cdk import App, Stack, aws_s3 as s3\n\n\nclass AppStack(Stack):\n    def __init__(self, app: App, id: str) -> None:"
  }
]

// ... and 9524 more files (download for full content)

About this extraction

This page contains the full source code of the bridgecrewio/checkov GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 9724 files (35.5 MB), approximately 10.0M tokens, and a symbol index with 16106 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.

Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.
